 And Chinese companies play a very important role in it. From this list, we can see that companies like Alibaba, Baidu, Tenshin, and Huawei, Pincap, it is actually a backbone of all the sort of contributions, especially Ali, which has held the first position in the contribution list for 10 consensus years. Yeah. And I'll take two minutes to briefly describe the scientific method behind this ranking. One of the research area in our lab is performing data health behavior log data analysis. The number of complete logs in 2020 was at 86 million, and in 2021, it topped 1 billion. And there are a lot of interesting things that can be analyzed from these behavior logs, such as who made what contribution, when, through what contribution, collaboration, and with what impact, we even created a niche research area called open metrology, which is a systematic study using data science method. We measure, model, and analyze project, developers process, an other object to deliver is to understand the metrics, such as activity and influence. The relational graph data is very useful. Mathematical tools similar to PageRank, which can be used to calculate typical metric value across the domain. And this is done through an open source project called Open Digger. At present, many technical analysis articles, academic papers, industry-wide papers, government reports, etc., are cited from with open data. And to provide a better service, we have recently launched another open source project, Open Lead Board, which is a monthly ranking list, which gives you a very visual view of the global and the Chinese open source development, including project ranking, organization company rankings, and the development rankings. As you can see from this chart, the two organizations from Alibaba and the AND group are ranked very high in China today, based on which I think our panel today will also be very repressive. By the way, the data project behind this list, Open Digger, is also an open source project currently incubated in the Mulan community. A neutral organization similar to a foundation in China. Behind it is the China Standard Institute, who also reflected government's contribution in participating in and supporting the construction of open source ecology. And the Chinese government attached great importance to the construction of a global open source ecology. However, it is equally evidence from some of our analysis that there is still a clear gap between Eastern and Western countries in the overall open source ecological contribution. The inference metric here, which is calculated by the method of global graph analysis I mentioned earlier, reflects the position of a project in the overall ecology. Our main gap is mainly in the overall volume. The average inference of our individual project is very close to or compel, but the number of projects that China's company open source is still silently behind other international companies. Nevertheless, with the global trend of enterprise activity embracing over source, also as the brain of enterprise open source governance and operation is already a consensus among everyone. I am also very happy to have the opportunity to talk with the leader of OSPO today. Our listeners must also be very interested in the practice of how companies promote open source in behind. Okay, that means I first introduce so much. Okay, thanks, Mr. Wang, for the source introduction of XLAB and the work of it. And I think what's really good about Open Leaderboard as mentioned earlier is beyond project and developers. This product also present indicators such as activity and influence for a large organization, specifically for commercial corporations. And it must be not easy for companies to use, to participate and even to contribute to open source. So that's what I really wish to learn from Richard and Amber as the managers of two very great OSPO's. So what are the challenges that makes it so crucial to set up an OSPO? Let's start from... Yeah, sure, I can go first. Yeah, so thanks, Professor Wang and Xiaoya. As we co-started and groups OSPO last year, we realized the need for OSPO actually comes from a fact that doing open source as a corporation is intrinsically harder. There are two primary reasons associated with that. One, the overall cost and risk exposure as a corporation. Two, it actually takes longer time to build momentum. So participating in open source is actually much easier as an individual. You just do it. There are clear costs, such as time and energy and relatively clear goals, such as social recognition. It's easy to evaluate. On the corporate side, things are different as the overall cost and potential risk exposure is actually higher. There are risks associated with improper actions such as compliance risk, legal risk, or security risks. So the proper use of licenses provides certain levels of protection, but there are still non-truel compliance of business PR risks lingering around. Similarly, the overall cost of doing open source is also considerably higher. Depending on the nature of the project, you need to thoroughly think through from a strategy perspective on how the project should be productionized and governed. There's also this cost problem. It's not easy to make someone who never done open source to fully embrace open source software and community best practices. The engineers are less motivated to write documentations and also take significant amount of effort to build habits for asynchronous communications. Just name a few of the challenges. So if the open source is hard with so many challenges, why would corporate still want to do it? This is because compared to individuals who participate in open source, the potential reward, quote unquote, from being open is pretty high. For instance, to be tooling-sized service or software, if done right, can directly benefit from being open sourced. The to be software ecosystem in China is also quite, is not quite the same compared to the Western world. It requires more than one project or team's effort to make a company's open source successful. So we do need to measure those risks, costs, and gains. This is actually where the metrics will come in. We'll also talk about that later. The second reason, it takes time to attribute momentum. Another challenge actually comes from the fact that it takes time to really build up all these open source practices. Investing in open source is typically a long-term plan which requires dedication. Why? Some of the immediate problems are relatively easy to address like providing open source license consulting for teams, but many other things, including by non-limited to as we call the culture of being defaultly open. So as other asynchronous communication practices, it actually takes much longer time to fully realize their potential benefits. There might be people challenging you along the way. Corporate investment open source is similar to investing in research institutions. The benefit is more long-term than short-term and evaluating short-term gains can be tricky. So committed to open source was required top-down dedication as well as bottom-up understanding. Let me handle this number, yeah. Thank you, Richard, and I can totally agree with you. And before I try to answer the question of why Ospaul, I'm going to give you a brief introduction about Alibaba's open source journey. And first, Alibaba's businesses comprise China and global e-commerce, local consumer services, cloud computing, logistics, digital media and entertainment and so on. So we started our open source journey very early back to 2008. And so far, we have more than 3,000 open repositories at GitHub, which attracted more than 13,000 contributors, 30,000 contributors and more than 1 million stars at GitHub, which is quite impressive. And our journey in open source has gone through three stages. And the first stage is from 2008 to early 2010. And back then, the Ospaul movement is still in its infancy and the influence is mainly in North America. And Alibaba is more of a user of open source software. And we occasionally contributed back to the open source projects that we use, like MySQL. And the main goal is to use open source software to replace expensive proprietary software to reduce cost. And this is only the first stage. And the second stage is from 2012 to 2019. In this stage, Alibaba has witnessed the value of open source, especially its impact on technology and technology influence and its value on attracting high quality employees. So we started to open source our own projects. For example, Rock MQ, which is a unified messaging engine lightweighted data processing platform. Because Alibaba has unique business scenarios like the E-commerce shopping festival like W11. And we are one of the biggest users of our own open source projects that we can incubate a lot of great open source projects like Double and Rock MQ. And in this stage, we do have open source technology committee, which is a virtual team composed of Alibaba technology decision makers to act as executive sponsor to make decisions of what to open source and what not to open source. But now, back then, we still don't have an OSPO. And the third stage is from 2019 to till now. And it is not until 2019 that Alibaba has established the OSPO. And for the first time, we have the full-time employee to work in OSPO. In this stage, the OSPO's responsibility is to work closely with the Alibaba open source technology committee on open source strategy, compliance automation, big project facilitator, and developer and academia outreach. So in a nutshell, why OSPO? Our main goal was to ensure that as a company, first, we are good employees. We're setting the boundary between proprietary code and open source code. And second, we are good open source citizens. We are not breaking any rules in the open source world. We need to respect the open source license and making sure we're given back to the open source projects that we depend on. And third, which is the most important reason is by investing time and effort in the open source projects, we need to ensure that Alibaba is having its technology footprint in the open source ecosystem. So these are the three main reasons that I think OSPO is important for Alibaba and the main reason why we started OSPO back to 2019, not in the first place. Thank you. Thanks, Richard. Thanks, Richard and Amber, for sharing the story and the ten points a company and enterprise faced. So I think after knowing why a corporation needs an OSPO, it's important then to ask, how do we perform it? So as mentioned before, we can see Alibaba and N Group ranked very high regarding the cooperation activity and influence in open source based on the behavioral data on GitHub. So would you share with us the story of how you govern and maintain open source within a large corporation? Because I think that must be used for use cases for other companies. We can start from this point. Sure. Thanks, Xia Yan. And I really agree with Amber. So there's always open source projects and there's also not the other way around. So N Group also has open source projects way before we have an OSPO, which we only initiated last year. So N Group open sources built top notch front end projects such as N Design and V, like JS, back to 10 years ago. We also have a top notch backend projects like Oceanbase, which is an industrial grade for business HTAP database. We are also rich of cloud native projects such as Sofa Stack, which was actually the first open source project that culminated on the backend side, as well as Mohsen, Layoto, and we are also exploring new areas like Cushion Stack, as long as I try just to name a few. I would say we begin our OSPO practices primarily last year. I summarize the overall OSPO role as maybe one principle and three practices. So the principle is OSPO would be the go-to entity for both internal and external open source related matters. In engineering terms, we identify OSPO as a facade or a public API, which abstract internal capabilities and interact with external world. Why was this public API metaphor? Because the public API is designed to last. So it's a contract with external communities and entities. To do that, we have normalizing and standardizing OSPO. So it becomes a common terminology and potentially a common belief that we can all fall back to. So we don't need to start from there to explain that we need a governing body which could help the company managing open source compliance matters, as well as blah, blah, blah. Instead, we can just say, let's build the OSPO. We do believe that not all OSPs are created equal. So it's actually by design for OSPs to take different forms, just as what Amber described. As OSPO and Alibaba also, we learn actually from each other, but we also have distinct characteristics. So on the side, we focus on three primary practices, two on the internal side and one external side. On the internal side, OSPO is actually unnecessary infrastructure to enable developers and their teams to open source compliantly and confidently. So this aims to help internal engineering teams. The primary focus of this work is fair-heading processes and best practices for projects and community members to learn and follow. So if we go down one level, we're focusing on tools and utilities such as odd SCA, SAST tools, communication tools and utilities, which could help achieving that. Matrix is also a key aspect as observability is typically a critical factor of infra. And the second practice we do is we consider OSPO as an enabler. So we can actually do open source without OSPO. So what does OSPO really do? In our terms, OSPO is actually act as a catalyst to a chemical reaction. So catalyst itself will not achieve much, but it either makes an impossible reaction pattern or it actually enhances the speed of the results of reaction. So Engroup OSPO actually helped our projects as a girl. We first provide strategic planning for goals, governance consultation, operation plans design, just to name a few, as well as potential go-to-market strategies to actually help the projects being more professional and successful. The metrics and evaluation criteria provide no-star guidance for our teams. So they would have some impartial and professional references, which they can directly relate it to. This is also why we're actively collaborating with X-Labs and the rest of the research institutions. Last but not least, the third practice is on the external side, we would like OSPO to be the deal maker. There's a book I really love. The Rainforest, The Secret to Building Next Silicon Valley. On my first read of that book, it actually talks about success factors of Silicon Valley. But on the subsequent release, I felt everything the book was discussing can be applied for open source communities. The book actually mentioned that even though there are many other places with similar concentration on talents and investment, what made Silicon Valley so specially successful was the network hubs. So there are those well-connected individuals with a given style and they connect startups with investments. So the book refers such existence as a deal maker with a positive connotation. So at the facade, which connects with the external world and communicate with communities, foundations and the collaborators, OSPO has the potential to be this deal maker. For instance, good projects like ocean base or the cloud native projects actually can benefit from other consolidations that the OSPO is actually acting as a facade so that we can actually aggregate all the external demand to offer our projects all together as a unified solution, just to give one example. Let me handle this to Amber now. And I can talk and resonate with you and we definitely learn from each other about how to work in the OSPO. And talking about OSPO practice, I think the Todo Group is already doing a great job by raising the awareness of OSPO and creating content out there on OSPO best practice for different organizations to learn. And the OSPO mind map, which is created by Todo Group, give us a great bird-eye view on how to set up roles and responsibilities for OSPO. It also gave us practical advice on how to set up the right size of OSPO. It can be a full-time employee, large or small team, a virtual team or a single full-time employee managing multiple functions. And the best advice I can give you to other organizations who are thinking about setting up OSPO is don't think about the roles and responsibilities first. Think about the organization's goals first. It's not about how to do the OSPO right. It's just about what goals you want the OSPO to achieve. And do I already have the right person, right talent in the organization to reach the goal or solve those certain priorities? And like I said, it was not until like 2019 that Alibaba set up its own OSPO with full-time employee. And still, we are a very agile and very compact and hybrid team working with our legal department and risk management department. And as a such compact team, managing more than 3,000 open repositories and some of China's most vibrant open-source projects is such a big challenge. But as a horizontal team, we are working with expert teams on tooling automations both in governance and community management. For example, we have... That's why we work with XLab for a long time to measure the influence and healthy level for our projects and making sure we are monitoring in the right direction. And we are definitely not just looking at the star figures on GitHub. But there is no secret formula that you can apply to your organization that if you want to set up an OSPO and really make the impact and get the value out of your effort. So you have to set up the right goals and get the right people to work together within your organization and leverage the effort. And I think this is the advice I can give you to my peers who are thinking about setting an OSPO from a scratch. Well, I really couldn't agree more with Amber on the best practices side. In fact, I mean, the OSPO best practices should be very golf centric and back to our three practices. We focus on the necessary infra and on that particular front, we actually focus on the governance side back a lot. Back to the risk we mentioned, typical companies will have security and compliance teams. That said, open source security and compliance requirements are specific. After finding those alliance members, next step, okay, let me do this again. Crap. I was totally off sync. Okay. All right. I really can't agree more with what Amber mentioned. Setting up OSPO's best practices should be very golf centric. So back to the three practices I mentioned, I would offer maybe two additional tips, which we can actually use to setting up OSPO from ground up. The first one is finding all the lines you can find. So actually back to the risk we mentioned, typically companies will have security and compliance teams. That said, open source security and compliance requirements are specific. Furthermore, as open source communities means code and documentation is visible on public internet, branding and PRs would like to work with us too. So after finding those alliance members, next step will be refining and standardizing the methodology. And once we have the methodology, the next question will be about tooling. So this coherence theme is actually falling through when I actually set up the OSPO from ground up. On top of that, one group is actually facing additional challenge with multiple fleets with a group, which are facing different compliance and governance requirements. For instance, MI Bank, which is an groups of fleets, is an online bank and a financial institution. So there will be additional regulations and compliance requirements for using open source software specifically tailored for banks on top of all the open source requirements we already have. So that's one aspect. And another aspect is really about all OSPs are created differently. We can definitely use our imagination. While to do go back to provides a very standardized practices and all the reference material can have, I would strongly suggest everyone to actually use that imagination to identify internal external clients and really trying to solve their problem. All of them, I would say like the regular practices. So for end, one thing we did is we actually adopted lifestyles, all the life cycles of CNCF use internally and provide end-to-end support for open source projects depending on their stage. So projects started from sandbox stage in which we would help the team to refine and focus on their primary goals. And as a criteria for open, for sandboxing is actually the team review. We review the application with a joint board including by non-limited to the TOC compliance expert, security expert, brand expert, as on the chart. Together we make a diplomatic decision on if the project is ready to be open sourced. And once the open source actually passed our joint review in the incubation stage depending on the nature of the project, we will focus on designing the operation strategies as well as potential commercialization strategies with the project team. So it's actually a rinse and repeat process that also works closely with the project team. For the mall, we actually have inner source as a staging environment which people can put their projects in to learn and grow. Inner source by definition is this internal environment in which people can actually share their projects as if it's being open sourced but it's only visible to the whole corporation. By offering engineering a playground internally it significantly reduces barrier of contributions and sharing. Engineers who actually shine and contributed to open source directly felt more comfortable in an inner source environment. It also act as a perfect playground for setting up good practices like documentation rules, async communication rules which solves the fundamental problems also faces. Just add a few additional, I would say, pro tips to our discussion. Thank you. Thanks Richard for adding the structure and introduced to us how different department, the project team, the security team, how they are interconnected and cooperate with each other. That's very inspirational. Thank you Richard and Amber. I really like the idea that Amber mentioned how the design structure and the strategy of NOSCO should be based on the organization's goal. Okay. I think the data insights, the way we measure the tool provided by XLAB Illustrated today and two best practices of the two rather significant NOSCOs in China are inspirational. And so that's all the panel discussion for today. Thanks audience who listened to this panel. Thank you. Thank you. Thank you. Thank you. We still see you offline soon.