 Welcome to my talk about open source project governance, leadership and company affiliation. Today, I'm gonna talk about a few topics related to governance. Starting with a look at the differences between projects that are under foundations compared to projects that are run out of individual companies. After that, I'll talk about how governance is mostly about the roles and processes that guide how people collaborate and make decisions, including some thoughts on how to document all of this in ways that set up your project for success. Then I'll wrap it up with a few final thoughts and some links to a few useful resources. But first, I'll tell you a bit about me. I've been in the technology industry for over 20 years, working mostly on open source projects from within a pretty wide variety of companies like Puppet and Intel. At Pivotal, I was responsible for Pivotal's Kubernetes contribution strategy, and I was actively contributing to the Kubernetes contributor experience, special interest group. Now I'm working in VMware's open source program office, and I'm responsible for our open source community strategy. So lately I've been active in the CNCF contributor strategy seg, in particular the governance working group. I'm also a board member of Open UK, which is focused on developing and sustaining leadership in open technology within the UK. I'm a governing board member and maintainer for the Linux Foundation's chaos project, which is focused on using metrics to evaluate the health of open source projects. And I'm on the advisory board for Patergia, which is a company that does open source health metrics. I also have a PhD from the University of Greenwich in London, where I spent some time researching how people working at a bunch of different companies collaborate together within the Linux kernel. I wanted to start by talking about why it's important to think about who controls or owns an open source project, because it's something that many of us probably don't spend as much time thinking about as we should. Projects that are controlled by foundations and ones that are owned by an individual company can have very different dynamics and different risks associated with participating in those projects. It isn't always clear whether a foundation is neutral or not. I generally start by looking at the leadership for the foundation. If the board of directors or other leadership bodies are made up of people who work at a wide range of companies, especially competing companies, that's a good indication that it's a neutral foundation with a good balance of people to represent different various aspects of the industry. If the board members are primarily made up of people from a single company or maybe just a couple of companies that have very close ties, it's not likely to be a true neutral foundation. Trademarks are another thing to look at and in a neutral foundation, the foundation should own the trademarks associated with the name of the foundation and the projects or if they don't own them, at least they manage them. And if the trademarks are owned by a company, especially a single company, that's a red flag that the foundation is probably not neutral. It can also help to look at the projects under that foundation. Were they originated at a single company or did they come from a variety of companies? Do those projects have leaders from a variety of companies? Do they have contributor license agreements or CLA's from a single company or is the CLA from the foundation? The more you see references to a single company across the projects, the less likely the foundation is to be neutral. And these are just a few of the many things should look at when deciding if a foundation is neutral or not. The Apache Software Foundation, the CNCF, the Linux Foundation, that those are all neutral foundations, examples of them, there are many others. On the flip side, the open usage comments is not one that I would classify as a neutral foundation. The success of Kubernetes can be attributed in part to being contributed to the cloud-native computing foundation. Putting Kubernetes into a neutral foundation with representation from a bunch of different companies provided a level playing field where each of us could collaborate and innovate as equals to create something that benefits the entire ecosystem. With neutral foundations, our end users get access to more innovation from a diverse group of contributors while also reducing vendor lock-in. For example, users of Kubernetes can consume enterprise versions from a wide variety of different vendors that run on any of the leading cloud providers. And as software vendors, we can contribute to foundation-driven projects with the confidence that no one company is in control of the project. And that we can all contribute as equals within the community. Open-source projects that are controlled by a single company are higher risk because they operate at the whims of that company. Whereas projects that are under neutral foundations have a lower risk, both for end users and for software vendors. When a project is owned by a company, there is little recourse for outside contributors when that company decides to go in a different direction that maybe doesn't align with the needs or the expectations of the other participants within that community. When a project is owned or controlled by a company, consider the reputation of that company as a steward for open-source projects. But keep in mind that they can change their strategy at some later date. We've seen this with Google, for example, around the SDM and Knative projects. And I'm not saying that we shouldn't participate in open-source projects owned by other companies. We certainly should in a lot of cases, but we should think about the risks that we're taking. In some cases, it makes a lot of sense to accept this higher risk. But we should try to at least make sure that as a company, we understand the risks that we're taking. At VMware, we believe that contributing open-source projects to neutral foundations is important. And it's something that we do regularly for projects that we've started once they gain a bit of traction with people outside of the company. For example, we've contributed harbor and contour to the CNCF. And we contributed turn to Linux Foundation's Automated Compliance Tooling Project. We've also contributed projects to the Apache Software Foundation and a bunch of other foundations as well. And the challenge with contributing open-source projects to foundations is that you do give up some of your control from the company to the foundation. Typically, assets like the projects, trademarks, repositories, websites, and other things would be then transferred from the company to the foundation. Existing maintainers and leaders will usually keep their positions. However, neutral foundations try to make sure that governance is set up in a way that makes it easy for people from other companies to participate and eventually then move into leadership positions. So as the contributing company, you should expect for more leadership transitions over time as you get more leaders in the project that work for other companies and as a percentage fewer that end up working for your company. Well, this does mean giving up some control over the project. There are a lot of benefits. With advantages around community building, innovation, wider adoption, it's something that we should at least consider for our open-source projects. It's also important to think about when your project might be ready to contribute to a neutral foundation. If your project is very immature, foundations are unlikely to be interested in your project. Whereas a project with many users that has good traction within the industry that just maybe needs some help moving up to the next level would be much more likely to be accepted into a foundation. However, companies should understand that contributing a project to a foundation is an ongoing commitment. It's not an exit strategy. And you need to be prepared to provide staff and support over both the short-term and the long-term just like you would if you weren't contributing it to a foundation and you were going to continue to maintain it internally. We've been doing quite a bit of work within the CNCF contributor strategy seg in the governance working group to help document governance best practices. And this section contains a lot of ideas, inspiration, and materials that I've been working on along with people like Josh Bergus, for example, within this working group. Now, a lot of people like to hate on governance. It's just paperwork. It's busy work. It's politicking that gets in the way of doing the real work on the project. The reality is that governance can be found in all open source projects in one form or another to specify the processes for how people work together within the project. Ideally, it will be clearly documented, but for some projects, especially the smaller ones, it might be a bit more ad hoc and informal. Governance helps outline the expectations around roles and responsibilities along with the decision-making processes. So it's important to have at least the basics in place early, since it's one of those things that you may think you don't need until you realize that you actually do when something goes wrong. It's usually easier to set clear expectations up front rather than realizing later that various people have very different expectations, which can take a lot more time to sort out. This doesn't mean that you need to specify everything up front, and I would discourage you from over-engineering your governance processes before you need them. A project with only a few people will not need elaborate elections to select leaders, but you should probably define a few basic roles, like maintainer, for example, the process for contributing to your project, and define how decisions about those contributions are made. If the process for collaboration and decision-making are not clearly documented as part of the project governance, this can increase the risk of participating in the project or in using the project because it introduces a lot of uncertainty into the mix. Knowing how collaboration occurs and how decisions are made is absolutely vital to being able to make contributions that are more likely to be accepted. There are a few documents that every project, even the very small ones, should have. It should go without saying, but open-source projects need appropriate licensing documentation. I occasionally find repos with missing license files, which is maybe less common, but more often I see licenses not applied correctly within projects. In addition to just putting a license file in your repository, some licenses require things like a notices file or license headers within each source file. You should also have a code of conduct that people can easily find with details about how to report incidents, along with then the consequences if someone violates that code of conduct. Sometimes people who are new to implementing codes of conduct can find it intimidating because they think it's something that they need to write from scratch. But I would encourage you not to do that. You should just use something like the contributor covenant, which is pretty much the gold standard for codes of conduct right now. And it can be simply copied and added to your repository. There's nothing special that you need to write for the code of conduct itself. However, the bit that you do need to spend some time on is making sure that you actually have a plan for enforcing it before you need it. You'll need to nominate a couple of people who will be responsible for taking reports from community members when the code of conduct has been violated and then handling those responsibly. But the contributor covenant page actually has loads of details and links to resources for learning about how to implement and enforce a code of conduct. And so that can be a really good starting point. Your contribution documents should provide enough details about the contribution process so that someone new to the project can make their very first contribution. This includes details about how to sign your contributor license agreement if you have one, a CLA, or how to use the developer certificate of origin or soft and refer to as the DCO or signed off by process if you have that instead. Also, if you have strong preferences about coding style, testing, documentation, or other requirements, this is a good opportunity to make sure that new contributors know these upfront, which helps reduce the burden of trying to educate each individual contributor about your requirements while you're also trying to review their contribution for its merits. You'll want to make sure that your contributors know what to expect and how to navigate the project when making contributions. The communication process should also be clearly defined so that people know both where and how to contribute to the project. Maybe you prefer mailing list discussions or Slack messages or issues for feature requests. Maybe you have separate communication channels for users and a different one for developers. Make sure that everyone understands how people within the project communicate with each other to avoid a frustrating experience, not just for your new contributors, but also for your existing ones. Projects should also document the processes for reporting and responding to security issues. Projects that take a proactive approach to addressing security issues and releasing fixes are much more likely to be secure. You should also be using automated tools like Dependabot, for example, to help identify when new versions of dependencies are available, which also helps you keep on top of potential security issues. And while there are no guarantees and critical security issues can just sort of pop up at any time, taking a proactive approach to security reduces the likelihood of having serious security issues that will then be exploited later. The project should have a security.md file or another document with details about the process for reporting and responding to security concerns. At a minimum, you'll want to have a way for people to privately report security issues and have a few people who are designated to handle those issues. Large projects that are used by vendors within their commercial products should also have things like embargo lists where you can provide information to vendors and give them time to prepare their security fixes for their products in advance of that security issue becoming public to help them avoid being exploited as soon as the issue becomes public and give them a little bit of time to prepare. You should also have some kind of documentation about your leadership. For small projects, you might just need a list of maintainers in your readme file or maybe owners or maintainers files that indicate which people are responsible for the various areas within the project. Defining the roles and responsibilities for contributors, reviewers, and maintainers is probably enough as a first step which can help with then recruiting people into these roles. For bigger projects, you'll want to have a lot more details about the specific roles and responsibilities for each of the different leadership roles along with then how other people can move into those positions. You might have committees, working groups, special interest groups, or other groups that will need leaders. And again, having this documented can really help you recruit new leaders as you grow the project and need more people to share the workload. There are quite a few different options for selecting leaders as a part of defining your governance. And the ideal is to have a process that provides a fair and level playing field that defines how contributors can eventually move up and become leaders. This should be documented so that all participants can clearly understand the criteria and the process for moving both into and then again out of leadership positions. Most of the bigger projects like Kubernetes, for example, have an election process, at least for the top levels of leadership like a steering committee. Then at the lower levels of leadership, many projects have a process where the existing leaders help select the newer leaders. For example, new maintainers are often nominated by existing maintainers and approved after maybe a certain number of maintainers agree, or sometimes it requires a vote by maintainers or maybe from a particular committee. And there are a bunch of different options for selecting leaders. So I will not try to cover all of them here, but there is an entire document devoted to these various options which are available at the link on the slide for more details. Your project governance should be designed to keep diversity and inclusion top of mind. Building a diverse community where all people feel welcome and included does not just happen. It requires putting work and thought into it. And when you're starting a project and thinking about governance, this is a good time to do this. I talked about codes of conduct earlier and having a code of conduct that you actively enforce helps make sure that everyone feels safe and welcome within your community. Providing an environment where everyone, including people from marginalized populations feel safe is the first step toward building a diverse community around your project. You should also look at whether you have a diverse set of people at every level within the project, but especially in leadership positions. And if not, you should come up with programs that help underrepresented folks get involved and then move up within your project. Ideally having programs that give people opportunities for shadowing, mentoring and sponsoring new potential leaders can help you grow a diverse set of people into leaders within the project. The Kubernetes contributor experience special interest group is a great place to see an example of how to implement programs for things like shadowing and mentoring. Projects that make a concerted effort to bring in new people from a variety of backgrounds and have programs in place to help them grow into leadership positions are more likely to benefit from increased innovation and have a healthier community. Diversity and inclusion can be really difficult to measure. And it usually involves mostly a manual assessment, but we've defined some metrics within the chaos projects, diversity and inclusion working group that you should have a look at for ideas about measuring various aspects so that you can then improve your projects, diversity and inclusion. Governance is one of those things that is never really finished. We work in a space with constant change, technologies change, strategies change, the way we work changes, everything changes. And our governance needs to evolve right along with those changes. In particular, as open source projects become more mature and grow what they need from governance will change dramatically. The governance processes that you need when you have only a couple of maintainers is likely to be insufficient when the project grows dramatically. And as your projects evolve, your governance should evolve right along with them. And you can see some of this within the CNCF requirements. So if you look within the CNCF, their projects can apply to be in sandbox. They can move up to incubating and then they can eventually move to graduate it. And the requirements are a little bit different for each one and they do tend to build on each other. So the CNCF documentation for the guidelines for what it takes at each of those three levels and what the requirements are that you need to move into each one of those levels can help you get a real sense for how the governance does evolve within projects and what you need when you're small versus what you need when you're a big graduated project like Kubernetes, for example. There are so many aspects of good governance for open source projects. And I only had time to talk in detail about a few of the ones that I think are the most important, but taking a step back from looking at the big picture, what I have here on the slide is the common theme that drives why I think governance as a whole is so important. Governance provides a framework for setting expectations for roles, responsibilities and how people within your project should behave. By clearly documenting these expectations, you can reduce uncertainty and make it easier for people to know how to participate in your project. The more you can do to help everyone participate in meaningful ways, the more welcome they will feel within your open source community. I'll wrap up the talk with a few resources that people might find useful. The to-do group has a bunch of guides that have great information about creating and managing healthy projects. And many of them talk about various aspects of governance. The CNCF contributor strategy SIG has a governance working group with more details about what you need for governance and some options for leadership selection. The open source way guidebook has an entire chapter on governance that has loads of details and it's an absolutely fantastic resource and it's a great starting point if you're just starting to figure out governance for your project. And these are all really great starting points for understanding how to govern your open source project and what you might need for your project. With that, I will say thank you for coming to my talk and I have left some time for questions. So hopefully we can answer a few of your questions now that the talk is finished. So again, thank you so much.