Our Director of DevOps, Maurizio Pillitu, speaks on how the Foundation enables OSS compliance at FinJS in London.
How are you engaging in the Open?
The Symphony Software Foundation was founded by the largest financial institutions worldwide to foster an open ecosystem and standardization on the Symphony messaging platform. Open source software (OSS) was chosen to drive pervasive adoption and to de-risk the structural investment in a mission-critical channel such as inter- and intra-firm collaboration. Among other bylaw provisions, this is ensured by mandating that every asset (code, binaries, documentation, etc.) be published under a permissive, enterprise-friendly license (Apache License version 2.0).
OSS is massively adopted and a strategic CIO concern, as documented in Black Duck's Future of Open Source 2016 survey, and the numbers keep growing: adoption up 5% and OSS contributions up 2% in 2015. However, when you look at the firms that commit dedicated resources to OSS development (33% of respondents) and/or define formal policies for selecting and approving OSS code (50% of respondents), the numbers are lower than expected and suggest that there is room for improvement in how OSS is adopted and engaged with.
While the open ecosystem is thriving in terms of mass production and commoditization of software, examples like Heartbleed (in whose aftermath the Core Infrastructure Initiative was founded) or the infamous left-pad failure in the npm ecosystem require the Foundation to put open source software compliance at the very heart of our Open Developer Platform.
Why OSS compliance
From a consumer or contributor perspective, reaching OSS karma is a journey that most commonly starts with consumption and ends with compliance, in the broadest sense: security and legal compliance, but also high quality standards and respect for the Community's code of conduct.
Compliance is also a prerequisite for making an educated choice when using OSS, as it provides clear guidelines to assess a project and decide whether it is secure, reliable, compatible with your firm's bylaws, and so on.
Compliance is an important subset of software asset management and corporate risk management: it involves thorough software auditing that relies on metrics (what to track), KPIs (how to express progress) and measurements (how to produce the KPIs).
The Symphony Software Foundation aims to help both consumers, in making an educated choice, and contributors, in sharing and reusing compliance metrics and automation/infrastructure.
Within our project hosting offering, we facilitate (among other things) a continuous validation process that is responsible for running different types of measurements and publishing those results on the project's homepage, in the form of badges and achievements.
Contributors can configure validation processes of their choice by interacting with a project infrastructure that the Foundation constantly evolves to meet new requirements, platforms and ecosystems.
We believe this automation allows Contributors to focus on their core skill and desire, i.e. delivering high quality code to projects through a seamless developer experience.
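To make the metrics / KPIs / measurements chain concrete, here is an added example (not code from the Foundation's own validation infrastructure) of one such measurement: a license-compliance check over a dependency manifest, reduced to a KPI and then to a badge status. The manifest format, the package names and the license allowlist are all assumptions made for the example; the manifest content is constructed.

```python
"""Constructed example of one validation step: a license-compliance
measurement over a dependency manifest, reduced to a KPI and a badge.

This is an added illustration, not code from the Symphony Software
Foundation's infrastructure.  The manifest format, package names and
license allowlist below are assumptions made for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption: licenses the validation accepts for redistribution alongside
# Apache-2.0 code.  Anything outside both sets is "unknown" and fails closed,
# so a dependency with missing or unrecognised license metadata is surfaced
# for review instead of being silently accepted.
ALLOWED_LICENSES = {"Apache-2.0", "MIT", "BSD-2-Clause", "BSD-3-Clause", "ISC"}
DENIED_LICENSES = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}


@dataclass(frozen=True)
class Dependency:
    name: str
    version: str
    license: Optional[str]  # None when the manifest carries no license metadata


@dataclass(frozen=True)
class Finding:
    dependency: Dependency
    status: str  # "allowed", "denied" or "unknown"


def parse_manifest(text: str) -> List[Dependency]:
    """Parse the constructed 'name version license' format ('-' = no license)."""
    deps = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed manifest line: {raw!r}")
        name, version, lic = parts
        deps.append(Dependency(name, version, None if lic == "-" else lic))
    return deps


def classify(dep: Dependency) -> str:
    """Measurement: map one dependency's license to a compliance status."""
    if dep.license is None:
        return "unknown"
    if dep.license in ALLOWED_LICENSES:
        return "allowed"
    if dep.license in DENIED_LICENSES:
        return "denied"
    return "unknown"


def measure(deps: List[Dependency]) -> List[Finding]:
    return [Finding(d, classify(d)) for d in deps]


def compute_kpi(findings: List[Finding]) -> Dict[str, object]:
    """KPI: per-status counts and the share of dependencies that are allowed."""
    counts = {"allowed": 0, "denied": 0, "unknown": 0}
    for f in findings:
        counts[f.status] += 1
    total = len(findings)
    ratio = counts["allowed"] / total if total else 1.0
    return {"total": total, **counts, "compliance_ratio": round(ratio, 3)}


def badge_status(kpi: Dict[str, object]) -> str:
    """Badge: the KPI reduced to the one word a project homepage would show."""
    if kpi["denied"]:
        return "failing"
    if kpi["unknown"]:
        return "warning"
    return "passing"


def validate(manifest_text: str) -> Dict[str, object]:
    """Run measurement -> KPI -> badge over a manifest and return all three."""
    findings = measure(parse_manifest(manifest_text))
    kpi = compute_kpi(findings)
    return {"findings": findings, "kpi": kpi, "badge": badge_status(kpi)}


# Constructed sample manifest; package names are fictional.
SAMPLE_MANIFEST = """\
# name           version  license ('-' when the package ships none)
alpha-utils      1.2.0    MIT
beta-core        3.0.1    Apache-2.0
gamma-parser     0.9.0    GPL-3.0-only
delta-pad        1.0.0    Custom-EULA
epsilon-vendored 0.1.0    -
"""

if __name__ == "__main__":
    result = validate(SAMPLE_MANIFEST)
    for f in result["findings"]:
        d = f.dependency
        print(f"{f.status:8} {d.name}=={d.version} ({d.license})")
    print(result["kpi"])
    print("badge:", result["badge"])
```

The design point is the fail-closed handling of the unknown case: a dependency without license metadata, or with a license the policy has never seen, lowers the KPI and turns the badge to "warning" rather than passing, which is the behaviour an enterprise consumer relying on the badge would expect.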
All projects hosted by the Foundation adhere to a project lifecycle composed of four phases:
- Incubating, where experimentation and innovation happen
- Active, the longest phase, for projects that adhere to an established level of security, quality and legal compliance; in other words, enterprise-grade projects
- Long-term maintenance, for projects that continue to be maintained but have achieved a high degree of functional completeness
- Archived, for projects that are no longer actively maintained, or have faltered for other reasons
Each phase clearly defines what a consumer can expect from the project in terms of maturity. Metrics and KPIs are then published on the project's homepage using badges, graphics and user manuals to lead the consumer to an educated decision.
Open compliance in highly regulated industries is an opportunity...
- for enterprise consumers, to get a low-risk, high-value, educated selection approach to OSS technology
- for enterprise contributors, to share best practices, metrics and infrastructure and to build better quality software, while knowing that the OSS they produce is directly usable through a smooth adoption path in the firm
The Foundation enables this opportunity by defining and enforcing the project lifecycle across all hosted projects, which embodies legal, security and quality standards common in regulated industries like financial services.
We'd love to hear from our own and other communities whether we are going in the right direction and to share experiences; and if you are a Member, don't forget to participate in our Open Source Readiness Working Group.
You can get in touch and send us your feedback here.