You assume some risks every time your company employs any technology, open-source or not. When I consider the dangers of open source, I’m reminded of an XKCD comic depicting how all contemporary infrastructure is precariously based on a project run by a random person in Nebraska. This is a more typical scenario than you might believe.

Several approaches to assessing and addressing these hazards exist. You can help make the correct business decisions about utilizing and contributing to cloud-native, open-source projects by assessing those risks.

Here are the questions you should ask, as well as how to deal with the risks that the answers may pose.

1. What do you know about the contributors?

Are there enough contributions from enough organizations for any open-source projects that you rely on? The purpose of this inquiry is to ensure that the project can continue without interruption if something significant happens to one of the contributors or organizations.

This is a greater danger for projects that are extremely complex or incorporate technology that necessitates specialist knowledge. You should also consider where the contributors work. If the majority of them work for the same company, consider what might happen if that company’s strategy changes or is bought. It may even run out of money or close its doors.

Finally, consider whether the project would be successful if all of that company’s employees left.

2. Who’s in control?

Who owns or controls an open-source project is another crucial risk indicator? Projects with neutral governance, in which decisions are made by people from a variety of different companies, present a lower risk from a risk standpoint. Projects built on vendor-neutral foundations have the lowest risk.

Kubernetes’ success is due in part to the Cloud Native Computing Foundation’s leadership (CNCF). Putting Kubernetes on a neutral foundation created a fair playing field where people from various firms could collaborate on something that benefited the entire ecosystem.

With resource materials, maintenance sessions, and assistance with various administrative duties, the CNCF focuses on helping cloud-native projects set themselves up for success.

Open-source projects controlled by a single firm, on the other hand, are more vulnerable because they are subject to the whims of that company. If the corporation decides to move in a direction that does not fit with the expectations of the community’s other participants, outside contributors have no redress. Within a project, this can take the form of licensing modifications, forks, or other governance concerns.

3. Is the governance documentation clear?

You can learn about potential hazards by reading the governance paperwork for a project. Due to the possibility of misunderstanding and imprecise expectations, projects with minimal or no governance documentation are at a higher risk.

Governance is intended to define roles and duties as well as decision-making processes, however, it varies in size depending on the project.

All initiatives should have governance documents, according to the CNCF. By the time a project enters the incubation phase, the contributors managing it must have governance.MD file that outlines who is leading it and how future leaders will be chosen, with the requirement that the process is employer-neutral.

The idea is that a fair and open procedure for picking leaders, such as elections, decreases your risk because your contributors can vote in the elections and have a role in how the project is run.

4. Does the project have a charter? What’s in it?

A project charter, which can take many different forms, should also be included in the project. Often, it isn’t referred to as a charter at all, but rather as a goal statement, scope, values, principles, and other similar notions contained in governance documents and/or project README files.

The cloud-native ecosystem as a whole is complicated, and many projects have overlapping features. A charter can help end-users understand how your project fits into the larger ecosystem and what features it offers vs the various alternatives. Having this documented can assist avoid future conflicts and misunderstandings, lowering risk.

5. What is the community’s culture?

The neighborhood might also have a significant impact on the project’s total risk. Examine how people treat one another in the community, particularly on mailing lists, GitHub reviews, Slack/IRC, and other lines of contact. Because your staff will love contributing to the community, projects with a culture focused on respect and kindness have a reduced risk.

Toxic cultures in open-source projects, on the other hand, put your staff and other contributors in danger. Employees’ emotional and physical health may be jeopardized, and toxic environments can have a negative impact on retention, as employees may be willing to quit a project’s poisonous community and seek employment elsewhere.

It will be difficult, if not impossible, to limit this risk if the culture is too poisonous. There’s always the possibility that things will go horribly wrong with the project as a whole if things in the community deteriorate further and contributors begin to vanish.

Start by understanding your acceptable risk

The majority of business decisions boil down to risk assessment and tradeoffs. As a result, you should consider project risks in terms of how you’ll use these initiatives in your company. If you’re going to construct a product on top of open source, you’ll want to minimize risk as much as feasible.

You can, however, tolerate more risk if you’re employing an open-source project as a small component within a minor element of your infrastructure.

There is no such thing as a perfect endeavor, no such thing as a perfect risk, and no such thing as a perfect answer for every case. Like most things, project risk occurs on a scale. Choosing which risks taking is only the beginning of the process; you need also consider how to monitor and manage those risks over time.

Consider the risks you’re taking and make informed decisions about which ones are acceptable.

For more info:

Also Read: