Lessons From GitHub*




As the home of so much open source code, GitHub* has a unique view of the open source ecosystem. Ashley Wolf, GitHub’s Director of Open Source Programs, shares her own take on the role of an OSPO, trends in open source software development, and the tools her team gives back to the community. 

Katherine Druckman: GitHub is where a lot of open source gets made today, and I think that's really exciting because I'm hoping we'll get to peek behind the curtain just a tiny bit. 

Ashley, please tell us a little bit about yourself and what you do at GitHub? 

Ashley Wolf: Sure, and thank you for having me on the podcast. Really excited to be here today. I'm Ashley Wolf. I lead GitHub's Open Source Program Office, or OSPO. I've been at GitHub for about two and a half years now, and I'm focused on helping people at GitHub be successful with open source. We do that through both programs and product work, which hopefully we'll cover a little bit throughout the show. 

I became familiar with OSPOs after I knew what open source was. I came around to work in what I think is a bit of a niche because I was very interested in the intersection of technology, public policy, and community. Along the way, after I started getting involved in open source as a developer, I learned that there were organizations that create these programs around “giving code away for free,” and I was really surprised.

I thought, “Wow, companies are giving their code away for free. What's that all about?” I started to do a bit more research in that area and learned about folks like Heather Meeker, Gil Yehuda, and others that were championing this idea of open source program offices. I became really interested in joining one.  

I learned everything I could about a career path and opportunity there. And fortunately, about a decade ago, I ended up joining the Yahoo Open Source Program Office and got my start working in OSPOs there. 

Katherine Druckman: I had a conversation with Jessica Marz who heads up our own OSPO here at Intel, and I wanted to mention something that came up in that conversation, which is that the role of the OSPO and OSPOs themselves can be quite different at different companies. And I think that's kind of an interesting perspective that you might bring. The OSPO role is important to connecting so many dots across a company or organization. How do you view the role of the OSPO and what are your priorities at GitHub?

Ashley Wolf: I heard that podcast and Jessica said it very well. I'll say it in another way: It's not one size fits all when it comes to creating an OSPO inside of an organization.  

With more traditional large companies, there is a status quo around having an OSPO because they use a lot of open source. They want to create a strategy around open source, so it makes sense to have a program office like that. You'll see pretty similar functions focusing on open source license compliance and security vulnerabilities within open source. Then, there is focus on looking after the communities and open source that folks within the company are creating, and hopefully establishing some presence within the ecosystem through working with organizations, external engagement work, maybe sustaining open source on their own through contributions or funding organizations and foundations. 

We'll see a lot of that with more of the large companies like tech companies. And in addition to that, I've seen the trend now shift maybe away from a focus on compliance and code to a lot more around community and engagement as we move away from just big companies setting up OSPOs to all types of other industries looking at learnings from what we've done with OSPOs and taking those to build out their own open source program offices.

For example, universities are creating OSPOs and their focus isn't necessarily around code and compliance. It's more on the external engagements, connecting with researchers, connecting with other universities, and we're seeing a rise in governments creating OSPOs as they're embracing the adoption of open source, wanting to contribute more, and wanting to focus on securing open source more.

Katherine Druckman: As I mentioned, GitHub is the home to so much open source, and it's foundational to the open source software ecosystem. So many projects rely on GitHub and its tools. Who among us doesn't love GitHub Actions? For that reason, I think your perspective seems uniquely valuable. What is it like seeing GitHub's community role from your angle?

Ashley Wolf: I'm super excited to be able to see things from this side. I remember eagerly looking at GitHub, wondering how to absorb all that was happening there. And now that I'm on the other side of the table, I'm able to see all this activity and community at scale. I'm consistently in awe, and I'm excited at the prospect of learning something new about what people are doing in open source and sharing that excitement or celebrating it with them. I think our latest stats that we share about what's happening on GitHub is somewhere like 100 million developers today on GitHub, 4 million plus organizations, and just last year alone, there were 413 million contributions to open source.

And when we look at the perspective from an OSPO, some of the most popular projects on GitHub are backed by companies. Among some of the large projects that we all rely on and use, a number of them are company led, company maintained, and a lot of people inside of companies are working on open source more and more as part of their full-time jobs.

Katherine Druckman: From your position, how does visibility into that greater GitHub landscape inform your own use of open source software within the company?  

Ashley Wolf: Open source was happening long before I came to GitHub, and there was a tremendous amount of open source that we use that we're contributing to, and a number of people at GitHub that are considerable maintainers and involved in different parts of the ecosystem. So, when we looked at the goals for establishing an OSPO at GitHub a few years back, it really centered around helping us be more successful. 

Since we operate at such a large scale with the amount of open source we use, we encourage a lot of open source use. We encourage people to contribute to open source, to create a lot of open source. And over the years, we found ourselves in a place where we've done a lot. Now we want to be better stewards of what we have out there. 

We want to actively maintain and help our projects to be successful, working more closely with the community. So inside of GitHub, within our OSPO, we focused on establishing guidelines, some policies, and a framework to help folks that wanted to do these types of open source engagements. And we do so in a way that follows best practices, both on behalf of what the business or legal or security teams would expect, as well as what the community expects from us so that we can be good corporate citizens around open source like we all want to be, and so that our projects that we create and put out there can hopefully be successful and valuable to others.



Katherine Druckman: We've both been around open source for quite a long time and, from my perspective and probably yours, those kinds of numbers you were throwing out earlier are so mind blowing. You used to kind of feel like open source was almost a small world, like we all kind of knew each other or at least a couple degrees. So, it’s amazing to hear these numbers.  

You used a phrase near and dear to all our hearts, which is “best practices.” I'd love to discuss some lessons you've learned on contribution best practices, consumption best practices, and community best practices. 

Ashley Wolf: Definitely, I think one that we get asked about a lot and that resonates with many groups that are looking to establish an OSPO or people inside of organizations that want to get started with creating a brand new project is around setting up a lifecycle for your project, meaning be prepared not only to set it up, get it out there, talk about it, welcome the community, and get everything you need in the repos set up to the standards that your organization sets.

For example, you'll want a code of conduct, a license file, and a hefty README. In addition to all that, you'll want to think about what success for the project looks like. If you're not meeting your goals around the project or it's not gaining the traction you're looking for, or ultimately it comes to a point where maintainership is no longer happening within the project, what are you going to do about it? 

So, prepare for the project to enter the open source arena and hopefully to be successful, and then think about what it looks like to wind down the project when it comes to the point where it's no longer going to be actively maintained or supported by your organization, perhaps. And so at GitHub, as we've created all these projects over the years, what we've learned is how important it is to also do graceful exits from projects or to plan to communicate when we intend to sunset a project to make sure that the community's aware. As we went through all these exercises, I think that's very helpful for others to think of as well. We've published a few guidelines and resources and made those available to others in our own repo called github-ospo so others could learn from our experiences there too.

It’s something a lot of other communities think about as well. Within the Apache Software Foundation, they have the concept of an attic. They talk about what it looks like for projects to go through the lifecycle from incubator to active, and then to wind it down.

Katherine Druckman: I love that you mentioned winding it down. In my personal experience as a developer, contributor, or consumer of open source projects, some of the times when I've been the most impressed with someone's work and contribution is in sunsetting a project, in correctly wrapping it up, doing it responsibly, and with great consideration for the people that are using it.  

It’s interesting that you bring that up because it's not necessarily the first thing people think of, but it's incredibly important work and it's important to be thoughtful and be a good citizen, which brings me to my next question.  

What does it mean to be a good open source citizen? I think that can be a very complex thing. Are there any specific pitfalls where people might want to revisit and focus on what they might have missed? Where are people getting it right and where are people not?

Ashley Wolf: To me, at the core, being a good open source citizen means responsible use of open source and contributing to the open source ecosystem. And that can unfold in a number of ways. That can mean things like license compliance, ensuring you're meeting the obligations of all the licenses for the open source you depend on, participating in sustaining critical open source that you depend on or that the community relies on to ensure that it's secure, healthy, and well maintained. We've all heard horror stories about cases where projects can succumb to the pitfalls of lack of maintainership, overwhelming number of security vulnerabilities, and then we all scramble to figure out what to do about our dependencies. 

So being responsible with not only using open source, but also finding ways to contribute back to these projects, whether that's code, non-code, contribution dollars directly to the projects, organizations, or ecosystem members that help to funnel money and support the health of these projects. In addition to that, there are some ways that we can think about sustaining that go beyond just dollars.

That can be code or non-code contributions, but it can also be strategic partnerships, joining working groups. There are activities, even if you're in an OSPO, that you may not be aware of. There are working groups within the CHAOSS* Project. The CHAOSS Project is a Linux Foundation* group that is focused on community health and metrics around open source.

There is one group right now that's focused on OSPO value metrics, which is super interesting and helpful for all of us that look at how to measure success within our OSPOs. In addition, there are several OSPO working groups. Another through the Linux Foundation is the TODO* group. There's also OSPO++, OSPO Alliance and a new OSPO working group that's focused on university-based OSPOs.

So, there are many ways that we can not only use but contribute back, and for OSPOs it is important to figure out where you'll be able to balance not only using but giving back. Many of us think about that with budgets, but it can also be how people can spend their time supporting the ecosystem as well.

For more of this conversation and others, subscribe to the Open at Intel podcast:

About the Author

Katherine Druckman, an Intel Open Source Evangelist, is a host of podcasts Open at Intel, Reality 2.0 and FLOSS Weekly.  A security and privacy advocate, software engineer, and former digital director of Linux Journal, she's a long-time champion of open source and open standards.