CHAOSScast

Episode 84: Community Viability - how Verizon thinks about OSS risk

May 16, 2024

Gary White, Principal Engineer at Verizon, discusses viability metrics models for OSS risk at Verizon. Topics include creating and simplifying models, using Augur for metrics, and challenges in deploying metrics within organizations. The conversation also covers the importance of community engagement, the role of libyres in risk assessment, and Verizon's approach to software viability metrics. Emphasis is placed on engaging with different metric models, enforcing terms on OSS, and supporting projects through active involvement.

34:46

Creator website

Episode guests

Gary White

AI Summary

AI Chapters

Episode notes

Podcast summary created with Snipd AI

Quick takeaways

Viability metrics models aid in assessing risks of open source software components by focusing on governance, compliance, security, and strategy.

Utilizing metrics like 'libyres' assesses dependency risks and aids in standardizing dependency usage within organizations for effective management.

Deep dives

Introduction of Panelists and Roles

The podcast episode introduces the panelists, including Don Foster, Matt German-Pray, Gary White, and Alice Sowerby, who discuss measuring open source community health and their respective roles in the Chaos Project, academia, Verizon's open source program office, and tech leadership. Their diverse backgrounds contribute to a rich discussion on community metrics and governance.

Introduction

2min

Exploring Viability Metrics Models for Open Source Software at Verizon

4min

Exploring Libyres as a Metric in Governance Viability

3min

Verizon's Approach to Software Viability Metrics

13min

Exploring Viability Models and Risk within the Chaos Ospo Working Group

8min

Embracing Connections Through Travel and Conferences

5min

Thank you to the folks at Sustain for providing the hosting account for CHAOSSCast!

CHAOSScast – Episode 84

In this episode of CHAOSScast, Dawn Foster, Matt Germonprez, Alice Sowerby, and guest Gary White, Principal Engineer at Verizon’s OSPO office, delve into the world of viability metrics models developed for assessing the risks associated with using open source software components. Gary explains the creation process of these models, their application within Verizon for software evaluation, and the significance of engaging with the open source community to enhance project viability. The conversations also explore the challenges and considerations in deploying these metrics within organizations, emphasizing the blend of policy enforcement and cultural influence to manage open source software dependencies effectively. Press download now to hear more!

[00:02:30] Dawn asks Gary to elaborate on the choice of Verizon for the viability metrics models. He explains the creation of the first four metrics models for assessing risks in open source software components, and the development of a fifth model to simplify the original four. Also, he explains the importance of being quantitative about software library choices, influenced by a research paper from Carnegie Mellon and existing CHAOSS metrics.

[00:05:16] Gary mentions using Augur for metrics collection at Verizon and the benefits of tracking with CHAOSS tools.

[00:06:27] Matt asks Gary to provide an example of a metric used in the governance model, and he talks about the Libyears metric, which helps understand the total years behind all dependencies of a component, reflecting the risk associated with aging dependencies.

[00:07:50] Alice wonders about the “happy region” for the Libyears metric and its implications on risk assessment.

[00:09:25] Dawn asks Gary to discuss how these metrics are utilized at Verizon. He describes using these metrics to evaluate the viability of software at Verizon, including different use cases and dependency risks.

[00:11:39] Alice explores how Gary considers the context in which components are used when calculating risk.

[00:13:24] Matt asks about the process of engaging with the metrics models within the organization. Gary explains that the approach depends on several factors such as severity of finding, buy-in from the organization, and the organizational structure of the OSPO, and details the use of specific resources like the “endoflife.date.”

[00:18:07] Gary outlines how Verizon integrates risk management frameworks with organizational tools like dashboards to disseminate collected data and foster buy-in for automated systems.
[00:21:16] Alice asks Gary for advice on engaging with open source communities when viability metrics indicate potential issues. Gary highlights the importance of community and governance metrics in driving organizational support for critical open source projects.

[00:22:43] Gary shares his experience in the CHAOSS group, emphasizing the value of diverse opinions in developing and validating viability metrics models.

[00:24:33] Dawn highlights the significance of the discussions on viability and risk in the OSPO working group, emphasizing how these are critical concerns for OSPO leaders.

[00:25:24] Dawn inquires about how Verizon uses CHAOSS metrics beyond viability assessment, particularly in open source management. Gary discusses leveraging CHAOSS metrics across various teams to judge component use and risk profiles and explains Verizon’s approach to using metrics involving both an educational component and a policy component.

[00:27:33] Gary talks about focusing on the ongoing efforts to integrate and optimize the Augur system at Verizon, acknowledging Sean Goggins for his assistance, and expresses a desire to contribute back to the community, and exploring new metrics to trace and predict significant events in the open source ecosystem.

Value Adds (Picks) of the week:
[00:30:29] Dawn’s pick is going on an Afternoon Tea London Sightseeing Bus Tour with friends.
[00:31:07] Matt’s pick is reflecting on the value of attending conferences and meeting people.
[00:32:10] Gary’s pick is the support from the Augur team, attending conferences, and meeting people.
[00:32:51] Alice’s pick is attending OSSNA in Seattle.

Panelists:
Dawn Foster
Matt Germonprez
Alice Sowerby

Guest:
Gary White

Links:

CHAOSS

CHAOSS Project X/Twitter

CHAOSScast Podcast

podcast@chaoss.community

Dawn Foster X/Twitter

Matt Germonprez X/Twitter

Alice Sowerby LinkedIn

Gary White LinkedIn

“We Feel Like We’re Winging It”: A Study on Navigating Open Source Dependency Abandonment (ACM Digital
Library)