Episode 84: Community Viability - how Verizon thinks about OSS risk

May 16, 2024

Gary White, Principal Engineer at Verizon, discusses viability metrics models for OSS risk at Verizon. Topics include creating and simplifying models, using Augur for metrics, and challenges in deploying metrics within organizations. The conversation also covers the importance of community engagement, the role of libyres in risk assessment, and Verizon's approach to software viability metrics. Emphasis is placed on engaging with different metric models, enforcing terms on OSS, and supporting projects through active involvement.

Ask episode

Chapters

Transcript

Episode notes

Introduction

00:00 • 2min

Exploring Viability Metrics Models for Open Source Software at Verizon

02:29 • 4min

Exploring Libyres as a Metric in Governance Viability

06:27 • 3min

Verizon's Approach to Software Viability Metrics

09:26 • 13min

Exploring Viability Models and Risk within the Chaos Ospo Working Group

22:44 • 8min

Embracing Connections Through Travel and Conferences

30:17 • 5min

Thank you to the folks at Sustain for providing the hosting account for CHAOSSCast!

CHAOSScast – Episode 84

In this episode of CHAOSScast, Dawn Foster, Matt Germonprez, Alice Sowerby, and guest Gary White, Principal Engineer at Verizon’s OSPO office, delve into the world of viability metrics models developed for assessing the risks associated with using open source software components. Gary explains the creation process of these models, their application within Verizon for software evaluation, and the significance of engaging with the open source community to enhance project viability. The conversations also explore the challenges and considerations in deploying these metrics within organizations, emphasizing the blend of policy enforcement and cultural influence to manage open source software dependencies effectively. Press download now to hear more!

[00:02:30] Dawn asks Gary to elaborate on the choice of Verizon for the viability metrics models. He explains the creation of the first four metrics models for assessing risks in open source software components, and the development of a fifth model to simplify the original four. Also, he explains the importance of being quantitative about software library choices, influenced by a research paper from Carnegie Mellon and existing CHAOSS metrics.

[00:05:16] Gary mentions using Augur for metrics collection at Verizon and the benefits of tracking with CHAOSS tools.

[00:06:27] Matt asks Gary to provide an example of a metric used in the governance model, and he talks about the Libyears metric, which helps understand the total years behind all dependencies of a component, reflecting the risk associated with aging dependencies.

[00:07:50] Alice wonders about the “happy region” for the Libyears metric and its implications on risk assessment.

[00:09:25] Dawn asks Gary to discuss how these metrics are utilized at Verizon. He describes using these metrics to evaluate the viability of software at Verizon, including different use cases and dependency risks.

[00:11:39] Alice explores how Gary considers the context in which components are used when calculating risk.

[00:13:24] Matt asks about the process of engaging with the metrics models within the organization. Gary explains that the approach depends on several factors such as severity of finding, buy-in from the organization, and the organizational structure of the OSPO, and details the use of specific resources like the “endoflife.date.”

[00:18:07] Gary outlines how Verizon integrates risk management frameworks with organizational tools like dashboards to disseminate collected data and foster buy-in for automated systems.
[00:21:16] Alice asks Gary for advice on engaging with open source communities when viability metrics indicate potential issues. Gary highlights the importance of community and governance metrics in driving organizational support for critical open source projects.

[00:22:43] Gary shares his experience in the CHAOSS group, emphasizing the value of diverse opinions in developing and validating viability metrics models.

[00:24:33] Dawn highlights the significance of the discussions on viability and risk in the OSPO working group, emphasizing how these are critical concerns for OSPO leaders.

[00:25:24] Dawn inquires about how Verizon uses CHAOSS metrics beyond viability assessment, particularly in open source management. Gary discusses leveraging CHAOSS metrics across various teams to judge component use and risk profiles and explains Verizon’s approach to using metrics involving both an educational component and a policy component.

[00:27:33] Gary talks about focusing on the ongoing efforts to integrate and optimize the Augur system at Verizon, acknowledging Sean Goggins for his assistance, and expresses a desire to contribute back to the community, and exploring new metrics to trace and predict significant events in the open source ecosystem.

Value Adds (Picks) of the week:
[00:30:29] Dawn’s pick is going on an Afternoon Tea London Sightseeing Bus Tour with friends.
[00:31:07] Matt’s pick is reflecting on the value of attending conferences and meeting people.
[00:32:10] Gary’s pick is the support from the Augur team, attending conferences, and meeting people.
[00:32:51] Alice’s pick is attending OSSNA in Seattle.

Panelists:
Dawn Foster
Matt Germonprez
Alice Sowerby

Guest:
Gary White

Links:

CHAOSS

CHAOSS Project X/Twitter

CHAOSScast Podcast

podcast@chaoss.community

Dawn Foster X/Twitter

Matt Germonprez X/Twitter

Alice Sowerby LinkedIn

Gary White LinkedIn

“We Feel Like We’re Winging It”: A Study on Navigating Open Source Dependency Abandonment (ACM Digital
Library)