Risk is a new group, focused on metrics for issues pertaining to Risk in open source.
Economic value is expressed in different ways for different types of stakeholders. We will be exploring this space in the coming months.
| Focus Area | Goal |
|---|---|
| 1. Business Risk | Understand how active a community exists around/to support a given software package. |
| 2. Code Quality | Understand the quality of a given software package. |
| 3. Licensing | Understand the potential IP issues associated with a given software package’s use. |
| 4. Security | Understand security processes and procedures associated with the software’s development. |
| 5. Transparency | Understand how transparent a given software package is with respect to dependencies, licensing (?), security processes, etc. |
| 6. Dependency Risk Assessment | Understand software dependency risk. |
This CHAOSS working group is using the general CHAOSS mailing list.
The Risk Working Group meets every other Monday from 11-12 Pacific Time. All are welcome.
The videoconference URL is https://zoom.us/j/4998687533.
You can also read our meeting notes.
We have gotten requests from community members to establish industry-standard metrics for risk in open source. Lack of metrics makes it difficult for business decision makers to compare open-source methods to alternatives. Lack of metrics makes it difficult to allocate resources optimally across projects, slowing decision making and product innovation.
We believe that risk metrics can accelerate the adoption of open source methods within industry, providing more opportunities for developers to make a living wage in open source.
Identify Stakeholders and Validate Interest
- Identify market segments and stakeholders
- Understand Who cares about Open Source Risk (and why)
- Specify and prioritize Key Performance Indicators
- Calculate potential aggregate risk
Grow hands-on community
- CHAOSS Members: Consultants, researchers, grant writers
- Project Stakeholders: Sponsors, maintainers, contributors, consumers
Build reusable assets
- Repeatable methodology for discovering value
- MVP Tooling with Development Roadmap
In the long term, we’d like to publish trusted industry-standard Risk Metrics. A kind of S&P for software development, an authoritative source for metrics significance and industry norms.
We're just getting started!
Maintainers
Core Contributors
- Kate Stewart
- Matt Snell
- Kevin Lumbard
- Sophia Vargas
- David Wheeler
- Lucas Gonze
The criteria for becoming a core contributor is to participate at least once per month over a period of 3 months. Participation could include providing feedback in the weekly D&I meetings, providing feedback on docs, or making other contributions on GitHub (commits / issues). People not participating over a 3 month period may be removed as core contributors.
If you'd like to be on our squad, an easy way to start is by going through the issue list and fixing some. 🎉
All Contributors
Are you eligible to be on this list? You are if you helped in any capacity, for example: Filed an issue. Created a Pull Request. Gave feedback on our work. The team will try to update this list monthly, but please open an issue or post on the mailing list if we've missed anyone.
If you find yourself missing, please create a pull request or reach out to a maintainer. We started to maintain this list after starting the working group and are likely missing some of you. If you find yourself listed here and want to be removed, please create a pull request or ask a maintainer.
