Who owns open source governance? Legal?
Let’s step back and consider what OSS is replacing. OSS is an alternative to developing, testing, and maintaining the software in-house.
Therefore, the use of each OSS package should be governed much as one governs other external software suppliers. Unlike with in-house developed software, you don’t control the open source developers, but governing open source closely mirrors governing software sourced from other external suppliers.
Here is the priority of who should govern open source:
- Role which governs use of software developed by partner companies
- Role which governs use of software developed by outsourcing companies
  - Often this role makes too many optimistic assumptions about the quality of software produced by the outsourcer, so this role might not spend the necessary time evaluating the quality of the open source
- Role which governs use of software developed by commercial companies
  - Often this role is too concerned with financials that don’t apply to open source
- Each product team
So if an organization doesn’t already have one of the first three roles listed above, the responsibility for open source governance should fall to each product team. Hopefully the common leader of these product teams will recognize the overhead of distributed open source governance and centralize it, effectively creating one of the first three roles.
Certainly, the role which governs open source should consult with the Legal department as needed. However, any one of the above roles will be better able than the Legal department to apply all the right quality controls to ensure the security, maintainability, etc. of the open source.