GitHub has published its own internal guides and tools for setting up an open source program office (OSPO).
The new GitHub-OSPO repository on GitHub (where else?) is aimed at businesses in the first year of setting up their inaugural OSPO, and includes everything from policies covering contributor license agreements (CLA) to guides on archiving repositories. It’s basically all about helping small-scale open source projects evolve into something more substantial and organized.
The rise of the OSPO
Open source software intersects with just about every facet of the modern technology stack, from cloud computing and databases to servers and supercomputers. Many companies also elect to open-source their own internal projects to foster industry buy-in and community engagement. But companies looking to keep on top of all their open source componentry, compliance, security, and licensing obligations will soon realize the immense challenges they face. And this is why the OSPO is emerging as a staple part of the modern corporation, formalizing what might previously have been a loose collective of employees spanning myriad departments and roles.
Moreover, the U.S. Securing Open Source Software Act, proposed legislation that emerged in the wake of the critical Log4Shell security flaw, focuses on ways to improve the security of open source software in government systems: its provisions cover vulnerability detection and disclosure, SBOMs (software bills of materials), and setting up an OSPO within at least one federal agency.
While tech giants like Microsoft and Spotify have dedicated OSPOs, we’ve seen a surge in all manner of organizations following suit. Just last month, the Dutch Government revealed it was setting up an OSPO, following the World Health Organization’s (WHO) OSPO launch last year. Goldman Sachs, meanwhile, opened its OSPO back in 2021.
According to GitHub’s recent Octoverse report, 30% of Fortune 100 companies have an OSPO in place. And this surge in OSPO interest is essentially what GitHub is looking to support by releasing its own internal policies and tools as a blueprint for others to follow.