Closed Julia-Ritter closed 2 years ago
Hey folks 👋🏻 - Great to meet you! (James McLeod, FINOS Director of Community)
Hello all. Excited to join the 1st SIG meeting of 2022.
Aaron Williamson, Williamson Legal
Ken D'Auria, The Hartford
Great to join my 1st FINOS SIG meeting
Date
05 JAN 2022 - 7am ET / 10am ET / 3pm GMT
Meeting notices
FINOS Project leads are responsible for observing the FINOS guidelines for running project meetings. Project maintainers can find additional resources in the FINOS Maintainers Cheatsheet.
All participants in FINOS project meetings are subject to the LF Antitrust Policy, the FINOS Community Code of Conduct and all other FINOS policies.
FINOS meetings involve participation by industry competitors, and it is the intention of FINOS and the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws. Please contact legal@finos.org with any questions.
FINOS project meetings may be recorded for use solely by the FINOS team for administration purposes. In very limited instances, and with explicit approval, recordings may be made more widely available.
Minutes
Recap of December’s call
FINOS State of Open Source in FinServ Report
@vmbrasseur: FINOS report reflects lack of awareness among financial services employees about their company’s open source leadership and policies. Are these results consistent with participants’ experience? What’s the reason for the gap?
One participant commented that their experience affirms the statistics. While some sell-side firms are approaching open source enthusiastically, there is very low awareness among buy-side firms and hedge funds. For newbies to open source, FINOS will need to offer meetings to go over the list of offerings and guide them to where they’re able to contribute and participate.
Another participant commented that they were “aghast” at the numbers. The path they generally recommend to those who are behind is to introduce non-blocking control points in four places for review of open source issues: commercial reviews for vendor product purchases, internal (architectural) approval processes for the use of new technologies, software design and development processes, and external contribution processes.
Make sure that the relevant team asks the question, what is the open source view of this request, this build, etc.? Questions will start simple and expand over time. These roadblocks will increase understanding in the organization and direct them to centralized resources that educate about the issues. Eventually you’ll challenge your third-party vendors and employees to understand those issues.
Now, at the participant’s firm, these control points require controlled approval from someone doing a review. Challenges are educating the teams on why they need to care, why it’s important and what the risks are. It would help to have open source training as a standard requirement, but you’ve got to build that up.
Another participant underscored that training is critical. Developers know about and want to contribute to open source, but require education. Their firm just kicked off an OSPO, which is more of a community of practice than a formal entity, and involves people from all of the departments that need to have input. It is focusing on training: educating management as well as developers on both the value and the risks of open source. Log4j is an opportunity to get that back in front of management. They are building a software bill of materials for their own components.
Q: What about an obligations management system? That’s the harder part.
A: Don’t have that yet. Working on a system bill of materials, but obligations are the next step. Working on putting together a contribution pilot, but so far developers have decided it was too onerous to get all the approvals in advance and have decided not to go forward. Currently piggybacking on cybersec executive order and requiring BOMs for all of the software we’re acquiring.
Q: Any kind of materials FINOS and/or the SIG can provide to aid this process for members?
A: Generic education material on open source usage, obligations, etc.
@copiesofcopies: the FINOS Open Source License Compliance Handbook (https://github.com/finos/OSLC-handbook) is meant to assist with managing obligations. Asked participants to take a look and see whether it is a useful input to their obligation management process — FINOS is interested in putting more energy into building it out if it’s of use.
@vmbrasseur: The TODO Group is also a good source of guidance for building out your open source programs. Changes coming to OSR in 2022: OSR will be a strategic initiative, with plans to be solidified by the January 19th board meeting.
@jgavronsky: Have a meeting tomorrow to discuss plans and milestones for OSR and where we can be of most use to the OSR community. Want to focus OSR and take the existing materials and push forward to bring more useful tools to the membership and community.
A participant suggested putting together not only resources, but also publishing recipes or paths for different organizations starting in different places that show different ways to reach OSS maturity.