What to know before you open source an internal project

Originally posted on opensource.com in June 2017.

Before your company makes a project open source, make sure you’re ready for all your new responsibilities to the community that forms around it.

Your company is going to release an internal project as open source. Congratulations! You know your code is ready, but are you ready for all your new responsibilities?

Once a project has been released as open source, your company is not only responsible for the project, but also for the community that will form around it. This often requires changes to the development/build/release workflow. This is not about the code per se; it’s about all the processes and infrastructure that surround the code that make the open source project successful.

Here’s what you need to know and expect before you release your open source project.

Identify your company’s goals

Before you go much further, take a moment to evaluate your company’s goals for releasing the project in the first place. The company will invest a lot of time and effort into preparing this for release—and a lot more in maintaining the project and the community that forms around it. While it’s possible that these efforts are altruistic, it’s more likely that the company expects something for its investment.

Make sure you’re aware of these goals before diving into the project and its community. Taking steps to ensure your company can meet them not only helps the company, it helps free and open source software (FOSS) overall. Companies that don’t know or don’t meet their goals with an open source project withdraw from FOSS participation entirely, and that helps no one.

Understand community expectations

While your company may still hold the keys to the kingdom and decide what contributions to merge and when to bundle a release, all development must be done in the open in communication and coordination with the community that forms around it.

In other words, the project must operate according to established community expectations for an open source project. These expectations include (but are not limited to):

  • All development work—including bug fixes, new feature development, product roadmaps, and discussions and issue tracking about these things—occurs publicly and in coordination and cooperation with the community.
  • All build processes related to the code (continuous integration/deployment, etc.) operate publicly and are accessible by and to the community.
  • The company accepts contributions from the community, where “contributions” means not only code but also documentation, design, product roadmap guidance, governance, and other matters pertaining to the project. All contributions must be reviewed and considered promptly, and feedback must be provided publicly.

Know that community is key

Open sourcing a project creates a lot of work, though in practice it’s usually no more work than proprietary software development. Still, there can be considerable effort required to transition processes and culture to work efficiently and effectively in the open and support an open source community.

If it’s so much work, why do it?

As I mentioned earlier, businesses don’t usually release projects out of the goodness of their heart. They do it because they want to benefit from the community that hopefully will form around the project—but those benefits happen only if the company earns, builds, and maintains the community’s trust.

That trust happens by doing all work in the open and in communication and collaboration with the community. Any fully unilateral or private decisions the company makes will violate that trust and alienate the community. When a community is alienated, they leave (sometimes forking the code to start over elsewhere).

There is no way to benefit from a community that disappears. That leaves the company with a bunch of code that is open but no one uses or cares about, not to mention unable to meet the goals it set when it open sourced the project.

Launch your public issue tracker

Once a project is released, all bug reports—previous and new ones—must be available in the project’s public issue tracker. Here are some things you need to do:

  • Move pre-existing bugs/tickets/issues to the project’s issue tracker.
    • Be aware that moving often requires a script.
    • Before you move anything, review all existing issues and close those that have no real hope of ever being fixed.
    • Make sure to remove any proprietary information from any pre-existing bugs/tickets/issues before moving them to the public tracker.
  • Decide whether to move closed bugs/tickets/issues to the public tracker.
    • This is optional, but it can provide valuable context for future development.
    • Make sure to remove any proprietary information from any closed bugs/tickets/issues you plan to move before making them public.
  • Create a new workflow so all bugs/tickets/issues will be routed efficiently to and through the public issue tracker.
    • Coordinate and train all company staff who report or interact with bugs/tickets/issues.
    • If you use a publicly available issue reporting tool (e.g., ZenDesk), the new workflow must ensure that issues reported there are efficiently transferred to the public issue tracker and the reporting parties (usually customers) still receive the service and information they have come to expect.

Be ready to open your product roadmap

Once a project is released as open source, its development roadmap and all related discussions become publicly available.

  • All discussions and decisions about what goes onto the roadmap (and why) must now be held publicly and with the community’s input.
  • Community feedback should be integrated into the roadmap.

Please note: While the roadmap and all discussions about it occur in the open and with input from the community, unless it has made other accommodations the company may still have the final word on what goes onto the roadmap, when, and why. This should be done in a manner that is respectful of the community the project now serves and supports.

If the public roadmap includes features that interact with or rely on proprietary features, everyone who interacts with the project must be careful not to leak proprietary information in discussions about the public roadmap.

Define the contributions workflow

Once a project is released as open source, all contributions to it must use one public-facing workflow, regardless whether the contribution is from the originating company or the community.

Here’s an example of a typical workflow:

  • A contributor forks or clones the public repository to their own computer.
  • The contributor creates a feature branch of the repository and develops their contribution on that branch. This work, as it’s being done on their own computer, is private.
  • Once their contribution is ready, the contributor submits their contribution back to the public repository. (The process depends upon the version-control system in use and the preferences of the project.)
  • The contribution is publicly reviewed by community members who are qualified to do so (typically known as core contributors). These people then choose to merge, defer, or close (decline) the contribution. If the contribution is merged, it may be to master/head or a different branch, but this depends on the project’s needs and workflow.

Each project must consider and decide upon its specific contribution needs and workflow and make these publicly available in the project’s CONTRIBUTING.md file.

Don’t forget about the build process

The build process is often overlooked when planning to open source an internal project. This is unfortunate, as the build process also happens in the open once the project is released.

Some things to make sure of when opening the build process:

  • There is no proprietary or internal-only fork of the code.
    • If there is, it will betray the trust of the community, who will leave.
    • It will also greatly increase the work required to merge and maintain code.
  • All build processes must work against publicly available code, either the master/head or a stable branch maintained for build (whatever makes the most sense for the project and product).
  • All build artifacts should be made publicly available immediately upon build completion.
    • How they’re distributed after that (e.g., pushed to customers) is a business decision, but the build artifacts (including final binaries) are always publicly available.

Support open discussions of community governance and tooling

Once a project is released, all decisions that impact it or its community must be made in the open, including changes in governance, adjustments to tools such as version control or continuous integration, and changes or additions to communication routes.

This does not necessarily mean that every tiny decision must be sent to committee or requires full discussion from the entire community. Often it is enough to solicit suggestions and feedback from the community and consider them when making decisions.

All final decisions, the reasons behind them, and their expected outcomes must be publicly announced, available, and documented in whatever tracking system the project uses for such things (usually a mailing list plus the documentation system or a wiki).

Open anything else pertaining to the specific project

You get the idea by now:

Anything at all related to the project will need to be done in the open.

Once the project is released as open source, it no longer belongs to “you,” the company, and now belongs to “we,” the community (of which the company is a part). This means the community must be included at all points going forward.

No, I will not “lighten up”

Here’s a conversation I was in recently. It’s paraphrased and anonymized because I’m not here to name-n-shame.

Person1: Oh hey, $less_popular_project I work on was found to be one of the most secure!

Me: Nice! Good for them. /me boosts signal

Person2: Too bad no one uses $less_popular_project, lol

Me: Not cool. Don’t bag on other projects.

Person2: Lighten up. It’s a joke, jeez.

Had Person2 known Person1 I could’ve let it go as banter between friends, but Person2 didn’t. Person1 was a stranger to them.

I’d intended to leave it at that. I said my piece and pointed out bad behavior, but after thinking about it a bit, no. I’m not done yet. I’m sick of this crap and I’m going to plant my flag in the sand.

Person1 was excited that their project was receiving well deserved recognition for all of their hard work. Person2 used this as an opportunity for a cheap shot and hurtful language.

No matter what the intention (“It’s a joke, jeez.), hurtful language is still just that: hurtful.

There is absolutely no benefit to being mean here. This sort of micro-aggression is masquerading as humor but is amusing only to the teller, not to most of the hearers and certainly not to the target.

Angry cat photo from Flickr user jing.dong, CC-BY-NCFor many years now I’ve been (usually gently) calling people out when they try this sort of thing, but right now I’m going to be more direct about it:

Shaming people’s open source project or community, programming language, platform, editor, framework… This is what bullies do. It’s not funny. It’s not useful. It’s just childish and mean. Knock it the fuck off.

OK, maybe that was more than a little direct. Whatever. I’m tired of third-rate bullies hiding their attacks behind “it’s a joke, jeez.”

I will be firm, polite, and respectful when I do it, but make no mistake that I will call you on your shit and at absolutely no point will I “lighten up.”

At this point someone will chime in with “Yes, see Aurynn’s post, too!” so let me just beat you to that: The very good Contempt Culture by Aurynn Shaw

On the occasional unpleasantness of community

Dear well-dressed lady who walked by as I was clearing the sidewalk of snow and ice,

No, I am not doing this because, as you state, I am “ambitious.” There are myriad things I’d rather be doing right now, not the least of which is working on the article which is due tomorrow.

I am doing this because, however onerous, it’s the right thing to do. The ice I clear from my sidewalk may save one of my neighbors a very unpleasant fall. You, well-dressed lady walking by, must live in a city rather than a community. This is what we do when we live in a community: we help each other.

The same is true in open source communities. Do we want to write documentation? For many of us, the answer is “no.” Do we want to do code review? Hold design meetings? Take the time out to answer user questions? Triage bug reports? Again, the answer usually is “no.” But we do it because it’s the right thing. Because by taking a little bit of time to do something we may not enjoy, we make our little corner of the world a more pleasant and more welcoming place for others. We turn it from a project, from a city, into a community.

Enjoy the cleared sidewalk.

Love from a community member,

Me