Follow Xiang Shuming into ZTE and explore the excellent practice of enterprise open source risk management

Episode 11 of "Big Guy Interview" (audio): Follow Xiang Shuming into ZTE, and explore the excellent practice of enterprise open source risk management

Open Source Rainforest: Please briefly introduce yourself to the audience

Hello everyone, I am Xiang Shuming. I currently do open source compliance governance work at ZTE Corporation. I am the Director of Open Source Compliance & Security Governance of ZTE Corporation, a full member of the Open Source Society, and one of the 33 Chinese Open Source Pioneers of 2022.

Open Source Rainforest: When did you start contacting open source? Why are you interested in open source governance?

I have been in contact with open source since 2014. My interest in open source governance is mainly related to my work experience. I used to be the EPG team leader and am very familiar with R&D process improvement. To me, open source governance is a new addition to R&D process improvement, just one more external constraint. I have a natural personal preference for moving from disorder to order, which is also a result of my career.

Open Source Rainforest: When and why did you get into open source governance?

ZTE established a sound R&D management mechanism and risk management and control system very early on. Every year, it needs to look for the TOP risks in its own business field. Around 2014, I worked in the company's product platform department. Risks on the front line of the market are what the product lines pay attention to; in the platform department's risk identification, I considered open source compliance a long-term and arduous risk point. It should be part of R&D process improvement and will coexist with the product R&D process and its improvement for a long time. It is a good career research direction: building an enterprise-level management and control mechanism that reduces the risk of using open source is beneficial to both the enterprise and the individual, and it is also quite challenging, so since then I have devoted myself to the study and research of open source governance.

Open Source Rainforest: What is your comment on the current situation of open source governance in domestic enterprises?

I personally think that China has passed the evangelistic stage of open source governance, and everyone no longer discusses whether open source needs to be used. More attention is now paid to how to use open source in a compliant and secure manner, but when it comes to systematically building an effective open source compliance & security control mechanism for the enterprise, the vast majority of enterprises either lack this awareness or do not know how to proceed. Most of them stop at details such as the compliance of a specific license or the elimination of a particular security vulnerability. ZTE joined the ranks of internationalized companies very early, and regards compliance, including open source compliance, as one of the cornerstones of the management of the entire enterprise.

Open Source Rainforest: The TODO Group describes several stages, such as the usage stage, participation stage, contribution stage, and leadership stage. As a pioneer like ZTE, which stage do you think your company is currently in?

I think ZTE is currently at the leading stage of the industry in terms of open source governance. After six or seven years of exploration and practice at the organizational level, we have encountered and overcome many different business governance scenarios, have accumulated considerable experience and lessons in open source governance, and also actively participate in and contribute to external open source communities.

In fact, most enterprises are in the first stage, using open source software in the product development process to serve the enterprise's product development and operation. In the process of using open source software, enterprises will find that open source software itself has many compliance and security issues, and these risks must be borne by the enterprise itself. Most of this open source software is not guarded by a dedicated team in the enterprise, and it is impossible to guard all of it. So in such a scenario, how can the enterprise efficiently manage the open source software it uses in order to reduce compliance and security risks? Can these open source projects be developed remotely/asynchronously in another R&D mode through internal open source, so as to guard them? The industry is now also discussing whether projects in the open source community can be operated and managed as trusted open source projects to improve their compliance and security and reduce the corresponding risks. Enterprises can choose according to their actual situation.

Open Source Rainforest: How is your company's open source management unit organized? Are there any challenges and difficulties in this process?

Open source governance involves all areas and processes of software development and operation, so the open source governance unit is destined to be only a virtual organization, from the company OSPO office to the relevant experts in the field of open source governance, down to every project team that develops software; there are at least a few hundred team members with relevant open source governance responsibilities. The roles involved mainly include: open source COP team members, process improvement experts, legal experts, product/platform managers, R&D representatives, project open source governance interface persons, system engineers, project teams, open source software guardian projects/guardians, intellectual property experts, IPR managers, configuration administrators, QA/PME, ECC, project compliance managers, the security team, the supply chain team, the standards team, and the open source contribution team.

Since open source governance involves such a wide range of areas, it is difficult to set up a full-time department in an organization to manage it. Therefore, starting in 2014, we first established an open source governance team at the research institute level, and by 2016 it became a company-level open source governance team. The COP (Community of Practice) team covers all products and teams in the company that use open source software, and gradually built a control and response mechanism covering the whole process from market opportunity to product operation and maintenance, spanning EAR (US Export Administration Regulations) compliance, open source compliance, product security and GDPR (General Data Protection Regulation) compliance, in order to reduce product compliance & security risks and improve customer satisfaction and trust in using our products. The main challenge is how to effectively coordinate all parties to participate in open source governance.

Open Source Rainforest: In terms of using open source, are there any interesting things or challenges that you can share?

The first challenge: how much open source software does the enterprise use? How many licenses are involved? How is this open source software used? This part is very difficult to answer. The second challenge: how to manage the open source already in stock and use it in compliance? The third challenge: open source software is invisible and intangible, so how can it be managed efficiently and effectively to meet the compliance control needs for open source software?

In these scenarios, there must be an effective management system that can truly and clearly understand which open source software the enterprise uses and how that software is used in each project version. Without these basic capabilities, the effectiveness of open source governance will definitely be greatly reduced. In addition, as for license management, what I see is that everyone is still at a relatively superficial level. I think it is still necessary to be clear about the above points, that is, to answer the management question "where am I?", to clarify the goal of open source governance in combination with organizational strategy, that is, "where am I going?", and only then to put forward improvement requirements for the open source governance process; otherwise it is really difficult to propose governance goals and annual governance requirements, and hard to even start governance.

Open Source Rainforest: In terms of supply chain management, is the management of security and compliance complicated?

It is complex. A product may be developed by only one development team at the beginning. Later, as the organization expands and products diversify, platform-based development requirements are raised and multiple project teams (products, platforms, components) jointly develop a product. With the introduction of open source software, software development has gradually evolved into a modular, assembled, and diversified mixed-source development model. However, we found that while the software developed directly by the company's internal teams generally follows the organization's R&D management requirements, so its compliance and security are relatively guaranteed, the compliance and security of externally introduced software cannot be guaranteed.

In addition, in the process of external introduction, the project team will not only introduce software from the open source community, but also some commercial software, outsourced software, development software, SDKs and other third-party software, which becomes part of the product composition. Therefore, when introducing such third-party software, whether the third-party organization understands open source compliance and whether its compliance and security can be guaranteed during version distribution also needs to be controlled.

There is still a lot of so-called open source software on the market, which can be downloaded from communities or public places, and the risks of this software are also very high. If there is no control over the process by which developers introduce such "open source software", it can be introduced easily, but it often carries open source compliance and security risks.

So I think that in order to do this well, it is necessary to establish an effective management system that plugs the control loopholes in all aspects of introduction, use, governance, and response, and to manage the full life cycle of all open source software and third-party software. As for the full life cycle management of this open source software and third-party software, because different categories involve different fields and departments when they are introduced into the enterprise, the corresponding processes need to be sorted out and established separately, and this process is complicated and difficult to accomplish.

Open Source Rainforest: ZTE has so much experience in open source governance, has it considered sharing its practical experience and ideas with the outside world?

We all know that open source requires compliance and security control, and many companies share some excellent practices. I think each company still needs to combine those practices with its own actual situation and unique processes in order to truly implement them effectively.

In recent years, ZTE has actively participated in various sharing and standard setting work of international and domestic open source communities and standardization organizations, especially the sharing of experience and ideas on open source governance.

Open Source Rainforest: What do you expect from the TODO Group?

In fact, I think the problems that many software development companies encounter in different scenarios are the same as those encountered by ZTE, Huawei, and even leading foreign companies. So when they participate in domestic communities and foreign groups such as the TODO Group, the problems everyone has encountered in the actual governance process, and how to solve them when they arise or how to reduce their risk, have reference value for each other. I therefore hope that the TODO Group can actively collect the problems encountered in governance processes and governance practice, and provide more opportunities for collaboration, exchange, sharing, and mutual learning.

Open Source Rainforest: What are your expectations for the future development of open source governance in domestic enterprises?

The requirement of open source governance is not an additional burden imposed on projects or enterprises from the outside, but an inevitable need of the market once the entire industry develops to a certain level, and an inevitable choice for enterprises to operate and develop in a healthy, long-term manner. Business operation is the original driving force. From the perspective of business operators, the internal compliance and security governance of an enterprise should revolve around the operation of the enterprise. So how to build an environment that turns "being asked to do it" into "wanting to do it" is what I hope to see, so that our country's software companies become more competitive and all of us can use software products with more confidence.

Open Source Rainforest: What advice do you have for Open Source Rainforest, and what do you expect Open Source Rainforest to do next?

It is hoped that Open Source Rainforest can become a seeding machine for the open source governance ecology. At present, many companies engaged in software development have relatively weak project management and process control. After open source software is introduced, it is difficult to achieve results by relying on the original extensive management. It is hoped that Open Source Rainforest can sow the mechanisms of how to do it, and let them take root in domestic enterprises.


Open Source Rainforest builds a knowledge system around three aspects: open source general knowledge, open source use, and open source contribution. It is willing to systematically share its long-accumulated experience with enterprises, provide cooperation on teams, mechanisms, and projects, and help enterprises use open source more efficiently, contribute to open source, and improve the level of open source technology and application across the whole industry.

The content of Open Source Rainforest has been open-sourced and is hosted at https://github.com/opensource-rainforest. You are welcome to contribute content in the form of Pull Requests, discuss in the form of Issues, and jointly maintain the content of Open Source Rainforest.

Follow the "Open Source Rainforest" official account to get the latest and most complete news.

Origin: blog.csdn.net/Huawei_KYYL/article/details/130125712