Corporate Open Source Governance of Software Supply Chains


Today most software products incorporate free/libre and open source software (FLOSS) components. FLOSS components are used in development infrastructures, generic and non-differentiating features and functionalities, web browsers, databases, and operating systems. Some software products are built on top of FLOSS frameworks. Open source software usage often ensures lower cost, higher quality, and quick availability, especially when using generic software components and libraries. Using open source software in products comes with legal, business, and technical risks, however. A major challenge for companies is understanding and complying with licenses and regulations related to the FLOSS components they use in their products. On a deeper level, these issues go beyond the in-house software development, including complete software supply chains and FLOSS components used within them. The potential risks of using open source components can result in litigation due to open source license non-compliance, copyright infringement, or loss of intellectual property. There are several ongoing court cases in Germany, in China, and in the USA, which highlight the significance of the above-mentioned risks. Companies can address the risks of FLOSS use by establishing corporate open source governance – a set of processes, best practices, and tools employed by companies to govern the use of FLOSS components as parts of their commercial products while minimizing their risks and maximizing their benefit from such use. Corporate open source governance covers topics of open source component selection and approval, ensuring open source license compliance through code scans and audits, as well as bill of materials management focused on open source component and their metadata, etc. The goal of our research project was to build a methodological framework for corporate open source governance in companies with software-intensive products. In the scope of this dissertation, we researched the state of the art regarding the corporate open source governance in the literature, built a theory of industry best practices for corporate open source governance based on expert interviews and other primary materials, and evaluated the proposed theory through a multiple-case case study at German companies operating internationally. In the first stage, we studied the state of the art in academic research through a literature review of 87 publications on the topic. We conducted a qualitative data analysis of the papers, deriving the core concepts of corporate open source governance from the literature – risks of the ungoverned FLOSS use, getting started with FLOSS governance, inbound governance, supply chain management, outbound governance, and general governance. We then mapped the reviewed papers to the identified core concepts and presented highlights on each concept, which were later compared with the insights from the proposed theory. In the second stage, we asked the overarching research question of how companies using open source components in their products should govern this use based on the industry best practices. Taking a practice-based approach, we conducted a qualitative survey that included 20 primary materials (published governance guidelines, white papers, slides) and 21 expert interviews at 15 companies with an advanced understanding of open source governance. Based on the findings from the qualitative survey, we built a theory of industry best practices for corporate open source governance, with a particular focus on supply chain management. Our theory proposes industry best practices on the core topics of FLOSS governance in companies – getting started with corporate open source governance, inbound governance, outbound governance, general governance, and the focal topic of the study – supply chain management in the context of open source governance. Going beyond the textual presentation of the theory, we also presented our findings in an actionable and industry-friendly format of interconnected best practice patterns that formed a handbook for corporate open source governance. We attached excerpts from our governance handbook in the appendix of this dissertation. In the third stage, we evaluated the proposed theory through a multiple-case case study with a holistic design at two case studies in production-level projects at two large German companies that used open source software in their products, but lacked open source governance. Case Study A was a 2.5-year longitudinal study into a company that was just getting started with open source governance. This enabled us to evaluate the getting started and inbound governance aspects of our theory. The length of the study enabled us to thoroughly analyze the current use of open source software and its informal governance in the various divisions of the company, followed by the guided implementation of the industry best practices from our theory. We then observed how the best practices were applied in a real-life production environment. Case Study B was a one-year longitudinal study into a company that already has the fundamental framework for open source governance, but lacks processes and practices for governing the use of open source software from its supply chain. Using the initial situation assessment as a baseline, we implemented the industry best practices on supply chain management from our theory. We then observed the effectiveness of the proposed practices in improving FLOSS governance and the drawbacks of these practices. In both case studies, we evaluated our theory using the quality criteria of completeness, variability, structure, comprehension, understandability, applicability, relevance, significance, and usefulness. We conclude the dissertation by discussing the key results highlighting the value of our contribution to both academia and industry. On one hand, our research publications enrich academic research on open source governance. On the other hand, practitioners can follow the suggested best practices applying the governance handbook we developed. We also discussed the limitations of this dissertation to both theory building and theory evaluation. We then suggested directions for further research that could enrich the topic of corporate open source governance, for example, industry best practices for open source license compliance and its automation, setting up and managing an open source program office, open source component search and selection, and release management.

PhD Dissertation