Open Source Artifacts
This section describes common artifacts that are either consumed or produced when managing open source software within the enterprise. Artifacts may be machine- or process-generated (such as an SBOM) or the result of human effort (such as an Open Source Strategy).
The Artifacts
Open Source Policy
An open source policy is a set of guidelines that outlines how an organization will consume, contribute to, and create open source software. It defines the rules that govern the use, distribution, and licensing of open source software within the organization. It establishes processes for evaluating open source software, managing the risks associated with its use, and ensuring compliance with legal and ethical requirements.
Open Source Strategy
THIS IS A PLACEHOLDER
Common Vulnerabilities and Exposures (CVEs)
CVEs (Common Vulnerabilities and Exposures) are standardized identifiers for publicly known cybersecurity vulnerabilities that can be leveraged in exploits. The MITRE Corporation manages the CVE program, which receives funding from the U.S. Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA).
Data Loss Prevention Software
This article looks at Data Loss Prevention (DLP) software commonly used in financial organisations and how it affects open source consumption and contribution. It is not a complete reference for the subject of DLP generally, but should act as a starting point for understanding the issues involved.
Intellectual Property
This article discusses the main types of intellectual property and their application to open source within financial services.
Repositories
Article covering source and artifact repositories.
Software Bill of Materials (SBOM)
An SBOM, or Software Bill of Materials, is a list of all the components, libraries, and dependencies used in a software project, along with their associated version numbers and license information. There are two different SBOM formats:
Artifact Repository
For a financial services firm, the importance of hosting an artifact repository manager such as JFrog Artifactory or Sonatype's Nexus inside the firm's firewall cannot be overstated.
OpenChain ISO/IEC 18974:2023 - Security Assurance
OpenChain ISO/IEC 18974:2023 defines the key requirements of a quality open source security assurance program.
Open Source Program Office (OSPO)
This article talks about the Open Source Program Office (OSPO) organisational structure and its value.
Open Source Review Board (OSRB)
tbd. what is one.
OpenChain ISO/IEC 5230:2020 - License Compliance
OpenChain ISO/IEC 5230:2020 defines the key requirements of a quality open source license compliance program.
Reference FOSS Policy
This document originates from the Citi citi-ospo repository on GitHub. It is published under the Apache License 2.0 and is copyrighted by Citi.
Reference FOSS Policy
This is content originally from the FINOS Reference FOSS Policy Project which has not been updated recently. Feel free to suggest edits.
Software Licenses
This article provides some basic framing around the purpose of licenses within open source.
CLAs And DCOs
This article explains the concept of the Contributor License Agreement (CLA) and Developer Certificate of Origin (DCO) and the practical implications of these for organisations consuming and contributing to open source.