Constructing a Corporate Open Source Policy?

Stokey asks: "I work for a global finance firm, (60000+ employees and presence in 25+ countries) in the Group IT department. Pressure is building from the businesses to cut costs and Open Source software has been pushed onto the discussion table. I am trying to educate IT Directors where I can with correct definitions, breaking down assumptions, and will most likely end up writing the group wide Open Source policy. The challenges are well known: risk, cost, support, licensing, benefits, training, and so forth. I am looking for help in putting together a pack that can be handed to our IT Directors forum which contains a policy, TCO (Total Cost of Ownership) reviews, and risk reviews by companies that have done it. After asking what Gartner has to say, the next question will be 'So who else has done this?'. Can Slashdot assist?" What information do you think should be included to sell Open Source to management at the top-level of any corporation or business?

I'm sure several of you have run into this situation before, so I figure this may be as good of a place as any to suggest what information might be appropriate to place in such a policy, especially for future IT workers who find themselves in this position. If people are serious in getting Open Source further into the enterprise than it has already is, such information will be necessary to convince the powers-that-be on the things that we already know: Open Source can be as good as, or better than, commercial software for business tasks. Things like licensing descriptions, common misconceptions, and what Open Source really is would be an absolute must. What other information do you think would be absolutely necessary to include into such policy?

Don't sell "Open Source"

[rjstanford]

Some open source projects are very well done, and provide clear and immediate benefits upon implementation - assuming that you have problems that they solve. Others are less so. In other words, don't try to sell "Open Source" as a fundamental concept. Sell specific open-source solutions to specific corporate problems.

Remember also that everything is relative. Let's say that you're working for a small software company. You need an office suite. You could use OpenOffice, which has no initial cost and a small but non-zero chance of incorrectly storing documents that get sent to potential customers and investors. Or you could go to Microsoft.com and get a ton of NFD software, including Office, for a couple of hundred bucks. Here, the open-source solution fails to be appealing. If you're developing J2EE applications and need a good app server though, its very possible that JBoss provides a compelling open-source alternative to expensive software like WebSphere.

But (and here I'm speaking as the CTO for a growing software company), if you start out with blanket statements like "Open source has lower TCO," without talking to the specific context of a business problem - I may agree in principle, but speaking as the company, "I don't care." Solve a problem, do it well, do it cheaply, and you'll find that the company execs don't care either - but that holds true in both directions. If the best solution happens to be open-source then they'll probably go for it, but not because its "k3wl" or open, but because its better for the business.

This is the time for open source to, as they say, put its cards on the table. The advocates feel that it does deliver lower TCO (and other advantages). I happen to lean that way myself. But that should mean, ironically enough, that the end product should be superior without including the specific point that its open source, any more than I would pick any other product because of the way that its built. The better building technique produces a better product, and that's why it gets used.

At least, that's my opinion.

Re:Don't sell "Open Source"

[rjstanford]

But this doesn't have to happen at all. OpenOffice allows you to set .doc as the default save format; resulting in a zero percent chance of files being saved incorrectly and your customers ever receiving unreadable documents.

Not quite true - a couple of times, the last time I tried to use Open Office, I opened a .DOC file, made some changes, saved it, and got ready to send it off. Being the trusting soul that I am, since I was just eval'ing OO, I checked it in Word. For some reason the bullets had been changed to little smiley faces - at least, when it was opened in Word (which is almost certainly what the recipient would do with it).

Seriously.

Why did this happen? I don't know. The other issue is that I don't care. I have better things to do with my time than to try to figure it out as well (at least at the moment). So I ditched the whole product. Was it because of something that Word did to the original document that OO didn't properly understand? Could be. Again, who knows? I do know that that wouldn't have made a good impression on our client though.

Saving $200 - good
Showing poor QC to a multi-million dollar client - bad
Any questions?

Re:Don't sell "Open Source"

[KGBear]

Unfortunately, it's not that easy. I tend to agree with you in principle - just pick the right tool for the job, it shouldn't matter if it's open source or not. On the other hand, You must remember that there is a lot of pressure against anything Open Source (in the form of marketing from Microsoft, conservatism inside the organization, end-user unwillingness to learn something different) and this pressure should be balanced with an equal force and opposite direction if your Open Source implementation is to be successfull. More and more it becomes hard to chose the right tool for the job because Microsoft tools, Microsoft proponents and Microsoft consultants don't want you to integrate.

I had this discussion with my boss where I used to work a few years ago. He felt that it was OK to include Outlook as an option for a mail client for users alogside Eudora and Netscape Mail, I felt it was risky. This is how it went:

- User starts using Outlook, notices the groupware functions
- Instead of asking for the functions, they ask that those buttons in their Outlook clients "be enabled"
- The only way to do that was (at the time) to replace Sendmail with MS Exchange
- Exchange doens't integrate with current NIS+ servers unless it's through AD + Windows Services for Unix
- That requires master and slave AD servers;
- AD + Exchange will be happier with their own DNS server
- No real Open Source anti-virus software to talk to Exchange while running on Linux, so there's another Windows server

So there you have it: one Linux server that used to run Sendmail, anti-virus, NIS and DNS get's replaced by 1 Exchange server, 2 AD servers, 1 IIS server, 1 anti-virus server. 1 linux box replaced by 6 Windows servers at considerable cost and we lost our ability to chose the right tool for the job for that whole chain.

In the end what I'm saying is that while choosing for the right tool for the job you should be careful not to be locked into something that will force you to pick a lot of tools not so right for the job!

Re:Don't sell "Open Source"

[IANAAC]

Actually, you are now able let your users use Outlook (full functionality) without using Exchange on the server side. SUSE sells OpenExchange, Samsung sells Contact. Both run on a Linux server. They're not cheap, but they are substantially cheaper than Exchange.

So, in the end you could reduce the number in that pile of servers :-).

Re:Don't sell "Open Source"

[rjstanford]

Because not all documents are finished products. We do use PDF wherever possible, but when collaborating towards a final draft of anything, a modifiable format is much more useful. Saves having to retype the document every time, and having features such as "Track Changes" helps a bunch too.

IBM (or other)?

[shatfield]

It sounds like you may need to talk with IBM (or other large open source based company, maybe RedHat? ) about some of this stuff -- they probably have done a lot of the homework for you.

Good luck, please let us know how this goes!

Maintenance

[Ridgelift]

Try digging back to as far as the 70's and 80's when companies hired people to write them code. The idea of relying on closed-source software was really an idea from the late 80's and 90's, sold on the idea that it would be cheaper.

If a large company commits to integrating some Open Source, hire programmers to "tweak it the way they want" and then contribute the resulting code back to the Open Source community.

THEN compare your TCO's, RTI's and EIEIO's to you CICIO's.

Linux TCO

[Dr+Caleb]

First - ignore the Gartner Group. Most Financial Managers love the Gartner group for some reason, but WRT technology, I've never found them to be right. I think someone pointed out, using their TCO formula, your toaster costs you $4000 a year to own.

The Robert Francis Group has a .pdf of a study commissioned by IBM on the TCO of Linux (the link is for web servers, but there are other .pdf's under the 'research' link). You have to fill out some data, but it doesn't have to be representative of you. Download the PDF, it's pretty interesting!

Verizon does it.

[thedoktor]

Verizon's IT division had been running the entire development team on Linux, Openoffice for years now. There was an article somtimes back, on newsweek about a Verizon Director George Huges's initiatives.

Re:BIg Company

[beacher]

Another fine article - EU Publishes Open Source Migration Guidelines

Interesting read.. Your biggest opponents are going to be your non-coding macro writers...
-B

www.cat.com

[dukeluke]

Try Caterpillar for a real life example! -- I know personally that all their back end servers and mission critical servers are indeed open source.

And - NASA's going open source too see /. here

All Your Base Are Belong To Us

Re:Don't think of it as open source

[wo1verin3]

>>no, they are saying "I don't trust that a non-
>>commercial entity can provide ongoing support
>>nor do I trust a product without several names >>I can immediately call to get my request routed
>>to the correct division for support"

Do you of many non-commercial entities that trade publically? Going open source doesn't mean you're going non-commercial. It means you have the option to go this route, or not go this route.

Re:Don't think of it as open source

[LurkerXXX]

Mod parent up.

Wow, we can use all this great software we found on Sourceforge for our corporate enterprise. Then when it's abandoned like so many projects are on sourceforge... what? Oh great, we can 'read the code'. What do we do now? We can either wait for some bored group of kind souls to take it over, or we now have to hire ourselves a permanent staff of 50 code monkeys to keep the code patched and updated? Great. That's going to do wonders for the bottom line.

Having access to the "source" does you no good unless you are personally going to set up the staff up to make use of that fact. Ford motor company doesn't want to spend millions and millions of dollars maintaining their own operating system for use inhouse. They pay some company to provide the OS and share the costs involved with tens of thousands of other companies that also want to buy that software.

Seeing #includes is nice, but having a company standing behind and maintaining the software is what is needed.

Open Source Policy at my firm (a major Bank)

[justanyone]

I also work at a financial services company. Our Policy:

If the open source is supported by a company, then we can sue the company, and it's okay to use it.

On the other hand, we use Perl extensively (though not as extensively as I might hope) and though we officially get our modules from an ActiveState CD, we do have modules from CPAN, though ones I've tested well.

I used to work at a company that had an exceptionally good policy.
I'd like to expand on theirs and propose one that is like this:

1. Open Source software is to be considered equally with closed source software when it comes to product features.

2. Support for open source products should be considered alongside support options for closed source products and both purchase and support costs counted into the total cost of purchase / ownership.

3. Small one-off and/or utility products should not be required to be supported by a vendor. This means primarily code and products that are easily understood and thus where support for them in-house is not difficult or problematic.

4. Any time a large open-source product is considered, such as Apache, MySQL, Linux, etc., some investigation should be made of viable support options along with the true cost of in-house support (learning curve short or steep, etc.)

5. Large support vendors (PC desktop support companies) should be encouraged / required to provide support for open source desktop applications such as MySQL admin tools, etc.

6. Internal projects whose functions are not firm-specific should be strongly considered for placement in an open source mode.

7. Attention should be paid in the design of all projects to move proprietary or business-specific information from source code into configuration files. This will enable easier decision making about making a project open source.

8. Projects that are designated by a manager as open source should be hosted in a publically accessible location such as SourceForge.

9. One project lead should be designated (usually the project manager, but it may be the chief technical person). This person should be responsible for filtering all proprietary information out of the code and documents placed in the open source repository.

10. A project homepage and some documentation should be created for the open source repository. This should also include release notes and postings on FreshMeat.org on a semi-regular basis. The dual goals of the publicity should be to encourage others to use the software and thus contribute to the development / support of it. This should include the web-search-ability of the project to make sure anyone searching for it will be able to find it.

OpenOffice.org's presentation software "Impress"

[Anonymous+Custard]

OpenOffice.org's presentation software "Impress" can open and save PowerPoint files:
From http://www.openoffice.org/product/impress.html
"Of course, you are free to use your old Microsoft PowerPoint presentations, or save your work in PowerPoint format for sending to people who are still locked into Microsoft products. Alternatively, use IMPRESS's built-in ability to create Flash (.swf) versions of your presentations."

OSS Policies - here are some useful links

[dwheeler]

I think you'll find these useful:

1. Why OSS/FS? Look at the Numbers! has lots of quantitative data showing that you should consider using OSS/FS. The whole thing is long; Why OSS/FS? Look at the Numbers (presentation) is useful as a short presentation of the info.
2. The MITRE report on OSS use in the DoD shows that OSS is already being widely used there.
3. On May 28, 2003, the DoD issued a formal memo placing OSS/FS on a level playing field with proprietary software, without imposing any additional barriers.
4. If you want to reference guidance on how to evaluate OSS/FS, see How to Evaluate Open Source Software / Free Software (OSS/FS) Programs.
5. Although it's from a government view, you might find this presentation helpful: What Should Governments Examine in Acquiring COTS Open Source Software (OSS)?

Hope those references help.

One Firm that Just Finished an OSS Policy

[cbm_dude]

I'm not sure I can add new ideas, but my firm just recently inked their open source policy. My company is a big 3 global life insurance firm, which implies the firm is not an early adopter.

That said, many development managers and architecture folks have seen value in open source for some time, and have utilized it in projects (below the radar). As the quality of open source increases, and the deliverable become larger (Xerces to OopenOffice), we asked that the company formalize the usage of OSS.

During discussions we argued that OSS should not be treated differently than other purchased and/or developed SW. We did see a few exceptions:

• In OSS, you play the role of vendor in acquisition of the SW (With vendor SW, you trust they shipped the correct and uncorrupted version. And we know they do mess that up, but then you yell at them. There's no one to yell at for dloading the wrong OSS version except ourselves...)
• Paid Support may not be available, which adds some risk.

However, once those have been met (i.e. the risk issue is mitigated), we saw no difference between vendor code and OSS code.

Legal and Security drafted a policy, and it recently became official. In essence, the policy states the few additional risks that must be mitigated, and then states that OSS must go our normal software acquisition procedures.

I know some purists (zealots...) may disagree with the exceptions above, but we decided they were acceptable, were good business practices (remember, business could care less about the OSS philosphy, they are interested in lowering costs and/or raising quality while not raising unmitigated risk...), and were not worth the fight to remove. We decided this policy would allow us to utilize open source where appropriate, and time will pass. As the fight shifts from components (MSXML versus Xerces) to applications (MSOffice versus OpenOffice et al), business will become more comfortable with OSS, and the policies will change to reflect that (I remember in 1994-6 when companies resisted WWW, because they saw no value in it).

In the end, though, resist the urge to make the policy a political statement. I agree OSS needs help to thrive in a corporate environment, but not that much help. If OSS can't lower prices and/or increase quality while not raising unmitigated risk, then it truly is not appropriate for business.

As for the other items you mentioned, I don't think TCO is best done globally. Quite frankly, in some areas, OSS has lower TCO, in others it does not. Risk can be generally reviewed at the global level, but risk really depends on usage (Writing reports with OOO is low risk, calculating agent commissions with OOO might be high risk).

I agree with others that if you are looking for a "why use OSS", Call IBM or RedHat or some other places, there is plenty of material like that out there. Coupled with Gartner and Giga/Forrester, you should be set.