Ask HN: Does your company use a tool for outbound open source contributions?

[BenBoe]

There is a lot of blog posts about ‘outbound open source’ contributions in small or big companies. Example: http://www.smashingmagazine.com/2013/12/open-sourcing-projects-guide-getting-started/. Especially when starting a new open source project, many companies go through IP compliance checks and evaluate which license to apply (MIT vs Apache etc). Often times there is an approval process involved by the various parties (management, lawyers, process owners, etc).

Does your company have a tool for this process? If so which one? All I found so far was some companies leveraging Jira workflows.

[theWold]

I don't quite understand what you mean by outbound? I assume you mean people who contributed to the code from outside of the company and how we officially add their code in.

https://github.com/capitalone/Hygieia

So I work for Capital One (obligatory What's in your Wallet). This is our Open Source DevOps Dashboard (Apache v2). We do make outside contributars agree to a "Capital One Individual and Corporate Contributor License Agreement" (ctrl-f for 'Link to Agreement' on the main git page I provided above).

Essentially, from a buddy of mine who works on it, we basically just need to make sure people don't somehow add non-compatiable liscensed code to it, and we can keep using it with your contribution.

As for the commits from outside and taking it so that we can use it, I believe we not only have the team incharge of the project review the code, but also our Application Security guys look at the code a lot. (They always scrutinize any and all non internal code for any sort of malicious intent (software or legal)). Once the green light is from them then we are good to go, to my understanding. I don't directly work on the project. (Shameless plug for what I do work on https://ane.capitalone.com/landing . Huzzah for Direct Auto Loans!)

I don't know much else, but if you reach out to any of the more active people who contribute they'll reach back out, or atleast they did for me when I reached out via my personal git account.

We have two other open source projects, but I am not as familiar with them as Hygieia.

https://github.com/capitalone

[BenBoe]

Thanks @theWold - that makes sense. Having a CLA in place is they way to make sure the rights are assigned to the open source projects for further use.

I wonder if the people who initially started the open source project had to go through some sort of approval process by management and whether that was facilitated by a tool? Also if the company somehow keeps track of the open source projects activities. Outbound basically meaning = from company to open source world.

[theWold]

> I wonder if the people who initially started the open source project had to go through some sort of approval process by management and whether that was facilitated by a tool?

VERY much so. So, imagine yourself as some old bank executive. Sure you work at a more progressive (tech and policy wise) bank than others, but still at the end of the day we're a bank. Why would we give free things away? That was the main reaction before our current CIO, Rob Alexandar, got into the mix of things. He has slowly been pushing to become more and more forward thinking about tech from the top down. Which is a hard thing in such a regulated environment like a bank. There are so many internal power struggles on old systems that all new tech hires (new meaning last 5 years and younger) with getting rid of older things. We have begun to rewrite major systems. Keeping good documentation. Transitioning everything to git rather than SVN. Updating our AppSec ability to audit things quickly such that we can actually get something to production in a week if we really want to.