There was a time like this in the past, but it seems to have passed
◇2. Compliance
It seems that they worked hard on the site, it is not an issue for the entire company
See it as a legal issue
◇3. Participation
Misunderstandings that rely on others
Maintained even if left alone
No need to keep up with upgrades
◇4. Co-creation (collaboration)
Contribute only when you can afford it
No immediate effect
◇5. Strategy
We don’t have to do it ourselves
■OSPO GGI Mapping
◇OSS business strategy
OSS activities are positioned as part of the business, and targets are set with both the business and the community in mind.
OSPO representatives are able to communicate at C-Level regular meetings
Some employees do not understand the OSS business model
I’m trying to get the conversation across
There are contributors, but they are not in a form that leads to business
Classified as Strategy goal activities
Mapping to maturity level 5 could not be assigned
C) I felt that even at the maturity level they were going as far as strategy
Isn’t it that there are things that are done and things that are not done?
A) Communication at the top is done, but there are some areas such as education that are lacking
◇OSS hosting
Develop product A with OSS
Became a sponsor of the base OSS PJ and has also contributed
It is open on GitHub, but the problem is that there are few external contributors and users
There is no internal system in place to deal with the increase in external
Product B Source released, development closed
Activities to revitalize the user community have been activated
There are also users who customize
Categorized as Engagement goal activities
Maturity level is weak in Leadership Community Education Engagement
C) be able to act as a leader, but not able to engage
◇OSS contribution
I want a more influential approach to the community
It would be good if we could accumulate know-how on how to do this within the company.
We also support private and open source activists
I can get information and I can visualize it
Some people don’t want to be open as individuals and don’t want support
I’m trying to automate and collect contribution logs
I want to make use of the experience and know-how of employees who are responsible for board members
Classification is Engagement goal activities maturity level
◇ What we want to do at TODO Group Japan
OSS Business strategy area
Not enough things that are organized in Japanese
Isn’t it easier to talk if you have something to show?
Combination of support type and open core type,
I think it would be easier to apply OSS to business if there is a place to analyze and discuss such things, such as using paid services as users use OSS.
OSS hosting area
It’s out there, but it’s revitalizing and gathering people
Know-how and best practices should be created
C) I would like to work with someone who is interested. I want to be able to bring out the results from Japan to the world.
C) Posing a very good challenge
there are many people who are interested in
Some people may be interested but unable to contribute
There was a company analysis at OSSJ, so it might be useful
Thinking about doing it broadly or deeply.
Q) There was talk of researching external community contributions. How does it ultimately intend to use the results?
A) The company is happy to know individual skills
You can’t just get results
We provide financial support when making presentations at overseas events.
We want to create a win-win relationship from both sides
C) Motivation seems to increase
A) Incorporating skill development leave, we have prepared a system that allows you to go without using your paid leave.
Q) Is it better to set up a sub-work or continue here?
A) I don’t know the framework yet, but I want to do it
■ Issue mapping by OSPO maturity level and individual ⇔ company/OSPO scope
The usage status of Open Source can be grasped at the project level for the purpose of satisfying compliance, but it is not grasped in the necessary form when considering strategic utilization throughout the company.
I have mapped to 2 compliance and 3 participation in the OSPO maturity levels, but the objectives are 5 strategies and I feel that the OSPO maturity levels will come and go rather than monotonously climb
C) Issues that do not allow you to jump into the community as your own matter and issues such as being recognized by your superiors and improving the personnel system are related
Is there a link between individual issues and organizational issues?
The timing of individual motivation and organizational motivation is out of sync
I want to raise my personal motivation, even if it’s just a little
If you try to make it fair, you can’t make it
Value standards such as the size of the community and the number of committed lines are difficult
OSS activities are not recognized by the company
are introducing new technology
Some people have good networks and some people don’t.
Individual study until community feedback is available
OSS activities are far away
Is the introduction of new technology evaluated?
OSS is even more unacceptable if it is not evaluated
A place to discuss careers
Individuals are not necessarily part of a community associated with the company
I want to promote it, but it is difficult to evaluate
Difficult in business evaluation
Establish other forms of awards or rewards
The next time you start working on your company’s business
SW human resource development
Eventually return to business
Business is difficult if you don’t understand it
After all, SW is a human resource.
Scale of support for individuals
For example, overseas events are big, or they are paying attention to technology
■ Other
◇ Relationship with legal
Q) Are legal people familiar with OSS licenses and able to intervene?
C) Isn’t it an area that has been talked about in Open Chain?
C) We also aim to cooperate with legal affairs
I hold study sessions and get involved
No one understands OSS in ordinary company legal affairs
C) No legal involvement
Since it starts with compliance, it starts with a legal proposal, but the legal department cannot handle it, so the open source team is supposed to take responsibility.
C) The parent company is doing well, so we can do commercial distribution from there, but there are cases where we can’t do it ourselves.
◇ SBOM and department in charge, procurement contract text
Q) Is the procurement department in charge of SBOM or is the project doing it?
A) It is in the form that the place requested from procurement takes responsibility
It is supposed to be included in the instructions at the time of procurement, but the requesting department is supposed to include it
C) I think that the OSPO functions in the LF organizational form.
I think there are various ways to actually do it, but I was wondering if I would intervene or get involved
C) There are various aspects, SBOM can not do even if they know the law
Tooling is essential, OSPO’s position needs to be promoted when introducing Tooling
I can’t understand the contents of the software unless I’m on site; collaboration is needed
C) OSPO is being asked to wield the flag, but there are various ways to do it, such as creating a new mechanism
C) It doesn’t matter if OSPO is a departmental organization or a company organization
Small steps to try to do things right together
C) SBOM does not proceed unless C-Level thinks SBOM is necessary
There are still not many companies that think that they have to do it desperately while thinking that it is exciting
C) There are many parts that move in the security system
That one is more motivational
C) The word SBOM stands alone, and the image differs from person to person
Security is shifting from the purpose of checking what license is included
It will also be used to understand the information we are using to make strategic decisions.
It will be different depending on what you emphasize, but it will be easier to talk if you use a common language
C) Concerning procurement, OSPO also participates in the preparation of the template and incorporates the conditions of OSS.
Regarding SBOM, the product security unit has started to move mainly in cooperation with OSPO.
With the cooperation of LF, we are planning an in-house lecture by asking the GM of OpenSSF and SPDX.