Technology Portfolio Management (TPM) Best Practices - Assess open source project health as part of technology fitness evaluation
Chapter 81. Assess open source project health as part of technology fitness evaluation
Overview
Open source software is created and maintained by communities of contributors that range from single individuals to thousands of active participants backed by multiple major commercial organizations. The health of the community that maintains an open source component is as important as the current quality of the component itself: a well-written, well-architected component maintained by a single unpaid volunteer who could cease contributing at any moment carries a different risk profile than a comparable component maintained by a large, commercially-backed community with governance structures, release processes, and long-term sustainability funding.
Best Practice
Include open source project health as a required dimension of the Technical Fitness assessment for any technology in the Open Source Components Inventory or the Software Technologies Inventory that depends substantially on open source foundations. The project health assessment should evaluate the following dimensions:
Community size and diversity: the number of active contributors, the diversity of organizational affiliations among contributors, and the trend in contributor growth or decline over the past twelve months.
Release cadence and maintenance activity: the frequency and regularity of releases, the responsiveness of maintainers to security vulnerability disclosures, and the average time to resolve reported issues.
Commercial backing and governance structure: whether the project has the backing of significant commercial organizations with a financial interest in its continued health, a formal governance structure with defined decision rights, and an explicit sustainability model.
Bus factor: the minimum number of contributors whose departure would place the project at critical risk of abandonment or of significant degradation in maintenance quality.
A project with a bus factor of one or two is at significantly higher risk than a project with broad, distributed contribution and multiple commercial sponsors.
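The dimensions above as a small scoring script, added here as an illustration and not part of the IF4IT text: it derives a commit-share bus factor, author e-mail-domain diversity, the twelve-month contributor trend and the median gap between releases from a constructed commit history. The project, dates and addresses are invented, and the bus-factor proxy (fewest authors holding more than half of recent commits) is an assumption, since the chapter defines bus factor qualitatively.

```python
from collections import Counter
from datetime import date, timedelta
from statistics import median

# Constructed sample history (commit date, author e-mail) and release tags for a hypothetical project.
COMMITS = [
    (date(2024, 5, 2), "alice@a.example"), (date(2024, 4, 11), "alice@a.example"),
    (date(2024, 3, 20), "alice@a.example"), (date(2024, 2, 14), "alice@a.example"),
    (date(2024, 1, 9), "bob@b.example"), (date(2023, 11, 22), "bob@b.example"),
    (date(2023, 9, 5), "carol@mail.example"), (date(2023, 8, 1), "alice@a.example"),
    (date(2023, 5, 10), "alice@a.example"), (date(2023, 3, 3), "dave@c.example"),
    (date(2022, 12, 12), "bob@b.example"), (date(2022, 10, 20), "erin@c.example"),
    (date(2022, 8, 15), "carol@mail.example"),
]
TAGS = [date(2023, 6, 1), date(2023, 9, 1), date(2024, 1, 15), date(2024, 4, 20)]
AS_OF = date(2024, 6, 30)  # assessment date

def in_window(commits, end, days=360):
    start = end - timedelta(days=days)  # window is [start, end)
    return [(d, a) for d, a in commits if start <= d < end]

def bus_factor(commits, share=0.5):
    """Commit-share proxy (assumption): fewest authors whose commits exceed `share` of the total."""
    counts = Counter(a for _, a in commits)
    total, covered = sum(counts.values()), 0
    for n, (_, c) in enumerate(counts.most_common(), start=1):
        covered += c
        if covered > share * total:
            return n
    return len(counts)

def org_diversity(commits):
    return len({a.rsplit("@", 1)[1] for _, a in commits})  # distinct e-mail domains as an affiliation proxy

def contributor_trend(commits, as_of):
    """Active-author count in the last 12 months minus the count in the 12 months before that."""
    recent = {a for _, a in in_window(commits, as_of)}
    prior = {a for _, a in in_window(commits, as_of - timedelta(days=360))}
    return len(recent) - len(prior)

def median_release_gap_days(tags):
    tags = sorted(tags)
    gaps = [(b - a).days for a, b in zip(tags, tags[1:])]
    return median(gaps) if gaps else None

def assess(commits=COMMITS, tags=TAGS, as_of=AS_OF):
    recent = in_window(commits, as_of)
    bf = bus_factor(recent)
    return {"bus_factor": bf, "org_diversity": org_diversity(recent),
            "contributor_trend": contributor_trend(commits, as_of),
            "median_release_gap_days": median_release_gap_days(tags), "critical_bus_factor": bf <= 2}
```

On the sample data one author holds five of eight recent commits, so the bus factor is 1 and the contributor count fell from five to three year over year, which is the pattern the chapter says should trigger a Strategic Disposition review.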
Benefit(s)
Including project health in the open source technology fitness assessment gives the organization an early warning system for open source components that are at risk of becoming unsupported or abandoned before that risk materializes as a governance crisis. Components with deteriorating project health metrics receive increased governance attention and may receive a Strategic Disposition change — from Sustain to Move-Away, for example — in advance of a project abandonment event rather than in response to it. The organization develops a technology fitness assessment capability for open source that is proportionate to the specific risk profile of open source components, which differs meaningfully from the risk profile of commercially-supported software.
Copyright for the International Foundation for Information Technology (IF4IT): 2008 - Present