When Yahoo! + Aol. Blended Open Source Programs

Home , Flickr

A Tale of Two Cities: When Yahoo! + Aol. blended Open Source Programs

March 12, 2019

Prepared by Gil Yehuda Boil it down to one thing:

Your company needs an Open Source Program

1. Stories No OSPO → problems 2. Details Yes OSPO → benefits 3. Q&A

2 It was the best of times It was the worst of times...

Verizon acquired AOL. in 2016 Companies are cool and companies suck

Verizon acquired some of Yahoo! in 2017 Tech press presents a distorted view of reality

The unified business unit was called Oath: Culture is subjective and measurement is local

It is now called Verizon Media✓ Integrating two cultures gets political and ugly

The business combines internet media and Stories are fun, but we’re here to inform / inspire consumer experiences with ad tech / B2B brands.

3 E Pluribus Unum

Which is where the story gets complicated. This is not a story of two companies, but of 100 companies and thousands of people.

Could this be brought together to make one?

4 What does “Engineering Culture” mean?

How effective is your corporate technical governance? What is the role of engineering w/r/t the company? How do others perceive your engineering culture?

Is software created in anticipation of a need, or in response to a need? Insight Why do bad things happen with no central OSPO?

● Engineers have misconceptions about licenses and are afraid to ask for help.

● When engineers don’t trust the process, they invent their own rules; inviting more risk.

● It only takes a few people to create a lot of problems.

6 Photo Credit CC-BY-NC-ND-SA 2.0 www.flickr.com/photos/sharmilirakhit In “theory” you might face these questions

● Who removes people from your GitHub org when they leave the company?

● Should you use free TravisCI by publishing your proprietary code on GitHub?

● Are you one P4ssW0rd away from being hacked if you don’t turn on 2FA on the org?

● What if you buy a company and distribute their code without M&A diligence?

● Would anyone actually publish code that is downright embarrassing to your corporate brand?

● Why is it bad to have code on GitHub with no owner, no license?

7 Problems that creep up when you don’t run an OSPO

Tech Debt and Industry Misalignment Legal and License Problems

Holding an investment in outdated tech Published projects with wrong or missing that block you from keeping current. licenses. No open source terms in contacts. No license compliance on apps.

Attracting and Retaining Talent Leaked Information Engineers tend to prefer working at Former employees with privileged access companies with a strong engineering to repos see your code. Employees culture that supports open source. publish what they want anywhere.

8 Blending companies is hard, but...

Open Source Community Theory can help. ○ Shared Fate ○ Shared Faith ○ Utility > interaction costs

9 Maybe we focus on shared objectives?

Control Tech Debt Achieve Excellence Legal Compliance Open Source keeps us aligned By using open source properly, we At least to avoid dealing with any with industry. reduce abandonment and rework. legal problems.

and shared values...

Support Engineers Help Hiring / Branding Be Good Citizens Make it easy for engineers to Leveraging open source to attract By giving back to the community, interact with open source and with talent and reclaim recognition that by sharing code and proven any code for that matter. we’re a also a tech company. effective practices.

10 The OSPO Team + Partners

Legal Paranoids

Gil Yehuda Ashley Wolf Mani Subramaniam Sr. Dir Technology OS Program Manager + Mobile Compliance Washington, DC YDN Product Owner Engineer Los Angeles, CA Sunnyvale, CA

Responsible for Yahoo Responsible for Responsible for mobile Developer Network and the operations and internal app compliance Open Source Program at engagements. engineering Verizon Media. Tech PR Developer tools

Rosalie Bartlett Ben Pearson HR / Talent External Technology Sr. Community Manager Developer Advocate Acquisition Partners Sunnyvale, CA Austin, TX

Responsible for Responsible for external community managing GitHub.com management administration 11 What does the OSPO do?

Program License inbound Contributions to Compliance Open Source Management review projects Management partnerships

Supporting internal Reviewing the use of open Reviewing contribution Responsible for mobile and Reset membership with engineering groups with source in our products and policies and CLAs TV app compliance foundations, partner open source issues platforms engineering and automation companies

Community New project Issue support and Unauthorized code Security Alerts development publication resolution removal

Promoting projects via Reviewing publication Ensuring issues are Bug Bounty alerting us GitHub alerting us blogs, podcasts, and steps completed prior addressed on our of unauthorized code about vulnerable speaking events to publication external repos published dependencies

12 At the initial, tactical level

Program License inbound Contributions to Compliance Open Source Management review projects Management partnerships

Set up and Take them as they Set up CLA review Install tools and run Do the minimum communicate come process with legal baseline

Community New project Issue support and Unauthorized code Security Alerts development publication resolution removal Create content Publish process: Get visibility to Do a ton of Set up process events, partner lightweight and the problem and cleanup and and automate it with PR graduated triage tracking

13 Where we are now

7 6 200 500+ Strategic projects Podcasts this year Mobile and TV apps Engineers pay attention to the OSPO (about 10%) 16 24 100% Promoted projects Blog posts this year App License Compliance 330 Jira tickets per quarter 440 19 100% Active projects YouTube videos this year Artifact Compliance

14 Open Source Page is live Podcast page is live! Open Source is Newsworthy

In fact, open source is the technology leadership we can talk about externally. It is what people use to develop an impression of our tech savvy and leadership.

17 Seven strategic projects

opensource.yahoo.com Happy Ending!

Blending companies is not easy. Pointing to really bad mistakes helps demonstrate you need to fix things ASAP. It takes a team. Value must be greater than the cost of interaction. Eventually the shared fate leads to shared faith and collaboration on outcomes.

19 Unlike the original tale of two cities, we end with no beheadings. Takeaway messages: 1. Your company needs an Open Source Program 2. Supporting the engineering culture helps 3. Get alignment on the outcome, the OSPO will follow

20 Thank You

Ashley Wolf Technical Program Manager Open Source & External Technology [email protected]

Gil Yehuda Senior Director Open Source & External Technology [email protected]