Episode 84

Community Viability - how Verizon thinks about OSS risk


16 May 2024

34 mins 46 secs


About this Episode

In this episode of CHAOSScast, Dawn Foster, Matt Germonprez, Alice Sowerby, and guest Gary White, Principal Engineer at Verizon’s OSPO office, delve into the world of viability metrics models developed for assessing the risks associated with using open source software components. Gary explains the creation process of these models, their application within Verizon for software evaluation, and the significance of engaging with the open source community to enhance project viability. The conversations also explore the challenges and considerations in deploying these metrics within organizations, emphasizing the blend of policy enforcement and cultural influence to manage open source software dependencies effectively. Press download now to hear more!

[00:02:30] Dawn asks Gary to elaborate on why Verizon chose to develop the viability metrics models. He explains the creation of the first four metrics models for assessing risks in open source software components, and the development of a fifth model that simplifies the original four. He also explains the importance of being quantitative about software library choices, an approach influenced by a research paper from Carnegie Mellon and by existing CHAOSS metrics.

[00:05:16] Gary mentions using Augur for metrics collection at Verizon and the benefits of tracking with CHAOSS tools.

[00:06:27] Matt asks Gary to provide an example of a metric used in the governance model, and he talks about the Libyears metric, which sums, across all of a component's dependencies, how many years the version in use lags behind the latest release, reflecting the risk associated with aging dependencies.

[00:07:50] Alice wonders about the “happy region” for the Libyears metric and its implications on risk assessment.
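The Libyears calculation discussed in the two segments above, as an added example that is not code from the episode or from Verizon's tooling: the dependency manifest, release dates and the one-year "happy region" threshold are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date

DAYS_PER_YEAR = 365.25


@dataclass(frozen=True)
class Dependency:
    """One pinned dependency and the newest release available for it."""
    name: str
    used_version: str
    used_released: date      # release date of the version actually pinned
    latest_version: str
    latest_released: date    # release date of the newest available version


def libyears(dep: Dependency) -> float:
    """Years the pinned release lags behind the newest one (never negative)."""
    lag_days = (dep.latest_released - dep.used_released).days
    return max(lag_days, 0) / DAYS_PER_YEAR


def total_libyears(deps: list[Dependency]) -> float:
    """The Libyears metric: lag summed over every dependency of the component."""
    return sum(libyears(d) for d in deps)


def stale_dependencies(deps: list[Dependency], threshold_years: float) -> list[Dependency]:
    """Dependencies outside the assumed 'happy region', worst offender first."""
    stale = [d for d in deps if libyears(d) > threshold_years]
    return sorted(stale, key=libyears, reverse=True)


# Constructed sample manifest; names, versions and dates are not real project data.
SAMPLE_MANIFEST = [
    Dependency("web-framework", "2.1.0", date(2021, 3, 1), "4.0.2", date(2024, 3, 1)),
    Dependency("json-parser", "1.8.0", date(2023, 11, 1), "1.9.0", date(2024, 5, 1)),
    Dependency("crypto-lib", "3.0.0", date(2024, 4, 15), "3.0.0", date(2024, 4, 15)),
]
HAPPY_REGION_YEARS = 1.0  # assumed per-dependency threshold for this example


if __name__ == "__main__":
    for d in SAMPLE_MANIFEST:
        print(f"{d.name:14} {d.used_version:>6} -> {d.latest_version:<6} {libyears(d):5.2f} libyears")
    print(f"total: {total_libyears(SAMPLE_MANIFEST):.2f} libyears")
    for d in stale_dependencies(SAMPLE_MANIFEST, HAPPY_REGION_YEARS):
        print(f"outside happy region: {d.name} ({libyears(d):.2f} years behind)")
```

A component can look fine on total Libyears while one dependency carries nearly all of the lag, which is why the per-dependency breakdown is reported alongside the sum.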

[00:09:25] Dawn asks Gary to discuss how these metrics are utilized at Verizon. He describes using these metrics to evaluate the viability of software at Verizon, including different use cases and dependency risks.

[00:11:39] Alice explores how Gary considers the context in which components are used when calculating risk.

[00:13:24] Matt asks about the process of engaging with the metrics models within the organization. Gary explains that the approach depends on several factors such as severity of finding, buy-in from the organization, and the organizational structure of the OSPO, and details the use of specific resources like the “endoflife.date.”

[00:18:07] Gary outlines how Verizon integrates risk management frameworks with organizational tools like dashboards to disseminate collected data and foster buy-in for automated systems.

[00:21:16] Alice asks Gary for advice on engaging with open source communities when viability metrics indicate potential issues. Gary highlights the importance of community and governance metrics in driving organizational support for critical open source projects.

[00:22:43] Gary shares his experience in the CHAOSS group, emphasizing the value of diverse opinions in developing and validating viability metrics models.

[00:24:33] Dawn highlights the significance of the discussions on viability and risk in the OSPO working group, emphasizing how these are critical concerns for OSPO leaders.

[00:25:24] Dawn inquires about how Verizon uses CHAOSS metrics beyond viability assessment, particularly in open source management. Gary discusses leveraging CHAOSS metrics across various teams to judge component use and risk profiles and explains Verizon’s approach to using metrics involving both an educational component and a policy component.

[00:27:33] Gary talks about the ongoing efforts to integrate and optimize the Augur system at Verizon, acknowledges Sean Goggins for his assistance, expresses a desire to contribute back to the community, and describes exploring new metrics to trace and predict significant events in the open source ecosystem.

Value Adds (Picks) of the week:
[00:30:29] Dawn’s pick is going on an Afternoon Tea London Sightseeing Bus Tour with friends.
[00:31:07] Matt’s pick is reflecting on the value of attending conferences and meeting people.
[00:32:10] Gary’s pick is the support from the Augur team, attending conferences, and meeting people.
[00:32:51] Alice’s pick is attending OSSNA in Seattle.

Hosts:
Dawn Foster
Matt Germonprez
Alice Sowerby

Special Guest:
Gary White

Links:
“We Feel Like We’re Winging It”: A Study on Navigating Open Source Dependency Abandonment (ACM Digital
CHAOSS-Topics: All Metrics Models
CHAOSS-OSS Project Viability Starter
CHAOSS-Augur NEW Release v0.63.3
Classic Afternoon Tea London Sightseeing Bus Tour
Open Source Summit North America 2024 Seattle