The open source ecosystem is a rich ecosystem composed of very different types of projects and of communities, organizations, and maintainers supporting them. This diversity of project and community types isn't well documented and is rarely considered by policymakers. As a result, the whole open source ecosystem is often lumped together as a whole, or separated into arbitrary groups that don't match reality. The purpose of this white paper is threefold:
- Identify important traits of open source projects that help differentiate and categorize projects into meaningful groups.
- Define a set of categories based on those traits.
- Propose a mapping from identified traits and categories to CRA roles (Manufacturer, Open Source Software Steward, not in scope).
- Provide examples of open source projects for each category and demonstrate where they fit and why.
This document is a deliverable of the Cyber Resilience SIG of the Open Regulatory Compliance Working Group (ORC) of the Eclipse Foundation. It is a draft and does not yet represent the consensus of ORC or its members.
This document is released under the CC-BY 4.0 License. It is not governed by the Eclipse Foundation Specification Process (EFSP).
This document is developed in the open, on GitHub. To contribute to future revisions of this document or submit errata, please send a pull request or open an issue.
While open source projects share a number of critical traits such as license recognized by the Open Source Initiative, there's a number of traits that differentiate them.
These traits provide a usefull framework to categorize open source projects together.
Traits:
- governance
- trademark ownership
- contribution model
- business model
- etc.
Projects which share certain traits naturally fall in the same category. We've regrouped them in the following categories.
This section proposes from the traits and categories identified in section 2 ann 3 respectively to CRA roles (Manufacturer, Open Source Software Steward, not in scope).
Using the framework described in section 1 and the mapping described in section to 3, provide a few case studies.
The following people have contributed to this document either directly or indirectly (e.g. by raising issues): Florian Idelberger, Georg Link, Götz Görisch, Steffen Zimmermann, and Tobie Langel.
If you have contributed to this document and aren't properly acknowledged or if you want to edit or remove your name, please let us know by opening an issue and we will fix this right away.