On project governance

Recently, some of the i2b2 team asked me for my thoughts on project governance. I find that my lengthy email answers to these kinds of questions are worth blogging about. I mean really, its a bother to write a good blog post and a bother to write a long email… why duplicate??

The original question was very broad:

Can you share any pointers to governance procedures, policy
and organization for an OS process?
The first question to ask is who, practically speaking, currently has the right to modify the published version of i2b2? Lets call those the “developers”.
The second question to ask is who owns the trademark to the term “i2b2”? That person or organization is by implication the current shepherd. Most of your concern should go into legitimizing your current development team and ensuring that your shepherd organization is doing right by them.

Next, is there a for-profit company that is predominantly the employer of more than half of the developers? If that is the case than you can consider a for-profit shepherd organization (like RedHat or Canonical). Usually for an organic project like i2b2 this will not work.

Next you can setup a new non-profit as the shepherd organization. This is the most common model. The purpose of this organization is primarily to have someone to sue other than developers directly. 501c3s are a bother to setup, if you want you can create an “arm” of an existing non-profit. There are at least two options for this, you can work with Open Health Tools which is really designed to support this. Often that does not work for licensing or other governance  reasons, and if you need more autonomy but still want a non-profit shield, you are welcome to setup sub-organization with Liberty Health Software Foundation.  There are other Open Source Health IT non-profits out there…

No matter if you setup your own non-profit, partner with an existing one, or choose a for-profit vehicle, your governance model is basically the same core set of issues. The questions you must answer definitively with your organization governance is:

• Who gets to update the code?
• Who gets to name a particular codebase as the “current” and “official” version of i2b2?
• If you have a modular architecture (and who doesn’t?) how do you decide which modules get to advertise on the main community “site”
• How do new developers earn the right to update the core code?
• Who will you recommend for paid support? How can an organization get on that list? This is an important question, you must do everything to ensure that when i2b2 is installed somewhere by some third party that if that third party was using the i2b2 name to market themselves that they did a good job.
• What are the rules for the use of the i2b2 trademark?
• Where do you go on the web to participate in the i2b2 user and developer community?
• Who owns the copyright to i2b2? What is the license? If you decide to change the license how will that happen? Are you requiring copyright assigments for coded contributions and if so, to whom are the copyrights assigned?
• What is your policy towards patented software? (Universities can be sensitive about this)
• Will the organization be employing developers? Will you seek money for development?
• How will you unsure that future difficult decisions on your project will be made well?

I know that i2b2 has very strong academic associations, as many FOSS projects do. That relationship may mean that “at the university’s discretion” is often the answer to many of the above questions. That is fine, but you need to make it perfectly clear which of the above questions you are abdicating (and why) and which you are not.

I hope that I have adequately opened a can of worms for you. I have many opinions on how these questions should be answered and for each of them there are many different legit paths taken by other FOSS organizations. I can intelligently discuss how the top reference organizations function as applied to you (like Apache, Mozilla, Eclipse and Linux) to see where there might be areas for you to imitate. Let me know which of these topics interest you and I can discuss them further here. The most important thing to realize is that your governance -cannot- be as complex as the Apache governance processes without also having the kinds of resources that the Apache projects have. You either need to work with an organization like Open Health Tools which has alot of these things figured out, (but may have made decisions that you cannot live with) or you need to create a light-weight set of processes and governances that are something that your organization can actually follow.

I am sure that you already have concerns and ideas that I have not even listed, either because I am unaware, or I think there are not important. So I as you go through this process I would advise you to ask two questions:

“What bargain am I making with my users? Besides understanding what my software does, my users want to understand what license obligations they are undertaking to use my software. They want to understand how to connect into a community of users, and how to get paid support if they need it. Are the ‘terms’ for becoming a user of the my software clear and fair? “

and

“What bargain am I making with my developers? Developers are by implication both interested and not satisfied with my current software. They want to improve it with me, but they must calculate whether it is worth their time to make the investment to develop with me. Are the ‘terms’ that I set forward to them clear enough that they can determine whether to make that investment? ”

Sometimes an shepherd organization is going to have to make unpopular decisions. (Like Red Hat did in retiring Red Hat Linux and creating Fedora) How will your organization be able to make good decisions that potentially infuriate your users? More importantly, how will your organization recognize when your community of users has moved beyond you? (Like the firefox project did inside Mozilla) how will your organization maintain the humility to recognize that a community version is better than your official version?

If you get either of these questions wrong, your shepherd organization will end up holding your project back in the long term.

Probably the most controversial question that you have to answer is to what degree you will allow your community to rule you. When WorldVista (the current non-profit for VistA) was originally formed, they were concerned that corporate interests would “buy-out” the WorldVistA board. As a result there are no elections to the WorldVistA board positions. There is no way for the community to remove board members. Over time, this has resulted in a steady loss of “doers” on the WorldVistA board. Enforcing “doing” over “dithering” is impossible if you cannot rid yourself of someone who really wants to “dither” (for goodness sake look at Congress). As a result, the board tends to attract and keep “ditheres” while alienating “doers” in the community. The few “doers” on the current WorldVistA board are long-suffering and patient individuals… martyrs really. The end result is that WorldVistA consistently refused to make the difficult decisions. When they do act, it is usually only after a particular strategy has become obvious (<- read this as “too late”)

WorldVistA did not start out that way, it is a factor of organization rot based on bad decisions made early in the formation process. But remember, their concern was very real. There are plenty of organizations that get taken over by corporate interests. The purpose of a shepherding organization is to protect the project for its developers and users, that means partnering with companies, but not being ruled by them.

For a worst-case scenario of how an organization can get embroiled in project issue, consider when Tridgell developed a FOSS Bitkeeper client while employed by OSDL (the precursor to the Linux Foundation). At the time OSDL also employed Linus Torvalds, who was in favor of using the proprietary Bitkeeper. From OSDLs perspective, you had a big mess. Two of its sponsored developers where at odds putting in a potential position of liability from Bitmover, the company behind the proprietary Bitkeeper tool.

You have to consider the far future of a project as you consider your governance structure. To do this, you have to honestly, and potentially painfully, asses the potential conflicts within your particular community. Remember that it will not be you sitting in your chair when the critical decisions are made, you have to be able to assume that your replacements will be competent, but you would be foolish to assume that they have your motivations. Its a difficult balance and I wish any project luck with that.

For the best examples of well-run shepherding in our community I would recommend Medsphere.org (the community arm of Medsphere corp) and the OpenMRS project.

HTH,
-FT