Governance in projects and companies
Walid: Welcome to all of you for this new episode. Today, it’s an episode that stems from an anecdote that I’m going to tell you. We’re at the Capitole du Libre 2025 (Editor’s note: mistake, it’s 2024), it’s 10 a.m., I meet our guest Sébastien Dinot, in front of his booth, the CS booth. We talk and he says to me “Listen Walid, you did an episode on the economic models and governance of free software, I listened to the whole episode and in fact I have to tell you that I’m not happy because you don’t talk about governance at all.” And I told him, “You’re absolutely right, so we’re going to do an episode on what governance is in free software and in a company.” So here we are. Our guest today is Sébastien Dinot, who will introduce himself right after. As usual, my partner to talk about these subjects is Raphaël Semeteys who is devrel at Worldline. Hello Raphaël and hello Sébastien and welcome to Projets Libres!
Sébastien: Hello Walid and hello Raphaël.
Presentation of Sébastien Dinot
Walid: Great, listen, we’re in good shape, the weather is nice, let’s go for this episode. Today, therefore, we welcome Sébastien Dinot and Sébastien, I’ll let you introduce yourself first. Can you tell us a little bit about yourself and how you got into Free Software?
Sébastien: I work for the technical department of CS Group, which is a subsidiary of Sopra Steria. And my daily work consists of supporting the CS teams and our customers in their acculturation to free software. That is to say, I will support them in the four dimensions, which are the technical, legal, social and economic dimensions. In concrete terms, this can involve legal compliance audits, support for a contribution, explaining how to release a project, or even the related strategy, or even developing the company’s strategy with regard to free software. I created CS’s Open Source Program Office – OSPO – 12 years ago. Apart from that, in a private capacity, I was a member of the board of directors of APRIL, the secretary, then vice-president for 13 years.
Walid: How did you discover free software? When was it, was it during your studies, was it after?
Sebastien: After… I am old. I have a very clear memory of it. It was February 1998. In February 1998, I don’t know if it speaks to you, but it’s pure chance. I discovered that a long time later. This was at the time when Christine Peterson, Bruce Perens, Eric Raymond and company were creating the Open Source Initiative. When they were creating the OSI, I said to two friends, “I should train in Unix, it would still be good for my culture”. And these two guys were like, “Look, we’ve heard about a free Unix that runs on PC, you should try that. It’s called Linux.” OK. I didn’t have the internet at that time. I went to a bookstore, I came across a book: “Introduction to Red Hat Linux”. It must have been 4.8, I think, at the time. I bought the book, I installed the CD and I discovered a world. And very quickly, I said to myself, “but this is great, I have a lot of tools”. And a whole bunch of questions came up, actually. How come I have all these tools for free? Who makes them? What for? How does it work? I asked myself a lot of questions. I really started to be interested in the way this software was produced, which, at the time, for me, was above all free. And then, in Paris, in October 1998, it was the Fête de la Science, I heard about an animation around free software at the Cité des Sciences. I went. And then, I came across a bunch of passionate young hackers, with boundless energy, who made demos and everything. And then, I find them super nice. And then, I think that the next day, I joined their association which was APRIL.
The creation of the Open Source Initiative (OSI)
Walid: Wait, can you remind us what the OSI is?
Sébastien: So OSI is the Open Source Initiative.
In fact, there are two movements around free software. Historically, there is the Free Software Foundation, the FSF, which adopts a philosophical and political approach to free software and which has defined what is called the Free Software Definition, FSD. And then, in 1998, there were people who said to themselves that they were more technicians, let’s say, and who didn’t want to hear about the philosophical, political dimension of free software at the time, and said to themselves: “We have to find a new marketing program for free software. Because it’s too complicated to explain that free is like freedom, but it’s not free.” So, we’re going to find new terms. And they came together to create what would become the OSI.
And in the middle of this gang of hackers, some of whom are famous, Bruce Perens, Eric S. Raymond and then others, there was a woman who was not a hacker, but who was… I think it is from memory, it must be… I don’t know how to say it in French. She is a forecaster. She studies current science to try to project herself into the future and try to anticipate developments. And it’s… she, Christine Peterson, who has been somewhat forgotten by history, who suggested that everyone use the term open source. We owe her that term.
Walid: It was the historic moment.
Sébastien: And so, the OSI created the Open Source Definition.
Sébastien’s contributions to free software
Walid: OK. You mentioned APRIL. Are there any projects in which you are involved, in particular, or themes in which you are more involved than others in the free software world?
Sébastien: It depends on whether you’re talking about projects or themes. I’m particularly interested in the governance aspects, we’ll talk about that later, and in the life of free software projects. Apart from that, at the beginning, I have a developer profile. And so, through my background, my experience, I have always had a taste for high-performance code and robust code. Code optimization, code reliability. And so, from there came the practice of unit testing, all the good development practices, CI/CD, and all that. And so I support a lot of projects on these aspects. The implementation of good development practices, and since we are in the free software sector too, the best practices of collaborative development. Afterwards, if we talk about projects in which I am involved, paradoxically, there are few. So, I’m a developer, I say I’m passionate, and I contribute to few projects, it’s surprising. In fact, when I discovered free software, I realized that if I didn’t code software, it didn’t matter, someone would code better than me. But on the other hand, I was quite good at defending my ideas and that in this field, there weren’t that many of us. And among these people, few were willing to devote energy to promoting and defending free software. And I told myself that it’s more interesting for me to invest in it. That’s why I invested a lot of time in APRIL. And afterwards, I also got involved in Open Data. I got some results that I’m a little proud of. And still, over the years, I have been involved in two projects, more than others. So, I say more than others because my job leads me to work on a lot of projects on an ad hoc basis and to advise a lot of projects. But in the long term, there are two projects in which I have invested. And here again, paradoxically, people don’t know me too well about these projects. They don’t know I exist because I’m the guy in the machine room, making sure that the servers run, that the CI/CD tools work, etc.
So, things that are not visible, actually. The first is a project created by CS in 2002 and released in 2008, called Orekit. It is a library of space mechanics released under an Apache license. There, I administer the servers, I set up the quality of things, I set up the CI/CD, I introduced tools such as Discourse so that the community works better. I make sure that governance is applied. So, today, the developers are great, it’s really a great project. If the free world worked like this, all the time, it would be a world of kissing bears. But at the beginning, people weren’t too used to it. So, I made sure that the CS developers behaved well with the community. Because the most valuable thing about a free project is its community. There you go. And I did a bit of the same kind of thing, but I stopped in 2022, for a project called Orfeo Toolbox. So, from 2008 to 2022. And this is a C++ project. It is a remote sensing-oriented image processing library, i.e. for the use and processing of satellite products. And other than that, privately, I’m a hiker and a map enthusiast. And so, since 2009, I have been contributing massively to OpenStreetMap. I’m at more than 2 million edits on the project.
Walid: There you go. OpenStreetMap that we have talked about in a lot of episodes. A fairly recurring topic, especially in the episodes on transport, we talk a lot about OpenStreetMap, because indeed, it’s a bit the basics. Ok, Raphaël, do you have any questions?
Raphaël: No, no, that’s clear. I understand the position you describe, Sébastien. Precisely, that’s what’s strong in free software and in the community aspect. If everyone brings something to the table, it’s not just the code in the community, we’re going to talk about it with the governance.
Defining governance in an open source project
Walid: So, precisely… We’re going to move on to the first part on governance, since we decided, in doing this episode, to focus on two themes. The first is the theme of what is governance in free software, in a free project, and the second is what is governance within a company. So, if we take governance in a free project, the first question we can ask ourselves is, first, what do we call governance? What is governance?
Sébastien: So, earlier, I was talking about the four dimensions of free software. And indeed, a free project is a project that results from the collaboration of legal and natural persons in four dimensions: technical, legal, social and economic. And you don’t get involved in a project if you don’t know the conditions of engagement.
And so, for someone to get involved in a free project, they need to know the conditions of engagement on these four dimensions. So, at the technical level, it will be the source code, the methods, the tools, the contribution guide, which will define the practical modalities of contribution. At the legal level, it will be the licenses and contribution agreements, which are legal in nature, but here they encroach a little on the social dimension, because it can be a source of tension. And at the social level, at the level of human relations, well, it is governance and the associated documents, such as the code of conduct, that will define the social framework for collaboration. So, code and tools, technique, licensing and contribution agreements, legal framework and governance, social framework. Then there is the economic dimension, which is handled in different ways depending on whether it is a small project or a large project bringing together large groups. This is very vast, in fact.
And so, governance, which addresses this social dimension, is the constitutional foundation of the project. It defines a set of principles and rules, and therefore of operation, and when it is published, what we call having open governance, we make sure that all the people involved in the project or planning to get involved are aware of the rules of engagement, the rules of participation. And that’s very interesting because not only can it actually decide who to contribute, but also, in the event of a drift in the project, everyone is free to refer to the governance and say “wait, we’re going out of our way, you’re not applying the rules that were tacitly agreed.”
So, governance, from one project to another, it addresses different points, but there is a subset that we always find, and that is the roles and rights, I would even say the privileges associated with these roles, the decision-making processes and the people involved in these decision-making processes. That’s really what you find everywhere. But we can have other aspects. For example, we can have the objectives, the scope of the project, to make sure that it doesn’t go in all directions. And so when people come up with new features, we’ll be able to say, “Wait, we’re taking care of things outside of the project,” so we want to stay the course.
It can also be a code of conduct. Then… In 2025, when we see how some people behave, a code of conduct is more necessary than ever. I was someone who used to be reluctant to the code of conduct and finally I became a follower and I advocate the use of the code of conduct, the implementation of the code of conduct. But it can also be governance, the commitments of a project to a third-party structure. For example, there are open source foundations and many projects join these foundations, put themselves under their umbrella. And these foundations have requirements. Well, making these requirements known, the relationships that link the project and the foundation, can be interesting, too. So, governance, in the end, introduces transparency on the functioning of the project and trust. And trust is what you need to commit to a project. We are in the human element, really, 100%. On the other hand, there is one small detail that I pay attention to, and that is that I spoke earlier of the constitutional basis. And I really see governance as a constitutional foundation. And the problem with the constitutional foundation is that it tends to sacralize what it says. And that it is difficult to go back on it afterwards. It requires quite cumbersome processes. And so, you have to be careful not to freeze things too much in the project. A little anecdote, earlier, I was talking about Orekit. Well, it’s not a big deal, but the governance explains that we contribute to the project by sending patches by email. This may have been true in 2002, but it is no longer the case at all in 2025. And I wonder what it does there, it wouldn’t have its place, it shouldn’t have its place. And I am going to propose a review of governance to correct a few small details, some ageing of this type.
Raphaël: So, I have a question, because you talk about open governance, so there, it’s when the constitution, the governance, the rules, they are explicit, but it’s not always the case in projects or maybe it appears at a time of maturation or maturity of the project.
Sébastien: Yes, you’re right. This is not always the case. So, when this is not the case, it is either very small projects. In fact, you have to realize, you know it as well as I do, but it must be said for the listeners, most projects are led by one person. And that person gets any contribution as a blessing: “It’s great, I had a contribution this month, it’s fabulous.” And so, this person, the project leader, does not bother with a governance rule, a contribution agreement. He takes this contribution, he integrates it and he is happy.
But when your project starts to grow, you need governance to sort it all out. But this need for governance only appears when it is clear that you intend to share powers. However, we can see that some projects, although large, so we are no longer in the case I described earlier, are voluntarily controlled by a single company that decides everything. So it doesn’t need governance, it decides internally. Afterwards, people decide whether or not to contribute, but here, we are in a totally unequal relationship, in fact. Therefore, external contributors cannot make their voices heard.
And I know of several projects that have died or forked as a result. So, governance, indeed, many projects do not have it out of ignorance or voluntarily, because power is held by a single entity that has no intention of sharing.
On the other hand, any project that starts to have regular contributions and so on, I invite their leaders to ask themselves the question. Because we shouldn’t wait for there to be a problem, for there to be a clash, to settle things urgently, it risks dynamiting the project. Things have to be planned beforehand, so that the day the problem occurs, there are rules to refer to and we can say objectively, no. What you are doing is not acceptable, no, it is not the spirit of the project, etc. Or the decision-making process has not been respected, so the decision is null and void.
Walid: The term governance is something that happened at the very beginning of free software, this term didn’t exist? Is it something that happened over time, and I guess evolved over time as well?
The appearance of the term governance of a free project and its evolution
Sebastien: No, indeed, at the beginning, few people cared about governance. There is probably one major exception which is the Debian project. The Debian project, in 1997, was equipped with a social contract, followed in 1998, if my memory serves me correctly, by a constitution. And I remember that in the early 2000s, everyone looked at the Debian project as a curiosity. They have a social contract, it’s strange, they have set very strict rules. Few projects were organized in this way. If you take the GNU Project, for example, which is much older than Debian, because Debian had to start in 1993, and the GNU Project in 1983, so it’s 10 years older. Well, for a long time, the GNU Project, the leadership was just the work of Richard Stallman, who indicated what he was going to do. So, it was the GNU manifesto, it was the definition of Free Software and other founding documents that put the GNU project in this logic. But in the end, the FSF and Richard Stallman, for a very long time, didn’t care about people. They have evacuated this subject. In fact, they weren’t treating him. And I learned not so long ago, by pure chance, that in 2020, the GNU Project had a social contract. A project created, started in 1983, did not really have a social contract until 2020. On the other hand, you have the Apache Foundation, which we were supposed to be again… it was still the twentieth century when it was created, I think it was 1999. And very early on, it adopted a governance system that it imposed on all the projects that joined it. It created ” The Apache Way “, the Apache way of doing things, in fact. We will certainly talk about it again. It has adopted a meritocratic model and it requires all its projects to operate according to this model. By the way, I think back to the Debian project. So, not only is there a constitution, but there is also a Debian Project Leader who is elected every year. So, every year, there are several people who apply. 
These people can eventually be re-elected, but generally, after 2, 3, 4 years, they hand over. And today, there are many projects that have this mode of operation. But in 1998, it was the exception.
Governance models
Raphaël: They even campaign and everything, it’s a whole system. And indeed, between Apache Way and Debian Rules, etc., in relation to my remark, from earlier, when you start a project, you start to get contributions. And then, somehow, it is necessary at some point to organize or make things explicit. So what is the toolbox or how can someone or a community that is in the process of self-organizing itself, what can they base themselves on? Precisely, we talked to Apache Way about this, how they do it at Debian. Are there good practices, even types of governance that have been defined?
Sébastien: Before good practices, there are governance models. Historically, the two that we have seen emerge are the BDFL, the benevolent dictator for life, and meritocracy.
So, the benevolent dictator for life lives up to his name. He is benevolent towards the project, not necessarily towards his community. And it’s usually a single person, who decides everything in the project. And there is no counter-power. So, you will tell me that this is the very definition of a dictator, of course, but it is a problem. Because in fact as soon as there are going to be tensions, the dictator, in the end, is always right. And so, you need human qualities that you don’t always find in developers for the community not to explode, and to have a sense of discussion, while saying at the end, I decide. And the BDFL tends to favor forks, community explosions. So, it’s a model that is unfortunately often toxic, and a number of projects have abandoned it.
Or often when the initial creator decides to turn the page, we are not going to renew a new dictator, we are going to move on to another model. And then, generally, after the dictatorship, what do people want? They want democracy. They don’t even need meritocracy, they want democracy. I will come back to this.
And meritocracy is different. It is a division of powers according to the merit of each person. So, at first glance, it seems really nice as a model because you think, it’s good. The more people invest in a project, the more they contribute, the more power they have. That is something that is right. In practice, the problem with meritocracy is that it does not stand up well to the wear and tear of time. No one questions the merit. Everyone knows what we owe to the old glory of the project. And so that, even when young developers join the management bodies of the project, when the young developer, who is active and to this day, is very valuable to the project, expresses a point of view, if the old contributor who is there, because no one has ever asked him to leave and everyone knows that we owe him the project historically, etc. If the old developer doesn’t agree, usually, we’ll agree with the old person rather than the young one. Whereas at the moment, the young contributor is more valuable to the project. And so, meritocracy is often criticized for creating castes and reproducing societal biases.
As a result, two other models have appeared over time. This is the democratic model I was referring to earlier, where there, typically, we say to ourselves, but in the end, Debian has understood everything. We are going to organize a temporal fluidity of powers, with mandates that have a limited duration in time, elections. So, as you said, Raphael, Debian, they even campaign, they defend their vision of the project, they put forward their hopes for the project, and the developers vote. And then you have another model which is called liberal, because in fact, roughly speaking, there are no rules. We will rather say that there is the only rule that exists, it is the one who does who is right. So, there’s a soft consensus, and then, in the end, someone decides to go down a path, they’ve coded things, and that’s it.
Walid: Do you have an example of a project like this?
Sébastien: It seems to me that within the CNCF, I have seen projects like this. But I’d have to look… But yes, there are, for sure. Do-ocracy is the one who is right.
Raphaël: I had a question about the democratic model, at least the Debian model. Because Debian, the people who vote in the project are those who have the status of Debian developer. So there is still a mix. You have to deserve, you know. You must first have arrived at Debian developer.
Sébastien: If you transpose that into our society, you have to be part of the community to have the right to express yourself. And in the elections in France, except, I think, for the local elections for a few years, but you have to be French to participate in the election of the president. You can live in France for 20 years, if you are not French, you do not have the right to vote for the President of the Republic. And yet, you are concerned.
Raphaël: You have to be a citizen of the project.
Sébastien: There you go. And there, for Debian, it’s the same. You are a developer. The term developer at Debian is quite broad. You have that status, so you’re an identified member of the community, so you have the right to vote. You’re a user, it’s cool, we’re super happy to have you, it’s great. However, no, you are not a member of the Debian community. But indeed, afterwards, there is always… Democracy always has its limits, whether on free software or in everyday life.
Raphaël: The other bias that I also see in the meritocracy part, in addition to the resistance to time, is the power games that can occur when it comes to people who are paid by companies.
Sébastien: Yes, you’re right.
Precisely, companies love meritocracy because they invest in a project, they get an aura, recognition, and afterwards, even if they slow down, since no one is asking them to leave the governing bodies, as everyone knows what they are owed historically, no. They retain decision-making power, while no longer contributing much to the project. So companies don’t really like democratic models where, in the end, you have to go back to coal every year or two and get a mandate again.
Walid: If I go back to the beginning of the conversation, let’s imagine, I’m a free software user. I’m trying to choose a tool. I come across a tool, it looks nice. We’re going to talk about it later, it makes a bit of a transition with the rest, with the tools. But I’ll see a little. I realize that there is no real governance.
Sébastien: Yes.
The asymmetric contribution mode
Walid: And that it’s a tool with a company behind it. In fact, basically, I should have a big warning. Be careful, it’s not clear. What happens if tomorrow I start contributing to this project?
Sébastien: Yes, you’re right. There are questions to ask that many people don’t ask. But for example, at CS, we have rules on this subject. For example, there are projects that require what I call an asymmetric contribution mode. That is to say, in fact, the project is under a strongly diffusive license, but it only accepts contributions under a permissive, very evasive license, such as MIT, BSD. This means that they can close the code again. On the other hand, you, behind, can’t close because their license, strongly diffusive, GPL type, imposes itself on you. Well, typically, at CS, we don’t accept to contribute to projects that have an asymmetrical contribution mode. We contribute under the project license or we don’t.
Walid: Is that possible? We ask you to have your code under one license, but we release it under another license.
Sebastien: That’s right. These are projects that are carried out by a single company. They want to keep power and they want to arrogate to themselves… Because in fact, historically, there are several ways of managing contributions. There is either a transfer of copyright, or contribution agreements that are such as the classic ICLA (Editor’s note: Individual Contributor License Agreement), CCLA (Editor’s note: Corporate Contributor License Agreement) or the Developer Certificate of Origin. But if we take the transfer of copyright, so the Copyright Assignment, well, it is divisive. You ask a third party to contribute and assign their rights to their contribution to you. Frankly, most of the time, people say to themselves, “No, I’m contributing to a project, I don’t see why I would give up my rights and why I shouldn’t have the right to reuse my own work behind it.” So, you really have to be called the Free Software Foundation to obtain results and contributions with such high standards. And still, I know people around me who refuse to contribute to GNU projects because they don’t accept the transfer of copyright, including for the benefit of the FSF. So, the FSF is well-intentioned, it thinks, “If we have all the copyrights, the only person who can be sued is the FSF. And we have the means to resist an attack and defend the project. So, we are securing the project.” That’s why it’s very good. But there are people who don’t accept that. And we see commercial players who, at one time, tried to demand the transfer of economic rights. We still see them. It’s less common, but we still see it. And so, as they are the only holders of the economic rights, they are the only ones who can decide on the license. And so, they can possibly provide a closed version or change the license later, without having to ask anyone anything. But then, the other strategy is to say “Oh no, but I’m not asking for a copyright transfer. 
On the other hand, you contribute to my project under a permissive free license that allows me to close the code, and I release it under a license, strongly diffusive, so you don’t have the right to close the code. So, indeed, for us, it’s something unacceptable.
Walid: In short, we deviate a little I was going to say. First of all, a project on which you have a Contributor License Agreement, which is supported by a company. You can tell yourself that the risk of the project closing down is not negligible.
Sebastien: It’s a reality, but afterwards, it depends on how the CLA, the Contributor License Agreement, is run. It is important to know that generally, the CLA, “you contribute to the project, okay, thank you, and you agree that your code will be incorporated into the free project and distributed under the project’s license”. So, we take a project under Apache, you agree that it will be released under the Apache license. And indeed, in the past, there have been a number of legal loopholes that have led projects to have to change licenses. And I had to deal with this kind of thing, and it’s complicated. Change of license… find all the contributors, ask them if they agree to switch from license A to license B, etc. Sort it out, “he has no answer, or she has no answer, in the end, either we rewrite the code and throw it away, or we forget about the functionality”. So it’s complicated, it can take months. SciLab, it took them a year and a half to switch from CeCILL to another GPL license (Editor’s note: see the license history). However, modern agreements provide for this and say, “You agree that we may change the license at a later date if the need arises.” And this is where there is potentially a problem. For example, on Orekit, we say “there is such a clause, you accept”, but we say in our CLA “if we change, it will be for a license that remains in the spirit of the Apache 2 license”. In other words, the day we realize that there is a legal flaw in Apache 2, and that people are exploiting it, we say to ourselves that we may switch to an Apache 3 (Editor’s note: Sébastien meant: “the Apache foundation would hasten to publish a v3 and the Orekit project would certainly adopt it”), but we will not switch to a proprietary license or anything else. So, indeed, we have to be wary, but we have to analyze, always the same, what are the rules of engagement? What do I agree to?
What do we need to do governance in 2025?
Walid: What tools do we need to govern in 2025?
Sebastien: I would say that we must not reinvent the wheel. And we have to start from things that exist and have proven their worth. So, first of all, we need to know which model we want to adopt: BDFL, meritocracy, liberal, democratic. And then, we’re going to see what foundations do. Because the foundations, they have lawyers who have done quite elaborate things. And here, we’re sure it’s solid, on the other hand, it can be scary. If you take the NumFOCUS foundation, it offers you governance models. You don’t have to adopt the governance it offers you. However, it does have requirements and your governance must comply with these requirements. But there are less ambitious projects that are very useful. For example, there is a project that deserves to be known, which is called MVG – Minimal Viable Governance : it is a project that addresses… So they cut it in half. They put themselves in the situation where an organization would like global governance for a set of projects. And so, part of the governance is for the organization. These are the rules that apply across all projects. And part of the governance that is proposed is addressed to the project with the latitude it has. Typically, it’s a very good idea to start with this kind of thing rather than reinventing everything. But today, clearly, we have to go and see what is being done in foundations and above all understand the implications of each model.
Walid: Who works on these governance issues? Are there any instances? Are there think tanks? Who are the people who work on these subjects?
Sebastien: Foundations, the Linux Foundation, for example, Apache, are already happening. So, the GNU Project, I said they worked on the GNU Social Contract. So, it is these foundations that will think about governance and rules that they will impose on all projects that wish to join them. But otherwise, it is each project that will decide at its level the governance it will put in place. And for example, I have already accompanied several projects that have contacted me. Their porters contacted me. They said, “We’re a consortium, we want to release software, and we want to set up governance.” I supported them in the development of this governance after studying what their project was, what their strategy was, what their place was in the ecosystem and what their expectations were, and we forged a governance adapted to the project.
Walid: But here, for example, people contact you, you do that, but in this whole ecosystem, who works on these subjects? Are they consulting firms? Are they lawyers? Who are the experts, in fact, in these fields?
Sebastien: So, I don’t know all the actors, as you can imagine, but I know that there are different actors who propose. I know that the Eclipse Foundation offers this type of support. There are people at home who offer this. I’m sure you’ll see companies like Inno³, who know it very well, they’re able to support you on this kind of project (Editor’s note: see the episode with Benjamin Jean). After that, there are people who, like me, have a small reputation, and so we contact them, and then we sign a contract with the company that employs them. Well, there you go, so there are a number of players.
But also, we can go and see communities, like the Rust community, for example, which has worked a lot on governance, on inclusivity, on a lot of subjects, which is rather at the forefront. Even if there were internal clashes at a certain time that caused some moderators to leave, precisely because the rules of governance were not respected by the hard core. But at least the documents exist. The situation is obviously different depending on whether you are a small project with… We’re between two friends and we’re doing something or we’re a big company, and behind it, there’s a strategic issue. We are a large group. And then, typically, you take large companies like RTE, which is very active in the field of energy-related software. Well, they even decided to lean on the Linux Foundation. They even created the Linux Foundation Energy, LFE, to take advantage of this whole canvas. Because at their level, between equivalent operators between different countries, there were enormous challenges in terms of governance. I believe that there is no single answer to your question.
Walid: I wasn’t expecting a single answer, but it was more to give an overview of the people who are interested in this subject, who are thinking about it, etc. Raphael?
Raphaël: I imagine that when you get closer, you want to enter a foundation, it will depend on the foundation. As you said, there are some who will propose things. There are some who will accompany you, as you said. There are some who will leave you completely free and who will say you respect, this, this, this, that, the rest, it’s your business. There are also communities or meta-communities, as I call them, that exist and that can more or less accompany, or even impose.
Sébastien : You’re absolutely right. For example, you take the NumFOCUS foundation. NumFOCUS, I had mentioned it several times, is a foundation that, at the beginning, aims to promote free computing for scientific use, for scientific purposes. Once we’ve said that, it seems very targeted, but when we look at it, since it’s any software likely to be of interest to the scientific world, it’s relatively broad. Many projects have joined it. This foundation is quite remarkable. Unlike many foundations that will charge you for membership, you join it, it doesn’t make you pay, on the other hand, it has a lot of requirements. And these requirements, they depend on the level of integration you want, the level of support you want. If you just want to be affiliated, you have to have open governance, it has to be inclusive, it has to respect this, that, after, it’s up to you to see the details. And if, on the other hand, the NumFOCUS foundation can finance projects. And here, if we want to join this funding program, the NumFOCUS foundation has additional requirements. And in particular, it wants a place on the steering committee, the PMC (Editor’s note: Project Management Committee), the PSC, whatever you want, to see from the inside what is happening and to make sure that the money it provides is well used. So really, we’re in the context of a foundation that really has a variable geometry policy, depending on what you expect from it.
What is meant by corporate governance?
Walid: Let’s move on to the second part. Now let’s talk about the governance and business part. Here, for once, something else. I am a corporation or I am a public body. In short, I want to contribute, I want to be a good citizen. How do I go about it? What are we talking about governance when we are a company or an organization?
Sebastien: We have the same term, but we arrive at a subject that has nothing to do with the first one.
Walid: It’s funny that we use the same term, by the way.
Sebastien: There you go.
Governance is, in the company, the security and formalization of your relationship with free software. Securing has two meanings: securing the use, how I control, what we use and that I make sure that, for example, in terms of licenses, it’s in line with my industrial policy, that it’s in line with my customers’ industrial policy, my contractual requirements, possibly the law, or things like that. And then, indeed, for the few companies that decide to contribute to free software projects, or even to publish free software, well, how do we do things properly?
Sébastien Dinot
So, we’re going to put in place processes to make sure that, in the end, to facilitate, because by framing, we’re paradoxically facilitating, rather than letting it happen and having people contribute under the table because they’re afraid of getting a slap on the wrist, they don’t really know what they can do, not do. No, we’re going to frame, we’re going to announce this governance, we’re going to say if you want to release, if you want to contribute, go through this committee that manages it, this person. And we will accompany you and you will be able to do it. And we secure the company at the same time, by checking that things are done correctly and that we are able to do so. And we secure the employee because he or she gets the green light from the entity that is responsible for issuing his or her green lights. And so, behind it, we can’t blame him for anything.
Walid: It’s something I wasn’t necessarily aware of, but in discussing with you, you pointed me out an example, precisely, of the fact that the employee, if he goes to the OSPO, in the case of CS, we’ll talk about it later, and you give him the green light, it’s you who are responsible for the fact that we release this code and it’s not an action by the employee, He didn’t make the decision.
Sebastien: Yes, that’s it. In fact, the OSPO, the Open Source Program Office, will carry out the legal analysis, will ensure that at the contractual level, we are in a position, that we have not transferred the rights to our client, and will carry out a certain number of checks. You can even ask if you see that the code has been a little sloppy, that it’s not up to standard, because sometimes it’s not customer projects, sometimes you’re freeing up, it’s going to be a tool that you’ve made internally. Because it met a need, and we thought it would be nice to publish it. We will be able to have requirements on the quality of the code, by saying that there is a minimum union to respect, in terms of documentation, of the information given to users.
And indeed, within the OSPO, there is the legal department, there is the technical department, there is the marketing department, who, in the process, have the opportunity to express themselves. There are these analyses that are done. And so, when the employee receives the green light from the OSPO, he receives the green light through the OSPO from the technical department, the legal department and the marketing department. After that, we can no longer blame him for having done what he did. He followed the rules and got the green light.
Sébastien Dinot
What’s interesting is that someone once said to me, when I talked about it, “When you give someone permission to contribute, how do you secure it? Are you making an amendment to his contract?” Indeed, in many companies where things are not framed differently, if we want to make it safer, we will make an amendment to the contract. But at CS, it’s not worth it. The person has received the green light from the legal and technical departments. The OSPO records, traces the decisions, records all this in a forge. The person is secure, he or she does not need an endorsement.
Raphaël: I had a remark because we said, yes, we use the same word, but in fact, it’s not for the same thing, but it’s true that you said in the first case, a governance, there is a constitution, there are rules, there is a contract that is made, and here, it’s a bit the same. Not that we’re doing exactly the same thing, but you were saying, yes, but the quality of the code, the documentation, and then this, and then that, actually, that, I guess it’s described somewhere. You also have a policy or a constitution somewhere that is the basis of your governance, in fact.
Sebastien: That’s right. Governance, at the beginning, had to be written and elaborated. After that, we had to put in place procedures to support the release and to support the contribution. So, you’re right, it’s all elaborate. So, yes, it’s governance. But what I wanted to say is that you’re right, it’s the same principle, but already then, we don’t publish it. This governance remains an internal process in a company. And then, the objective is really to secure the corporate relationship with Open Source.
Raphaël: Yes, it doesn’t cover the same things and it’s not the same objective.
Sebastien: That’s why I wanted to make a distinction.
When did the notion of free software governance appear in companies?
Walid: When does this notion of corporate governance appear? Because at the beginning, it’s the same, companies, there weren’t these legal tools, there weren’t these organizations.
Sebastien: I don’t have a date to give you, but on the other hand, I guess it appeared very early. In the most mature companies, those that are most concerned about legal risk on the one hand and their intangible assets on the other. On the one hand, when you use components and you learn that there are licenses that are potentially highly diffusive, you may want to ban them. If we ban them like that en bloc, it shows that we don’t understand the subject. But hey, I know companies… in 1999, I had discussed with a very large French manufacturer who had already spotted the GNU GPL and who forbade the use of components under the GNU GPL in his company, for example. It forbade the use of GCC while the GCC comes with an exception, which has taken different forms over time, there has always been an exception that has caused the normal use of GCC not to cause the spread of the GNU GPL license to the compiled executable. But hey, very early on, there are companies that have taken care to secure their software, and then, in terms of contribution, when you contribute, when you release it’s always an internal know-how that you reveal. And there, there are many companies that simply have the reflex to prohibit. And that’s a strategic mistake in my eyes, because contributing and releasing is also a way to make yourself known and acquire a technical reputation.
Walid: We’ll talk about that later.
Raphaël: I had a comment on the maturity of companies. In relation to that, especially the use.
I have found, at least during my career, that it happened early. Among manufacturers, i.e. those who are used to mixing code and hardware, because they have this notion of BOM, well Build of Material, and then, yes, Software, SBOM (Editor’s note: see this article on the Inno³ website). But indeed, you were talking about space stuff and everything, very quickly, people understood that if they sent code into space, it was complicated afterwards if we had problems. Or if we had distributed millions of mobile phones in the wild and we ended up with licensing problems. I, in any case, found that it was in the industrial field that quite early on, people were mature on this subject.
Raphaël Semeteys
Sebastien: There have been major lawsuits, for example, between IBM and other hardware or operating system manufacturers. You could imagine, you take environments where there are very few players in the running, and they are just behemoths. For example, you take aeronautics with Boeing and Airbus. You can imagine that if at some point, one of the two can make a legal mistake with the other, he will not deprive himself. And so, indeed, there, it is certain that things are framed. And the only problem is that often, the framing leads to inhibition in these cases. You have to know how to overcome inhibition and play the right card.
Walid: I had exactly the same remarks that you said by a big French space manufacturer too. The first thing it does is look at all the licenses, analyze all the licenses and everything. It’s really a pretty substantial job, in the end.
Sebastien: Yes, absolutely.
The genesis of the term OSPO and how OSPO works at CS Group
Walid: We have just said that governance is something that happened quite early. But there is a term that came later, and that is the term OSPO. Can you explain a little, if you know, how we come to this term OSPO and where it comes from?
Sebastien: So, the term itself is very old.
Walid : Oh, yes?
Sebastien: It already existed when I created the Free Software Steering Committee, the CPLL, in CS. When I put forward this idea in 2012, well, we created it in 2013, it already existed. But it was used by a few rare American companies. It did not yet have an important significance, it did not yet have the value of a standard. It took on its flagship value at the turn of the 2020s, when it became a concern for a greater number of companies, that as a result, more companies sought to create such a committee, that a name was needed. They clung to what they found. There was the OSPO, in the wake of this, there was on the one hand the OSPO Alliance, supported in particular in Europe by the OW2 and other players. And there was the TODO Group, and these two entities that aim to offer companies the implementation of good practices to, precisely, secure their relationship with Open Source, but secure it in a positive way, secure the use, but afterwards, invite them to contribute and release. Well, these two groups popularized the term OSPO and so much so that in 2022-2023, at CS, we said to ourselves “well, the CPLL, no one knows, every time, I am obliged to explain what it is. Well, we’re going to adopt the term OSPO flag.” And the CPLL became the Open Source Program Office.
Raphaël: Earlier, you mentioned it a little bit when you said, when we give the green light, the “we”, that is to say the people who are represented in the OSPO, that’s it, who are the stakeholders, who is involved in this and why in fact?
Sebastien: From one company to another, it varies greatly.
Unfortunately, there are many companies where OSPO is just one person. And the final “O”, it goes from Office to Officer. And this person has no particular authority, except to examine requests and possibly refer them to complementary actors. And so, when you have the green light from the OSPO, you don’t get a green light, because you still have to get everyone to validate it.
Sébastien Dinot
I was already aware of this in 2012, when we were thinking about CS’s OSPO. So, I wanted to do things differently, because there was that bias. But there were also others. I knew structures that already had governance, but they were so complex, so many buffers were needed, it nipped in the bud any desire to contribute or release. So, I said to myself “I want something efficient, I want something that makes things easier. And that when we get the green light from the OSPO, it’s good, we can go for it.” And so, rather than creating an Officer, I really wanted to create an Office by saying “who has a say in this liberation process?” There are, as I said, the Technical Department, the Legal Department, and the Marketing Department. But there is also the operational chain of command. Because in the end, it is the operational chain of command that decides its strategy in its market. After that, the question is, where do we stop? Too low, we may not address the strategic level, and therefore it is not right. Too high, if you go all the way to the executive committee, you have to contextualize the request so much, to provide so much information, it’s inefficient, and what’s more, frankly, these are things that people don’t care about, it doesn’t concern them when they’re on the executive committee of a big company, the details of strategy. And so, when you think about it, you say to yourself, the right level of decision is division. At home, we are now Business Units. So, division. And we said, OK, the division head, the division director, decides his strategy. However, he may not be aware of certain details. He may not be aware of the contractual context of this project. And so, we decided that we were asking that the technical, legal and marketing department be permanent members of the OSPO. And that we have representatives from each BU to do the relays on a daily basis, in the different BUs. And we also have one or two open source experts to handle requests concretely. 
But then, in the decision-making process, we involve the hierarchical chain of the applicant, the project manager, the director of the activity or department and the director of the division. And when the division director and everyone else said yes, we, on our side, did our job, we did the legal audit, we asked for some adjustments if the expectations were not respected. And so, the OSPO says OK, yes or no. Generally, the answer is yes.
Walid: A request, in your case, is it a ticket? What’s that? How do I apply?
Sebastien: It’s a file that people have to fill out. There is a file for the contribution and a file for the release. This file allows us to enter the information we need. What is the beneficiary project? What is its license? What is the contractual context? It is not necessarily very long, but we need to know that. It avoids asking questions every time. And then, it’s to be sure that the employees who want to contribute or liberate have asked themselves questions. For example, earlier, we were talking about governance. They are asked “have you planned for governance?” The answer does not necessarily have to be “yes, I have planned governance, it will be meritocracy”. The answer can be “no, because it’s a tool for which we don’t have any particular ambition, we just think it would be nice to liberate, it’s to be useful to others. And then, if one day we start to have contributions, at that time, we will think about governance.” But it’s certain that people have asked themselves the question. And so they fill out this file, and we’re already looking at this file. Sometimes there are supplementary questions, because there are things that are not very clear or that challenge us. And then, afterwards, we’re going to ask for access to the source code and we’re going to look a little bit at what the code looks like.
Walid: That’s in case you want to release a project. And in case you want to contribute to an existing project, you don’t have this notion of governance?
Sebastien: Yes, we do. So, first of all, we’re going to check that it’s a free project because we’re only contributing to free software projects, that it’s not asymmetrical contribution. We can have contribution agreements and have the developers involved and the division director sign it. There are these kinds of things that we will deal with in the context of a contribution.
Corporate contribution vs. personal contribution
Raphaël: There may also be cases, very simple, I contribute in my name, in the name of the company, what do I put as an identifier?
Sebastien: So, here, you bring up an interesting subject which is that, indeed, when it is in the context of one’s work, economic rights are, by the Intellectual Property Code, automatically devolved to the employer. So, first of all, the copyright will be the employer and not you. You can appear as an author, you have the recognition of your paternity, that’s all, it doesn’t give you more rights.
And on the other hand, there are cases, because in fact… What does the OSPO deal with? In terms of contributions, it deals with one-off requests, one-off contributions. Here, we have developed a function for a project A and we want to submit it. It will be more interesting for us to submit it than to keep it for ourselves. We have long-term contributions. So, there, the one-time contribution, the code already exists, we know the context perfectly: “OK, we know the code and we’re giving the green light for this”. After that, we have the long-term contribution. We have employees who… for example, we have a collaborator who ported PowerPC processors to Linux. It’s CS that largely maintains the PowerPC processor in Linux. Now, he’s been doing this for years, and every time he pushes code, he hasn’t asked for permission. So, we examine a request for a long-term contribution, an authorization for a long-term contribution, and we say, once we have verified that everything is good, “this developer, within the framework of this project, this project with us, this contractual context, has the right to contribute to this free project”. And if one of the elements changes, we will reassess, but if not, we don’t change. After that, we have liberation. And the fourth thing is the employee’s contributions on his or her personal time.
Generally speaking, when it’s on your personal time and with your own means, it’s none of the company’s business. That’s his problem and it’s his copyright. On the other hand, it can be a matter for the company when the contribution can appear as an unfair act. That it is considered that it implements particular know-how, companies. And there, we explain to the developers, in this case, if you suspect that there may be this problem, come to the OSPO and we deal with it. Either in the end, you get the agreement, and that’s good, everyone is happy, but at least it’s secure. Or you are told no, and in that case, at least, you are not investing for nothing, you are not likely to be sanctioned later, to have a trial or anything. Or, if you ever decide that your project is more important than your job at CS, you can decide to quit and go with your project. OK, that’s your choice. But in any case, we are not going to find ourselves in a conflictual situation a posteriori, where there would be losers on both sides.
Sébastien Dinot
This case has already happened. For example, a colleague who was paid to contribute to QGIS on her professional time, told us, “I would like to contribute on other subjects”. We told her, “No, we’re not interested.” She said, “OK, I’ll do it on my own time.” “Ah, OK, okay, we’ll deal with this at the OSPO level.” And we defined with her, we told her, “OK, so this perimeter is on your professional time and it’s copyright CS. This perimeter is on your personal time with your own means, and it’s copyright you.” We deal with that.
Raphaël: This is important to specify.
Because I’ve already come across, in some contexts, IP managers who told developers: “Even if you code at home in the evening with your own means, there’s no way you’re going to do a reset and forget everything you’ve learned in the company. So, I consider that what you do…”. You see, by doing FUD (Editor’s note: fear, uncertainty, doubt), you see, a little bit like that. And so that’s where you have to support the poor developers who, as a result, don’t know what to do anymore. They say, ooh, there, I’m going to have problems.
Raphaël Semeteys
Sebastien: Exactly, you’re right. But of course there are companies, they play the FUD, they play the threat. But no, the law doesn’t say that. The law is explicit at this level.
Walid: There’s one last thing that we haven’t talked about, but because it’s quite peripheral to that, and I’ll refer people to a very interesting conference that was given by… at the Capitole du Libre, this year, by a colleague of yours on fusion, your colleague Alice…
Sébastien : Oh yes, Alice!
Walid: From home and Emmanuel from CNES on the merger of two communities, which was super interesting on all these legal problems and all that, etc. (Editor’s note: The federation of open source tools: issues, methods and problems).
Sebastien: She had to manage the technical, legal and social aspects, precisely. The human aspects, with governance and all that.
Walid: The mergers of two projects that don’t have the same licenses, that don’t have the same governance and everything. It was quite interesting. We will also put the link in it. It was quite interesting.
The economic benefits for CS Group of contributions to free software
Walid : We’ve already started talking about CS’s contributions. But I know because we’ve talked about it before. And I’d like you to talk about it a little. It’s OK, you’re doing it right. You try to behave well in your contributions. But what is the quid pro quo, in fact? That is to say, what advantage does it give you over others to do this?
Sebastien: I’m going to take the Orekit project, for example. So, here, it’s more than a contribution, it’s a liberation. So, a space mechanics project that we released in 2008, whose governance we opened up in 2011. Today, there is a steering committee with 17 people representing 13 different entities. We have external committers, external release managers. Today, it no longer surprises anyone in CS to see an official release of Orekit, a product from CS, rolled out by someone working for the US Navy or for Airbus Defence and Space. This project, which is really free in its noblest expression, objectively, in 2025, it still costs us much more to develop than what it brings us directly, because we have a few requests for services for specific development, for integration, for studies. This is very far from covering the investment cost. So, if we only looked at the direct return on investment, it would absolutely not be interesting for us to do Orekit. But it turns out that we have the ability to measure the indirect return on investment. And what is this indirect return on investment? Already, we made Orekit because we wanted to be autonomous in this area. We have it, and with a brick that has become…
Walid: Who is “us”? Is it CS?
Sebastien: CS wanted its independence.
Initially, we made Orekit because we thought we wanted to have our own tool in space mechanics. So that you no longer have to depend on third parties. And so, already, not only today, we have this brick, but in addition, it is one of the bricks that is a reference. Airbus Defence and Space, in all its space mechanics centres, is now integrating Orekit. And the trajectory calculations are done by Orekit. And it is far from being the only manufacturer. There are many other industrial agencies, research laboratories that do this. Through this recognition, we have obtained notoriety. And this notoriety has contributed to the conquest of new markets.
Sébastien Dinot
I was talking about Airbus Defence and Space. For example, we were absent from Airbus Defence and Space. They discovered Orekit. They were like, “wow, that’s great.” They saw what we were doing in the free software sector, by the way. They saw our skills, our ability to do auditing, code and everything. And they thought we were an interesting partner. And so, they took us as first-tier contractors. And we have today, it is an important customer for us. And we have a great relationship with him. Similarly, the European Space Agency (ESA) has taken us on as a first-tier contractor. And since it ejected two other historical contractors in the process, it was summoned to justify itself.
Walid: Can you explain what this means for people who don’t know, first-level contractor?
Sebastien: In fact, we are authorized to respond directly to ESA’s calls for tenders and not to go through a third party to represent us. The ESA, therefore, chose us. She had to explain herself. Because of the four subcontractors she has selected, she has given us the second grade. And so, she said, quite simply, and this is in a public conference, there is one that can be found, she said, we took CS, roughly speaking, they said, we took CS because they did Orekit. Clearly, Orekit is great. So, they know the mechanics of space. We were able to see the code, super well designed, super well coded, so, at the computer level, they master. In addition, it’s a free, permissive license. That’s exactly what we appreciate. So it’s completely compatible with our industrial policy. It suits us very well. And they put Orekit forward to explain why they took us and why they gave us such a good rating. And since then, ESA has given us a lot of contracts. We have been subcontractors for them for years. And most of these contracts have absolutely no connection to Orekit. It’s in other areas. So, there may be studies on Orekit, there may be Orekit integrations, but that’s anecdotal compared to a whole bunch of other contracts we have with them, EUMETSAT, the same. I can take a lot of them. And so, people with whom Orekit has played, and our Open Source policy, because it’s not just Orekit, there’s all our maturity, all our know-how, all our skills, have played the role from foot to door. We get in thanks to that, we’re recognized because of it, and then we are taken on as subcontractors and we carry out a whole bunch of services for these customers. 
And in a few years, the space division of CS, which is the most driving force on this Open Source governance, the one that publishes more things in free, that contributes more to third-party projects, well, its staff, so not only thanks to Open Source, it would be pretentious, but because there are also obviously very qualified staff, very sharp. But in the end, its workforce, in a few years, grew from 200 to 800 people.
We have gone from a French stature to a European stature. NASA knows us, it has already invited us to conferences, the US Navy is making an important contribution to the Orekit project. We have contributions from the US Navy, which have made Airbus Defence and Space and CS swoon (Editor’s note: Sébastien is referring to the work on multi-threading). We were happy. Again, recently, we have a major research laboratory in the United States that has contributed. And so, we have an international aura thanks to that. And it brings us markets. And if we think about the marketing campaigns that would have had to be done to have this level of reputation and hope to be recruited by these major accounts as subcontractors, the budgets would be incomparable. It would be much more important.
Walid: In fact, the most important thing about it is the long time, in the end. That is to say, you don’t have a marketing campaign, but you have time ahead of you. Which means that, as you do things well over time, but it also means that you shouldn’t look for a short-term spinoff.
Sebastien: Exactly. Let’s say that this is a strength of ESNs compared to publishers.
A publisher, he sells his product. And so, its strategy, whether it’s free or proprietary, is necessarily focused on this product. And when he chooses free software, he has to find an economic model that is viable for that product. An IT services company can play this card. So, CS a particular ESN is rare in the end on ESNs that publish their own tools. But we have people who are very competent in the business areas, and so we develop tools for our own needs. That’s why we made tools like Orekit. And so, we have the ability to offer services in other areas. So, the fact that Orekit is the foot in the door, or the lever, the step of access to new customers, and that afterwards we are ordered to perform on something else, is not a problem for us. As long as we end up finding our way around and gaining in fame, as long as we win in the market, everyone is satisfied.
Raphaël: I would complete what you say, Walid, over the long term. In fact, it’s trust. That is to say, trust takes time to build. But once it’s there, it’s something you can really count on. Because people, over time, they have gained confidence in that. And I think that contributing and doing open governance on this kind of thing, by being a player like an ESN and providing solutions of this type, gives confidence.
Sebastien: So, to complete, to go along with you, Raphaël, one thing I can say, because similarly, Airbus Defence and Space gave a conference on the subject (Editor’s note: see slides 10 to 14). They gave a talk one day where they explained what they were doing with Orekit and all the good things they thought about it. And they said that day that between the time they discovered Orekit and the moment they decided to display their choice, to say, we’re using Orekit and we’re going to get involved in the community, there were four years. They put it under observation for four years. They ran it, they looked at what it looked like on the calculations, etc. And they did benchmarks with other tools, because for them, it’s the building block of space mechanics. And so, for four years, they evaluated the product. And after four years, they said to themselves, but not only is the product good, not only is it efficient, but the community is also working great. There’s a level of support because obviously, they ran into problems, so, more or less anonymously, they had asked questions and stuff like that. And they said that there is a level of support that we don’t have, even with paid services from other publishers. And as a result, they came out with what I call them. We use Orekit and we will get involved in the community.
Walid: Four years, on the scale of a young publisher who makes his product, four years, he can be dead, you know.
Sebastien: That’s right.
Walid: When you choose a product from a startup, which has raised a lot of money to try to be the best and to show and market and say that it is better, it turns out, in three years, its product is no longer there. That’s why I was really talking about the long term.
Sebastien: I’ll tell you that I think that if we had thought at one time or another that we would be reaping the fruits of our efforts four or five years later, people would have said, “No, but I’m not going to invest for five years for a hypothetical return in five years.” But our first objective was to be autonomous. We created Orekit because we wanted to be autonomous in our market, to be able to conquer other markets. The initial driving force was commercial, strategic.
Raphaël: After all, the time in aeronautics and aerospace is not the same as in startups.
Walid: That’s clear.
Raphaël: Even at Elon Musk’s, because…
Walid: When you’re asked to provide 30-year or 20-year support on your software, it’s not the same thing anymore.
Sebastien: That being said, I think that things are changing with what is called New Space. We have startups that have visibility in 6 months, 1 year, 2 years.
Walid: We have pretty much swept through the different subjects. We could certainly have gone into much more detail on certain subjects, but this is not bad. I don’t know if Raphaël, you still have other questions about this or not?
Best practices around software dependency controls in projects at CS Group
Raphaël: I have a question, but hey… I don’t know, because maybe I’m going to open a box there, a few minutes from the end. It’s about good practices in terms of use. So, here, we’re not even sure of contribution or release, but just developers or architects who select components, libraries, who pull dependencies in projects that are internal projects for products or for customers. So, there, I imagine that in your constitution, policy, I don’t know what to call it, there are rules on that too, but is that enough, or did you also need to put in place tools to control what happens in terms of spending, in particular?
Sebastien: The control is being implemented gradually. We use tools in the context of… So either I do audits because I’m asked to do an audit, before a release or before a delivery, often a little late, I’m asked to do an audit, and so I eventually explain what’s wrong with the project, what needs to be broken and redone, or I say “it’s okay, you can release, it’s perfect.” After that, there are tools that help to carry out these audits, which are generally proprietary, but which cost an arm and a leg, to put it clearly, so they are rarely implemented. And then, there are more basic tools that will just be able to generate what is called an SBOM, so a Software Bill of Materials. So, basically, it’s “here’s the software and the list of components I found inside.” The only problem is that these tools are based on systems of packaging, dependency, inclusion, etc. So, they’re going to find the components that are used as such. On the other hand, they won’t be able to identify the 500 lines copied and pasted into your project that come from such a GPL-licensed project. And that’s a potential problem. So, indeed, when we are asked, we carry out audits, as part of the security of the supply chain, we are also in the process of putting in place tools that aim at legal security, but also at securing against security breaches, life management, life cycle and obsolescence. It’s the fight against software obsolescence. Make sure you have components that are not too old. And then, in terms of rules, we are not perfect. We don’t have absolute rules. On the other hand, I am regularly asked for advice on a brick. For example, we don’t have monolithic rules like “it’s the GNU GPL, you don’t use it, it’s no”. It is: what do you do with this component? In what context? And I’ll tell you if you can use it or not. And then, in the selections, we have rules, good practices. Well, I always say: don’t just look at the code. Check if there is the bug tracker. 
Are there any bugs that are reported? Are they corrected quickly? Do you detect a lively community of contributors and users? Or is there only one person? There you go. It’s the kind…
Walid: Sorry, no, it’s just to say, you can’t see, you can’t see Raphael’s face with his big smile because that’s his favorite subject, that’s why. Sorry.
Sebastien: That’s it, okay, very good. But here’s the thing, actually, I’m asking people, well, I’m going to check a whole bunch of parameters for them. So, there’s the Open Hub platform, I don’t know if you’re familiar with it. It’s a crowdsourced platform. And if the software you use is not present, you can declare it and you come back the next day. Generally, it has done the analysis. And it’s going to tell you, that’s it, this project, on average, there are 5 contributors per month, 30 commits. It has been around for 5 years, it has a growing vitality. And so, you say: it’s a good horse. And on the other hand, when you see that your project is dead, there hasn’t been a single contribution for 5 years, you say: alert. OK, it looks great, great, but there’s no one working on it for 5 years. No, stop.
OSPOs and training
Raphaël: OK, well, then, that’s my last question. After that, I stop, I promise. So, yes, what I understand, that is to say at the project level, they still have their strategy, even technical, they choose their component, etc. And then, when they have certain questions or there is an audit, they will go and look in detail. The question I have is whether it is a prerogative or something that an OSPO can do, in general, in your country or perhaps in other contexts, to do popularization, training, to explain, in fact, things, because it is a…
Sebastien: Ah, I completely forgot to talk about all that. You’re right, it’s not “we can”, it’s “we must”. CS has a copyright and free software awareness program in place. And so, for the record, to be totally transparent, we set up this program, essentially at the beginning, at the level of the Space BU, the Space division, because it is the one that contributes the most, that releases the most things, etc. And so, we explained to people what copyright is, and then, how licenses work, what support you can have internally, it’s half a day of training, and we trained a lot of people. And we saw a whole bunch of bad practices and mistakes disappear that I regularly found in projects. And there have been times when trained people, I remember once, a developer came to see me, and “hey Sébastien, hey, I think we did something stupid in the project, can you come and see?” Oh yes, and indeed, someone who hadn’t taken the training had made a mistake, I had to recover the blow behind. Well, there you go, and I managed to get it back, so much the better, there you go, I had to treat. So he showed a real interest, actually. It was really a success. And then, between the increase in the number of staff from 200 to 800, the renewal of the staff, at CS as everywhere else, there is turnover, and a change in priorities, we put this programme on hold for a while. And then, quite quickly, after a year, two years, I saw problems reappear that had completely disappeared. So much so that today, there are department heads who ask me to put it back in place. I recently spoke with a department manager who told me “I want us to put this in place for all my teams.” Because he knew the time when there was this program, he had seen it. Today, when he sees the mistakes that are made and that are made up for by the OSPO, by the analyses, he says “I don’t want that to happen again”.
Walid: What type of error is it? Can you give an example so that we can imagine?
Sebastien: This is typically the inclusion of a GPLed component that you want to release under the Apache license, for example. It’s going to be copyrights that aren’t appropriate, information that isn’t provided, things that shouldn’t be done, that should be controlled, that aren’t controlled.
Raphaël: What I also tell myself is what I see at my level, is that there is popularization to be done with developers, those who will do, use, etc. but also at the level of their manager.
Sebastien: That’s right. And I don’t have the same discourse, obviously, when I talk to developers or managers. Just like there are times, in fact, the awareness program, I’ve already been asked to give it in other companies to create an internal culture. And there, there are companies where it will be technical staff that I have in front of me. And I also happened to have the management, the entire management of the company. From a company that wanted to understand what free software is and how it could integrate it into its strategy. And here, I’m not talking about Git again. That’s clear.
Final Words
Walid: We’ll stop there because we’ve already talked a lot and it was super interesting. Before we stop, I would like to suggest that you make a final word. But before I say a final word, I would like Raphael to make a final word, himself. Do you remember anything from all this exchange, first Raphaël?
Raphaël: Yes, I’m very happy with this exchange. It’s very interesting to have a clear and well-organized feedback, well structured, as Sébastien can do, and with more than several decades of experience on how to set up all this and how it has evolved. So I think that’s fundamental. And that’s why my last question was oriented. But I think he stays, and that’s why a podcast like yours, Walid, it’s fundamental for that, I think too.
We must continue to popularize and explain, in fact. I see it with the new guys, the young people who are coming in, etc. Sometimes, we start from a long way. For them, GitHub, open source, I take the code, I don’t ask myself any questions, absolutely none. And it’s a shame because it’s rich, in fact. There are really things to learn. And we’ve seen it, we’ve talked about the human aspects, social contracts and everything. There are really things to learn, even on a personal level.
And it’s a shame to… So, for that alone, I’m happy; that’s my word. Excuse me.
Walid: Sébastien, your last word?
Sebastien: My word is that software is not just a technical object, it is a dual object, it is therefore technical and legal. When you use it, when you handle it, it has technical consequences, but also legal consequences. And beyond that, it’s an object that is made by humans. And so, there are social considerations, human factors to be taken into account that should not be neglected because they are essential.
The success of your software is not measured by the quality of its code, even if the quality of this code determines whether or not you will adopt it, it contributes to its adoption. In the end, the success of your software is measured by its community of users and contributors. And so, if you’re going to go on that kind of adventure, you have to make sure that you have a community that works well, that develops well. It requires thinking about governance.
Walid: My last word is that, being myself trying, as of today, that is to say March 19th, to try to create a small team to work around the podcast, there are these questions of rules, tools, collaboration, all that, etc., a little bit of governance, even if it’s not in a reduced model, but it’s a bit the same. So, it’s pretty interesting to do that now. And I’m super happy because we’ve been discussing these subjects together for quite some time, Sébastien, when we meet at the different shows, and I told you that it was really worth doing an episode.
We’re done, we’ve been recording for 1h30. Thank you to the listeners who have held on until now. We hope you have learned some things. Feel free to give feedback through our usual social networks, especially Mastodon, which is a decentralized network and is quite appropriate in these times. And then, see you next for other episodes. As you may have seen, the pace of publication has slowed down a bit, since we have gone back to a one-month rate these days. Listen Sébastien, we look forward to seeing you again next time. Raphaël, see you soon. Be well, both of you.
Sebastien: Thank you both. It was very interesting to talk to you. Thank you for the invitation.
Raphaël: Thank you.
Walid: See you again.
Episode production
- Remote recording on March 19, 2025
- Outline: Raphaël Semeteys & Walid Nouh
- Transcription: Walid Nouh, Sébastien Dinot (proofreading and corrections)
- To go further: Sébastien Dinot & Walid Nouh
To go further
Sébastien’s interventions or writings:
- Managing your free software project, beyond the code (Capitole du libre 2024) (French)
- Feedback on the implementation of an OSPO (French)
- Major changes in the governance of open source projects (Libre à vous) (French)
- Evolutions of the governance of open source projects (French)
- Free software Projects: Each Resource Has Its Own License (French)
Recommended and reviewed by Sebastien to learn more:
- Open Source Guides
- Organization, governance of Open Source projects (Inno3) (French)
- Do-ocracy
- Orekit on Openhub: For your information, the COCOMO method is known to significantly overestimate (a factor of 3 is often announced) the cost of developing a project using a modern language. This is the case with Orekit. OpenHub announces 192 years of effort. CS estimates its effort on Orekit at 44 years, to which we must add a few years, maybe 10, for all the other contributors.
Significant example of a contribution on Orekit:
https://orekit.org/doc/orekit-day/2019/3-quartz-fds-presentation-for-orekit-day-airbus-ds.pdf Cf. slides 10 to 14, especially slide 13. 🙂
For the record, on slide 14, Airbus Defence and Space (ADS) points out some potential improvements to Orekit: “Not designed for multi-threading with heterogeneous data contexts”
The US Navy’s Naval Research Laboratory (NRL) having made the same observation, an NRL researcher (Evan Ward) corrected this famous “data context” problem a few months later. See this exchange on the forum: https://forum.orekit.org/t/data-context-proposal/589
In short:
* September 18: Evan Ward (NRL) announces his intention and asks if his design is suitable for everyone.
* Great welcome from CS, ADS (“Yannick” was then the head of the ADS space mechanics department) and others. But Yannick explains that he has a use case that is not satisfied by Evan’s proposal. Evan reviews his copy, he and Yannick talk, Evan opens an issue to mark the field, then more news.
* November 15: 2 months have passed. Evan announces that he has made good progress and explains a difficulty he is facing. New exchange between the NRL, ADS and, a little CS (Luc).
* December 3: Evan announces that he is done and has just pushed a MR (Editor’s note: merge request). Everyone is enthusiastic.
Evan did a terrific job on this one and he solved a design problem that was annoying everyone. ADS and CS have done nothing except to express their grievances and encourage him, but they are the first beneficiaries of this great progress. The other residual issue (multithreading) will be fixed in Orekit 12.
Recommended by Projets Libres! :
- Business foundations for open source: what are the specificities and challenges? – OSXP 2024 (French)
- [Transport] – Creating a railway business software and federating players in Europe – OSRD and the OpenRail association – SNCF Réseau (French)
- The Eclipse Foundation – software sustainability and European sovereignty – Gaël Blondelle
This article has been automatically translated from the original language into English.
License
This podcast is released under the CC BY-SA 4.0 license or later

