Draft of the 'Secure InnerSource' pattern (aka 'Balancing Openness and Security') #384

Merged
merged 52 commits into from
Jan 22, 2022

spier (Member) commented Jan 13, 2022

Initial commit of 'Secure InnerSource' pattern.

Implements #369.

Checklist (for things to do before merging):

  • pick a good name
  • shorten the Patlet
  • add pattern to overview
  • add contributors using Co-authored-by:

After merging:

  • Reach out to Royal Bank of Canada (RBC). Point them to the pattern and ask them if they would like to extend the pattern with their experience and add themselves to the Known Instances.

GitHub users to add to PR:

bart golsteijn <3263880+bartgolsteijn@users.noreply.github.com>
arlou <arlou.yang@gmail.com>

@spier spier linked an issue Jan 13, 2022 that may be closed by this pull request

@spier spier left a comment

Added some more info about the areas in the pattern that still need to be worked out.

@@ -0,0 +1,144 @@
# Title

Secure InnerSource
Member Author

Naming things is hard, which is also true for patterns :)

Especially when using the term InnerSource in pattern titles we want to be careful, as otherwise all InnerSource patterns end up with that term in the title.

Some alternative proposals:

  • Security and InnerSource
  • Satisfying Security Concerns
  • Addressing Security Concerns
  • Security Concerns and Mitigation
  • Working with Security
  • Security and Transparency
  • Security and Discoverability
  • Secure Discoverability
  • Discoverability in a Secure Way

Titles are often named either after the problem they address, or the solution they propose.

Anybody got an idea for a great title? Please comment.

Contributor

Balancing Openness and Security

Member Author

Secure Code Sharing

Member Author

Repository Sharing Levels

Member Author

I am opting for the title "Balancing Openness and Security" for now.
Will also add some of the alternative proposals here to the "Alias" section of the pattern.

When we level up the pattern to higher states of maturity, e.g. by getting more orgs to confirm how they are using this pattern, we can reconsider what the best name for this is.

And yes, naming is hard :)


# Known Instances

TBD
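
Review bot: the `# Known Instances` section contains only the placeholder `TBD`. Before this merges, either list at least one organization with a sentence or two on how it applies the pattern, or replace the placeholder with an explicit statement that no instances are documented yet, so readers do not mistake an unfinished section for an oversight.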

Would this be where you put companies that follow this pattern? If so, my previous employer, Verizon, follows this to a T.

Member Author

@conrogers yes exactly. Theoretically you can just add the company name here.

However, it becomes more meaningful if we can add a couple of sentences about how the pattern is used at the given org. For example as done here.

Do you still have somebody at Verizon that you would like to pull in here, who can speak to how the pattern is used?

Contributor

Please add Philips. For now without implementation details, these can be added later when certain mechanisms have been implemented and validated.

Member Author

@bartgolsteijn I added Philips.

Member Author

@conrogers we made some good progress on the review. Therefore we are likely to merge this pattern as an Initial pattern shortly. For patterns in that maturity we don't need Known Instances yet.

If we should merge this PR before you get back to this thread, would you mind opening a new issue, mentioning the opportunity to possibly add Verizon as a Known Instance?

Oh yes, please go ahead and add Verizon. I was there only a few months ago and know the developer and manager over the innersource effort. I'll ask if Kendra would like to add details but truthfully I can add all the detes myself haha.

Member Author

Awesome. Added!

Co-authored-by: Bart Golsteijn <bart.golsteijn@philips.com>
@spier spier changed the title Draft of the 'Secure InnerSource' pattern Draft of the 'Secure InnerSource' pattern (aka 'Balancing Openness and Security') Jan 22, 2022
@spier spier merged commit 9a8a8c7 into main Jan 22, 2022
@spier spier deleted the pattern/secure-innersource branch January 22, 2022 10:42
spier (Member Author) commented Jan 22, 2022

Thank you @bartgolsteijn @arlou and @conrogers for your help with this pattern.

I did some final cleanup and the pattern is now available here:
https://github.com/InnerSourceCommons/InnerSourcePatterns/blob/main/patterns/1-initial/balancing-openness-and-security.md

Last things I changed included:

  • Renaming the pattern to "Balancing Openness and Security"
  • Adding a Sketch/Visual (mostly to remind us to find a better one in the future)
  • Adding notes for leveling up the pattern in the future

@spier spier added 1-initial Donuts, Early pattern ideas, ... (Please see our contribution handbook for details) 📖 Type - Content Work Working on contents is the main focus of this issue / PR labels Feb 6, 2022