Why companies that rely on open-source projects must insist on a strong, enforceable code of conduct

Once derided and under constant legal attacks, open-source software is now a force in the tech industry with Docker, Hortonworks and Cloudera all being recent examples of how companies can thrive around an engaged community whose contributors help ensure that the core technology is up to date and contains the latest features.

But there’s another side to open-source technology that goes beyond the benefits of free labor and innovation from the many software engineers who choose to spend their free time contributing to a project. Unlike a typical business in which an employee’s bad behavior can lead to disciplinary actions, open-source community members often don’t have the same recourse; it’s not like there’s an open-source human resources department they can turn to.

Consider the case of Seth Vargo, an engineer from the company Chef, which provides commercial support for the open-source Chef configuration management tool. Vargo left the company and the Chef community after he said he received death threats from community members due to their displeasure with some of his contributions.

This dilemma highlights the tricky issues that companies depending on open-source technologies for their commercial success face in trying to adequately police communities over which they have no real control.

While companies may be reluctant to dictate the behaviors of the open-source community for fear that doing so will stifle innovation or cause members to question the motives of their corporate overseers, if a situation gets out of hand, it’s wise for companies to take some sort of action so that their open-source talent doesn’t leave and tensions don’t escalate.

One way to combat bad behaviors and create some semblance of order is to create a strong code of conduct, which is a set of guidelines that dictates what the community believes to be acceptable behavior. First developed and popularized by the Ada Initiative — a non-profit organization that aims to support women in open technology — in response to several incidents of sexual harassment and assault at open-source conferences, these guidelines can help community members agree upon and recognize inappropriate behavior and even take action should something outrageous occur.

Open-source projects have historically consisted of self-regulating collections of people whose work on technology doesn’t necessarily take place under the auspice of a particular entity, explained Heather J. Meeker, a partner at the law firm O’Melveny & Myers who specializes in open-source licensing.

The creation of organizations like the Linux Foundation and Mozilla Foundation, which both oversee their respective open-source technologies, changed the notion that these kinds of projects could only be successful when left to their own devices. Now, companies are getting into the action and taking on similar roles to those foundations in order to tap into the talent of open-source communities.

These communities are typically removed from businesses as far as anything legal is concerned, and companies like it that way, said Meeker. That legal separation frees companies from the typical administrative issues they would have to deal with if they were maintaining separate smaller businesses under their corporate umbrellas; these issues include intellectual property concerns, what they have to report in terms of accounting and other potential liabilities.

Because they don’t have a legal obligation to the communities, however, companies “can only exercise authority through moral suasion,” said Meeker, which makes for an interesting dilemma when some community members decide to cause a little trouble.

“The open-source community can tend to be very pointed and vocal about their opinions, and when you combine that with the ability to make comments anonymously, it may bring out the voice of strong opinions that might not take place in a situation where everyone has to identify themselves,” said Meeker.

The Chef engineer who received death threats

In the case of Seth Vargo, who has since taken an engineering job at the data-center-management tool company HashiCorp, his departure caused Chef to take a hard look at its community. Vargo has not elaborated on his harassment beyond what he provided on his website, and he declined to comment when I contacted him for this story.

While Chef had community guidelines akin to a code of conduct that outlined acceptable behaviors the company expects from its community, the incident involving Vargo led to the company revisiting and updating those guidelines to help mitigate future episodes, said Chef’s community director Nathen Harvey, who helped develop the revised document.

The original Chef code of conduct contained behavioral recommendations, like how to be respectful to one another, and to choose your words carefully so you don’t come across as being a jerk.

The newer draft, however, contains more punitive measures in addition to a list of unacceptable behaviors and includes a new community regulatory team consisting of advocates, an ombudsperson and a decision maker; their duties are to look out for trouble on email lists, IRC, GitHub and other places that members frequent.

If the advocates or ombudsperson (Harvey currently holds this position) discover negative behavior, the crew will do its best to determine the circumstances of the incident and find out which person or people were responsible for instigating the situation. If the issue warrants it, it will be up to Chef CTO and co-founder Adam Jacob to determine the next steps, which include a possible removal from the online spaces that the Chef community frequents.

If a community member feels his or her safety is compromised, the guidelines say to contact law enforcement.

“We didn’t [just say] ‘here is our community guidelines,’” said Harvey. “We worked together with the community to come up with the guidelines.”

The importance of community moderation and intervention

Even though a company has no legal authority over an open-source community, having a committee in charge of looking over how the members communicate with each other is crucial to creating civility within an opinionated culture, explained Valerie Aurora, the co-founder of the Ada Initiative.

“Many corporations have taken a hands-off approach so far,” said Aurora in reference to how some companies believe that by policing a community too much, “they will stop producing value for free.”

According to Rackspace software developer Alex Gaynor — a director of the Python Software Foundation, former director of the Django Software Foundation and open-source contributor to OpenStack — the Django open-source project benefited a whole lot by adopting a code of conduct in which moderators could take action if a situation warranted it.

“’Hey, that language is not OK here,’” said Gaynor, describing what moderators need to say to contributors who display trollish behavior. “You deal by warnings and if they don’t seem to be taking an interest, you escalate that to a temporary ban or even something permanent.”

Aurora recommends companies involved with open-source committees have a paid staff member whose job is to look out for nefarious activities, because she believes that it will be difficult for someone to want to take on that task for free.

In Chef’s case, Harvey maintains that its moderators are doing it for the love of the game, so to speak.

“The fact of the matter is at Chef, there is no one whose job is to go monitor IRC,” said Harvey. “No one is paid to answer questions on StackOverflow. People at Chef do it because they care about the community and care about the project.”

Can a code of conduct actually help?

It remains to be seen how Chef’s revamped code of conduct will prevent further situations like Seth Vargo’s, but for organizations like the Django project and the Ada Initiative, having a code of conduct with some level of enforcement policies has prevented outbursts in their respective situations.

“I think there is a moral responsibility to ensure that these communities aren’t toxic groups,” said Russell Keith-Magee, president of the Django Software Foundation and a core developer on the project.

After the Ada Initiative developed its code of conduct, Aurora said she saw an uptick in women attending open-source conferences, and that those women feel less threatened than they used to at the events. There’s also been a drop in offensive behavior at these conferences, such as people slipping pornography into presentation slides.

If there’s one thing for certain about governing open-source communities, it’s that it’s not an easy task. Even Linux guru Linus Torvalds (who himself has been the subject of controversy for making aggressive comments) recently admitted that he made mistakes within his own Linux community.

“The problems tend to be around alienating users or developers and I’m pretty good at that,” Torvalds said at LinuxCon Europe 2014. “I use strong language. But again there’s not a single instance I’d like to fix. There’s a metric s******* of those.”

Given the strong personalities in the open-source community and a lack of any legal recourse, companies involved with open-source projects may get more than they bargain for when harassment and even death threats occur. But perhaps in these situations, having a code of conduct and some level of enforcement could help mitigate the problems before they happen.

“[The Chef community] is not an entity, it is a bunch of people,” said Harvey. “The code of conduct is probably the strongest thing that binds us together and the software itself.”

So the lesson here seems to be that nothing in life is free — not even labor. If you’re a company that’s attached to an open-source community, it’s nice that you’ve separated yourself from any legal responsibilities, but that doesn’t mean you are totally off the hook if something unfortunate happens. When bad apples in the community are left unchecked, they could drive away the community members who are actively contributing and the negative publicity surrounding the project could lead to software engineers not wanting to participate. Say goodbye to your free innovation.

“A responsible corporate entity can’t divest itself of all responsibility,” said Keith-Magee. “The market should be holding companies responsible for their decisions.”

Post and thumbnail images courtesy of Shutterstock user Boumen Japet.