If you’re starting or running an Open Source Program Office (OSPO), you don’t have to invent everything from scratch. OSPO resources from foundations and communities give you guides, playbooks, and a shared vocabulary. This list curates guides, tools, communities, and maturity models that help you build policy, compliance, and strategy in one place.

I’ve grouped entries by type so you can jump to what you need. Review the How to Use This List section if you’re not sure where to start.

Scope: Included resources are public, maintained, and directly useful for OSPO work (strategy, compliance, community, or tooling). I omit vendor-only or paywalled content.

How to Use This List

Just starting an OSPO? Begin with Guides and Frameworks: the Linux Foundation guide, TODO Group resources, and GitHub’s github-ospo. Then skim Maturity Models and Playbooks to see how the function can evolve.

Need compliance or security structure? Use OpenChain and OpenSSF in Guides, plus your own tooling. CHAOSS helps if you care about contribution and community metrics.

Looking for peers and events? Go to Communities and Events. OSPOCon and the OSPO Alliance offer regular touchpoints.

Choosing tools? Tools and Dashboards lists hubs and references; many OSPOs also use composition analysis and vulnerability scanners (not listed here) for day-to-day work.

Guides and Frameworks

Guides and frameworks that define what an OSPO is and how to run one.

TODO Group

TODO Group is a community of practitioners who publish OSPO guides and best practices. Their Guides and Resources cover creating an open source program, setting strategy, measuring success, employee engagement, community building, and participating in open source. Guides are openly licensed and widely cited. Start here if you want a shared definition of OSPO and practical how-to content.

Linux Foundation: Starting an Open Source Program Office

The Linux Foundation hosts a short guide, Starting an Open Source Program Office, developed with the TODO Group. It explains why organizations create an OSPO, what they do, and first steps. Good for leadership or stakeholders who need a quick, authoritative overview.

OSPO Book (TODO Group)

The OSPO Book is a longer, book-style resource from the TODO Group. It goes deeper on strategy, structure, compliance, and community. Use it when you want more detail than the individual guides and are willing to read in depth.

OpenChain

OpenChain is a standard for open source compliance programs. Many OSPOs use it to structure license compliance, supplier expectations, and process. The project provides the specification, conformance, and reference material. If your OSPO owns or supports compliance, OpenChain is a core reference.

OpenSSF

The Open Source Security Foundation (OpenSSF) focuses on open source security: supply chain, vulnerabilities, and best practices. OSPOs often work with OpenSSF initiatives (e.g., SBOM, signing, scorecards) and use their guides to align with security teams. Use OpenSSF when security and dependency visibility are in scope for your OSPO.

CHAOSS

CHAOSS (Community Health Analytics Open Source Software) provides metrics and metrics models for community health, contribution, and diversity. OSPOs use CHAOSS when they need to measure or report on open source participation and community health. The project offers definitions, dashboards, and tools.

GitHub: github-ospo

github-ospo is a GitHub-maintained repo that helps open source program offices get started. It offers guidance and resources for teams building or running an OSPO. Useful if your organization already uses GitHub and you want a single, practical entry point.

Tools and Dashboards

Hubs and references for tooling that OSPOs use. This section points to catalogs and communities rather than listing every product.

TODO Group: Tools for Managing Open Source Programs

The TODO Group guide Tools for Managing Open Source Programs surveys categories of tools (e.g., composition analysis, license scanning, contribution workflow) and how they fit into OSPO work. Use it to map your needs to tool types before evaluating specific vendors.

OSPO Alliance Resources

The OSPO Alliance Resources page collects tools, methods, best practices, and stories from members. It’s useful for seeing what other organizations use and how they describe their tooling. Geographically skewed toward European initiatives but relevant for any OSPO.

GitHub OSPO repositories

GitHub maintains a set of OSPO-related repositories (ospo-reusable-workflows for centralized Actions, issue-metrics, stale-repos, contributors, evergreen, and others) for org and program management. Use them to automate dependency updates, gather issue/PR metrics, find stale or empty repos, and standardize contribution workflows. Good if you run OSPO or open source programs on GitHub and want ready-made actions and tooling.

Communities and Events

Places to meet other OSPO practitioners and stay current.

OSPOCon

OSPOCon is the Linux Foundation’s event track focused on Open Source Program Offices. It runs as part of broader Linux Foundation events (e.g., Open Source Summit). Sessions cover strategy, compliance, case studies, and tooling. Good for in-person or virtual networking and learning from other orgs.

OSPO Alliance

The OSPO Alliance is a community initiative (Eclipse Foundation and partners) focused on open source good governance and OSPO adoption. It offers resources, OSPO OnRamp webinars, and a place to share practices. Valuable if you want a community that emphasizes governance and European perspectives.

TODO Group Community

The TODO Group itself is a community of practitioners from companies and organizations. Participation happens through membership, contributions to guides, and events. If you want to influence or reuse shared OSPO content, TODO is the primary home for that.

Maturity Models and Playbooks

Frameworks that describe how an OSPO can evolve from basic to advanced.

TODO Group OSPO Maturity Model and Studies

The TODO Group publishes studies and maturity-oriented content that describe stages of OSPO development (e.g., ad hoc, defined, strategic). Use these to assess where your organization is and to plan next steps. The exact maturity model document may live under “Resources” or “Studies” on their site.

OSPO Alliance Good Governance Initiative

The OSPO Alliance Good Governance Initiative (GGI) is a framework to assess and improve open source governance in organizations. It complements maturity thinking with a governance lens and is available in multiple languages. Useful when you need to align OSPO growth with governance and risk.

Benefits of Using OSPO Resources

Using these OSPO resources gives you:

  • Shared language: Terms like OSPO, compliance program, and contribution workflow mean the same thing across organizations.
  • Faster setup: Guides and playbooks reduce the time to first policy and first process.
  • Alignment with standards: OpenChain and OpenSSF help you align with common compliance and security expectations.
  • Peer learning: Communities and events let you learn from others’ mistakes and successes.
  • Evidence for leadership: Maturity models and case studies help you explain the value and roadmap of an OSPO.

Getting Started

If you’re new to the idea of an OSPO, read What is an OSPO? for a clear definition and mental model. Then:

  1. Read the Linux Foundation guide Starting an Open Source Program Office for a short overview.
  2. Skim the TODO Group guides and pick two or three that match your immediate need (e.g., strategy, compliance, community).
  3. If compliance is in scope, review OpenChain.
  4. Join one community (TODO Group or OSPO Alliance) or attend an OSPOCon session to hear how others run their OSPO.

Use Cases

Common ways people use this list:

  • Starting an OSPO: Use guides and the “Starting an Open Source Program Office” overview, then maturity or playbook content to plan phases.
  • Improving compliance: Combine OpenChain with your existing tooling and the TODO compliance-related guides.
  • Measuring and reporting: Use CHAOSS for contribution and community metrics; use maturity models to report progress to leadership.
  • Finding peers: Rely on OSPO Alliance and TODO Group for webinars, events, and shared resources.
  • Tool selection: Use the TODO tools guide and OSPO Alliance resources to map requirements to tool categories before RFPs or pilots.

Considerations

  • Resources change: URLs and document names shift. If a link breaks, search the organization’s site or use their main resource index.
  • No one-size-fits-all: Your OSPO’s scope (compliance-only vs. strategy and community) should drive which resources you use first.
  • Combine with internal context: These resources give structure; you still need to adapt them to your company’s legal, security, and cultural context.
  • Tool coverage: The list emphasizes guides, communities, and frameworks and includes selected vendor tooling (e.g., GitHub OSPO repositories and reusable workflows). For composition analysis, vulnerability scanning, or other contribution platforms, use the tools guide and your own evaluation.

References and Resources