Slide 1

Slide 1 text

.NET, Open Source & You?!
Dominick Baier
@leastprivilege
https://speakerdeck.com/leastprivilege

Slide 2

Slide 2 text

Me
• Independent Consultant
  – Specializing in Application Security Architectures
  – Working with Software Development Teams (ISVs and in-house)
• Co-Creator of IdentityServer OSS Project
  – Certified OpenID Connect & OAuth 2.0 Implementation for .NET
  – https://identityserver.io
• Co-Creator of PolicyServer
  – Modern Authorization Solution
  – https://policyserver.io

email dominick.baier@leastprivilege.com
blog http://leastprivilege.com
twitter @leastprivilege
slides https://speakerdeck.com/leastprivilege

Slide 3

Slide 3 text

My Open Source History

Slide 4

Slide 4 text

My Open Source History
• 2009 - 2013 "Open Source Samples"
  – StarterSTS
  – IdentityModel
  – IdentityServer 1 & 2
• 2013 - now "Real Open Source"
  – IdentityServer3
    • 51 contributors / 1,268,903 nuget downloads
  – IdentityServer4
    • 137 contributors / 1,807,751 nuget downloads
  – IdentityModel
    • 14 contributors / 7,265,299 nuget downloads
• 2016 IdentityServer joins the .NET Foundation
• 2017 joined as .NET Foundation Advisory Board Member
• 2018 IdentityServer ships with ASP.NET Core 2.2

https://github-contributions.now.sh/

Slide 5

Slide 5 text

Agenda
• A little history of open source (in the Microsoft world)
• Consuming open source
• Producing open source

Slide 6

Slide 6 text

Richard Stallman
Image: By Thesupermat - Own work, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=37264906

https://www.gnu.org/software/hurd/history.html
https://en.wikipedia.org/wiki/GNU_Project
https://en.wikipedia.org/wiki/Richard_Stallman

Slide 7

Slide 7 text

https://www.theregister.co.uk/2001/06/02/ballmer_linux_is_a_cancer/

Slide 8

Slide 8 text


Slide 9

Slide 9 text


Slide 10

Slide 10 text

https://www.slideshare.net/openstack_kr/microsoft-loves-linux

Slide 11

Slide 11 text

https://www.zdnet.com/article/why-microsoft-is-turning-into-an-open-source-company/

Slide 12

Slide 12 text

Consuming Open Source

Slide 13

Slide 13 text

Create an Open Source Company Culture
• Decide on suitable licenses
  – permissive vs non-permissive vs viral
• Employees should be allowed to contribute (back)
  – during business hours
• Consider "sponsoring" the projects you depend on
  – money or time

"In layman's terms, this means that our employees are free to create any sort of open source outside of business hours (as long as it doesn't compete with our business), are free to contribute to open source we depend on at any time, and they own the copyright to that work (or whatever the terms are of the project they contribute to). The only real stipulation is that the project's licence must allow us to use it in our commercial software."
http://dhickey.ie/2014/11/our-open-source-policy-at-evision/

Slide 14

Slide 14 text

Producing Open Source

Slide 15

Slide 15 text

Why?
• You want to help out other people
  – open issues when you find bugs or unexpected behavior
  – create pull requests to fix bugs
  – contribute to documentation
• Start your own project
  – for fun
  – for improving your skills
  – develop your own brand
  – company sponsored OSS

James Newton-King: "Open Source from the Trenches"
https://www.youtube.com/watch?v=uEq-rivegew

Slide 16

Slide 16 text

IDEs
• Visual Studio Community Edition
  – https://www.visualstudio.com/vs/community/
• JetBrains Rider
  – https://www.jetbrains.com/buy/opensource/
• Misc
  – VS Code, Sublime, Vim…

Slide 17

Slide 17 text

Source Control
• Learn git!
  – get posh-git and/or zsh
• Git for Windows
  – https://git-scm.com/download/win
• SourceTree
  – https://www.sourcetreeapp.com/
• GitHub Desktop
  – https://desktop.github.com/
• Alternatives
  – https://git-scm.com/download/gui/windows

Slide 18

Slide 18 text

My Favourite
https://github.com/jesseduffield/lazygit

Slide 19

Slide 19 text

Source Hosting
• GitHub
• Bitbucket
• GitLab

Slide 20

Slide 20 text

GitHub
• Organization vs single repo
• Select a LICENSE

https://choosealicense.com/

Slide 21

Slide 21 text

What should be in a Repo?
• Code
• Tests
• Self-contained way to build that code
  – e.g. build.cmd
  – don't require Visual Studio
• README
  – super important
• Code of Conduct
  – https://www.contributor-covenant.org/

Slide 22

Slide 22 text

Milestones

Slide 23

Slide 23 text

Labels

Slide 24

Slide 24 text

Projects

Slide 25

Slide 25 text

Dealing with issues
• Issue/bug tracker vs support forum
• Require useful information
  – good error messages
  – logging output
• Use StackOverflow (get a tag)
• Don't
  – Email
  – Twitter
  – …

Slide 26

Slide 26 text

ISSUE_TEMPLATE.MD

Slide 27

Slide 27 text

Brand new: Multiple Templates

Slide 28

Slide 28 text

Gitter
• Free chat room for your users

Slide 29

Slide 29 text

Tests
• The more tests, the better you sleep
  – especially when "strangers" start adding code
• High code coverage is nice, but not the most important thing
  – I prefer integration tests over 100% unit test coverage
• Demand a test for every PR

Slide 30

Slide 30 text

Dealing with Pull Requests
• Do you want to accept PRs at all?
• If you do
  – the code will become YOUR code, and you have to maintain it for a long time
  – require test coverage of the changes/additions
  – require same coding style as rest of project (e.g. using editorconfig.json)
• Add a CONTRIBUTING.MD
• Consider a Contribution License Agreement (CLAs)

Slide 31

Slide 31 text

CONTRIBUTING.MD
• File describing how people can get involved

Slide 32

Slide 32 text


Slide 33

Slide 33 text

PULL_REQUEST_TEMPLATE.MD

Slide 34

Slide 34 text

Build Automation
• Job of build is
  – restore packages
  – build code
  – run tests
  – publish artifacts
• Should run automatically
  – check-ins
  – pull requests
• Many options
  – Rake, Fake, PSake, MSBuild
  – commercial products

Slide 35

Slide 35 text

Build Servers
• AppVeyor
  – https://www.appveyor.com/
• Travis CI
  – https://travis-ci.org/

Slide 36

Slide 36 text

Azure DevOps

Slide 37

Slide 37 text

Versioning
• GitVersion

Slide 38

Slide 38 text

Publishing

Slide 39

Slide 39 text

Release Notes
• https://github.com/GitTools/GitReleaseManager

Slide 40

Slide 40 text

Documentation
• GitHub Pages / Wiki
  – https://guides.github.com/features/pages/
• Read The Docs
  – https://readthedocs.org/
• Microsoft DocFX
  – https://dotnet.github.io/docfx/

Slide 41

Slide 41 text

GhostDoc
• https://submain.com/products/ghostdoc.aspx

Slide 42

Slide 42 text

Sharing Secrets
• Accounts
• Nuget keys
• Signing certificates
• …
• 1Password
  – https://github.com/1Password/1password-teams-open-source

Slide 43

Slide 43 text

Promote your Project
• Twitter
• Blog posts
• Conference/Usergroup/Meetup talks
• Submit to Microsoft
  – ASP.NET Community Standup
  – On .NET
• StackOverflow
  – help other people that have problems (with your library)
  – link back to github/docs/nuget

Slide 44

Slide 44 text

.NET Foundation
• IP, legal and "business continuity" support
• Useful services
  – CLA management
  – HTTPS certificates
  – Code/nuget signing
  – Forums
  – Hosting/software
  – Sponsoring
  – CI/CD

https://dotnetfoundation.org/

Slide 45

Slide 45 text

Sustainability
• Provide commercial services
  – consulting
  – training
  – developer / production support
  – commercial add-ons
• Sponsorship
  – https://opencollective.com/
  – https://www.patreon.com/

https://hueniverse.com/a-new-social-contract-for-open-source

Slide 46

Slide 46 text

Attract new Contributors
• Create small and easy to implement issues
  – label them
  – register label at http://up-for-grabs.net

Slide 47

Slide 47 text

Closing thoughts
• The "new" .NET ecosystem is definitely better than the "old" one
  – easier access to development teams
  – more "development in the open"
• Microsoft has not turned into a charity
  – be prepared that they can compete with your OSS project any time they want
• "Every open source project needs a business plan"
  – Microsoft's is selling Azure
  – what's yours?

Slide 48

Slide 48 text

thank you!