On September 30, TODO Group Ambassador and member Alin Jerpelea was one of the organizers of the 7th Swedish OSPO Network Workshop, focusing on Open Source Intake. A total of 35 participants from across the industry and the public sector came together to dive into the practical aspects of open source intake—from compliance and sustainability to tooling. This post captures some of the key takeaways from Alin:
Tools and Data
- No single tool does it all—legal, security, community, quality… each area has its own needs. Using multiple data sources can offer broader coverage, but it also brings more complexity. Comparing tools and understanding what works best for your specific context is key. In some cases, a single reliable source may be the most efficient choice.
- Open source tools can absolutely stand up to commercial ones—especially when you know what you’re looking for. It’s also important to remember that the best tool today might not be the best tomorrow. Flexibility and adaptability matter.
- Above all, ensure that you own your data. Vendor lock-in can make switching tools costly and painful down the line.
Compliance and Legal
- License detection remains a tricky business. Something labeled as “BSD” by a tool can actually refer to several different licenses.
- Automation helps, but manual checks are still essential, especially when accuracy matters.
- Dealing with false positives in license detection is a widespread challenge across scanning tools, though some perform better than others.
- Bridging the gap between legal and engineering teams makes a major difference here—this is where OSPOs can and should play a central role as brokers and facilitators.
- Defining which licenses are acceptable or not can streamline intake decisions, but many cases will still need nuanced, context-specific review.
Health and Sustainability
- Open source projects need regular check-ups—just like people. Evaluating activity levels, contributor diversity, and responsiveness helps identify potential risks early.
- A healthy project is about more than code—it’s about community, governance, and long-term viability.
- Sustainability isn’t a one-off effort; it’s about building habits and processes that keep projects healthy over time.
- A simple health-check framework can help organizations make better decisions when adopting open source components, and CHAOSS metrics and tools are a great starting point.
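A minimal version of such a health check, written as an added example for this post (it is not a CHAOSS tool or anything shown at the workshop), runs the three signals mentioned above, activity level, contributor diversity and responsiveness, over constructed commit and issue records; the thresholds and the bus-factor rule are assumptions for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta
from statistics import median

# Constructed sample data, not from any real project: (author, commit date).
COMMITS = [("alice", datetime(2025, 9, 1)), ("alice", datetime(2025, 9, 8)),
           ("alice", datetime(2025, 9, 15)), ("alice", datetime(2025, 9, 22)),
           ("bob", datetime(2025, 9, 10)), ("carol", datetime(2025, 7, 30))]
# Constructed issues: (opened, first maintainer response, or None if unanswered).
ISSUES = [(datetime(2025, 9, 2), datetime(2025, 9, 3)),
          (datetime(2025, 9, 12), datetime(2025, 9, 20)),
          (datetime(2025, 9, 25), None)]
NOW = datetime(2025, 10, 1)  # constructed evaluation date

def recent_commits(commits, now, days=90):
    # Activity level: commits inside the trailing window.
    cutoff = now - timedelta(days=days)
    return [c for c in commits if c[1] >= cutoff]

def bus_factor(commits):
    # Contributor diversity: fewest authors who together made more than half the commits.
    counts = sorted(Counter(author for author, _ in commits).values(), reverse=True)
    covered = 0
    for n, c in enumerate(counts, start=1):
        covered += c
        if covered * 2 > len(commits):
            return n
    return 0  # no commits at all

def median_response_days(issues, now):
    # Responsiveness: median days to first response; unanswered issues count up to `now`.
    ages = [((response or now) - opened).days for opened, response in issues]
    return median(ages) if ages else None

def health_check(commits, issues, now, window_days=90):
    # Thresholds below are assumed for illustration, not CHAOSS-defined values.
    recent = recent_commits(commits, now, window_days)
    metrics = {"recent_commits": len(recent), "bus_factor": bus_factor(recent),
               "median_response_days": median_response_days(issues, now)}
    risks = []
    if metrics["recent_commits"] < 10:
        risks.append("low activity")
    if metrics["bus_factor"] <= 1:
        risks.append("single maintainer dependency")
    if metrics["median_response_days"] is not None and metrics["median_response_days"] > 7:
        risks.append("slow response")
    metrics["risks"] = risks
    return metrics

if __name__ == "__main__":
    print(health_check(COMMITS, ISSUES, NOW))
```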
A Growing Community
What began as a small gathering of practitioners has evolved into a vibrant community of professionals who share a common goal: to strengthen open source capabilities and collaboration across Sweden. Within this network, TODO Group members play an active role, helping promote TODO resources and best practices that can guide organizations at different stages of their OSPO journey. Through these collaborations, the Swedish community connects local experiences with the global OSPO ecosystem, fostering shared learning and mutual growth.
A special thanks to Sony for hosting this workshop. We’re already looking forward to the next session, where discussions will turn to current and emerging policies—including the Cyber Resilience Act (CRA).