Maturity Assessment for Apache DevLake™
The goals of this maturity model are to describe how Apache projects operate in a concise and high-level way, and to provide a basic framework that projects may choose to use to evaluate themselves.
More details can be found here.
Status of this assessment
This assessment is being evaluated during DevLake's graduation from Apache Incubator to a top-level Apache project.
Maturity model assessment
The following table is filled according to the Apache Maturity Model. Mentors and community members are welcome to comment and modify it.
CODE
| ID | Description | Status |
|---|---|---|
| CD10 | The project produces Open Source software for distribution to the public, at no charge. | YES The project source code is licensed under the Apache License 2.0. |
| CD20 | Anyone can easily discover and access the project's code. | YES The official website includes GitHub link which can access the project's repository on GitHub directly. |
| CD30 | Anyone using standard, widely-available tools, can build the code in a reproducible way. | YES Apache DevLake provides comprehensive development setup documentation with detailed build instructions. |
| CD40 | The full history of the project's code is available via a source code control system, in a way that allows anyone to recreate any released version. | YES The project uses Git and is hosted on GitHub, allowing anyone to view the full history and recreate any released version via commit logs and tags. |
| CD50 | The source code control system establishes the provenance of each line of code in a reliable way, based on strong authentication of the committer. When third parties contribute code, commit messages provide reliable information about the code provenance. | YES The project uses GitHub managed by Apache Infra, ensuring provenance of each line of code. Third-party contributions are accepted through pull requests with proper attribution and review processes. |
LICENSE
| ID | Description | Status |
|---|---|---|
| LC10 | The Apache License, version 2.0, covers the released code. | YES The LICENSE file is present in the repository and all source files include the Apache License 2.0 header. |
| LC20 | Libraries that are mandatory dependencies of the project's code do not create more restrictions than the Apache License does. | YES All dependencies have been reviewed and are compatible with Apache License 2.0 requirements. |
| LC30 | The libraries mentioned in LC20 are available as Open Source software. | YES All mandatory dependencies are available as Open Source software with compatible licenses. |
| LC40 | Committers are bound by an Individual Contributor Agreement (the "Apache iCLA") that defines which code they may commit and how they need to identify code that is not their own. | YES All committers have signed Apache iCLAs as required by Apache Software Foundation policies. |
| LC50 | The project clearly defines and documents the copyright ownership of everything that the project produces. | YES All source files include proper Apache License 2.0 headers with copyright notices. |
Releases
| ID | Description | Status |
|---|---|---|
| RE10 | Releases consist of source code, distributed using standard and open archive formats that are expected to stay readable in the long term. | YES Source releases are distributed via dist.apache.org in standard tar.gz format. |
| RE20 | The project's PPMC (Project Management Committee, see CS10) approves each software release in order to make the release an act of the Foundation. | YES All releases have been voted on by the PPMC on dev@devlake.apache.org and general@incubator.apache.org with at least 3 PPMC member votes. |
| RE30 | Releases are signed and/or distributed along with digests that anyone can reliably use to validate the downloaded archives. | YES All releases are cryptographically signed and include SHA-512 checksums. The KEYS file is available. |
| RE40 | The project can distribute convenience binaries alongside source code, but they are not Apache Releases, they are provided with no guarantee. | YES Docker images and other convenience binaries are provided but clearly marked as convenience distributions, not official Apache releases. |
| RE50 | The project documents a repeatable release process so that someone new to the project can independently generate the complete set of artifacts required for a release. | TODO Need to check with community members where the release process documentation is located. |
Quality
| ID | Description | Status |
|---|---|---|
| QU10 | The project is open and honest about the quality of its code. Various levels of quality and maturity for various modules are natural and acceptable as long as they are clearly communicated. | YES The project encourages users to report issues and maintains transparent communication about known limitations. |
| QU20 | The project puts a very high priority on producing secure software. | YES Security issues are addressed promptly with a dedicated security response process. |
| QU30 | The project provides a well-documented, secure and private channel to report security issues, along with a documented way of responding to them. | TODO Need to create security reporting documentation and establish security@devlake.apache.org or similar reporting channel. |
| QU40 | The project puts a high priority on backwards compatibility and aims to document any incompatible changes and provide tools and documentation to help users transition to new features. | YES The project follows semantic versioning and provides migration guides for breaking changes, with clear documentation of API changes between versions. |
| QU50 | The project strives to respond to documented bug reports in a timely manner. | YES The project maintains active issue tracking and has resolved 3400+ issues and 4900+ pull requests with prompt response. |
Community
| ID | Description | Status |
|---|---|---|
| CO10 | The project has a well-known homepage that points to all the information required to operate according to this maturity model. | YES The official website provides comprehensive information including documentation, community guidelines, and development resources. |
| CO20 | The community welcomes contributions from anyone who acts in good faith and in a respectful manner, and who adds value to the project. | YES The project provides detailed contributing guidelines and maintains a welcoming environment for all contributors. |
| CO30 | Contributions include source code, documentation, constructive bug reports, constructive discussions, marketing and generally anything that adds value to the project. | YES The community welcomes all forms of contributions including code, documentation, testing, bug reports, and community engagement. |
| CO40 | The community strives to be meritocratic and gives more rights and responsibilities to contributors who, over time, add value to the project. | YES The community has elected 14 PPMC members and 12 committers based on their contributions and merit. |
| CO50 | The project documents how contributors can earn more rights such as commit access or decision power, and applies these principles consistently. | YES The project has clear documentation on the contributor growth program and promotion processes. |
| CO60 | The community operates based on consensus of its members (see CS10) who have decision power. Dictators, benevolent or not, are not welcome in Apache projects. | YES All major decisions are made through community consensus and voting processes on the mailing list. |
| CO70 | The project strives to answer user questions in a timely manner. | YES The project uses dev@devlake.apache.org, GitHub issues, and community channels to provide timely support to users. |
Consensus
| ID | Description | Status |
|---|---|---|
| CS10 | The project maintains a public list of its contributors who have decision power. The project's PPMC (Project Management Committee) consists of those contributors. | YES The project maintains a public list of PPMC members and committers on the website. TODO: Verify this page is up to date. |
| CS20 | Decisions require a consensus among PPMC members and are documented on the project's main communications channel. The PPMC takes community opinions into account, but the PPMC has the final word. | YES All decisions are made through votes on dev@devlake.apache.org with proper documentation and at least 3 +1 votes from PPMC members. |
| CS30 | The project uses documented voting rules to build consensus when discussion is not sufficient. | YES The project follows standard Apache Software Foundation voting rules and procedures. |
| CS40 | In Apache projects, vetoes are only valid for code commits. The person exercising the veto must justify it with a technical explanation, as per the Apache voting rules defined in CS30. | YES The project follows Apache voting rules where vetoes are only valid for code commits and must be technically justified. |
| CS50 | All "important" discussions happen asynchronously in written form on the project's main communications channel. Offline, face-to-face or private discussions that affect the project are also documented on that channel. | YES All important discussions and decisions are documented on the mailing list in written form. |
Independence
| ID | Description | Status |
|---|---|---|
| IN10 | The project is independent from any corporate or organizational influence. | YES The PPMC members and committers represent multiple organizations and companies, ensuring no single corporate influence dominates the project. |
| IN20 | Contributors act as themselves, not as representatives of a corporation or organization. | YES Contributors participate in the project as individuals, not as corporate representatives, following Apache Software Foundation principles. |