You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The goals of this maturity model are to describe how Apache projects operate in a concise and high-level way, and to provide a basic framework that projects may choose to use to evaluate themselves.
The following table is filled according to the Apache Maturity Model. Mentors and community members are welcome to comment and modify it.
CODE
ID
Description
Status
CD10
The project produces Open Source software for distribution to the public, at no charge.
YES The project source code is licensed under the Apache License 2.0.
CD20
Anyone can easily discover and access the project's code..
YES The offical website includes direct links to the Github repositories with the project's codebase.
CD30
Anyone using standard, widely-available tools, can build the code in a reproducible way.
YES Apache SDAP provides a build guide (github | readthedocs) to enable users to build the necessary Docker images to run SDAP locally or in a Kubernetes cluster.
CD40
The full history of the project's code is available via a source code control system, in a way that allows anyone to recreate any released version.
YES We use git, enabling a full commit history and viewing differences between specific commits.
CD50
The source code control system establishes the provenance of each line of code in a reliable way, based on strong authentication of the committer. When third parties contribute code, commit messages provide reliable information about the code provenance.
YES The project uses Apache Infra managed GitHub, it ensures provenance of each line of code to a committer. Contributions are accepted in accordance with the Contributing Guide.
LICENSE
ID
Description
Status
LC10
The Apache License, version 2.0, covers the released code.
YES The LICENSE files are present in the GitHub repository. 123
LC20
Libraries that are mandatory dependencies of the project's code do not create more restrictions than the Apache License does.
IN PROGRESS Found an issue where top-level dependency installed LGPL package. Discussing how to organize SDAP functionality to move this to be an optional dependency.
LC30
The libraries mentioned in LC20 are available as Open Source software.
YES All installed dependencies are listed in files named requirements.txt, conda-requirements.txt, pyproject.toml, or poetry.lock and are open sourced on github.
LC40
Committers are bound by an Individual Contributor Agreement (the "Apache iCLA") that defines which code they may commit and how they need to identify code that is not their own.
YES All committers have iCLAs on file.
LC50
The project clearly defines and documents the copyright ownership of everything that the project produces.
YES? All source files are with APLv2 header, checked manually by rkk. There are some misc config files, etc that do not have headers, but, as they're not source files, they've been excluded from the checks
Releases
ID
Description
Status
RE10
Releases consist of source code, distributed using standard and open archive formats that are expected to stay readable in the long term.
The project's PPMC (Project Management Committee, see CS10) approves each software release in order to make the release an act of the Foundation.
YES All releases have been voted at dev@sdap.a.o and general@incubator.a.o, and have required at least 3 binding +1 PPMC votes to pass.
RE30
Releases are signed and/or distributed along with digests that anyone can reliably use to validate the downloaded archives.
YES All releases are signed, and the KEYS are available.
RE40
The project can distribute convenience binaries alongside source code, but they are not Apache Releases, they are provided with no guarantee.
YES Users can easily build binaries from source code using the provided guide. Binary images are not provided as official Apache realease, though some are available through Apache dockerhub.
RE50
The project documents a repeatable release process so that someone new to the project can independently generate the complete set of artifacts required for a release.
YES We can follow the Release guide to make new Apache SDAP releases, and so far we had 3 different release managers. The guide is not (yet) publically available, but is provided to a future RM upon the start of the release cycle.
Quality
ID
Description
Status
QU10
The project is open and honest about the quality of its code. Various levels of quality and maturity for various modules are natural and acceptable as long as they are clearly communicated.
YES We maintain an ASF Jira instance to enable users and community to report issues. PPMC and committers are notified via email when tickets are created.
QU20
The project puts a very high priority on producing secure software.
YES Though infrequent, security issues are addressed with the highest priority.
QU30
The project provides a well-documented, secure and private channel to report security issues, along with a documented way of responding to them.
YES Website has a link direct to the ASF security team.
QU40
The project puts a high priority on backwards compatibility and aims to document any incompatible changes and provide tools and documentation to help users transition to new features.
Not fully Evaluated Some tools are provided to transition old deployments to newer versions. Some versions are incompatible with data/backend storage schema of older deployments.
QU50
The project strives to respond to documented bug reports in a timely manner.
YES? The project has received 500+ issues, recent high-priority issues are closed with fast turnaround. There are unfortunately a number of older tickets that have not been properly closed. 300+ merged PRs.
Community
ID
Description
Status
CO10
The project has a well-known homepage that points to all the information required to operate according to this maturity model.
YES The website includes or links to all information user need to run Apache SDAP.
CO20
The community welcomes contributions from anyone who acts in good faith and in a respectful manner, and who adds value to the project.
YES Apache SDAP website points prospective viewers to our github repositories and mailing lists, inviting any interested to join.
CO30
Contributions include source code, documentation, constructive bug reports, constructive discussions, marketing and generally anything that adds value to the project.
YES All good contributions including code and non-code are welcomed.
CO40
The community strives to be meritocratic and gives more rights and responsibilities to contributors who, over time, add value to the project.
YES The community has elected 5 new PPMC members in 2022 and 2023.
CO50
The project documents how contributors can earn more rights such as commit access or decision power, and applies these principles consistently.
NOT YET The community is discussing this now.
CO60
The community operates based on consensus of its members (see CS10) who have decision power. Dictators, benevolent or not, are not welcome in Apache projects.
YES - For major changes Major project decisions (releases, large PRs, PPMC additions) are made by community VOTE on dev@. Some smaller PRs are reviewed and approved by the PPMC through Github.
CO70
The project strives to answer user questions in a timely manner.
YES We have resources such as ASF Slack, our mailing lists, Jira, etc that users can use to ask questions of the community. Links to all of these are provided on our website.
Consensus
ID
Description
Status
CS10
The project maintains a public list of its contributors who have decision power. The project's PPMC (Project Management Committee) consists of those contributors.
YES The website has a list of team and community members: PPMC, mentors and additional collaborators (SDAP users who frequently provide helpful input), with names, emails and github links.
CS20
Decisions require a consensus among PPMC members and are documented on the project's main communications channel. The PPMC takes community opinions into account, but the PPMC has the final word.
YES All decisions are made by votes on dev@sdap.apache.org, and with at least 3 +1 votes from PPMC.
CS30
The project uses documented voting rules to build consensus when discussion is not sufficient.
YES The project uses the standard ASF voting rules.
CS40
In Apache projects, vetoes are only valid for code commits. The person exercising the veto must justify it with a technical explanation, as per the Apache voting rules defined in CS30.
YES Apache SDAP community has not used the veto power yet except for code commits.
CS50
All "important" discussions happen asynchronously in written form on the project's main communications channel. Offline, face-to-face or private discussions that affect the project are also documented on that channel.
YES All important discussions and conclusions are recorded in written form. The SDAP community hosts a monthly public meeting to discuss project issues and progress. Invites and reminders are posted to dev@ prior to the meetings, agendas are available through the ASF Confluence wiki, and minutes are posted to dev@.
Independence
ID
Description
Status
IN10
The project is independent from any corporate or organizational influence.
IN PROGRESS The PPMC is working to add members from additional organizations, but currently, due to originating as a NASA/JPL project, a large number of active PPMC members are affiliated with NASA/JPL
IN20
Contributors act as themselves, not as representatives of a corporation or organization.
YES The contributors act on their own initiative without representing a corporation or organization.