THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
This is an assessment of the Apache Daffodil podling’s maturity, meant to help inform the decision (of the mentors, community, Incubator PMC and ASF Board of Directors) to graduate it as a top-level Apache project.
It is based on the ASF project maturity model at https://community.apache.org/apache-way/apache-project-maturity-model.html
| ID | Description | Meets | Comments |
|---|---|---|---|
| Code | |||
| CD10 | The project produces Open Source software, for distribution to the public at no charge. [1] | Yes | The project source code is licensed under the Apache License, version 2.0. |
| CD20 | The project's code is easily discoverable and publicly accessible. | Yes | Linked from the website, available via gitbox.apache.org and GitHub. |
| CD30 | The code can be built in a reproducible way using widely available standard tools. | Yes | The build uses sbt. Build and test instructions are in the README.md file. |
| CD40 | The full history of the project's code is available via a source code control system, in a way that allows any released version to be recreated. | Yes | Using Git, main repository at https://github.com/apache/daffodil, releases are cut from that repository. All releases are tagged. |
| CD50 | The provenance of each line of code is established via the source code control system, in a reliable way based on strong authentication of the committer. When third-party contributions are committed, commit messages provide reliable information about the code provenance. [2] | Yes | The project uses a git repository, managed by Apache Infra, ensuring provenance of each line of code to a committer. Third party contributions are accepted in accordance with the For Contributors page. |
| Licenses and Copyright | |||
| LC10 | The code is released under the Apache License, version 2.0. | Yes | Source distributions clearly state license. |
| LC20 | Libraries that are mandatory dependencies of the project's code do not create more restrictions than the Apache License does. [3] [4] | Yes | The list of mandatory dependencies have been reviewed to contain approved licenses only. |
| LC30 | The libraries mentioned in LC20 are available as Open Source software. | Yes | All mandatory dependencies are available as open source software. See below. |
| LC40 | Committers are bound by an Individual Contributor Agreement (the "Apache iCLA") that defines which code they are allowed to commit and how they need to identify code that is not their own. | Yes | The project uses a repository managed by Apache Infra -- write access requires an Apache account, which requires an ICLA on file. |
| LC50 | The copyright ownership of everything that the project produces is clearly defined and documented. [5] | Yes | All files in the source repository have appropriate headers. Software Grant Agreements for the initial donations and Corporate CLAs have been filed. |
| Releases | |||
| RE10 | Releases consist of source code, distributed using standard and open archive formats that are expected to stay readable in the long term. [6] | Yes | Source releases are distributed via dist.apache.org and linked from the website (in Release section). |
| RE20 | Releases are approved by the project's PMC (see CS10), in order to make them an act of the Foundation. | Yes | All incubating releases have been approved by the Daffodil community and the Incubator, all with at least 3 (P)PMC votes. |
| RE30 | Releases are signed and/or distributed along with digests that can be reliably used to validate the downloaded archives. | Yes | All releases are signed, and the KEYS file is provided on dist.apache.org. |
| RE40 | Convenience binaries can be distributed alongside source code but they are not Apache Releases -- they are just a convenience provided with no guarantee. | Yes | Convenience binaries are distributed via Maven Central Repository and via dist.apache.org. |
| RE50 | The release process is documented and repeatable to the extent that someone new to the project is able to independently generate the complete set of artifacts required for a release. | Yes | The Release Workflow is available describing the entire process. The Daffodil releases have been performed by at least three different release managers. |
| Quality | |||
| QU10 | The project is open and honest about the quality of its code. Various levels of quality and maturity for various modules are natural and acceptable as long as they are clearly communicated. | Yes | The project records all bugs in the Apache’s JIRA issue tracker. The project uses continuous integration: The test coverage analysis report is available here: https://codecov.io/gh/apache/daffodil The code analyzer analysis report is available here: These workflows are setup/defined here: |
| QU20 | The project puts a very high priority on producing secure software. [7] | Yes | Security issues are treated with the highest priority. Further, some of the contributors are using the software in Cybersecurity applications. |
| QU30 | The project provides a well-documented, secure and private channel to report security issues, along with a documented way of responding to them. [8] | Yes | There's a security statement on wiki for contributors, and a security link on the website, which provides a link to the ASF security information. |
| QU40 | The project puts a high priority on backwards compatibility and aims to document any incompatible changes and provide tools and documentation to help users transition to new features. | Yes | Each release note, such as for the 3.0.0 release, contains discussion of new features, fixes, and has a section on Compatibility/Deprecation. The project aims to make no backward incompatible changes within a given major version. |
| QU50 | The project strives to respond to documented bug reports in a timely manner. | Yes | User bugs are given very high priority, and the backlog of JIRA issues is given high priority as evidenced by this open/closed report. Response times on the dev list, user list and jira are good. |
| Community | |||
| CO10 | The project has a well-known homepage that points to all the information required to operate according to this maturity model. | Yes | The project website has a description of the project with technical details, how to contribute, team. |
| CO20 | The community welcomes contributions from anyone who acts in good faith and in a respectful manner and adds value to the project. | Yes | It is highlighted on our website community page. |
| CO30 | Contributions include not only source code, but also documentation, constructive bug reports, constructive discussions, marketing and generally anything that adds value to the project. | Yes | These alternate contributions (tests too) are highlighted on our website community page. |
| CO40 | The community strives to be meritocratic and over time aims to give more rights and responsibilities to contributors who add value to the project. | Yes | The community has elected 4 new committers during incubation, based on meritocracy. |
| CO50 | The way in which contributors can be granted more rights such as commit access or decision power is clearly documented and is the same for all contributors. | Yes | There is a prominent link to The Apache Way from our For Contributors page. |
| CO60 | The community operates based on consensus of its members (see CS10) who have decision power. Dictators, benevolent or not, are not welcome in Apache projects. | Yes | The project works to build consensus. All votes have been unanimous so far. |
| CO70 | The project strives to answer user questions in a timely manner. | Yes | The project typically provides detailed answers to user questions within reasonable time via dev@ mailing list and user@ mailing list. |
| Consensus Building | |||
| CS10 | The project maintains a public list of its contributors who have decision power -- the project's PMC (Project Management Committee) consists of those contributors. | Yes | The PMC and committers list. |
| CS20 | Decisions are made by consensus among PMC members [9] and are documented on the project's main communications channel. Community opinions are taken into account but the PMC has the final word if needed. | Yes | The project has been making important decisions on the project mailing lists. Vast majority of, if not all, decisions have had a consensus without any PPMC action needed. |
| CS30 | Documented voting rules are used to build consensus when discussion is not sufficient. [10] | Yes | The project uses the standard ASF voting rules. Voting rules are clearly stated before the voting starts for each individual vote. |
| CS40 | In Apache projects, vetoes are only valid for code commits and are justified by a technical explanation, as per the Apache voting rules defined in CS30. | Yes | The few vetos we've seen were due to finding glitches in our releases. These have all been cordially resolved and the releases respun and successfully released. With respect to code changes, we rely on pull request code reviews, and consensus discussions there. |
| CS50 | All "important" discussions happen asynchronously in written form on the project's main communications channel. Offline, face-to-face or private discussions [11] that affect the project are also documented on that channel. | Yes | The project has been making important decisions on the project mailing lists. Minor decisions may occasionally happen during code reviews, which are also public, asynchronous, and in written form. |
| Independence | |||
| IN10 | The project is independent from any corporate or organizational influence. [12] | Yes | The project has PPMC members from 3 different organizations. Viewpoints from all committers/PPMC members are respected equally regardless of affiliations. There is growth of the contributions coming from different committers. |
| IN20 | Contributors act as themselves as opposed to representatives of a corporation or organization. | Yes | While the committers are compensated by companies for work on the project, the committers and contributors act on their own initiative without representing a corporation or organization, as per the Apache Way discussion of "Community of Peers". |
Footnotes
- "For distribution to the public at no charge" is straight from the ASF Bylaws at http://apache.org/foundation/bylaws.html. (1)
- See also LC40. (2)
- It's ok for platforms (like a runtime used to execute our code) to have different licenses as long as they don't impose reciprocal licensing on what we are distributing. (3)
- http://apache.org/legal/resolved.html has information about acceptable licenses for third-party dependencies (4)
- In Apache projects, the ASF owns the copyright for the collective work, i.e. the project's releases. Contributors retain copyright on their contributions but grant the ASF a perpetual copyright license for them. (5)
- See http://www.apache.org/dev/release.html for more info on Apache releases (6)
- The required level of security depends on the software's intended uses, of course. Expectations should be clearly documented. (7)
- Apache projects can just point to http://www.apache.org/security/ or use their own security contacts page, which should also point to that. (8)
- In Apache projects, "consensus" means widespread agreement among people who have decision power. It does not necessarily mean "unanimity". (9)
- For Apache projects, http://www.apache.org/foundation/voting.html defines the voting rules. (10)
- Apache projects have a private mailing list that their PMC is expected to use only when really needed. The private list is typically used for discussions about people, for example, to discuss and to vote on PMC candidates privately. (11)
- Independence can be understood as basing the project's decisions on the open discussions that happen on the project's main communications channel, with no hidden agendas. (12)
Copyright © 2019-2020 The Apache Software Foundation, Licensed under the Apache License, Version 2.0.
Apache®, the names of Apache projects, and the feather logo are either registered trademarks or trademarks of the Apache Software Foundation in the United States and/or other countries.