PLC4X – [Untitled]

Apache Maturity Model Assessment for PLC4X

Overview

This is an assessment of the PLC4X project’s maturity, meant to help inform the decision (of the mentors, community, Incubator PMC and ASF Board of Directors) to graduate it as a top-level Apache project.

It is based on the ASF project maturity model at https://community.apache.org/apache-way/apache-project-maturity-model.html

Maturity model assessment

Community members are encouraged to contribute to this page and comment on it, the following table summarizes project’s self-assessment against the Apache Maturity Model.

ID Description Status

ID	Description	Status
Code
CD10	The project produces Open Source software, for distribution to the public at no charge.	The project source code is licensed under the Apache License, version 2.0.
CD20	The project’s code is easily discoverable and publicly accessible.	Our sourcecode is available at Apache GitBox and GitHub and linked to from our website
CD30	The code can be built in a reproducible way using widely available standard tools.	our Maven build has been tested on Linux, Mac-OS and Windows and build description is available on our website
CD40	The full history of the project’s code is available via a source code control system, in a way that allows any released version to be recreated.	The entire commit history is available from the beginning.
CD50	The provenance of each line of code is established via the source code control system, in a reliable way based on strong authentication of the committer. When third-party contributions are committed, commit messages provide reliable information about the code provenance.	The project uses the git repository, managed by Apache Infra, ensuring provenance of each line of code to a committer, each line committed before entering incubation was equally configured.
Licenses and Copyright
LC10	The code is released under the Apache License, version 2.0.	Both the source distribution as well as the convenience binary artifacts clearly declare that they are licensed under the Apache 2.0 license
LC20	Libraries that are mandatory dependencies of the project’s code do not create more restrictions than the Apache License does.	The list of mandatory dependencies have been reviewed to contain approved licenses only.
LC30	The libraries mentioned in LC20 are available as Open Source software.	All mandatory dependencies are available as open source software.
LC40	Committers are bound by an Individual Contributor Agreement (the "Apache iCLA") that defines which code they are allowed to commit and how they need to identify code that is not their own.	The project uses a repository managed by Apache Gitbox — write access requires an Apache account, which requires an ICLA on file.
LC50	The copyright ownership of everything that the project produces is clearly defined and documented.	All files in the source repository have appropriate headers which is enforced by tooling included in the build. ICLAs from all initial committers have been documented. CCLAs from all companies involved have been documented. SGA is on file for the initial contribution.
Releases
RE10	Releases consist of source code, distributed using standard and open archive formats that are expected to stay readable in the long term.	Current source releases are distributed via dist.apache.org and Older source releases are available from archive.apache.org. Both are linked from the website.
RE20	Releases are approved by the project’s PMC (see CS10), in order to make them an act of the Foundation.	All incubating releases have been unanimously approved by the PLC4X community and the Incubator, all with at least 3 (P)PMC votes and more +1 than -1.
RE30	Releases are signed and/or distributed along with digests that can be reliably used to validate the downloaded archives.	All releases are signed, and the KEYS file is provided on dist.apache.org
RE40	Convenience binaries can be distributed alongside source code but they are not Apache Releases — they are just a convenience provided with no guarantee.	Convenience binaries are distributed via Maven Central Repository only. Currently due to the platform-dependency of C++ libraries, these are not distributed currently.
RE50	The release process is documented and repeatable to the extent that someone new to the project is able to independently generate the complete set of artifacts required for a release.	We have a guide for release managers, that has been tested by multiple release managers available on our website.
Quality
QU10	The project is open and honest about the quality of its code. Various levels of quality and maturity for various modules are natural and acceptable as long as they are clearly communicated.	All issues are documented in our JIRA instance, which is our primary bug and issue tracker.
QU20	The project puts a very high priority on producing secure software.	even if we haven’t received any security issues targeted at PLC4X yet, we proactively monitor our dependencies and if reported would treat them with the highest priority, according to the CVE/Security Advisory procedure.
QU30	The project provides a well-documented, secure and private channel to report security issues, along with a documented way of responding to them.	We are using Apaches default way to submit security related information, which is described on our website
QU40	The project puts a high priority on backwards compatibility and aims to document any incompatible changes and provide tools and documentation to help users transition to new features.	We try to keep everything as backward compatible as possible. If we are forced to introduce incompatible changes, these is documented in a `Incompatible changes` section as part of our release notes.
QU50	The project strives to respond to documented bug reports in a timely manner.	Bug reports are treated with priority and are automatically posted to our developer mailing list dev@plc4x.apache.org" class="bare">https://lists.apache.org/list.html?dev@plc4x.apache.org so they are prominently recognised.
Community
CO10	The project has a well-known homepage that points to all the information required to operate according to this maturity model.	The project website has a description of the project with technical details, how to contribute, team.
CO20	The community welcomes contributions from anyone who acts in good faith and in a respectful manner and adds value to the project.	So far we have recognized any form of contribution and every contributor with the desire to become part of the team has been invited to join.
CO30	Contributions include not only source code, but also documentation, constructive bug reports, constructive discussions, marketing and generally anything that adds value to the project.	It’s part of the contribution guide and the current committers are really keen to welcome contributions.
CO40	The community is meritocratic and over time aims to give more rights and responsibilities to contributors who add value to the project.	So far the community has elected 4 committers, all of them also being added to the PPMC.
CO50	The way in which contributors can be granted more rights such as commit access or decision power is clearly documented and is the same for all contributors.	The criteria is documented in the contribution guide.
CO60	The community operates based on consensus of its members (see CS10) who have decision power. Dictators, benevolent or not, are not welcome in Apache projects.	The project works to build consensus. All votes have been unanimous so far.
CO70	The project strives to answer user questions in a timely manner.	Responses to reported issues or asked questions typically are handled by the community withing a matter of a few hours (Responses being faster during typical European time-zone business-hours).
Consensus Building
CS10	The project maintains a public list of its contributors who have decision power — the project’s PMC (Project Management Committee) consists of those contributors.	All members of the team have been added on team page.
CS20	Decisions are made by consensus among PMC members 9 and are documented on the project’s main communications channel. Community opinions are taken into account but the PMC has the final word if needed.	All decisions are made on one of our mailing lists. Every decision discussed off-list has been taken back to the list for final discussion and we’ll keep on doing that.
CS30	Documented voting rules are used to build consensus when discussion is not sufficient.	We have documented our decision-making rule on our website.
CS40	In Apache projects, vetoes are only valid for code commits and are justified by a technical explanation, as per the Apache voting rules defined in CS30.	This part actively contradicts the voting rules of the Apache Incubator. This project follows the voting rules of the Apache Incubator which we documented on our website.
CS50	All "important" discussions happen asynchronously in written form on the project’s main communications channel. Offline, face-to-face or private discussions 11 that affect the project are also documented on that channel.	As mentioned in CS20 it is impossible to prevent off-list discussions when meeting in person. But we have always handled things in a way that we always write up summaries of important discussions and post them to the mailing lists.
Independence
IN10	The project is independent of any corporate or organizational influence.	The group of active committers and PPMCs consists of members of more than independent 4 companies.
IN20	Contributors act as themselves as opposed to representatives of a corporation or organization.	While there are several cases where committers and PPMC members utilize corporate infrastructure or these companies, no case has been found where any of these committers and PPMCs have represented corporate interests.

Code

CD10

The project produces Open Source software, for distribution to the public at no charge.

The project source code is licensed under the Apache License, version 2.0.

CD20

The project’s code is easily discoverable and publicly accessible.

Our sourcecode is available at Apache GitBox and GitHub and linked to from our website

CD30

The code can be built in a reproducible way using widely available standard tools.

our Maven build has been tested on Linux, Mac-OS and Windows and build description is available on our website

CD40

The full history of the project’s code is available via a source code control system, in a way that allows any released version to be recreated.

The entire commit history is available from the beginning.

CD50

The provenance of each line of code is established via the source code control system, in a reliable way based on strong authentication of the committer. When third-party contributions are committed, commit messages provide reliable information about the code provenance.

The project uses the git repository, managed by Apache Infra, ensuring provenance of each line of code to a committer, each line committed before entering incubation was equally configured.

Licenses and Copyright

LC10

The code is released under the Apache License, version 2.0.

Both the source distribution as well as the convenience binary artifacts clearly declare that they are licensed under the Apache 2.0 license

LC20

Libraries that are mandatory dependencies of the project’s code do not create more restrictions than the Apache License does.

The list of mandatory dependencies have been reviewed to contain approved licenses only.

LC30

The libraries mentioned in LC20 are available as Open Source software.

All mandatory dependencies are available as open source software.

LC40

Committers are bound by an Individual Contributor Agreement (the "Apache iCLA") that defines which code they are allowed to commit and how they need to identify code that is not their own.

The project uses a repository managed by Apache Gitbox — write access requires an Apache account, which requires an ICLA on file.

LC50

The copyright ownership of everything that the project produces is clearly defined and documented.

All files in the source repository have appropriate headers which is enforced by tooling included in the build. ICLAs from all initial committers have been documented. CCLAs from all companies involved have been documented. SGA is on file for the initial contribution.

Releases

RE10

Releases consist of source code, distributed using standard and open archive formats that are expected to stay readable in the long term.

Current source releases are distributed via dist.apache.org and Older source releases are available from archive.apache.org. Both are linked from the website.

RE20

Releases are approved by the project’s PMC (see CS10), in order to make them an act of the Foundation.

All incubating releases have been unanimously approved by the PLC4X community and the Incubator, all with at least 3 (P)PMC votes and more +1 than -1.

RE30

Releases are signed and/or distributed along with digests that can be reliably used to validate the downloaded archives.

All releases are signed, and the KEYS file is provided on dist.apache.org

RE40

Convenience binaries can be distributed alongside source code but they are not Apache Releases — they are just a convenience provided with no guarantee.

Convenience binaries are distributed via Maven Central Repository only. Currently due to the platform-dependency of C++ libraries, these are not distributed currently.

RE50

The release process is documented and repeatable to the extent that someone new to the project is able to independently generate the complete set of artifacts required for a release.

We have a guide for release managers, that has been tested by multiple release managers available on our website.

Quality

QU10

The project is open and honest about the quality of its code. Various levels of quality and maturity for various modules are natural and acceptable as long as they are clearly communicated.

All issues are documented in our JIRA instance, which is our primary bug and issue tracker.

QU20

The project puts a very high priority on producing secure software.

even if we haven’t received any security issues targeted at PLC4X yet, we proactively monitor our dependencies and if reported would treat them with the highest priority, according to the CVE/Security Advisory procedure.

QU30

The project provides a well-documented, secure and private channel to report security issues, along with a documented way of responding to them.

We are using Apaches default way to submit security related information, which is described on our website

QU40

The project puts a high priority on backwards compatibility and aims to document any incompatible changes and provide tools and documentation to help users transition to new features.

We try to keep everything as backward compatible as possible. If we are forced to introduce incompatible changes, these is documented in a Incompatible changes section as part of our release notes.

QU50

The project strives to respond to documented bug reports in a timely manner.

Bug reports are treated with priority and are automatically posted to our developer mailing list dev@plc4x.apache.org" class="bare">https://lists.apache.org/list.html?dev@plc4x.apache.org so they are prominently recognised.

Community

CO10

The project has a well-known homepage that points to all the information required to operate according to this maturity model.

The project website has a description of the project with technical details, how to contribute, team.

CO20

The community welcomes contributions from anyone who acts in good faith and in a respectful manner and adds value to the project.

So far we have recognized any form of contribution and every contributor with the desire to become part of the team has been invited to join.

CO30

Contributions include not only source code, but also documentation, constructive bug reports, constructive discussions, marketing and generally anything that adds value to the project.

It’s part of the contribution guide and the current committers are really keen to welcome contributions.

CO40

The community is meritocratic and over time aims to give more rights and responsibilities to contributors who add value to the project.

So far the community has elected 4 committers, all of them also being added to the PPMC.

CO50

The way in which contributors can be granted more rights such as commit access or decision power is clearly documented and is the same for all contributors.

The criteria is documented in the contribution guide.

CO60

The community operates based on consensus of its members (see CS10) who have decision power. Dictators, benevolent or not, are not welcome in Apache projects.

The project works to build consensus. All votes have been unanimous so far.

CO70

The project strives to answer user questions in a timely manner.

Responses to reported issues or asked questions typically are handled by the community withing a matter of a few hours (Responses being faster during typical European time-zone business-hours).

Consensus Building

CS10

The project maintains a public list of its contributors who have decision power — the project’s PMC (Project Management Committee) consists of those contributors.

All members of the team have been added on team page.

CS20

Decisions are made by consensus among PMC members 9 and are documented on the project’s main communications channel. Community opinions are taken into account but the PMC has the final word if needed.

All decisions are made on one of our mailing lists. Every decision discussed off-list has been taken back to the list for final discussion and we’ll keep on doing that.

CS30

Documented voting rules are used to build consensus when discussion is not sufficient.

We have documented our decision-making rule on our website.

CS40

In Apache projects, vetoes are only valid for code commits and are justified by a technical explanation, as per the Apache voting rules defined in CS30.

This part actively contradicts the voting rules of the Apache Incubator. This project follows the voting rules of the Apache Incubator which we documented on our website.

CS50

All "important" discussions happen asynchronously in written form on the project’s main communications channel. Offline, face-to-face or private discussions 11 that affect the project are also documented on that channel.

As mentioned in CS20 it is impossible to prevent off-list discussions when meeting in person. But we have always handled things in a way that we always write up summaries of important discussions and post them to the mailing lists.

Independence

IN10

The project is independent of any corporate or organizational influence.

The group of active committers and PPMCs consists of members of more than independent 4 companies.

IN20

Contributors act as themselves as opposed to representatives of a corporation or organization.

While there are several cases where committers and PPMC members utilize corporate infrastructure or these companies, no case has been found where any of these committers and PPMCs have represented corporate interests.