From ef88e4220bdc0a99a63a5e8e2dce89e0c774d661 Mon Sep 17 00:00:00 2001 From: Startrekzky Date: Fri, 25 Jul 2025 20:49:20 +0800 Subject: [PATCH 1/2] docs: finish the last two todos in the maturity doc --- community/maturity.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/community/maturity.md b/community/maturity.md index cd01985f8fe..4ca1f2f5ef0 100644 --- a/community/maturity.md +++ b/community/maturity.md 
@@ -53,7 +53,8 @@ The following table is filled according to the [Apache Maturity Model](https://c | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **QU10** | The project is open and honest about the quality of its code. Various levels of quality and maturity for various modules are natural and acceptable as long as they are clearly communicated. | **YES** The project encourages users to [report issues](https://github.com/apache/incubator-devlake/issues) and maintains transparent communication about known limitations. | | **QU20** | The project puts a very high priority on producing secure software. | **YES** Security issues are addressed promptly with a dedicated security response process. | -| **QU30** | The project provides a well-documented, secure and private channel to report security issues, along with a documented way of responding to them. | **TODO** Need to create security reporting documentation and establish security@devlake.apache.org or similar reporting channel. | +| **QU30** | The project provides a well-documented, secure and private channel to report security issues, along with a documented way of responding to them. | **YES** When users open a new issue on the project’s GitHub repository, they are prompted with a “Report a security vulnerability” option that directs them to follow the Apache Software Foundation’s standard security disclosure process. + | | **QU40** | The project puts a high priority on backwards compatibility and aims to document any incompatible changes and provide tools and documentation to help users transition to new features. 
| **YES** The project follows semantic versioning and provides migration guides for breaking changes, with clear documentation of API changes between versions. | | **QU50** | The project strives to respond to documented bug reports in a timely manner. | **YES** The project maintains active issue tracking and has resolved 3400+ issues and 4900+ pull requests with prompt response. | 
@@ -73,7 +74,7 @@ The following table is filled according to the [Apache Maturity Model](https://c | **ID** | **Description** | **Status** | | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------- | -| **CS10** | The project maintains a public list of its contributors who have decision power. The project's PPMC (Project Management Committee) consists of those contributors. | **YES** The project maintains a public list of [PPMC members and committers](https://devlake.apache.org/team) on the website. **TODO:** Verify this page is up to date. | +| **CS10** | The project maintains a public list of its contributors who have decision power. The project's PPMC (Project Management Committee) consists of those contributors. | **YES** The project maintains a public list of [PPMC members and committers](https://devlake.apache.org/team) on the website. | | **CS20** | Decisions require a consensus among PPMC members and are documented on the project's main communications channel. The PPMC takes community opinions into account, but the PPMC has the final word. | **YES** All decisions are made through votes on dev@devlake.apache.org with proper documentation and at least 3 +1 votes from PPMC members. | | **CS30** | The project uses documented voting rules to build consensus when discussion is not sufficient. | **YES** The project follows standard Apache Software Foundation voting rules and procedures. | | **CS40** | In Apache projects, vetoes are only valid for code commits. The person exercising the veto must justify it with a technical explanation, as per the Apache voting rules defined in CS30. 
| **YES** The project follows Apache voting rules where vetoes are only valid for code commits and must be technically justified. | From d022a401fcb6affff647718137b9e05a65fd87c2 Mon Sep 17 00:00:00 2001 From: Startrekzky Date: Mon, 28 Jul 2025 13:02:13 +0800 Subject: [PATCH 2/2] docs: add the link to the release doc --- community/maturity.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/community/maturity.md b/community/maturity.md index 4ca1f2f5ef0..c66a52b0ec1 100644 --- a/community/maturity.md +++ b/community/maturity.md 
@@ -45,7 +45,7 @@ The following table is filled according to the [Apache Maturity Model](https://c | **RE20** | The project's PPMC (Project Management Committee, see CS10) approves each software release in order to make the release an act of the Foundation. | **YES** All releases have been voted on by the PPMC on dev@devlake.apache.org and general@incubator.apache.org with at least 3 PPMC member votes. | | **RE30** | Releases are signed and/or distributed along with digests that anyone can reliably use to validate the downloaded archives. | **YES** All releases are cryptographically signed and include SHA-512 checksums. The [KEYS](https://dist.apache.org/repos/dist/release/incubator/devlake/KEYS) file is available. | | **RE40** | The project can distribute convenience binaries alongside source code, but they are not Apache Releases, they are provided with no guarantee. | **YES** Docker images and other convenience binaries are provided but clearly marked as convenience distributions, not official Apache releases. | -| **RE50** | The project documents a repeatable release process so that someone new to the project can independently generate the complete set of artifacts required for a release. | **TODO** Need to check with community members where the release process documentation is located. | +| **RE50** | The project documents a repeatable release process so that someone new to the project can independently generate the complete set of artifacts required for a release. | **YES** The documentation of the release process can be found on [our website](https://devlake.apache.org/docs/DeveloperManuals/Release-SOP/#asf-release-policy). | ### Quality
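Review bot: In PATCH 1/2, hunk `@@ -53,7 +53,8 @@`, the new **QU30** row is split across two added lines: the status cell ends at "security disclosure process." and the closing `|` sits alone on the following `+` line. A Markdown table row has to stay on one line, so the stray line is at best rendered as an extra empty row; join the two lines so the row closes where the cell ends. The new cell also uses curly quotes (’ “ ”) where the rest of the table is ASCII. Unlike the neighbouring rows it links no evidence: QU30 asks for a documented channel and a documented way of responding, so link the ASF disclosure process the text refers to instead of only describing the GitHub prompt.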
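Review bot: In PATCH 1/2, hunk `@@ -73,7 +74,7 @@`, the **CS10** row drops "**TODO:** Verify this page is up to date." with no other change, and the commit subject ("finish the last two todos") does not say the verification was actually done. State in the commit message or PR description that the team page was checked against the current PPMC and committer roster, since the **YES** for CS10 rests on that list being current.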
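Review bot: In PATCH 2/2, hunk `@@ -45,7 +45,7 @@`, the **RE50** link targets the `#asf-release-policy` fragment of the Release-SOP page, which reads as the policy section, not the step-by-step procedure that RE50 is about. Link to the top of the page or to the section that lists the release steps, so a reader lands on the repeatable process itself. The link text "our website" is also less descriptive than the other rows' links (`[KEYS]`, `[PPMC members and committers]`); something like "Release SOP" would match them and tell the reader what is behind the link.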