Open Source project life-cycle states and indicators
Document status: ⚠️ DRAFT
[!CAUTION] What you see here is a DRAFT of an overview of Open Source project life-cycle conditions and needs, created by the CPAN Security Group (CPANSec). As long as this document is in DRAFT, all of the points and ideas below are suggestions, and open to revision, deletion or amending – by you!
- Contribute on Github: https://github.com/CPAN-Security/security.metacpan.org/tree/lifecycle/docs/foss-project-lifecycle.md
- Discuss on IRC: ircs://ssl.irc.perl.org:7063/#cpan-security
- Discuss on Matrix: https://matrix.to/#/#cpansec:matrix.org
This document is background material and notes for the CycloneDX OSS Sustainability WG. In this project we try to help OSS project Maintainers communicate their needs and requirements, as well as help them share important information that may assist with their users' business continuity challenges.
Project Need Indicators
States in bold exist on CPAN.
Needs | Maint = 0 | Maint = 1 | Maint > 1 | Maint needs increase | Maint is declining | Response time | Claim source |
---|---|---|---|---|---|---|---|
NEEDHELP | no | YES | YES | YES | no | LOW | Maintainer |
HANDOFF | no | YES | no | YES | YES | LOW | Maintainer |
ADOPTME | YES | no | no | YES | no | NONE | Ecosystem |
NEEDFUNDING | no | YES | YES | no | no | LOW | Maintainer |
NEEDSUPPORT | no | YES | YES | no | no | LOW | Maintainer |
- NEEDHELP – The project is understaffed, and requires additional co-maintainers for sustainable and continued development. (Ref: PAUSE-2017)
- (number of maintainers is higher than 0)
- (number of maintainers is too low)
- HANDOFF – The project maintainer is looking for someone to take over the project as a new maintainer (Ref: PAUSE-2017)
- (number of maintainers is 1)
- (number of maintainers is about to reduce to 0)
- ADOPTME – The project is abandoned, or the project maintainer has been confirmed beyond reasonable doubt to be unresponsive, and therefore the project is made available for adoption (Ref: PAUSE-2017)
- The project needs a new maintainer
- (number of maintainers is 0)
- (number of maintainers is too low)
- NEEDFUNDING – This project needs funding
- Workload is unsustainable with only a volunteer-level commitment
- (number of maintainers is 1 or higher)
- (number of maintainers does not need to change)
- NEEDSUPPORT – This project needs non-funding support
- Project growth and sustainability is hindered by lack of non-code contributions
- Examples: Branding development; Code security audit; Event organizing; Documentation writing;
- (number of maintainers is 1 or higher)
- (number of maintainers does not need to change)
- See Enumeration of NEEDSUPPORT items for examples
Enumeration of NEEDSUPPORT items
When a project signals that it NEEDSUPPORT, this can imply that assistance is needed with any of a number of activities.
Needs in bold are found in CHAOSS-2020.
- Brand Development
- Brand Strategy
- Brand Management and Implementation
- Bug Triage
- Code Review
- Development process
- Maintainability review
- Security review
- Code Writing and development
- Internationalization/I18N
- Community Building and Management
- Culture and conduct
- Diversity, Equity, Inclusion
- Forum management, moderation and support
- Governance development
- Recruitment and on-boarding
- Content Creation
- Audio or Video Editing
- Podcast Hosting or Participation
- Creative Work and Design
- Documentation Authorship
- Automation and Completeness
- Consistency and Voice
- Indexing, Findability and SEO
- Localization/L10N and Translation
- User or Stakeholder Relevance
- Event Organizing
- Conferences, Meetups, Hackathons or other gatherings for social knowledge-sharing
- Online events, webinars or classes/training
- Program committee work
- Social and networking events
- Financial Management
- Fund-raising
- Legal Counsel
- License Conflict Resolution
- License Enforcement
- Trademark Defense
- Trademark Registration
- Mentorship (Ref: MSFTOSS-2024)
- Code contribution
- Documentation
- Governance
- Outreach and Communication
- Security
- Open Source Steward (EU Cyber Resilience Act)
- Outreach
- Industry/Stakeholder/OSPO Outreach and Assistance
- Marketing and Campaign Advocacy
- Media relations
- Public Relations - Interviews with Technical Press
- Social Media Management and presence
- Speaking at Events and Conference Presentations
- Website Development
- Writing Articles
- Packaging
- Adaptation to new packaging systems
- Container assembly
- Package maintenance
- Release management
- Tooling development
- Quality Assurance and Testing
- Security-Related Activities
- Hardening
- Writing automated security tests
- Skill and contribution gaps compensation (Ref: MSFTOSS-2024)
- Language
- Specialized skills
- Technology/platform
- Teaching and Tutorial Building
- Course/training material development
- Technical infrastructure and hosting
- Chat forum hosting
- DNS and Email hosting
- Other hosted community services
- Troubleshooting and Support
- User Support and Answering Questions
- User Interface, User Experience, and Accessibility
- Accessibility audit
Project Support Indicators
Offers | Maint = 0 | Maint = 1 | Maint > 1 | Maint needs increase | Maint is declining | Response time | Claim source |
---|---|---|---|---|---|---|---|
MAINTAINED | no | YES | YES | no | no | OK | Maintainer |
CASUAL | no | YES | YES | YES | no | LOW | Maintainer |
DONE | no | YES | no | no | no | LOW | Maintainer |
LEASTEFFORT | no | YES | YES | no | no | MINIMUM | Maintainer |
DEPRECATED | no | YES | no | no | no | SECURITY | Maintainer |
SECURITYONLY | no | YES | YES | YES | no | SECURITY | Maintainer |
SUPERSEEDED | no | YES | YES | no | no | NONE | Maintainer |
UNMAINTAINED | no | YES | YES | YES | no | NONE | Maintainer |
- CASUAL – This project is only maintained on a casual basis (Ref: CASUAL-2016)
- Response time expectations should be low
- (number of maintainers is 1 or higher)
- (number of maintainers increase may be desired)
- DEPRECATED – The project maintainer recommends that this project is not to be used
- (number of maintainers is 0)
- (number of maintainers does not need to change)
- DONE – The project is considered “Done”, and while it is maintained, no further development is needed or expected
- (number of maintainers is 1 or higher)
- (number of maintainers does not need to change)
- MAINTAINED – The project is maintained (default state)
- (number of maintainers is higher than 0)
- (number of maintainers increase may be desired)
- SECURITYONLY – The project receives security fixes only
- (number of maintainers is 1 or higher)
- (number of maintainers increase may be desired)
- SUPERSEEDED – This project is considered by the Maintainer to have been replaced by another project
- (number of maintainers is 0 or higher)
- (number of maintainers does not need to change)
- UNMAINTAINED – This project is not actively maintained (Ref: UNMAINTED-2023)
- Response time expectations should be none
- (number of maintainers is 1 or higher)
- (number of maintainers increase may be desired)
Project Ecosystem States
States in bold exist on CPAN.
States | Maint = 0 | Maint = 1 | Maint > 1 | Maint needs increase | Maint is declining | Response time | Claim source |
---|---|---|---|---|---|---|---|
COMPROMISED | no | YES | YES | no | no | NONE | Ecosystem |
CUSTODY | YES | no | no | YES | no | SECURITY | Ecosystem |
DELISTED | YES | YES | YES | no | no | NONE | Ecosystem |
DUAL | no | YES | YES | no | no | OK | Ecosystem |
NOXFER | no | YES | no | no | no | NONE | Ecosystem |
UNREACHABLE | no | YES | YES | no | no | ERROR | Ecosystem |
Project State Indicators
- COMPROMISED – This project has a prevailing and substantial security compromise
- Project has been removed from the index due to security issues that have prevailed for a substantial time.
- The project is expected to revert to its previous state after the offending issues have been resolved or mitigated.
- (number of maintainers is not relevant)
- CUSTODY – This project is under custodianship
- The project is deemed as important for the ecosystem, and needs a trusted maintainer
- (number of maintainers is 0)
- DELISTED
- The project has been removed from the ecosystem index due to extraordinary circumstances
- The project is expected to revert to its previous state after the offending issues have been resolved or mitigated.
- DUAL-LIFE – The project is a core component in the language, with updates published in the language ecosystem as well
- This project is maintained by the language core team itself.
- The project is both published as part of the core language, and through the language ecosystem.
- Equivalent to the P5P special user on CPAN (Ref: PAUSE-2017)
- NOXFER – The project is prevented from being transferred to new maintainers (Ref: PAUSE-2017)
- The project maintainer has requested that this project is to be prevented from being adopted.
- The project may still be forked under a new name.
- (number of maintainers is not relevant)
- UNREACHABLE – The project maintainers are not reachable
- The project maintainer(s) have not been reachable through registered communication channels for a substantial time, due to reasons outside the control of the project.
- e.g.: Expired domain, Email bounce, compromised/hijacked forums or channels, or other Forces Majeures beyond the Maintainer’s control.
- The project is expected to revert to its previous state after the offending issues have been resolved or mitigated.
- (number of maintainers is not relevant)
Other project states, claims and metadata
- Intended for commercial use (EU CRA signal for OSS Stewards)
For consideration
- CE_DECLARATION – A URL, linking to declaration of conformance to the EU Cyber Resilience Act, as required in Annex II, point 6; and Chapter III, Article 28; and in Chapter II Article 13(20).
- CE_DOCUMENTATION – A URL linking to supporting information and instructions (Annex II, point 8)
- CE_CONFORMITY_BODY – A URL pointing to the Conformity Assessment Body where this component has been registered (CRA Article 22(4) and Article 58(1))
- CE_SUPPORT_END_DATE – The date for when the support for the component expires (Annex II, point 7)
License and use of this document
- Version: 0.2.0
- License: CC-BY-SA-4.0
- Copyright: © Salve J. Nilsen sjn@oslo.pm, Some rights reserved.
You may use, modify and share this file under the terms of the CC-BY-SA-4.0 license.
Acknowledgements
Several people have been involved in the development of this document:
- Salve J. Nilsen (main author)
- Georg Link
References
- (SJN-2022) What kind of non-technical “nice-to-haves” you would expect to see in a healthy #OpenSource #FLOSS community?, Published 2022-11-14.
- (CHAOSS-2020) CHAOSS Types of Contributions, First created 2020-02-20.
- (arXiv:2408.06723v1) Sustaining Maintenance Labor for Healthy Open Source Software Projects through Human Infrastructure: A Maintainer Perspective, Published 2024-08-13.
- (MSFTOSS-2024) 5 things we learned from sponsoring a sampling of our open source dependencies, Published 2024-06-27.
- (NEILB-2016) It takes a community to raise a CPAN module, Published 2016-02-13.
- (PAUSE-2017) The PAUSE Operating Model Version 2 (section 4.5), published 2017-10-27.
- (UNMAINTED-2016) unmaintained.tech, Published 2016-01-13.
- (CASUAL-2023) [casuallymaintained tech](https://casuallymaintained.tech/), Published 2023-09-25.