Document status: ⚠️ DRAFT

[!CAUTION] What you see here is a DRAFT of an overview of Open Source project life-cycle conditions and needs, created by the CPAN Security Group (CPANSec). As long as this document is in DRAFT, all of the points and ideas below are suggestions, and open to revision, deletion or amending – by you!

This document is background material and notes for the CycloneDX OSS Sustainability WG. In this project we try to help OSS project maintainers communicate their needs and requirements, and to help them share information that may assist their users with business continuity challenges.

Project Need Indicators

States in bold exist on CPAN.

| Needs | Maint = 0 | Maint = 1 | Maint > 1 | Maint needs increase | Maint is declining | Response time | Claim source |
|---|---|---|---|---|---|---|---|
| NEEDHELP | no | YES | YES | YES | no | LOW | Maintainer |
| HANDOFF | no | YES | no | YES | YES | LOW | Maintainer |
| ADOPTME | YES | no | no | YES | no | NONE | Ecosystem |
| NEEDFUNDING | no | YES | YES | no | no | LOW | Maintainer |
| NEEDSUPPORT | no | YES | YES | no | no | LOW | Maintainer |
  1. NEEDHELP – The project is understaffed, and requires additional co-maintainers for sustainable and continued development. (Ref: PAUSE-2017)
    • (number of maintainers is higher than 0)
    • (number of maintainers is too low)
  2. HANDOFF – The project maintainer is looking for someone to take over the project as a new maintainer (Ref: PAUSE-2017)
    • (number of maintainers is 1)
    • (number of maintainers is about to reduce to 0)
  3. ADOPTME – The project is abandoned, or the project maintainer has been confirmed beyond reasonable doubt to be unresponsive, and therefore the project is made available for adoption (Ref: PAUSE-2017)
    • The project needs a new maintainer
    • (number of maintainers is 0)
    • (number of maintainers is too low)
  4. NEEDFUNDING – This project needs funding
    • Workload is unsustainable with only a volunteer-level commitment
    • (number of maintainers is 1 or higher)
    • (number of maintainers does not need to change)
  5. NEEDSUPPORT – This project needs non-funding support
    • Project growth and sustainability is hindered by lack of non-code contributions
    • Examples: Branding development; Code security audit; Event organizing; Documentation writing;
    • (number of maintainers is 1 or higher)
    • (number of maintainers does not need to change)
    • See Enumeration of NEEDSUPPORT items for examples

Enumeration of NEEDSUPPORT items

When a project signals that it NEEDSUPPORT, this can mean that assistance is needed with any of a number of activities.

Needs in bold are found in CHAOSS-2020.

  1. Brand Development
    • Brand Strategy
    • Brand Management and Implementation
  2. Bug Triage
  3. Code Review
    • Development process
    • Maintainability review
    • Security review
  4. Code Writing and development
    • Internationalization/I18N
  5. Community Building and Management
    • Culture and conduct
    • Diversity, Equity, Inclusion
    • Forum management, moderation and support
    • Governance development
    • Recruitment and on-boarding
  6. Content Creation
    • Audio or Video Editing
    • Podcast Hosting or Participation
  7. Creative Work and Design
  8. Documentation Authorship
    • Automation and Completeness
    • Consistency and Voice
    • Indexing, Findability and SEO
    • Localization/L10N and Translation
    • User or Stakeholder Relevance
  9. Event Organizing
    • Conferences, Meetups, Hackathons or other gatherings for social knowledge-sharing
    • Online events, webinars or classes/training
    • Program committee work
    • Social and networking events
  10. Financial Management
    • Fund-raising
  11. Legal Counsel
    • License Conflict Resolution
    • License Enforcement
    • Trademark Defense
    • Trademark Registration
  12. Mentorship (Ref: MSFTOSS-2024)
    • Code contribution
    • Documentation
    • Governance
    • Outreach and Communication
    • Security
  13. Open Source Steward (EU Cyber Resilience Act)
  14. Outreach
    • Industry/Stakeholder/OSPO Outreach and Assistance
    • Marketing and Campaign Advocacy
    • Media relations
    • Public Relations - Interviews with Technical Press
    • Social Media Management and presence
    • Speaking at Events and Conference Presentations
    • Website Development
    • Writing Articles
  15. Packaging
    • Adaptation to new packaging systems
    • Container assembly
    • Package maintenance
    • Release management
    • Tooling development
  16. Quality Assurance and Testing
  17. Security-Related Activities
    • Hardening
    • Writing automated security tests
  18. Skill and contribution gaps compensation (Ref: MSFTOSS-2024)
    • Language
    • Specialized skills
    • Technology/platform
  19. Teaching and Tutorial Building
    • Course/training material development
  20. Technical infrastructure and hosting
    • Chat forum hosting
    • DNS and Email hosting
    • Other hosted community services
  21. Troubleshooting and Support
    • User Support and Answering Questions
  22. User Interface, User Experience, and Accessibility
    • Accessibility audit

Project Support Indicators

| Offers | Maint = 0 | Maint = 1 | Maint > 1 | Maint needs increase | Maint is declining | Response time | Claim source |
|---|---|---|---|---|---|---|---|
| MAINTAINED | no | YES | YES | no | no | OK | Maintainer |
| CASUAL | no | YES | YES | YES | no | LOW | Maintainer |
| DONE | no | YES | no | no | no | LOW | Maintainer |
| LEASTEFFORT | no | YES | YES | no | no | MINIMUM | Maintainer |
| DEPRECATED | no | YES | no | no | no | SECURITY | Maintainer |
| SECURITYONLY | no | YES | YES | YES | no | SECURITY | Maintainer |
| SUPERSEDED | no | YES | YES | no | no | NONE | Maintainer |
| UNMAINTAINED | no | YES | YES | YES | no | NONE | Maintainer |
  1. CASUAL – This project is only maintained on a casual basis (Ref: CASUAL-2016)
    • Response time expectations should be low
    • (number of maintainers is 1 or higher)
    • (number of maintainers increase may be desired)
  2. DEPRECATED – The project maintainer recommends that this project is not to be used
    • (number of maintainers is 0)
    • (number of maintainers does not need to change)
  3. DONE – The project is considered “Done”, and while it is maintained, no further development is needed or expected
    • (number of maintainers is 1 or higher)
    • (number of maintainers does not need to change)
  4. MAINTAINED – The project is maintained (default state)
    • (number of maintainers is higher than 0)
    • (number of maintainers increase may be desired)
  5. SECURITYONLY – The project receives security fixes only
    • (number of maintainers is 1 or higher)
    • (number of maintainers increase may be desired)
  6. SUPERSEDED – This project is considered by the Maintainer to have been replaced by another project
    • (number of maintainers is 0 or higher)
    • (number of maintainers does not need to change)
  7. UNMAINTAINED – This project is not actively maintained (Ref: UNMAINTED-2023)
    • Response time expectations should be none
    • (number of maintainers is 1 or higher)
    • (number of maintainers increase may be desired)

Project Ecosystem States

States in bold exist on CPAN.

| States | Maint = 0 | Maint = 1 | Maint > 1 | Maint needs increase | Maint is declining | Response time | Claim source |
|---|---|---|---|---|---|---|---|
| COMPROMISED | no | YES | YES | no | no | NONE | Ecosystem |
| CUSTODY | YES | no | no | YES | no | SECURITY | Ecosystem |
| DELISTED | YES | YES | YES | no | no | NONE | Ecosystem |
| DUAL | no | YES | YES | no | no | OK | Ecosystem |
| NOXFER | no | YES | no | no | no | NONE | Ecosystem |
| UNREACHABLE | no | YES | YES | no | no | ERROR | Ecosystem |

Project State Indicators

  1. COMPROMISED – This project has a prevailing and substantial security compromise
    • The project has been removed from the index due to security issues that have prevailed for a substantial time.
    • The project is expected to revert to its previous state after the offending issues have been resolved or mitigated.
    • (number of maintainers is not relevant)
  2. CUSTODY – This project is under custodianship
    • The project is deemed as important for the ecosystem, and needs a trusted maintainer
    • (number of maintainers is 0)
  3. DELISTED
    • The project has been removed from the ecosystem index due to extraordinary circumstances
    • The project is expected to revert to its previous state after the offending issues have been resolved or mitigated.
  4. DUAL-LIFE – The project is a core component in the language, with updates published in the language ecosystem as well
    • This project is maintained by the language core team itself.
    • The project is both published as part of the core language, and through the language ecosystem.
    • Equivalent to the P5P special user on CPAN (Ref: PAUSE-2017)
  5. NOXFER – The project is prevented from being transferred to new maintainers (Ref: PAUSE-2017)
    • The project maintainer has requested that this project is to be prevented from being adopted.
    • The project may still be forked under a new name.
    • (number of maintainers is not relevant)
  6. UNREACHABLE – The project maintainers are not reachable
    • The project maintainer(s) have not been reachable through registered communication channels for a substantial time, due to reasons outside the control of the project.
      • e.g.: expired domain, bouncing email, compromised or hijacked forums or channels, or other force majeure events beyond the Maintainer’s control.
    • The project is expected to revert to its previous state after the offending issues have been resolved or mitigated.
    • (number of maintainers is not relevant)

Other project states, claims and metadata

  1. Intended for commercial use (EU CRA signal for OSS Stewards)

For consideration

  1. CE_DECLARATION – A URL, linking to declaration of conformance to the EU Cyber Resilience Act, as required in Annex II, point 6; and Chapter III, Article 28; and in Chapter II Article 13(20).
  2. CE_DOCUMENTATION – A URL linking to supporting information and instructions (Annex II, point 8)
  3. CE_CONFORMITY_BODY – A URL pointing to the Conformity Assessment Body where this component has been registered (CRA Article 22(4) and Article 58(1))
  4. CE_SUPPORT_END_DATE – The date for when the support for the component expires (Annex II, point 7)

License and use of this document

You may use, modify and share this file under the terms of the CC-BY-SA-4.0 license.

Acknowledgements

Several people have been involved in the development of this document.

  • Salve J. Nilsen (main author)
  • Georg Link

References