OSS Project Viability: Governance

Why It Matters

Project Viability is an aggregate measurement of four categories: Compliance + Security, Governance, Community Engagement, and Strategy. Viability is relevant through the lens of any prospective user of a given project; specifically to provide an understanding of how viable a particular project may be for themselves. Further, this metric focuses heavily on the maintainers and their efforts. Understanding maintainership is a hugely important part of overall project viability, because a project's maintainers are the gatekeepers of incoming changes, new releases, and future project direction. The community surrounding a project matters as well, but Community (another model) will focus more on metrics specific to the community.

User Stories

• As a developer, I want to:
  • Understand if a dependency is viable.
  • Investigate my ability to contribute changes to a project if needed
• As a manager of a project using open source, I want to understand the risk associated with using a project.

Metrics in the Metrics Model

• Issues Inclusivity
• Documentation Usability
• Time To Close
• Change Request Closure Ratio
• Project Popularity
• Libyears
• Issue Age
• Release Frequency

Data Insights

Background of the Investigated Context

In a highly regulated industry, companies like Verizon have interest in ensuring that their dependencies are well understood and within their licensing boundaries for use across a diverse product range. Our OSPO was particularly interested in determining how “viable” a project is for different product lines that Verizon offers, from web applications to products that are shipped to a home and maintained from afar for years on end.

We broke apart the larger context of “viability” across the existing CHAOSS metrics portfolio, and created buckets for each relevant space, reflected through the lens of OSPO’s concerns in the organization.

Insights Drawn from Metrics Model

Context before insights: “Viability” is a term that will have different thresholds for risk tolerances across organizations and industries. The Compliance and Security that does not suit a telecommunications company may be suitable for a startup emerging into a new space with limited resources and libraries that address their problems.

Intended use of this metrics model is to feed into an overall viability determination. Every company, like with risk tolerance, will have different degrees of “viable” based on how the software is ultimately applied to the end users.

Contributors

• Gary White
• Eric Sorenson
• Matt Germonprez

To reference this metric in software or publications please use this stable URL: https://chaoss.community/?p=5411

The usage and dissemination of health metrics may lead to privacy violations. Organizations may be exposed to risks. These risks may flow from compliance with the GDPR in the EU, with state law in the US, or with other laws. There may also be contractual risks flowing from terms of service for data providers such as GitHub and GitLab. The usage of metrics must be examined for risk and potential data ethics problems. Please see CHAOSS Data Ethics document for additional guidance.