The State of Open-Source Software

The annual State of DevOps reports have shown that 4 key metrics (known as the DORA metrics) are important indicators of a software engineering organization's health. Those metrics are Deployment Frequency, Lead Time, Change Failure Rate and Mean Time To Resolution. (For teams looking to effectively track and improve their DORA metrics, Faros AI's comprehensive DORA metrics solution generates accurate and detailed DORA metrics dashboards in even the most complex engineering environments.)

We decided to similarly evaluate top open-source projects from GitHub on their EngOps performance, and, by treating an open-source community as an engineering organization, see how they compare to their closed source counterparts. Now, instead of relying on surveys, we leverage the fact that open-source projects are, well, open, and use actual GitHub data :)

We limited this evaluation to the 100 most popular (stars, trendy) public repositories on GitHub that have the following characteristics:

• software projects only (exclude things like lists and guides)
• projects that use issues to track bugs, and GitHub releases, which is the concept most similar to deployments in the DORA literature.

(Appendix)

DORA metrics involve deployments and incident data. However, OSS projects are not centered around those concepts. Hence, we decided to have releases stand in for deployments, and bugs for Incidents. And this is how our adapted DORA metrics for OSS were born:

• Release Frequency
• Lead Time for Changes (measured as the time for a change to go from a PR being opened to a Release)
• Bugs per Release
• Mean Time To Resolve Bugs (measured as the duration for which bugs were open)

We also captured the number of contributors and Github stars.

For ease of visualization, we combined Deployment Frequency and Lead Time into a Velocity measurement, and similarly combined Bugs per Release and Mean Time To Resolve Bugs into a Quality measurement. Here is how they fared on those metrics.

Some interesting takeaways emerged out of this:

A New set of Benchmarks for OSS

Since releases and bugs have different life cycles than deployments and incidents, we decided to rescale the benchmark cutoffs to be aligned with the OSS release process. Ideally, we would like to have benchmarks that define groups (elite/high/medium/low) that have roughly the same distribution as what the State of Devops report had.

In 2021, that distribution was 26/40/28/7. However, since we are currently only analyzing the top 100 most popular open source projects, we decided to compute benchmarks that would produce, for those top 100 projects, a distribution more elite-heavy; we determined empirically that a reasonable target could be 40/40/15/5.

The benchmarks are summarized below.

Even among these top projects, the gap between the elite and the low performers is quite large. Compared to the low performers, elite projects have:

• 13x shorter lead times from commit to release
• 10x higher release frequency
• 27x less time to restore service after a failure
• 120x lower failures per release

There is a positive quality/velocity relationship, but it is not strong

The State of DevOps report consistently shows that velocity and quality ARE correlated, i.e. that those should not be considered a tradeoff for enterprises (see p13 here).

For OSS projects, the correlation is still there, but not as strong. Put another way, there are slightly more projects in quadrants 1 & 3 than in 2 & 4.

Growing pains

Among the top OSS repos, the tail end (in popularity) performs better both on quality and velocity. Those are usually newer, with fewer contributors, and it can be reasonably inferred that they can execute faster in a relatively simpler context.

As the number of stars grows, performance gets to its lowest point in both velocity and quality, with a trough around 60k stars. Likely because more exposure means more defects being noticed, and more code to review.

And finally, things get better again for the most popular ones. Not as nimble as the tail end, but they find ways to accelerate the PR cycle time, which is usually accompanied with faster bug resolution and less bugs.

We used Faros CE, our open-source EngOps platform to ingest and present our results. Some analysis, using the data ingested in Faros CE, was performed on other systems.

Here is a link to the full dashboard.

Interested in learning more about Faros CE?

Contact us today.

Appendix

Repos In this Analysis

1. 3b1b/manim
2. airbnb/lottie-android
3. alibaba/arthas
4. angular/angular
5. ant-design/ant-design
6. apache/dubbo
7. apache/superset
8. apple/swift
9. babel/babel
10. caddyserver/caddy
11. carbon-app/carbon
12. certbot/certbot
13. cli/cli
14. coder/code-server
15. commaai/openpilot
16. cypress-io/cypress
17. denoland/deno
18. elastic/elasticsearch
19. electron/electron
20. elemefe/element
21. etcd-io/etcd
22. ethereum/go-ethereum
23. eugeny/tabby
24. expressjs/express
25. facebook/docusaurus
26. facebook/jest
27. facebook/react
28. fatedier/frp
29. gatsbyjs/gatsby
30. gin-gonic/gin
31. go-gitea/gitea
32. gogs/gogs
33. gohugoio/hugo
34. google/zx
35. grpc/grpc
36. hashicorp/terraform
37. homebrew/brew
38. huggingface/transformers
39. iamkun/dayjs
40. iina/iina
41. ionic-team/ionic-framework
42. julialang/julia
43. keras-team/keras
44. kong/kong
45. laurent22/joplin
46. lerna/lerna
47. localstack/localstack
48. mastodon/mastodon
49. mermaid-js/mermaid
50. microsoft/terminal
51. microsoft/vscode
52. minio/minio
53. moby/moby
54. mrdoob/three.js
55. mui/material-ui
56. nationalsecurityagency/ghidra
57. nativefier/nativefier
58. neovim/neovim
59. nervjs/taro
60. nestjs/nest
61. netdata/netdata
62. nodejs/node
63. obsproject/obs-studio
64. pandas-dev/pandas
65. parcel-bundler/parcel
66. photonstorm/phaser
67. pi-hole/pi-hole
68. pingcap/tidb
69. pixijs/pixijs
70. preactjs/preact
71. prettier/prettier
72. protocolbuffers/protobuf
73. psf/requests
74. puppeteer/puppeteer
75. pytorch/pytorch
76. rclone/rclone
77. redis/redis
78. remix-run/react-router
79. rust-lang/rust
80. scikit-learn/scikit-learn
81. skylot/jadx
82. socketio/socket.io
83. spring-projects/spring-framework
84. storybookjs/storybook
85. syncthing/syncthing
86. tauri-apps/tauri
87. tensorflow/models
88. tensorflow/tensorflow
89. textualize/rich
90. tiangolo/fastapi
91. traefik/traefik
92. vercel/next.js
93. videojs/video.js
94. vitejs/vite
95. vlang/v
96. vuejs/vue
97. vuejs/vue-cli
98. vuetifyjs/vuetify
99. webpack/webpack