Add 2025 Hyperledger Iroha annual review

[VladislavPopovSR]

No description provided.

[tkuhrt]

@matthew1001 @mbrandenburger : Please let me know when you would like to review this in a future TAC meeting.

[matthew1001]

Marcus and I have put together our review of the report for discussion on the next TAC call.

Health & recent activity

• Github pulse insights show regular PRs being merged, including changes that appear to be for related to a variety of both new feature and bug fixes.
• Activity according to LFX insights is down towards the end of the year, in terms of both contributors and commits, but appeared to be relatively consistent for most of 2024.
• Contributions from organisations other than Soramitsu appear to account for ~ 20% of contributions over 2024
• There have been several releases across the various Iroha repositories, e.g. 1 main and several RC releases for Iroha, several for Iroha-javascript, 1 for Iroha-python.

LFDT project criteria

• The activity according to LFX insights appears to indicate contributions from a number of different organisations. However, the MAINTAINERS.md file in the iroha GH repository has only 1 member who is not from Soramitsu. It's not completely clear which organisation they are from as they used a gmail email address.

• The LFX best practice score across the Iroha projects is 33%.

• There does not appear to be an ADOPTERS.md file in any of the main GH repositories. It might be useful to add the Palau Invest Project to an adopters file along with other projects that emerge over 2024.

• There does not appear to be a SECURITY.md file in the main Iroha repository or the Iroha Java repository, although it looks like this was specifically removed (see issue [documentation] Update security policy hyperledger-iroha/iroha#3384). Iroha-javascript does include a SECURITY.md file.

• OpenSSF score for the main Iroha project is 5.3. Of the specific checks in the project lifecycle document, this which are not compliant are:

  • Token permissions (0)
  • Vulnerabilities (0)
  • Branch protection (?)
  • Signed releases (?)

• Some of the subrepos (e.g. Iroha Javascript, Iroha Python) also did not meet all of the MUST requirements, and Iroha Java is missing an OpenSSF scorecard entirely.

Performance against last year's objectives

• Iroha has achieved its primary goal of delivering an MVP release of Iroha 2. This is a big achievement for the project given the scale of the rework involved in moving from Iroha to Iroha 2.

General recommendations & suggestions for improvement

• The project appears to be going through a period of flux as the project and community move to Iroha 2. As the project points out, this has included a drop in activity on discord and email comms, and also appears to have paused contributor calls as there are no community meeting minutes since August 2024.
• As the project ramps up on Iroha 2 it would be good to see contributor calls resume, along with more active comms on Discord etc.
• Some of the repositories are not very clear on whether they are Iroha 1 or Iroha 2. In some cases it appears that a branch is being used for Iroha 2 development. In others it's not clear. Some clarity around how Iroha 2 development relates to previous work might be beneficial to those looking to contribute to the project.
• The OpenSSF scores across the Iroha repositories are not currently meeting those required of the LFTD guidelines. Some of these may be easy to fix and will give potential end users more confidence in the project.
• The expectation is that activity will resume again as Iroha 2 gains more adoption

Overall recommendation

• We agree with the annual report's proposal to remain as a graduated project and are recommending that to the TAC. There are areas that require some focus over 2025 but some of these are common to other graduated projects, particularly the work on OpenSSF scores.