git, mercurial, cmmi

What are the implications of ISO 9001/CMMI for source control in general, and Git/Mercurial/DVCS in particular?


I've been asked this question about distributed source control in general by someone who's familiar with Team Foundation Server.

Is it possible to use a DVCS such as Git or Mercurial for source control and comply with standards such as ISO 9001 or CMMI?

What requirements do ISO 9001 and CMMI place on what source control tools should and should not be capable of?

Are there any things that Git/Mercurial do that ISO 9001/CMMI would Consider Harmful or that would require specific considerations?

I've found some information at http://www.ssqc.com/do25v6new.pdf but at a quick glance it doesn't seem to say much other than the need to keep records of what's changed, which versions of your software you've deployed, and which issues they fix, and there's no reason why DVCS shouldn't be able to handle that in combination with a bug tracker such as FogBugz and a CI server such as TeamCity.


Solution

  • First off, software is not ISO 9001 compliant. Only organizations are ISO 9001 compliant. So the question as stated really makes no sense. The only thing you could ask is if the Git or Mercurial development teams are ISO 9001 compliant. (The same goes for CMMI).

    All ISO 9001 for a software development outfit really means is that you have a written process in place for everything you do (development, bug fixes, etc.) and that you follow it. Well, that and you've paid someone to come do an ISO 9001 audit certifying as to the above. CMMI is a lot more involved, but for the purposes of this discussion, we can consider them similar.

    You'd probably have to look pretty long and hard to find a Free Software community project that bothered to go through the massive grunt work required in creating all the process documentation and that scraped together the money to pay for an audit. If you find one, it would probably only be due to some kind of large corporate sponsor wanting it.

    If the question is what those standards specify about the use of Source Control, in the case of ISO 9001 that would be nothing. The old joke is that if you take your product and drop it out a 10-story window to the loading dock below, that's just fine by ISO as long as that's your documented process and you follow it.