tags:

views:

1155

answers:

3
+2  Q: 

Best approach to perform a CMMI Physical Configuration Audit?

The organization I currently work for an organization that is moving into the whole CMMI world of documenting everything. I was assigned (along with one other individual) the title of Configuration Manager. Congratulations to me right.

Part of the duties is to perform on a regular basis (they are still defining regular basis, it will either by quarterly or monthly) a physical configuration audit. This is basically a check of source code versions deployed in production to what we believe to be the source code versions in production.

Our project is a relatively small web application with written in Java. The file types we work with are java, jsp, xml, property files, and sql packages.

The problem I have (and have expressed but seem to be going ignored) is how am I supposed to physical log on to the production server and verify file versions and even if I could it would take a ridiculous amount of time?

The file versions are not even currently in the file(i.e. in a comment or something). It was suggested that we place visible version numbers on each screen that is visible to the users also. I thought this ridiculous also, since the screens themselves represent only a small fraction of the code we maintain.

The tools we currently use are Netbeans for our IDE and Serena Dimensions as our versioning tool.

I am specifically looking for ideas on how to perform this audit in a hopefully more automated way, that will be both accurate and not time consuming.

My idea is currently to add a comment to the top of each file that contains the version number of that file, a script that runs when a production build is created to create an XML file or something similar containing the file name and version file of each file in the build. Then when I need to do an audit I go to the production server grab the the xml file with the info, and compare it programmatically to what we believe to be in production, and output a report.

Any better ideas. I know this has to have been done already, and seems crazy to me that I have not found any other resources.

+4  A: 

You could compute a SHA1 hash of the source files on the production server, and compare that hash value to the versions stored in source control. If you can find the same hash in source control, then you know what version is in production. If you can't find the same hash in source control, then there are untracked modifications in production and your new job title is justified. :)

Greg Hewgill  2008-10-28 21:52:18
I had not consider that, that seems more reliable than the comment idea. The comment idea bothered me because it would be to easy to forget to update it when working on the file, or to just put the wrong version number.
jschoen  2008-10-28 21:58:12
A nice idea with minimal impact on the existing codebase - no need to embed comments in all the source files, and is largely independent of the CM system in use. Good for things like html/xml/etc files where the source itself is deployed. For executables, you'd also need the exe under CM control.
Kevin Haines  2008-10-28 22:39:27
You really should CM everything: including development environment to really comply with the CM process area goals.Just ask yourself: could you _reproduce_ the last release version exactly. Same compiler...jars etc. just being able to redeploy doesn't let you debug it later.
Tim Williscroft  2008-10-28 22:48:17
A: 

can't you use your source control for this? if you deploy a version and tag your sourcecontrol with that deployment, you can then verify against the source control system

Keith Nicholas  2008-10-28 21:53:49
Thought of this, but we are using the source control system to determine what should be in production. The problem is figuring out what is actually is in production.
jschoen  2008-10-28 21:57:04
+3  A: 

The typical trap organizations fall into with the CMMI is trying to overdo everything. If I could suggest anything, it'd be start small & only do what you need. So consider any problems that you may have had in the CM area peviously.

The CMMI describes WHAT an organisation should do, but leaves the HOW up to you. The CMMI specification, chapter 2 is well worth a read - it describes the required, expected, and informative components of the specification - basically the goals are required, the practices are expected, and everything else is informative. This means there is only a small part of the specification which a CMMI appraiser can directly demand - the goals. At the practice level, it is permissable to have either the practices as described, or acceptable alternatives to them.

In the case of configuration audits, goal SG3 is "Integrity of baselines is established and maintained". SP3.2 says "Perform configuration audits to maintain integrity of the configuration baselines." There is nothing stated here about how often these are done, or how long they may take.

In my previous organisation, FCA/PCA was usually only done as part of the product release process, and we used ClearCase as the versioning tool, with labels applied across the codebase to define baselines. We didn't have version numbers in all the source files, nor did we have version numbers on all the products screens - the CM activity was doing the right thing & was backed up by audits, and this was never an issue in any CMMI appraisal. We could use the deltas between labels to look at what files had changed, perform diffs to see the actual code changes. An important part of the process is being able to link those changes back to either a requirement/bug report/whatever the reason was which initiated the change.

Our auditing did use scripts to automate the process, but these were in-house developed scripts are specific to ClearCase - basically they would list all the files, their versions in the CM system, and the baseline/config item to which they belonged.

Kevin Haines  2008-10-28 22:22:43
That was pretty much my understanding of CMMI, with it being more of a guideline with generalizations, that our left up to the implementor to decide how to do it.
jschoen  2008-10-28 22:30:34
Unfortunately where I am I am being told they want basically a comparison of what is in production currently to what we believe is in production based on our baselines.
jschoen  2008-10-28 22:31:05
Oh , thanks for the link, I will read it.
jschoen  2008-10-28 22:32:22

related questions

What are the implications of ISO 9001/CMMI for source control in general, and Git/Mercurial/DVCS in particular?
What is considered to be a mature software development process and why is this definition useful? (You should cover both CMM and CMMI.)
How to track Domain Entities with TFS using the CMMI project template?
How to implement CMMI level 2 with Scrum?
revision vs. version
Good resources for example process definitions of software development methodologies?
Does a process like CMMI really helps a project
Which are the best IT methodology standards for a web development company?
Team Foundation Server reporting stops refreshing after adding a CMMi repository
CMM certification is it really required?
What is the impact of ITIL or CMMI on the development ?
Where to find good examples or Templates for Configuration Management Plans?
Release Management Software
UK Vat change from 17.5 to 15% - How will this affect your code?
Product Line Engineering
What's the best way to build variants of the same C/C++ application.
How to blend CMMI and Scrum?
Software development and engineering
Suggestions for requirements development tools that support CMMI objectives
Does anyone still believe in the Capability Maturity Model for Software?
How do you do lightweight CMMI?
.net solution subversion best practices?
What is the difference between a bug and a change request in MSF for CMMI?