Results from analysing the gitlab.opencode.de/dstack group, including repository structure, issue tracker content, and community consultation feedback.
Investigation date: March 2026
The dstack group on gitlab.opencode.de contains one public project:
| Project | Path | Visibility | Description |
|---|---|---|---|
| D-Stack Home | dstack/d-stack-home |
Public | Website content (markdown documents rendered via CI pipeline). Landing page for all D-Stack activities. |
Two public forks exist (OC000017044029/d-stack-home,
oc000052166394/d-stack-home) but no subgroups or additional projects.
The technology landscape at technologie.deutschland-stack.gov.de links in its footer to an OpenCode project at:
https://gitlab.opencode.de/dstack/techstack-landkarte
This repo returns 404 for all public and authenticated users. It appears to be restricted to internal team members only.
Evidence:
- Issue #24 (7 Oct 2025, closed): Reports the broken link. Closed without resolution.
- Issue #48 (10 Oct 2025, closed): Reports the same broken link plus broken Datalab/EU funding graphics. Closed without resolution.
- Issue #99 (13 Oct 2025, open): Reports the same broken link. As of
March 2026 (5 months later), still open. A D-Stack team member
(
oc000002991333) commented on 20 Jan 2026: "Der Link sollte funktionieren, bei mir funktioniert er" -- confirming the repo exists but is accessible only to team members. - A commenter on #99 stated: "das eigentliche Problem hier ist jedoch, dass der Link öffentlich auf der Seite erwähnt ist - und es an der dort sehr wahrscheinlich vorhandenen Datengrundlage der Visualisierung echtes Interesse gibt. Ich z.B. möchte diese Daten mittels eigener KI analysieren um dann auch Input für die Konsultation geben zu können."
Searches across all of gitlab.opencode.de for techstack, landkarte,
landscape, datenlabor, and cncf returned no additional results.
The d-stack-home repository contains the markdown source for
deutschland-stack.gov.de:
d-stack-home/
├── .gitlab-ci.yml (uses md-to-web CI components from open-code)
├── .npmrc
├── LICENSE (empty)
├── README.md
├── assets/graphics/ (logos)
└── dokument/
├── _meta.yaml (menu structure)
├── abkuerzungen.yaml (abbreviations)
├── glossar.yaml (glossary)
├── index.mdx (landing page)
├── aufbau.md (structure / layer model)
├── beteiligung.md (participation)
├── gesamtbild.md (strategic overview)
├── kriterien.md (evaluation criteria)
├── landkarte.md (landscape description -- links to external viz)
├── barriere-melden.md
├── datenschutz.md
├── erklaerung-zur-barrierefreiheit.md
├── impressum.md
└── leichte-sprache.md
The CI pipeline uses open-code/document-writing-tools/document-writing-ci-components/md-to-web@v2 to convert markdown to a web site, deployed on the kernux theme.
The landkarte.md file in the repo describes the landscape's architecture:
- Adapted from the CNCF Landscape
- Built by the Datenlabor des BMI (BMI Data Lab)
- Data source: "inhaltliche Basis zum Tech-Stack in openCode" (content basis from the Tech-Stack in openCode)
- Views: Grid (swimlanes by stack layer, groups horizontal) and Card (grouped tiles with short info)
- Per-technology profiles: Logo, name, responsible organisation, type, classification, description, tags, maturity level, value proposition, source, status, licence, dependencies, external links, and conformity assessment against the six D-Stack criteria
- No automated data collection: "Aktuell erfolgt kein automatisiertes Auslesen von Informationen zur Digital-/IT-Landschaft."
- No permanent governance for external content providers yet
As of March 2026, the d-stack-home project has 707 open issues. The tracker serves as the primary channel for both public consultation rounds.
The majority of issues are feedback submissions from the two public consultation rounds (Konsultationsrunden). They can be categorised as:
| Category | Approximate count | Description |
|---|---|---|
| Generic page feedback | ~400+ | Auto-generated "Feedback für die Seite /..." issues from the website feedback form. Many contain substantive content despite the generic title. |
| Organisational statements | ~40 | Formal consultation submissions from companies, associations, and government bodies |
| Technology addition requests | ~30 | Specific requests to add technologies to the landscape |
| Process/governance feedback | ~20 | Suggestions for improving the D-Stack's structure, criteria, and processes |
| Bug reports | ~10 | Broken links, typos, misclassifications |
| Labels/triage | Minimal | Very few issues are labelled. Issue #229 is one of the rare exceptions with labels: "Erweiterung", "To be Done", "Änderungsvorschlag" |
| Issue | Problem | Status |
|---|---|---|
| #77 | Typo: "NQdrant" should be "Qdrant" in the landscape | Open since Oct 2025 |
| #542 | PostgreSQL misclassified as "STANDARD" instead of "TECHNOLOGIE". Also flags YAML classification ambiguity. | Open since Jan 2026 |
The following issues contain detailed technical analysis from practitioners
and organisations. Many independently identify the same gaps documented in
our MISSING-FROM-LANDSCAPE.md.
Technologies requested by multiple community members that match our gap analysis:
| Technology | Our section | Community issues |
|---|---|---|
| Keycloak | 2.4 (IAM) | #229, #475, #496 |
| OpenStack | 1.4 (Cloud) | #229, #683 |
| SCS (Sovereign Cloud Stack) | 1.4 (Cloud) | #229, #683 |
| Prometheus | 2.1 (Observability) | #229 |
| Grafana | 2.1 (Observability) | #229 |
| Ansible | 2.2 (IaC) | #229 |
| Helm | 2.2 (IaC) | #229 |
| OpenTofu | 2.2 (IaC) | #229 |
| Harbor (registry) | 2.3 (Supply chain) | #229 |
| Matrix Protocol | 2.12 (Other) | #221 (15 upvotes) |
| SPIFFE / SPIRE | 2.4 (IAM/Zero-Trust) | #475 |
| WebAuthn / FIDO / Passkeys | 2.4 (IAM/Zero-Trust) | #475 |
| Linux / OS layer | 2.10 (Endpoint/OS) | #229 |
| Redis / Valkey | 2.7 (Databases) | #229 |
| cert-manager | Related to 1.6 (crypto) | #475, #496 |
| HashiCorp Vault / OpenBAO | 2.4 (IAM) / Compliance | #229 |
Community issues identified technologies we did not cover:
| Technology | Issue | Context |
|---|---|---|
| Proxmox | #229 | Hypervisor / virtualisation platform. We identified the hypervisor gap but did not name Proxmox specifically. |
| Podman | #229 | Container engine alternative to Docker. Rootless, daemonless. |
| Ceph | #229 | Distributed storage. Underlies many OpenStack and Kubernetes deployments. |
| RabbitMQ | #229 | Message broker. We listed AMQP 1.0 as a standard but not RabbitMQ as a product. |
| Thanos | #229 | Long-term Prometheus storage. Complements our observability gaps. |
| Playwright | #475, #496 | Browser E2E testing framework. No testing frameworks on the landscape. |
| JUnit / Testcontainers | #475 | Unit and integration testing. No testing frameworks at all. |
| k6 | #475, #496 | Load testing tool. No performance testing on the landscape. |
| Chaos Mesh | #475 | Chaos engineering for Kubernetes. |
| cert-manager | #475, #496 | Kubernetes certificate management. No cert lifecycle tooling on the landscape. |
| Pandoc | #496 | Document format conversion. Relevant to ODF/PDF/UA gaps. |
| JasperReports | #496 | Report generation. |
| KoliBri | #200 | Federal government's own accessible component library. Already in use. |
| KERN UX | #467 | UX standard for German public administration. |
| GA-Lotse | #496 | Inter-agency process platform already on openCode. |
| IronCalc | #484 | Sovereign spreadsheet calculation engine. |
| F-Droid | #500 | Sovereign open-source app distribution for Android. Legitimate alternative to Google Play for government-managed devices. |
| OpenProject / Redmine | #428 | Project management. No PM tools on the landscape. |
| BlueSpice / XWiki | #428 | Knowledge management / wikis. |
| Docling / Langflow | #710 | AI document processing and workflow frameworks. |
| vLLM / llm-d | #709 | LLM inference servers for AI model operations. |
| Exasol | #549 | Sovereign European analytics database. |
Formal consultation responses filed as issues:
| Organisation | Issue(s) | Key points |
|---|---|---|
| ALASCA-FOCIS (Saxony open cloud) | #229 (8 upvotes) | Infrastructure-as-a-Service layer missing; OS layer missing; SCS should be added; warns about "sovereignty-washing" of US cloud services subject to Cloud Act / FISA 702 |
| OSBA (Open Source Business Alliance) | #279, #283, #286, #288, #679 | Open-source filter as default; SEAL badge and jurisdiction flag per component; exit/migration path documentation; open-source priority in procurement |
| Bitkom (digital industry association) | #415, #666 | Formal position papers for both consultation rounds |
| Cloudogu GmbH | #428, #691 | Tech inventory needed; transparent admission process; warns landscape risks becoming "CNCF Landscape meme"; suggests "Golden Path" approach and tech radar |
| VITAKO (municipal IT association) | #700 | Feedback from municipal IT perspective |
| IT-Referat München (Munich IT dept) | #319-#321, #327, #328, #333, #337, #339 | Series of 8 issues covering: AI runtimes/UIs/observability, deployment tooling (Argo CD, Flux, Helm, Kustomize), registries (Harbor, GitLab Registry), CRI tooling, development environments, low-code |
| ekom21 (Hessian municipal IT) | #459, #713 | Feedback for both consultation rounds |
| secunet | #669 | Security company statement |
| G DATA CyberDefense AG | #658 | Cybersecurity company statement |
| KGSt (municipal management assoc.) | #668 | Administrative management perspective |
| Bündnis F5 (civil society alliance) | #479, #718 | Civil society perspective on both rounds |
| DXC Technology | #667 | IT services company statement |
| KfW (development bank) | #688 | Banking/finance perspective |
| publicplan GmbH | #506, #620 | Both consultation rounds |
| enclaive GmbH | #686 | Confidential computing perspective |
| SCS Forum | #683 | Sovereign Cloud Stack standards community |
| FSFE (Free Software Foundation Europe) | #347, #624 | Free software as foundational principle |
| mgm technology partners | #687 | Second consultation statement |
| TeleTrusT (IT security association) | #727 | IT security industry perspective |
| Bundesverband Green Software | #433, #436, #437 | Sustainability and green software criteria |
| Issue | Proposal |
|---|---|
| #293 | Introduce a Tech Radar maturity indicator (Adopt/Trial/Hold/Deprecate) based on the ThoughtWorks model, using Zalando's open-source tech radar. Would replace the current binary graduated/sandbox model. |
| #428 | Cloudogu: conduct a tech inventory of existing federal/state IT; create a transparent admission process; avoid becoming a larger CNCF Landscape; implement "Golden Path" reference architectures for common use cases. |
| #487 | D-Stack should include Architecture Decision Records (ADRs) and best practices alongside the technology landscape. |
| #504 | Introduce an RFC (Request for Comments) process for the D-Stack. |
| #296 | Add a technology blog to the landscape for communication and context. |
| #285 | OSBA: move from landscape listing to use case documentation showing how technologies combine. |
| #475 | Landscape should set expectations for operational reality -- listing technologies without deployment/testing/monitoring context creates a false sense of readiness. |
Community feedback strongly validates our gap analysis. The most frequently
requested additions by external stakeholders (Keycloak, OpenStack/SCS,
Prometheus/Grafana, Ansible, Helm, Matrix, Linux/OS layer) are all
identified in our MISSING-FROM-LANDSCAPE.md.
The ALASCA-FOCIS submission (#229) independently identifies the same structural gap we documented in Section 2.10 (Endpoint Security & Operating Systems): the stack lists container orchestration but not the OS layer beneath it.
Based on community feedback, the following areas warrant consideration for our analysis:
| Area | Rationale |
|---|---|
| Testing frameworks (unit, integration, E2E, load, chaos) | The landscape lists Selenium but nothing else. Multiple issues (#475, #496) identify this. Testing is a DevSecOps essential. |
| Virtualisation / hypervisors (Proxmox, KVM/QEMU) | The IaaS layer is entirely absent. Issue #229 documents this thoroughly. |
| Container registries (Harbor, GitLab Registry) | Munich IT dept (#328) identifies this. Registries are essential to container supply chain. |
| Project management (OpenProject, Redmine) | Issue #428 notes the Atlassian Data Center licence end as a sovereignty pressure point. |
| Certificate management (cert-manager) | Multiple issues. Critical for TLS/PKI lifecycle. |
| Distributed storage (Ceph) | Underlies OpenStack and Kubernetes storage. |
| Accessibility testing tools | Identified in #475 and our compliance doc but not in gap analysis. |
| Sovereign app distribution | Issue #500 (F-Droid). GrapheneOS and LineageOS from the same issue are out of scope -- most government users cannot flash custom ROMs onto managed devices, and mobile OS choice is not a government technology stack responsibility. F-Droid as an app store alternative remains relevant. |
-
Issue triage is minimal -- and that is a contradiction. Of 707 open issues, very few have labels or assignees. The D-Stack actively solicited this feedback: two public consultation rounds invited developers, government agencies, and industry associations to contribute. The Beteiligung page explicitly encourages participation. The result is 707 issues that are demonstrably not being processed. Bug reports like the "NQdrant" typo (#77) sit open for 5+ months. Misclassifications like PostgreSQL (#542) sit open for 3+ months. The private landscape repo (#24, #48, #99) has been reported three times over 5 months without resolution -- and a team member's response ("works for me") suggests the report was not understood. Asking for input and then not processing it is worse than not asking at all: it erodes the trust of the practitioners the D-Stack depends on for legitimacy. If the team lacks capacity to triage, it should say so publicly and set expectations rather than letting issues accumulate silently.
-
The landscape repo being private contradicts stated principles. The D-Stack mandates open source preference and transparency, yet its own landscape tool is not publicly accessible.
-
The consultation process is issue-heavy. The feedback form auto-generates issues, creating volume that may be difficult to process. Multiple organisations have noted this concern.
-
The LICENSE file is empty. The
d-stack-homerepo has an emptyLICENSEfile, meaning the content has no explicit open-source licence. Issue #749 asks about the logo licence specifically. -
The MPK deadline of 31 March 2026 is imminent. Standards and governance were to be established by this date. The criteria are still self-described as "only orientation" and not suitable for automated compliance assessment.