managing dependencies is more than running composer update
play

Managing dependencies is more than running composer update Nils - PowerPoint PPT Presentation

Oct 25, 2022 •197 likes •533 views

Managing dependencies is more than running composer update Nils Adermann @naderman Private Packagist https://packagist.com What are Dependencies? - Services - APIs - Client-side Integrations (OAuth / External JS / Analytics / )

  1. Managing dependencies is more than running “composer update” Nils Adermann @naderman Private Packagist https://packagist.com

  2. What are Dependencies? - Services - APIs - Client-side Integrations (OAuth / External JS / Analytics / …) - Software - Libraries - Programs / Tools - External Assets Nils Adermann @naderman

  3. What is Dependency Management? - Assembly - Dependency Change Management - Risk Analysis & Reduction May happen at build time or at runtime Nils Adermann @naderman

  4. Dependency Assembly - Installation of Libraries, Tools, etc. - composer install - apt-get install foo - Application of Configuration Management (Puppet, Chef, Ansible, Salt, …) - Configuration for Connections to Services, external APIs - Authentication - Glue Code - Connection to Services (usually at Runtime) Nils Adermann @naderman

  5. Dependency Assembly Past: - Step-by-Step installation instructions - Readmes, Delete and reinstall individual packages Today: - Description of a system state (e.g. composer.json, top.sls) - Tools to move the system into the state (e.g. composer, salt) Nils Adermann @naderman

  6. Dependency Change Management - Dependency Change - Adding, Removing, Updating, Replacing of Libraries - Replacing APIs - composer update - Dependency Change Management - Balance Risks, Consequences, Cost & Advantages - Architecture Decisions which enable “Change” - Example: Abstraction to replace concrete service Nils Adermann @naderman

  7. Risk Analysis: Availability Affects Assembly Examples: - Open Source Library deleted - Payment Service unavailable - EU VATId Service out of order - Jenkins not accessible Nils Adermann @naderman

  8. Risk Reduction: Availability - Software is available when you have a copy - composer cache - Forks - Private Packagist or Satis - Services are available depending on external factors - Can the service be called asynchronously? - e.g. run VATId check after payment - e.g. Private Packagist inits package in worker, no GitHub access in controller - Are errors clearly presented to users? - e.g. low timeouts, error messages when external Service X not available Nils Adermann @naderman

  9. Risk Analysis: Compatibility Affects Change Management Examples: - BC Break in Library Update - API Semantics change: - Payment API no longer supports credit card tokens, only payment tokens valid for Apple Pay etc., too Nils Adermann @naderman

  10. Risk Reduction: (New) Dependencies Quality Criteria for software libraries (and services) - Number of Maintainers / Developers - Actively Developed? - How many users? - Packagist shows installation count - Where is a library being installed from? - GitHub, self-hosted svn server? -> Availability - Alternatives / how easy to replace? Complexity? - Could you take over maintenance? Nils Adermann @naderman

  11. Risk Reduction: Compatibility Semantic Versioning (Semver) promises Compatibility x .y.z - Must be used consistently - Only valuable if BC/Compatibility promise formalized - See http://symfony.com/doc/current/contributing/code/bc.html - Otherwise choose narrower Version Constraints, check more frequently - e.g. ~1.2.3 instead of ^1.2.3 Nils Adermann @naderman

  12. Risk Reduction: Compatibility - Automated - Tests - Static Analysis - Manual - Read Changelogs (and write them!) - Experience which libraries break BC Nils Adermann @naderman

  13. Risk Reduction: Compatibility - “composer update” - no isolation of problems unless run very frequently - “composer update <package...>” - explicit conscious updates - “composer update --dry-run [<package...>]” - Understanding and preparing effects of updates Nils Adermann @naderman

  14. How do partial updates work? { “name”: “zebra/zebra”, “require”: { “horse/horse”: “^1.0” }} { “name”: “giraffe/giraffe”, “require”: { “duck/duck”: “^1.0” }} Nils Adermann @naderman

  15. How do partial updates work? { “name”: “horse/horse”, “require”: { “giraffe/giraffe”: “^1.0” }} { “name”: “duck/duck”, “require”: {}} Nils Adermann @naderman

  16. How do partial updates work? { “name”: “my-project”, “require”: { “zebra/zebra”: “^1.0”, “giraffe/giraffe”: “^1.0” } } Nils Adermann @naderman

  17. How do partial updates work? zebra 1.0 horse 1.0 Project giraffe 1.0 duck 1.0 Now each package releases 1.1 Nils Adermann @naderman

  18. How do partial updates work? zebra 1.1 horse 1.0 Project giraffe 1.0 duck 1.0 $ composer update --dry-run zebra/zebra Updating zebra/zebra (1.0 -> 1.1) Nils Adermann @naderman

  19. How do partial updates work? zebra 1.1 horse 1.0 Project giraffe 1.0 duck 1.0 $ composer update --dry-run zebra/zebra --with-dependencies Updating horse/horse (1.0 -> 1.1) Updating zebra/zebra (1.0 -> 1.1) Nils Adermann @naderman

  20. How do partial updates work? zebra 1.1 horse 1.0 Project giraffe 1.0 duck 1.0 $ composer update --dry-run zebra/zebra giraffe/giraffe Updating zebra/zebra (1.0 -> 1.1) Updating giraffe/giraffe (1.0 -> 1.1) Nils Adermann @naderman

  21. How do partial updates work? zebra 1.1 horse 1.0 Project giraffe 1.0 duck 1.0 $ composer update zebra/zebra giraffe/giraffe --with-dependencies Updating duck/duck (1.0 -> 1.1) Updating giraffe/giraffe (1.0 -> 1.1) Updating horse/horse (1.0 -> 1.1) Updating zebra/zebra (1.0 -> 1.1) Nils Adermann @naderman

  22. The Lock File - Contents - all dependencies including transitive dependencies - Exact version for every package - download URLs (source, dist, mirrors) - Hashes of files - Purpose - Reproducibility across teams, users and servers - Isolation of bug reports to code vs. potential dependency breaks - Transparency through explicit updating process Nils Adermann @naderman

  23. Commit The Lock File - If you don’t - composer install without a lock file is a composer update - Affects Assembly - Conflict can randomly occur on install - You may not get the same code - You no longer manage change Change is managing you! - The lock file exists to be commited! Nils Adermann @naderman

  24. How to resolve lock merge conflicts? - composer.lock cannot be merged without conflicts - contains hash over relevant composer.json values - git checkout <refspec> -- composer.lock git checkout master -- composer.lock - - Repeat: composer update <list of deps> - Store parameters in commit message - Separate commit for the lock file update Nils Adermann @naderman

  25. How to resolve lock merge conflicts? Project Project zebra 1.0 giraffe 1.0 zebra 1.0 giraffe 1.0 Nils Adermann @naderman

  26. How to resolve lock merge conflicts? Project Project zebra 1.1 giraffe 1.0 zebra 1.0 giraffe 1.2 duck 1.0 duck 2.0 Nils Adermann @naderman

  27. How to resolve lock merge conflicts? Project Project zebra 1.1 giraffe 1.2 zebra 1.1 giraffe 1.2 duck 1.0 duck 2.0 duck 2.0 Merge results in invalid dependencies Rerunning update is safe Nils Adermann @naderman

  28. Risk Analysis: Compliance / Legal Affects Change Management Examples: - Viral Copy-Left License not compatible with proprietary product - Terms of Service - May I use an API for my services? Cloudflare / packagist.org - How much time do I have when a supplier terminates the service? - SLA with sufficient support? Nils Adermann @naderman

  29. Risk Minimization: Compliance / Legal - Software dependency license must fit product license or customer requirements - composer licenses - Private Packagist License Review - Terms of Service / SLA / Contracts - Criteria for selection - Negotiable - Strong dependencies justify financial expenses to create security Nils Adermann @naderman

  30. Assessing & Managing Risk - Formulate a Plan B - Identify problems which are probable and which have great effects - Dependencies are great! They can save tons of money and time - Only spend resources on reducing risk until the risk is acceptable Nils Adermann @naderman

  31. Summary - composer update [--dry-run] <package> - Have a plan B - git checkout <branch> -- composer.lock - Don’t waste resources on potential - Formalize BC promises for users of your problems which are unlikely to occur or libraries have insignificant effects - SemVer: Don’t be afraid to increase the - Dependencies are great! major version Benefit usually greater than cost - Document changes to dependencies Developers must consider dependency management from a business perspective Business / Management must not ignore risk from software dependencies Nils Adermann @naderman

  32. Thank you! Questions / Feedback? E-Mail: n.adermann@packagist.com Twitter: @naderman Feedback: https://joind.in/talk/f8b7e

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Managing dependencies is more than running composer update Nils Adermann @naderman

Managing dependencies is more than running composer update Nils Adermann @naderman

Managing dependencies is more than running composer update Nils Adermann @naderman Private Packagist https://packagist.com What are Dependencies? - Services - APIs - Client-side Integrations (OAuth / External JS / Analytics / )

569 views • 37 slides
composer.lock demystified Nils Adermann @naderman Private Packagist https://packagist.com

composer.lock demystified Nils Adermann @naderman Private Packagist https://packagist.com

composer.lock demystified Nils Adermann @naderman Private Packagist https://packagist.com composer.lock - Contents - all dependencies including transitive dependencies - all metadata (name, description, require, autoload, extra, ) -

497 views • 12 slides
Managing Dependencies and Runtime Security ActiveState Deminar Managing Dependencies and

Managing Dependencies and Runtime Security ActiveState Deminar Managing Dependencies and

Managing Dependencies and Runtime Security ActiveState Deminar Managing Dependencies and Runtime Security About ActiveState Track-record: 97% of Fortune 1000, 20+ years open source Polyglot: 5 languages - Python, Perl, Tcl, Go, Ruby

727 views • 47 slides
Task Dependencies: ant Steven J Zeil February 25, 2013 Task Dependencies: ant Outline

Task Dependencies: ant Steven J Zeil February 25, 2013 Task Dependencies: ant Outline

Task Dependencies: ant Task Dependencies: ant Steven J Zeil February 25, 2013 Task Dependencies: ant Outline The ant Command 1 Build Files 2 Targets Properties File Sets and Lists Path Sets Filters Tasks Case Studies 3

807 views • 59 slides
Demystifying Composer David Hernandez FFW, ffwagency.com Drupal.org: davidhernandez Full

Demystifying Composer David Hernandez FFW, ffwagency.com Drupal.org: davidhernandez Full

Demystifying Composer David Hernandez FFW, ffwagency.com Drupal.org: davidhernandez Full Tutorial https://github.com/david-hernandez/composer-tutorial Why Composer? Builds modern PHP applications https://packagist.org/ Drupal 8

608 views • 33 slides
Brought to you by... What is... Server for running and managing Linux containers. What are

Brought to you by... What is... Server for running and managing Linux containers. What are

in the belly of the Brought to you by... What is... Server for running and managing Linux containers. What are Linux containers? Para-virtualized Linux instances. Why not regular virtualization? slooooooow gigantic images

788 views • 34 slides
Running an SME on Debian or Managing Debian across the whole fleet Apollon Oikonomopoulos

Running an SME on Debian or Managing Debian across the whole fleet Apollon Oikonomopoulos

apoikos@debian.org Running an SME on Debian or Managing Debian across the whole fleet Apollon Oikonomopoulos DebConf16 - Cape Town 2016-07-04 Outline Introduction Installation Configuration management Package management People 2/26

697 views • 27 slides
Normalization Redundancy causes several anomalies : insert, delete and update

Normalization Redundancy causes several anomalies : insert, delete and update

What and Why Normalization? To remove potential redundancy in design Normalization Redundancy causes several anomalies : insert, delete and update Normalization uses concept of dependencies Functional Dependencies Idea used:

73 views • 5 slides
Airglow CI/CD: Github to Composer (easy as 1, 2, 3 ) Speaker: Jake Ferriero Email:

Airglow CI/CD: Github to Composer (easy as 1, 2, 3 ) Speaker: Jake Ferriero Email:

Airglow CI/CD: Github to Composer (easy as 1, 2, 3 ) Speaker: Jake Ferriero Email: jferriero@google.com Github: jaketf@ Source: https://github.com/jaketf/ci-cd-for-data-processing-workflow July 2020 0 Composer Basics Airglow Architecture

430 views • 20 slides
Building stuff with monadic dependencies + unchanging dependencies + polymorphic dependencies +

Building stuff with monadic dependencies + unchanging dependencies + polymorphic dependencies +

Building stuff with monadic dependencies + unchanging dependencies + polymorphic dependencies + abstraction Neil Mitchell http://nmitchell.co.uk Building stuff with Shake Neil Mitchell http://shakebuild.com What is Shake? A Haskell

813 views • 49 slides
Managing the Hydra: Successfully Running Multiple Projects in a Videogame Studio Dr. Greg Zeschuk

Managing the Hydra: Successfully Running Multiple Projects in a Videogame Studio Dr. Greg Zeschuk

Managing the Hydra: Successfully Running Multiple Projects in a Videogame Studio Dr. Greg Zeschuk and Dr. Ray Muzyka Joint CEOs and Co-Executive Producers, BioWare Corp. This talk examines some of the different options available in forming a

73 views • 6 slides
Towards Triaging Code-Smell Candidates via Runtime Scenarios and Method-Call Dependencies

Towards Triaging Code-Smell Candidates via Runtime Scenarios and Method-Call Dependencies

Ninth International Workshop on Managing Technical Debt (MTD 2017) Towards Triaging Code-Smell Candidates via Runtime Scenarios and Method-Call Dependencies Thorsten Haendler, Stefan Sobernig, and Mark Strembeck Vienna University of Economics

286 views • 13 slides
Dependencies and Hazards Lecture 17 CS301 Data Dependencies We want to keep the pipeline

Dependencies and Hazards Lecture 17 CS301 Data Dependencies We want to keep the pipeline

Dependencies and Hazards Lecture 17 CS301 Data Dependencies We want to keep the pipeline completing an instruction every cycle When a later instruction depends on the result of an earlier instruction, stalls happen There are 3

1.35k views • 122 slides
Continuous Updating How do you keep track of your LIBRARIES? How many DEPENDENCIES do you have

Continuous Updating How do you keep track of your LIBRARIES? How many DEPENDENCIES do you have

Continuous Updating How do you keep track of your LIBRARIES? How many DEPENDENCIES do you have in your project? Which LICENSES are your dependencies using? You dont know? Goldman Sachs sent a brilliant computer scientist to JAIL ! GPL

529 views • 42 slides
Running and Managing Oracle Databases on OpenVMS (Apr 2016) Maklee Engineering Christian

Running and Managing Oracle Databases on OpenVMS (Apr 2016) Maklee Engineering Christian

Running and Managing Oracle Databases on OpenVMS (Apr 2016) Maklee Engineering Christian Moser Chief Technology Officer cmos@maklee.com Agenda Oracle 11g on OpenVMS Configuration and Tuning Performance monitoring tools Oracle

637 views • 39 slides
INTRO Just a brief introduction for those who may not be familiar with my work. I am a composer /

INTRO Just a brief introduction for those who may not be familiar with my work. I am a composer /

INTRO Just a brief introduction for those who may not be familiar with my work. I am a composer / producer and over the past 10 years I have been focusing primarily on the international export pitching my productions to major festival,

412 views • 3 slides
Camden Unweighted undirected k-spanners Peleg and Ullman 1987 Input: An undirected graph

Camden Unweighted undirected k-spanners Peleg and Ullman 1987 Input: An undirected graph

A survey on approximating graph spanners Guy Kortsarz, Rutgers Camden Unweighted undirected k-spanners Peleg and Ullman 1987 Input: An undirected graph G(V,E) and an integer k Required: a subgraph G so that for every u and v V:

650 views • 44 slides
Dictionaries CSSE 120 Rose Hulman Institute of Technology Data Collections Frequently

Dictionaries CSSE 120 Rose Hulman Institute of Technology Data Collections Frequently

Dictionaries CSSE 120 Rose Hulman Institute of Technology Data Collections Frequently several individual pieces of data are related We can collect them together in one object Examples: A list or tuple contains an ordered

111 views • 7 slides
The 2006 PASCAL Visual Object Classes Challenge Mark Everingham Luc Van Gool Chris Williams

The 2006 PASCAL Visual Object Classes Challenge Mark Everingham Luc Van Gool Chris Williams

The 2006 PASCAL Visual Object Classes Challenge Mark Everingham Luc Van Gool Chris Williams Andrew Zisserman Challenge Ten object classes bicycle, bus, car, cat, cow, dog, horse, motorbike, person, sheep Classification

1.22k views • 88 slides
4/30/2018 Massachusetts School Building Authority (MSBA) Story of a Building Norfolk County

4/30/2018 Massachusetts School Building Authority (MSBA) Story of a Building Norfolk County

4/30/2018 Massachusetts School Building Authority (MSBA) Story of a Building Norfolk County Agricultural High School May 1, 2018 MEET THE PANEL TUROWSKI2 ARCHITECTURE, INC. Peter J. Turowski PrincipalInCharge Role and

454 views • 26 slides
Direct or Indirect Match? Selecting Right Concepts for Zero-Example Case Speaker: Yi-Jie Lu

Direct or Indirect Match? Selecting Right Concepts for Zero-Example Case Speaker: Yi-Jie Lu

Direct or Indirect Match? Selecting Right Concepts for Zero-Example Case Speaker: Yi-Jie Lu Yi-Jie Lu 1 , Maaike de Boer 2,3 , Hao Zhang 1 , Klamer Schutte 2 , Wessel Kraaij 2,3 , Chong-Wah Ngo 1 1 VIREO Group, City University of Hong Kong, Hong

487 views • 26 slides
Practical Promises As opposed to impractical promises 1 what is asynchronous code? Asynchronous

Practical Promises As opposed to impractical promises 1 what is asynchronous code? Asynchronous

Practical Promises As opposed to impractical promises 1 what is asynchronous code? Asynchronous (aka async ) just means: takes some time or happens in the future, not right now and JavaScript won't wait for it. 3 what is

277 views • 27 slides
September 25 - Increasing Park Access &amp; Amusements The Gift That Altered the Parks

September 25 - Increasing Park Access &amp; Amusements The Gift That Altered the Parks

t o r y o f A H i s Golden Gate Park Fromm Institute - Fall 2019 - John Freeman September 25 - Increasing Park Access &amp; Amusements The Gift That Altered the Parks Original Concept Gifted: 1877, Completed: 1878-9 James Lick

180 views • 14 slides
Towards Robust Detection of Adversarial Examples Tianyu Pang, Chao Du, Yinpeng Dong

Towards Robust Detection of Adversarial Examples Tianyu Pang, Chao Du, Yinpeng Dong

Towards Robust Detection of Adversarial Examples Tianyu Pang, Chao Du, Yinpeng Dong and Jun Zhu Department of Computer Science and Technology Tsinghua University TSAIL NeurIPS | 2018 Adversarial Examples From

590 views • 10 slides

More recommend