managing dependencies is more than running composer update
play

Managing dependencies is more than running composer update Nils - PowerPoint PPT Presentation

Oct 25, 2022 •197 likes •533 views

Managing dependencies is more than running composer update Nils Adermann @naderman Private Packagist https://packagist.com What are Dependencies? - Services - APIs - Client-side Integrations (OAuth / External JS / Analytics / )

  1. Managing dependencies is more than running “composer update” Nils Adermann @naderman Private Packagist https://packagist.com

  2. What are Dependencies? - Services - APIs - Client-side Integrations (OAuth / External JS / Analytics / …) - Software - Libraries - Programs / Tools - External Assets Nils Adermann @naderman

  3. What is Dependency Management? - Assembly - Dependency Change Management - Risk Analysis & Reduction May happen at build time or at runtime Nils Adermann @naderman

  4. Dependency Assembly - Installation of Libraries, Tools, etc. - composer install - apt-get install foo - Application of Configuration Management (Puppet, Chef, Ansible, Salt, …) - Configuration for Connections to Services, external APIs - Authentication - Glue Code - Connection to Services (usually at Runtime) Nils Adermann @naderman

  5. Dependency Assembly Past: - Step-by-Step installation instructions - Readmes, Delete and reinstall individual packages Today: - Description of a system state (e.g. composer.json, top.sls) - Tools to move the system into the state (e.g. composer, salt) Nils Adermann @naderman

  6. Dependency Change Management - Dependency Change - Adding, Removing, Updating, Replacing of Libraries - Replacing APIs - composer update - Dependency Change Management - Balance Risks, Consequences, Cost & Advantages - Architecture Decisions which enable “Change” - Example: Abstraction to replace concrete service Nils Adermann @naderman

  7. Risk Analysis: Availability Affects Assembly Examples: - Open Source Library deleted - Payment Service unavailable - EU VATId Service out of order - Jenkins not accessible Nils Adermann @naderman

  8. Risk Reduction: Availability - Software is available when you have a copy - composer cache - Forks - Private Packagist or Satis - Services are available depending on external factors - Can the service be called asynchronously? - e.g. run VATId check after payment - e.g. Private Packagist inits package in worker, no GitHub access in controller - Are errors clearly presented to users? - e.g. low timeouts, error messages when external Service X not available Nils Adermann @naderman

  9. Risk Analysis: Compatibility Affects Change Management Examples: - BC Break in Library Update - API Semantics change: - Payment API no longer supports credit card tokens, only payment tokens valid for Apple Pay etc., too Nils Adermann @naderman

  10. Risk Reduction: (New) Dependencies Quality Criteria for software libraries (and services) - Number of Maintainers / Developers - Actively Developed? - How many users? - Packagist shows installation count - Where is a library being installed from? - GitHub, self-hosted svn server? -> Availability - Alternatives / how easy to replace? Complexity? - Could you take over maintenance? Nils Adermann @naderman

  11. Risk Reduction: Compatibility Semantic Versioning (Semver) promises Compatibility x .y.z - Must be used consistently - Only valuable if BC/Compatibility promise formalized - See http://symfony.com/doc/current/contributing/code/bc.html - Otherwise choose narrower Version Constraints, check more frequently - e.g. ~1.2.3 instead of ^1.2.3 Nils Adermann @naderman

  12. Risk Reduction: Compatibility - Automated - Tests - Static Analysis - Manual - Read Changelogs (and write them!) - Experience which libraries break BC Nils Adermann @naderman

  13. Risk Reduction: Compatibility - “composer update” - no isolation of problems unless run very frequently - “composer update <package...>” - explicit conscious updates - “composer update --dry-run [<package...>]” - Understanding and preparing effects of updates Nils Adermann @naderman

  14. How do partial updates work? { “name”: “zebra/zebra”, “require”: { “horse/horse”: “^1.0” }} { “name”: “giraffe/giraffe”, “require”: { “duck/duck”: “^1.0” }} Nils Adermann @naderman

  15. How do partial updates work? { “name”: “horse/horse”, “require”: { “giraffe/giraffe”: “^1.0” }} { “name”: “duck/duck”, “require”: {}} Nils Adermann @naderman

  16. How do partial updates work? { “name”: “my-project”, “require”: { “zebra/zebra”: “^1.0”, “giraffe/giraffe”: “^1.0” } } Nils Adermann @naderman

  17. How do partial updates work? zebra 1.0 horse 1.0 Project giraffe 1.0 duck 1.0 Now each package releases 1.1 Nils Adermann @naderman

  18. How do partial updates work? zebra 1.1 horse 1.0 Project giraffe 1.0 duck 1.0 $ composer update --dry-run zebra/zebra Updating zebra/zebra (1.0 -> 1.1) Nils Adermann @naderman

  19. How do partial updates work? zebra 1.1 horse 1.0 Project giraffe 1.0 duck 1.0 $ composer update --dry-run zebra/zebra --with-dependencies Updating horse/horse (1.0 -> 1.1) Updating zebra/zebra (1.0 -> 1.1) Nils Adermann @naderman

  20. How do partial updates work? zebra 1.1 horse 1.0 Project giraffe 1.0 duck 1.0 $ composer update --dry-run zebra/zebra giraffe/giraffe Updating zebra/zebra (1.0 -> 1.1) Updating giraffe/giraffe (1.0 -> 1.1) Nils Adermann @naderman

  21. How do partial updates work? zebra 1.1 horse 1.0 Project giraffe 1.0 duck 1.0 $ composer update zebra/zebra giraffe/giraffe --with-dependencies Updating duck/duck (1.0 -> 1.1) Updating giraffe/giraffe (1.0 -> 1.1) Updating horse/horse (1.0 -> 1.1) Updating zebra/zebra (1.0 -> 1.1) Nils Adermann @naderman

  22. The Lock File - Contents - all dependencies including transitive dependencies - Exact version for every package - download URLs (source, dist, mirrors) - Hashes of files - Purpose - Reproducibility across teams, users and servers - Isolation of bug reports to code vs. potential dependency breaks - Transparency through explicit updating process Nils Adermann @naderman

  23. Commit The Lock File - If you don’t - composer install without a lock file is a composer update - Affects Assembly - Conflict can randomly occur on install - You may not get the same code - You no longer manage change Change is managing you! - The lock file exists to be commited! Nils Adermann @naderman

  24. How to resolve lock merge conflicts? - composer.lock cannot be merged without conflicts - contains hash over relevant composer.json values - git checkout <refspec> -- composer.lock git checkout master -- composer.lock - - Repeat: composer update <list of deps> - Store parameters in commit message - Separate commit for the lock file update Nils Adermann @naderman

  25. How to resolve lock merge conflicts? Project Project zebra 1.0 giraffe 1.0 zebra 1.0 giraffe 1.0 Nils Adermann @naderman

  26. How to resolve lock merge conflicts? Project Project zebra 1.1 giraffe 1.0 zebra 1.0 giraffe 1.2 duck 1.0 duck 2.0 Nils Adermann @naderman

  27. How to resolve lock merge conflicts? Project Project zebra 1.1 giraffe 1.2 zebra 1.1 giraffe 1.2 duck 1.0 duck 2.0 duck 2.0 Merge results in invalid dependencies Rerunning update is safe Nils Adermann @naderman

  28. Risk Analysis: Compliance / Legal Affects Change Management Examples: - Viral Copy-Left License not compatible with proprietary product - Terms of Service - May I use an API for my services? Cloudflare / packagist.org - How much time do I have when a supplier terminates the service? - SLA with sufficient support? Nils Adermann @naderman

  29. Risk Minimization: Compliance / Legal - Software dependency license must fit product license or customer requirements - composer licenses - Private Packagist License Review - Terms of Service / SLA / Contracts - Criteria for selection - Negotiable - Strong dependencies justify financial expenses to create security Nils Adermann @naderman

  30. Assessing & Managing Risk - Formulate a Plan B - Identify problems which are probable and which have great effects - Dependencies are great! They can save tons of money and time - Only spend resources on reducing risk until the risk is acceptable Nils Adermann @naderman

  31. Summary - composer update [--dry-run] <package> - Have a plan B - git checkout <branch> -- composer.lock - Don’t waste resources on potential - Formalize BC promises for users of your problems which are unlikely to occur or libraries have insignificant effects - SemVer: Don’t be afraid to increase the - Dependencies are great! major version Benefit usually greater than cost - Document changes to dependencies Developers must consider dependency management from a business perspective Business / Management must not ignore risk from software dependencies Nils Adermann @naderman

  32. Thank you! Questions / Feedback? E-Mail: n.adermann@packagist.com Twitter: @naderman Feedback: https://joind.in/talk/f8b7e

Recommend

Managing dependencies is more than running composer update Nils Adermann @naderman

Managing dependencies is more than running composer update Nils Adermann @naderman

Managing dependencies is more than running composer update Nils Adermann @naderman Private Packagist https://packagist.com What are Dependencies? - Services - APIs - Client-side Integrations (OAuth / External JS / Analytics / )

569 views • 37 slides
composer.lock demystified Nils Adermann @naderman Private Packagist https://packagist.com

composer.lock demystified Nils Adermann @naderman Private Packagist https://packagist.com

composer.lock demystified Nils Adermann @naderman Private Packagist https://packagist.com composer.lock - Contents - all dependencies including transitive dependencies - all metadata (name, description, require, autoload, extra, ) -

497 views • 12 slides
Managing Dependencies and Runtime Security ActiveState Deminar Managing Dependencies and

Managing Dependencies and Runtime Security ActiveState Deminar Managing Dependencies and

Managing Dependencies and Runtime Security ActiveState Deminar Managing Dependencies and Runtime Security About ActiveState Track-record: 97% of Fortune 1000, 20+ years open source Polyglot: 5 languages - Python, Perl, Tcl, Go, Ruby

727 views • 47 slides
Task Dependencies: ant Steven J Zeil February 25, 2013 Task Dependencies: ant Outline

Task Dependencies: ant Steven J Zeil February 25, 2013 Task Dependencies: ant Outline

Task Dependencies: ant Task Dependencies: ant Steven J Zeil February 25, 2013 Task Dependencies: ant Outline The ant Command 1 Build Files 2 Targets Properties File Sets and Lists Path Sets Filters Tasks Case Studies 3

807 views • 59 slides
Demystifying Composer David Hernandez FFW, ffwagency.com Drupal.org: davidhernandez Full

Demystifying Composer David Hernandez FFW, ffwagency.com Drupal.org: davidhernandez Full

Demystifying Composer David Hernandez FFW, ffwagency.com Drupal.org: davidhernandez Full Tutorial https://github.com/david-hernandez/composer-tutorial Why Composer? Builds modern PHP applications https://packagist.org/ Drupal 8

608 views • 33 slides
Brought to you by... What is... Server for running and managing Linux containers. What are

Brought to you by... What is... Server for running and managing Linux containers. What are

in the belly of the Brought to you by... What is... Server for running and managing Linux containers. What are Linux containers? Para-virtualized Linux instances. Why not regular virtualization? slooooooow gigantic images

788 views • 34 slides
Running an SME on Debian or Managing Debian across the whole fleet Apollon Oikonomopoulos

Running an SME on Debian or Managing Debian across the whole fleet Apollon Oikonomopoulos

apoikos@debian.org Running an SME on Debian or Managing Debian across the whole fleet Apollon Oikonomopoulos DebConf16 - Cape Town 2016-07-04 Outline Introduction Installation Configuration management Package management People 2/26

697 views • 27 slides
Normalization Redundancy causes several anomalies : insert, delete and update

Normalization Redundancy causes several anomalies : insert, delete and update

What and Why Normalization? To remove potential redundancy in design Normalization Redundancy causes several anomalies : insert, delete and update Normalization uses concept of dependencies Functional Dependencies Idea used:

73 views • 5 slides
Airglow CI/CD: Github to Composer (easy as 1, 2, 3 ) Speaker: Jake Ferriero Email:

Airglow CI/CD: Github to Composer (easy as 1, 2, 3 ) Speaker: Jake Ferriero Email:

Airglow CI/CD: Github to Composer (easy as 1, 2, 3 ) Speaker: Jake Ferriero Email: jferriero@google.com Github: jaketf@ Source: https://github.com/jaketf/ci-cd-for-data-processing-workflow July 2020 0 Composer Basics Airglow Architecture

430 views • 20 slides
Building stuff with monadic dependencies + unchanging dependencies + polymorphic dependencies +

Building stuff with monadic dependencies + unchanging dependencies + polymorphic dependencies +

Building stuff with monadic dependencies + unchanging dependencies + polymorphic dependencies + abstraction Neil Mitchell http://nmitchell.co.uk Building stuff with Shake Neil Mitchell http://shakebuild.com What is Shake? A Haskell

813 views • 49 slides
Managing the Hydra: Successfully Running Multiple Projects in a Videogame Studio Dr. Greg Zeschuk

Managing the Hydra: Successfully Running Multiple Projects in a Videogame Studio Dr. Greg Zeschuk

Managing the Hydra: Successfully Running Multiple Projects in a Videogame Studio Dr. Greg Zeschuk and Dr. Ray Muzyka Joint CEOs and Co-Executive Producers, BioWare Corp. This talk examines some of the different options available in forming a

73 views • 6 slides
Towards Triaging Code-Smell Candidates via Runtime Scenarios and Method-Call Dependencies

Towards Triaging Code-Smell Candidates via Runtime Scenarios and Method-Call Dependencies

Ninth International Workshop on Managing Technical Debt (MTD 2017) Towards Triaging Code-Smell Candidates via Runtime Scenarios and Method-Call Dependencies Thorsten Haendler, Stefan Sobernig, and Mark Strembeck Vienna University of Economics

286 views • 13 slides
Dependencies and Hazards Lecture 17 CS301 Data Dependencies We want to keep the pipeline

Dependencies and Hazards Lecture 17 CS301 Data Dependencies We want to keep the pipeline

Dependencies and Hazards Lecture 17 CS301 Data Dependencies We want to keep the pipeline completing an instruction every cycle When a later instruction depends on the result of an earlier instruction, stalls happen There are 3

1.35k views • 122 slides
Continuous Updating How do you keep track of your LIBRARIES? How many DEPENDENCIES do you have

Continuous Updating How do you keep track of your LIBRARIES? How many DEPENDENCIES do you have

Continuous Updating How do you keep track of your LIBRARIES? How many DEPENDENCIES do you have in your project? Which LICENSES are your dependencies using? You dont know? Goldman Sachs sent a brilliant computer scientist to JAIL ! GPL

529 views • 42 slides
Running and Managing Oracle Databases on OpenVMS (Apr 2016) Maklee Engineering Christian

Running and Managing Oracle Databases on OpenVMS (Apr 2016) Maklee Engineering Christian

Running and Managing Oracle Databases on OpenVMS (Apr 2016) Maklee Engineering Christian Moser Chief Technology Officer cmos@maklee.com Agenda Oracle 11g on OpenVMS Configuration and Tuning Performance monitoring tools Oracle

637 views • 39 slides
INTRO Just a brief introduction for those who may not be familiar with my work. I am a composer /

INTRO Just a brief introduction for those who may not be familiar with my work. I am a composer /

INTRO Just a brief introduction for those who may not be familiar with my work. I am a composer / producer and over the past 10 years I have been focusing primarily on the international export pitching my productions to major festival,

412 views • 3 slides
IQCS Update from MRS Debrah Harding Managing Director MRS Topics for Today - Update from MRS

IQCS Update from MRS Debrah Harding Managing Director MRS Topics for Today - Update from MRS

IQCS Update from MRS Debrah Harding Managing Director MRS Topics for Today - Update from MRS - New MRS initiatives for 2019/20: Launch of the MRS/AQR RAS Training Update to the MRS Code of Conduct Update to ISO 20252: 2019 Update on GDPR

351 views • 33 slides
Composer Best Practices Nils Adermann @naderman Private Packagist https://packagist.com

Composer Best Practices Nils Adermann @naderman Private Packagist https://packagist.com

Composer Best Practices Nils Adermann @naderman Private Packagist https://packagist.com Dependency Management - Dependency Management vs Package Management - System state vs installation/update instructions - Configuration Management -

843 views • 48 slides
Composer Best Practices 2018 Nils Adermann @naderman Private Packagist https://packagist.com

Composer Best Practices 2018 Nils Adermann @naderman Private Packagist https://packagist.com

Composer Best Practices 2018 Nils Adermann @naderman Private Packagist https://packagist.com 2018? Delete your lock files 2018? Delete your lock files Composer Ecosystem Reality Update 2018 Nils Adermann @naderman Best Practices? Nils

838 views • 68 slides
Dependencies in Interval- -valued valued Dependencies in Interval Symbolic Data Symbolic Data

Dependencies in Interval- -valued valued Dependencies in Interval Symbolic Data Symbolic Data

Dependencies in Interval- -valued valued Dependencies in Interval Symbolic Data Symbolic Data Lynne Billard University of Georgia lynne@stat.uga.edu Tribute to Professor Edwin Diday: Paris, France; 5 September 2007 Naturally occurring

635 views • 44 slides
IQCS AGM Update from MRS Debrah Harding Managing Director MRS Topics for Today - Update from

IQCS AGM Update from MRS Debrah Harding Managing Director MRS Topics for Today - Update from

IQCS AGM Update from MRS Debrah Harding Managing Director MRS Topics for Today - Update from MRS - New MRS initiatives for 2019/20: Launch of the MRS/AQR RAS Training Update to the MRS Code of Conduct Update to ISO 20252: 2019 Update on

539 views • 33 slides
SIP Operation in the Public Internet An Update on What Makes Running SIP a Challenge and What it

SIP Operation in the Public Internet An Update on What Makes Running SIP a Challenge and What it

SIP Operation in the Public Internet An Update on What Makes Running SIP a Challenge and What it Takes To Deal With It Jiri Kuthan, iptel.org sip:jiri@iptel.org Outline Status update: where iptel.orgs operational experience comes from

579 views • 25 slides
COMPOSER IN DRUPAL WORLD Johannes Haseitl - @derhasi ME Johannes Haseitl @derhasi everywhere

COMPOSER IN DRUPAL WORLD Johannes Haseitl - @derhasi ME Johannes Haseitl @derhasi everywhere

#drupaldevdays / Composer in Drupal World / @derhasi COMPOSER IN DRUPAL WORLD Johannes Haseitl - @derhasi ME Johannes Haseitl @derhasi everywhere Maintainer of Master Search API Override , , ... CEO of undpaul GmbH WHAT IS

820 views • 42 slides
Metadata composer for NeXus Jan Kota nski Deutsches Elektronen-Synchrotron Oct 8, 2017 Jan

Metadata composer for NeXus Jan Kota nski Deutsches Elektronen-Synchrotron Oct 8, 2017 Jan

Metadata composer for NeXus Jan Kota nski Deutsches Elektronen-Synchrotron Oct 8, 2017 Jan Kota nski (DESY) Metadata composer for NeXus Oct 8, 2017 1 / 13 Modular structure of the NeXus Framework Experimental Configuration Control

315 views • 13 slides

More recommend