Given that Composer can work with virtual packages in the provide section of the composer.json file, how are the versions of those virtual packages managed if no one holds responsibility for them?
I mean, if anyone can create an "evil" package stating that it provide-s a specific virtual package (for which there is no repo anywhere), then they can specify whatever version they like. This could perhaps collide with other "good" packages, right?
From my experience, this "virtual package" feature hasn't been widely used, and it definitely has its drawbacks due to the way it is currently implemented.
If you take a look at this search result on Packagist, you'll see the three top packages being psr/log (the real interface package), psr/log (a virtual package used by two other real packages, but in the wrong way) and psr/log-implementation (used by plenty of packages, including monolog/monolog).
This example illustrates that people will misunderstand this feature and do the wrong thing. You cannot provide psr/log because that is a real package that has a real interface definition. It makes even less sense to require psr/log and at the same time also provide it.
You also correctly spotted that there is no central entity that decides which versions of a virtual package should exist, let alone which virtual package names should exist. Which isn't that much of a problem because deciding on the names of real packages is done the same way: One developer thinks of a name, and that's all. It's unlikely that this procedure creates involuntary conflicts because usually the Github account name is used as the vendor name, and Github has already made them unique. Malicious conflicts don't really exist in the real world, as Jordi has pointed out in his blog, due to the general structure Composer uses to name packages.
Back to the virtual package feature: There are two blog postings discussing it.
The first explains using this feature with the example of the virtual psr/log-implementation package mentioned above. I won't replicate that tutorial-like text here.
The second (linked and replied to at the end of the first) discusses what's bad about the whole approach of virtual packages.
Some of the points:
1) Strictly speaking (as in, would the code compile), the code from the library itself doesn't need a package that provides psr/log-implementation. It just needs the LoggerInterface (which happens to be in the psr/log package).
4) psr/log-implementation, or any virtual package for that matter, is very problematic as a package. There is no definition of this virtual package. [...]
5) Some day, someone may decide to introduce another virtual package, called the-real-psr/log-implementation (they can easily do that, right?). Such packages may be completely exchangeable with existing psr/log-implementation packages, but in order to be useful, every existing PSR-3 compliant logger package needs to mention that virtual package too in their provide section. [...]
With all these problems and uncertainties existing for good packages, it is no surprise that they do not really use this feature very much.
However, you cannot abuse it for bad things in the way you outline in your question. Yes, any package can declare that it provides any other package. But just like it happened with psr/log, having a package declare that it provides another package will not magically make everyone download that package. The way it works is that a package declares it provides another package, and by requiring this package, the virtual package also gets included and will fulfill any dependencies of other packages on the virtual package.
But not requiring the package providing stuff will leave everything in it out of the equation.
In order to include bad software someone has to require it. This is best done as an indirect dependency of an innocent looking library, and requires the help of an unsuspecting developer that actively pulls this code without properly reviewing it.
Which probably is my central point for everything: If you pull someone's code into your own project, make sure you understand what that code does by reviewing it (which isn't only about malicious things, but also basic code quality, because some day you may be forced to debug a problem), or make sure you can trust that source enough not to do bad things to you. However, your own code base is not affected by packages you do not require (the last bug with such an effect was in handling replace information, but I can't find that issue right now).
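The reachability argument in the answer above, as an added example that is not Composer's own resolver and not part of the original post. It models only what the answer describes: a `provide` entry counts for nothing unless the package carrying it is itself reachable from the root `require` list, and a required name that is not a real package must be satisfied by some installed provider. Version constraints, conflict handling and the `replace` section are deliberately left out, and every package name below other than psr/log, psr/log-implementation and monolog/monolog is constructed for the example. The two audit helpers at the end flag the two misuses the answer points out: a package that "provides" a real package, and a package that both requires and provides the same name.

```python
from collections import deque

# Constructed package metadata (name -> require/provide lists), standing in for
# what Composer reads from each package's composer.json. No versions, no
# constraints: this models reachability only.
REPO = {
    "psr/log": {"require": [], "provide": []},
    # Real logger that declares it provides the virtual package.
    "monolog/monolog": {"require": ["psr/log"], "provide": ["psr/log-implementation"]},
    # Library that needs the interface plus some implementation of it.
    "some/library": {"require": ["psr/log", "psr/log-implementation"], "provide": []},
    # The misuse discussed above: requires psr/log and also claims to provide it.
    "confused/logger": {"require": ["psr/log"], "provide": ["psr/log"]},
    # Hypothetical stray package that claims to provide the virtual name.
    "evil/logger": {"require": [], "provide": ["psr/log-implementation"]},
}


def resolve(root_requires, repo=REPO):
    """Walk the root `require` list transitively.

    Returns (installed, unsatisfied): the set of real packages reachable from
    the root, and the set of required names that are neither real packages nor
    provided by an installed package (what Composer would report as unresolvable).
    """
    installed, virtual = set(), set()
    queue = deque(root_requires)
    while queue:
        name = queue.popleft()
        if name not in repo:          # not a real package: must be provided by something installed
            virtual.add(name)
            continue
        if name in installed:
            continue
        installed.add(name)
        queue.extend(repo[name]["require"])
    provided = {p for pkg in installed for p in repo[pkg]["provide"]}
    return installed, virtual - provided


def shadowed_real_packages(repo=REPO):
    """(package, provided_name) pairs where a package 'provides' a real package."""
    return sorted((pkg, p) for pkg, meta in repo.items() for p in meta["provide"] if p in repo)


def self_providing(repo=REPO):
    """Packages that both require and provide the same name (the psr/log misuse)."""
    return sorted(pkg for pkg, meta in repo.items() if set(meta["require"]) & set(meta["provide"]))


if __name__ == "__main__":
    # evil/logger is never pulled in just because it 'provides' the virtual name;
    # the requirement stays unsatisfied until a real provider is required.
    print(resolve(["some/library"]))
    print(resolve(["some/library", "monolog/monolog"]))
    print(shadowed_real_packages(), self_providing())
```

Run against a real project, the same two audit functions can be fed from composer.lock (each entry's `require` and `provide` keys) to find packages that claim to provide a name that is also a real dependency in the lock; that is the collision the question worries about, and it only matters for packages that are already installed.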
We currently have many office products and an embedded product. They all have the same version scheme: major.minor.build number.svn revision, with nightly and manual builds incrementing the build number.
From a development support front this makes it really easy to manage 'correct version', but the in-field support guys panic when one tool changes from v10 to v200 and we say there's no changes.
Are there any problems with this scheme (all in sync) that we are missing due to our love for it?
Update:
It's the build number that is increasing by leaps, the major minor are only changed on a yearly type scale.
The svn revision is the same for all files at time x, but nobody really pays that much attention to it.
All .exe's and .dll's etc. have the same X.Y.W.Z number. So the office product goes from 1.1.10.1234 to 1.1.132.4321 when we do lots of work on the embedded product.
I wouldn't really say this is an issue as long as they can easily look up the change log to see what's changed.
Logically thinking though, if no libraries have been updated in any of the products, nor have there been any changes to the product itself the version number should stay the same.
The only suggestion I could make is moving to a dated version number so that the major and minor versions don't change so rapidly. Something like 9.0417.yyyy.xxxx would be the 17th of April 2009 release with the build number of yyyy and xxxx as the svn revision. If you don't want to change the major number and want to keep the date in the minor you could use Microsoft's versioning style. There's a good blog article on how Microsoft do their versioning at http://blogs.msdn.com/jensenh/archive/2005/11/11/491779.aspx.
I've used an aggregate versioning scheme. So you say you have many products that each share the same revision number in the deployed field versions - I'm assuming this means that if you update your embedded libraries, which the office products do not use, the office products still get a new revision number, even though no code has changed in them.
So in an aggregate scheme, the SYSTEM has one big version number, and each sub system has its own. I'm using ClearCase notation because I don't know the terminology for the equivalent in svn: The top level component has all sub components under it in a hierarchy (think of a component as being like a folder with code in it, such that everything in that folder shares the same version, or "baseline", as ClearCase calls it).
If I make a new baseline (version) in a top level system component, it tags it with the new version, and all sub components get a new version also (possibly with a different versioning scheme), but only if they've changed.
We use a date-time baseline, and a "release number", for the top level system version. Then, each sub system has the major/minor/build/svn in it. Also, we don't show the svn and build number in the "about->help" or equivalent; only if you go deep into some "system config" file can you pull out the actual build/svn number (like, by looking at the metadata in the executable). That way, users only see the major/minor version, and not the gobbledygook of build and svn numbers.
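The aggregate scheme in the answer above, as an added example that is not the answerer's tooling and not part of the original post. It models the rule that matters for the question: the SYSTEM baseline (release number plus date-time stamp) always advances, but a sub-component's own build number only moves when one of its files changed since the previous baseline, so a burst of embedded work leaves the office products' versions untouched. The component layout, version numbers and changed-file list are constructed for the example; in practice the changed list would come from the version control system (e.g. `svn diff --summarize` between the last baseline tag and HEAD).

```python
from dataclasses import dataclass, field


@dataclass
class Component:
    name: str
    root: str      # directory this component owns (constructed layout)
    major: int
    minor: int
    build: int

    def version(self):
        return f"{self.major}.{self.minor}.{self.build}"


@dataclass
class Baseline:
    release: int                                   # system-level release number, always advances
    stamp: str                                     # date-time of the baseline
    versions: dict = field(default_factory=dict)   # component name -> version string


def owner_of(path, components):
    """Component whose root is the longest directory prefix of path, or None if unowned."""
    best = None
    for c in components:
        if path.startswith(c.root.rstrip("/") + "/"):
            if best is None or len(c.root) > len(best.root):
                best = c
    return best


def new_baseline(prev, components, changed_paths, stamp):
    """Advance the system release; bump only the components that own a changed path."""
    touched = set()
    for p in changed_paths:
        c = owner_of(p, components)
        if c is not None:
            touched.add(c.name)
    for c in components:
        if c.name in touched:
            c.build += 1
    return Baseline(prev.release + 1, stamp, {c.name: c.version() for c in components})


# Constructed sample: three components and a change set dominated by embedded work.
COMPONENTS = [
    Component("office", "src/office", 1, 1, 10),
    Component("embedded", "src/embedded", 3, 0, 132),
    Component("shared", "src/shared", 2, 4, 7),
]
CHANGED = ["src/embedded/motor.c", "src/shared/util.c", "docs/README.txt"]


def demo():
    """Cut a new baseline after the constructed change set; office stays at 1.1.10."""
    prev = Baseline(41, "2009-04-16T22:00")
    return new_baseline(prev, COMPONENTS, CHANGED, "2009-04-17T02:00")


if __name__ == "__main__":
    print(demo())
```

The per-component build number is what a support engineer sees in the about box; the baseline release number is what the build system and the svn tag record, so "the system changed" and "this product changed" stop being the same statement.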
I have been struggling with versioning software for a while now.
I'm not talking about a naming convention, I'm talking about how to actually apply a version in a build system all the way through to a release.
I generally use major.minor.maintenance-[release type]
i.e. 1.0.2-rc1
The problem is managing the version number. I've tried many ways (sticking it in a build file, a properties file, a database, etc,etc) but I haven't found anything that really works well.
The closest thing I came up with is using Jira which I documented here:
http://blog.sysbliss.com/uncategorized/release-management-with-atlassian-bamboo-and-jira.html
I'm wondering if anyone has any good ideas about this.
Also, wondering how people handle releasing a version.... i.e. If I release/deploy version 1.0.0-rc1 do bugs found in this release then get logged into 1.0.0 (the next/production release).
Microsoft uses <major>.<minor>.<patch>-<build number> (or a variation).
I like using <major>.<minor>.<buildnumber>
Where I'm working we use the Maven system: artifact[-major-minor-revision][-SNAPSHOT] which allows us to develop "in progress" versions that change at a moments notice (SNAPSHOT) and those which have been formally released. Some examples are:
email-services-1.0.0-SNAPSHOT.jar
email-web-2.3.11.war
crm-2.5.0.ear
If it has SNAPSHOT in it then it hasn't passed the full suite of tests or is just a developer experiment. If it doesn't have SNAPSHOT then it is a release candidate. We maintain a repository of release candidates and the most recent is sent for deployment once the testers are happy with it.
All of this can be managed with a few simple entries in a build file under Maven. See Maven2 tutorial
This is probably a dead post now, but I'll add my two cents anyway. I'm of the opinion that build numbers should mean something to everyone who sees them. So I personally think that this is a good way to name versions:
major.minor.patch.revision - e.g. 1.1.4.2342
Major/minor numbers are pretty self-explanatory. But from the perspective of the 3rd number, it still needs to mean something to the customer. I've released this new version to you, Mr. Customer, but it wasn't worth a new minor number since we just fixed some bugs. So we've incremented the patch number.
The 4th number usually means absolutely NOTHING to the customer, so you might as well make it useful to you and anyone else in your company who sees it. So for us, that number is the SVN revision number. It tells us exactly which revision was responsible for that version so that we can pull it out at any time to recreate it. Branching code obviously achieves this too, but not to 100% certainty.
Also, another advantage with an all-numeric version number is that it easily integrates into nearly every continuous build system.
Anyways, that's my two cents.
+1 on the Jira/Bamboo solution. The only additional information about the build I would include (for my purposes) is the Subversion Release, although the Tagging operation is 80% of what I want.
Manually maintaining the release/version information is a royal pain. Letting JIRA drive it is a great idea.
On the final question, about where bugs/defects get logged and releasing a version:
Defect/Issue is logged against the release where it appears. A defect in 1.0.0-rc1 gets logged against 1.0.0-rc1
JIRA has (or maybe we added) a 'Fix-For' field that would have the planned release, in this case 1.0.0
If the defect/issue is severe enough, it may be necessary to add another 'rc' release.
The release is made when there are no outstanding critical defects/issues and the customer (or management) agrees that any remaining issues can be deferred
The beauty of managing this through JIRA is that adding releases, generating change-logs, etc. is automated fairly well.
We also use <major>.<minor>.<buildnumber> and we manage this with CruiseControl(.Net) on our build server, and use WiX and the CruiseControl config to manage the major/minor numbers - we still increment those by hand, but the build number happens automatically on the build server. You could set up a rule to increment the major/minor automatically too, I believe - we just like to do that manually so that it takes conscious thinking by a dev when it is time to name a particular release level.
Major.Minor.BuildDateNumber.DailyBuildNumber
Major and Minor are set by us, manually incrementing them as we see fit.
BuildDateNumber is the number of months since the project start multiplied by 100, plus the day number of the current month.
DailyBuildNumber is incremented for every build after midnight each day, starting at zero.
E.g. 4th build of release 5.2 on 10 July, where the project started 1 Jan that year, would have version number
5.2.710.3
This is all calculated for us by the Version task in Nant.
This keeps the version numbers unique and also allows us to quickly calculate when an installation was built.
I've always assumed each number delineated by a period represented a single component of the software. If that's true, do they ever represent something different?
How should a version number be structured to start assigning versions to the different builds of my software? As an aside, my software has five distinct components.
In version 1.9.0.1:
1: Major revision (new UI, lots of new features, conceptual change, etc.)
9: Minor revision (maybe a change to a search box, 1 feature added, collection of bug fixes)
0: Bug fix release
1: Build number (if used)—that's why you see the .NET framework using something like 2.0.4.2709
You won't find a lot of apps going down to four levels, 3 is usually sufficient.
There is the Semantic Versioning specification
This is the summary of version 2.0.0:
Given a version number MAJOR.MINOR.PATCH, increment the:
MAJOR version when you make incompatible API changes,
MINOR version when you add functionality in a backwards-compatible manner, and
PATCH version when you make backwards-compatible bug fixes.
Additional labels for pre-release and build metadata are available as extensions to the MAJOR.MINOR.PATCH format.
It can be very arbitrary, and differs from product to product. For example, with the Ubuntu distribution, 8.04 refers to 2008.April
Typically the left most (major) numbers indicate a major release, and the further you go to the right, the smaller the change involved.
major.minor[.maintenance[.build]]
http://en.wikipedia.org/wiki/Software_versioning#Numeric
Numbers can be useful as described by other answers, but consider how they can also be rather meaningless... Sun, you know, SUN, Java: 1.2, 1.3, 1.4, 1.5 or 5, then 6.
In the good old Apple II version numbers Meant Something. Nowadays, people are giving up on version numbers and going with silly names like "Feisty fig" (or something like that) and "hardy heron" and "europa" and "ganymede". Of course this is far less useful because, you're going to run out of moons of jupiter before you stop changing the program, and since there's no obvious ordering you can't tell which is newer.
The more points, the more minor the release. There's no real solid standard beyond that - can mean different things based on what the project maintainers decide on.
WordPress, for example, goes along these lines:
1.6 -> 2.0 -> 2.0.1 -> 2.0.2 -> 2.1 -> 2.1.1 -> 2.2 ...
1.6 to 2.0 would be a big release - features, interface changes, major changes to the APIs, breakage of some 1.6 templates and plugins, etc.
2.0 to 2.0.1 would be a minor release - perhaps fixing a security bug.
2.0.2 to 2.1 would be a significant release - new features, generally.
In version v1.9.0.1:
This is the explicit versioning scheme used when you don't want to use names for the pre-releases or builds, like -alpha or -beta.
1: Major version, which might break backward compatibility
9: Addition of new features to support your app, along with backwards compatibility with the previous version.
0: Some minor bug fixes
1: Build number (pre-release number)
But nowadays you won't find such a versioning scheme. Refer to Semantic Versioning [semver 2.0]
https://semver.org/
Usually it's:
MajorVersion.MinorVersion.Revision.Build
Version numbers don't usually represent separate components. For some people/software the numbers are fairly arbitrary. For others, different parts of the version number string do represent different things. For example, some systems increase parts of the version number when a file format changes. So V 1.2.1 is file format compatible with all other V 1.2 versions (1.2.2, 1.2.3, etc.) but not with V 1.3. Ultimately it's up to you what scheme you want to use.
release.major.minor.revision would be my guess.
But it can vary greatly between products.
It depends, but the typical representation is that of major.minor.release.build.
Where:
major is the major release version of your software, think .NET 3.x
minor is the minor release version of your software, think .NET x.5
release is the release of that version, typically bugfixes will increment this
build is a number that denotes the number of builds you have performed.
So for instance, 1.9.0.1, means that it's version 1.9 of your software, following 1.8 and 1.7, etc. where 1.7, 1.8 and 1.9 all in some way typically add small amounts of new features alongside bugfixes. Since it's x.x.0.x, it's the initial release of 1.9, and it's the first build of that version.
You can also find good information on the Wikipedia article on the subject.
Major.Minor.Bugs
(Or some variation on that)
Bugs is usually bug fixes with no new functionality.
Minor is some change that adds new functionality but doesn't change the program in any major way.
Major is a change in the program that either breaks old functionality or is so big that it somehow changes how users should use the program.
Everyone chooses what they want to do with these numbers. I've been tempted to call releases a.b.c since it's rather silly anyway. That being said, what I've seen over the last 25+ years of development tends to work this way. Let's say your version number is 1.2.3.
The "1" indicates a "major" revision. Usually this is an initial release, a large feature set change or a rewrite of significant portions of the code. Once the feature set is determined and at least partially implemented you go to the next number.
The "2" indicates a release within a series. Often we use this position to get caught up on features that didn't make it in the last major release. This position (2) almost always indicates a feature add, usually with bug fixes.
The "3" in most shops indicates a patch release/bug fix. Almost never, at least on the commercial side, does this indicate a significant feature add. If features show up in position 3 then it's probably because someone checked something in before we knew we had to do a bug fix release.
Beyond the "3" position? I have no clue why people do that sort of thing, it just gets more confusing.
Notably some of the OSS out there throws all this out of whack. For example, Trac version 10 is actually 0.10.X.X. I think a lot of folks in the OSS world either lack confidence or just don't want to announce that they have a major release done.
Major.minor.point.build usually. Major and minor are self-explanatory, point is a release for a few minor bugfixes, and build is just a build identifier.
Yup. Major releases add big, new features, may break compatibility or have significantly different dependencies, etc.
Minor releases also add features, but they're smaller, sometimes stripped-down ported versions from beta major release.
If there is a third version number component, it's usually for important bugfixes, and security fixes. If there are more, it really depends so much on product that it's difficult to give general answer.
Generally the numbers are in the format version.major.minor.hotfix, not individual internal components. So v1.9.0.1 would be version 1, major release 9 (of v1), minor release 0 (of v1.9), hotfix 1 (of v1.9.0).
From the C# AssemblyInfo.cs file you can see the following:
// Version information for an assembly consists of the following four values:
//
// Major Version
// Minor Version
// Build Number
// Revision
//
// You can specify all the values or you can default the Build and Revision Numbers
// by using the '*' as shown below:
// [assembly: AssemblyVersion("1.0.*")]
The paradigm of major release.minor release.bug fix is pretty common, I think.
In some enterprise support contracts there is $$$ (or breach of contract liability) associated with how a particular release is designated. A contract, for example, might entitle a customer to some number of major releases in a period of time, or promise that there will be fewer than x number of minor releases in a period, or that support will continue to be available for so many releases. Of course no matter how many words are put in to the contract to explain what a major release is versus a minor release, it is always subjective and there will always be gray areas – leading to the possibility that the software vendor can game the system to beat such contractual provisions.
People don't always recognize the subtle difference between version numbers like 2.1, 2.0.1, or 2.10 - ask a technical support person how many times they've had trouble with this. Developers are detail oriented and familiar with hierarchical structures, so this is a blind spot for us.
If at all possible, expose a simpler version number to your customers.
In the case of a library, the version number tells you about the level of compatibility between two releases, and thus how difficult an upgrade will be.
A bug fix release needs to preserve binary, source, and serialization compatibility.
Minor releases mean different things to different projects, but usually they don't need to preserve source compatibility.
Major version numbers can break all three forms.
I wrote more about the rationale here.
version: v1.9.0.1
where-
. v is an abbreviation of version. It varies from company to company, depending on the nomenclature adopted in the organisation. It may be silent in some organisations, like 1.9.0.1
. 1 indicates the major version; it will be updated on architectural modification of application stacks, infrastructure (platform) or exposed network interfaces
. 9 indicates minor; it will be updated on activity like adding new components such as UI, API, database etc. under a specific architecture
. 0 indicates feature; it will be updated on any enhancements to existing components (UI, API, database etc.)
. 1 indicates the build counter across all phases (major, minor and feature). It also includes hotfixes post production release.
A combination of major, minor, patch, build, security patch, etc.
The first two are major & minor-- the rest will depend on the project, company and sometimes community. In OS's like FreeBSD, you will have 1.9.0.1_number to represent a security patch.
Depends a bit on the language, Delphi and C# for example have different meanings.
Usually, the first two numbers represent a major and a minor version, i.e. 1.0 for the first real release, 1.1 for some important bugfixes and minor new features, 2.0 for a big new feature release.
The third number can refer to a "really minor" version, or revision. 1.0.1 is just a very small bugfix to 1.0.0 for example. But it can also carry the Revision number from your Source Control System, or an ever-incrementing number that increments with every build. Or a Datestamp.
A little bit more detail here. "officially", in .net, the 4 numbers are "Major.Minor.Build.Revision", whereas in Delphi there are "Major.Minor.Release.Build". I use "Major.Minor.ReallyMinor.SubversionRev" for my versioning.
The first number is typically referred to as the major version number. It's basically used to denote significant changes between builds (i.e. when you add many new features, you increment the major version). Components with differing major versions from the same product probably aren't compatible.
The next number is the minor version number. It can represent some new features, or a number of bug fixes or small architecture changes. Components from the same product which differ by the minor version number may or may not work together and probably shouldn't.
The next is usually called the build number. This may be incremented daily, or with each "released" build, or with each build at all. There may be only small differences between two components who differ by only the build number and typically can work well together.
The final number is usually the revision number. Often times this is used by an automatic build process, or when you're making "one-off" throw-away builds for testing.
When you increment your version numbers is up to you, but they should always increment or stay the same. You can have all components share the same version number, or only increment the version number on changed components.
The version number of a complex piece of software represents the whole package and is independent of the version numbers of the parts. The Gizmo version 3.2.5 might contain Foo version 1.2.0 and Bar version 9.5.4.
When creating version numbers, use them as follows:
First number is main release. If you make significant changes to the user interface or need to break existing interfaces (so that your users will have to change their interface code), you should go to new main version.
Second number should indicate that new features have been added or something works differently internally. (For example the Oracle database might decide to use a different strategy for retrieving data, making most things faster and some things slower.) Existing interfaces should continue working and the user interface should be recognizable.
Version numbering further is up to the person writing the software - Oracle uses five (!) groups, i.e. an Oracle version is something like 10.1.3.0.5. From the third group down, you should only introduce bugfixes or minor changes in functionality.
the ones that vary less would be the first two, for major.minor, after that it can be anything from build, revision, release, to any custom algorithms (like in some MS products)
Every organization/group has its own standard. The important thing is that you stick to whatever notation you choose, otherwise your customers will be confused. Having said that, I've normally used 3 numbers:
x.yz.bbbbb. Where:
x: is the major version (major new features)
y: is the minor version number (small new features, small improvements without UI changes)
z: is the service pack (basically the same as x.y but with some bug fixes)
bbbb: is the build number and only really visible from the "about box" with other details for customer support. bbbb is free format and every product can use its own.
Here is what we use:
First number = Overall system era. Changes every couple of years and typically represents a fundamental change in technology, or client features or both.
Second number = database schema revision. An increment in this number requires a database migration and so is a significant change (or systems replicate and so changing the database structure requires a careful upgrade process). Resets to 0 if the first number changes.
Third number = software only change. This can usually be implemented on a client by client basis as the database schema is unchanged. Resets to zero if the second number changes.
Subversion version number. We populate this automatically on build using the TortoiseSVN tool. This number never resets but continually increments. Using this we can always recreate any version.
This system is serving us well because every number has a clear and important function. I have seen other teams grappling with the major number/minor number question (how big a change is major) and I don't see the benefit to that. If you don't need to track database revisions just go to a 3 or 2 digit version number, and make life easier!
Despite the fact that most of the previous answers give perfectly good explanations for how version numbering could and should be used, there is also another scheme, which I would call the marketing versioning scheme. I'll add this as an answer, because it exists, not because I think it's worth following.
In the marketing versioning scheme, all those technical thoughts and meanings are replaced by bigger is better. The version number of a product is derived from two rules:
bigger (higher) numbers are better than smaller (lower) numbers
our version number should be bigger (higher) than any of the competitors' version numbers
That takes version numbering out of the hands of the technical staff and puts it where it belongs (sales and marketing).
However, since a technical version still makes sense in a way, the marketing versions are often accompanied under the hood by technical version numbers. They are usually somehow hidden, but can be revealed by some info or about dialog.