Dependencies and Licenses
1 like3,394 views
The document discusses dependency and license management in software development, highlighting the evolution from manual dependency management to modern tools like Maven and various package managers. It emphasizes the importance of version tracking and the challenges of navigating software licenses, particularly copyleft licenses. The author, Robert Reiz, introduces VersionEye, a tool that monitors over 550k open source libraries for dependency and license issues.
Dependencies and Licenses
- 2. Who I am? • Robert Reiz • Software Eng. since 1998 • I started VersionEye
- 3. What I do? • I write crawlers • I integrate Package Managers • I integrate SCM APIs (GitHub, Stash …)
- 4. VersionEye • 550K Open Source Projects • 10 Package Managers • 3 SCMs Dependency & License Management
- 5. Software Library “In computer science, a library is a collection of implementations of behaviour, written in terms of a language, that has a well-defined interface by which the behaviour is invoked.” http://en.wikipedia.org/wiki/Library_%28computing%29 Wikipedia
- 6. Year 1999 Download Software Libraries via Browser!
- 7. Year 1999 Add it via drag & drop to your project!
- 8. Dependency Management 1999 • Resolving transitiv dependencies by hand. • No version tracking! • Libraries checked in to SCM! • Not reproducible! • Dependency Hell!
- 9. Dependency Management Today with Maven <dependency> <groupId>org.apache.httpcomponents</groupId> <artifactId>httpmime</artifactId> <version>2.1</version> </dependency> Define your dependencies in a pom.xml file
- 10. Dependency Management Today with Maven Repository Server Your computer run > mvn compile request dependency sends dependency
- 11. >mvncompile Dependency Management with Maven • It downloads the dependencies. • It resolves transitive dependencies. • It puts the dep. into the right place. • Reproducible. • No need to check in dep. into SCM!
- 12. Dependency Management • Maven (Java) • Bundler (Ruby) • Composer (PHP) • CocoaPods (Objective-C) • …. • PyPI (Python) • Leiningen (Clojure) • NPM (Node.JS) • Bower (JS) • …. Eachlanguagehasapackagemanager!
- 15. 1.MAJOR version when you make incompatible API changes 2.MINOR version when you add functionality in a backwards-compatible manner 3.PATCH version when you make backwards-compatible bug fixes. MAJOR.MINOR.PATCH
- 19. 94% of all new releases are harmless and you can update without doubt.
- 20. How do you get notified about new versions? Version Tracking is a problem!
- 21. https://www.versioneye.com Sign up with your GitHub Account and try it for free!
- 22. Software License “A software license is a legal instrument governing the use or redistribution of software.” http://en.wikipedia.org/wiki/Software_license Wikipedia
- 23. SPDX Licenses ~ 300 http://spdx.org/licenses/
- 24. And there are even more!
- 25. Everybody can invent new licenses!
- 26. DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE Version 2, December 2004 Copyright (C) 2004 Sam Hocevar <sam@hocevar.net> Everyone is permitted to copy and distribute verbatim or modified copies of this license document, and changing it is allowed as long as the name is changed. DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. You just DO WHAT THE FUCK YOU WANT TO.
- 28. The GPL License You should avoid GPL for commercial projects!
- 29. Software License Core Committers candefine a license for their projects!
- 30. The Normalisation Problem The same license can be written in different ways! • Apache License 2 • Apache License 2.0 • The Apache License, 2.0 • The Apache Software License 2.0 • ….
- 31. The Human Factor Internet with millions of open source libraries! pull new OS library pull new OS library pull new OS library Software developers download open source libraries every day and they don’t care about licenses! commercial company
- 32. TheLicenseProblem How to avoid that a software developer pulls in a open source library with a copyleft license?
- 35. www.VersionEye.com Keeps an eye on more than 550K open source libraries! Supports 22 Languages and 10 Package Managers! current status at 5th March 2015!