May I ask you for some little thing that might change the (development) world? Would you please like to introduce a folder, where people might put their dependency.yml file - this is an effort to finally stop the spreading cancer of "put one more config file into the project root".
I would like to suggest to call that folder simply "config" - all the projects and tools out there should have no problem with that. Optionally there could be one top level config file called "config.rc" - this file points to the actual config dir if it is not "config".
It would be verrry nice if one service just starts with that and hopefully all the others will follow and it will become a defacto standard. The pollution of the top level project directories really must stop.
I've thought of the same thing, but I feel that the horse has well and truly bolted, run back through the barn a few times, kicked some shelving over and then continued out the front and over the horizon at a brisk pace.
beefsack is right, please do NOT make it a github specific thing. Just one config folder. All config files for services, integration, etc. should go there.
In the config.rc file you could call that folder however you want.
I personally do not like ".meta", because it is not clear what kind of information it may contain. "Meta" might be anything, documentation, description, website, design papers, everything is meta. It is a bit like using "Information" as a menu entry for a website.
How about we put each individual config file in its own individual directory? We could name the directory after the file too, so that it is clear where each file is ;)
No but seriously, I don't think this mess of config files in the project root is really a big deal. I already grouped the interesting stuff under /src. If it is a big deal, then lets hash out an RFC that covers the general concept of "configuration" once and for all and be done with it.
I’ve been working on Dependency CI along with https://libraries.io, the service that powers it, in my spare time for the past few months, it’s great to finally get it out into the real world.
Dependency CI works like Travis CI but for the dependencies of your application, checking them for license and status issues every time you push to GitHub.
Hey, Nimble creator here. Just wanted to ask, are there any reasons why it's not currently supported on Dependency CI? (apart from just lack of time on your side :))
Hey Dom, it's mostly because I've not written a parser for the .nimble manifest file, if you feel like adding it to https://github.com/librariesio/bibliothecary then it will be easy to add support for it!
I've known Andrew for a few years and what I love about this is how it reflects him as person: someone who loves bringing people together. Dependency CI seems to me to be a manifestation of that. Hopefully one effect of Dependency CI, if (when) it becomes popular is that it raises the bar for the stability of projects that other people depend on. We're all in this together. Keep up the great and inspiring work Andrew!
Similar to Greenkeeper or requires.io, but with a larger range of languages supported. Very interesting.
As a side note, I recommend creating a separate github account when granting permission to this kind of 3rd party. Don't grant them full read/write on your repos, create an account that's temporarily admin, then make that account read only.
The Debian project's Continuous Integration project [1] re-tests all dependent objects whenever a dependency within the Debian archive changes. This way, changes that might negatively affect dependents can be caught early.
This is immensely useful, especially to the maintainers of libraries.
In order for them to be tested, dependent objects have to declare their testability using the autopkgtest [2] interface.
It appears to me that Dependency CI is focused on dependency metadata, focusing on the state/version/license/etc the dependency declares.
Debian's CI focuses on actual run-time testing, specifically what it calls "as-installed" testing (as opposed to build-time testing). You don't test a specific build result, but whatever is installed in $PATH, $LD_LIBRARY_PATH, and so on.
Because the tested objects also use the as-installed dependencies -- libraries, modules, etc. -- whenever one of the dependencies changes, the dependents can automatically be re-tested for compatibility.
There are plenty of other services in this space (see below for a couple). I hadn't heard of Dependency CI and what immediately impresses me is the number of different package managers supported.
OP- Do you have a roadmap to supporting this outside of GitHub? I think the people that benefit most from it, due to corporate policies and outdated deps, are the people least likely to be using GitHub!
Everyone else - Is this a general problem with people locking these (very cool) tools to GitHub? Is there a generalised solution to the problem of source control integration?
its bad decision making.
but to be fair dependency ci will add gitlab and bitbucket in the future.
it still sucks that awesome tools like this are github first, git is a central tool and tools arround git should not depend on any hoster at all - imho
What alternative decision are you imagining? A service like this can’t depend on Git alone. It needs to know when the repo is updated (e.g. GitHub’s webhooks) and has to publish its results somewhere (e.g. GitHub’s commit statuses). So it only really works with hosted repos.
Since each hosting service has a different API, each integration needs to be built individually. And it makes sense to integrate with GitHub first because it’s the most popular repo host.
Maybe server-side git hooks would do the trick? Can we assume that any "decent" git server will be able to run a bash script? A service could instruct the user to download a couple scripts and put them in .git/hooks. Or just copy and paste a wget command from within the repo root.
> It needs to know when the repo is updated (e.g. GitHub’s webhooks)
post-receive hooks work well for this. I use them to push changes from my laptop up to my server and GitHub (which I use as a free mirror). My server uses a post-receive hook to regenerate a HTML view of the repo.
> has to publish its results somewhere (e.g. GitHub’s commit statuses)
For JavaScript and Python developers, there is a newish service called Doppins (from Norway!) that I've really been enjoying for my open source projects: https://doppins.com/
No conf required other than your normal requirements.txt, sends you a PR whenever there are new versions available. Cracking stuff.
Having gotten to know Andrew a bit over the last few months, I can wholeheartedly say that he cares a lot about the open source community. DependencyCI and Libraries.io are labours of love and craftsmanship!
Great idea! My company requires external libraries licenses to be revieved every half a year and it usually takes a couple of days to do so. Your project could be a real time-saver. Unfortunately the integration with Maven does not seem to work in most cases, if it did I would already have sent the link to our CTO.
You could use the VersionEye Maven Plugin for that: https://github.com/versioneye/versioneye_maven_plugin. It checks your dependencies against a license whitelist on the VersionEye server and if there is a violation it breaks your build on your CI server. That way you can enforce a license policy continuously. It's much better than just checking licenses once a year ;-)
I'm working on VersionEye since a couple years, it's a similar project and I open sourced it last week: https://blog.versioneye.com/2016/06/28/versioneye-goes-open-.... I'm following Andrews activities since a while and like what he did with libraries.io. Great job! As both projects have a big overlap and are open source now I'm open for collaboration :)
Pivotal Labs have a similar problem -- ensuring that only whitelisted licenses are represented in a codebase -- and developed License Finder for this kind of auditing: https://github.com/pivotal/LicenseFinder
We also use it for Cloud Foundry. It's fairly robust.
Isn't this the actually the wrong solution? I thought I was told I should be pulling my dependencies into my own cloned repos. Then my project uses my clones. When I want an update I test it out, update the cloned repo and update the project to use the latest tag/hash of my cloned repo. Isn't that what pretty much all the top projects do?
This way everything is under my control. What good is it if I'm told my dependencies has been deleted? And then I what? Copy my old dep from my dev machine to a cloned repo and point to that? Isn't that the same step as above?
You're not wrong, but you can use that technique and benefit from Dependency CI too.
Typically, you can define your dependencies in a file specific to a certain package manager. NPM uses `package.json`, RubyGems uses `Gemfile`, etc.
It is a reasonable practice to "vendor in" your dependencies, as you suggest. But given the declaration of your dependencies in some manifest file, Dependency CI can give you valuable insights.
Cool concept! Is the spec for the dependency.yml file open source? Would be cool to see something like it become a standard: it's a concern for the project owner, but also for the project clients/users.
What would be really interesting is a service that would tell me the build status and code coverage metrics for each version of a dependency I use in my project (and each dependency they use their projects and so on).
Even more interesting would be something that would attempt to force code coverage analysis on projects that use a standard testing framework, have a certain amount of tests present, but don't have CC configured in their project.
At first I was thinking that is what this service did but it doesn't appear to be the case.
There's also a somewhat similar service a friend and myself evaluated a couple of months ago, we had similar ideas but we eventually let go of our prototype because of "fear" of said competition ...
DepdendencyCI already did better than us in that regard and it seems like they are doing an an all-around great job (I especially like the multi language support)! :)
Very proud of Andrew's tenacity and ability to offer a simple solution to a problem that strengthens the open source community rather than ruminating and/or grand standing about it.
May I ask you for some little thing that might change the (development) world? Would you please like to introduce a folder, where people might put their dependency.yml file - this is an effort to finally stop the spreading cancer of "put one more config file into the project root".
I would like to suggest to call that folder simply "config" - all the projects and tools out there should have no problem with that. Optionally there could be one top level config file called "config.rc" - this file points to the actual config dir if it is not "config".
It would be verrry nice if one service just starts with that and hopefully all the others will follow and it will become a defacto standard. The pollution of the top level project directories really must stop.
Thank you!