Skip to content

Latest commit

 

History

History
61 lines (56 loc) · 3.82 KB

6. Package Management.md

File metadata and controls

61 lines (56 loc) · 3.82 KB
Raw

Package management

  • It's possible to manage all aspects of software such as installation, configuration, upgrade, and uninstall.
  • Benefits:
    • Reusability: reuse same package in multiple solutions
    • Download a package into your solution whenever required.
    • Leads to faster development
  • Issues with public package managers
    • Maintaining governance and control
      • E.g. people can use different versions of packages
    • Security
      • Does it have loopholes? Concerns?
      • Developer can use any package to ensure application works.
  • Need for managing dependencies
    • Applications can just get swarmed into using application dependencies
    • There can be no control over the packages being used in application
    • Security can also be concern when you are looking at working with public packages

Some package managers

  • apt for Debian Linux environments
  • yum for CentOS Linux environments.
  • Chocolatey: software management solution built on PowerShell for Windows operating systems.
  • nuget for .NET applications
  • npm for JavaScript packages
    • package.json
      • resides in project root folder
      • lists the packages your project depends on
      • specifies versions of a package that your project can use using semantic versioning rules
      • makes your build reproducible, and therefore easier to share with other developers
    • .npmrc
      • npm gets its config settings from the command line, environment variables, and npmrc files.
      • Can be defined as
        • per-user: in home directory of the user ($HOME/.npmrc)
        • per-project: project root ($PREFIX/etc/npmrc)
        • global: $PREFIX/etc/npmrc
        • built-in: unchangeable, in path/to/npm/itself/npmrc
      • Azure DevOps Services recommends using two .npmrc files:
        1. One .npmrc should live at the root of your git repo adjacent to your project's package.json.
          • Should define registries
        2. On the development machine, .npmrc in $home for Linux or Mac systems or $env.HOME for win systems
          • Should contain credentials for all of the registries that you need to connect to.
          • 💡 The NPM client will look at your project's .npmrc, discover the registry, and fetch matching credentials from $home/.npmrc or $env.HOME/.npmrc
          • I[n build task, you give credentials in npm Authenticate task
  • maven: most popular build and dependency resolution tool for Java
    • gradle is a Java build tool that can use Maven or Ivy repositories for dependency resolution.

Security and Compliance

  • Developers make use of publicly available packages on the Internet
  • Security concerns: Are all security vulnerabilities addressed?
  • Licensing problems: e.g. some licenses if you change the code in the package you must make the package publicly available.
  • Some tools
    • BlackDuck by Synopsys
      • Scan all open source dependencies in your application
      • Get issues reported on all possible security vulnerabilities
    • WhiteSource Bolt
      • tool for scanning open-source dependencies for vulnerabilities and licensing
    • You can install them as extensions for those services for your organization in Azure DevOps
      • You must also install them in a server & buy a license
      • Create a service connection that points to your server