Lock your rebar dependencies or die

When developing with Erlang and using libraries outside of OTP you've most probably come across rebar. Rebar is a build tool that aids in handling dependencies, doing releases, running eunit, etc. In short, rebar is a pretty awesome tool.

What's not awesome is when rebar deps, either your own or your dependencies' deps, break their API, which in turn renders your app broken. Luckily there's a simple fix for this. Let me explain.

This is a pretty common sight in a typical rebar.config:

{deps, [{oauth2, ".*", {git, "git://github.com/kivra/oauth2.git", "master"}}]}.

Well, maybe not using oauth2 as a dep, but specifying "master" or "HEAD" as the branch to track. This means that every time someone commits anything to oauth2 that breaks the API, it will render your app broken.

When using rebar for dependency handling, each entry in the deps list accepts one of three forms:

{deps, [app]}.
{deps, [{app, "1.0.*"}]}.
{deps, [{app, "1.0.*", {VCS, "URI", REV}}]}.

where VCS is one of git, hg, bzr, svn and rsync, URI tells the VCS where to find the dep, e.g. "git://github.com/kivra/oauth2.git", and REV is the dependency's revision. When using git you have a plethora of ways to specify revisions (the following only applies to git). Here I'll list the possible ways:

{git, "git://github.com/kivra/oauth2.git"}
{git, "git://github.com/kivra/oauth2.git", ""}
{git, "git://github.com/kivra/oauth2.git", "HEAD"}

These will all get translated to "git checkout -q origin/HEAD", the equivalent of doing:

{git, "git://github.com/kivra/oauth2.git", {branch, "HEAD"}}

The last two methods are:

{git, "git://github.com/kivra/oauth2.git", {tag, "TAG"}}
{git, "git://github.com/kivra/oauth2.git", {branch, "BRANCH"}}

Which get translated to "git checkout -q TAG" and "git checkout -q origin/BRANCH" respectively.

This means that it's pretty simple to lock the versions your app depends on. A good strategy is to go with a descriptive tag if one exists, such as "v1.0". What we end up doing a lot when using a lib that isn't tagged is to use the git hash, such as:

{git, "git://github.com/kivra/oauth2.git", {tag, "4cf6d7e686"}}

The git hash can be a prefix; git accepts shorter hashes as long as they are unique in the repository. In the above case we could've just written {tag, "4cf6"}.

But even if you're a good citizen and correctly lock your deps, you might still get hit by your deps' deps not being locked, or your deps' deps' deps. The rabbit hole goes deep.
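As an added example (not code from the post), here is an escript that audits a rebar.config for deps that follow a moving ref, and then walks deps/<App>/rebar.config of each fetched dep so the deps' deps get the same check. It assumes rebar2-style {deps, [...]} terms and the default "deps" directory; run it as `escript audit_deps.erl rebar.config` after `rebar get-deps`.

```erlang
#!/usr/bin/env escript
%% Audit a rebar.config for deps not pinned to a fixed revision, then do the same
%% for deps/<App>/rebar.config of each fetched dep (the deps' deps, recursively).
%% Assumes rebar2-style {deps, [...]} terms and the default "deps" directory.
main(Args) ->
    Path = case Args of [P | _] -> P; [] -> "rebar.config" end,
    Findings = audit(Path),
    [io:format("~s: ~p is not locked (~s)~n", [F, App, Why]) || {F, App, Why} <- Findings],
    case Findings of [] -> halt(0); _ -> halt(1) end.

%% [{ConfigFile, App, Reason}] for every unlocked dep reachable from ConfigFile.
audit(ConfigFile) ->
    case file:consult(ConfigFile) of
        {ok, Terms} ->
            Dir = filename:dirname(ConfigFile),
            lists:flatmap(fun(Dep) -> check_dep(Dir, ConfigFile, Dep) end,
                          proplists:get_value(deps, Terms, []));
        {error, _} -> []  % dep not fetched yet, or it has no rebar.config
    end.

check_dep(Dir, File, Dep) ->
    App = dep_app(Dep),
    Here = case dep_reason(Dep) of locked -> []; Reason -> [{File, App, Reason}] end,
    %% Recurse into the dep's own config so unlocked deps' deps are reported too.
    Sub = if is_atom(App) -> audit(filename:join([Dir, "deps", atom_to_list(App), "rebar.config"]));
             true -> [] end,
    Here ++ Sub.

dep_app(App) when is_atom(App) -> App;
dep_app(Dep) when is_tuple(Dep) -> element(1, Dep);
dep_app(Other) -> Other.

%% Locked means rebar will run "git checkout -q <fixed ref>": a {tag, _} or a bare
%% commit hash. "", "HEAD", {branch, _} and bare branch names all follow a moving ref.
dep_reason(App) when is_atom(App) -> "no source given";
dep_reason({_App, _Vsn}) -> "no source given";
dep_reason({App, Vsn, Src, _Opts}) -> dep_reason({App, Vsn, Src});
dep_reason({_App, _Vsn, {git, _Url}}) -> "tracks origin/HEAD";
dep_reason({_App, _Vsn, {git, _Url, ""}}) -> "tracks origin/HEAD";
dep_reason({_App, _Vsn, {git, _Url, "HEAD"}}) -> "tracks origin/HEAD";
dep_reason({_App, _Vsn, {git, _Url, {branch, Branch}}}) -> "tracks branch " ++ Branch;
dep_reason({_App, _Vsn, {git, _Url, {tag, _Tag}}}) -> locked;
dep_reason({_App, _Vsn, {git, _Url, Rev}}) when is_list(Rev) ->
    case is_hex(Rev) of true -> locked; false -> "tracks ref " ++ Rev end;
dep_reason({_App, _Vsn, {_Vcs, _Url, _Rev}}) -> "non-git source, check by hand";
dep_reason(_Other) -> "unrecognised dep form".

%% True for a (possibly abbreviated) git commit hash written as a plain string.
is_hex(Rev) ->
    Rev =/= [] andalso lists:all(fun(C) -> lists:member(C, "0123456789abcdef") end, Rev).
```

The script exits non-zero when anything unlocked is found, so it can sit in a CI step next to `rebar get-deps`.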
