C++ – How to properly manage dependencies for C/C++ project

builds, c, dependency-management

I have a project which uses 3-4 different open source C/C++ libraries.

I built these libraries for several platforms and checked in include files and static libs for different platforms in my project.

However, I struggle with a couple of problems. All of these projects are around dependency management. And I am looking for best practices advice.

1) How do I know what exactly I use?

I don't have a way to get the version of a static lib. As a result, I need to somehow track which version of the static lib I am using (maybe the SHA of the commit from which it was built)?

This is especially important when I need to figure out when to upgrade these libs.

2) How do I reproduce the build?

I could have struggled to build some specific library for a specific platform. It took me a while to figure it out.

The next time I need to build the same library could be in half a year (when I will need to upgrade for whatever reason). However, by that time, I definitely won't remember anything, and the environment on which it was built will be long gone.

3) Should I fork these libraries to have a copy of source code?

This is a lesser concern. However, it's still a concern. It's nice to make sure that builds are reproducible (and that kind of requires source code).

Best Answer

Do you really need to always use an exact version of a dependent library? Is it badly written/does it break its API with every minor increase in version?

If you look at open-source projects, their build (configure part mostly) scripts check whether various libraries are present and throw an error if not. It is also flexible enough to allow the user to link against a newer version of the library (which probably provides more bug/security fixes than an older one) and also doesn't enforce static or dynamic linking.

If you truly need reproducible builds, then you should also pay attention to the exact version of the compiler and its standard libraries, perhaps even the operating system. In this case, having a build machine with the exact environment that you require is, in my opinion, better than checking in compiled libraries in the source code repository.
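For the case where prebuilt static libs do stay checked in, one way to answer "what exactly do I use?" is a provenance manifest that CI verifies on every build. The sketch below is an added example, not part of the original question or answer. The manifest layout, its field names, the `*.a` suffix and the `libfoo`/`libbar` files are all hypothetical, and the file contents are constructed sample bytes.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify(root: Path, manifest: dict) -> list:
    """Return a list of problems; an empty list means the tree matches the manifest."""
    problems = []
    listed = set()
    for e in manifest["artifacts"]:
        listed.add(e["path"])
        f = root / e["path"]
        if not f.is_file():
            problems.append(f"missing: {e['path']}")
        elif sha256_of(f) != e["sha256"]:
            problems.append(f"hash mismatch: {e['path']} (expected {e['name']} @ {e['commit']})")
    # A static lib on disk that the manifest does not describe has unknown provenance.
    for f in sorted(root.rglob("*.a")):
        rel = f.relative_to(root).as_posix()
        if rel not in listed:
            problems.append(f"untracked: {rel}")
    return problems

def demo() -> tuple:
    """Constructed sample: one recorded lib, then a silent swap plus an unrecorded lib."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        lib = root / "linux-x86_64" / "libfoo.a"
        lib.parent.mkdir(parents=True)
        lib.write_bytes(b"constructed archive bytes v1")
        manifest = {"artifacts": [{
            "name": "libfoo", "version": "1.2.3",  # placeholder values, not a real release
            "commit": "<upstream-commit-sha>", "toolchain": "<compiler and version>",
            "path": "linux-x86_64/libfoo.a", "sha256": sha256_of(lib)}]}
        clean = verify(root, manifest)
        lib.write_bytes(b"constructed archive bytes v2")  # rebuilt, manifest not updated
        (root / "linux-x86_64" / "libbar.a").write_bytes(b"x")
        return clean, verify(root, manifest)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Recording the toolchain next to the commit keeps the compiler and standard-library versions the answer mentions tied to each binary.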
