Best Practices of forking git repository and continuing development

Sometimes there’s a need to fork a git repository and continue development with your own additions. It’s recommended to make pull request to upstream so that everyone could benefit of your changes but in some situations it’s not possible or feasible. When continuing development in forked repo there’s some questions which come to mind when starting. Here’s some questions and answers I found useful when we forked a repository in Github and continued to develop it with our specific changes.

Repository name: new or fork?

If you’re releasing your own package (to e.g. npm or mvn) from the forked repository with your additions then it’s logical to also rename the repository to that package name.

If it’s a npm package and you’re using scoped packages then you could also keep the original repository name.

Keeping master and continuing developing on branch?

Using master is the sane thing to do. You can always sync your fork with an upstream repository. See: syncing a fork

Generally you want to keep your local master branch as a close mirror of the upstream master and execute any work in feature branches (that might become pull requests later).

How you should do versioning?

Suppose that the original repository (origin) is still in active development and does new releases. How should you do versioning in your forked repository as you probably want to bring the changes done in the origin to your fork? And still maintain semantic versioning.

In short, semver doesn’t support prepending or appending strings to version. So adding your tag to the version number from the origin which your version is following breaks the versioning. So, you can’t use something like “1.0.0@your-org.0.1” or “1.0.0-your-org.1”. This has been discussed i.a. semver #287. The suggestion was to use a build meta tag to encode the other version as shown in semver spec item-10. But the downside is that “Build metadata SHOULD be ignored when determining version precedence. Thus two versions that differ only in the build metadata, have the same precedence.”

If you want to keep relation the original package version and follow semver then your options are short. The only option is to use build meta tag: e.g. “1.0.0+your-org.1”.

It seems that when following semantic versioning your only option is to differ from origin version and continue as you go.

If you don’t need to or want to follow semver you can track upstream version and mark your changes using similar markings as semver pre-releases: e.g. “1.0.0-your-org.1”.

npm package: scoped or unscoped?

Using scoped packages is a good way to signal official packages for organizations. Example of using scoped packages can be seen from Storybook.

It’s more of a preference and naming conventions of your packages. If you’re using something like your-org-awesome-times-ahead-package and your-org-patch-the-world-package then using scoped packages seems redundant.

Who should be the author?

At least add yourself to contributors in package.json.

Forking only for patching npm library?

Don’t fork, use patch-package which lets app authors instantly make and keep fixes to npm dependencies. Patches created by patch-package are automatically and gracefully applied when you use npm(>=5) or yarn. Now you don’t need to wait around for pull requests to be merged and published. No more forking repos just to fix that one tiny thing preventing your app from working.

This post was originally published on Gofore Group blog at 11.2.2019.

Monthly Notes 38

Warm weather and cold Northern winds just call for a warm mug of cacao and something to read by the fireplace. Here’s monthly notes for February with topics from testing to software development project guidelines and from microservices to tips and tools. Also learning React App.

Issue 38, 19.02.2019

Testing

How to stop hating your tests
I’m not a fan of extensive ui tests. I think they should be mostly about seeing that the whole system functions when all systems are integrated and functional. This talk makes a good case out of it. If you want to skip right to this subject, it starts around at 18:50 or so.

Software development

My Opinionated Setup for Web Projects
“During the past few years, I have worked on multiple smaller and larger projects. In this blog post I explain my default project setup for a typical web frontend project.”

Project Guidelines
“While developing a new project is like rolling on a green field for you, maintaining it is a potential dark twisted nightmare for someone else. Here’s a list of guidelines we’ve found, written and gathered that (we think) works really well with most JavaScript projects here at elsewhen.”

Microservices

Introduction to Kubernetes
Introduces you to Kubernetes.

Building Microservices: Designing fine-grained systems (pdf)
“Distributed systems have become more fine-grained in the past 10 years,
shifting from code-heavy monolithic applications to smaller, self-contained microservices. But developing these systems brings its own set of headaches. With lots of examples and practical advice, this book takes a holistic view of the topics that system architects and administrators must consider when building, managing, and evolving microservice architectures.”

Microservices vs The World
“In the last 5 years microservices have been pretty much the topic on every architectural conversation. The idea is great, small, independent, cohesive, services that can be implemented, tested, maintained and released individually without much impact on the rest of the system. Microservices are then the holy grail of architectures all positives and almost zero negatives. If that is the case, why in the last 2-3 years our holy grail is getting bad press? Some engineers even suggest that a monolith is better. How can a monolith be better? Well, it all comes down to pros and cons and how the business is structured.”

Microservices architecture on paper sounds amazing but unless the business as a whole is not committed to it, then your department will end up with low morale, low productivity, and tones of code debt.

Microservices vs The World

Tools of trade

DockStation
“Application for managing projects based on Docker. Instead of lots of CLI commands you can monitor, configure, and manage services and containers while using just a GUI.” See running containers in histogram-type grapsh, monitor stats, connect with ssh to remote hosts, start/stop containers.

Scrolling inside Screen
Disable the alternate text buffer in the xterm termcap info inside screen so that you can use the scroll bars (and mouse wheel) to scroll up and down. 

~/.screenrc. # Enable mouse scrolling and scroll bar history scrolling termcapinfo xterm* ti@:te@ 

Learn

Learn React App
The goal of this tutorial is to quickly get you off the ground with React concepts. This tutorial has hands-on exercises which I consider to be the most important part of this tutorial.

Something different

MTB Trails Finale Ligure
I wish I was there shredding.

Notes from OWASP Helsinki chapter meeting 36

OWASP Helsinki chapter meeting number 36 was held 12.2.2019 at Veikkaus premises in Pohjois-Haaga. The theme for this meeting was about software security and the topic was covered with two talks and with a card game. Here’s my short notes.

What Every Developer and Tester Should Know About Software Security

The event started with “What Every Developer and Tester Should Know About Software Security” by Anne Oikarinen from Nixu. The main point was that information security isn’t something you can sprinkle over your applications – security needs to be baked in. Take security into account in every step of your software development process, focusing on design and development.

The talk was a great overview to software security and covered the topic from three perspectives: security requirements, threat modeling and security testing. It was nicely practical and theoretical and gave good tips to tools and how to approach the issue. The presentation slides can be seen on SlideShare.

#OWASPHelsinki meeting 36 at @veikkaus_fi started with “What Every Developer and Tester Should Know About Software Security” by @Anne_Oikarinen. Good practical overview to security requirements, threat modeling and security testing. Build security in. #infosec@OWASPHelsinki

@walokra
Building security in: start with security requirements and threat modeling
Venn diagram of building security in
Follow standards and best practices
Use tools for improving software security yourself

Security in Agile Development

Joakim Tauren from Visma continued the event with “Security in Agile Development”and told how they manage security in large scale. The sofware security team provides security as a service to produc teams and utilize OWASP SAMM to empower teams. The in-house built system to manage security maturity matrix was cool.

Next up at @OWASPHelsinki meetup was “Security in Agile Development” by @JoakimTauren from @Visma. Security as a Service. Empower teams. Transparency. In-house tool for security maturity matrix. Effective leadership of self-managing work teams. #infosec#OWASPHelsinki

@walokra
Security as a Service
Empowering teams
In-house built tool for managing security maturity index
You have tools to help you on the way

OWASP Cornucopia

The event was wrapped up with OWASP Cornucopia – a live card game session. The idea behind Cornucopia is to help development teams, especially those using Agile methodologies, to identify application security requirements and develop security-based user stories.

#OWASPHelsinki meetup 36 came to conclusion with a live game session of #OWASP Cornucopia: https://www.owasp.org/index.php/OWASP_Cornucopi …. Mechanism in game format to assist software development teams identify security requirements. @OWASPHelsinki had clever Star Wars themed system to audit. #infosec

@walokra

The game plays like card game with six suites and cards from one to ace like normal deck of cards. Cards have security themed questions and the players try to answer in the given context if the issue at hand is a problem to be look into. In this case the context was Death Star themed with given architecture diagram.

The card deck can be printed from OWASP site.

But what does cornucopia mean? In modern depictions, the cornucopia is typically a hollow, horn-shaped wicker basket filled with various kinds of festive fruit and vegetables. In this context it would relate to can of worms :)

OWASP Cornucopia in Death Star architecture

Monthly notes 37

January is turning over to February and Winter with freezing weather and lots of snow has enlightened our days. Here’s some reading for the moments when Winter wonderland is too much and warm mug of coffee and fireplace is the place to be.

Issue 37, 31.1.2019

Web and mobile development

PWAs on iOS 12.2 beta: the good, the bad, and the “not sure yet if good”
“The first beta of iOS 12.2: the first version since PWA support that responds to all the critics by offering solutions to the two biggest problems on PWAs on iOS.”

Hartington’s tweet’s thread has some information.

Microservices

Choose your tools wisely.

Tools of the trade

Lifehack.
“To test the flow of a potential scenario, storyboarding and comics can really add an extra dimension that your users can relate to (or not) and provide feedback on the types of activities, thoughts and feelings they would be experiencing along the way. “

Privacy and security


Something different

2018 Retrospective

The year has changed and it’s time for traditional retrospective of post done in 2018. By numbers 2018 was total of 23 articles which 11 articles were Monthly notes. I visited couple of conferences and some meetups, did software development and tested technology stuff. Business as usual and I presume that it’s going to continue this way also this year.

Monthly notes

It has been proved to be a good way to ensure that I keep reading what happens in software development and also think about it when I collect interesting articles to my Monthly notes series. The series continued with 11 posts.

Meetups

During the year I attended couple of meetups and if you follow me on Twitter you might have noticed that I went to more meetups than I wrote about. There are several interesting events in Helsinki you can attend almost monthly but you’ve to be quick to participate because usually events fill up quickly. But although the event seems to be full, there’s often spots left as some people don’t cancel if they can’t make it.

Information security related meetups are always interesting and I participated couple of OWASP Helsinki meetings.

OWASP Helsinki chapter meeting 34: Secure API told about “Perfectly secure API” and “Best friends: API security & API management”. The event gave good overview to the topics covered and was quite packed with people. Eficode’s premises were modern and there was snacks and beverages. And also a sauna.

Have you ever wondered how to become a bug bounty hunter or wanted to organize a bug bounty program? OWASP Helsinki chapter meeting 35: Bug Bounty programs told all about bug bounty programs from hacker and organizer point of views with topics of “Hunting for bounties in a web browser”, “How to become a bug bounty hunter” and “Running a successful bug bounty program”.

In August I attended React Helsinki August 2018 meetup at Smartly.io. Topics covered “Splitting React codebases for increased development speed”, “Making your own Ignite generator – for React Native” and “Use GraphQL!”. There are links to recordings of the presentations.

Meetups and conferences are also nice way to both freshen your thinking, hear how other’s do things, get new ideas and meet people working in the same field.

Conferences

Last year there was lots of interesting conferences in Helsinki. In the Spring there was React Finland 2018 conference which told what’s hot in the React world. The two day conference covered topics of React on day one and day two was React and React Native. The two conference days were packed with great talks and new information.

Where the React Finland was a conference from developers to developers, the opposite was Red Hat Forum Finland 2018 which was held at Finlandia-talo. The mainline was “Ideas worth exploring. Come with questions. Leave with ideas.” The event was divided to keynote and to four breakout sessions. I chose to get hands-on with OpenShift.

The developer conference theme continued in Autumn with GraphQL Finland 2018. The first of its kind event in Finland brought a day of workshops and a day of talks around GraphQL. The event was organized by the same people as React Finland and it showed, in good ways. The talks were interesting, atmosphere was cosy and after party was bookie. All of the talks were live streamed and they’re available on Youtube

Software development as usual

I managed to write couple of articles regarding software development and topics surrounding it.

Writing documentation is always a task which isn’t much liked and especially with diagrams and flowcharts there’s the problem of which tools to use. I wrote about generating documentation as code with mermaid and PlantUML as an alternative to crafty Draw.io. Using mermaid or PlantUML has the advantage that you can see the changes clearly in human readable text format and maintain source-controlled diagram.

Developing modern web applications you often come to around checking REST API responses and parsing JSON values. If you’re allowed to install extra tools or use Python then things get easier as you can use command line and combine jq and Python to extract JSON values. And a further note you can also use jp, command line interfacee to JSMESPath.

A more practical approach to visualize things was when I did a build monitor with Raspberry Pi and touch screen. Information is a great tool in software development and it’s useful to have easy access to it. Using build monitor to show continuous integration status and metrics from running services helps you notice problems and get them solved quicker.

And as we know learning and staying current in software development is important and expanding your horizons can be achieved with different ways. One good way I have used is following different news sources, newsletters, listening podcasts and attending meetups.

Awesome times ahead

Years change but the blog stays pretty much the same. Also this year plans are to continue as before, write about technology, collect interesting articles, learn new things about software development and of course ride mountain bike.

Stay tuned by subscribing to the RSS feed or follow me on Twitter. Check also my other blog in Finnish.