[zeromq-dev] Software versioning / contracts / SBOM

[Pieter Hintjens]

Hi all,

After that fun and helpful thread on multipart et al, I'd like to open
another discussion, on software versioning.

I've written up a proposal at http://hintjens.com/blog:85.

Mainly, I'd like to try to deliver a manifest of contracts (draft,
stable, legacy, retired), rather than a stable version of any given
project.

This is meant to allow much more reliable packaging of github master,
and long term interoperability.

It depends on two non-trivial cultural shifts, already in process:

1. much more emphasis on documented contracts (RFCs, APIs, file formats)
2. contract-based testing, rather than product-based testing.

For example, I'd like to make test cases for libzmq that are separate
from the library and which can be run on all versions of the software,
old and new and future. This is far more secure than having the tests
part of the software. E.g., we broke some contracts in 4.x because
people modified the test cases along with their code.

I will start with either libzmq or czmq, with separate -sbom projects
that test the contracts for arbitrary versions of these projects. I'll
probably end up using GSL to generate the necessary code, as this has
worked well in zproto and zproject.

Thoughts and comments welcome, particularly from packagers and those
who build on top of libzmq, czmq, etc.

-Pieter