ajma

Reputation: 12206

How do you store third party libraries in your source control?

How do you store third party libraries that you use in your project in your source control?

When would you store binaries in your source control?

When would you store the code in your source control?

Would you ever store both? In what situations would you do this?

(Btw, I'm using .NET but it doesn't really matter for this question)

Upvotes: 26

Views: 6054

Answers (15)

Mike

Reputation: 1

On source code and compiled libraries (most likely standalone):

If I don't use the third party components (compiled libraries) or provided source to build in-house software components, I simply take them off the shelf and install them as prescribed (which might include a compile, PL/SQL code for example). I would not install them in a dependency management repo or any source control system for the simple reason that I don't want them incorporated accidentally or otherwise in components I'm building and I don't want to track them in any software cycle. This is an asset (software asset) that should be tracked with other tools. If I'm not using them for software development, I don't and shouldn't see them in tools I use for software development.

If I depend on them for building my own software, I would store them all day long.

Upvotes: 0

Tim Abell

Reputation: 11881

If you are using git (which I recommend), and you have the source of the third party library, then storing the library in its own git repository and including it as a submodule is an excellent setup.

If the source library is also using git then you can clone their library and push it to your own server so you'll never lose it.

Git submodules allow you to specify which revision of a library is required for a project, which is great for maintaining compatibility.

Upvotes: 1
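
The mirror-and-pin setup described in this answer, as an added shell example that is not part of the original post: it mirrors a constructed stand-in repository, pins it as a submodule, and shows that a fresh clone still checks out the pinned revision after upstream has moved on. The repository names, paths and the `demo_pin` function are assumptions made for the demo.

```shell
#!/bin/sh
# Added example. Every repository and path below is constructed for the demo.
demo_pin() (
    set -e
    work=$(mktemp -d); cd "$work"
    HOME=$work; export HOME    # throwaway global git config, demo only
    git config --global user.name demo
    git config --global user.email demo@example.invalid
    # Current git refuses local-path submodule URLs by default; allow them
    # for this offline demo. A real mirror would be an https or ssh URL.
    git config --global protocol.file.allow always

    # 1. Stand-in for the third party's public repository.
    git init -q upstream-lib
    echo v1 > upstream-lib/lib.c
    git -C upstream-lib add lib.c
    git -C upstream-lib commit -qm "lib v1"

    # 2. Mirror it to "your own server" so the history can never be lost.
    git clone -q --mirror upstream-lib mirror.git

    # 3. The product references the mirror as a submodule; the commit
    #    records the exact library revision (a gitlink) in the product tree.
    git init -q product
    git -C product submodule --quiet add "$work/mirror.git" lib/3rdparty/upstream-lib >/dev/null
    git -C product commit -qm "pin upstream-lib"
    pinned=$(git -C product rev-parse HEAD:lib/3rdparty/upstream-lib)

    # 4. Upstream moves on and the mirror syncs the new commit.
    echo v2 > upstream-lib/lib.c
    git -C upstream-lib commit -qam "lib v2"
    git -C mirror.git fetch -q origin
    latest=$(git -C mirror.git rev-parse HEAD)

    # 5. A fresh clone of the product still gets the pinned revision.
    git clone -q --recurse-submodules product fresh >/dev/null 2>&1
    checked_out=$(git -C fresh/lib/3rdparty/upstream-lib rev-parse HEAD)

    cd /; rm -rf "$work"
    echo "$pinned $latest $checked_out"
)

demo_pin   # prints: <pinned> <latest> <checked_out>; first and third match
```

The new upstream commit reaches a build only when someone moves the pin in a commit to the product repository, which makes every library update a reviewable change.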

Chuck

Reputation: 53

When would you store binaries in your source control?

I store binaries in source control when I want the ability to quickly revert back to the old version of an application. There are a number of reasons I would do this, including the following:

  • Application testing in an environment that exactly matches production is not always possible.
  • The previous programmer may not have used source control or may have used it incorrectly. So it can be difficult to be sure the source code you are changing is the version that matches what the user is working with.

Upvotes: 0

MikeJ

Reputation: 552

On a recent Java project I switched to using Maven - this was quite nice since it meant I didn't need to store any third party jars in a lib/ directory. At compile time Maven would pull in the dependencies. One nice side effect is the jars have the version number in their filename.

Upvotes: 2

VonC

Reputation: 1324013

  • How: a vendor branch is generally a good approach

  • When (thirdparties): for minimizing the number of referentials involved: you could add those libraries into a separate external referential (like Maven), but that means you need to access that extra referential for each of your environments (development - integration - homologation - preproduction - production)

  • When (code): for managing the complexity of the changes, when you know updates and fixes for current versions running in production will be needed while new developments are in progress.

  • Why (store both): for deployment reasons: you can manage a complete configuration (list of elements you need) in one referential and query it wherever and whenever you need for:

    • development (you query what you need to develop and execute your code, including thirdparties needed for compilation/execution)
    • tests (integration, homologation): you query the exact tags you want to update your testing workspace with
    • production: you identify exactly what goes into production from one source: your SCM.

For test and production environments, that also means your own product (the packaged result of what you are building) should also go into your SCM (only the official releases, not the intermediate ones used internally).
If other projects depend on your product, they will build their own project against your packaged version stored in the SCM, not against your source code they somehow recompiled.

Why is this important?
Because in the end, what will run in production is that packaged version of your product, not your "source code re-compiled". Hence the importance of making all your tests with the target final form of your product, clearly stored and tagged in your SCM.


Martin Lazar raises a legitimate point in his answer:

Source control is called "source" control, because it is supposed to control sources.

While that may have been historically true, every current RCS has evolved toward SCM (Source Code Management), which does not just control sources, but also manages changes to documents, programs, and other information stored as computer files.
Binaries can then be stored (even stored with binary-delta).

Plus, that allows some of those SCMs to propose an S"C"M feature (as in Source Configuration Management).
That SCM (Configuration) not only stores any kind of "set of files", but also the relationships (aka dependencies) between those sets, so that you can query one set of files and "pull" all the other deliveries on which that set depends (to build, to deploy or to run).

Upvotes: 10

Anthony

Reputation: 7146

Generally speaking, I would do roughly what has been prescribed by other users.

In the case of Subversion, and I admit I can't speak to the inclusion of the feature in the case of other systems, one can use an External to link in a repository maintained elsewhere. In a checkout/export, you'll get a full copy of the source including the updated code from that external repository all in one go.

This was particularly nice for me with PHP/JS development as there is no issue regarding storing binaries. I'd keep an external of the Zend Framework, Doctrine ORM, and jQuery all in a /lib/ folder of the project. Every update would give me a complete, updated copy of -all- the necessary files without any more work than adding that repository URL to an svn property.

Upvotes: 1

Martin Lazar

Reputation: 1340

Source control is called "source" control, because it is supposed to control sources.

In Java it's a common pattern to use some version control system to store sources and other resources like configuration XML files or pictures, and then to use some dependency management tool like Apache Maven, which will store, download and manage your project's dependencies on 3rd party libraries. Then when you reinstall your OS, Maven can automatically download your dependencies from the central repository (or your own private repositories as well) and store them in a local cache on your disk. You don't even have to know where the cache is :)

Maven can also be used with other languages and as far as I know plugins for .NET and C/C++ are available, but I haven't used it with anything other than Java.

Upvotes: 4

dirkgently

Reputation: 111130

How do you store third party libraries that you use in your project in your source control?

As binary or source or both. Depends on the library.

When would you store binaries in your source control?

A third party library for which we don't have the source or an internal library which we haven't made any changes to or the library is too huge to be built around.

When would you store the code in your source control?

Say, we use an internal library A but have made some bug fixes specific to product X. Then product X's depot will keep the source and build it.

Would you ever store both? In what situations would you do this?

Yes, all the latest binaries are stored in source control.

So the tree looks like this:

product
 |-- src
 |-- build
 |-- lib
       |- 3rdparty
       |- internal
...

Upvotes: 5

Nick Van Brunt

Reputation: 15474

I don't put 3rd party source or binaries in SC. My rationale was that I would not have to update SC just to update the libraries. I am starting to regret this though. When I have had to recreate the project I find myself running around looking for the lib sources instead of just syncing to SC.

Upvotes: 3

friol

Reputation: 7096

You don't need to store third party libraries in your source control repository. Those libraries (think of SDL, libcurl, etc.) should always be available on the web.
Just two recommendations:

  • make sure to state clearly in your code which version of the library you should compile against
  • be sure that that specific version is always available on the web

Upvotes: 1

Miyagi Coder

Reputation: 5532

Assuming you are using .Net:

I create a "Libraries" folder in my project and source control that contains any third party assemblies.

My solution then references those assemblies and my build process pulls that folder down to our build server.

Anyone pulling your code from source control should be able to compile it without having to hunt down references and assemblies.

Upvotes: 4

JP Alioto

Reputation: 45117

It depends on how big they are. When binaries or installers are too big, it can cause havoc for remote users. The upside of storing binaries and installers is that everything a developer needs to get up and running is in source control and the versions are correct. If you have a separate installation location, versions can get messed up. So, in general I like to store small or moderate binaries in source control, but larger ones I leave out.

Edit: Oh, and I call mine "BinRef" :)

Upvotes: 0

RandomProgrammer

Reputation: 1640

You should be able to install a fresh OS, get your sources from source control, build and run. So yes, you should put them in source control.

Upvotes: 0

Tom Anderson

Reputation: 10827

My experience has been to create a "lib" folder and keep all 3rd party binaries in there. I will create a totally separate tree for the Source Code to these third parties if it is available.

One place where this might be different is if you are using an open source vs. a retail 3rd party: with open source solutions I tend to just include the code in my projects and not check in the binaries.

Upvotes: 1

lothar

Reputation: 20209

Conceptually you need to store at least the binaries (and the headers if you do C/C++). That's usually the only way with third party libraries where you don't have the source.

If you have the source you can opt to store the source and build the third party libraries in your build process.

Upvotes: 0
