Silverfish Software – Affordable developer portal for everyone

Case study: Carrying out upgrades

Why easy-to-change software creates problems as well as benefits

There was a debate a few years ago around whether software engineering was “real engineering”. The driver behind it was the idea that for example a civil engineering team building a new bridge would spend months, years even, creating models - both physical and mathematical - and testing those models to destruction. Bridges falling down in real life are catastrophic events. Far better that time be spent up front to ensure the models fail than risk lose of life when the real thing fails. But software development doesn’t work that way. Other than with safety-critical systems, a bug in an app is unlikely to be life-threatening. It is relatively quick to fix a bug and, since the birth of the Web, it has become very easy to distribute new versions of that bug fix via upgrades. Therefore software engineers didn’t follow that “spend years designing and testing the design up front”, so aren’t real engineers.

The consensus that grew out of that debate was that there was a misunderstanding around the role of the developer from an engineering perspective. That developer writing code was wrongly being viewed as the builder of the bridge, not as the designer. By treating the code as the design and the compiler as the builder, software development makes sense as an engineering discipline. The engineer creates the design, the compiler takes that design and from it, builds a component of the app. Automated tests are then used to test that component to destruction. Even the whole app can be tested that way with end-to-end tests.

Because it is quick and easy to change the design of the software bridge, then build it afresh and test it to destruction, it is possible to release new versions frequently. The upgrade of a real bridge might take a decade. In comparison, pushing a new version of a microservice to production can take just hours and occur more than once a day. However a consequence of that ease-of-change is that it’s not just an organisation’s own software output that can be rapidly and frequently updated. The third party software tools and libraries they rely on also frequently change. And because they rapidly change, older versions go out of support much more quickly, often within a year of release.

Dealing with the constant stream of new versions of tools and libraries is a challenge for any organisation. A software development team might have 100s, even 1,000s of repositories, some of which need to be kept up to date, some of which are stuck needing to use older tools. Some will produce libraries used by other repositories. There may be legacy systems that need maintaining, but there will also be lots of systems that are in active development and the tools for those repositories need to be updated without impacting on that development flow. Keeping everything up to date can be a huge and costly undertaking.

Fictional Case Study: Mantis Accounts Annual Upgrade

Mantis Accounts have been established for 20 years and produce a range of accounting products, from desktop and mobile applications, through Excel plugins to an online portal. Most of the source is written in C# and .NET 8. The portal uses Angular. One Android app that the company acquired from a merge is written in Java. There are plans to rewrite it, but for now it is updated with the occasional bug fix. The Excel plugins are mainly .NET Framework-based, though some have been rewritten to use TypeScript and the newer APIs, so support the web-based version of Excel.

The development team is conducting it’s annual review of the state of the repos. A shared spreadsheet from last year is sent to the team leads, each tasked with updating it with their set repos and what they contain: apps, libraries, services or something else. The languages frameworks used, along with their versions are recorded. The process drags on for a few weeks as feature development has to take priority. Eventually, the following conclusions are reached:

  1. Repos containing obsolete internal systems can be ignored. There is a brief repeat of last years’ “can’t we just delete them?” discussion, but the decision to keep them “just in case” remains unchanged.
  2. Repos containing .NET 7 or older and Angular 18 or older are identified as using out-of-support versions of frameworks. These will be prioritised for upgrade as it means they weren’t upgraded last year.
  3. The Java repo is felt safe to leave for another year with no upgrade needed.
  4. The older, Visual Studio Tools for Office (VSTO)-based plugins for Excel are stuck on .NET Framework, which has long-term support. But one is found to be using .NET 4.5, which is out of support, so that needs upgrading too.
  5. A map of how the repos relate to each other is created. This is a very time-consuming task as things have changed over the last year and the previous map is found to be an unreliable starting point. The teams examine the code of each repo in turn, noting any internal packages created and consumed, before the information is pulled together to create the dependency map.
  6. The map is complicated by the fact that new versions of .NET introduce breaking changes. As Mantis Accounts has a strict “treat warnings as errors” policy, even deprecated APIs that cause a warning are breaking changes. Repos containing such code will need fixing before they can be upgraded. So any packages they consume cannot be easily upgraded until then.

Finally, Stories and Tasks can be created in Jira to record what needs doing, in what order. One team lead is assigned to coordinate the process, though it proves a frustrating job due to pushback from project and product managers who have their own pressures of on-time feature delivery to deal with and the annual upgrade just causes delays for them. But, over the course of a few months, the job gets done.

How the Silverfish IDP will be able to help

One of the key features of an IDP is that it provides a centralized information hub. In other words it provides a central location for key information that can be used to better plan upgrades:

  1. Repos are automatically scanned to determine their content. And they are rescanned every time a change is pushed to the main branch. The scan determines languages and frameworks used along with their versions. Outputs, such as packages, services or apps can be identified. In addition, repos can be manually tagged with metadata including identifying those that are obsolete, along with which team owns the repo (though that can be inferred to from PR policies, the team most often making changes etc). The information in our example spreadsheet is instantly available as the Silverfish IDP constantly updates that data every time things change.
  2. The Silverfish IDP will have in-depth knowledge of Javascript/Typescript, Python, Ruby, Java, PHP and C#/.NET as a starting point (with many more languages to be added later). As such, it can automatically flag repos using out-of-support version of .NET/.NET Framework, React, Angular, Ruby on Rails, Spring …the list goes on.
  3. By analysing the contents of repos, a “software bill of materials” (SBOM) can be created. This contains dependency information for code within each repo, both in terms of 3rd party packages as well as internal ones. This will allow dependency maps to be auto-generated.
  4. As well as built-in rules for checking repos, Silverfish IDP will support custom rules, too. One such use of these would be to check for breaking changes with new releases. For example, .NET 10 introduces many breaking changes. One such change is the deprecation of WithOpenApi extension methods. A rule could easily be added to check for those methods in C# code and to flag if found. This helps identify fixes needed before upgrades can take place.
  5. Finally, Silverfish IDP will integrate with GitHub issues, Azure DevOps and Jira, allowing Stories and Tasks to be created to map out upgrade work.

Silverfish IDP won’t be able to do Mantis Accounts’ annual upgrade for it, and the pushback from project and product managers will still happen, but the IDP automates all of that preparation work. And because the information is constantly updated, it can become a BAU task that happens throughout the year, allowing that annual upgrade headache to be retired. Now that really is worth that $59.90 a year for each developer.