Yes, more in-depth talks would be appreciated. 👍🏻

I get most of them from qwertee.com

In general my advice is to use simple unique ID versioning, and then if you need it, layer semantic versioning on top as a kind of "display name" for the version. I generally prefer to use an ID generated by a version control system as the unique ID of a release candidate.

It is covered to some degree in the "CD Pipelines" book, but there are no plans for an update to "Continuous Delivery".

Try this: kzbin.info/www/bejne/bZzSdpZunr1qd68

Do you think security is different in this respect to any other behaviour of the system? It is not that I expect everyone to get things perfectly right at the start, but that instead of building things that you then gate-keep later, you build your assumptions, the same ones you check in your gatekeeping, into automated evaluations of the system. Of course, this means that you need to find ways that make automating those assumptions easy, but the saving is that once they are automated you don't need to repeat them with every gate-keeping event. So this scales really very well. Naturally we may miss things, but so will the gatekeeping, so in both cases when we find the mistake we add something to prevent it in future, in the gatekeeping world, that means ever more time and effort, in the automated world it means, maybe some more capacity to run the tests.

@@ContinuousDelivery security is different because there is active malice on the attack side. Security testing is much more difficult. See all the issues with CPU branch prediction.

@@ContinuousDelivery I agree that you can generate decent security tests by trying all known vulnerabilities to every interface and parameter. Doing it this way probably make the tested software more secure than most. Doing more is way above my level anyway. When it gets more difficult is when a new type of vulnerability is discovered: then all the existing tests must be updated, even if the application software itself never changed. So you have to monitor newly discovered vulnerabilities, even in applications not related to yours. That is unusual, and I am not sure how CD helps with this. It is not like _not_ using CD would help either. I am just uncomfortable with the sales message that CD is _the_ one and only solution to _all_ software issues.

@@pascalmartin1891 ...or just add an additional test that covers the new case.

@SuperWhisk A close source stack is a different discussion. Certainly, not many companies can afford develop entire tech stack on their own. Apple, Google, probably few more. Yes, benefits are great, but costly. Certainly not many can take the risk. I am lucky having all JavaScript code on my own.

why explore it by hand ? run a pipeline with a few popular security, quality and legality tools, and be done with it :)

@@AleksandarIvanov69 Do not give hackers the clue - do not use hacks based on "popular security, quality and legality tools" caught ones.

@SuperWhisk I work a lot with fintech companies, they won't accept your claim. But if you develop a game or other entertainment app, why do not use OSS? I am with you.

@SuperWhisk I agree, it is an interesting topic. For example European and American institutions have different rules. But most will require escrow your code too. The worst thing you can't argue, they will select other vendor. But we can keep the discussion