- The purpose of software versioning is twofold. First, it allows software engineers to validate whether an external dependency can be safely upgraded without the risk of introducing issues to production systems. Secondly, being able to explicitly reference required software dependencies via their versions is a prerequisite for implementing the concept of repeatable builds.
- A semantic version is a string of the form MAJOR.MINOR.PATCH, where:
- The major component is incremented when a breaking change is introduced to the software
- The minor component is incremented when new functionality is introduced to the software in a backward-compatible way
- The patch version is incremented when a backward-compatible fix is applied to the code
- In the first case, we would increment the minor version as the new API does not break backward compatibility. In the second case, we would increment the major version as the new required parameter breaks compatibility with older versions of the API. Finally, in the third case, we would increment the patch version.
- One approach would be to tag each build with a unique, monotonically increasing number. Alternatively, we could annotate build artifacts with a timestamp that indicates when they were created.
- The pros of vendoring are as follows:
- The capability to run reproducible builds for current or older versions of a piece of software
- Being able to access the required dependencies locally, even if they disappear from the place where they were originally hosted
- The cons of vendoring are as follows:
- Engineers should monitor the change logs for their dependencies and manually upgrade them when security fixes become available.
- If the authors of the vendored dependencies do not follow semantic versioning for their packages, upgrading a dependency can introduce breaking changes that must be addressed before our code compiles again.
- Some differences between the dep tool and Go modules are as follows:
- Go modules fully integrate with the various commands, such as go get, go build, and go test.
- While the dep tool selects the highest common version for a package, Go modules select the minimum viable version.
- Go modules support multi-versioned dependencies.
- Go modules do away with the vendor folder that's used by the dep tool.
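As an added example that is not part of the original page, the semantic-version format and the minimum-version selection point above put into Go: a parser for MAJOR.MINOR.PATCH strings and a build-list computation over a constructed requirement graph, showing that Go modules pick the newest version some go.mod actually requires, never the newest version that merely exists. The module paths (example.com/app, example.com/a, and so on) and the graph contents are made up for the illustration.

```go
package main

import (
	"fmt"
	"strings"
)

type Version [3]int // MAJOR, MINOR, PATCH components of a semantic version
// ParseVersion parses "vMAJOR.MINOR.PATCH"; text after the third number is ignored.
func ParseVersion(s string) (v Version, err error) {
	n, err := fmt.Sscanf(s, "v%d.%d.%d", &v[0], &v[1], &v[2])
	if err != nil || n != 3 || v[0] < 0 || v[1] < 0 || v[2] < 0 {
		return Version{}, fmt.Errorf("bad semantic version %q", s)
	}
	return v, nil
}
// Less reports whether a precedes b: compare MAJOR, then MINOR, then PATCH.
func (a Version) Less(b Version) bool {
	return a[0] < b[0] || a[0] == b[0] && (a[1] < b[1] || a[1] == b[1] && a[2] < b[2])
}
type Graph map[string][]string // "path@version" -> the requirements in its go.mod
// SampleGraph is a constructed requirement graph (not real modules): the root app plus each available dependency version's go.mod.
var SampleGraph = Graph{
	"example.com/app@v0.1.0": {"example.com/a@v1.1.0", "example.com/b@v1.2.0"},
	"example.com/a@v1.1.0":   {"example.com/c@v1.3.0"},
	"example.com/b@v1.2.0":   {"example.com/c@v1.4.0", "example.com/d@v1.0.0"},
	"example.com/c@v1.5.0":   {"example.com/d@v1.1.0"}, // newest c, but nothing requires it
}
// BuildList performs minimal version selection: walk every requirement reachable
// from root and keep, per module path, the newest version some go.mod asks for.
func BuildList(g Graph, root string) (map[string]Version, error) {
	selected := map[string]Version{}
	seen := map[string]bool{root: true} // guards against cycles in the graph
	for queue := []string{root}; len(queue) > 0; queue = queue[1:] {
		for _, req := range g[queue[0]] {
			path, ver, _ := strings.Cut(req, "@")
			v, err := ParseVersion(ver)
			if err != nil {
				return nil, fmt.Errorf("requirement %q of %s: %w", req, queue[0], err)
			}
			if cur, ok := selected[path]; !ok || cur.Less(v) {
				selected[path] = v
			}
			if !seen[req] {
				seen[req], queue = true, append(queue, req)
			}
		}
	}
	return selected, nil
}
```

Calling BuildList(SampleGraph, "example.com/app@v0.1.0") resolves example.com/c to v1.4.0 even though v1.5.0 is present in the graph, which is exactly the reproducibility property that lets Go modules work without a separate lock file.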