Quick thoughts at the CocoaPods SOTU about how enterprises are using CocoaPods at scale.
Presenter Notes:
<1>
There are lots of people using CocoaPods for public projects, and it has a rich ecosystem of tools around the core job of managing dependencies. There are also people and companies creating private spec repos. While this is supported, it's not built into the entire ecosystem by the very nature of being private.
<2>
At Yahoo, we have a private spec repo with just under 100 pods. It's large enough that we have dependencies between pods, and some of the older ones have been deprecated by newer replacements. If somebody publishes an update to a pod, it could affect all of our apps.
<3>
There's a tradeoff of agility vs. keeping things running smoothly. I suspect that this is a place where improvements can be made, and I'd love to talk with anybody who has gone through these decisions.
<4>
For private specs, trunk isn't yet an option: `push` requires giving access to lots of people. In the end, we decided to revert to pull requests. This allows us to do a bit of manual review at a point where updates are easily visible to every team. It's a bit more strict than Semantic Versioning. We care about API changes, but also about the specific impact those changes will have on our apps.
<6>
Our security team wanted a way to keep pods with known vulnerabilities from being deployed. They poke at libraries all the time and keep a close eye on the security community. They also found that developers don't always read their email when they are trying to get work done.
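As an added example (not Yahoo's tooling and not part of these notes), here is one shape such a gate can take: a small Ruby check, runnable in CI or from a Podfile hook, that reads the resolved versions out of `Podfile.lock` and reports any pod whose version falls inside a deny list the security team maintains. The deny list, the `ExampleNetworking`/`LegacyCrypto` pods and the sample lockfile are constructed for illustration.

```ruby
require 'rubygems' # Gem::Version / Gem::Requirement do the version comparisons

# Constructed deny list: pod name => requirement strings describing the
# versions that must not ship. Not a real advisory list.
KNOWN_BAD = {
  "ExampleNetworking" => ["< 2.3.1"], # hypothetical: fixed in 2.3.1
  "LegacyCrypto"      => [">= 0"],    # hypothetical: retired, no version allowed
}.freeze

# Constructed Podfile.lock excerpt. Top-level entries under PODS: carry the
# resolved version "(3.2.1)"; nested dependency lines carry a constraint
# "(= 3.2.1)" and are skipped by the regex below.
SAMPLE_LOCK = <<~LOCK
  PODS:
    - AFNetworking (3.2.1):
      - AFNetworking/NSURLSession (= 3.2.1)
    - AFNetworking/NSURLSession (3.2.1):
      - AFNetworking/Reachability (= 3.2.1)
    - ExampleNetworking (2.3.0)
    - LegacyCrypto (1.4.2)

  DEPENDENCIES:
    - AFNetworking (~> 3.2)
    - ExampleNetworking (~> 2.0)
LOCK

# Parse the PODS: section into { pod name => resolved version }.
# Subspecs ("AFNetworking/NSURLSession") collapse onto their parent pod.
def resolved_pods(lockfile_text)
  pods = {}
  in_pods = false
  lockfile_text.each_line do |line|
    if line.start_with?("PODS:")
      in_pods = true
      next
    end
    break if in_pods && line =~ /\A[A-Z ]+:/ # next section, e.g. DEPENDENCIES:
    next unless in_pods
    if (m = line.match(/\A\s*- ([^\s\/(]+)(?:\/[^\s(]+)? \(([^)\s]+)\)/))
      pods[m[1]] ||= m[2]
    end
  end
  pods
end

# Return one "Name version (blocked: requirement)" string per violation.
# An empty array means the lockfile is clear to build.
def vulnerable_pods(lockfile_text, deny = KNOWN_BAD)
  resolved_pods(lockfile_text).flat_map do |name, version|
    hit = deny.fetch(name, []).find do |req|
      Gem::Requirement.new(req).satisfied_by?(Gem::Version.new(version))
    end
    hit ? ["#{name} #{version} (blocked: #{hit})"] : []
  end
end
```

In CI, run `vulnerable_pods(File.read("Podfile.lock"))` and fail the job when the array is non-empty, so the block happens at build time rather than in an email nobody reads.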
<7>
My favorite part of CocoaDocs, I think, is the automatic docset generation. This lets you easily get docs out to Xcode or Dash. This is hugely beneficial for internal libs.
<9>
Archival of state so we can re-build a specific version if needed. Let's face it, repos move and owners change. This can be an issue for people who need to worry about continuity and reproducibility.
<10>
Seriously, talk about this if you are doing it. I get the feeling that lots more companies have started using private spec repos, but that there are also lots who are holding out.