►
From YouTube: Brown Bag: Generic Semantic Version Matching
Description
No description was provided for this meeting.
If this is YOUR meeting, an easy way to fix this is to add a description to your video, wherever mtngs.io found it (probably YouTube).
A
You
have
a
unique
version
number
that
you
assigned
to
the
software
project
and
that
the
state
of
the
software
project
is
represented
by
that
quiet
number
and
usually
you
have
like
three
main
components:
that's
called
a
subversion
core
in
the
assembler
specification,
that's
major,
minor
and
patch.
Usually
it's
expressed
like
this
V
1.2.3,
and
this
this
example
version
to
be
1.2.3.
It's
the
major
component
was
one
the
minor
component
too,
and
the
patch
1.3
so
they're
like
separated
by
dots
and
the
they
have
some
meaning
attached
to
them.
A
So
the
major
version
is
usually
incremented
when
you
apply
a
backwards,
incompatible
change
to
your
software,
the
minor
version
is
incremented.
If
you
add
new
backwards,
compatible
functionality
to
your
software
and
the
petrol
version
is
for
usually
for
minor
bug,
fixes
that
are
all
backwards
compatible
and
when
you're,
looking
into
December
spec
specification
that
I've
linked
in
the
actually
the
slides
are
available.
So
in
the
agenda
you.
B
A
This
is
the
the
top
level
top
level
rule,
and
it's
basically
saying
that
valid
semantic
version
consists
of
the
version
core,
which
is
like
these
three
items
here,
plus
suffix,
which
can
be
abbreviated
suffix
or
a
build
suffix
build
suffixes
are
added
with
a
plus
and
primitive
suffixes
with
the,
but
for
for
this
playground
rake.
We
only
consider
these
previous
suffixes,
because
the
build
suffix
can
be
just
dropped.
A
It's
just
meta
information
that
you're
heading
to
the
version,
but
it
doesn't
contain
any
any
information
about
how
this
version
compares
to
other
versions,
and
this
is
done
below
you'll
find
the
list
of
valid
semantic
versions
according
to
the
Sunburst
specifications.
For
this
list,
here
is,
if
you
all
like
valid
semantic
versions,
so
semantic
versioning
learning,
so
the
same.
Respect
particularly
is
very
clear
about
the
structure
of
a
semantic
version
and
also
how
to
use
it
and
how
to
apply
semantic
versioning
using
semantic
versions,
and
but
it's
purposely
simplistic.
A
So
it's
like
a
document
that
you
can
read
in
an
hour
or
two,
and
you
would
basically
understand
everything
you
need
to
know
about
semantic
versioning.
This
is
the
biggest
strength,
but
maybe
also
the
biggest
weakness,
because
this
led
a
lot
of
languages,
ecosystems
and
package
managers
to
define
their
own
non-standard
native
extension
of
semantic
versioning.
A
So
to
give
you
a
small
example
of
prepares,
my
exam
for
that.
So
what
I
wanted
to
do
is
what
I
want
to
do
is
I
would
like
to
take
a
list
of
semantic
versions.
The
same
list
basically
and
I
would
like
to
sort
them
using
the
native
semantic
version.
I
agree
that
pip
is
using
a
native
semantic
version.
I
agree
that
that
maven
is
choosing
just
to
show
you
the
script
scripts
that
I'm,
using
so
from
maven
I,
have
like
a
small
java
class
that
that's
using
a
semantic
version.
A
Library,
that's
part
of
maven,
that's
called
like
default
artifact
version,
and
this
gives
you
some
semantic
versioning
matching
capabilities,
that's
compatible
with
maven
as
many
version.
The
scheme
that
maven
is
using
and
as
input
I
would
provide
a
JSON
file
and
this
this
class.
You
will
basically
go
through
this
file
and
determine
what
is
what
semantic
version
is
greater
than
the
other
and
we'll
do
some
sorting
and
we'll
print
out
the
list
of
started
persons.
A
This
is
basically
all
happening
here,
so
we're
just
invoking
the
native
semantic
version,
library
and
then
I
will
do
the
same
and
for
hi
Python
so
for
Python.
I
also
have
like
a
small
script
that
does
the
same
thing.
It's
using
packaging
version,
that's
also
what
what
pip
is
using.
So
the
same
assembler
match
made
sure
that
it's
integrated
within
Pip
and
it's
we're
using
this
just
to
parse
a
JSON
file
with
semantic
version
of
this
of
semantic
version
and
sorted
and
writes
a
stronger
version.
A
So
for
that
I
have
prepared
a
small
make
fire
and
it's
basically
just
taking
you
can
see.
We
devote
make.
Oh
my
god
here
we
invoke
in
both
both
tools
and
it
will
just
take
the
file
to
sort
the
list
and
the
list
is
just
check,
simple,
JSON.
Okay,
this
is
the
list
of
input
versions
that
we
would
like
to
do.
Sort
and
I
will
take
this
as
input
and
never
run
the
sorting
and
as
output.
You
can
see
the
sorted
semantic
versions
so
for
maven
and
pipe
IPA.
A
We
have
the
same
list
because
this
year
is
just
the
version
core.
So
this
list
you
only
contain
semantic
version,
is
according
to
the
version
core
and
there
are
no
like
pitfalls
and
you
when
you're
just
using
those
versions,
but
then
I've
prepared
another
list
which
is
inconsistent
JSON.
That
is
different,
so
it
contains
only
two
versions,
and
one
of
them
is
again
a
simple
version.
Core
version
and
the
other
one
is
a
version,
that's
specific
to
maven,
so
maven
as
a
concept
of
an
SP
release
which
is
actually
a
post
release.
A
So
it's
it's
Creator
supposed
to
be
greater
than
1,
2
or
3,
and
when
I'm
invoking
the
same
script
with.
If
this
is
input,
the
the
sorting
order
is
different.
So
for
maven
it
considers
this
SP
release
to
be
greater
than
1
point
2
point:
3,
&,
4,
PI,
P
I,
it's
the
other
way
around,
so
actually
PI,
P,
I,
doesn't
know
it
doesn't
even
know
whether
in
SP
releases.
So
it's
actually
it's
basically
an
invalid
version.
A
If
you
take
the
central
specification-
and
this
is
one
of
the
problems
that
that
you
have
when
when
because
I
mean
the
standard
of
semantic
version-
is
kind
of
nice,
but
then
these
different
packets
with
eco
systems,
they
use
different
flavors
and
there's
a
certain
point.
You
it's
hard
to
unify
them
all
of
this
two
to
one
common
common
system,
because
they
they
use
some
contextual
knowledge
about
different
version.
A
So
as
an
availability,
research
thing,
we
are
basically
are
curating
the
goodlove
advisory
database
for
the
pendency
scanning,
and
this
is
the
collection
of
Saturday
JSON
files
and
we
integrate
different
data
sources,
so
we
have
like
nvd
and
friends
of
PHP
will
be
second
week.
We
take
these
data
sources
and
extract
data
from
them
and
then
generate
advisories
and
yellin
format
that
are
adhere
to
our
own
advisory
format.
Specification
and
indeed,
you
could
have
advisory
data
base.
We
have
different
package
types
that
are
supported,
so
IPI
NPM
may
even
go
packages
and
jam.
A
These
are
the
package
types
of
currently
support
and,
as
I
showed
in
the
previous
example,
all
of
them
they
just
use
different
flavors
of
semantic
versioning.
They
have
different
ways
to
express
an
anti
versions,
but
also
different
ways
to
express
the
version
constraints
between
between
those
versions,
but
all
of
them
at
the
same
time
have
their
own
native
sembra
libraries.
So
when
you're
using
pipe
I
like
a
package
manager,
pip
or
NPM,
where
you
have
like
Pantelleria
under
yarn
or
NPM,
they
they
actually
use
their
own.
A
A
So
for
the
yeah
we
just
wanted
to
shortly
introduce
a
snippet
of
key
advisors,
informant
that
we
are
using
to
motivate
this
a
little
bit
better.
So
in
our
advisory
forward,
we
have
a
couple
of
fields
that
are
related
to
versions.
We
have
an
effective
range
field
and
this
effective
range
field
contains
a
version
ranges
that
say
that
this
advisory
is
related
to
these
versions
of
this
particular
package.
So
this
is
basically
what
this
effected
range
is
about.
A
It
tells
you
that
these
that
this
package
is
available,
starting
from
version
1.9
up
to
version
2.7,
one
point
one
or
a
two
point:
nine
two
point:
eight
is
one,
and
then
we
have
fixed
versions
and
fixed
versions
is
usually
a
mutually
exclusive
we've
affected
range,
so
these
are
versions
that
are
not
affected
per
definition.
Basically,
and
then
we
have
not
impacted
sorry.
B
A
This
distance
X
here
is
package
specific,
so
this
is
I
listed,
the
all
the
standards
or
all
the
rules
that
we
are
using
down
below.
So
this
is
expressed
in
terms
of
the
language
used
by
the
target
package
type.
So
if
you're
using
maven,
then
the
C
would
be
like
the
mavens
and
person
text
if
you're
using
gem.
This
would
be
the
Ruby
constraints
and
text
and
so
on
and
I
linked
them
below.
A
So
these
are
like
the
the
different
specification
and
woods
I
mean
for
for
Python,
it's
even
part
of
the
language
standard,
so
they
have
like
a
tab
that
defines
all
the
different
constraints
and
limits
for
for
semantic
version
matching,
but
this
part
is
specific
to
the
package
type,
so
it
looks
different
depending
on
which
advisory
this
is
form
so
this
this
year,
for
example,
is
Python
this.
This
is
a
snippet
or
an
excerpt
from
and
python
advisory
and
advisory
related
to
a
python
package
and
yeah.
A
A
These
ranges
in
texas,
depending
on
the
target
package
type
oh
yeah,
and
this
is
like
an
example
that
shows
you
the
difference
in
Texas
for
Gem
maven.
So
four
foot,
five
foot,
four
rubygems
you
have
this
basically
is
like
a
disjunction
of
conjunctions.
So
we
have
a
disjunction
is
expressed
with
two
pipes
and
then
you
have
between
these
points.
We
have
these
version
ranges.
So
this
space
is
a
logical
end,
so
this
e
would
be
arranged.
That
goes
from
two
point:
zero,
zero
up
to
two
point:
zero.
A
Four,
and
this
would
be
another
range
that
goes
from
3.00
up
to
four
point:
zero,
zero
beta
seven-
and
these
are
like
connected
through
logical
disjunction.
So
you
would
either
match
this
one
or
that
one
and,
depending
on,
if
you
find
normal
at
return
to
when
you're
going
through
the
affected
range
for
maven,
they
use
a
more
mathematical
notation
where
you
have
brackets
so
ranges
are
for
interests.
You
use
these
brackets
for
no
and
upper
bound
and
disjunction.
Is
the
comma
between
these
segments
and
for
NPM?
A
You
have
also
pipes
that
you
know
logical,
disjunction
and
spaces
for
conjunction
and
yeah,
so
it's
there's
a
lot
of
similarities,
but
some
just
some
minor
differences
between
the
different
syntaxes
that
they're
using
and
the
data.
Just
to
give
you
like
a
general
idea
how
this
data
is
used.
So
we
have
this
data
and
the
advisories,
and
then
we
have
the
gymnasium
analyzers
and
what
they're
doing
is
they
download
the
the
Yama
files
with
the
advisories
from
the
advisory
database
and
then
they
scan
basically
the
source
code.
A
So,
let's
assume
you
have
like
a
Python
project.
What
the
generation
analyzer
does
is
basically
scans
or
parses
the
dependency
file
that
contains
the
for
the
log
file
that
contains
all
of
the
versions
that
I
used
as
dependencies
and
cross
validates
that,
with
the
information
from
the
Advisory
database,
by
trying
to
figure
out
the
steering
advisory
that
relates
to
dependency,
X,
Y
and
then
the
Jame
Eliza
basically
takes
the
affected
range
and
access
this
information
information
onto
what
we
call
the
range
tool.
A
So
at
the
moment,
what
we're
doing
in
international,
what
it
Tunisian
analyzer
does
is
for
every
single
package
type
that
we
support.
It
implements
a
script
in
the
native
language,
implemented
in
the
native
language
that
uses
the
native
semantic
version
library
to
match
those
versions.
So
for
Python.
What
would
what
would
happen
is
that
we
have
a
rear-engine
script
written
in
Python
that
uses
the
native
semantic
version.
A
Matching
library
and
gymnasium
passes
on
the
effective
range,
together
with
the
information
from
the
log
file
to
the
view
range
tool
for
to
check
the
version
for
Python
the
same
form
for
for
PHP
and
for
other
languages.
So
the
kind
of
dispatch
this
to
to
the
tools
that
can
cope
of
the
all
the
quirks
of
the
native
sender.
Libraries
in
the
gymnasium
analyzer
just
wanted
to
add
this
to
to
basically
give
you
the
context
in
which
this
data
is
being
used
and
how
it's
being
used
at
the
moment.
A
And
so
the
so,
the
first
motivation
was
about
generating
the
effective
range
in
terms
of
the
different
like
targets
in
Texas.
That
types
in
Texas
that
we
support
and
and
another
goal
that
we
had
was
we
wanted
to
leverage
with
Allen
sees
that
we
have
in
the
advisories.
So
to
give
you
an
example,
affected
range
and
fixed
versions
are
correlated.
A
So
if
you
know
affected
range,
you
can
basically
infer
fixed
versions
because
from
affected
range,
you
can
compute
the
non
affected
range
and
if
you
know
the
non
affected
range,
you
can
basically
collect
information
from
the
package
registry
to
see
what
versions
have
been
released
that
fall
into
the
one
affected
range
and
those
are
the
fixed
versions
for
not
impacted.
That's
the
same,
so
not
impacted
been
affected.
The
range
is
kind
of
connected,
so
just
not
impacted
field
by
the
way
is
only
a
textual
description
that
we
used
to
tell
the
user.
A
What
are
the
versions
that
are
not
impacted,
so
it's
visible
or
readable
by
the
user,
and
for
that
we
can
just
invert
the
affected
range
and
generate
a
textual
description
from
from
the
inverted
range
and
solution
can
be
inferred
from
fixed
versions.
So
we
can
generate
the
solution
from
the
fixed
versions,
bending
and.
A
Instead,
we
would
like
to
inform
range
from
these
from
this
list.
So
in
this
case,
so
this
is
actually
taken
from
a
real
example.
You
have
like
four
versions
and,
as
you
can
see,
they're
consecutive,
because
the
patch
version
is
always
incremented
by
one
and
and
I
would
say
99.99%
of
the
cases.
This
means
that
this
is
this
is
a
version
range,
so
this
range
spans
from
two
point.
A
You
you
need
to
have
some
knowledge
about
semantic
versioning
and
no,
but
and
whether
or
not
two
versions
have
an
offset
of
one
or
not
in
order
to
collapse
them
and
the
fourth
motivation
was
about
advisory
validation
and
so
for
a
get-together
advisory
database
is
open.
So
we
hope
that
in
the
future,
more
users
will
contribute
to
the
other
advisory
database
and
we
would
like
to
automate
the
validation
of
advisories
as
much
as
possible,
so
find
inconsistencies
between
affected
and
fixed
versions.
A
It's
one
of
these
validation
tasks
and
that
we
that
we
have
implemented
in
a
CI
job
for
noodle
advisory
database
and
the
second
part
is
since
we
have
I
think
one
month
we
are
now
a
CNA
and
the
vulnerability.
Research
team
is
also
responsible
for
issuing
CV
numbers
so
and
we
can
reuse
the
semantic
version.
Generic
semantic
version,
library
that
we've
developed
also
to
find
and
consists
consistencies
in
version
information
that
is
attached
to
CVS,
that
are
submitted
through
our
CD
workflow.
A
And
so
there
is
like
a
couple
of
motivations
that
we
have
to
to
build
a
unified
semantic
version
matching
system,
and
this
is
just
just
a
summary
of
what
I
don't
use.
Of
course,
we
want
to
generate
effective
range
based
on
the
semantic
version
dialect
for
the
target
package
type
we
want
to
and
make
use
of
these
redundancies
that
we
have
and
the
advisories
to
automatically
generate
information
as
much
as
possible
ability
to
collapse
versions
for
NVD
and
automating
the
de
validation
as
much
as
possible.
A
So
this
is
also
the
point
where
we
we
kind
of
I
mean
we
didn't
really
go
through
requirements,
for
it
was
more
like
I,
just
were
thinking
about
what
we
when
we
started,
but
we
thought
through
crime,
went
to
work
and
when
we
developed
the
first
version
so
I
provide
this
list
which,
which
contains
all
the
functionality.
Here
we
wanted
semantic
or
generic
semantics
generic
semantic
version
Metra
to
support.
A
So,
first
we
wanted
to
to
provide
a
unified
interface
to
the
language,
specific
semver
dialects,
and
we
want
to
make
semantic
persons
in
a
language
agnostic
way.
So
we
want
to
be
independent
from
from
the
package
type
or
the
ecosystem.
We
want
to
be
able
to
collapse,
concrete
versions
that
was
the
NVD
issue.
That
I
showed
you
earlier.
Android
ranges
the
the
approach
to
be
using
should
be
able
to
cope
of
scattered,
non-consecutive
ranges
and
what
I
mean
by
that?
A
What
I
mean
by
that
is
that
if
you
have
a
version
constraints
that
spans
multiple
ranges,
you
using
you,
you
want
to
match
over
against
all
of
them.
So
it's
like
having
a
disjunction
of
conjunctions,
where
you
have
multiple
personal
angels
that
you
want
to
know.
That's
this
version
fit
into
one
of
them,
and
otherwise
you
cannot
really
realize,
or
you
can't
really
implement
a
semantic
version
constraint,
measure
it's
based
on
burden
constraints
and
then,
last
but
not
least,
we
wanted
the
measure
to
match
versions,
gracefully
and
handles
the
constraints
in
the
best
of
effort.
A
So
I
was
talking
about
the
the
range
hoods
earlier
that
that
implement
the
semantic
version
matching
according
to
the
rules
of
the
ecosystem
or
language
target
language
that
you're
using
and
you
can
consider
them
as
a
baseline
so
and
they
because
they
do
exactly
what
the
what
the
people
are
using
the
ecosystem
want
them
to
do.
If
you
have
like
Python,
for
example,
and
you're.
A
Looking
at
the
pep
specification
implementation
of
this
native
September
matching
library,
it
does
exactly
what's
specified
in
the
specification
and
if
you
implement
the
generic
semantic
version
match
for
for
this
measure
to
be
solved
and
complete,
it
should
behave
exactly
the
same
as
all
the
native
December
matched
up,
but
it
never
can.
So.
This
is
like
some
goal
that
we
can
never
achieve
and
because,
if,
if
we
want
to
stop
a
guarantee
server
so
needs
a
completeness.
Our
as
our
matches
should
behave
exactly
the
same
as
native
several
library.
A
It
should
fail
in
the
same
situations
that
should
match
gracefully
in
the
same
situations
so
which
basically
means
we
have
to
re-implement
and
matching
algorithm,
which
we
don't
want
to
do
so.
This
is
like
the
trade-off
in
our
context.
We
can
make
the
sacrifice
we
don't
need,
such
as
the
completeness,
because
we
have
control
over
the
input
data,
so
we
can
make
assumptions
about
the
input
a
that
they're
getting,
and
we
have
some
knowledge
about
the
input
data.
A
A
Okay,
so
this
was
like
just
a
disclaimer
and
now
I
wanted
to
show
you
some
of
the
tools
that
you
could
use
with
the
December
dialects
library,
that's
T,
so
we
have
developed
a
small
gem
that
you
could
use
and
the
source
code
is
also
available.
I
think
I
linked
it
in
the
agenda,
so
you
could
play
with
it
and
look
at
the
implementation.
The
test
cases
that
we
implemented
there
and
I
just
wanted
to
walk
you
through
some
of
the
the
features.
A
So
first
we
have
a
semantic
version
representation,
so
we've
implemented
try
to
come
up
with
a
generic
semantic
version,
representation
based
on
the
version
core
and
the
suffix.
So,
generally
speaking,
a
semantic
version
just
called
just
consists
of
the
version
core,
which
is
major
minor
and
patch,
released,
plus
the
previous
suffix,
and
this
is
basically
how
we
implement
it.
A
So
we've
been
looking
at
the
example
source
and
Ruby
code
here
when
you're,
creating
and
using
adding
versions,
which
is
also
the
interface
of
several
dialects
of
the
we
create
creating
a
new
version
1.2.3,
and
it
will
divide
this
version
into
three
segments.
You
can
see
these
three
segments
divided
by
Collins,
one
two
or
three,
and
you
can
ask
for
the
major
minor
and
Petra
version
in
this
semantic
version
string.
A
Then
the
second
part
is
about
how
to
if
you
have
liked
automatic
versions,
how
you
can
compare
them
to
one
another
and
for
that
we've,
basically
using
a
very
generic
representation
that
eliminates
all
the
trailing
zeros.
So
this
is
one
step
that
we're
doing
when
we,
when
you,
for
example,
compare
two
verses
like
2.00
and
2.0.
A
We
only
keep
the
the
nonzero
prefix,
and
so
this
example
by
eliminating
these
zeros
for
the
forest
too.
So
you
can
see
we're
creating
two
semantic
versions
too,
and
as
well
as
two
and
the
stores
2.00,
and
by
eliminating
the
two
trailing
zero.
We
ensure
that
both
of
these
versions
are
actually
the
same,
so
they
compare
and
they
when
you
comparing
them
with
the
quality
they
basically
basically
true.
A
And-
and
then
the
next
part
is
about
dealing
with
these
language,
specific
suffixes
that
you
may
encounter
when
you
use,
for
example,
maven
or
or
generally
speaking,
these
previous
suffixes,
they
have
to
be
translated
to
something
that
can
be
compared
and
what
we're
doing
is
we
would
take
these
version
suffixes
and
we
translate
them
into
the
numerical
main,
and
we
can
safely
do
this
because
forests
for
december
specification,
it
doesn't
know
about
negative
integers
or
negative
numbers
in
general.
It
only
come.
It
only
could
is
concerned
about
positive
positive
numbers.
A
So
if
you
have,
for
example,
like
a
risk
candidate,
usually
this
kind
that
is
smaller
than
the
actual
police.
So
this
version
here,
like
2.0
0
C
1,
is
smaller
than
2.00,
which
is
a
full
release
petty,
and
what
we're
doing
is
we
replace
our
C
or
met
our
C
to
a
numeric
value
which
is
minus
11
in
this
case?
A
So
this
I
think
we
have
now
overall
about
a
dozen
of
different
mappings
that
are
commonly
used
for
the
different
package
types
and
and
our
C
is
mapped
to
this
number
and
for
what
we're
doing
then
is
we.
We
essentially
use
these
different
segments
and
compare
compare
them
one
by
another.
I
will
show
an
example
shortly
so
this
years,
like
Erie,
creating
like
four
different
semantic
versions:
2.0
RC
12.00
towards
you
release
and
final
and
suspected
the
corresponding
output,
and
you
can
see
that
we
said
we
have
like
these
three
segments.
A
So
RC
is
translated
to
minus
eleven
for
both
of
them
and
but
we
keep
the
suffix,
so
RC
1
s
minus
level
1
and
our
c2
is
minus
11
to
because
this
version
here,
like
RC
2,
is
greater
than
RC
1.
So
we
have
to
to
keep
the
tested
trailing
number
for
this
kind
of
that,
and
then
we
and
this
for
five
commands.
We
basically
comparing
the
difference
versions
to
find
our.
So
here
we
compare
2.0
for
release
with
the
other
release,
and
it's
the
same
so
it
deals
true.
A
Here
we
compare
when
this
would
find.
It's
also
the
same
so
for
maven
release.
It's
the
same
as
a
final
version,
then
we
compare
which
acronym
final
and
it's
greater
than
our
c1,
which
is
also
true
because
it's
just
a
release
candidate
and
the
same
here
and
and
for
release
it
smaller
file-
and
this
is
false
because
releasing
final
are
basically
the
same,
and
this
is
the
way
how
we,
how
we
make
these
dislike
with
specific
suffixes
or
the
release
information
comparable.
A
A
A
So
we
add
two
trailing
zeroes
to
this
tool
to
make
to
ensure
that
both
of
the
person
segments
or
the
version
numbers
have
the
same
length
so
that
we
can
just
iterate
through
the
segments
and
compare
them
and
that's
what
the
next
thing
that
we
are
doing.
Is
we
iterate
over
every
single
segment?
So
we
would
start
with
these
two
segments.
A
These
are
like
the
first
two
like
2
2,
so
we
would
compare
this
2
with
this
2
and
since
they
are
equal,
we
we
go
on
and
check
the
next
segment
and
the
next
segment
would
be
0
and
minus
11
and
0
is
greater
than
minus
11.
And
so
we
can
already
stop
here,
because
so
that
constraint
or
the
diversion
check
would
be
satisfied
as
we
were
looking
for
or
we
were.
A
We
wanted
to
know
where
the
dispersion
is
greater
then
attend
that
person,
which
is
true,
so
we
can
stop
when
we
check
the
second
segment.
Essentially
so
so,
basically,
what
we're
doing
is
we
take
these
semantic
versions?
We
divided
into
segments
and
then
we
iterate
over
the
segments
and
compare
them
americlean
and
that's
basically
the
way
how
we
implement
semantic
version
comparison
and
but
but
that
is
some.
So
are
there
any
like
questions
or
concerns
or
could
I
explain
something
not
well.
B
A
A
Yeah,
so
the
the
first
part
was
about
the
structure
of
a
semantic
version
and
how
to
compare
to
semantic
versions
and
but
then
we
also
want
to
be
able
to
express
semantic
version
constraints,
and
this
is
where
we
can
use
linear
interval,
arithmetic,
which
is
quite
quite
useful,
because
it's
very
generic.
So
we
can
do
everything
we
want
within
the
interval
metic
because
it
treats
it
like
intervals
as
a
set.
A
So
we
can
use
all
the
the
standard
set
operations
to
to
resolve
version
version
constraints
and
just
as
a
to
give
a
little
bit
of
background
support
for
its
linear
interval
of
metric.
We
have
different
types
of
intervals:
I,
just
abbreviated,
left
and
right
with
ll
R
and
a
and
B
are
lower
and
upper
bounds.
So
these
are
like
the
lower
and
upper
ones
for
the
different
numeric
granges
that
we
have
usually
I'll,
sometimes
also
call
them
just
cuts
or
version
cuts.
Just
use
this
interchangeably.
A
So
in
linear
intergrate
think
you
can
have
different
types
of
intervals
and
the
first
type
is
left
right
close.
So
this
is
interval,
that's
left
right
close
and
you
have
a
lower
bound
of
a
and
not
the
point
of
P,
and
what
this
range
basically
says
is
that
it
covers
all
the
numbers
that
are
greater,
equals,
10
to
and
or
smaller
and
equals
4
x
1
equals
10
B.
A
Then
we
have
like
left,
open
and
right
closed
intervals,
which
means
that
all
the
net
values
are
covered
that
are
greater
than
a
so
a
is
not
included
basically
and
our
smaller
equals
B.
Then
you
have
left
closed
and
right
open
intervals
where
you
say
that
this
decorator
equals
a
and
smaller
B
and
left-right
open,
which
is
greater
a
and
smaller
B,
and
then
you
also
have
unbounded
intervals,
which
is
like
minus
infinity
and
plus
infinity.
So
this
is
for
smaller
or
smaller,
equal
or
greater,
quite
equal
to
constraints.
A
You
would
use
these
sort
of
intervals
to
to
express
them
and
for
simple
dialects.
We
implement
that
this
T's
or
the
generic
representation
we
use
to
express
version
constraints.
It's
just
Americans
about
that's,
basically,
the
representation
we
are
using
and
as
a
small
utility,
we
have
created
a
version
parser
that
that
takes
our
unified
like
syntax,
that
we
are
using
and
generates
an
interval
from
that.
So,
for
example,
this
here,
this
first
statement
you
can
see
here
creates
an
interval,
that's
great.
It
equals
1
and
small
equals
2.
A
So
this
is
a
and
left
left
right,
closed
interval
and
you
can
see
the
output
here.
So
this
is
like
1
2
and
for
the
second
one
it
would
create
and
left
open
right,
closed
interval
and
the
third
one
creates
a
left
cross
right,
open
interval
and
you
can
see
the
outputs
here
down
below.
So
this
is
the
representation
we
use
for
4
constraints
and
version
constraints.
We'll
provide
more
examples
on
the
next
slides
about
that.
A
So
the
the
reason
why
we
use
linear
interval
arithmetic
is
that
you
can,
as
imaginary
intervals,
are
just
sets
and
you
can
use
set
operations,
so
you
can
use
Union
intersection
and
complement
and
that
it
just
basic
you
all.
You
need
to
do
semantic
version
matching
and
the
first
one,
the
first
operation,
that's
important
to
us,
is
like
intersection
and
intersection
is
important
to
us,
because
you
can
use
this
to
check
whether
a
version
nice
within
a
certain
range
or
not.
A
So,
let's
suppose
you
have
your
affected
range
from
the
advisory
that
I
showed
earlier,
which
is
which
gives
you
like
a
set
of
ranges,
and
then
you
would
like
to
know
whether
a
version
falls
into
this
affected
range,
and
you
can
do
this
by
intersection
and
intersection
is
defined
like
this,
so
we
have
like
first,
we
have
like
ranges:
I
defined
them
like
like
this
way.
If
you
have
a
lower
bound,
which
is
so
good.
A
First,
you
have
two
intervals
x
and
y,
and
every
interval
you
have
a
lower
and
upper
bound,
so
the
lower
bound
would
be
an
Excel
and
upper
one
would
be
X
you
for
for
x
and
y
a
lower
bond
would
be
y
el
and
why
you
upper
bound,
and
if
you
want
to
compute
the
intersection
for
x
and
y,
you
can
generate
in
U
and
divide
by
applying
this
recipe.
Where
you
take.
The
maximum
of
Excel
and
Y
are
the
minimum
of
X.
U
iy!
U
and
you
have
your
intersection.
A
So
to
give
it
a
a
concrete
example,
if
you
have
25
and
3
and
10
just
for
simplicity,
I'm
using
just
normal
integers,
no
semantic
versions
in
this
case,
if
you
have
you
intersect
them,
this
was
like
3,
&
5,
because
3
&
5
is
are
the
numbers
that
appear
in
both
both
of
these
ranges.
So
this
is
like
the
intersection
for,
but
to
five
through
10.
A
If
you
want
to
intersect
two
and
five
and
seven
and
ten,
this
is
not
possible
because
there's
no
overlap
between
these
two
ranges,
so
the
disk
which
is
nearly
empty
set-
and
this
is
something
that
we
and
mentor
that
as
part
of
our
of
our
interval
representation.
So
again,
I
have
something
like
a
ruby
code
that
that
just
creates
like
arranged
to
two
to
five.
So
this
is
like
the
same
examples
that
we
see
here
and
it
does
exit
with
310,
which
is
basically
these
examples.
A
So
the
first
line
here
corresponds
to
this
exam,
and
the
second
line
here
corresponds
to
that
example,
and
you
can
see
that
the
output
is
exactly
the
same
as
as
here
in
the
end
is
example.
So
this
is
the
use
case
again
for
why
we
need
intersection.
Instead,
we
just
have
to
be
able
to
check
whether
a
version
that's
part
of
a
dependency
fire
falls
into
the
affected
range
that
is
contained
in
the
Advisory
know.
Advise
me
let.
A
B
A
B
A
Union
is
the
other
important
operation
that
we
that
we
need
and
for
Union
operation.
It's
there's
also
recipe.
So
if
you
have
x
and
y
in
order
to
to
build
a
Union
Union,
you
just
can
take
the
minimum
of
x
ly
enter
maximum
of
x
uy
us
the
upper
bound,
that's
the
lower
bound,
and
then
you
have
your
if
X&Y
have
points
in
common,
if
they
don't
have
points
in
common
like
in
the
second
example
here,
then
you
you
create
something.
That's
called
I,
think
disjoint
union,
where
you
have
like
a
range
of
intervals.
A
Basically,
and
and
that's
that's
basically
how
we
implemented-
and
this
is
interesting
for
matching
affected
ranges,
because
what
this
means
is
basically,
you
have
fewer
ranges
and
which
are
connected
to
an
implicit
disjunction,
so
we
can
just
iterate
through
it
and
then
check
the
versions
against
against
this
range,
and
this
is
some
Ruby
code.
That's
using
the
code.
That
corresponds
corresponds
to
the
example
again
here
we
have
like
two
and
five
and
three
and
ten.
So
this
is
example.
This
corresponds
to
this
line
and
the
Union
is
two
to
ten.
A
So
just
low
don't
want
an
upper
bound
to
this.
Like
corresponds
to
this
example
here
and
then
we
have
a
version
range,
and
that
is
something
that
we
used
to
organize
intervals.
So
that's
that's
touching
on
on
the
second
example
here,
where
we
have
arranged
intervals,
and
here
we
create
a
version
range
first
and
then
we
are
adding
the
different
versions
to
this
interval,
and
the
nice
thing
about
that
is
we
can.
We
can
match
the
different
versions
to
the
part
of
this
version
range
and
one
functionality
to
be
implemented.
A
Here
is
the
collapsing
operation
and
where
you
can
take
two
versions
like
here.
We
have
two
five
and
three
ten
and
four.
This
is
the
output
that
corresponds
to
this
line
here,
which
shows
you
the
every
single
item.
That's
part
of
this
of
this
version
range,
and
but
if
you
want
to
collapse
them
you
can
just
invoke
collapse
and
then
both
of
them
will
be
merged
together
because
they
have
an
overlap.
So
you
can
just
use
basically,
this
single
range
to
express
the
same.
B
Okay,
this
is
amazing
Julian.
If
I'm
understanding
this
correctly,
this
can
be
used
outside
of
just
affected
version.
For
example,
if
I
wanted
to
say,
take
a
gemspec
where
I've
got
different
constraints
represented
in
the
Ruby
syntax.
I
could
then
convert
those
into
this
intermediate
grammar
and
from
that
grammar
I
could
actually
resolve
the
gym
fouled
up
the
equivalent
of
the
gemfile
that
flock.
That's,
that's
the
space
that
we're
starting
to
approach
with
with
these
tools
right,
yeah.
B
A
A
B
A
Oh
yeah,
it
was
like
this,
like
previous
information,
of
course,
release
information
and
a
build,
build
information
then
just
attach
to
the
to
do
to
the
where
the
follow
build
information.
This
is
what
we
are
doing
at
the
moment.
We
just
drop
it
because
we
don't
not
an
interpret,
really
think
it's
relevant
for
comparing,
at
least
so.
We
just
eliminate
this
part,
because
it's
usually
just
used
to
attach
meta
information
D.
The
version
itself
that
it's
not
really
related
to
I
think
semantic
version
comparison,
almost
many
person
matching
now.
A
The
last
piece
is
about
a
union
and
intersection
used
together.
So,
as
I
mentioned
earlier,
we
need
to
be
able
to
have
like
disjunction
of
conjunctions,
so
like
inversion
range
that
contains
multiple
intervals
and
we
we
want
to
be
able
to
collapse
versions,
especially
in
the
context
of
nvd.
When
we
take
fetch
data
from
anybody
and
and
this
example,
we
we
create
a
version
range
and
we
add
several
intervals,
like
interval,
which
is
going
from
two
point.
A
One
point
two
to
five
point:
one
point:
two
and
gathering
tomorrow,
that's
going
from
three
point,
one
to
ten
and
then
in
in
the
first
command.
Here
we
check
whether
our
run
overlaps
with
every
interval.
That's
greater
equals
zero
or
smaller
to
point
one
which
is
not
the
case
because
they
are
like
disjunctive,
so
there's
no
overlap,
I
thought
returns
false
and
in
the
second
example,
we
tried
to
figure
out
whether
the
version
5.5
so
this
years,
like
a
concrete,
basically
a
single
version
that
we
would
like
to
check
could
also
in
our
syntax.
A
You
could
also
just
use
equals
five
point:
five,
which
translates
to
this
interval
where
this
lies
in
this
version
range,
and
the
result
is
true.
In
this
case,
I
mean
until
the
Union
part
is
basically
here.
This
is
the
first
party
really
inversion.
This
is
about
Union,
our
unifying,
adding
them
to
the
person
range
and
the
second
part
here
overlapping
checking
the
overlap
is
about
intersection
values,
intersect
check,
intersection
to
check
whether
version
falls
into
this.
This
version
range.
A
A
So
this
is
just
some
examples:
how
the
how
the
compliment
is
used-
and
this
is
the
relative
complement.
So
if
you
have
like
two
intervals,
you
can
create
a
relative
complement,
but
for
us
the
relative
complement
is
not
really
that
important.
It
really
just
needed
to
to
compute
the
total
complement
which
is
ever
just
like
defined
here
and
and
the
if
you
take
the
total
compliment.
A
I
just
want
to
quote
I
just
should
call
complement
political
total,
because
it's
a
it
better
made
me
read
it
to
understand,
because
it's
like
relative
I
would
just
want
a
total
compliment.
You
you
can
just
create
the
compliment
between
the
like
Universal
range.
This
basically
matching
the
whole
universe,
which
is
like
minus
infinity
to
plus
infinity
minus
the
the
range
you're
interested
in
and
the
cool
thing
about.
A
You
can
use
this
to
infer
a
fixed
version,
and
these
are
things-
and
this
is
an
example
here-
we're
using
example
dialects
to
especially
the
example
corresponds
to
the
second
line.
Here
we
have
like
arranged
that's
going
from
1
to
3
and
we
inverted
where
we
get
the
range
from
minus
infinity
to
1
and
note
that
this
is
exclusive,
so
this
is
actually
going
to
zero
instead
of
goes
to
the
second
one
is
excluded,
and
this
is
starting
from
4
going
to
plus
infinity.
A
A
This
this
is
because
we
will
be
support
for
December
bionics.
We
support
all
the
different
kind
of
intervals
that
we
saw
at
the
beginning,
and
this
in
this
case
we
just
write
it
like
this,
but
it
just
uses.
Actually
you
could
you
could
translate
it
into
until
closed
data
by
2
by
beta
P,
incrementing
or
decrementing
one.
You
know
if
you
decrement.
B
A
A
B
A
Know
this
is
the
use
cases
that
you
you
take
a
disaffected
range
use
case.
Essentially
you
take
the
affected
range
and
complemented
to
get
the
non
effective
range,
and-
and
that
was
the
point
that
you
mentioned
earlier-
most-
that
you
can
you
can
translate
the
special
operators
into
introverts.
Basically,
so
the
carrot
operator
could
be,
if
you
have,
a
version
could
be
translated
to
this
range.
B
So
what
I'm
gonna
do
Julien
is
I'm
going
to
go.
Take
a
palm
XML
parser
with
the
dependency
versions
in
there.
Try
to
convert
the
Maven
description
of
those
dependencies
into
the
interval
syntax
and
then
from
there
safe.
We
can
resolve
what
would
effectively
be
the
the
runtime
dependencies
from
that
just
the
declared
dependencies.
B
A
Yeah,
what's
what
some?
What
unfortunately
Berkeley
with
the
gem
we
that
was
dis
song
as
a
completeness
issued
that
we
that
we
had
or
that
I
mentioned
earlier-
is
that
we
cannot
guarantee
that
it
behaves
exactly
the
same
as
the
native
package
measure
would
automatic
version
library
excuse
in
this
package
manager
would
would
do
because
to
guarantee
that
we
would
have
to
re-implement
the
bezzie
which
were
to
be
implemented.
A
A
semantic
version
made
sure
they're
using
which
is
I
think
from
maven,
because
I
think
maven
is
one
of
the
one
of
the
big
outliers
there,
because
they
use
so
many
different
non-standard
suffixes
for
the
other
ones.
That
may
be
a
bit
easier,
but
for
maven,
that's,
like
level
is
a
bit
special
there.
It's
not
even
it's
not
even
valid
semantic
versioning,
what
they
are
doing,
because
they
just
use
a
dot
and
then
they
put
suffix
after
after
you
know,.
B
So
Gillian,
maybe
you
could
be
the
champion
of
just
sharing
the
knowledge
on
this
interval
grammar
so
that
all
the
different
package
managers
can
start
adopting
a
shared
standard
for
describing
constraints
and
their
work
don't
have
to
really
implement.
Okay
for
satisfying
the
constraint
resolution,
one.
A
B
A
It's
not
really
part
of
thing
of
the
language
standard.
It's
just
a
way.
How
composer
most
probably
does
it
I'm
not
even
sure
if
there's
like
a
standard,
PHP
way
of
dealing
with
semantic
versions-
and
this
makes
things
sometimes
a
bit
bit
tricky
and
amazing
if
I
may,
even
it's
because
maven
itself
is
it's
also
specific
to
the
ecosystem
that
I
think
most
of
the
tools
that
are
part
of
the
Maven
ecosystem.
They
they
adhere
to
the
maven,
not
really
specific
ation,
but
the
maven
way
of
dealing
with
or
semantic
versions.
A
You
know
oh
yeah,
that's
the
last
part
is
about
the
coping
with
two
different
semantic
version
constraints
in
Texas.
So
what
I'm?
One
of
just
mostly
described
up
to
this
point
was
how
to
how
we
represent
semantic
versions.
And
how
do
we
want
what
our
generic
approach
is
to
to
match
them
by
means
of
the
antibiotic?
But
we
also
have
to
be
able
to
to
process
at
the
different
version
constraint
strings
ourselves,
so
we
have
to
be
able
to
parse
them
and
to
translate
them
into
our
generic
representation.
A
A
We
basically
have
like
a
version,
translator
class
that
you
can
see
here
and
and
for
this
class
we
use
a
function
called
translate
packages
nor
translate,
maybe
which
takes
a
string,
that's
specific
to
D
to
the
target
package
type
and
translates
this
into
our
generic
representation.
And
then
we
could
basically
take
this
generic
representation
and
create
intervals
from
them
from
that,
so
that
we
can
compare.
B
A
Compute
them,
so
this
is
just
an
example
where
we
take
the
two.
These
two
constraints
are
essentially
the
same
just
expressed
in
different
dialect,
so
the
first
one
is
expressed
and
I
could
just
die
like
the
second
one
is
expressed
in
the
navin
dialect,
and
then
we
translate
them
and
we
end
up
with
the
same
basically
the
same
output,
which
is
our
representation
we
are
using
and
then
there's
just
some
funds
like
there's
a
key
about
it
about
know
how
we
generate
textual
descriptions
from
from
conversions.
A
So
if
we
have
like
a
version
interval,
we
can
also
directly
just
generate
textual
descriptions
that
provides
the
text,
basically
natural
text
that
describes
the
version
range.
So
to
give
an
example
here,
in
this
case,
we
take
a
version
range.
We
again
at
a
couple
of
intervals
to
this
version
of
prison
range
and
and
the
first
code
line.
This.
A
Was
the
front
part
of
the
natural
text
output
that
may
actually
use
this
for
the
advisor
generation
part
because
we
want
to
text
to
be
consistent
across
all
the
advisories,
and
so
the
first
time
translates
this
version
interval
to
gem
to
the
constraints,
the
second
one
to
the
Maven
constraint
and
then
the
desirous
to
natural-like
description
text,
your
senior
advisory
and
really
this
is
just
the
same-
twenty
inverted
version
and
come
by,
which
is
basically
the
these
two
lines
here.
It's
the
text
now.
A
B
This
was
amazing,
Julian
I'm,
just
gonna
toss
some
feedback
at
you
like
the
semper
dialect
gem.
It
looks
like
it's
got
some
helper
methods
and
utilities.
It
doesn't
seem
to
follow
some
of
the
idioms
for
ruby
gem
in
terms
of
like
name
spacing,
underneath
the
gem
name
itself
and
the
readme
has
link
to
go
install
the
gem
from
Ruby
gems,
which
we
can
fix.
These
are
all
solvable
problems.
A
And
I
didn't
like
fill
in
all
the
gaps
yet
so
it's
still
VIP
as
a
work
in
progress,
WIP
so
and
yeah.
That's
something
you
have
to
finish,
I,
think
and
to
be
able
to
publish
it
on
rubygems,
but
we
already
use
it
for
advisor
generation
and
we
also
integrate
this
into
the
CI
job
for
the
good
of
advisory
database
to
verify
whether
inconsistencies
or
something
between
the
factor
that
explosions,
just
something.
D
B
Have
one
question
but
I
don't
know
I
can
ask
you
offline.
There
was
a
slide
where
you
listed
the
affected
version
and
then
the
I
think
the
candidate
versions
like
explicitly
declared
each
of
the
versions
that
fall
into
the
affected
versions.
Are
you
keeping
that
list
up
to
date
based
on
published
versions
for
that
package
manager,
because,
as
new
versions
are
published,
you
have
to
reopen
okay
and.
A
Yet
the
so
what
the
way,
how
we
do
it
at
the
moment
is
we
for
every
advisory
we
generate.
We
keep
the
the
publication
date
and
date
of
which
the
advisory
was
last
modified.
So
if
there
is
an
entity
update,
we
update
the
advisory
and
if
we
just
triggered
only
by
the
by
a
new
advisory,
that's
published
by
MVD,
and
then
we
also
fetch
the
new
version
information
from
the
package
registry
itself,
but
open
its
triggered
still
by
an
update
on
the
Nvidia
site.
So
we
we
don't.
A
B
A
Anybody
doesn't
update
the
advisory
or
the
affected
versions
that
are
listed.
Then
we
wouldn't
be
able
to
to
capture
this.
That's
true,
so
we're
basically
dependent
on
updates
that
are
made
on
the
data
sources
that
we
use,
but
for
the
first
time
capture
yeah,
you
know
it's
basically
all
based
on
the
time
stamps
to
be
attached
to
the
advisories
and
then
be
forever
your
advisory
sync.
B
A
B
A
B
That
makes
more
sense,
then
you
don't
have
to
keep
that
list
up-to-date
and
at
the
when
we're
determining.
If
the
version
is
vulnerable,
we
would
just
have
to
look
at
the
minimum
and
the
maximum
you
see
if
it
falls
into
that
range
rather
than
trying
to
keep
the
database
up-to-date
with
every
range
or
every
version.
A
Aloud
here
and
yeah,
so
the
we
think
we've
also
generated
in
the
description
text.
So
when
we,
when
we
have
a
fixed
version
and
which
is
always
the
smallest
release
with
inside
the
non
effective
range
version
that
we
have
long
frequent
range,
we
always
say
that
please
upgrade
as
a
solution,
for
you
basically
say:
please
upgrade
to
version
X,
Y
or
later
we're
saying
that
okay,
everything
after
these
versions
is
okay,
so
you
can
just
upgrade
to
to
those.
This
is
like
the
sort
of
work
around
that
we're
using
for
this
kind
of
situation.
B
A
So
the
the
semantic
versions
are
represented
as
segments
basically
sort,
and
every
segment
contains
only
it's
more
or
less
like
having
an
area
of
integers,
basically,
and
because
we
want
to
compare
them
the
mercury
and
then
the
version
constraints
are
represented
as
in
terms
of
linear
intervals.
That's
when
your
intro,
because
that
was
like
the
most
I
think
most
generic
way
to
to
solve
these
kind
of
constraints.
A
Having
for
for
I,
think
similar
stuff
is
used
also
in
constraint.
Solving
for
domain
domain
pruning.
So
if
you,
if
you
use
a
constraint
solver
that
that
solves
integer
constraints
jury,
they
also
do
some
sort
of
domain
pruning
upfront
where
they
try
to
eliminate
part
of
the
search
space
that
we
required.
So
if
you
have
like
X
like
a
symbolic
variable,
X
smaller
than
five,
you
can
already
approve
a
lot
of
the
search
space
upfront.