The PHP Roundtable podcast has posted their latest episode, part two in a series looking at semantic versioning, open source support expectations and licensing. This new episode features guests Colin O'Dell and Chris Tankersly.

Part 2 of an on-going series on open source. We discuss a number of open source topics including what the expectations are for support of an open source project. We also discuss how to use SemVer to successfully maintain an open source package and what we can do when SemVer is not an option. And finally we take a look at licensing and discuss why we need to be concerned with it.

You can listen to this latest episode by checking out the video of the live recording, coming in at about 1 hour. If you enjoy the show, be sure to subscribe to their feed to get the latest updates on when new episodes are available.

In his latest post Phil Sturgeon talks about a point that's been argued on both sides of the Composer users out there - whether or not to commit the "composer.lock" file. Phil talks some about it in his article and suggests that you should commit it for applications but not for components.

If you and your employees are a little vague with your composer.json specifications and you don't have a composer.lock then you can end up on different versions between you. Theoretically, if component developers are using SemVer and you're being careful then you should be fine, but keeping your lock in version control will make sure that the same version is on your dev teams computers. This will happen every time you run $ composer install. If you are on Heroku or EngineYard then this will be used for the deployment of your production components as a built in hook, which is awesome.

He mentions an article from Davey Shafik, this being his reaction to it. He suggests, though, that an absolute of "always commit for components" may be too much and could potentially cause other problems. He points out that since the "composer.lock" handling is local to the directory, you can hit up against version requirement issues between them in your application as a whole. He wonders "how strict is too strict" when defining dependencies and some things to think about (like your users) when making the choice to upgrade the libraries you use.