9

I'm interviewing this week for a position at a firm where I would be the sole initial developerplus support the application I am taking over work for. Because positions like this can vary so wildly in the details, I plan to go in advocating a number of specific approaches that would make the job workable.

One thing that I'm considering bringing up is an inclination to move the existing source code out of SourceSafe (where it is currently resident) into a better version control product like Perforce.

I've had a number of bad experiences with SourceSafe causing massive problems like permanent file lock-out and code corruption. Alone, I'm afraid that those anecdotes sound like "I want to change it because I don't like it." If I'm going to bring the subject up, I want to have a slam dunk case.

So, what are the empirical reasons that SourceSafe is viewed as an inferior product?

See also:

Community
  • 1
  • 1
Yes - that Jake.
  • 15,710
  • 14
  • 68
  • 94

12 Answers12

16

Empirically, it makes no sense to trust your precious source code to a piece of software that isn't even up to the level of reliability as Microsoft Access. The product should have been dumped years ago. It's just not up to modern standards.

I'd rate it below any open source product like CVS or SVN, and I don't know of any product I'd rate below it, except maybe an older version of VSS.

John Saunders
  • 157,405
  • 24
  • 229
  • 388
  • 4
    But, why is it considered unreliable and "not up to modern standards?" What is it missing? – Yes - that Jake. Aug 03 '09 at 20:53
  • 4
    A reliable data store. It just stores files on a file share. No transactions. Nothing. Microsoft Access is more reliable than that. – John Saunders Aug 03 '09 at 20:54
  • This is probably the single best answer, but also the hardest to "prove" to someone unfamiliar with SS (and sadly, even some who are). Thing is, many teams just got "lucky" - SS worked just fine for them for years - and they took this as evidence that it wasn't *all that bad.* Like the program with serious concurrency issues that worked fine for a decade on single-processor machines... until someone tried to run it on their brand new dual Pentium Pro, and all hell broke loose. – Shog9 Aug 03 '09 at 21:00
  • @Shog9: Unfortunately, these are also the people who aren't bothered by the fact that the most recent release of VSS is 6.0d. The same "6.0" as in VB6 and VC++ 6 and Visual Interdev 6. – John Saunders Aug 03 '09 at 21:04
  • 1
    @John Saunders. My installed VSS is version 8.0.blah (VSS 2005) http://dl.getdropbox.com/u/1388427/screenshots/sourcesafeabout.PNG – Matthew Lock Aug 26 '09 at 07:06
  • Versioning (6.x, 8.x) wouldn't be a problem if there weren't any issues with the product. – Alfred Myers Nov 26 '09 at 19:23
13

The big one that I've experienced personally is database corruption. It happens and it is painful. Aside from that, it's pretty slow compared to more modern SCMs.

If I were you, I'd recommend moving to at least TFS. The integration with VisualStudio is just as tight, it is much speedier, and the idiom is pretty much the same. I've had no problems with it in the 4 years I've been using it. Perforce is expensive and that's probably not something to toss around in an interview.

bbrown
  • 6,240
  • 5
  • 35
  • 42
  • I used to use VSS on a team of about 30 programmers, with 2 million lines of code, and database corruption was a way of life. Something we just expected and made sure we could cope with. So nice to work with Perforce today instead. – justinhj Aug 27 '09 at 04:14
12

There's a long list of problems here (admittedly from 2002 but the product hasn't really changed since then)

Edit: here's the text from the link, in case it disappears. Page is licensed under CCA3.

Visual SourceSafe: Microsoft's Source Destruction System

by Alan De Smet

There are many fine solutions for revision control systems. SourceSafe isn't one of them.

I used SourceSafe for five years though spring 2002 . It has consistently been an unpleasant experience. New versions failed to improve anything of import. I hope to dissuade you from using SourceSafe, sparing you the bad experiences I have had.

Missing Features

SourceSafe lacks usable branching support

A revision control system should provide powerful branching support. With strong branching support, developers can easily make minor revisions of old versions while work toward the next major release continues. Highly experimental code can be checked into a branch, keeping it separate from mainstream development but backing it up and making it available to other developers. If the project is "frozen" while a milestone or final release is built, a developer can continue development toward the next version on a branch. (Or more commonly, a new branch can be created for the freeze while general development continues on the main branch. When the release is done, changes on the frozen branch can be merged back into the main branch.) SourceSafe's branching support fails to effectively support any of this.

With powerful branching, a revision control system must also provide strong merging support to reconcile different branches. At the least, the system must allow a developer to examine the differences between two branches, modify them to create a merged version, and when satisfied check them in. SourceSafe's merge support is tightly integrated with checking in, making it difficult to examine differences and test the proposed merge before checking it into the tree. With this weak level of support, it's easy to check non-functioning code into the revision control system.

SourceSafe cannot be safely extended

It should be possible to easily extend your revision control system with additional functionality. The ability to send out emails summarizing check-ins is essential. When working with a team, regular email messages listing files checked in and the check in messages associated with them really help keep everyone up to date with recent changes. You might also want to add filters to prevent check-ins of code that doesn't meet certain requirements (standard copyright statements or doesn't compile). SourceSafe barely supports this. While it is possible, every single client needs to have the additional functionality installed. If a single client lacks the extension, it will quietly fail to behave as expected. (For details, see Visual SourceSafe 6.0 Automation. Check the section "Trapping SourceSafe Events? An Overview".) You can pay even more for a third party solution, but does it make sense to invest more money in a fundamentally broken product?

SourceSafe silently leaves stale files on your local system

When updating your local workspace to match the server, files which were deleted on the server should brought to your attention. (Or deleted, since the old version can be retrieved from the revision control system.) Failure to do so risks out of date files being used in your project, often causing problems. I've frequently run into this problem when an out of date header file is incorrectly included into my project. SourceSafe fails to delete the out of date file or provide any warning.

SourceSafe badly handles slow networks and the public internet

SourceSafe is unusable over slow network connections. It's effectively unusable over the public internet. In addition, because SourceSafe works over network shares, if you place a SourceSafe server on the internet, you're exposing any weaknesses in your servers file sharing implementation to the entire world. Of course, if you're willing to invest more money in your ineffective revision control system, you can buy a third party product to solve this problem.

Managing third party modules is difficult with SourceSafe

It's not uncommon for a developer to use third party modules in your project to quickly add required functionality. For example, you might use Codejock Software's Xtreme Toolkit. It's natural to check these third party modules into your revision control system. This way, when you step backward in time to examine a previous revision, you can get the same versions of supporting libraries and third party modules that were used to build your code at this time.

Unfortunately, SourceSafe makes tracking a third party module extremely difficult. Initially checking the first version in isn't hard. Checking a new version in requires a good memory and attention to detail. To add a new version, you first recursively check the folder holding the module out. Now delete the directory on disk and replace it with the new version. Check in new version in. You now need to identify any files or directories added in the new version. Right click on the module's folder in SourceSafe and use "Show difference" to recursively generate a list of files which have been added. Note which directories hold files which have been added and which directories have been added. Now close the report of differences (the report is modal, preventing you from using SourceSafe while visible). Add the new directories as you would normally add directories. To add the new files, visit each directory holding new files and use File > Add Files to add them. Again, use the "Show difference" command to recursively generate a list of files which have been removed. Note these files and close the the report of differences again. Now delete each of these files in SourceSafe.

If you've actually tweaked the third party module, SourceSafe provides no particular help in tracking down the differences and merging them into the new version.

(For comparison, to check in a new version of a third party module using CVS, you would simply run the command "cvs -q import -m 'Import of Xtreme Toolkit 1.9' xtremetoolkit Codejock XT_1_9". That's it. If you've made changes to the module that need to be integrated, you would use "cvs checkout -j XT_1_8 -j XT_1_9 xtremetoolkit". That will give you a local copy of the merged changes which you can immediately check in if satisfactory.))

Viewing and retrieving historical versions is extremely slow

It's not unusual to need to get a historical version of the source code. You might need an older version to investigate a bug report, or the current code is malfunctioning and you need to get a functioning version. SourceSafe supports this, but it's extremely slow for non-trivial projects. To get a historical version, you first need to generate a history for the entire project you're interested in. On a project with hundreds of files and just over one year of history, this can easily take over five minutes (even if you restrict the actual search to the last 48 hours of changes). Once this history is generated, you specify the version to get by selecting the last check-in to accept. The slow speed at which this process is completed discourages developers from examining previous versions, defeating much the purpose of a revision control system.

Difficult to maintain multiple local copies of one project

While making extensive changes to a copy of the project, you may be asked to make a small change to the project. The most efficient and safest way to do this is to get another copy of the project to make the change on. SourceSafe presents two problems in doing so. First, SourceSafe only recognizes a single copy of the project on your system. You'll need to either move the project directories back where SourceSafe expects the canonical copy, or you'll need to reset SourceSafe's notion of where the canonical copy exists. Using either technique, it's easy to accidentally point SourceSafe at the wrong project and check the wrong versions of files in. Secondly, SourceSafe's weak merging features mean that if you need to change the same file in both copies of the project, you'll need to be very careful that changes to one project don't destroy changes in the other.

Safety

SourceSafe degrades on large projects

Microsoft recommends that your database not exceed 5 GB. (Source: Microsoft Best Practices) While this is a large database, it's not unreasonable for a large project, especially if you check in large binary files (like Microsoft Word documents).

SourceSafe integration can crash Visual Studio

SourceSafe can hang or crash when your system loses connection to the SourceSafe database. While this is irritating for Visual SourceSafe, this can cause you to lose work when Visual Studio is using SourceSafe integration. Simple having a SourceSafe managed project open in Visual Studio is enough to open yourself to the risk. To minimize this risk (and speed up ClassView), I suggest you follow Microsoft's directions on disabling SourceSafe integration.

SourceSafe relies on dangerous file sharing

SourceSafe doesn't really run as a server, but as a set of files shared over SMB. As a result, you're relying on each individual client to not misbehave. A single misbehaving computer can destroy the database. A problem in the file sharing implementation on your operating system can damage the database. Users only needing read-only access to the revision control system need write access to the server, increasing the risk (Required Network Rights for the SourceSafe Directories).

SourceSafe should be scanned for corruption weekly

Of course, with this high risk of corruption, Microsoft recommends that you run the Analyze diagnostic program weekly. (Source: Microsoft Best Practices) While Analyze is running all of your developers are locked out of the system (I hope everyone remembered to quit from SourceSafe first!). My experience with SourceSafe shows that a 2 gigabyte system running under Windows 2000 takes several hours to check if run weekly.

SourceSafe handles multiple time zones badly

If you have teams using the same SourceSafe repository in different time zones, you're likely to have problems. (See Microsoft's details on the time zone bug.) The only solutions Microsoft provides are to incorrectly set the clocks of the computers to a single time zone, or to purchase a third party product.

Relatedly, this is a potential problem if any of the client computers using SourceSafe fail to have synchronized clocks. Differences of several minutes between computers can cause strange behavior from SourceSafe with it tries to reconcile information that appears to come from the future.

SourceSafe becomes corrupted

Your revision control system must be trustworthy. You're entrusting your hard work to your revision control system. If your data is corrupted, the system is worthless. SourceSafe's fundamental design assumes that clients are trustworthy, always function correctly, and that nothing interferes with the communication causing corrupted data. As a result, SourceSafe is fragile and untrustworthy. I have worked with SourceSafe at three different jobs. In each case, eventually the SourceSafe database became corrupted. Data has been corrupted, work has been lost, time has been wasted on the problem. Speaking with other developers, I have learned that my experiences are not unique.

Irritations

  • Minor actions like changing the directory erase the entire contents of the output window, making it difficult to examine past actions.

  • Comparing your local version to the remote repository is clumsy. You select the directory you're interested in SourceSafe and select Compare Differences. The resulting report is modal, preventing you from working with SourceSafe while examining the report.

  • When getting the latest version of files from SourceSafe, each file changed locally causes a dialog to pop up to confirm the update. The update action entirely stops while the dialog waits for your response. This is particularly irritating if you get the latest version, step away from your computer for a while, then return to discover that SourceSafe is only 10% done and waiting for your response. You can prevent the dialog from returning in several ways, but in doing so you get no indication that any such files were encountered. So when you return to the finished update, you will have no idea that SourceSafe encountered potential problems. SourceSafe should note these files in the output window when encountered, making it easy to scan the output window for files to be investigated.

Conclusion

If you're considering SourceSafe, consider something else. If you're using SourceSafe now, migrate away as soon as possible. Here are just a few.

If you simply must use SourceSafe, definitely take the time to look at Microsoft's list of bugs in Visual SourceSafe 6.0 and list of fixed bugs in Visual SourceSafe 6.0 so you know what to expect. (These links were originally taken from Microsoft's Bugs page. This page may be useful if you have a different version of SourceSafe or the above links fail.)

stuartd
  • 62,136
  • 13
  • 120
  • 150
  • To be fair, the 2005 upgrade was a little more substantial. But it had been standing still before that. Still +1 for the link. Good ammo. – Henk Holterman Aug 03 '09 at 21:05
4

Back in 2002/2003 in a former job, I ended up being the guy who had to babysit our VSS installation.

We gave VSS it's own dedicated server - real physical hardware - in order to minimize disruptions, and still we had regular problems.

Once a week I had to go and fix broken locks - locks that couldn't be released by the developer who placed them.

Around twice a year I had to recover from a corrupted repository - there seemed to be some kind of built-in limit at around the 1G mark, whenever the repository grew much past 1G things went bad pretty quickly.

Given that there are better tools - with better integrations - that are now available at zero-cost, switching from VSS (to me) is a no-brainer.

Bevan
  • 40,925
  • 10
  • 77
  • 128
4

I agree that VSS is a horrible piece of software but other than the possible database corruption problem, it seems like your situation will be a difficult one to sell people on. For example, you can't say VSS has terrible merge support because, well, you're the only developer. You can't complain about locking checkouts for the same reason. Unless your app is pretty good sized, you can't argue from the suggested 1 GB maximum database size that VSS suggests.

I personally think that in an interview like you're suggesting, you'd be better off looking for lower hanging fruit to suggest like iterative development, TDD or a wiki for documentation. I have fought the good fight to move from VSS to Perforce in an enterprise situation and that was hard enough. I can't imagine trying to convince management of a major source control change on an application that has one developer. YMMV.

Brett Bim
  • 2,934
  • 4
  • 25
  • 26
  • 2
    Yeah. If you're the only one using it it's not so bad. It _probably_ won't trash your files too often. You _probably_ won't need any decent branching and merging functionality too often. I actually found the UI halfway decent. It didn't originate at MS, so the command-line interface wasn't so bad either. – Marsh Ray Aug 04 '09 at 01:02
  • Yeah, but the dialog boxes were created for 640x480 monitors, and most were not resizable! Though I have a vague recollection that the final release allowed some of them to resize? – John Saunders Aug 04 '09 at 11:40
3

SourceSafe is an antiquated technology built upon Windows shares. The storage mechanism (non-transactional "flat files") is a recipe for poor performance and bugs. Its adoption has nothing to do with what it has over other SCM's, and everything to do with the fact that it was "already there".

I can't comment on Perforce, but I can say that VSS compared to, say, Team Foundation Server is a very weak offering and should be used only in circumstances where there is already a large investment in it and NO money can be spent.

Adam Robinson
  • 171,726
  • 31
  • 271
  • 330
  • There are plenty of excellent VCS systems. A migration might cost a bit of time, but your source code is your crown jewels. It should be stored safely. – Kristof Provost Aug 03 '09 at 20:58
3

Microsoft does not use it internally. Instead, they got a source license to Perforce, and they've hacked it up to suit their needs. This is telling, since Microsoft proudly dogfoods their other products, like Windows and Office.

Michael Donohue
  • 11,606
  • 5
  • 29
  • 44
  • Interesting. Do you have a citation? – Bevan Aug 03 '09 at 20:59
  • 1
    You have some proof of this? See http://blogs.msdn.com/bharry/archive/2009/07/17/a-dogfooding-milestone.aspx for a counterpoint. – John Saunders Aug 03 '09 at 21:03
  • While this may have been true at one time, I believe they've now moved on to Team Foundation Server. – Gregory Higley Aug 03 '09 at 21:04
  • Gregory is right, and when TFS was released they had import options for ClearCase (marketleader) and Perforce. – Henk Holterman Aug 03 '09 at 21:41
  • My information is a bit old, but neither SourceDepot (the internally hacked Perforce SCM) nor TFS are Visual Source Safe, so the point stands that Visual Source Safe is not used internally. TFS appears to be a huge improvement, which Microsoft does use internally. – Michael Donohue Aug 04 '09 at 13:29
  • Microsoft still uses SourceDepot (aka Perforce) for the Windows source. I have no cite for this other than personal experience. No idea what gets used outside of the Windows team, but I'd bet there's virtually no one at Microsoft using VSS. – Michael Burr Aug 11 '09 at 23:10
2

My last experience with Sourcesafe was years ago, so take this with a grain of salt. In my experience, it doesn't scale well as the number of developers touching the same code goes up.

There is no way to have multiple people working on the same code, and then merging their changes together on check-in. Instead, each developer has to lock the files they are working on, while the other developers can't make progress on anything touching those same files.

Chase Seibert
  • 15,061
  • 5
  • 48
  • 58
  • 4
    Oh, you CAN. Concurrent checkouts can be enabled. Then much prayer must be offered to the VSS gods that the merge doesn't explode. – Adam Robinson Aug 03 '09 at 20:52
2

See also Better SCM Initiative: Version Control Systems to Avoid.

One of the issues that I have read there, and I haven't seen mentioned so far in the answers, is that VSS has no support for deleted then recreated files: either you purge history of file (and can never recover old version), or you can create file with the same name as some deleted file had. Even CVS (which is also file-based) tried to did this right by using 'Attic' area.

cp.engr
  • 1,862
  • 3
  • 24
  • 37
Jakub Narębski
  • 268,805
  • 58
  • 209
  • 228
2

Because it makes your source unsafe even when in repository.

User
  • 28,268
  • 17
  • 74
  • 107
2

The issue I'm wreslting with now is Visual Source Safe's insistence that my project's folder structure cannot possibly be represented within the target working directory. It always thinks that a service setup project is trying to encroach on the service project and refuses to check it in. When you add a project to source control, it invariably adds another folder to its path in source control. Version control should just represent a file structure that is ALREADY WORKING on a developer's machine, without complaint.

CZahrobsky
  • 637
  • 6
  • 7
1
  1. Code Corruption (including your entire history stack)
  2. Binary file corruption (we had this issue specifically with PDF templates)
  3. Poor integration into Visual Studio IDE (very buggy)
  4. Constant file lockouts
  5. Did i forget to mention repository corruption...eeek
  6. No branching

I can go on and on. The bottom line is to absolutely avoid this product. I think it may go well with smaller projects, but developing enterprise level applications should not involve dealing with constant codebase repository issues.