Version control is an integral part of the development and deployment process, and to revert smoothly to a previous version or manage geographically diverse developers, a flexible, easy-to-use VCS is a must. Moreover, today's VCSes can help network administrators keep their ducks in a row as well (see "Version Control: Not Just for Developers Anymore"). We looked at several products in our Real-World Labs® in Green Bay, Wis., and found that today's offerings provide a wide array of support, from the bare-bones essentials required for source-code control to almost complete software-change management.

We invited Merant, Microsoft Corp., Mortice Kern Systems, Perforce Software, Rational Software Corp. and SiberLogic to join our head-to-head comparison, and we also looked at the open-source Concurrent Versions System, or CVS. Rational Software declined -- it's not participating in software reviews at this time -- and Merant never answered our queries. So we downloaded CVS, loaded up the rest of the vendors' products -- Microsoft's Visual SourceSafe, MKS' Source Integrity, Perforce's 2000.2 (commonly known as P4) and SiberLogic's SiberSafe -- and away we went.

Bulletproofing Your Butt

A good VCS should do more than just store files. Plenty of developers use VCSes as a cover-my-ass-in-case-I-lose-my-files system (don't deny it, you've done it too), but to be considered a corporate-class VCS, much more than that is needed, including:

>> Platform support. It won't do you much good to buy a VCS with clients that run on a platform your developers don't use. Regardless of the operating system on which the server runs, your developers won't be able to do much if they don't have clients on their desktops. Client platform support is a must, and, depending on your infrastructure, server platform support may be important as well. After all, if your infrastructure is entirely Microsoft Windows-based, you aren't going to want a version-control server running on a Sun Microsystems Solaris or Linux server.

The products we tested generally supported myriad operating-system options for both the client and the server. CVS, Perforce and SiberSafe received high marks for supporting virtually any operating system you can name -- including CVS' unique support of BeOS. Source Integrity, a Java-based client and server, runs on Solaris, Linux and Windows.

Visual SourceSafe is the notable exception. Support is for Windows operating systems only. For a price, Microsoft partners offer options that port the popular VCS to other platforms; we were not surprised that Linux was not on the list but were pleased with the multiple flavors of Unix supported.

>> Configuration and management. Once you've decided on a version-control system, you'll need to deploy it and perform administrative tasks before developers can begin using the system. All the products we tested were easy to install, and we found no compatibility issues with the RPM (Red Hat Package Manager) on Linux. The one possible exception was the need to install MDAC (Microsoft Data Access Components) on our server before we could install SiberSafe. Not only did the product require MDAC, it also forced us to visit Microsoft's site to download MDAC. Source Integrity requires a Java 1.3 JVM (Java Virtual machine) but distributes the JVM with the product.

One of the biggest variables is license enforcement. Source Integrity uses a third-party tool to perform "flexible" license management. The tool runs only on Solaris or Windows but offers the ability to mix and match your licensing schemes -- by seat, concurrent session or a bit of each. SiberSafe also uses a separate license manager that is supported on any platform on which SiberSafe runs -- that is, any Java-enabled platform. The other systems do not check for licenses, apparently working on the honor system.

Source Integrity (barring its licensing issue) and Visual SourceSafe left us with the warmest fuzzies after installation and initial configuration.

The setup process for each was painless and straightforward. After installation, however, we needed to define users and their rights. This is where the products diverged the most and, quite frankly, was the process that caused the most headaches.

>> Access management. The products also parted ways in their ability (or lack thereof) to provide security not only for the repository but for the individual files stored within the repository.

We loved that Source Integrity provided access on a file-by-file basis and enabled us to specify security access rights on actions that could be performed on each file. We could import users and groups from both Windows NT and Unix systems and dole out access rights on a project-by-project or source-file basis.

Visual SourceSafe can import user data from a Windows NT/2000 domain but cannot deal with Unix users. Perforce frightened us -- it offers no default security to speak of. Protection must be "turned on" and is administered via manually edited permission tables. CVS was a breeze when we used it locally but was a bit more convoluted when we tried to access the server via the network. CVS uses x/inetd control mechanisms to determine access. Source Integrity and Perforce both offer access control via LDAP.

We'd like to see more of Source Integrity's access-management features in other systems. The ability to define not only who can update files but also who can label, promote or demote files throughout the development life cycle is extremely important in a corporate environment, where the group handling release management may not be the same group doing development.

>> Merging and branching. One of the most important feature sets in a good VCS is the ability to create branches and merge files. So what is a branch? Let's say you are working on a project, have just released version 1.0 and are now working on 1.1. A bug is found in the released version, and you need to fix it. You can't afford to risk building a new version with the version 1.1 source because it isn't stable. What to do? Create a branch from version 1.0. Later you can use the merge feature to incorporate the branch into version 1.1.

While branching is standard across the products we tested, the method of merging source is not. All the products incorporate a method of automatic merging as well as a manual process. The manual process is supplemented by a "diff" feature, which provides a visual mechanism for examining two versions of files. Developers can then pick which modifications will be kept and which will not.

Each vendor provides through the client a visual mechanism that offers a complete view of all changes between at least two different versions of files or between a file in your working directory and the source-control system. The most robust of these offerings is from SiberLogic, whose SiberMerge product is integrated with its VCS. With SiberMerge not only could we compare two different revisions, but we could compare both of the revisions simultaneously with a common ancestor. This feature is especially helpful when attempting to merge branched files. Perforce offers an automated merging process as well as a manual method of resolving conflicts. Almost all the vendors whose underlying systems are based on RCS (Revision Control System, a rudimentary VCS) use the standard GNU diff algorithm; the only variation between them is the mechanisms used to display the differences (see "What the Heck Is RCS Format?").

>> Repository. The repository is one of the most important pieces of a VCS. During our testing we examined the repositories created by each of the systems and found that, by and large, RCS is still the most popular format for storing text-based files. Perforce, Source Integrity and, of course, CVS use the RCS format for storing revisions of source files.

We like the RCS format, which stores a single copy of the source that includes information on what to add and remove to return to a previous version. Microsoft still stores a complete version of each revision of your source files, with the result that Visual SourceSafe repositories grow to a much larger size than those in systems based on RCS. SiberSafe uses a Microsoft Access database as its repository. We were unimpressed by this and concerned about size and performance. During testing we found that our concerns were valid: SiberSafe's performance was so poor that we ended up twiddling our thumbs while waiting for commands to complete.

>> Ease of use. If you give your developers a VCS that they can't figure out how to use, you may as well not have bothered. After using the products to manage source code over several weeks, we found that Microsoft and MKS provide the most intuitive, easy-to-use systems, from both a management and a developer standpoint.

Integration into IDEs (integrated development environments) is grand and makes life much easier for the developer, but we looked hard at the CLI (command-line interface) and GUI facets of these offerings. Perforce's Web and client user interfaces were grand at first glance, but actual use showed them to be barely navigable, not to mention annoying. SiberSafe's interface is designed for versioning of Java and XML, and to that end it makes sense. But for giggles we also tried storing C/C++ code and found that while the process worked fine, it was a bit more confusing than storing Java code and binaries. CVS' interfaces (other than CLI) are varied. It's almost Russian roulette as far as functionality and ease of use are concerned. The good news: They're all free, so you can try them out until you find one that suits you. The bad news: It may take a while. The CLI is straightforward, however, and easy enough for anyone to use.

Version-Control Systems Features Click here to enlarge

Cut to the Chase -- Who Won?

After examining all these attributes and trying the products out for weeks -- storing code, checking out code, branching and merging code, and exploring the storage mechanisms of the systems -- we gave our Editor's Choice award to MKS' Source Integrity. Its ease of use, platform support and granular security mechanisms make Source Integrity an excellent choice for a corporatewide VCS. The biggest complaint we have is with pricing. Even though volume discounts are available, all we can say is that those discounts better be large. Microsoft, only two spots away, offers better pricing and, aside from platform-support issues, is just as easy to configure, manage and use as is Source Integrity.

CVS, which came in second, offers myriad choices for platform support plus all the basics provided by the other products in our review -- and the price is right. The system is used throughout the world as a way to manage geographically disparate open-source developers, and it works well. SiberSafe needs a better way to store its data and must raise its performance before it will be a viable corporate-class solution. The SiberMerge facility, however, is excellent, and since it can be purchased separately, you should examine the merge facility in conjunction with your chosen solution. Perforce -- well, Perforce needs to work on its interfaces before it considers moving forward. While it integrates some desirable change-management features (defect and issue tracking), the interface is clumsy and its security features are lacking.