Perforce Helix

Architecture

The Perforce Helix server manages a central database and a master repository of file versions.

Metadata

The Perforce Helix database is proprietary, preconfigured, and self-installed. It stores system-related metadata (file state, file attributes, branching and merging history, changelists, change descriptions, users, groups, labels, etc.). Files are identified by namespace (i.e., by OS-neutral filenames). File content itself is not stored in the database. MD5 hashes of file content are stored in the database, however, and can be used to verify repository file integrity.

Database tables are stored as binary files. Checkpoints and journals are written as text files that can be compressed and offloaded. A database that has been corrupted by hardware failure or other catastrophe can be recovered from the most recent journal and checkpoint. Administrators must plan for disaster recovery by configuring database journaling and setting up regular checkpoints.

Depot

Versioned file content is stored in a master directory hierarchy whose top levels are called "depots". Text file revisions are stored as RCS deltas, and binary file revisions are stored in their entirety.

The encoding used for text files in the repository is either ASCII or UTF-8, depending on Perforce server configuration. Repository files are not encrypted. Revisions that are branches or copies of other revisions are virtual copies within the repository. All revisions are preserved by default; limits can be set on the number of revisions preserved. Obsolete revisions and files can be purged by the administrator. Repository files must be included in regular system backups.

Clients

Clients to the Perforce Helix system fall into roughly five categories: Git, command, GUI, web, and plugin. The Perforce system can make part or all of its content available as Git repositories. Users of Git and of other clients can work with the same file content and history. Git commits are visible to users of other clients as Perforce changelists, and vice versa. Users submit changed files together in changelists, which are applied as atomic commits.

The original command interface is P4, the command-line client. P4 can be used in any command shell or script. It produces human-readable output by default, but can also produce tagged text output and marshalled Python and Ruby output. Native C++ and Java APIs to the Perforce client commands are also available, as are Lua, Perl, Python, PHP, Objective-C, and Ruby extensions built upon the C++ API.

The command interfaces support the system's complete client functionality and can be used with OS-native filename syntax, as well as with Perforce's OS-neutral filename syntax.

Two GUI clients are available for users, the cross-platform, Qt-based P4V, and the Windows-only P4Win (in legacy maintenance mode since 2008). Both support the majority of end-user operations. An administration GUI client, P4Admin, supports a subset of administrative operations. P4Admin, like P4V, is cross-platform and Qt-based. P4V and P4Admin can be extended with applets written in JavaScript and HTML.

Plugins are provided for the Eclipse and Visual Studio IDEs. Ultimate version of Intellij IDEA has its own Perforce integration plugin.

A web interface is provided by P4Web, a program that is both a Perforce client and a stand-alone HTTP daemon. P4Web can be run as a shared web server to provide read-only access to the Perforce file repository and metadata. It can also be run on a user's machine, enabling web browsers to become the interface to client operations on the local machine.

The plugin interfaces are behind-the-scenes programs that integrate Perforce client functionality into third-party software. Perforce plugins are available for desktop environments, software development tools, digital asset development tools, software build tools, code review systems, defect tracking systems, office automation tools, SQL clients, and FTP clients.

Distributed and remote revision control

Perforce Helix has four mechanisms for providing revision control to distributed or remote teams; these mechanisms can be used independently or in combination. The first is a proxy server that caches frequently read versions in order to reduce file access times for remote users. This mechanism accommodates closed development organizations where a centrally controlled file repository and a universally accessible database are desired.

The second mechanism, known as remote depots, lets users connected to one server access file versions managed by other servers. With remote depots, each organization has control of its own server and makes parts or all of its repository visible to other servers. This mechanism is used for loosely coupled development organizations where a peer-to-peer approach is desired.

The third mechanism, known as replication, mirrors all (or some) of the repository data to another server. Replicas provide faster response time for remote users.

Finally, Perforce can be replicated to Git repositories, using the standard Git protocol and commands.

Features

Concurrency model

The system offers a hybrid of merge and lock concurrency models. As with similar systems, users do not have to lock files in order to work on them and are required to resolve concurrent, committed changes before submitting their work. Users may optionally lock files to ensure that they won't have to resolve concurrent changes.

However, the Perforce model is slightly different from those of similar systems in that users are expected to let the system know in advance which files they intend to change, even if they don't mean to lock them. Giving advance notice puts files in a pending changelist that can be submitted to the server. It also enables the system to alert other users working on the same files. Thus users can tell when they are working in parallel and can take the opportunity to coordinate with one another before making changes that could otherwise be difficult to merge.

Perforce enforces this advanced notification requirement loosely by setting read-only permission on workspace files as it fetches them from the repository. Users can bypass the requirement, by choice or by necessity (when working offline, for example), simply by hijacking file permissions and modifying files as they see fit. It is up to the user, in these cases, to remember to use Perforce to reconcile offline work and put hijacked files in a pending changelist so they can be submitted. (It is also up to users to leave hijacked files writable after changing them. A read-only file that is not in a pending changelist is assumed by Perforce to be a candidate for update by replacement.)

Branching and merging

A file is uniquely identified by its complete filename, e.g., //depot/trunk/src/item.cpp. Any non-deleted revision of a file can be branched. Perforce Helix uses inter-file branching, wherein branching creates a new file with a new name. For example, my/index.php may be branched into your/index.php and each file may then evolve independently. Repository paths are typically designated as containers for branched sets of files. For example, files in the //depot/trunk path may be branched as a set into a new //depot/rel1.0 path, resulting in two sets of files evolving independently and between which changes can be merged.

In Perforce Helix, the operation that merges changes from one branch to another is called integration. Integration propagates changes from a set of donor files into a set of corresponding target files; optional branch views can store customized donor–target mappings. By default, integration propagates all outstanding donor changes. Donor changes can be limited or cherry-picked by changelist, date, label, filename, or filename pattern-matching. The system records all integrations, uses them to select common ancestors for file merging, and does not by default perform redundant or unnecessary integrations.

Merging is actually only one of three possible outcomes of an integration. The others are ignoring (aka "blocking") and copying (aka "promoting"). Merging is used to keep one set of files up to date with another. For example, a development branch may be kept up to date with its trunk through repeated merging. Ignoring disqualifies changes in one set of files from future integration into another. It is often used when a development branch must be up to date with, and yet divergent from, its trunk. Copying is typically used to promote the content of an up-to-date development branch into a trunk.

Branching also supports renamed and moved files. The 'move' command branches originals to new files and deletes the originals. A branched file is no different from an added file; branched files are peers, not offshoots, of their originals. The system keeps track of file origins, however, and refers to them when displaying the history of renamed files.

Perforce streams offer a way to capture more information about a branch, including ancestry and included paths. This information is used to provide guidelines for branching and merging operations.

Access control and security

The Perforce Helix server stores file content in a master repository that, when properly installed, is inaccessible to users. User access to files is controlled by one or more Perforce superusers. A range of file access protection levels can be granted. Protections can be set for repository file paths, users, groups, and IP address subnets. The server can maintain an audit log of client access events for Sarbanes-Oxley Act (SOX) and other compliance requirements.

User authentication is controlled by the Perforce system administrator. Password strength is configurable; ticket-based authentication can be configured as well. Triggers (custom scripts or programs that run at predefined events) can be set on many but not all Perforce user commands and used to extend user authentication (with LDAP or SSO, for example), to block or allow user commands, and to constrain or normalize file modifications. Triggers are run by the Perforce server and do not have access to client machines or workspaces.

Perforce Helix, like most version control systems, does not encrypt file content in the master repository or on user machines. Perforce versions prior to 2012.1 cannot encrypt file content sent over the network. A tunneling protocol (like VPN or SSH) must be used to secure network transfers with those versions.

The Perforce Helix client completely trusts the server, including writing arbitrary files anywhere in the local filesystem, and therefore running arbitrary code from the server. That means the server has complete control over the client user's account, including reading and writing and sending all non-source code files of the user. In environments where the Perforce server is managed by a third party, this poses a significant threat to the client's security and privacy.

Availability

Use of the Perforce Helix server is unrestricted and free for up to 5 users, 20 workspaces and unlimited files, or unlimited users and up to 1,000 files, without a license. A license must be purchased for more users or workspaces; licenses may be purchased in perpetuity or on a subscription basis. The Perforce versioning engine, clients, plugin software, tools, and APIs are also freely available.

Free licenses are available for open-source software development, school or classroom projects, and trial/evaluation periods. Use of the Perforce client and plugin software is unrestricted, as is online access to Perforce technical documentation.

The server and client software are released as pre-built executables for Microsoft Windows, macOS, Linux, Solaris, FreeBSD, and other operating systems.