Sonatype applauds GitHub's approach to encourage OSS license selection

July 18, 2013 By Derek Weeks


GitHub's move to encourage developers to select an open source license for source code published to GitHub highlights the need for organizations to properly manage license concerns. The Central Repository, sponsored by Sonatype, has long required license information for binaries that are added, but encouraging license selection as part of the source code process is helpful. This is key since organizations have turned to open source components and frameworks to speed their development efforts. Even if GitHub is successful in increasing the number of projects that declare a license, organizations still have to ensure the components that they use have a license that will not expose them to IP risk. This is more difficult than it sounds:

  • given the volume, variety and release cadence of components;
  • the fact that components have transitive dependencies on other components with different licenses;
  • and the fact that the declared license is not always the same as the actual license.

It's also not surprising that vendors are trying to ride the GitHub frenzy. Yesterday, Black Duck announced "industry first" support for embedded license information, a capability that Sonatype has provided since Nexus 2.0, released in 2012. But we'll give Black Duck a pass on the announcement since any activity that increases awareness about the need to manage open source components is a good thing. Plus their announcement gives us an opportunity to explain how Sonatype takes this a step further. Not only do we provide both observed license and declared license information, we make the component license, security, and quality information actionable.

  • Sonatype integrates this information in the tools used to support the entire software lifecycle. The observed license information, along with other licensing, security and quality information, is integrated directly in the Repository Manager, IDE, and Build/CI tools. Information is available in the tools that developers already use, so developers aren't forced to learn a new tool and context switch between tools to access it.
  • Sonatype provides automated policies that guide and enforce action based on the license, security, and quality data. Criteria are specified using the component metadata, and the actions appropriate to each stage of the software lifecycle are fully automated. Developers can be alerted early in the development lifecycle, while production environments can be protected by failing builds or stopping deployment activity. This combination of actions allows the flexibility necessary to support agile development efforts while providing the control necessary to protect production environments.
  • The Sonatype policy approach does not require the developer to start an approval process that results in blessed components before those components can be used. Such approval processes fail because, even with automated workflow, organizations can't keep up with the volume, complexity, breadth and release cadence of components. Sonatype's approach is a natural fit for today's agile development approach and modern DevOps practice.
  • Sonatype's support for metadata-driven policy extends into production. This is key since applications and vulnerabilities are not static. If new vulnerabilities are detected, or if a change to the license occurs for components that are in production applications, Sonatype alerts you. Sonatype provides ongoing monitoring in a non-invasive manner by matching component intelligence to the production application inventory.
  • Sonatype makes licensing data "instantly available" by mapping known license information to the application inventory. Long-running scans are not needed to make this information available.
  • Sonatype is a single-source provider for your component management needs. If you want to start with a repository solution, component metadata is integrated into our Nexus offering. If you want to extend your repository management approach with automated policy management, Nexus provides an option to do this. If you want full lifecycle management support, Sonatype CLM is the answer. Sonatype provides the flexibility that you need and a natural roadmap to a complete solution, all from a single provider.
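To make the three difficulties listed above (transitive dependencies, declared versus observed licenses) and the stage-dependent policy actions concrete, here is a small added illustration. It is not Sonatype's code; the component inventory, license names and policy table are constructed for the example.

```python
"""Toy license-policy check over a constructed component inventory.

Walks an application's transitive dependency graph, compares each
component's declared license (e.g. from its POM) with the license
observed in its source tree, and applies a stage-dependent policy:
alert developers early, fail the release stage. All data is made up."""
from collections import deque

# Constructed inventory: name -> (declared, observed, direct dependencies)
INVENTORY = {
    "app":        ("Apache-2.0", "Apache-2.0", ["web-lib", "json-lib"]),
    "web-lib":    ("Apache-2.0", "Apache-2.0", ["log-lib"]),
    "json-lib":   ("MIT",        "MIT",        ["crypto-lib"]),
    "log-lib":    ("Apache-2.0", "LGPL-2.1",   []),   # declared != observed
    "crypto-lib": ("GPL-3.0",    "GPL-3.0",    []),   # strong copyleft, transitive
}

# Hypothetical policy: licenses treated as incompatible with shipping a
# proprietary application, and licenses that merely need legal review.
DISALLOWED = {"GPL-2.0", "GPL-3.0", "AGPL-3.0"}
NEEDS_REVIEW = {"LGPL-2.1", "LGPL-3.0"}

def transitive_closure(root, inventory=INVENTORY):
    """Return every component reachable from root (root excluded), BFS order."""
    seen, queue = [], deque(inventory[root][2])
    while queue:
        name = queue.popleft()
        if name in seen:
            continue
        seen.append(name)
        queue.extend(inventory[name][2])
    return seen

def evaluate(root, stage, inventory=INVENTORY):
    """Apply the policy; stage is 'develop' or 'release'. Returns (findings, ok)."""
    findings = []
    for name in transitive_closure(root, inventory):
        declared, observed, _ = inventory[name]
        # The observed license, not the declared one, is what the policy trusts.
        if declared != observed:
            findings.append((name, "warn", f"declared {declared} but observed {observed}"))
        if observed in DISALLOWED:
            findings.append((name, "fail", f"{observed} is disallowed"))
        elif observed in NEEDS_REVIEW:
            findings.append((name, "warn", f"{observed} requires legal review"))
    # Developers only get alerts; the release stage enforces by failing the build.
    ok = stage != "release" or not any(sev == "fail" for _, sev, _ in findings)
    return findings, ok
```

Running `evaluate("app", "release")` surfaces the GPL-3.0 component that `app` never declared directly, which is exactly the transitive case the list above warns about.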

So while we agree with Gartner's take that open source component usage can drive efficiencies…

  • "With Gartner estimating that enterprise end user software spend was $342B in 2012(1), the ability to "unlock" an additional 400,000 OSS projects creates an additional $59B potential cost savings opportunity, $9.5B of that in the financial services industry alone."

we disagree with Black Duck's "industry first" claim, and we feel there is a better approach to managing the entire software lifecycle.

And we applaud GitHub's efforts to encourage selection of an appropriate open source license. Using GitHub as a vehicle to manage and share source code is a natural complement to using the Nexus Repository Manager to manage and share binary files. Together, GitHub, Git, the Central Repository, Sonatype Nexus and CLM provide the foundation for agile-based development efforts that are driven by components.


(1) Forecast: Enterprise IT Spending by Vertical Industry Market, Worldwide, 1Q13 Update, published: 18 April 2013, ID: G00249263


Written by Derek Weeks

Derek serves as vice president and DevOps advocate at Sonatype and is the co-founder of All Day DevOps -- an online community of 65,000 IT professionals.