This week I woke up to find several emails from Nexus Lifecycle indicating that the products in my portfolio were potentially vulnerable due to their inclusion of Apache commons-collection. If you have no idea what I’m talking about, stop now and go read this factual and un-sensationalized account of the situation. I’ll wait.
We, on the Nexus team, are pleased to announce the arrival of the Nexus 3 Milestone 5 release! Our focus in this milestone release was; hosting and proxying Docker registries, browsing and searching Docker images, browsing components and assets that belong to any repository format. Docker format capabilities in Nexus 3 are brand new and we are excited to have it going out into the wild so we can hear your feedback.
I was astonished to see that many, if not all, of the core Supply Chain Management principles have yet to be or are just starting to be applied to the software industry.
Imagine that you are designing the 2016 Range Rover line of sport utility vehicles. Like all gas powered vehicles, each one needs an exhaust muffler. Range Rover likely has narrowed in on a preferred provider of mufflers. But imagine what would happen if the designers and factory line workers could pick from any one of 27 past versions of that muffler from their preferred provider for the new model year.
“Software may be eating the world, but rework is choking software”, tweeted John Jeremiah (@j_jeremiah). To shed more light on what is choking software, new data was released last week in the 2015 State of the Software Supply Chain Report.
Today I want to focus on the huge ecosystem of open source projects (“suppliers”) that feed a steady stream of innovative components into our software supply chains. In the Java ecosystem alone, there are now over 108,000 suppliers of open source components. Across all component types available to developers (e.g., RubyGems, NuGet, npm, Bower, PyPI, etc.), estimates now reach over 650,000 suppliers of open source projects.
At Josh Corman’s presentation during AppSecEU 2015, he brought up the analogy of buildings codes, those laws and regulations that mandate how architectural buildings are built. It’s the reason earthquakes in some regions of the world are so devastating, while even stronger ones in other areas cause minimal damage.
In April of this year, I embarked on a six-week journey diving deep into an analysis of the world’s software supply chains. I evaluated the practices of 106,000 organizations, the 100,000+ suppliers they relied on, and the billions of software components that fueled their agile, continuous delivery and DevOps practices.
During my second day at DevOpsDays DC, I had the opportunity to catch up with a couple more industry thought leaders. First up, John Willis, DevOps Days core organizer and co-author the upcoming “DevOps Cookbook”.
This past week, I had the opportunity to catch up with some more industry thought leaders at the DevOpsDays DC event in our nation’s capital. This was the first major DevOps Days event to feature a large audience of government participants. It was an awesome event and is certainly going to be on my must-attend list for next year.