We know how components from the Central Repository have become critical to your development efforts. We also know that you need to trust those components. Part of that trust is knowing that hackers don’t have visibility into the components you download or that they compromise components using a man-in-the middle or Cross Build Injection (XBI) attack.
We’re making SSL connectivity to Central available to anyone that downloads open source components regardless of the repository manager. Given the tremendous growth of Central, and the fact that modern applications are largely built from OSS components, this capability is likely to be leveraged by many organizations. SSL has become the standard mechanism for protecting web traffic – across the spectrum of Ecommerce, banking, health care, and so on. Providing SSL support for Central means that your components are no longer susceptible to man-in-the-middle attacks that could compromise the component. SSL also eliminates the potential for a hacker to gain visibility into your organization by tracking the components that you download for your development initiatives.
As of Nexus Pro 2.2 (available now), SSL is now the default connectivity option for Nexus Pro users. Because we take security of the ecosystem seriously, we aren’t stopping there, we’re making SSL connectivity to Central available to you even if you aren’t using Nexus Pro.
In order to ensure the highest level of performance for those who count on SSL, we are securing the service with a token. You can get a token for your organization simply by providing a $10 donation that will be donated to open source causes. For the first 60 days all donations will go to the Apache Software Foundation. After that, the donations will go to other open source foundations such as Eclipse. Sonatype will provide a donation on behalf of Nexus Pro customers since we’ve included SSL access to all Pro customers automatically.
If you happen to be using Nexus OSS (any version), support for the SSL token is included already. I’ve already reached out to the Artifactory and Archiva teams and they are working on the changes necessary to enable SSL to Central – we’ll let you know when that support is enabled. If you’re not using a repository manager at all, what are you waiting for?
Central is a critical resource for developers. If you develop Java applications and use Maven, Gradle, or Ivy, Central is what has made it easy for you to consume libraries using dependency declarations in your builds. For more than a decade, Central has been a solid, reliable presence supporting the community and making it easier not just for developers to consume software but also for open source projects to distribute software to the public. Before Central, assembling the dependencies and components that went into your project was a pain in the neck; after Central, the process of downloading dependencies became automatic.
Only a few years ago, Central was a single Dell server running in a Contegix datacenter in St. Louis (you can see it here). From 2007 to 2011 the server was used 12 billion times by 14.3 million unique IP addresses, and since then traffic from a world of developers has only continued to increase. Over the years we’ve invested in both capacity and stability improvements, but today I’m announcing what I consider to be the biggest improvement to date.
Today we announced an agreement with EdgeCast Networks. EdgeCast Networks is a CDN with global reach that we are going to use to both accelerate the delivery and increase the availability of Central. Every Java developer who uses Maven, Gradle, or Ivy (possibly every Java developer in the world) will see immediate improvements in the speed of Central. Index downloads and artifact downloads will be served from one of EdgeCast’s 21 points of presence distributed over four continents. Your builds are going to run faster because of Sonatype’s agreement with EdgeCast.
In addition to this, Sonatype Nexus Pro customers will now have access to end-to-end Secure Socket Layer (SSL) encryption, bringing a greater level of security to their software development processes.
Surely, you didn’t just read a blog title that mentions beer on the Sonatype site? Oh Yes. Yes you did. In honor of St. Patrick’s Day, we’ve decided to give you some tips on how to make sure your organization is compliant with an important (and entirely real) OSS license – “Beerware”.
Beerware is the name for a license that has the following text:
* "THE BEER-WARE LICENSE" (Revision 42):
* wrote this file. As long as you retain this notice you
* can do whatever you want with this stuff. If we meet some day, and you think
* this stuff is worth it, you can buy me a beer in return Poul-Henning Kamp
Here’s a license for a library you probably use right now. Notice the clause I circled in an alarmist shade of red:
If you saw this license flagged in a Nexus RHC report it might make you stop, chuckle a bit. “Right, don’t be Evil clause. Ok, whatever.” But, remember, you are a developer, not a lawyer.
A lawyer sees that clause and they have to take it very seriously. You see, lawyers usually don’t have a sense of humor when it comes to the law, and they can’t ignore something in a license. A license is just that, a legal document, everything in it must be taken at face value.
Sonatype is pleased to announce Nexus 2.0, a major update for Nexus including several major features and features that add a new layer of intelligence about the artifacts stored in your repositories.
Today is a big day in the history of Nexus. It has been six years since Nexus was created and the product hasn’t only come along way since then, it has set the standard for repository management. When we started, few people were thinking about running a local repository manager. These days, you’d have to work to find a serious development effort that doesn’t use one. Repository managers are essential.
Today Sonatype is redefining repository management, taking the core ideas of remote proxies and hosted repositories and adding a layer of intelligence. Everyone consumes open source. You couldn’t code anything worth coding without using something like Guice, Spring, or a hundred other essential libraries. Even though OSS is everywhere, very few organizations are paying attention to license and security information about those artifacts. We’re changing that today by making Insight integration a part of Nexus.
Repository Health Awareness
In Nexus 2.0 you have the ability to request a repository health check from the Sonatype Insight service. Our Insight service maintains a database of security vulnerabilities and open source licenses. We scan source distributions to identify inconsistencies between declared licenses and effective licenses, and our security database is constantly scanning for the latest vulnerabilities.
When you submit a repository for a Repository Health Check, the process is non-invasive and non-disruptive. Nexus sends non-identifiable hash codes for artifacts to the Insight service which then returns actionable quality, security, and licensing information about the open source components in your repositories. From the Insight summary report you can see your exposure to both security vulnerabilities and various open sources licenses.
Repositories are scanned for artifacts with known security issues producing summary reports showing how many Critical, Servere, and Moderate vulnerabilities are present in a given repository. Licensing reports generate a overall summary of your exposure to copyleft licenses like GPL, and liberal licenses such as the Apache license. Nexus Professional customers can drill down into a detailed reports identifying specific components with unacceptable licenses or security vulnerabilities.
These reports can be used to implement policies managing your exposure to security risks and tracking the array of open source licensed used by your development teams.
Availability Architecture – Smart Proxy
If you require more than one instance of Nexus, Nexus Professional 2.0 has an entirely new availability architecture making it easier to support distributed teams. If you run several instances, the smart proxy capability new in Nexus 2.0 connects two or more instances of Nexus in real-time. This adds an intelligent, distributed mechanism to keep repositories in sync. One instance of Nexus subscribes to messages from another receiving repository change events notifying it of newly published artifacts.
Before Nexus 2.0, distributed architectures had to resort to a workaround that affected performance, not found caches for snapshot repositories had to be set very low and reduced the benefit of having local caches. After Nexus 2.0, distributed teams can collaborate closely knowing that a Nexus smart proxy is keeping repositories in sync without sacrificing performance. When two Nexus instances and two repositories are related using Smart Proxy, one repository subscribes to events published by the other. This means that changes are communicated immediately.
Smart proxy makes Nexus aware of distributed deployment architectures. This makes Nexus 2.0 ready for the the largest, most mission critical Nexus installations.
.NET Package Repository
If you develop .NET applications, Nexus Professional 2.0 adds support for NuGet. NuGet is a Visual Studio extension that makes it easy to install and update open source libraries and tools. NuGet Gallery is the equivalent of the Central repository for .NET developers and with Nexus 2.0 you can proxy and cache artifacts from NuGet Gallery on your local Nexus instance.
In addition to proxying NuGet repositories in Nexus you can also publish your own .NET packages to hosted repositories. This new ability to use Nexus as a publishing end point for internal .NET applications means that your development teams can start to share libraries using a corporate NuGet repository.
Nexus adds full support for .NET, in addition to proxying and hosting repositories, Nexus 2.0’s .NET support enables you to group NuGet repositories. You can also create virtual NuGet repositories that scan other repositories for NuGet packages and expose them to the NuGet feed.
Nexus 2.0 provides first-class support for .NET artifacts, with this release you get a common place to manage artifacts for both .NET and Java development efforts.
There are other features in the 2.0 release that we’ll be talking about in the coming weeks, but these three major features: Repository Health Check, Smart Proxy, and NuGet support are important upgrades to the Nexus project. To find out more about how you can start your evaluation of Nexus Professional, go to http://sonatype.com/nexus.