Author Archives: Tim O'Brien

Introducing the Sonatype Support Portal and Knowledge Base


June 18, 2012 By Tim O'Brien

When we launched our Support portal as a part of our relaunch of the sonatype.org site we didn’t make a big deal out of it. We didn’t jump up and down and tell everyone to come and participate. Instead, we sat back and waited for Google to find us, to see if the resource was going to be useful to users. Well, the results are in: without much promotion the resource is getting tens of thousands of visits a month and we’re getting good feedback. So…

This month we’ve decided to turn on the support features of Zendesk and start directing our users to our Support Portal. Both customers and non-customers can file support requests and anyone can comment or ask questions. Have at it.


Does Nexus Pro support your Gradle builds? Yes it does.


June 15, 2012 By Tim O'Brien

In support of this week’s release of Gradle 1.0, here’s an evaluation guide for Nexus Professional using two very simple Gradle projects. If you are evaluating Nexus Professional, or if you are just looking for some sample projects that configure a Gradle build to use a repository manager, take a look at this evaluation guide and download the associated sample projects. These two projects have build.gradle files that demonstrate the simplest case of configuring a Gradle build to:

  • Download dependencies from a Nexus Repository Group with Gradle
  • Deploy an Artifact to a Nexus Snapshot Repository from Gradle
  • Stage an Artifact to a Nexus Staging Repository from Gradle

Update 2013-05: The evaluation guide has been updated and is now available in HTML and PDF format.
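As an added illustration (this is not one of the sample projects from the guide), here is a minimal Gradle 1.x build.gradle that covers the first two items above: resolving dependencies through a Nexus repository group and deploying a snapshot to a Nexus snapshot repository. The Nexus URLs assume the default local install at http://localhost:8081/nexus, and the credentials are assumed to come from ~/.gradle/gradle.properties so that they never land in source control.

```groovy
// Added example, not code from the Sonatype evaluation guide.
// Assumes Gradle 1.x and a Nexus instance at the default http://localhost:8081/nexus.
apply plugin: 'java'
apply plugin: 'maven'   // provides uploadArchives / mavenDeployer

group = 'com.example.nexus-eval'
version = '1.0-SNAPSHOT'

// Assumed base URL of the local Nexus instance; adjust for your environment.
def nexusBase = 'http://localhost:8081/nexus'

// Resolve every dependency through the Nexus "public" repository group,
// so Nexus (not each developer machine) is the single point of contact
// with Central and can apply its caching, health-check and procurement rules.
repositories {
    maven { url "${nexusBase}/content/groups/public" }
}

dependencies {
    // Constructed sample dependency; any Central artifact works here.
    compile 'commons-lang:commons-lang:2.6'
}

// Credentials are read from gradle.properties in the user's home directory:
//   nexusUsername=deployment
//   nexusPassword=<secret>
// Keeping them out of build.gradle keeps them out of the repository history.
def nexusUser = project.hasProperty('nexusUsername') ? project.nexusUsername : ''
def nexusPass = project.hasProperty('nexusPassword') ? project.nexusPassword : ''

uploadArchives {
    repositories {
        mavenDeployer {
            // Releases and snapshots go to separate hosted repositories;
            // Nexus enforces the version policy (SNAPSHOT vs release) on each.
            repository(url: "${nexusBase}/content/repositories/releases") {
                authentication(userName: nexusUser, password: nexusPass)
            }
            snapshotRepository(url: "${nexusBase}/content/repositories/snapshots") {
                authentication(userName: nexusUser, password: nexusPass)
            }
        }
    }
}
```

Run `gradle uploadArchives` to deploy; because the version ends in -SNAPSHOT the artifact is routed to the snapshot repository.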

Reinventing Wheels and Opportunity Cost (or Why you Need to use Nexus)


June 13, 2012 By Tim O'Brien

I hear two sentences often. It’s either:

  • “We’re not big enough for a repository manager.”
  • Or, the increasingly popular, “We built our own repository manager. It’s just a caching HTTP Proxy.”

I can understand the first statement. People usually think “they are not big enough” for a repository manager when they haven’t understood that running a repository manager yields benefits regardless of scale.

It’s the second statement that I find problematic. (First, it’s *way* more than a caching HTTP proxy… Just saying that demonstrates that this person never bothered to try one out.) If someone has implemented a custom repository manager it suggests a certain amount of self-assuredness that is going to complicate things going forward. It suggests that whoever I’m talking to hasn’t yet understood the value of focus and making pragmatic decisions about technology.


The Time to Pay Attention to Application Security is Now


June 12, 2012 By Tim O'Brien

When we announced Insight for CI a few weeks ago, our message was simple “Get Proactive about Security with Insight”. A few months ago, when we introduced the Repository Health Check in Nexus Professional, we had a similar message about licensing, “Lead or Be Led to OSS Compliance”. For months we’ve been making the case that the time to worry about application security is now.

Another thing we’ve been saying is that it is our responsibility, as developers, to start paying attention to security vulnerabilities, and if we don’t take responsibility for application-level security, someone else will impose this requirement on us…

…and that’s exactly what we’re seeing, both in the EU’s reform of Data Protection Laws and as the US Congress responds to the latest data breach at LinkedIn. Now, who knows what sort of regulations we’re going to see in the coming months, but one thing is sure: the fact that lawmakers feel compelled to act is proof that we’re not doing enough as an industry to address security.

The best security is a layered approach: multiple levels of network security, security policies for production resources that limit access to the individuals who need it, secure password policies, and application security. Sonatype is focused on that last item, application security, and our approach focuses on the components you assemble to create your applications. If you develop software today, you understand that much of your work is spent creating applications that sit atop frameworks like Spring and Hibernate. It isn’t enough for your own software and infrastructure to be secure. These days, you need to account for vulnerabilities in your dependencies.

And, again, this isn’t operations’ responsibility. Security is a shared responsibility across both development and operations. This is something that developers need to take ownership of. While we’ll probably never know how sites like LinkedIn, eHarmony, and Last.fm were compromised, there’s a good chance that some of these sites were compromised via known vulnerabilities in outdated components. Components like Tomcat or frameworks like Struts are among the list of artifacts that have known problems.

Don’t get hacked because you didn’t upgrade to the latest version of Tomcat or because you happened to be using some ancient version of Spring with a known vulnerability. If you are consuming artifacts from Central (and if you are a Java developer, you probably are), you need to start using Nexus Professional to keep track of your dependencies. If you are using Hudson or Jenkins, take some time to evaluate Insight for CI.

Nexus Professional 2.0.5 Released: It’s Easier to Evaluate Awesomeness


June 6, 2012 By Tim O'Brien

Nexus Pro has enhanced search capabilities that make it easy to identify which components are popular versus which components you might want to avoid.

With Nexus Pro you can track your exposure to security vulnerabilities and licensing issues. With Nexus Pro you gain control over your releases, so you can place release candidate binaries in a temporary staging repository while QA tests and qualifies a release. With Nexus Pro you can control which OSS components you allow into your organization with Procurement. You can proxy the most popular source of components for Java developers (Central) alongside the most popular source of OSS components for .NET developers (NuGet Gallery). If you have distributed teams you can set up two Nexus instances and set up a Smart Proxy so that your distributed teams are always working with the latest artifacts in a distributed environment.

This impressive list of features is only available to you if you can sit down and evaluate these features and come to your own conclusions. Some of our customers take the time to go through the motions of an evaluation, but many are asking for an easier evaluation experience. In the 2.0.5 release, we’ve done just that.

A few months ago the engineering team took a long look at Nexus Professional from the perspective of a new user. What does it take to get started? What were the assumptions we were making about what users know before they download the product? And, how can we make it easier to evaluate the product?

After this exercise it became clear to us that we needed to make sure our Nexus Professional trial bundle contained a few preconfigured features along with a set of simple example projects.

Put simply, it has to be easier to evaluate the product. Our new Nexus Professional bundle “forward deploys” the following features:

  • Nexus has been preconfigured to download the search index from Central. Download Nexus Professional and give it a few minutes to download the index from Central. Once downloaded, you can start searching for artifacts. Since Nexus Professional adds valuable information to the search interface, we wanted to make sure this data was available immediately without asking users to click through a flurry of configuration screens.
  • A Staging profile has been configured to demonstrate release management. Since Staging is a primary draw for many of our customers, this version takes a step toward making it easier for a first time user to understand Staging. A Staging profile has been configured, and a sample project has been configured to stage an artifact to this profile. A new user can deploy and release via this Staging profile without having to run through pages and pages of introduction and configuration instructions.
  • Procurement has been preconfigured so you can quickly define rules for the OSS components. If you need to control your OSS components, this Nexus Professional trial bundle creates a procured repository and adds this repository to your Public group. If you need to start procuring artifacts, Procurement is up and running.
  • Nexus proxies NuGet Gallery so that you can quickly evaluate support for .NET development. This is one of the most important changes. Our Nexus Professional bundle ships with no .NET repositories configured and we were asking users to jump through pages and pages of instructions. With this trial bundle, NuGet Gallery is proxied, a new NuGet hosted repository is available, and these two repositories are combined into a NuGet group. To start using Nexus for .NET all you need to do is copy the NuGet API key into Visual Studio for authentication.

In addition to these configuration changes to our Nexus Professional trial, users can now download two simple Maven projects that are preconfigured to download and deploy artifacts from and to a local Nexus Professional instance along with a short evaluation guide to walk you through the process. Download Nexus Professional today and get started.