Tag Archives: The Central Repository

Today’s Security Brief: Application security is widely neglected (by some surprising companies)


March 26, 2012 By Tim O'Brien

Today we published a paper with Aspect Security, and it’s a shocking look at how few people are paying attention to application security. If you consume dependencies from the Central Repository and you don’t want to get hacked, I’d suggest reading the report and understanding some of the challenges. I’d also check out some of these statistics. Here are three that jumped out at me:

  • Global 500 organizations downloaded more than 2.8 million insecure components in one year.
  • Financial services firms are the most exposed: Global 100 financial services firms alone downloaded more than 567,000 insecure components in one year.
  • 48% (a little under half) of organizations don’t have an inventory of open-source software used in production. (If a new vulnerability is discovered in something like GWT, who knows whether we have that in production?)
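The last statistic is the one a practitioner can actually do something about today. The question "is GWT in production?" is answerable in minutes if each deployable module's resolved dependencies are captured and indexed by Maven coordinate. The script below is an added example for this page, not Sonatype's, Maven's or the brief's own code. It assumes you have saved the output of `mvn dependency:list` (whose coordinate lines have the real format `groupId:artifactId:type[:classifier]:version:scope`) for each production module; the sample output embedded in it is constructed, and the choice of which scopes count as "in production" is an assumption noted in the code.

```python
"""Build a production dependency inventory from `mvn dependency:list` output.

Added example, not Sonatype's or Maven's own code. Assumes you capture the
plugin's output per deployable module (e.g. `mvn dependency:list > deps.txt`)
and want to answer "do we ship artifact X, and in which version?".
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple

# Constructed sample of dependency:list output; not taken from any real build.
SAMPLE_OUTPUT = """\
[INFO] --- maven-dependency-plugin:2.4:list (default-cli) @ webapp ---
[INFO]
[INFO] The following files have been resolved:
[INFO]    com.google.gwt:gwt-user:jar:2.4.0:compile
[INFO]    com.google.gwt:gwt-servlet:jar:2.4.0:runtime
[INFO]    org.apache.struts:struts2-core:jar:2.2.3:compile
[INFO]    junit:junit:jar:4.10:test
[INFO]    org.slf4j:slf4j-api:jar:1.6.4:compile
[INFO]    net.sf.json-lib:json-lib:jar:jdk15:2.4:compile
[INFO] ------------------------------------------------------------------------
"""


class Dep(NamedTuple):
    group: str
    artifact: str
    packaging: str
    classifier: str  # "" when the coordinate carries no classifier
    version: str
    scope: str


# Assumption: only compile and runtime scope end up in the deployed artifact.
# `test` never ships; `provided` comes from the container, so it is excluded
# here, although the container's copy of a library is just as exploitable.
PRODUCTION_SCOPES = {"compile", "runtime"}

# A coordinate line is "[INFO]", whitespace, then a single colon-separated
# token. Banners and progress lines contain spaces and therefore never match.
_LINE = re.compile(r"^\[INFO\]\s+(\S+)\s*$")


def parse_dependency_list(text: str) -> List[Dep]:
    """Parse the coordinate lines of `mvn dependency:list` output.

    Handles both `g:a:type:version:scope` and the classifier form
    `g:a:type:classifier:version:scope`; any other token is ignored.
    """
    deps: List[Dep] = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        parts = m.group(1).split(":")
        if len(parts) == 5:
            g, a, t, v, s = parts
            deps.append(Dep(g, a, t, "", v, s))
        elif len(parts) == 6:
            g, a, t, c, v, s = parts
            deps.append(Dep(g, a, t, c, v, s))
    return deps


Inventory = Dict[Tuple[str, str], Set[Dep]]


def build_inventory(deps: List[Dep], production_only: bool = True) -> Inventory:
    """Index dependencies by (groupId, artifactId), dropping non-shipping scopes."""
    inv: Inventory = defaultdict(set)
    for d in deps:
        if production_only and d.scope not in PRODUCTION_SCOPES:
            continue
        inv[(d.group, d.artifact)].add(d)
    return inv


def versions_in_production(inv: Inventory, group: str, artifact: str) -> List[str]:
    """The question from the brief: is this artifact in production, and which versions?"""
    return sorted(d.version for d in inv.get((group, artifact), ()))


def find_group(inv: Inventory, group: str) -> List[Dep]:
    """All shipped artifacts under one groupId, for advisories that name a project
    rather than a single artifact."""
    return sorted(d for (g, _), ds in inv.items() if g == group for d in ds)


if __name__ == "__main__":
    inv = build_inventory(parse_dependency_list(SAMPLE_OUTPUT))
    print("gwt-user in production:", versions_in_production(inv, "com.google.gwt", "gwt-user"))
    print("junit in production:", versions_in_production(inv, "junit", "junit"))
    for d in find_group(inv, "com.google.gwt"):
        print(f"  {d.group}:{d.artifact}:{d.version} ({d.scope})")
```

Run this over the captured output of every deployable module, merge the inventories, and a new advisory for a given groupId:artifactId becomes a lookup rather than a guess. The classifier case matters in practice: json-lib's `jdk15` build is the same vulnerable code as any other classifier of that version, so the lookup keys deliberately ignore classifier and packaging.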

To access the executive brief, “Addressing Security Concerns in Open-Source Components,” visit www.sonatype.com/securitybrief. You can follow the conversation on Twitter using the hashtag #OSSsecurity.

NOTE: Now, developers, I know what you are thinking: you see the words “Executive Brief” and immediately dismiss this as C-level corporate-speak. Sure, there’s a little bit of that, but you’ll also learn how to own any unpatched Struts 2 application with a known vulnerability. If you use Struts, maybe you should read this report before your boss uncovers a vulnerability in your application?

Ken Rimple Interviews Brian Fox: Maven 3, Running Central, and Nexus


March 22, 2012 By Tim O'Brien

Brian Fox sat down with Ken Rimple of Chariot Solutions to talk about Nexus and to put repository management in the context of recent developments with Maven. Ken Rimple and Chariot have been long-term partners with Sonatype, supporting our Maven training efforts, so Ken has enough Maven background to ask some interesting questions.

Listen to Chariot TechCast, Episode #71, Brian Fox of Sonatype on Nexus 2

The Legacy of Maven: Binary Reusability

The interview leads off with a discussion about Maven, Maven’s history, and some of the recent developments surrounding the Maven ecosystem. Brian identifies binary reusability and declarative builds as the two important legacies of Maven:

“One of the unique things that Maven brought to the table, and what may in fact be the legacy for Maven years down the road, is that it introduced the concept of having binary reusability and not rebuilding the world as everybody was used to doing. The other aspect was making things more of a declarative model especially the dependencies. That was all unique at the time.”

What It Takes to Run Central

Ken and Brian discuss the introduction and development of Central, from the initial efforts in 2001 and 2002 to create a single coordinate system for artifacts through to the current iteration. Brian is very involved in the effort to maintain Central, so this is your chance to hear him discuss some of the internals of that effort: how much bandwidth does Central consume? How much effort is involved in maintaining it? And what are the day-to-day operations for running Central?

Key quotes about Central: “We’re approaching half a Terabyte for artifact storage” and “We’re seeing 50 to 60 new projects added every day”.

You will hear about how Nexus is used to enforce standards for artifacts added to Central from forges like Apache, JBoss, java.net, Codehaus, as well as the instance of Nexus that Sonatype provides for independent projects: http://oss.sonatype.org.

New Features in Nexus 2.0

Brian then discusses the important features we’re introducing with Nexus 2.0, including support for .NET, the Repository Health Check, and our support for distributed proxies.

Again, if you haven’t listened to it, you should. Go over to Chariot Solutions and listen to Chariot TechCast Episode #71, or better yet, open up iTunes and subscribe to Chariot’s podcast.