It’s impossible to discount the reach and impact of open source software. That’s why last year, Sonatype declared February 3 as World Open Source Day.
And this isn’t limited to open source components or software engineers. The world of open source is vast, spanning every industry and garnering interest across many facets of our daily lives.
For example, in the US, NASA’s Jet Propulsion Laboratory (JPL) has open-sourced its rover program so anyone can use the same tools they use. Put another way, open source will likely be at the center of finding life on another planet and researching the vast cosmos.
Government involvement in open source isn’t limited to the US space program, though. Open source has been increasingly at the center of government talking points in the last couple of years (just look at the Executive Order on Improving the Nation’s Cybersecurity in the US and the Cyber Resilience Act in the EU). Involvement of this kind is becoming a necessity, but it often focuses more on the negatives, especially with regard to vulnerabilities.
Open source is so much more.
And that’s a big part of our reason for dedicating an entire day to open source. Sonatype believes open source isn’t just about the projects themselves. To support open source means supporting the communities and the volunteers' dedication to these projects. In many cases, there is no other outcome for contributors beyond helping the world solve complex problems and improving the quality of people’s everyday lives. And in most cases, it’s done with little acknowledgement.
We also recognize that supporting open source isn’t just about building software applications. Many teams use open source tools such as various flavors of Linux for their operating system or MS Office-like tools such as LibreOffice. Many users find tremendous success with these options as alternatives to commercial products. Our very own Luke Mcbride will discuss this in his post tomorrow.
Of course, not everything utilizing the moniker “open” is open source (looking at you ChatGPT/OpenAI). And not everything open source is what it seems (looking at you dependency confusion). So diligence is always necessary when using, choosing, and supporting open source projects.
Terms aside, no one will deny that open source is at the heart of many conversations today. However, while most look to provide accolades for the progress open source has enabled, others will look to place blame or highlight potential weaknesses. Though unfortunate, issues like the Log4Shell vulnerability gain wide notoriety with the potential to squelch the overwhelmingly positive nature of open source.
This isn’t because Log4j, the library behind Log4Shell, isn’t written well. Mistakes happen. Code will inevitably have bugs. In fact, it is the immense value open source provides, and the resulting breadth of adoption, that enables vulnerabilities to have as great an impact as they do. This is also why Sonatype builds solutions to help teams ensure they can benefit from the tremendous good open source provides.
Sonatype open source involvement
Sonatype isn’t just focused on helping protect organizations from the risk associated with vulnerable open source components. We believe that investing time and money is critical to support open source.
From our custodianship in projects such as Maven Central and Sonatype Nexus Repository OSS, to interaction and support of organizations like CNCF and OpenSSF, Eclipse, and others, we firmly stand on the side of open source being of great public value and commit to continuing our stewardship and support across as many domains as possible.
We hope you join us in celebrating the tremendous value and impact open source has had and continues to have in each of our lives.
Happy World Open Source Day!
How we’re celebrating
First, over the next three days, we’ll provide new posts on ways to engage and appreciate open source. We’ve also dedicated an episode of our podcast, Wicked Good Development. We think it’s one of the best podcasts out there, and this episode shines.
Internally, we’re encouraging every team member to use this week to contribute to open source projects or organizations we rely on. We are especially interested in helping all Sonatypians become a part of the global open source community and will support first-time contributors on their open source journey. Finally, we’re encouraging our non-technical employees to get involved, educated, and excited about the wide range of open source solutions available as well.
Our post on Friday will launch a series of interviews with a few of Sonatype’s open source developers, and we hope you’ll join the Sonatype community and tell us how you support open source.
- Post 2 - My Open Source Tools, an article by Luke Mcbride covering his favorite open source tools.
- Post 3 - Meet an Open Source Developer, the first in a series of articles by Aaron Linskens from his interviews with a few Sonatype employees on their individual experience in the open source community.
- Podcast - Episode 26 - In honor of World Open Source Day, Kadi and guest co-host Theresa Mammarella invite open source contributor, Tom Cools, to share his journey in the world of open source. Sit back and relax as we discuss why he got involved in the community, his first project, and best practices to make projects more accessible for new contributors.
Sonatype’s open source projects
Projects we manage
- Sonatype Nexus Repository Manager OSS: Nexus is an open source repository manager for Maven, NuGet, Docker registries, and other binary artifact repositories.
- Sonatype Community: Community projects meant for the Sonatype Platform (formerly known as Nexus Platform). Affiliated with Sonatype, including the work our global contributor community has done!
- Maven Central: The Maven Central Repository is the default repository for Apache Maven, SBT, and other build systems and can be easily used from Apache Ant/Ivy, Gradle, and many other tools. If you’re interested, we even dedicated a podcast episode to it.
Projects we help maintain
- Apache Maven: Software project management and comprehension tool.
- CycloneDX: OWASP CycloneDX is a lightweight software bill of materials (SBOM) standard designed for use in application security contexts and supply chain component analysis.
- Open Source Software Index Integrations: Our OSSI integrations allow developers to scan projects for open source vulnerabilities and build security into their development toolchain with native tools and integrations. The following scan tools all use the OSS Index public REST API.
- Modello: Data Model toolkit in use by the Maven 2 Project.