
Sonatype's 10 Year Journey, with Co-founder Brian Fox

February 16, 2018 By Brian Fox

Let's start at the beginning...

In the beginning, Jason van Zyl was doing a lot of Maven training, Maven consulting, things like that. Maven in those days, in 2007, was really the hot new thing. There was a lot of hype around it and there was sort of an insatiable demand for knowledge. In the early days we were focused on providing products for the Maven ecosystem and quite literally going out and training people how to use Maven, how to do things the right way.

How has Sonatype, and the industry, evolved in the past 10 years...

We've seen development practices mature from pure Agile Scrum into more of a DevOps, DevSecOps type of approach, and we've also seen the rise of containerization. Those two things are pretty important because the DevOps aspect of that has really brought the developers more to the forefront.

A big focus on what works for developers is now really key for how companies develop applications. That was always one of the initial focuses of the company, to make building software easier and more repeatable, and to integrate into the tools that the developers were already using. DevOps has really made that not just a developer problem but an everybody kind of focus.

Containerization, likewise, has taken a lot of the concepts that Maven first introduced around the componentization, and binary reusability, and composability. It has taken that, and extended it beyond just the applications, all the way into, effectively, the operating system and the entire application stack itself. In many ways it's really expanded the scope of what we see as a component-based development process.

What makes you most excited when you look back at Sonatype's legacy...

It's really exciting to see that last year Central had 87 billion downloads. Maven Central Repository, the largest repository in the world of Java, and so pretty much everything Java, has come from something that we've hosted at Sonatype. That's pretty amazing, especially considering when we first started the repository was something like just 20 gigs, and now it's closing in on two terabytes of data. That's pretty awesome.

The fact that we are closing in on 200,000 open source instances of the Nexus Repository Manager, that's great to see. That transcends Maven use. A big popular use case these days is for npm and for Docker. We expect to see that as more languages adopt package managers and things like that. That trend is just going to grow.

How is the conversation around component based security changing the industry...

In the early days, a lot of our customers were asking, from a risk or a governance perspective, how to control things from a licensing perspective. Everybody was afraid of the GPL, and that was the primary focus. Nobody was talking about security issues back then. It's great to see now that there are a lot of tools in the market that are doing that, that are shifting further into development to get developers aware. It's great to see that developers, generally, are paying attention to this and wanting to do the right thing.

It wasn't that many years ago that that wasn't even something that people considered or that, from a development perspective, that was considered to be security's problem. That's also part of the benefit of DevOps and DevSecOps, it's basically made it everybody's problem. And finding a solution that works for everybody is now key.

That's really how we've thought about the problem this whole time.

What does the next 10 years hold for Sonatype and the industry...

The focus on making tooling that works for developers, that is compatible with how developers are producing software and consuming software, is pretty exciting, arching back to the beginnings of trying to make Maven work in the IDE and those types of things.

Now what we're seeing is that organizations have matured to the point where that's a key requirement for how they approach solving a problem, whereas before, a lot of places looked down on development and tried to throw toll gates and other restrictive types of processes in place.

It's become very much a top-of-mind concern that they need to out-innovate their competitors. And to be able to do that, they need to empower the developers, not restrict developers. I think that, of all the changes and all the things looking forward, that's probably the most exciting one. That path has lots of ways to go and will continue to make developers even more productive.


Written by Brian Fox

Brian Fox is a software developer, innovator and entrepreneur. He is an active contributor within the open source development community, most prominently as a member of the Apache Software Foundation and former Chair of the Apache Maven project. As the CTO and co-founder of Sonatype, he is focused on building a platform for developers and DevOps professionals to build high-quality, secure applications with open source components.