For St. Patrick’s Day: A Compliance Strategy for “Beerware”
Surely, you didn’t just read a blog title that mentions beer on the Sonatype site? Oh Yes. Yes you did. In honor of St. Patrick’s Day, we’ve decided to give you some tips on how to make sure your organization is compliant with an important (and entirely real) OSS license – “Beerware”.

Beerware is the name for a license that has the following text:
/*
 * ----------------------------------------------------------------------------
 * "THE BEER-WARE LICENSE" (Revision 42):
 * wrote this file. As long as you retain this notice you
 * can do whatever you want with this stuff. If we meet some day, and you think
 * this stuff is worth it, you can buy me a beer in return Poul-Henning Kamp
 * ----------------------------------------------------------------------------
 */
Use JSON? Well you’d better not be Evil.

Here’s a license for a library you probably use right now. Notice the clause I circled in an alarmist shade of red:

If you saw this license flagged in a Nexus RHC report, it might make you stop and chuckle a bit. “Right, don’t be Evil clause. Ok, whatever.” But, remember, you are a developer, not a lawyer.
A lawyer sees that clause and has to take it very seriously. You see, lawyers usually don’t have a sense of humor when it comes to the law, and they can’t ignore something in a license. A license is just that, a legal document; everything in it must be taken at face value.
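A small header scanner that applies the compliance strategy above to both licenses discussed (the Beer-ware banner and the JSON license's "Good, not Evil" clause), flagging the latter for legal review. This is an added example, not Sonatype's or Nexus's code; the marker patterns, policy table and sample files are constructed for illustration.

```python
import re

# Marker patterns for the two licenses discussed above (constructed for this
# example): the Beer-ware banner, and the JSON license's usage restriction,
# which is the clause a lawyer cannot ignore.
LICENSE_MARKERS = {
    "Beerware": re.compile(r'"THE BEER-WARE LICENSE"\s*\(Revision\s+\d+\)', re.I),
    "JSON": re.compile(r"shall be used for Good,\s*not Evil", re.I),
}

# Constructed policy: the beer obligation is informal, so keep the notice and
# move on; the "not Evil" clause restricts use, so route it to legal review.
POLICY = {
    "Beerware": "allow",
    "JSON": "review",
}

def classify_header(text, head_chars=4000):
    """Return the licenses whose markers appear in the file's header region."""
    head = text[:head_chars]
    return [name for name, rx in LICENSE_MARKERS.items() if rx.search(head)]

def scan_tree(files):
    """files: {path: contents}. Returns {path: (licenses found, policy actions)}."""
    report = {}
    for path, text in files.items():
        found = classify_header(text)
        report[path] = (found, [POLICY[name] for name in found])
    return report

def needs_review(files):
    """Paths whose declared license requires legal sign-off."""
    return sorted(path for path, (_, actions) in scan_tree(files).items()
                  if "review" in actions)

# Constructed sample tree: one Beer-ware header, one JSON-licensed file, one plain file.
SAMPLE_FILES = {
    "src/beer.c": '/* "THE BEER-WARE LICENSE" (Revision 42):\n'
                  ' * As long as you retain this notice you can do whatever you want. */\nint x;',
    "lib/json.js": "/* The Software shall be used for Good, not Evil. */\nvar JSON;",
    "src/main.c": "int main(void) { return 0; }",
}
```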
Announcing Nexus Professional 2.0
Sonatype is pleased to announce Nexus 2.0, a major update to Nexus that brings several major new features, including ones that add a new layer of intelligence about the artifacts stored in your repositories.
Today is a big day in the history of Nexus. It has been six years since Nexus was created, and the product hasn’t only come a long way since then, it has set the standard for repository management. When we started, few people were thinking about running a local repository manager. These days, you’d have to work to find a serious development effort that doesn’t use one. Repository managers are essential.
Today Sonatype is redefining repository management, taking the core ideas of remote proxies and hosted repositories and adding a layer of intelligence. Everyone consumes open source. You couldn’t code anything worth coding without using something like Guice, Spring, or a hundred other essential libraries. Even though OSS is everywhere, very few organizations are paying attention to license and security information about those artifacts. We’re changing that today by making Insight integration a part of Nexus.
Repository Health Awareness
In Nexus 2.0 you have the ability to request a repository health check from the Sonatype Insight service. Our Insight service maintains a database of security vulnerabilities and open source licenses. We scan source distributions to identify inconsistencies between declared licenses and effective licenses, and our security database is constantly scanning for the latest vulnerabilities.
When you submit a repository for a Repository Health Check, the process is non-invasive and non-disruptive. Nexus sends non-identifiable hash codes for artifacts to the Insight service, which then returns actionable quality, security, and licensing information about the open source components in your repositories. From the Insight summary report you can see your exposure to both security vulnerabilities and various open source licenses.
Repositories are scanned for artifacts with known security issues, producing summary reports showing how many Critical, Severe, and Moderate vulnerabilities are present in a given repository. Licensing reports generate an overall summary of your exposure to copyleft licenses like GPL, and liberal licenses such as the Apache license. Nexus Professional customers can drill down into detailed reports identifying specific components with unacceptable licenses or security vulnerabilities.
These reports can be used to implement policies managing your exposure to security risks and tracking the array of open source licenses used by your development teams.
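The hash-based lookup and summary report described above, as an added example that is not Sonatype's or the Insight service's code: artifacts are hashed locally, only the hash is looked up, and the result is rolled up into the vulnerability severity counts and copyleft/liberal license exposure the report shows. The artifact bytes, database entries, severity labels and license classes are constructed for this example.

```python
import hashlib
from collections import Counter

# Constructed artifacts; only their SHA-1 is ever sent for lookup.
SAMPLE_ARTIFACTS = {
    "libs/good-1.0.jar": b"constructed jar bytes A",
    "libs/copyleft-2.3.jar": b"constructed jar bytes B",
    "libs/old-json-1.0.jar": b"constructed jar bytes C",
}

def sha1_hex(data):
    """Non-identifying fingerprint of an artifact (the value Nexus would send)."""
    return hashlib.sha1(data).hexdigest()

# Constructed stand-in for the Insight database, keyed by artifact hash.
SAMPLE_DB = {
    sha1_hex(SAMPLE_ARTIFACTS["libs/good-1.0.jar"]): {"license": "Apache-2.0", "vulns": []},
    sha1_hex(SAMPLE_ARTIFACTS["libs/copyleft-2.3.jar"]): {"license": "GPL-3.0", "vulns": ["Moderate"]},
    sha1_hex(SAMPLE_ARTIFACTS["libs/old-json-1.0.jar"]): {"license": "JSON", "vulns": ["Critical", "Severe"]},
}

# Constructed license classes mirroring the report's copyleft vs. liberal split.
COPYLEFT = {"GPL-2.0", "GPL-3.0", "LGPL-2.1", "AGPL-3.0"}
LIBERAL = {"Apache-2.0", "MIT", "BSD-3-Clause"}

def license_class(name):
    if name in COPYLEFT:
        return "copyleft"
    if name in LIBERAL:
        return "liberal"
    return "other/review"   # unusual licenses (e.g. JSON) go to manual review

def health_check(artifacts, db):
    """Hash each artifact, look it up, and build the summary report."""
    vulns = Counter()
    licenses = Counter()
    unknown = []            # hashes the service has never seen: not "safe", just unknown
    for path, data in artifacts.items():
        info = db.get(sha1_hex(data))
        if info is None:
            unknown.append(path)
            continue
        vulns.update(info["vulns"])
        licenses[license_class(info["license"])] += 1
    return {"vulnerabilities": dict(vulns), "licenses": dict(licenses), "unknown": unknown}
```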
Availability Architecture – Smart Proxy
If you require more than one instance of Nexus, Nexus Professional 2.0 has an entirely new availability architecture making it easier to support distributed teams. If you run several instances, the smart proxy capability new in Nexus 2.0 connects two or more instances of Nexus in real time. This adds an intelligent, distributed mechanism to keep repositories in sync. One instance of Nexus subscribes to messages from another, receiving repository change events that notify it of newly published artifacts.
Before Nexus 2.0, distributed architectures had to resort to a workaround that affected performance: the not-found cache for snapshot repositories had to be set very low, which reduced the benefit of having local caches. After Nexus 2.0, distributed teams can collaborate closely knowing that a Nexus smart proxy is keeping repositories in sync without sacrificing performance. When two Nexus instances and two repositories are related using Smart Proxy, one repository subscribes to events published by the other. This means that changes are communicated immediately.
Smart proxy makes Nexus aware of distributed deployment architectures. This makes Nexus 2.0 ready for the largest, most mission-critical Nexus installations.
.NET Package Repository
If you develop .NET applications, Nexus Professional 2.0 adds support for NuGet. NuGet is a Visual Studio extension that makes it easy to install and update open source libraries and tools. NuGet Gallery is the equivalent of the Central repository for .NET developers and with Nexus 2.0 you can proxy and cache artifacts from NuGet Gallery on your local Nexus instance.
In addition to proxying NuGet repositories in Nexus you can also publish your own .NET packages to hosted repositories. This new ability to use Nexus as a publishing end point for internal .NET applications means that your development teams can start to share libraries using a corporate NuGet repository.
Nexus adds full support for .NET: in addition to proxying and hosting repositories, Nexus 2.0’s .NET support enables you to group NuGet repositories. You can also create virtual NuGet repositories that scan other repositories for NuGet packages and expose them to the NuGet feed.
Nexus 2.0 provides first-class support for .NET artifacts; with this release you get a common place to manage artifacts for both .NET and Java development efforts.
Conclusion
There are other features in the 2.0 release that we’ll be talking about in the coming weeks, but these three major features, Repository Health Check, Smart Proxy, and NuGet support, are important upgrades to the Nexus project. To find out more about how you can start your evaluation of Nexus Professional, go to http://sonatype.com/nexus.
Publishing Your Artifacts to the Central Repository
Sonatype makes it easy to add your projects to the Central Repository with a free, public hosting service called OSSRH. We first blogged about this back in 2009, but given the growth in the community, we thought some of you may not have seen that post, so we decided to update it.
The Central Repository Is Getting Faster! Are you ready for the new IPs?
We’ve made several improvements to the Central Repository (Maven Central) to support the incredible growth in both the number of components and the number of developers using it. If you use specific IPs to allow access to Central, you’ll need to update your firewall as described below.
Since 2007, Central has been hosted at Contegix in a shared rack with 100 Mbps data connections to the Internet. We’ve worked with Contegix to acquire a new dedicated switch that will have a 1 Gbps connection directly to their core routers. The routing to the switches is done at Layer 3 (IP), which means we are moving to a new dedicated IP subnet:
- 207.223.241.64/27 (207.223.241.65 – 207.223.241.95)
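A check for the firewall update mentioned above, as an added example (not Sonatype's tooling): given the allowlist your firewall currently grants for Central, it reports which parts of the new 207.223.241.64/27 subnet are still not permitted, so a stale single-IP rule shows up before the move rather than after. The allowlists below are constructed.

```python
import ipaddress

# The new Central subnet quoted above.
CENTRAL_SUBNET = ipaddress.ip_network("207.223.241.64/27")

def uncovered(allowlist, subnet=CENTRAL_SUBNET):
    """Return the CIDR blocks of `subnet` not covered by any allowlist entry.
    Entries are CIDR strings or single IPs (a single IP is treated as a /32)."""
    remaining = [subnet]
    for entry in allowlist:
        net = ipaddress.ip_network(entry, strict=False)
        next_remaining = []
        for block in remaining:
            if block.subnet_of(net):
                continue                                   # block fully allowed
            if net.subnet_of(block):
                next_remaining.extend(block.address_exclude(net))  # carve out the allowed part
            else:
                next_remaining.append(block)               # disjoint; still uncovered
        remaining = next_remaining
    return sorted(str(n) for n in remaining)

def allowlist_ok(allowlist):
    """True when every address in the new subnet is permitted."""
    return not uncovered(allowlist)

# Constructed allowlists: a stale rule for one old address, and the updated rule.
OLD_RULES = ["207.223.241.70/32"]
NEW_RULES = ["207.223.241.64/27"]
```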
In addition to the network upgrade, we’ve added an entirely new tool to our belts: Dyn (formerly DynDNS.com) is partnering with us to provide active monitoring, failover and global load balancing along with enterprise DNS services for maven.org via their DynECT Managed DNS solution. DNS resolution time should be noticeably faster as Dyn has DNS servers all around the world.