Google Guava Shows Strong Growth in April
I was doing a bit of data analysis of the data that drives our Nexus Professional popularity results and I came across some statistics that show demand for Google Guava has been picking up over the last year. Our Top 10 list for general utilities contains the usual suspects. Libraries like Commons Lang and Commons Beanutils are predictably near the top of the list, as are both log4j and slf4j. Not only are these the utilities you’d expect to see in almost every Java project, many of the dependencies you depend on also reference these libraries. This is a list of utilities and projects you’d better be familiar with if you are programming in Java, because you will undoubtedly encounter them.
Here is a list of the Top 10 Utilities from April 2012. Note how Google Guava jumped three places from #15 to #12 with a 2.5% increase in demand from March. While I don’t expect Google Guava to surpass the popularity of Apache Commons components any time soon, it will be interesting to see if Guava becomes a standard that challenges Commons Lang. Guava, like Apache Commons, is a collection of utilities and classes that supplement Java. While they have overlapping purposes, I tend to continue to have both on my classpath whenever I’m coding.
Caveat: I’m comparing utility libraries with the exception of JUnit. JUnit is downloaded automatically by a number of tools (tools that don’t appear to cache artifacts between instantiations). Because of this, JUnit downloads are off the chart. If you average out the data, JUnit is being downloaded approximately once a second (across the entire month).
Nexus is for Sharing
One of our customers asked me for a presentation deck making a simple case for bringing Nexus into a development environment: what are the broad-stroke benefits of the repository from the perspective of the Enterprise? This video is that presentation. It doesn’t spend too much time enumerating a list of pro features. It focuses on the two core benefits: consuming OSS and internal sharing.
If you have five minutes and you are looking for something that might convince others in your organization, this video will be of use. Here’s the video “OSS and the Enterprise: How Nexus can Help” followed by a very brief summary:
A summary in four sentences:
- The Enterprise has shifted dramatically over the last decade and OSS has been a major force driving the evolution of Enterprise software development.
- As organizations have adopted OSS, developers have a new interest in consuming OSS and bringing some of the practices of OSS in-house.
- Nexus was designed to make it easier for you to support your developers’ interest in OSS consumption while giving you the necessary controls.
- Better yet, Nexus allows you to adopt the same mechanism for collaboration that is used by OSS projects.
In other words, it isn’t just about software.
Selecting OSS Components: Three Questions Answered by Nexus Pro
There are over 400,000 components in the Central repository including everything from servlet containers like Apache Tomcat to critical application infrastructure like Spring and Hibernate. When you are designing an application or trying to update an application’s dependencies, how do you choose which component to use?
Here’s an example of a decision you may have to make in the next few months. Assume you have the chance to use a newer version of Spring, evaluate Hibernate vs. iBatis, and adopt a new REST-friendly web framework. For each of these new and updated components you are going to have to ask yourself three questions:
- Which version of the library has the largest “install base”? It often doesn’t make sense to use the latest version of a component, especially if it is a major release. If you are looking to reduce risk, don’t code on the “bleeding edge” of technology. Use the most popular version of a component.
- Which version of the library is free of security vulnerabilities? The only thing worse than getting hacked is realizing that you got hacked because you weren’t paying attention to known vulnerabilities. If you are upgrading to a new version of a library, make sure it is secure.
- Which version of the library is compatible with your OSS license policy?
Nexus Professional 2.0.4 brings the answer to all three of these questions to the search results. Here are the search results showing the results for tomcat-catalina. We’ve combined popularity data from Central with security and licensing information.

Without the popularity data you might have just selected the latest version of the library, version 7.0.27, which has been available for 37d. If I were selecting components for an application, I would likely stick with Tomcat 7.0.25 based on the relative popularity of the artifact alone. 7.0.25 is, far and away, the most popular artifact of this group.
Sonatype’s Nexus Professional is the only product that incorporates popularity data directly from Central. If you are interested in using Nexus Professional to evaluate your dependencies, download a copy and start your trial today.
Now Available: Nexus OSS 2.0.4
Sonatype is pleased to announce the release of Nexus OSS 2.0.4. Nexus 2.0.4 OSS is available and ready for download immediately. If you are new to Nexus, or if you are an existing user, go to http://www.sonatype.org/nexus/go, click on the download button and get started.
Nexus OSS 2.0.4: A Focus on Usability
One of the common complaints we hear from new users is that it isn’t immediately obvious how to interact with the tool. How do you connect Maven or other build tools to it? What are the basic benefits to gain from integrating Nexus into your development infrastructure?
If you are new to repository management, a single, Google-style search field isn’t enough. You are looking for answers. In this OSS release, we’ve added some contextual help to the Welcome page as well as some links to new and existing resources for Nexus users.
For years we’ve tried to go out of our way to document the product: we have a free Nexus book and we maintain a knowledge base covering common tasks. We wanted to connect these resources with the initial Nexus experience, and to do that we’ve listed three popular getting-started pages from our Knowledge Base:
If you find our Knowledge Base useful, we encourage you to leave comments on existing articles or sign up and add a new article. We built our new support and knowledge base tools atop Zendesk and they complement our active community-oriented presence on GetSatisfaction.
Staying Connected to Nexus Updates
If you use Nexus OSS, we encourage you to sign up for the Nexus Newsletter. This is a low-volume mailing list for product and security announcements and a monthly newsletter highlighting new resources for Nexus users. If you depend on Nexus, you should be on this list to be the first to find out about relevant updates and security patches. To sign up for this list, click on the first link listed under Stay Connected, or click here and click on “Sign-up for Nexus Newsletter”.
Other resources on the Welcome page of Nexus are Twitter and the Sonatype Blog. Sonatype’s Twitter feed (@sonatypecm) is a steady stream of relevant blog posts, links, and retweets from the community, and our blog is focused on repository management. Our goal with this release is to make sure that every user understands that even Nexus OSS comes with a rich set of community support resources.
Please let us know if you have any feedback, concerns, or requests about our new effort to “forward-deploy” our documentation and support for Nexus.
Nexus OSS 2.0.4 Release Notes
Bugs
- [NEXUS-5024] – Problem reporting doesn’t work through http proxy
- [NEXUS-5032] – XSS vulnerability in /artifact/maven/resolve REST endpoint
Security and License
- [NEXUS-5028] – update embedded eula
- [NEXUS-5031] – Upgrade to latest Jetty 7.x to solve known denial of service security vulnerabilities
When you run Nexus: “It Just Works”
Here’s a message from Eric Kolotyluk, an active Nexus user who just upgraded his instance of Nexus and sent this message to the Nexus Users mailing list:
OK, I had to move my Nexus to a different server.
1. I installed the latest version of Nexus Pro on the new server.
2. I copied over sonatype-work from the old server to the new server.
3. I installed the license.
4. It just works.
Great work Sonatype for continuing to improve the ease of administration.
Cheers, Eric
Sonatype invests a huge amount of effort in unit testing, integration testing, and regression testing. Engineers are never pressured to sacrifice quality to meet a deadline, and our Engineering team goes out of their way to make sure that upgrades and installations are as straightforward as possible. It’s great to get feedback like this, especially when it contains one of the more famous Apple, Inc. slogans: “It just works”.
While this user had a seamless upgrade experience, we still recommend that everyone installing and upgrading Nexus read both the Nexus 2.0 Release Notes and the Nexus Upgrade Instructions.
