Resources Blog Selecting OSS Software: 10 Questions Answered for Sonatype ...

Selecting OSS Software: 10 Questions Answered for Sonatype Nexus

Last month there was an article on TechRepublic entitled "10 questions to ask when selecting open source products for your enterprise". As both a consumer and producer of open source enteprise software, I thought that this list of questions captures the areas that people should be thinking about when they are selecting a technology. Open source technology selection is about much more than just feature comparison. When you are selecting an open source technology, you have to think about licensing issues, the scope of the supporting community, and open source governance models. Since we've been talking a lot about Nexus, I wanted to summarize our efforts by answering these questions for potential users. If you're trying to decide what repository manager to use in your organization I hope that the answers to these questions help you make an informed decision.

1. Are the open source license terms compatible with my business requirements?

There are many possible things to consider here but, I believe, the primary points to consider for an OSS application are:

  • Can I extend as necessary? Is there anything about the license that is going to prevent me from extending the product or fixing a problem?
  • Is there going to be someone around to support the product long-term? Is the license going to provide a way for the organization backing the project to survive well into the future?

We thought for a long while before selecting the GNU Public License (GPL) for Nexus and we made it clear right from the start why we chose the GPL. We knew that we would invest heavily in Nexus. Even though the people involved with Sonatype are traditionally users of Apache style licenses, we didn't know how our business would evolve and we wanted to choose a license that would offer adequate protection for that investment. We were honest and upfront about it. We chose a more restrictive license first this allows us to adapt and use a less restrictive license in the future if we think it is appropriate for the community.

If you are considering software for an enterprise then you want there to be a supporting company, or companies, and the business model of the supporting company is important because you want them to be around for a while. GPL gives us some way to protect our investment, and it allows our end-users to extend and customize an open product.

2. What is the strength of the community?

The people working at Sonatype are the key people in the Maven, Nexus, and m2eclipse projects. Community work is an essential part of the everyday work of each of our developers. While we focus on creating great software, many of the libraries and tools we use are produced within the Maven community - an ecosystem that encompasses several commercial participants, approximately 20 core developers, and millions of users. Nexus Professional helps to maintain the Central Maven repository which is used by millions of developers world-wide.

One of the core goals of the Nexus project is to strengthen the technical infrastructure of the community it supports. This technical symbiosis is evident in the work that Brian Fox, our VP of Engineering, has been doing to help manage important OSS repositories. We are currently working with organizations and companies including Alfresco, Apache, Atlassian, Codehaus, ExoPlatform, Glassfish, Open QA, Scala-Tools, and JBoss to support the creation of quality artifact repositories that feed into the Central Maven repository. This Central Maven repository is the central collaboration point for the entire world of Java developers. In addition to working with the main feeder repositories, there is also an instance of Nexus available to any open source project that wishes to take advantage of the services available at We already have a large number of projects using this service and it's growing by the day.

Nexus is also at the center of an effort to unify disparate languages and technologies on a single repository platform. Our recent efforts to support RubyGems, OBR, and P2 repositories are attempts to unify disparate communities into a single community supported by a platform which favors interoperability.

3. How well is the product adopted by users?

Going back to the previous answer, the adoption of Nexus is something that is evident in the number of OSS "forges" that have selected Nexus. At virtually every important OSS forge there is now an instance of Nexus running, and Nexus has been integrated into the software release process. Nexus is also used to help Maven Central as well which is the largest public artifact repository in the world. Nexus has rapidly become the de facto standard for artifact repository management.

Another data point that reflects adoption by users is the number of times a user will answer a support question on a public list. On the Nexus IRC channel and Nexus user mailing list, we've noticed a trend over the past few months where non-Sonatype employees are starting to answer user questions about Nexus without any involvement from the Nexus development team. This community involvement in the support process is a sign that Nexus users are not just installing the product and going away, they are starting to become productive and active members of the community that surrounds Nexus.

4. Can I get a warranty or commercial support if I need it?

Of course. Sonatype provides professional support for our commercial Nexus offering. When you purchase Nexus Professional you get one year of support which includes commitments to turn-around time for solving critical issues. Nexus Professional users are also given dedicated channels that they can use to communicate directly with the Nexus team. Sonatype currently offers enterprise-level support to some of the largest companies in the world, and this support is built into the product.

For Nexus Open Source we are very responsive to users on our mailing list, and we are constantly available on an IRC channel to answer any questions from users who have any questions for us.

5. What quality assurance processes exist?

Sonatype is fanatical about quality. We are so committed to quality that we'll delay our software releases indefinitely if they don't meet our strict quality assurance procedures. We'd rather release nothing than release software before it is ready because we know how frustrating it is to use software that feels like it is half completed. If you don't take our word for it, take a look at our issue tracker's release notes for the 1.4.0 release to get a feel for the level of detail you can expect from us with a release. Nexus has, without a doubt, the best QA process for any of the repository manager that exists. You only need to look at our unit tests, integration tests, and full manual regression test suite to get an idea of how stringent we are.

While our internal development process revolves around quality, sometimes the only way to really shake out the bugs is to run your product in a production environment. Sonatype has the great benefit of running Nexus on the most active OSS forges in the world. We run Nexus instances for open source projects that serve gigabytes of artifact data every day, and we often find problems with Nexus long before our users even had a chance to notice. Our product also ships with automatic error detection and error submission mechanisms that will communicate problems to our support staff as they happen in the field. We are proactive about finding problems before our users and customers.

6. How good is the documentation?

Sonatype views documentation as a key differentiator. "Repository Management with Nexus" is a free book, available on the web, as a PDF download, or as a printed book from This 325-page book contains 19 chapters and five appendices that detail every facet of Nexus Open Source and Nexus Professional. Complete with an introduction to the concepts and motivation behind repository managers, this book is a comprehensive reference. The Nexus book is available from:

7. How easily can the system be customized to my exact requirements?

Nexus follows the Open Core principle where we have a solid kernel that is extended by plug-ins. We have many OSS and commercial users who have extended Nexus and we are trying to make that even easier to do. Damian Bradicich, one of our core developers, wrote a blog recently about our efforts to make developing Nexus plugins simple. We're focusing on ways to make it even easier to start a Nexus plug-in project, and develop and debug these plugins inside Eclipse.

Nexus, as a platform, is about as extensible as it gets. We've designed the system to be agnostic about the types of artifacts is manages, and you could extend it to manage, index, and distribute any kind of binary artifact. It really wouldn't even need to be limited to software. We've considered developing some proof of concept demonstrations to show people how Nexus could be used to store, index, and distribute audio and video content using the extensible RDF metadata capabilities to store metadata and the customizable UI to present multimedia content. The point isn't that you would ever need to do this, it is to prove that Nexus could be customized to satisfy any requirements you could throw at it.

8. How is this project governed and how easily can I influence the road map?

The Sonatype development team includes a number of key participants in the Maven community. We're very familiar with the importance of open source governance models because we're actively involved in one of the most active and open communities in open source. Even though Nexus is a Sonatype project, we appreciate the need to adhere to the core values of other successful open source project. First and foremost, the project is run as a meritocracy, good ideas trump status and hierarchy. Second, we value transparency for the Nexus Open Source project, and we understand the need to adhere to a common set of policies and procedures to make it easier for external contributors to contribute and participate.

The Nexus project currently includes four external developers who have contributed enough to the project to merit commit rights to the source repository. If you are motivated enough to volunteer and contribute your time to this open source project, we welcome your contribution.

9. Will the product scale to my enterprise’s requirements?

If you are talking about scalability in terms of number of users or projects using Nexus, there is no greater proof than the fact that Nexus is used to manage two of the largest feeder repositories for the Central Maven repository. Nexus is used to manage the Apache release and snapshot repositories and the Codehaus repositories. Both of these projects approximate the largest corporate environments in the world with thousands of developers distributed across the globe, enterprise LDAP servers, and a high volume of requests from clients requesting artifacts.

Nexus was designed, from the beginning, to meet the requirements of global-scale open source development.

10. Are there regular security patches?

Sonatype tends to make a point release of Nexus once every month. We're currently about to cut the 1.5 release of Nexus, and, with every release, we fix a number of bugs that have been uncovered by our testing procedures. Because we run some of the highest profile repositories on the internet, we are constantly patching Nexus to meet security issues that most of our customers would never need to worry about. We've dealt with distributed denial of service attacks and other security issues as part of maintaining the central maven repository. Nexus is battle tested and secure.

Picture of Jason van Zyl

Written by Jason van Zyl

Jason is a co-founder and the former CTO of Sonatype.