As leaders of organizations, innovators of technology, and practitioners of continuous development, we must understand the constant changes in the industry to better suit the needs of the business and of our customers.
The role of modern software development has evolved. Developers, IT operations, quality engineering, and security teams have embraced new technologies and cultural shifts to accelerate time to market and identify efficiencies in building applications. Teams who adopt best practices and invest in the right tools, at each phase of the software development life cycle (SDLC), enhance their overall productivity and ROI to meet business goals faster. At Sonatype, we specialize in helping organizations build better, faster software more securely without slowing down innovation. Having the privilege to partner and work with some of the top leading brands, we understand the journey to achieve this mission can be challenging without having a cohesive strategy across the entire software supply chain.
The following material is meant to be a guide for understanding the differences in the marketplace when it comes to source code management and git repositories, application-level building and code repositories, and ultimately open source governance. At a foundational level, we will begin by discussing Sonatype Nexus Repository and an evolving landscape of package and dependency management tools. For the purposes of this writing, we will focus on market trends and the benefits of formulating a strategy for both business and functional objectives. At a conceptual level, Sonatype's Educational Foundations Guide to Package and Dependency Management delivers a deep-dive review of the role of package managers in modern software development, the key components of application-level dependency managers, and how universal package managers (i.e. binary repositories, such as Sonatype Nexus Repository) differ from source control management tools (i.e. source code repositories, such as GitHub or Azure Git Repos).
There has been a lot of conversation recently about Microsoft and their Azure DevOps platform. It is no secret that the large enterprise has placed big bets on open source software (OSS), the biggest being the acquisition of the popular code-repository and collaboration service GitHub two years ago. This news was met with excitement by many, giving validation to the emerging market of open source software and modern development practices, which Sonatype has been a leader in pioneering. Addressing some of the most frequently asked questions our teams hear, the following points will provide further context later on when discussing a cohesive strategy from git to governance for software supply chain automation.
Formerly named Visual Studio Team Services (VSTS) and Team Foundation Server (TFS), Microsoft rebranded their decade-old products to Azure DevOps Services and Azure DevOps Server. VSTS is an extension of Visual Studio, Microsoft's integrated development environment (IDE), which was primarily developed for enterprise teams building Windows applications. The Azure DevOps platform includes five different products and services, two of which are Azure Repos and Azure Artifacts.
It is critical for organizations to manage the flow of open source software through development and source code repositories, into packages and CI/CD pipelines, and eventually into production applications. Every technology company's goal of deploying safe and reliable solutions to customers depends on its ability to effectively manage and control open source components across the entire software supply chain.
Azure Repos, similar to GitHub source code repositories, gives development teams git-level public and private repositories, the ability to create pull requests, and collaboration on code review. Source control (or version control) management (SCM) is the foundation for DevOps.
Azure Artifacts is Microsoft's integrated package manager for binaries and build artifacts. As the more direct comparison to Nexus Repository, Azure Artifacts gives teams the ability to manage dependencies to ensure the immutability of open source components and third-party libraries in production applications.
When narrowing the focus to binary repositories at the functional level, it is important to understand the differences between Sonatype Nexus Repository and Azure Artifacts as a single source of truth across each phase of the SDLC, especially if organizations and teams have an interest in "moving everything to Azure DevOps." Going to our very own source of truth, the following key strengths, in the voice of our customers, describe why organizations and teams continue to choose Sonatype Nexus Repository:
Universal support for all major package formats, build tools and CI servers. Sonatype Nexus Repository is a true universal binary repository that supports a rich set of integrations, REST APIs and all popular formats. Azure Artifacts supports only Maven, npm, NuGet, and Python formats.
Advanced Enterprise Management with active/active high availability, dynamic storage, and container image and docker support.
Robust Performance for large file uploads, caching, and custom metadata tagging for faster build times and increased speed-to-market.
Open Source Community of developers, integrations and plugins with over 10 million Sonatype Nexus Repository users.
Nexus Repository delivers advanced binary management and supply chain performance with a rich set of integrations across all popular build tools. The open source community of Sonatype Nexus Repository developers continues to impact over 10 million users and 100,000 organizations globally.
Sonatype recognizes Microsoft's strategic move to acquire GitHub, rebrand its DevOps platform, and consciously move away from positioning Azure as the platform for only .NET and Windows applications. Microsoft will continue to invest in open source software while bringing the source code projects and GitHub repositories closer to the ultimate objective of Azure compute services.
Our core principles at Sonatype to build and deliver supply chain automation to organizations across every phase of the SDLC have not changed. Sonatype Lifecycle now integrates with Azure DevOps to secure software supply chains in the cloud. With 21,000 new open source releases happening every day, businesses are challenged by managing the quality and policies of open source components from development to delivery. As DevOps teams scale, it is critical to rely on precise intelligence about the quality of open source components within applications. Nexus Lifecycle delivers the most precise intelligence on open source components regarding security vulnerabilities, license risks, and architectural quality directly within Azure DevOps.
"The data quality is really good. They've got some of the best in the industry as far as that is concerned. As a result, it helps us to resolve problems faster. The visibility of the data, as well as their features that allow us to query and search - and even use it in the development IDE - allow us to remediate and find things faster."
- Russell Webster (Financial Services), IT Central Station Review
An organization must exceed, or at least keep pace with, industry innovation. It must adapt to the exponential growth of open source component use and "shift left" while monitoring the entire SDLC. What is the best course of action and long-term strategy to manage these demands?
The key strategy to achieve these objectives is a best-of-breed system: flexibility, depth of capabilities, and deeper intelligence.
As Microsoft continues to align its platform offerings to drive additional consumption of Azure storage and compute services, and pushes towards standardizing on Azure DevOps, it is important to realize the effects of centralized command and control. As the pendulum swings from over-rotated centralization to federated business units, development teams and tools can become the Wild West: teams may adopt several different open source tools if they can create a compelling business case to support them. This creates friction and reduces overall efficiency within an organization.
Sonatype Nexus Repository provides a robust, truly universal binary repository with the flexibility to integrate into several CI/CD pipelines. Sonatype Lifecycle delivers deep intelligence and policy enforcement with the ability to support more than just one vendor. Industry needs are met with the specialized functionality that can monitor and govern multiple tools and systems across the entire software development life cycle. When considering the risks of standardization across several different business units, make sure the right questions are asked to achieve successful open source governance at scale.