You’ve just finished developing a great piece of code; you saved your company a bunch of money by using open-source components to be faster and more efficient. Your colleagues admire you and treat you like a guru. So far so good!
A day later, you receive an email from legal, forwarded by your boss, telling you that you can’t use these 3rd-party libraries and that you’ll have to roll back and start all over again.
You feel like whacking your managers, you become oversensitive about your code, and you don’t want to work with these “suits” (buttoned-up managers) who understand nothing about writing code!
“When did they last write code? Was it C or COBOL they used? They really understand nothing about using OSS in their code.” BUT, guess what?! You’ll have to roll back and change it; no one will violate a license or ignore reported vulnerability issues for you…
So, you can kill your boss, or ask a question you probably don’t want to ask yourself: are you the problem here? Is there a way you can think, work and act as a developer and still get managers off your back?!
Guess what, there is!
For the last few years, we (JFrog) have been developing tools for developers. We started as an open-source shop with Artifactory as our flagship product and got really close to our community. We have always said that we “eat our own dog food”, and we envision a world in which software developers are served by their tools rather than struggling with or “working” for them. We developed quite a number of open-source plugins and integrated with the developer environment to ease his or her pain.
We even embedded a feature into Artifactory to help developers control and scan the licenses of the 3rd-party software they use during build time. Now we would like to take it beyond the developer tools stack. We want legal to be involved while we build our software, not after. We would like to give developers the power to control the development phase, not just from a quality point of view but also from the license and vulnerability perspectives. We picture a clean, “blessed” repository that has been “approved” by legal, in which developers can act freely, consume the binaries they need, and get all the information and required approvals while developing and not after.
To do so, from Artifactory 3.0 onward, we will provide integration with Black Duck, a well-known, trusted partner for open-source software adoption, management and governance. The integration between the two products offers developers an automated, non-invasive approach to initiating open-source component approvals, in addition to monitoring for security vulnerabilities that may be associated with specific binary components. License, security vulnerability and approval status, among other data, are pulled from the Black Duck Suite and delivered through the Artifactory repository solution, providing developers with critical information during the open-source selection process.
This integration supports all programming languages, provides governance for both open source and 3rd-party source and binaries, and scales beyond language-specific repository management approaches to meet the needs of global, distributed enterprises.
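The “blessed repository” idea above boils down to a policy gate: for each binary a build wants to consume, combine its license, approval status and known-vulnerability data and decide whether it may be used, needs legal review, or is blocked. The following is an added illustration of that gate and is not JFrog’s or Black Duck’s code; the license allowlist, the CVSS threshold, the component manifest and the advisory ids are all constructed for the example and are not real data or identifiers.

```python
"""Added example: a minimal license/vulnerability/approval policy gate.

This is illustrative code, not JFrog's or Black Duck's. It models the kind of
decision a "blessed" repository makes at build time from metadata a governance
suite reports for each component. All policy values and sample data below are
constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Policy knobs a legal/security team would own (constructed values).
ALLOWED_LICENSES = {"Apache-2.0", "MIT", "BSD-3-Clause"}
REVIEW_LICENSES = {"LGPL-2.1", "MPL-2.0"}  # usable only with explicit legal approval
MAX_CVSS = 7.0  # a known vulnerability at or above this score blocks the component


@dataclass
class Component:
    """Metadata of the kind a governance suite reports for one binary."""
    name: str
    version: str
    license: str
    approval: str  # "approved", "pending", "rejected" or "unknown"
    vulns: List[Tuple[str, float]] = field(default_factory=list)  # (advisory id, CVSS)


@dataclass
class Decision:
    component: str
    verdict: str  # "allow", "needs-review" or "block"
    reasons: List[str]


def evaluate(c: Component) -> Decision:
    """Apply the policy to one component; blockers win over review notes."""
    blockers: List[str] = []
    notes: List[str] = []
    for advisory, score in c.vulns:
        if score >= MAX_CVSS:
            blockers.append(f"{advisory}: CVSS {score} >= {MAX_CVSS}")
        else:
            notes.append(f"{advisory}: CVSS {score} (below block threshold)")
    if c.license not in ALLOWED_LICENSES | REVIEW_LICENSES:
        blockers.append(f"license {c.license} is not on the allowlist")
    if c.approval == "rejected":
        blockers.append("rejected by legal")
    if blockers:
        return Decision(c.name, "block", blockers)
    if c.approval != "approved":
        # Not blocked, but legal has not signed off yet: surface it to the developer now.
        notes.append(f"approval status is {c.approval!r}")
        if c.license in REVIEW_LICENSES:
            notes.append(f"license {c.license} requires legal sign-off")
        return Decision(c.name, "needs-review", notes)
    return Decision(c.name, "allow", notes)


def gate(components: List[Component]) -> Dict[str, Decision]:
    """Evaluate a whole build manifest, keyed by component name."""
    return {c.name: evaluate(c) for c in components}


def build_may_proceed(components: List[Component]) -> bool:
    """True only when nothing is blocked; pending reviews do not stop a dev build."""
    return all(d.verdict != "block" for d in gate(components).values())


# Constructed sample manifest; advisory ids are placeholders, not real identifiers.
SAMPLE = [
    Component("commons-foo", "1.2.0", "Apache-2.0", "approved"),
    Component("libbar", "0.9.1", "LGPL-2.1", "pending"),
    Component("badlib", "2.0.0", "GPL-3.0-only", "unknown"),
    Component("oldlib", "1.0.0", "MIT", "approved", [("ADVISORY-PLACEHOLDER-1", 9.8)]),
    Component("newlib", "3.1.0", "MIT", "approved", [("ADVISORY-PLACEHOLDER-2", 4.3)]),
]

if __name__ == "__main__":
    for d in gate(SAMPLE).values():
        print(f"{d.component:12} {d.verdict:12} {'; '.join(d.reasons)}")
    print("build may proceed:", build_may_proceed(SAMPLE))
```

The design choice worth noting is the three-way verdict: a hard block for license or vulnerability violations keeps the build from shipping something legal will later veto, while “needs-review” lets the developer keep working and start the approval conversation during development rather than after it, which is the point of the integration described above.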
Sometimes a common ground isn’t enough; you need a tool that helps you communicate with your organization better. I’m one of those managers; I know we don’t speak “developish,” and I hate nagging my team to make sure they have followed all the procedures. I know that in-house at JFrog we will use this integration, and nothing makes me feel better than getting off my developers’ backs while they code!
Enjoy Artifactory, Enjoy Black Duck, Enjoy the integration, Enjoy your work!