13 – Artifact Repositories

Last episode recap

  • In the last episode, we discussed the Sarbanes-Oxley law and how it impacts publicly traded companies, what regulatory controls have to be in place for a company, and what the impact is for non-compliance or fraud.

Summary of this episode

  • In this episode, we are going to discuss where you should store your compiled or “built” artifacts. The tools that do this are referred to as binary repositories or artifact repositories. We will discuss the types of repos that you can create, what artifact types you can store, and the security features of each of the tools.

Episode Content
What’s in it for you?

  • After listening to this episode, my hope is that you will have a better understanding of what a binary repository is and what it is used for, as well as some of the capabilities of two of the offerings in the industry.

What is a binary repository?

  • A binary repository is simply a place to store your compiled or “built” artifacts. Some people have in the past used shared network drives or a folder on their laptop. These are not optimal solutions, since a single item or the whole folder can be deleted by accident.

What can you put in it?

  • There is no limit to the items that can be uploaded to a binary repository. Simple rule of thumb: no uncompiled or unpackaged source code should be uploaded to a binary repo.

What are the types of repositories that you can use?

  • Release – releasable artifacts, ready for installation into an environment
  • Snapshot – used for builds that are done on a set schedule (daily, hourly, etc.)
  • Dependency – used to hold artifacts that your build needs to complete successfully but that may not be readily available from another source.
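The release/snapshot split above is something the build tool can enforce for you. As an added example (not from the episode, and not configuration from Nexus or Artifactory themselves), this is the distributionManagement section of a Maven pom.xml that publishes to two hosted repos: versions ending in -SNAPSHOT go to the snapshot repo, every other version goes to the release repo. The host repo.example.com and the repository names are placeholders; substitute your own instance.

```xml
<project>
  <!-- ... groupId, artifactId, version, etc. ... -->

  <distributionManagement>
    <!-- Releasable artifacts: ready for installation into an environment.
         Maven uses this repo for any version that does NOT end in -SNAPSHOT. -->
    <repository>
      <id>internal-releases</id>
      <name>Internal release repository (placeholder name)</name>
      <url>https://repo.example.com/repository/maven-releases/</url>
    </repository>

    <!-- Scheduled builds (daily, hourly, etc.).
         Maven uses this repo for any version ending in -SNAPSHOT. -->
    <snapshotRepository>
      <id>internal-snapshots</id>
      <name>Internal snapshot repository (placeholder name)</name>
      <url>https://repo.example.com/repository/maven-snapshots/</url>
    </snapshotRepository>
  </distributionManagement>
</project>
```

The id values are matched against server entries in settings.xml, which is where the deploy credentials live, so no secrets end up in the pom.xml. On the repository side, configure the release repo to refuse re-uploads of an existing version; a released artifact that can be silently replaced is no longer something you can point an environment at with confidence.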

What are the major binary repositories?

  • Sonatype Nexus
  • JFrog Artifactory

What are remote proxies in a binary repository?

  • Remote proxies are typically sites hosted internally to your organization that point to an external site. This is usually done to add a layer of security in front of sites whose content you cannot verify has been properly secured. Here are some examples:
  • Maven central
  • npm
  • docker hub
  • etc…
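Pointing builds at the proxy instead of the public site is done on the client side, not in the repository. As an added example (not from the episode, and not vendor configuration), this Maven settings.xml declares the internal proxy as the mirror for every remote repository, so a build cannot reach Maven Central or any other external repo directly, even if a pom.xml declares one. The URL is a placeholder for your own Nexus or Artifactory instance.

```xml
<settings>
  <mirrors>
    <!-- Route every remote repository request through the internal proxy.
         mirrorOf="*" covers Maven Central plus any <repository> a pom.xml
         adds on its own, so no build pulls straight from the internet. -->
    <mirror>
      <id>internal-proxy</id>
      <name>Internal proxy of Maven Central (placeholder URL)</name>
      <url>https://repo.example.com/repository/maven-public/</url>
      <mirrorOf>*</mirrorOf>
    </mirror>
  </mirrors>
</settings>
```

With mirrorOf set to central only, a pom.xml could still add a second repository that bypasses the proxy; * closes that gap. This is also what makes the add-on scanners (Nexus Firewall, JFrog Xray) effective, since they can only inspect what passes through the repository.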

What security tools come with the binary repository?

  • Nexus Firewall – add-on product (has a cost)
  • JFrog Xray – add-on product (has a cost)

What are some of the similarities of the 2 vendor tools?

  • They both allow you to upload various types of artifacts.
  • They both have download mechanisms for existing artifacts.
  • They both support release and snapshot repos.
  • They both can maintain a dependency repo for internal artifacts needed by builds.
  • They both support versioning and tagging of artifacts.

What are some of the differences?

  • They store artifacts on disk in different ways.
  • They store metadata in slightly different ways.

What are the pros of each tool?

  • Nexus has a built-in capability around Maven Central, since Sonatype maintains Maven Central itself.
  • In my experience, JFrog Artifactory was the first to support all the different flavors of remote proxies, but both currently support the majority.

What are the cons of each tool?

  • Confusing documentation on both parts. I have experienced random documentation updates in the middle of an installation that required that I re-do part of the work I had just completed.

Recap of this episode

  • In this episode, we discussed what binary repositories are, what you can store in them, what the similarities are between the products, and some of the differences.

Next Episode: Wyze home automation hardware review