Repository Management with Nexus


2.3. Repository Management

Repository Management is a critical practice that is part of your Component Lifecycle Managment implementation. Without repository management your component usage is effectively out of control and cannot be governed and managed. This makes it impossible to track security, license, and quality issues you are exposed to due to the components you use from your source code through your build environments and releases to production usage.

Repository managers serve two purposes: they act as highly configurable proxies between your organization and the public repositories and they provide an organization with a deployment destination for its own generated artifacts. Just as Source Code Management (SCM) tools are designed to manage source artifacts, repository managers have been designed to manage and track external dependencies and artifacts generated by your build. They are an essential part of any enterprise or open-source software development effort, and they enable greater collaboration between developers and wider distribution of software.

2.3.1. Proxying Public Repositories

Proxying and caching a remote public repository can speed up your builds by reducing redundant downloads over the public Internet. If a developer in your organization needs to download version 2.5 of the Spring Framework and you are using Nexus, the dependencies (and the dependency’s dependencies) only need to be downloaded from the remote repository once.

With a high-speed connection to the Internet this might seem like a minor concern, but if you are constantly asking your developers to download hundreds of megabytes of third-party dependencies, the real cost savings are going to be the time it takes Maven to check for new versions of dependencies and to download dependencies over the public Internet.

Proxying and serving Maven dependencies from a local repository cache can save you hundreds of HTTP requests over the public Internet, and in very large multi-module projects, this can shave minutes from a build.

2.3.2. Managing Releases and Snapshots

If your project is relying on a number of snapshot dependencies, Maven will need to regularly check for updated versions of these snapshots. Depending on the configuration of your remote repositories, Maven will check for snapshot updates periodically, or it might be checking for snapshot updates on every build. When Maven checks for a snapshot update it needs to interrogate the remote repository for the latest version of the snapshot dependency. Depending on your connection to the public Internet and the load on the Maven Central repository, a snapshot update can add seconds to your project’s build for each snapshot dependency you rely upon.

When you host a local repository proxy with Nexus, you reduce the amount of time it takes for Maven to check for a newer version as your build interacts with a local repository cache. If you develop software with snapshot dependencies, using a local repository manager will save you a considerable amount of time, as your 5-10 second snapshot update checks against the public Central Repository are going to execute in hundreds of milliseconds (or less) when they are executed against a local resource.

2.3.3. Getting Control of Dependencies

In addition to the simple savings in time and bandwidth, a repository manager provides an organization with control over what is downloaded by Maven. You can include or exclude specific artifacts from the public repository, and having this level of control over what is downloaded from the Maven Central repository is a prerequisite for many organizations which have a need for strict standards for the quality and security of the dependencies used in an enterprise system.

If you want to standardize on a specific version of a dependency like Hibernate or Spring, you can enforce this standardization by only providing access to a specific version of an artifact in Nexus. You might be concerned with making sure that every external dependency has a license compatible with your legal standards for adopting and integrating open source libraries. If you are producing an application which is distributed, you might want to make sure that no one inadvertently adds a dependency on a third-party library covered under a copy-left license like the General Public License (GPL). All of this is possible with Nexus.

Repository managers are a central point of access to external binary software artifacts and dependencies upon which your systems rely. Nexus provides a level of control that is essential when you are trying to track and manage the libraries and frameworks your software depends upon.

2.3.4. Nexus for Collaboration

Aside from the benefits of mediating access to remote repositories, a repository manager also provides an important platform for collaborative software development. Unless you expect every member of your organization to download and build every single internal project from source, you will want to provide a mechanism for developers and departments to share binary artifacts (both snapshots and releases) for internal software projects. Internal groups often consume the APIs and systems which are generated by other internal groups. When you adopt Nexus as a deployment platform for internal artifacts, you can easily share components and libraries between groups of developers.

Nexus provides you with a deployment target for your software components. Once you install Nexus, you can start using Maven to deploy snapshots and releases to internal repositories, which can then be combined with other repositories in repository groups. Over time, this central deployment point for internal projects becomes the fabric for collaboration between different development teams and operations. Nexus is the secret ingredient that allows an organization to scale its development effort without sacrificing agility.