Over the past few years, we’ve talked to thousands of organizations using open source as part of their application development process. In fact, our research indicates that 92% of applications contain open source components. Many of these organizations store their open source binaries in JFrog Artifactory to ensure immutability and a consistent way to distribute and share them across the organization.
As open source has become the de facto modern development platform, it has brought with it a blessing (huge productivity boost 😊) but also a curse (maintenance and security headaches 🤕).
In fact, when we ask developers about the biggest challenges they have managing their open source usage, the top three answers are remarkably consistent.
- Maintenance: whose job is it to take care of this stuff? Is it mine?
- Security: who keeps it secure, so our organization and customer data aren’t compromised?
- Licensing: can we use this project without risking legal trouble?
Many organizations are already using the JFrog Platform to manage their open source binaries and take full advantage of the productivity boost that open source provides. They use JFrog Xray to ensure that developers are aware of security issues in their binaries as they are detected and published. But for customers who want more than detection, over the past several months, Tidelift and JFrog have been collaborating on a new way to help development teams more effectively address the maintenance, security, and licensing challenges that come with open source.
Tidelift’s unique approach to addressing these challenges is to partner directly with the independent maintainers behind a broad range of community-led open source projects to ensure that they meet comprehensive maintenance, security, and licensing standards.
This creates the ideal alignment between the users of open source packages and the best experts you could hope to enlist—the actual open source contributors who maintain that software, and often created it in the first place. Because maintainers are paid a reliable income for their ongoing work on behalf of Tidelift’s subscribers, they can dedicate their efforts towards keeping their software enterprise ready.
Recently, we announced that the Tidelift Subscription is now integrated with JFrog Artifactory, the universal repository and core of the JFrog Platform. Now, organizations using open source to develop their applications can be confident that—thanks to the work done by Tidelift and our maintainer partners behind the scenes—the components they are using will “just work” without having to leave their existing Artifactory workflow.
Imagine if your developers had access to catalogs of known-good, issue-free open source packages and versions—across the entire organization. With the combination of JFrog Artifactory and the Tidelift Subscription, your organization will be able to develop applications faster, spending less time managing security issues and build fails, and achieve overall better software integrity.
Want to see it in action? Here’s a brief walkthrough of how the Tidelift Subscription integrates with JFrog Artifactory.
How the Tidelift Subscription and JFrog Artifactory work together
Tidelift has created an Artifactory user plugin for self-managed instances, which can be used by Tidelift customers to integrate their customized open source catalogs into JFrog Artifactory. This will help organizations determine which of the thousands of artifacts in Artifactory are blessed for use by their developers, and prevent developers from using package releases that have been identified as “bad” (e.g. those that are vulnerable, unmaintained or deprecated, or using disallowed licenses) earlier in the development lifecycle.
The Tidelift plugin creates a property called tidelift.status on artifacts in Artifactory and sets it to approved or denied according to that release’s status in your organization’s catalog.
Ultimately, developers will be prevented from using “bad” package releases as early in the process as possible: when they attempt to download the artifact. Tidelift will prevent any package release with a tidelift.status = denied from being downloaded to a local workstation, thereby ensuring that developers are always working with safe package choices.
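As an added illustration (not Tidelift’s plugin or JFrog’s code), the sketch below shows how an Artifactory user plugin can enforce that property at download time: it reads tidelift.status and refuses to serve a release marked denied, logging the refusal so the block is visible to operators. The DSL names (download.altResponse, repositories.getProperty, the status/message context variables, log) are assumed here from JFrog’s user plugin API; the file name, property-less fallback and messages are constructed.

```groovy
// tideliftGate.groovy (constructed name): illustrative Artifactory user plugin.
// Assumption: tidelift.status has already been set on each artifact (the post
// says the Tidelift plugin does this); this hook only enforces the verdict.
import org.artifactory.repo.RepoPath

final String STATUS_PROP = 'tidelift.status'

download {
    // altResponse lets a plugin replace the download response; setting an
    // error status here means the artifact bytes are never sent to the client.
    altResponse { request, RepoPath responseRepoPath ->
        String verdict = repositories.getProperty(responseRepoPath, STATUS_PROP)
        if (verdict == 'denied') {
            // Refuse the download and leave an audit trail in the Artifactory log.
            log.warn("Blocked download of ${responseRepoPath} (${STATUS_PROP}=denied)")
            status = 403
            message = "Release ${responseRepoPath.name} is denied in your " +
                      "organization's Tidelift catalog; pick an approved version."
        } else if (verdict == null) {
            // No verdict recorded: fail open, matching the post's description that
            // only denied releases are blocked. A fail-closed variant would set
            // status = 403 here as well (assumption, not described on the page).
            log.debug("No ${STATUS_PROP} on ${responseRepoPath}; allowing download")
        }
    }
}
```

Deployed to the instance’s user plugin directory, the hook applies to every download, so a denied version fails for a workstation and a CI runner alike.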
What does it look like?
This screenshot from the Tidelift web application shows two package releases for the popular npm package Prettier. One release is approved, and the other is denied.
With the help of Tidelift’s Artifactory integration, an organization can now bring the approved-list and denied-list of package releases directly into the Artifactory workflow. The screenshot below shows JFrog Artifactory, including the .tgz file for one release of the Prettier package. It also shows a tidelift.status of denied, which is pulled in from the organization’s catalog by the Tidelift plugin.
This information ultimately reaches developers on the command line when they try to install a “bad” package release. For example, should a developer attempt to use this denied version of Prettier, they will receive the following error:
The developer can then use Tidelift’s command line tooling to identify the best version of Prettier to use so that they can get on with their work!
Read the full documentation about the integration here.
Upcoming Tidelift + JFrog webinar: Best practices for managing your open source artifacts
Join us for a joint Tidelift and JFrog webinar on October 7 at 10:30 a.m. PT / 1:30 p.m. ET as JFrog senior product manager Mark Galpin and Tidelift product manager Keenan Szulik share the latest best practices organizations can use to manage their open source dependencies well.
During this short, 30-minute webinar, we’ll show you how the Tidelift Subscription integrates with JFrog Artifactory to make it possible to manage open source components without leaving the Artifactory workflow.
You can register here, or by filling out the form below.