Any developer knows that you must have a source code repository (e.g. Git) but from time to time I get the question “why do I need a binary repository”?
Here is the short answer:
Faster and more secure software development – Any company is a software company these days and the best companies release updates on daily/hourly bases. The ability to push updates quickly is a real competitive advantage. The minute you have few engineers on your team you wish to avoid ‘fetching the all internet’ with every ‘npm install’.
A binary repo will give you the option to cache these libraries and make sure you are working with the correct ones (vs a hacked one). From the developer perspective, it is a big boost for their productivity as it saves time during development and on each build. Even better, from the DevOps perspective, the ability to control all the packages/libraries (and scan them for vulnerabilities) is a huge advantage. It enables the internal engineering team to control the releases better as they have full transparency (e.g. quality, performance, security, licenses, etc’) on everything the ‘compose’ the release version. Check the 12-factor app manifesto for more on dependencies (declaration and isolation).
Increase productivity – By sharing libraries and components from a central (and managed) location you bring order into the development cycles. These days, there are so many 3rd party libraries that you use in any project that you must have an effective way to manage them. A binary repository is a right tool for that. It will prevent different teams from using different libraries (e.g. 5 different libraries to parse JSON etc’) to the same tasks and will give you a better way to manage your policies, licenses, and deployments. You can manage your versions more effectively with such a repo due to the rich metadata that it contains on each package/library and artifacts.
Bottom line, using a binary repo will increase your product: Quality, Security and Velocity (=your ability to push updates in rapid speed).
Specific advantages that Artifactory offer:
- Scale – In the past 10 years Artifactory was serving some of the most demanding (and large) companies in the world. If you need it in the scale of Cisco, Netflix, Google, and others – It got you covered. It’s got multi-site replication and high availability as an integral part of the product.
- DevOps Toolset Integration – You got a mature CI/CD pipeline? Good. Since Artifactory is universal, it will connect with you pipeline and tech stack in minutes (not days). It is also a great way to empowers automation and start improving your current state of DevOps.
- Full Artifact Lifecycle – We know that most of your builds/artifact won’t be useful for a long period of time and there are many options to ‘clean’ and control the output of your development team. Without a central place to manage it, it will cost you time and money (e.g. wasted storage and a chaos when it comes to finding who is using which library for each project).
- Hybrid Solution – In case you need a solution for your on-premise site and the cloud. It’s already baked into the product.
- Advanced Storage Management – Since Artifactory is working with a check-sum base it knows to avoid duplicates. Every version of every library/artifacts will be kept only once. This is a not only saving storage but also time (and money) as it’s a more efficient way to work.
…and if you got so far…
Please see below how a combination of Artifactory with Xray can help you improve your security by 10x (or more).
Last but not least, here is an opposite version of this post: “12 Reasons You Don’t Need Software Artifact Management“. Maybe, it’s better from the opposite direction.