As a long-time conference attendee and sometime speaker, I always get excited for Red Hat Summit. Maybe it's because I have always admired Red Hat as a company and have been a fan of many of their technology solutions, or maybe it's because I often see a lot of folks I know.
This year is exciting for me, because in my new role at Sonatype I help manage our emerging relationship/partnership with Red Hat, and we have some exciting things to share. SPOILER ALERT: Be on the lookout for a press release announcing Sonatype Nexus Repository is recognized as a certified OpenShift solution.
Perhaps most importantly, though, I'm excited about our emerging partnership with Red Hat because our two companies share a passion for software hygiene. At Sonatype, the leader in software supply chain automation, we are intensely focused on helping our customers choose, and use, only the best open source components from the best open source projects.

A few years ago, our CEO, Wayne Jackson, authored a paper entitled Open Source Needs Help. It was the first quantitative assessment of the software ecosystem that we knew of at the time. In assessing the ecosystem, we focused on mean time to remediate (MTTR): how long it took projects to fix known security issues, whether in their own code or in one of their dependencies. The results were illuminating, and the summary is as follows. On average, projects needed approximately 300 days to fix these issues. If we looked at just level 10 defects (as bad as it gets), the average dropped to 224 days. Not good, and why we felt open source needed help. But the real story here was a statistical outlier in JBoss. Their remarkable attention to these issues produced an incredible MTTR of less than (Read more...)
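To make the MTTR metric concrete, here is an added example (not code or data from the Sonatype paper) that computes it over a small set of constructed issue records: overall, filtered to the most severe defects, and per project so that an outlier like the one described above stands out. It assumes a 0-10 numeric severity scale for "level 10", and it treats issues that are still open as a separate case, since an unfixed issue has no remediation time yet and silently dropping it would make a project look better than it is.

```python
from datetime import date
from statistics import mean

# Constructed sample records (not data from the paper). fixed=None marks an
# issue that is still open on the measurement date.
SAMPLE_ISSUES = [
    {"project": "lib-a", "severity": 10, "disclosed": date(2012, 1, 10), "fixed": date(2012, 8, 21)},
    {"project": "lib-a", "severity": 5,  "disclosed": date(2012, 3, 1),  "fixed": date(2013, 3, 1)},
    {"project": "lib-b", "severity": 10, "disclosed": date(2012, 6, 1),  "fixed": date(2012, 6, 15)},
    {"project": "lib-b", "severity": 7,  "disclosed": date(2012, 9, 1),  "fixed": date(2012, 9, 29)},
    {"project": "lib-c", "severity": 10, "disclosed": date(2012, 2, 1),  "fixed": None},
]

# Date on which the measurement is taken (constructed).
AS_OF = date(2013, 1, 1)


def days_to_remediate(issue, as_of):
    """Days from disclosure to fix. For an open issue this is the age so far,
    which is a lower bound on the eventual remediation time, not the answer."""
    end = issue["fixed"] if issue["fixed"] is not None else as_of
    return (end - issue["disclosed"]).days


def mttr(issues, as_of, min_severity=0, include_open=False):
    """Mean time to remediate in days over issues at or above min_severity.

    By default only fixed issues count. With include_open=True, open issues
    contribute their current age, which biases the mean downward but at
    least keeps long-unfixed issues from vanishing from the metric.
    Returns None when nothing qualifies.
    """
    durations = [
        days_to_remediate(i, as_of)
        for i in issues
        if i["severity"] >= min_severity and (include_open or i["fixed"] is not None)
    ]
    return mean(durations) if durations else None


def mttr_by_project(issues, as_of, min_severity=0):
    """Per-project MTTR over fixed issues, to spot outliers in either direction."""
    projects = sorted({i["project"] for i in issues})
    return {
        p: mttr([i for i in issues if i["project"] == p], as_of, min_severity)
        for p in projects
    }


if __name__ == "__main__":
    print("overall MTTR (fixed only):", mttr(SAMPLE_ISSUES, AS_OF))
    print("level-10 MTTR (fixed only):", mttr(SAMPLE_ISSUES, AS_OF, min_severity=10))
    print("level-10 MTTR (open counted at age):",
          mttr(SAMPLE_ISSUES, AS_OF, min_severity=10, include_open=True))
    for project, value in mttr_by_project(SAMPLE_ISSUES, AS_OF).items():
        print(f"{project}: {value if value is not None else 'no fixed issues yet'}")
```

Two things to notice when reading the output: `lib-c` reports no MTTR at all under the default, because its only issue is still open, and the level-10 figure changes noticeably depending on whether open issues are counted. Whichever choice you make, state it alongside the number; an MTTR that quietly excludes unfixed issues is not comparable to one that includes them.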