The End of Tribal Knowledge: Why Contextual Policy Is the Foundation for Agentic AI Development
For years, the challenge in software security and governance hasn't been knowing what to do, but instead scaling that knowledge across fast-moving teams. At Sonatype, we invested heavily in solving that through contextual policy. Not just rules, but rules that understood intent. Rules that prioritized based on usage, risk, and ...
The Laws of Software Haven’t Changed. We’re Just Choosing to Forget Them
We're in the middle of something that feels like a renaissance — a golden age of software creation that's less about syntax and more about prompting. At Black Hat 2025 last week, every conversation revolved around AI. As GPT-5 rolls out, the AI arms race intensifies between the U.S. and ...
Free isn’t free: The hidden costs of tooling decisions in open source infrastructure
When I first wrote about the tragedy of the commons and Maven Central, I called attention to a startling reality: a small percentage of users — mostly large enterprises — were unknowingly flooding a public resource ...
Beyond IPs: Addressing organizational overconsumption in Maven Central
When we published Maven Central and the Tragedy of the Commons, we highlighted a disturbing pattern: just 1% of IP addresses accounted for 83% of Maven Central's total bandwidth, often traced back to some of the world's largest organizations ...
Java at 30: From portable promise to critical infrastructure
Thirty years ago, Java introduced the world to "write once, run anywhere." What began as a bold promise of portability and simplicity soon transformed into a defining force in modern software ...
What’s happening with MITRE and the CVE program uncertainty
Yesterday's headlines have sent ripples through the cybersecurity and software supply chain communities: MITRE announced that U.S. government funding for the CVE (Common Vulnerabilities and Exposures) database was set to expire today. Overnight, the CVE Foundation emerged with a plan to maintain the program before the Critical Infrastructure and Security ...
Introducing Nexus Repository Community Edition: Enhanced features for growing teams
Over the past decade, Nexus Repository has evolved from a simple accelerator for small development teams into an essential foundation for some of the world's most complex software ecosystems. Our goal has always been to support this diversity of users — from open-source enthusiasts and boutique consultancies to global enterprises ...
Central Publisher Portal now validates Sigstore signatures
As part of our ongoing efforts to enhance security and trust in the Central repository ecosystem, we are introducing Sigstore signature validation in the Central Publisher Portal. Sigstore is a project that is attempting to create a standardized, modern approach to securing the software supply chain. It works in much ...
What’s happening with the CrowdStrike incident: When a software update turns into a cyber crisis
This morning's CrowdStrike incident, where a routine update caused a cascading failure across thousands of critical systems worldwide, is a stark reminder of the fragile interconnectedness of our digital world. While this incident was a misstep, not malice, it exposes the vulnerability of our essential services ...
Maven Central and the tragedy of the commons
The tragedy of the commons is a concept in economics and ecology that describes a situation where individuals, acting in their own self-interest, collectively deplete a shared resource. In simpler terms, it's the idea that when a resource is available to everyone without restriction, some individuals tend to overuse it, ...