A Halloween Short Story: Having access to the (Maven) Central Repository is like living next to the world’s coolest neighbor. He passes out candy like it’s Halloween every single day of the year; it’s unlimited candy, unlimited quantities, take as much as you like, as often as you like! The only problem: your generous neighbor has to get “candy” from somewhere. No single distributor can supply all those free treats.
Your neighbor doesn’t have time to hand check every treat in his hand-out basket, much less keep track of the billions of kids that show up on his doorstep each year. He’s only concerned with passing out candy… or is he?
I can’t tell you when I stopped believing in Santa Claus, but with complete certainty I remember the moment I stopped trick-or-treating. Let me take you back to 1991…
While my parents were likely concerned with the end of the Cold War, and front page fodder carried headlines of using “nukes” to end the Gulf War, I was more worried about an awesome new (to me) band that called themselves Nirvana. In addition to music that would influence the amount of flannel I wore for a number of years to come, I also had yet to learn the difficult lesson that odd-numbered Star Trek movies would be a best described as “totally lame.”
More importantly though, 1991 is the year I stopped taking free candy from my neighbors.
Though my friends would continue on for years to come, I’d had enough. This reached crescendo when a man about three houses into my last tour answered the door and commented on my impromptu “GI Joe” costume of camouflage pants, bandolero-covered chest. As he gave me a single tootsie roll, he felt it necessary to comment, “Aren’t you too big to trick-or-treat?” This was not a vertically-oriented question, and was certainly rhetorical.
I suppose it could have been worse. My early adolescent obesity might have prompted a more sinister neighbor to request a truffle shuffle. To this day, I don’t like dressing up.
The Obligatory Halloween “Candy Check”
In truth, it wasn’t all about being a rather large pre-teen. It wasn’t really about being unfit for duty either. The whole thing had become a hassle. Especially the candy-screening process. There I’d be, marveling at my haul, and just as I’d unwrapped the first delicious piece of taffy, my mother’s hand would come down in front of my mouth. She’d follow this by confiscating, every last, diabetes-laden piece of goodness and remind me that no candy could be consumed until the all-important “candy check.”
I hated the candy check. Candy-checks sucked.
She’d see my face, and launch into pontification, weaving vivid tales of children having their mouths and throats cut with candy full of razor blades and needles. Thanks for the nightmares mom.
The thing is, she was right. Candy tampering is a real thing, and while unlikely, what parent wants to be the one that didn’t provide a simple check of their kid’s candy. As a new parent myself, and of a child that has a few good trick-or-treat seasons to go, it’s certainly a part of our post-tricking, treat-consuming routine.
And like me, I’m certain she hates the controls her parents have put in front of her own consumption. Especially the part where some of the best candy gets on-the-spot tested, you know, better safe than sorry. But you know what, it’s for the best.
The Ultimate Treat-Giver for Developers
Having access to the (Maven) Central Repository is like living next to the world’s coolest neighbor. He passes out candy like it’s Halloween every single day of the year; it’s unlimited candy, unlimited quantities, take as much as you like, as often as you like! The only problem: your generous neighbor has to get “candy” from somewhere. No single distributor can supply all those free treats.
That means, quality can differ, but that’s not his problem right? He doesn’t have time to hand check every treat in his basket, much less keep track of the billions of kids that show up asking for treats each year. He’s only concerned with passing out candy… or is he?
That’s the really interesting part. In this case, your neighbor is Sonatype and we do a “candy check” on every one of the components, in every version. As a matter of fact, we have spent two to four hours, examining each component so that you can be absolutely sure of the risk associated with each one.
The Seasonal “Candy Check” for Your Applications
The real problem is, how are we going to put all of that information into your hands? How are we going to let you know what’s in your application bag, not just the name and number of times used, but the good stuff like the high quality candy bars that even moms would approve, while highlighting components with known vulnerabilities and licensing issues?
Don’t panic; you aren’t doomed. We just need a little check, a “candy check” if you will. No, not for you. Rather a seasonal ‘candy check’ of your applications, or as we like to call it, an Application Health Check.
“Don’t You Touch My Candy!”
We’re not your mom, we don’t want to take anything away from you; not your open source components, not your applications, not your repositories. But we do want you to have the ability to make better component choices. We want you to be able to tell if there’s a probability of a risky piece hidden within your application bag, and what the impact of consuming that piece will be. I like to call it a merging of telekinesis and x-ray technology, with a hint of black-cat magic thrown in for good measure.
So let’s have a look at your hoarding bag. What’s in it? If I could tell you within 6 minutes what’s in that bag, and what the potential impact will be, would you want to know? That’s a rhetorical question. Of course you would.
The best part is an Application Health Check let’s you see whether or not what you are consuming is safe, component by component. We’ll list all of the components found in your application, let you know which ones have known vulnerabilities and then show you how to exchange that component for a more tasty, safe version.
We want to be the best, coolest, most-awesome neighbor in the community, not just on Halloween, but every day of the year.
So, we’re providing the AHC completely free, just like candy on Halloween, to all of our friends. There’s no installation, just a simple download. Nothing’s deployed in your “house”, and we don’t even have to know what your application is. In fact, we don’t WANT to know what your application is. That’s just too scary. We’re all about the treat and not the trick.
Latest posts by Jeff Wayman (see all)
- Nexus Lifecycle and IntelliJ IDEA - May 3, 2016
- Book Review: The Phoenix Project Recognizes IT as Heroes - March 25, 2015
- Tips from the Trenches: Exploring Nexus 3.0 Milestone 3 [VIDEO] - February 12, 2015
- Nexus 3: New Milestone Release - February 12, 2015
- Open Source Components and the Halloween “Candy Check” - October 28, 2014