Users or organizations who deploy complex pieces of software often depend on a large number of external packages. Those packages have source code written by external and often unknown parties, and they need to be retrieved from many different places. This sets the user up for an unreliable code supply chain with potential security and availability risks, because there is no layer or step between external code and internal code: an additional step that could automatically scan and back up that code. It also affects the speed of pipeline builds, since external code has to be re-fetched again and again. Being able to store and cache that code on-site is sure to bring speed improvements to pipeline builds.
The current maturity stage of this category is targeting minimal, which means that we are just starting out. The first priority is to get down the MVC, preferably one that complements a major, widely used existing feature and makes it more powerful. In that sense, implementing proxy packages for our Docker registry (https://gitlab.com/gitlab-org/gitlab-ee/issues/7934) to better enable Auto DevOps on on-premise GitLab installations is a sound first step, since the registry has the most usage within GitLab and the proxy can also help improve other features like Auto DevOps. This allows a wider audience to leverage the MVC and provide important feedback.
Once the MVC has shipped we reach the first checkpoint, which allows us to receive feedback, gather usage data and more confidently set out the next steps. Large-impact improvements will be preferred afterwards.
This is part of our 2019 vision due to demand from enterprise customers.
JFrog, Nexus, and most competitors have a lead on us in terms of the sheer quantity of package repositories they already support. Their approach to proxy repositories is to add an additional repository. We should take this same approach, but with the management structure that GitLab provides, in order to make this much more accessible and simpler to understand.
Grafeas shines a light on automatic whitelisting and general package management opportunities. We can further inform our whitelisting rulesets with data gathered from our security tests.
Our added value comes from combining this with our own CI/CD services. Speed improvements and having everything on-premise are a big win.
N/A (None as of yet)
N/A (This is a new category and is yet to receive wide input from the community)
The MVC issue gitlab-ee#7934 will shed new light on the impact this feature has, and has a wide reach by making a proxy repository possible for Docker images.