-
Suggestion
-
Resolution: Unresolved
-
None
-
None
The Issue:
We have a large development team with many internal packages (artifacts) We have many tools to pull in a mirror external dependancies as well as internal packages/artifacts, we currently use a few open source and free solutions, such as
- https://github.com/verdaccio/verdaccio
- https://www.sonatype.com/products/repository-oss
- https://github.com/composer/satis
But they are a pain to manage and some of the language package managers are not well supported, such as PHP and Composer.
We have explored a few paid options, such as
- https://www.sonatype.com/products/repository-pro?topnav=true
- https://jfrog.com/artifactory/
- https://aws.amazon.com/codeartifact/
Here are a few other offerings
I would encourage Atlassian to enter this space as there is a need for mature tooling that integrates with the existing internal and external dependancies. Possibly could also explore
- vulnerability scanning
- license scanning
- metrics on usage
I'm thinking this might be a good fit for the Datacenter option
[BAM-21331] Bitbucket or Bamboo Proxy :: internal/private artifact/repository with external/public mirroring/caching
added the same suggestion to Bitbucket board https://jira.atlassian.com/browse/BSERV-13107
Posting another vendor offering a solution as well https://www.jetbrains.com/space/features/software-development.html#a-package-management as a reference
Since Cloud Bitbucket does not run in a private VPC, then the Datacenter Bamboo option would be my choice. especially with all the supply chain attacks recently
PS: we use Bitbucket Cloud (not Bamboo) and would be looking for a solution in Atlassian's Bitbucket Cloud offering. I personally think on-prem hosted software delivery pipeline tooling has little or no future.
I fully agree. Most competitors in this software development pipeline space (e.g. AWS, Azure, GitHub, GitLab, Jetbrains Space, etc) already offer this and without it, and without any plans to do so, I think Atlassian will quickly start loosing their market share. At least I see this happening for our customers. These days most vendors offer a 'package manager' solution which not only offers an artefact repository but also a Docker registry, something which we also miss a lot in the Atlassian offering. Of course you can use DockerHub but if you need a private registry you will need additional licensing and so on. I think in this space a one-stop-shop is much preferred.
Would love to see this added to https://www.atlassian.com/point-a