Insufficient grace period for community tier

Dear Sonatype,

You recently announced the introduction of the community tier and I would like to provide you with some feedback from your users’ perspective on how you introduced this critical change.

First of all, I have nothing against free services turning into paid services, so you will not find criticism about that part here.

Here is a summary of my understanding of what you communicated (I’ve read several communication channels and was a little confused at first):

  • the version that was free before introduction of the community tier will remain available
    • fewer formats will be supported (e.g. no more rpm, pypi, npm)
    • no builds available from Sonatype, so you need to build it yourself from the nexus-public repo
    • no usage limitations
    • the version receives further maintenance (bug fixes, security, …)
  • the community tier is basically free as well and even introduces additional formats
    • but - it introduces usage limits and if you exceed these, your nexus starts rejecting certain operations
    • you grant a grace period of 45d for those who suddenly notice they exceed the usage limits, so they can buy a pro license

Now here is my view: I have used Sonatype Nexus (Free) for more than a decade and always appreciated the service it provided for free. I am also considering buying a Pro license to continue using it, because I am basically satisfied with it as a solution for corporate use.

What I really dislike about your move, though, is that you basically give me no choice other than buying a license, because the transition period you chose is way too short for any corporate scenario to evaluate the situation and, in case we would decide for an alternative, execute the necessary change to our development process, including teaching the users.

I understand that it is economically not your interest to have people looking for alternatives and possibly leaving, but I do not think you need to be afraid of that so much, because your solution works fine and a lot of people would probably jump aboard the licensed train anyway. I would just consider it much more fair to grant a period of +6 months for such transition and I could imagine you already knew a year ago that you would introduce this tier, so either I missed the memo or someone forgot that it would make sense to let people know about the incoming changes.

Why do I feel like having no choice other than buying a Pro license? Because I have several formats in use that will not be supported by the free version anymore, so I cannot just build it for myself and keep going. I also cannot just continue using the pre-3.77.0 version, because as far as I understood, it will not receive (security) updates anymore, so my service turned into an EOL brick all of a sudden and it would not be responsible to keep it running (especially being reachable from WAN). It is not realistic to do a proper evaluation and execute a possible change to a different solution within 45d either.

So I will buy the license. But I do not feel this was a fair move the way it was done. I would suggest you at least offer backporting security fixes to the 3.76 branch for some longer time. Or you extend the grace period of the community tier, if that is easier. Not because you are obliged to continue providing support for something that you have been offering for free for so long, but because the behavior of a vendor in situations like that also influences future choices of people deciding which tools to use/buy, so I think this is in your interest.

5 Likes

@tumbl3w33d Overall I agree with your statement, but where did you get the information about fewer supported formats in the Community Edition?
The post “Introducing Nexus Repository Community Edition: Enhanced features for growing teams” says ‘You can still benefit from the exact same core functionality and formats’.

I would be thankful for a short answer, because that would change everything for our installation… Thanks!

Hi Jochen,

You misread that:

I was referring to the OSS version that will still be available without usage limitations (but you must build it yourself). In this one you lose some formats.

In the community tier you even get additional formats, but you have a usage limit and depending on how intensively you use Nexus, you will exceed it and need a Pro license.

This is the open source codebase of Nexus Repository Core. This contains functionality for maven, raw, and APT repository formats, and uses an embedded H2 database that is appropriate for small workloads.

Thanks for your feedback!

We weren’t trying to surprise anyone with the limits, and we imagined that the 45-day grace period would be triggered either by a long-term user of CE who has grown slowly above the limits, or as an extension to normal upgrade cycles. Our data shows that most organizations take months or longer to get onto a newer version, meaning that the typical Nexus Repository deployment will have much longer than just the grace period to absorb the implications of the limits and make their choice on how to proceed.

We applaud your intention to stay ahead of security problems. You’re ahead of most larger organizations in terms of your upgrade speed. Unfortunately this means you face the decision sooner than most.

Backporting security updates is a reasonable request and something we’ve considered. As it turns out, the biggest risks are actually in some of the older and more structural parts of the tech stack. We have some significant work underway now that will land in the next few releases that will make our security posture much better. Unfortunately, the degree of change makes backporting these improvements to a point release impractical, so this does mean that there won’t be security updates to 3.76. However, because open core is updated whenever we release, those security improvements will be available right away there as well.

We’re trying to strike a balance between reasonable notice, supporting our free user base, and encouraging larger organizations to contribute to accelerating the pace of development for the users of all three editions. We realize for a very small set of users already above the thresholds (~5%), this might require an urgent decision, but we hope that the combination of promotional pricing and new features will soften the impact.

A number of us have been discussing your post this week, and it’s really helpful that you’ve given us so much detail on your experience of the changes and your thought process. So again, thanks very much for taking the time to provide us with your feedback.

2 Likes

Thank you for your comprehensive and insightful response, Jonathan. The deepest solace lies in understanding and I sometimes need a reminder that with weekly updates of everything in our infra we are exotic (development for healthcare IT has its challenges). I understand that your decision was based on the data you had (admittedly we turn off telemetry wherever possible) and it is always a tradeoff after all.