Open source software (OSS) is no longer a fringe technology used by leading-edge risk-takers, but has become a mainstream technology in building applications, and its use will only increase going forward, says research by International Data Corporation (IDC) analysts. This is also backed by survey results reported by the State of the Software Supply Chain: Open Source Edition 2022, which indicates that OSS is clearly fulfilling stakeholder expectations for cost efficiency, increased flexibility, and developer productivity. But despite the growing adoption of OSS across the globe, security concerns and packaging complexities remain major hurdles for enterprises looking to scale up with OSS.
VMware Bitnami-packaged OSS applications aim to address the growing OSS-related security and packaging challenges in the industry and promote seamless and sustainable adoption of OSS. Bitnami-packaged content is made available to customers in a standard open source version, as well as an enterprise version. In this blog, we will explore the value delivered by both and help you understand how each can be used to meet your open source needs.
The standard open source version: Bitnami Application Catalog
Bitnami Application Catalog is the standard, free-to-consume library of over 100 Bitnami-packaged OSS applications. The content from Bitnami Application Catalog is made available to users through multiple channels, including the Bitnami website, VMware Marketplace, GitHub, Docker Hub, and certain public cloud marketplaces.
Bitnami Application Catalog is a VMware open source project, and its content has been downloaded by developers millions of times (cumulatively) across various channels. Bitnami Application Catalog content is configured to work right out of the box, packaged and delivered in accordance with security best practices. This ready-to-use nature and consistent configuration across all Bitnami-packaged OSS content accelerates developers’ ability to use them.
The enterprise version of Bitnami Application Catalog: VMware Application Catalog
VMware Application Catalog is the enterprise version of Bitnami Application Catalog, which comes with added features to make Bitnami-packaged applications more suitable for enterprise deployments. With VMware Application Catalog, development teams can consume the OSS applications they need through a superior self-service experience and build software more quickly; while platform engineering teams can seamlessly enforce compliance, security, and operational best practices to meet the stringent security requirements of enterprise IT. It is delivered as a cloud service by VMware and aims to help enterprises adopt OSS in a scalable and sustainable manner.
How does the enterprise version deliver added value on top of the standard open source Bitnami Application Catalog?
The following is a brief look at the capabilities of, and differences between, the open source and enterprise editions of the VMware Bitnami Application Catalog.
Customization options
The base operating system of all Bitnami-packaged content is the Debian operating system (OS) by default. Users of the standard Bitnami Application Catalog do not get any provisions to change the base OS according to their needs; whereas the enterprise version—VMware Application Catalog—provides users with the option to choose among multiple Linux distributions (including the VMware offering Photon OS) as the base OS. Because Photon OS is a VMware-maintained project, it gives us the control we need over vulnerability response to ensure timely security fixes at the base OS level and, in turn, to deliver secure OSS applications with minimal vulnerabilities. Photon OS, in combination with Bitnami’s continuous upstream monitoring mechanism, can help customers who desire a perfect zero from their common vulnerabilities and exposures (CVE) scanners get close to that goal.
In addition to Photon OS, VMware Application Catalog provides the latest versions of third-party Linux distributions (e.g., Red Hat Universal Base Image, Ubuntu, and Debian) as base image options, and lets customers use their own custom-configured base image. This provides them the flexibility they need and enables them to be compliant with their internal enterprise policies.
Support and catalog refresh commitments
Bitnami Application Catalog is known for the great support that our team provides to the community and for delivering well-maintained up-to-date software. However, we need to consider that this is an open source project delivered on a best-effort basis and so there is not a guaranteed response time. VMware Application Catalog, being a commercial offering from VMware, commits to strict service level objectives (SLOs)—both in update releases and support. Additionally, requests for new features and adding new OSS images to the catalog made by VMware Application Catalog customers are prioritized.
Recently, we have started offering enterprise support for two other VMware open source projects—Kubeapps and Sealed Secrets—to help our customers maximize the value they get from their VMware Application Catalog subscription. Kubeapps allows customers to consume the OSS artifacts from VMware Application Catalog easily and more efficiently; while Sealed Secrets helps customers keep sensitive information such as database passwords, OAuth tokens, SSH keys, or Slack tokens securely stored as encrypted Kubernetes secrets in shared Git repositories.
Software bill of materials, VEX, and other build-time reports
The artifacts in Bitnami Application Catalog do not provide any metadata that would enable modern-day enterprises to gain visibility into their upstream components. By contrast, all artifacts in VMware Application Catalog come with a detailed software bill of materials (SBoM) delivered in Software Package Data Exchange (SPDX) format—an international open standard developed by the Linux Foundation for communicating SBoM information. With this SPDX-standard SBoM from VMware Application Catalog, businesses can consume the SBoM in a standardized, understandable, and reusable way, achieve compliance with National Telecommunications and Information Administration (NTIA) standards, and optimize and automate security-related decision-making by working with tools that can directly consume SPDX documents as inputs. The SPDX-format SBoM can also be converted to CycloneDX format—another international standard for SBoM communication—by following a few simple steps.
Additionally, VMware Application Catalog delivers Vulnerability Exploitability eXchange (VEX) to help customers gain actionable visibility into exploitable upstream vulnerabilities, make well-informed security decisions, and avoid spending time and effort trying to fix unexploitable vulnerabilities in their applications.
Last, the artifacts in VMware Application Catalog are security-scanned and tested for use across all major cloud and Kubernetes platforms, and these security scan reports and test reports are also delivered along with the artifacts. By combining VEX documents with SBoM and CVE scan reports provided by VMware Application Catalog, customers receive an assessment of their upstream vulnerabilities to help make well-informed, risk-based security decisions.
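The triage described above (reading an SBoM, a CVE scan report and a VEX document together, and acting only on the findings that remain exploitable) is shown below as an added example; it is not VMware or Bitnami code and does not use the real VMware Application Catalog artifacts. The three documents are constructed, simplified fragments in the spirit of SPDX 2.3 JSON, a generic scanner report and OpenVEX, with placeholder CVE identifiers; the field names are assumptions, not a complete rendering of either schema. The example goes slightly beyond the text by also flagging findings for components the SBoM does not list, since a scanner and an SBoM that disagree about the image contents is itself a signal worth investigating.

```python
"""Triage CVE scan findings against an SBoM and a VEX document (added example)."""

# Constructed SPDX-style SBoM: packages identified by package URL (purl).
SBOM = {
    "spdxVersion": "SPDX-2.3",
    "name": "example-app-image",
    "packages": [
        {"name": "openssl", "versionInfo": "3.0.8",
         "externalRefs": [{"referenceType": "purl",
                           "referenceLocator": "pkg:deb/debian/openssl@3.0.8"}]},
        {"name": "zlib", "versionInfo": "1.2.13",
         "externalRefs": [{"referenceType": "purl",
                           "referenceLocator": "pkg:deb/debian/zlib@1.2.13"}]},
    ],
}

# Constructed scanner output: placeholder CVE ids, one finding per (CVE, purl).
SCAN = {
    "findings": [
        {"id": "CVE-0000-0001", "purl": "pkg:deb/debian/openssl@3.0.8", "severity": "HIGH"},
        {"id": "CVE-0000-0002", "purl": "pkg:deb/debian/openssl@3.0.8", "severity": "CRITICAL"},
        {"id": "CVE-0000-0003", "purl": "pkg:deb/debian/zlib@1.2.13", "severity": "MEDIUM"},
        {"id": "CVE-0000-0004", "purl": "pkg:deb/debian/libfoo@1.0", "severity": "LOW"},
        {"id": "CVE-0000-0005", "purl": "pkg:deb/debian/zlib@1.2.13", "severity": "HIGH"},
    ]
}

# Constructed OpenVEX-style statements as an image producer might issue them.
VEX = {
    "statements": [
        {"vulnerability": "CVE-0000-0001", "products": ["pkg:deb/debian/openssl@3.0.8"],
         "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
        {"vulnerability": "CVE-0000-0002", "products": ["pkg:deb/debian/openssl@3.0.8"],
         "status": "affected"},
        {"vulnerability": "CVE-0000-0003", "products": ["pkg:deb/debian/zlib@1.2.13"],
         "status": "fixed"},
        # A "not_affected" claim with no justification: deliberately not trusted below.
        {"vulnerability": "CVE-0000-0005", "products": ["pkg:deb/debian/zlib@1.2.13"],
         "status": "not_affected"},
    ]
}

# The justification labels OpenVEX defines for a "not_affected" status.
VALID_JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}


def sbom_purls(sbom):
    """Collect the purl of every package the SBoM declares."""
    purls = set()
    for pkg in sbom.get("packages", []):
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceType") == "purl":
                purls.add(ref["referenceLocator"])
    return purls


def vex_index(vex):
    """Map (CVE id, purl) -> VEX statement so each finding can be looked up directly."""
    index = {}
    for stmt in vex.get("statements", []):
        for product in stmt.get("products", []):
            index[(stmt["vulnerability"], product)] = stmt
    return index


def triage(sbom, scan, vex):
    """Split findings into actionable, suppressed and unknown-component buckets.

    - purl absent from the SBoM: scanner and SBoM disagree about the image; flag it.
    - "not_affected" suppresses a finding only with a recognised justification.
    - "fixed" suppresses it (typical scanner false positive on backported patches).
    - "affected", "under_investigation" or no statement keeps it actionable.
    """
    known = sbom_purls(sbom)
    index = vex_index(vex)
    result = {"actionable": [], "suppressed": [], "unknown_component": []}
    for finding in scan["findings"]:
        if finding["purl"] not in known:
            result["unknown_component"].append({**finding, "reason": "purl not in SBoM"})
            continue
        stmt = index.get((finding["id"], finding["purl"]))
        if stmt is None:
            result["actionable"].append({**finding, "reason": "no VEX statement"})
        elif stmt["status"] == "fixed":
            result["suppressed"].append({**finding, "reason": "VEX: fixed"})
        elif stmt["status"] == "not_affected" and stmt.get("justification") in VALID_JUSTIFICATIONS:
            result["suppressed"].append({**finding, "reason": "VEX: " + stmt["justification"]})
        else:
            result["actionable"].append({**finding, "reason": "VEX: " + stmt["status"]})
    return result


if __name__ == "__main__":
    for bucket, items in triage(SBOM, SCAN, VEX).items():
        print(bucket)
        for f in items:
            print(f"  {f['id']:14} {f['severity']:9} {f['purl']}  ({f['reason']})")
```

Running the script prints one line per finding under its bucket. The design choice worth noting is that a "not_affected" statement is only honoured when it carries one of the defined justification labels: a VEX document is a producer's claim, and an unjustified claim should not silently remove a critical finding from a platform team's queue.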
Storage and distribution
The Bitnami Application Catalog content is stored in and distributed through Docker Hub’s public registries and made available to users from across the globe, and Bitnami-packaged content available in public cloud marketplaces is hosted in the respective marketplaces’ public storage. Users of VMware Application Catalog, however, get their content delivered to their own private Open Container Initiative (OCI)-compliant registry. This enables enterprise customers to follow best practices and achieve a stronger security posture.
A summary of Bitnami Application Catalog compared to VMware Application Catalog
So, what’s the right solution for you?
If you were looking for a binary answer, that’s difficult to provide.
For developers looking for easy-to-use, off-the-shelf open source images in test environments or as part of individual development projects, the open source Bitnami Application Catalog alone will be perfectly sufficient. You can start using the OSS images from Bitnami Application Catalog right away from the Bitnami website, VMware Marketplace, Docker Hub, or GitHub.
On the other hand, if you are from the platform engineering or DevOps team of a large enterprise and are looking to take OSS applications to your production environments, you should make use of VMware Application Catalog in addition to the open source Bitnami Application Catalog. You will then have options to customize OSS across a choice of Linux distributions as per your needs, and the ability to deliver them to your developers and scale up OSS usage in a compliant, secure, and transparent manner. Your developers can continue using OSS artifacts from the open source Bitnami Application Catalog for development and test environments, while they can use the more production-ready, compliant OSS artifacts from VMware Application Catalog for mission-critical use cases. Thus, a team can extract the maximum value by using VMware Application Catalog in tandem with Bitnami Application Catalog.
Next steps
To learn more about VMware Application Catalog, check out our product webpage. If you are interested in a free trial or live demo of VMware Application Catalog from our experts, please fill out this form, and our team will get in touch with you shortly!