Definitive media library

Last updated February 06, 2024

A definitive media library is a secure information technology repository in which an organisation's definitive, authorised versions of software media are stored and protected. Before an organisation releases any new or changed application software into its operational environment, any such software should be fully tested and quality assured. The definitive media library provides the storage area for software objects ready for deployment and should only contain master copies of controlled software media configuration items (CIs) that have passed appropriate quality assurance checks, typically including both procured and bespoke application and gold build source code and executables. In the context of the ITIL ^[1] best practice framework, the term definitive media library supersedes the term definitive software library referred to prior to version ITIL v3.

Background

In a controlled IT environment it is crucial that only authorised versions of software are allowed into production. The consequences of unauthorised software versions finding their way into the live environment can be serious. Typically, in a mature organisation, stringent Change and Release Management processes will exist to prevent this occurring, but such processes require a place where the authorised software versions can be safely stored and accessed. The solution put forward by ITIL in its third version is called the definitive media library or DML (replacing the previously named Definitive Software Library or DSL in version two). ITIL proposes that the DML can be either a physical or virtual store and there are benefits and drawbacks with either method. Clearly, however, there are key factors in the success of any DML solution i.e. software required to be deployed into production should be rigorously tested, assured and licensed to perform and also packaged in such a way that it will safely and consistently deploy. Also, the DML should be easily accessed by those, and only those, authorised to do so. In this way, a virtual (electronic) storage area will almost always provide a superior solution, meaning the DML can be centralised and accessed remotely or outside normal business hours if the need arises (see distribution).

Scope

The DML plays a critical role in supporting the transition from development to production phases and DML solutions should be distinguished from other software and source code repositories e.g. software configuration management or SCM (sometimes referred to as software change and configuration management) that supports the development or software evolution phase. This is an important distinction and often causes some confusion. In essence, whereas SCM tools or repositories store and manage all development versions and revisions of code (or work products) up to but not including the final authorised product, the DML stores only the final authorised versions of the code or product. This is analogous to a high-street product lifecycle where the product moves from design house to factory, through to warehouse and then shop, i.e.

records (metadata) are kept about how a product is designed developed and built. This enables the tracking down of which process is to blame where faulty products are discovered either during quality control or even in later service.
records (metadata) are kept in a configuration management database about where the software is installed and deployed from the DML and into the production environment. Each installation or deployment should be authorised by a corresponding production change request and the resulting change recorded in the configuration management database as a relationship between the DML artefact and the platform where it has been deployed.

In a more mature or evolved state there is no distinction drawn between the two forms of configuration management and the process is continuous supporting the whole service delivery and service operation lifecycle. This has been referred to as Enterprise Configuration Management. Even here though the development-based artefacts should still be distinguished from and kept separate from the management of quality assured, definitive master versions available for deployment. In an outsourced or multi-vendor arrangement the existence or otherwise of a consistent and secure form of supplier access will dictate whether or not the software configuration management is performed passively (externally by suppliers adopting their own SCM tools and then delivering the finished product) or actively (overseen internally with suppliers utilising the centrally hosted SCM tool). All finished products, however, (application software) in their authorised deployable form should be stored within the central DML.

Typical CIs that a DML will store include:

Packaged in-house application software
Commercial off-the-shelf (COTS) raw media
Customised COTS software (containing enhancements, tailored configuration etc)
Release packages
Patches (see patch (computing))
Gold builds (clients, servers, network and storage devices etc)
System images
Across multiple technology stacks and distribution technologies (e.g. Wintel, UNIX, ORACLE, mainframe, network, storage etc)

Media release lifecycle

(see "definitive media library and configuration management database in the context of the release management process" diagram above)

The media release lifecycle steps are:

Demand for new service or product arises.
Decision is made to make or buy the product (service, build or application) based on functional requirements extracted from the requirements traceability tool. Product is created or selected from the service/ product catalogue in accordance with architectural design policies (Service Design). COTS product is procured and stored in the DML with asset status ‘procured’. If new, the product is added to the Approved Products Catalogue. In-house created application source code is managed directly in the software configuration management repository.
If COTS product or gold build is being packaged, media is extracted from the DML.
Product is packaged or developed and packaged (in which case add-on functionality is treated in the same way as in-house applications and builds).
Stub records or original baselines are created in the software configuration management tool.
Development code revisions and package revisions are recorded in the software configuration management tool throughout development.
Unit testing is carried out.
Packaging is completed to create the release package.
Product package is quality assured (inc testing, staging and any rework).
Completed media package (build, service or application) is lodged back in the DML as authorised media ready for deployment.
Following Change Management approval, product is released to the estate via the appropriate distribution system with logical installations being recorded via due process in the CMS (CMDB).
DML entities are archived as soon as:
1. CMS or CMDB indicates that packaged release is no longer in use at any location (a period of grace is required following the last decommission or upgrade to allow for any necessary regressions) and
2. The DML entity has been removed from the technical or user (service) catalogue as a selectable item

Distribution

Even though the DML as an authorised store for media implies a degree of centralisation, Local Media Libraries (LMLs) will be required in order to achieve a global model. In this way, release and deployment of physical instances of media can be achieved in country in a timely manner by avoiding constant downloads over the global network. Replication of authorised media in non-prime windows would make required packages available locally as required, but the DML would remain as ‘master’ for process control reasons.

The DML/LML hierarchy is synonymous with the master/secondary distribution layers seen within many distribution technologies and package management systems. However, whereas distribution tools tend to be biased towards a particular technology stack (e.g. Wintel, Unix, Mainframe etc), one of the main benefits of a DML is its technology-agnostic nature and a true central store for all authorised software. In this way, the distribution tools would connect to the DML to obtain the software package. Application packaging involves the preparation of standard, structured software installations targeted for automated deployment. Packaging is also required for bought-in (COTS) software, as packaging allows software to be configured to run efficiently on a particular platform or environment. Even a slight change in this platform (such as the swapping-out of disk) can prevent a package from successfully deploying so retention of the raw media (ISO) version of software is critical as this will be needed (often in an emergency) should the packaged version no longer deploy e.g. following the upgrade or replacement of the operating platform.

Benefits

The DML supports;

Release and deployment management as a foundation and the central storage area for all releasable deployment packages
Availability and service continuity by providing the source of all packaged applications and raw media for use in service restoration and disaster recovery procedures
Automated server provisioning and rationalisation through the storage of gold builds
Asset management by providing metadata records and licence keys relating to COTS software licence provision. Instances of media and the authorised media set stored together with licences and licence conditions will allow optimised management of software allocations and external compliance in terms of Sarbane-Oxley and BSA recommendations.
Catalogued request fulfilment, either in terms of single-user client-end product requests or repeated requests for deployments of an existing multi-user service/application to other hosting locations.

Related Research Articles

<span class="mw-page-title-main">Configuration management</span> Process for maintaining consistency of a product attributes with its design

Configuration management (CM) is a systems engineering process for establishing and maintaining consistency of a product's performance, functional, and physical attributes with its requirements, design, and operational information throughout its life. The CM process is widely used by military engineering organizations to manage changes throughout the system lifecycle of complex systems, such as weapon systems, military vehicles, and information systems. Outside the military, the CM process is also used with IT service management as defined by ITIL, and with other domain models in the civil engineering and other industrial engineering segments such as roads, bridges, canals, dams, and buildings.

A package manager or package-management system is a collection of software tools that automates the process of installing, upgrading, configuring, and removing computer programs for a computer in a consistent manner.

In software engineering, software configuration management is the task of tracking and controlling changes in the software, part of the larger cross-disciplinary field of configuration management. SCM practices include revision control and the establishment of baselines. If something goes wrong, SCM can determine the "what, when, why and who" of the change. If a configuration is working well, SCM can determine how to replicate it across many hosts.

Advanced package tool, or APT, is a free-software user interface that works with core libraries to handle the installation and removal of software on Debian, and Debian-based Linux distributions. APT simplifies the process of managing software on Unix-like computer systems by automating the retrieval, configuration and installation of software packages, either from precompiled files or by compiling source code.

Rational ClearCase is a family of computer software tools that supports software configuration management (SCM) of source code and other software development assets. It also supports design-data management of electronic design artifacts, thus enabling hardware and software co-development. ClearCase includes revision control and forms the basis for configuration management at large and medium-sized businesses, accommodating projects with hundreds or thousands of developers. It is developed by IBM.

Product data management (PDM) is the name of a business function within product lifecycle management (PLM) that denotes the management and publication of product data. In software engineering, this is known as version control. The goals of product data management include ensuring all stakeholders share a common understanding, that confusion during the execution of the processes is minimized, and that the highest standards of quality controls are maintained. PDM should not be confused with product information management (PIM).

Information technology service management (ITSM) are the activities performed by an organization to design, build, deliver, operate and control information technology (IT) services offered to customers.

Maven is a build automation tool used primarily for Java projects. Maven can also be used to build and manage projects written in C#, Ruby, Scala, and other languages. The Maven project is hosted by The Apache Software Foundation, where it was formerly part of the Jakarta Project.

Software deployment is all of the activities that make a software system available for use.

The term configuration item (CI) refers to the fundamental structural unit of a configuration management system. Examples of CIs include individual hardware or software components. The configuration-management system oversees the life of the CIs through a combination of processes and tools by implementing and enabling the fundamental elements of identification, change management, status accounting, and audits. This system aims to avoid the introduction of errors related to lack of testing as well as of incompatibilities with other CIs.

Microsoft Visual SourceSafe (VSS) is a discontinued source control program oriented towards small software development projects. Like most source control systems, SourceSafe creates a virtual library of computer files. While most commonly used for source code, SourceSafe can handle any type of file in its database, but older versions were shown to be unstable when used to store large amounts of non-textual data, such as images and compiled executables.

rPath, Inc. was a technology company based in Raleigh, North Carolina, that developed technology to automate the process of constructing, deploying, and updating software. rPath modeled and managed components and dependencies under version control. It acted as a model-driven and version-controlled repository and software distribution hub.

A configuration management database (CMDB) is an ITIL term for a database used by an organization to store information about hardware and software assets. It is useful to break down configuration items into logical layers. This database acts as a data warehouse for the organization and also stores information regarding the relationships among its assets. The CMDB provides a means of understanding the organization's critical assets and their relationships, such as information systems, upstream sources or dependencies of assets, and the downstream targets of assets.

Customer Configuration Updating (CCU) is a software development method for structuring the process of providing customers with new versions of products and updates production. This method is developed by researchers of the Utrecht University.

In software development, version control is a class of systems responsible for managing changes to computer programs or other collections of information such that revisions have a logical and consistent organization. The following tables include general and technical information on notable version control and software configuration management (SCM) software. For SCM software not suitable for source code, see Comparison of open-source configuration management software.

Build automation is the process of automating the creation of a software build and the associated processes including: compiling computer source code into binary code, packaging binary code, and running automated tests.

A software repository, or repo for short, is a storage location for software packages. Often a table of contents is also stored, along with metadata. A software repository is typically managed by source or version control, or repository managers. Package managers allow automatically installing and updating repositories, sometimes called "packages".

Aldon is a business unit of Rocket Software. It develops, manufactures, licenses and supports software change management products for the enterprise application lifecycle management (ALM) and software change management (SCM) markets.

AnthillPro is a software tool originally developed and released as one of the first continuous integration servers. AnthillPro automates the process of building code into software projects and testing it to verify that project quality has been maintained. Software developers are able to identify bugs and errors earlier by using AnthillPro to track, collate, and test changes in real time to a collectively maintained body of computer code.

<span class="mw-page-title-main">DevOps toolchain</span> DevOps toolchain release package.

A DevOps toolchain is a set or combination of tools that aid in the delivery, development, and management of software applications throughout the systems development life cycle, as coordinated by an organisation that uses DevOps practices.

References

↑ Shirley Lacy and Ivor Macfarlane (2007). ITIL Service Transition. The Stationery Office. ISBN 978-0-11-331048-7.

External links

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] Shirley Lacy and Ivor Macfarlane (2007). ITIL Service Transition. The Stationery Office. ISBN 978-0-11-331048-7.

[1]