Hi,

In the Maven world all artifacts have a PGP signature which is created by the current
maintainer (for some time now a PGP signature has been required on Maven Central).

You can verify the signatures of all your dependencies; you can also track
which PGP key is used for a specific artifact.

So if the maintainer of some artifact changes, you can easily detect it
and take a proper decision about it.

Of course, it is an open question how to verify the maintainer and reputation of the
Maven artifacts you use.

Fri, 28 Feb 2020 at 20:43 Manfred Moser <manf...@simpligility.com>
wrote:

> The order of repositories in a pom, settings and repo manager is crucial.
> Some companies use their own repos on top since they trust them the most. I
> have seen internal teams deploying patched version into those which then
> essentially override the real dep from central.
>
> This is a feature and is used quite often .. however it also opens the
> door for abuse on that level.
>
> With all sorts of repos out there you really have to check what you
> consume. If you consume repos that are not trustworthy or just badly
> maintained .. anything is possible including security attacks... however I
> have not seen it in practice.
>
> Overall it's important that you use Central and other trusted repos first
> and foremost..
>
> Manfred
>
> Elliotte Rusty Harold wrote on 2020-02-28 11:01 (GMT -08:00):
>
> > Folks,
> >
> > A colleague is preparing a presentation on general dependency security
> > issues. I'm not aware of any compromises of the Maven repo system such
> > that a malicious actor was able to push malware to client systems, but
> > I'm not sure it's never happened.
> >
> > Does anyone know about anything like the attack on npm a couple of
> > years ago
> > <https://www.trendmicro.com/vinfo/dk/security/news/cybercrime-and-digital-threats/hacker-infects-node-js-package-to-steal-from-bitcoin-wallets>
> > that happened in the Java space?
> >
> > Even if something just went a little wonky in a way that could have
> > been used to serve malware but wasn't, that would be almost as
> > interesting.
> >
> > Of course, I'd love for the answer to be, "No, that's never happened
> > to Java, and it can't because..." I suspect we're a little more
> > resistant to these classes of attacks than npm because version ranges
> > are far less common. However, I can't think of anything that would
> > prevent someone from buying and compromising future versions of any
> > particular artifact. It's not like intelligence agencies haven't
> > bought entire companies before,
> > <https://www.washingtonpost.com/graphics/2020/world/national-security/cia-crypto-encryption-machines-espionage/>
> > and most open source projects could be had for a lot less.
> >
> > --
> > Elliotte Rusty Harold
> > elh...@ibiblio.org
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
> > For additional commands, e-mail: dev-h...@maven.apache.org
> >

-- 
Sławomir Jaranowski
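One way to act on the point above (record which key signs each artifact and flag when it changes), as an added example that is not part of this thread or of any Maven project: it parses the status lines that `gpg --status-fd 1 --verify artifact.jar.asc artifact.jar` prints, keeps a pinned map of group:artifact to primary-key fingerprint, and reports artifacts whose key is unknown, changed, or not validly signed. The keys, coordinates and status lines are constructed, and the `PINNED` map format is an assumption of this example.

```python
"""Pin the PGP key each Maven artifact is expected to be signed with and flag deviations.
All fingerprints, coordinates and gpg status lines below are constructed sample data."""
from __future__ import annotations

# Constructed 40-hex-char fingerprints standing in for real keys.
KEY_A = "A1" * 20
KEY_B = "B2" * 20
KEY_C = "C3" * 20

# Assumed pinning format: group:artifact -> primary-key fingerprint accepted on first review.
PINNED = {"org.example:lib-a": KEY_A, "org.example:lib-b": KEY_B}

# Constructed `gpg --status-fd` output, one verification run per artifact version.
SAMPLE_STATUS = {
    "org.example:lib-a:1.2.0": f"[GNUPG:] GOODSIG {KEY_A[-16:]} Alice <alice@example.org>\n"
                               f"[GNUPG:] VALIDSIG {KEY_A} 2020-02-01 1580515200 0 4 0 1 10 00 {KEY_A}\n",
    # Same artifact, next version signed by a different key: the case the thread is about.
    "org.example:lib-a:1.3.0": f"[GNUPG:] GOODSIG {KEY_C[-16:]} Mallory <m@example.org>\n"
                               f"[GNUPG:] VALIDSIG {KEY_C} 2020-02-28 1582848000 0 4 0 1 10 00 {KEY_C}\n",
    # Signature present but the key was never fetched, so nothing was verified.
    "org.example:lib-b:2.0.0": f"[GNUPG:] ERRSIG {KEY_B[-16:]} 1 10 00 1580515200 9 {KEY_B}\n"
                               f"[GNUPG:] NO_PUBKEY {KEY_B[-16:]}\n",
    # Artifact we have never pinned: must be reviewed before being trusted.
    "org.example:lib-d:0.1.0": f"[GNUPG:] VALIDSIG {KEY_C} 2020-02-20 1582156800 0 4 0 1 10 00 {KEY_C}\n",
}


def signing_key(status_text: str) -> str | None:
    """Primary-key fingerprint from a VALIDSIG line, or None if gpg reported no valid signature."""
    for line in status_text.splitlines():
        tok = line.split()
        if len(tok) >= 11 and tok[:2] == ["[GNUPG:]", "VALIDSIG"]:
            # tok[2] is the (sub)key that made the signature; tok[11], when present, is the
            # primary key it belongs to. Pin the primary key so a rotated signing subkey
            # is not a false alarm, while a new maintainer's key still is.
            return tok[11] if len(tok) > 11 else tok[2]
    return None


def check_artifact(coordinate: str, status_text: str, pinned: dict[str, str]) -> tuple[str, str | None]:
    """Classify one artifact's verification result against the pinned key map."""
    group, artifact, _version = coordinate.split(":")
    fpr = signing_key(status_text)
    if fpr is None:
        return "NO_VALID_SIGNATURE", None      # BADSIG / ERRSIG / NO_PUBKEY: do not consume
    expected = pinned.get(f"{group}:{artifact}")
    if expected is None:
        return "UNPINNED_KEY", fpr             # first sighting: review the key, then pin it
    if expected.upper() != fpr.upper():
        return "KEY_CHANGED", fpr              # maintainer or key changed: investigate first
    return "OK", fpr


def audit(statuses: dict[str, str], pinned: dict[str, str]) -> dict[str, tuple[str, str | None]]:
    return {coord: check_artifact(coord, text, pinned) for coord, text in statuses.items()}


if __name__ == "__main__":
    for coord, (verdict, fpr) in audit(SAMPLE_STATUS, PINNED).items():
        print(f"{verdict:20} {coord:28} {fpr or '-'}")
```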
