1. I suspect dependabot doesn't work with this. Does it? Is this worth giving up dependabot for?

2. What's the threat model? As best I can make out, someone would have to compromise the dependencies in the local .m2/repo since anything downloaded comes over https and is already signature checked.

3. Suppose someone does succeed in compromising this. What's the impact? I suppose if someone changed junit.jar (for one example) they could make maven test exfiltrate local data or run a crypto miner. But I don't think we should be in the business of protecting against local compromises. How does this signature check prevent someone from doing something bad?

--
Elliotte Rusty Harold
elh...@ibiblio.org