On Saturday, 29 February 2020, 08:55:14 CET Slawomir Jaranowski wrote:
[...]
> Of course is open question how to verify maintainer and reputation of used
> maven artifacts.
+1
with Reproducible Builds, another layer of trust is to be able to confirm you
have the sources used to produce the
You are right, the native Maven mechanism does not support verifying PGP
signatures.
For pgpverify-maven-plugin you can prepare a configuration file which
contains a mapping from artifact GAV to PGP key fingerprint.
Without this configuration any existing key is accepted.
For some time I have been trying to collect
On Sat, Feb 29, 2020 at 2:55 AM Slawomir Jaranowski wrote:
>
> Hi,
>
> In the Maven world all artifacts have a PGP signature which is created by the current
> maintainer (for some time a PGP signature has been required on Maven Central).
>
> You can verify the signatures of all your dependencies; you can also track
>
Hi,
In the Maven world all artifacts have a PGP signature which is created by the current
maintainer (for some time a PGP signature has been required on Maven Central).
You can verify the signatures of all your dependencies; you can also track
which PGP key is used for a specific artifact.
So if the maintainer of some
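To make the key-pinning idea concrete (the "mapping artifact GAV to PGP key fingerprint" configuration in Slawomir's reply above, and the point in his original message that you can track which key signs which artifact), here is an added example that is not code from the thread or from pgpverify-maven-plugin. It parses a small keys map in a syntax of my own that imitates the plugin's idea (groupId:artifactId[:version] = fingerprint), reads the status lines that `gpg --status-fd` emits during `gpg --verify artifact.jar.asc artifact.jar`, and accepts the signature only when the signing key's primary fingerprint is pinned for that GAV. The coordinates, fingerprints and status lines are constructed, not taken from Maven Central.

```python
import re

STATUS_PREFIX = "[GNUPG:] "


def _norm_fpr(s):
    """Normalize a fingerprint: drop an optional 0x prefix and spaces, uppercase."""
    s = s.strip()
    if s[:2].lower() == "0x":
        s = s[2:]
    return s.replace(" ", "").upper()


def parse_keys_map(text):
    """Parse 'groupId:artifactId[:version] = fpr[, fpr...]' lines into rules.

    Returns a list of (groupId, artifactId, version, frozenset_of_fprs).
    artifactId and version may be '*' (match anything); version defaults to '*'.
    Hypothetical syntax modelled on the plugin's keys-map idea, not its parser.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        lhs, _, rhs = line.partition("=")
        parts = lhs.strip().split(":")
        if len(parts) not in (2, 3) or not rhs.strip():
            raise ValueError("bad keys-map line: %r" % raw)
        version = parts[2] if len(parts) == 3 else "*"
        fprs = frozenset(_norm_fpr(f) for f in rhs.split(",") if f.strip())
        if not all(re.fullmatch(r"[0-9A-F]{40}", f) for f in fprs):
            raise ValueError("fingerprints must be 40 hex digits: %r" % raw)
        rules.append((parts[0], parts[1], version, fprs))
    return rules


def allowed_fingerprints(rules, gav):
    """Union of pinned fingerprints for a 'g:a:v' string, or None if no rule pins it."""
    group, artifact, version = gav.split(":")
    allowed, matched = set(), False
    for g, a, v, fprs in rules:
        if g == group and a in ("*", artifact) and v in ("*", version):
            matched = True
            allowed |= fprs
    return allowed if matched else None


def parse_gpg_status(lines):
    """Extract the outcome from 'gpg --status-fd' lines.

    VALIDSIG's first field is the fingerprint of the key that made the signature
    (often a signing subkey); its last field is the primary key's fingerprint,
    which is the stable identity a keys map should pin.
    """
    result = {"valid": False, "signing_fpr": None, "primary_fpr": None, "errors": []}
    for line in lines:
        if not line.startswith(STATUS_PREFIX):
            continue
        fields = line[len(STATUS_PREFIX):].split()
        keyword, args = fields[0], fields[1:]
        if keyword == "VALIDSIG" and len(args) >= 10:
            result["valid"] = True
            result["signing_fpr"] = _norm_fpr(args[0])
            result["primary_fpr"] = _norm_fpr(args[9])
        elif keyword in ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"):
            result["errors"].append(keyword)
    return result


def check_signature(rules, gav, status_lines, require_pin=False):
    """Decide whether an artifact's .asc signature is acceptable: (accepted, reason).

    With no rule for the GAV and require_pin=False, any cryptographically valid
    signature passes (the "any existing key is good" default the thread describes);
    require_pin=True turns an unpinned artifact into a rejection.
    """
    st = parse_gpg_status(status_lines)
    if st["errors"] or not st["valid"]:
        return False, "signature not valid: %s" % (",".join(st["errors"]) or "no VALIDSIG")
    pinned = allowed_fingerprints(rules, gav)
    if pinned is None:
        if require_pin:
            return False, "no pinned key for %s" % gav
        return True, "valid signature by %s (unpinned, any key accepted)" % st["primary_fpr"]
    if st["primary_fpr"] in pinned:
        return True, "valid signature by pinned key %s" % st["primary_fpr"]
    return False, "key %s is not pinned for %s" % (st["primary_fpr"], gav)


# Constructed keys map: hypothetical coordinates and fingerprints.
KEYS_MAP = parse_keys_map("""
# groupId:artifactId[:version] = fingerprint(s)
org.example:widget = 0x0123456789ABCDEF0123456789ABCDEF01234567
org.example:gadget:2.0 = 0123456789ABCDEF0123456789ABCDEF01234567, FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
com.example.internal:* = 0x0123456789ABCDEF0123456789ABCDEF01234567
""")

# Constructed 'gpg --status-fd 1 --verify widget-1.0.jar.asc widget-1.0.jar' output:
# signed by a subkey (first VALIDSIG field) of the pinned primary key (last field).
GOOD_STATUS = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 76543210FEDCBA98 Example Maintainer <maint@example.org>",
    "[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2020-02-29 1582934400 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
# Same artifact, valid signature from a different key: what a maintainer change
# or a hijacked upload looks like to a verifier that checks only "Good signature".
OTHER_KEY_STATUS = [
    "[GNUPG:] GOODSIG 1111111111111111 Someone Else <other@example.org>",
    "[GNUPG:] VALIDSIG 2222222222222222222222222222222222222222 2020-02-29 1582934400 0 4 0 1 8 00 3333333333333333333333333333333333333333",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
BAD_STATUS = ["[GNUPG:] BADSIG 76543210FEDCBA98 Example Maintainer <maint@example.org>"]

if __name__ == "__main__":
    for gav, status in [("org.example:widget:1.0", GOOD_STATUS),
                        ("org.example:widget:1.0", OTHER_KEY_STATUS),
                        ("org.example:widget:1.0", BAD_STATUS),
                        ("net.example:unpinned:3.1", OTHER_KEY_STATUS)]:
        print(gav, check_signature(KEYS_MAP, gav, status))
```

Two details matter in practice. The pin is compared against the primary-key fingerprint from VALIDSIG, not the 16-hex key ID in GOODSIG: maintainers rotate signing subkeys, and short key IDs are cheap to collide. And TRUST_UNDEFINED is irrelevant here: `gpg --verify` exits 0 for any key in the keyring regardless of web-of-trust validity, so the per-artifact pin is what turns "some key signed this" into "the expected maintainer's key signed this"; `require_pin=True` is the switch that closes the unpinned gap Slawomir describes.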
The order of repositories in a pom, settings and repo manager is crucial. Some
companies use their own repos on top since they trust them the most. I have
seen internal teams deploying a patched version into those, which then essentially
overrides the real dependency from Central.
This is a feature and
Folks,
A colleague is preparing a presentation on general dependency security
issues. I'm not aware of any compromises of the Maven repo system such
that a malicious actor was able to push malware to client systems, but
I'm not sure it's never happened.
Does anyone know about anything like the