How do we know we can trust the Maven Central Repository?

谎友^ 2021-02-05 00:03

Sorry if this question isn't appropriate for StackOverflow, it's not a coding question.

I'm new to Maven and am curious how there can be a Maven Central Repository th

3 answers
  •  死守一世寂寞
    2021-02-05 00:50

    The Sonatype terms and conditions are mentioned by Jason. Contained within is a link on how to submit content:

    • http://central.sonatype.org/pages/ossrh-guide.html

    The requirements section is particularly interesting. In brief all submitters are expected to provide the following:

    1. Javadoc and source code
    2. Digitally sign the submitted files
    3. Correct project metadata
      • GAV identifiers (Group, Artifact, Version)
      • Name and description fields and project URL
      • Developers working on the project
      • License information
      • Location of source code repositories

    This information publishes everything you and I need to know about the code, how it was built and more importantly who built it. The use of GPG enables us to verify that the binaries were built by the developers stated in the project POM file. Additionally, Maven Central automatically generates SHA checksums, enabling you to verify the integrity of files downloaded by your build process.

    So what does Sonatype get out of this?

    1. It's a great publicity tool when selling the professional edition of their repository hosting software.
      • One useful professional feature is the ability to restrict the artifacts that may be downloaded from Maven Central. Useful for enforcing standards or concerns about 3rd party software.
    2. Maven Central has become the world's largest repository of open source Java software. Sonatype uses this to offer a number of products to their corporate customers.
      • These provide detailed reports on the security vulnerabilities associated with 3rd party libraries used by a company's software. Impressively these tools can be integrated right into the software development and build processes.
      • Sonatype can also provide reports on the software licensing associated with their code's 3rd party dependencies. Very important for compliance and difficult to do in practice without this kind of tooling.

    Hope this helps. I would finish by pointing out that what Sonatype is doing is not very different to other open source software packaging initiatives. Red Hat, Debian and Canonical spend a lot of effort packaging software for safe and secure distribution with their OSes. Maven Central is something that is perhaps more developer friendly.
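As an added example, not part of the answer above and not Sonatype's or Maven's own code, here are the two consumer-side checks the answer describes, in Python: mapping GAV coordinates to the directory layout Central uses, verifying a downloaded file against the checksum sidecar published next to it, and handing the detached `.asc` signature to `gpg`. The repository URL layout and the sidecar file names are Central's real conventions; the jar bytes and sidecar text in the demo are constructed, and `verify_signature` assumes a locally installed `gpg` whose keyring already holds the signer's public key.

```python
"""Checks a consumer can run on a Maven Central download: the checksum
sidecar for integrity, the detached GPG signature (.asc) for origin."""
import hashlib
import hmac
import shutil
import subprocess
import sys

MAVEN_CENTRAL = "https://repo1.maven.org/maven2"


def artifact_path(group_id, artifact_id, version, packaging="jar"):
    """Repository-relative path for a GAV: dots in the groupId become
    directories, then artifactId/version/artifactId-version.packaging."""
    group_dir = group_id.replace(".", "/")
    return f"{group_dir}/{artifact_id}/{version}/{artifact_id}-{version}.{packaging}"


def central_urls(group_id, artifact_id, version, packaging="jar"):
    """The artifact URL plus the sidecar files Central serves next to it."""
    base = f"{MAVEN_CENTRAL}/{artifact_path(group_id, artifact_id, version, packaging)}"
    return {
        "artifact": base,
        "sha1": base + ".sha1",
        "md5": base + ".md5",
        "sha256": base + ".sha256",  # only present for more recent uploads
        "signature": base + ".asc",
    }


def parse_checksum_sidecar(text):
    """A sidecar holds the hex digest, optionally followed by a filename in
    sha1sum's output layout. Reject anything else (e.g. an HTML error page
    saved in place of the checksum) instead of comparing against garbage."""
    parts = text.split()
    if not parts:
        raise ValueError("empty checksum file")
    token = parts[0]
    try:
        bytes.fromhex(token)
    except ValueError:
        raise ValueError(f"not a hex digest: {token!r}") from None
    return token.lower()


def verify_checksum(data, sidecar_text, algorithm="sha1"):
    """True iff the <algorithm> digest of data equals the sidecar's digest."""
    expected = parse_checksum_sidecar(sidecar_text)
    actual = hashlib.new(algorithm, data).hexdigest()
    return hmac.compare_digest(actual, expected)


def verify_signature(artifact_file, asc_file, gnupg_home=None):
    """Run gpg on the detached signature; True only on a GOODSIG status line.
    Assumes gpg is installed and the signer's public key is already imported
    (and its fingerprint was compared with what the project publishes):
    a good signature from an unknown key says nothing about who built the jar."""
    if shutil.which("gpg") is None:
        raise RuntimeError("gpg is not installed")
    cmd = ["gpg", "--batch", "--status-fd", "1"]
    if gnupg_home:
        cmd += ["--homedir", gnupg_home]
    cmd += ["--verify", asc_file, artifact_file]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.returncode == 0 and "[GNUPG:] GOODSIG " in proc.stdout


if __name__ == "__main__":
    # Constructed sample, not a real Central artifact: fake jar bytes and the
    # sidecar text Central would serve for them.
    fake_jar = b"PK\x03\x04 sample bytes standing in for a jar\n"
    sidecar = hashlib.sha1(fake_jar).hexdigest() + "  fake-1.0.jar\n"
    print(central_urls("org.apache.commons", "commons-lang3", "3.12.0")["signature"])
    print("intact:", verify_checksum(fake_jar, sidecar))             # True
    print("tampered:", verify_checksum(fake_jar + b"\x00", sidecar))  # False
    if len(sys.argv) == 3:  # python verify.py artifact.jar artifact.jar.asc
        print("signature:", verify_signature(sys.argv[1], sys.argv[2]))
```

Two caveats worth keeping in mind when using this. The `.sha1`/`.md5` sidecars are served by the same host as the jar, so they only catch a corrupted or truncated download, not a compromised repository or mirror; only the `.asc` signature ties the file to a key, and only after that key's fingerprint has been checked against what the project itself publishes. Maven will fail a build on a checksum mismatch with `mvn -C` (`--strict-checksums`), but it does not verify PGP signatures on its own.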
