
Anyone know if this is also an issue for Java? I've used Maven repository for ages, and I know many big cos depend on it.
It's less of an issue, but it still could be an issue.

Deployed Maven artifacts from Central are required to be signed with a PGP key and are only supposed to come from approved hosts. I don't know how strictly that is enforced and how hard it is to become a host, but at least there is some kind of process.

Maven Central also doesn’t allow the removal of artifacts after they've been published, and every artifact requires a unique version and name. And the names are namespaced. So you don't have the issues that you see with npm, where someone can pull a package and break everything people are using, and then some third party can come in and publish anything under the exact same name.

Is this model perfectly secure? No, you still have to trust that the artifact was signed by a non-malicious person from a host that was not compromised.


It's absolutely an issue. I'm pretty sure no one is looking at every jar file added to maven to see if there's an issue.

In your POM file do you have a checksum?
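The two checks these comments hinge on (the .sha1 sidecar Central publishes beside every artifact, and the detached .asc PGP signature) can be audited over a local repository cache. This is an added example, not code from the thread; the ~/.m2-style tree it walks is constructed in a temp directory, and it reports presence of the .asc file rather than verifying the signature (that needs gpg and the publisher's key).

```python
import hashlib
import os
import tempfile


def read_sidecar_digest(path):
    """Hex digest from a Maven .sha1 sidecar; a trailing filename is tolerated."""
    with open(path, encoding="ascii") as fh:
        parts = fh.read().split()
    return parts[0].lower() if parts else ""


def audit_repo(root):
    """Return sorted (relative_path, finding) for jars/poms with a checksum or signature problem."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith((".jar", ".pom")):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                actual = hashlib.sha1(fh.read()).hexdigest()
            sidecar = full + ".sha1"
            if not os.path.exists(sidecar):
                findings.append((rel, "missing .sha1"))
            elif read_sidecar_digest(sidecar) != actual:
                findings.append((rel, "sha1 mismatch"))
            if not os.path.exists(full + ".asc"):
                findings.append((rel, "missing .asc signature"))
    return sorted(findings)


def build_sample_repo(root):
    """Constructed tree: one clean artifact, one whose sidecar disagrees, one unsigned."""
    def put(gav_dir, name, data, sha1=None, signed=True):
        d = os.path.join(root, *gav_dir)
        os.makedirs(d, exist_ok=True)
        p = os.path.join(d, name)
        with open(p, "wb") as fh:
            fh.write(data)
        with open(p + ".sha1", "w") as fh:
            fh.write((sha1 or hashlib.sha1(data).hexdigest()) + "  " + name + "\n")
        if signed:  # placeholder armor, stands in for a real detached signature
            with open(p + ".asc", "w") as fh:
                fh.write("-----BEGIN PGP SIGNATURE-----\n(placeholder)\n")
    put(["org", "example", "good", "1.0"], "good-1.0.jar", b"PK\x03\x04good")
    put(["org", "example", "tampered", "1.0"], "tampered-1.0.jar", b"PK\x03\x04evil", sha1="0" * 40)
    put(["org", "example", "unsigned", "1.0"], "unsigned-1.0.jar", b"PK\x03\x04ok", signed=False)


def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_repo(root)
        return audit_repo(root)
```

Point `audit_repo` at a real `~/.m2/repository` to list cached artifacts whose sidecar no longer matches or that were fetched without a signature file.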
