How secure are the Maven public repositories?
807580 Mar 4 2010 — edited Mar 4 2010

The main reason why we gave up on Maven is that we had firewall changes that blocked us from downloading .jar files directly onto machines on our LAN. Now, if I could have put my hand on my heart and said to our network administrator that these repositories were absolutely safe, I might have got these sites whitelisted. Truth is, I couldn't do that.
What concerns me with the increasing, and increasingly automatic (not to say blind), use of these repositories of third-party libraries is that a serious bug, or worse a trojan, could silently infect a substantial part of the enterprise software across the whole Java community. There are hundreds of libraries, many of which will find their way into software as second- or third-level dependencies without the programmer actually even knowing exactly what they do. And these libraries come from many different sources, and have many different responsible teams. By default Maven will automatically update your software with the latest release of libraries you may know nothing about, supplied by teams you probably know nothing about.
And the only warning you'll get will flash past on the console as part of Maven's long list of messages, which nobody ever reads.
What, exactly, stops a group of hackers infiltrating one of these projects (which often seem to be run on a volunteer basis)?
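The check a practitioner would want against the scenario described in the post above is hash pinning: resolve every dependency to an exact release version, record its hash in the build, and refuse any download that does not match. The following is an added example, not code from the original post or from the Maven project. It assumes a hypothetical lockfile (`PINNED`) committed next to the pom, hypothetical coordinates `org.example:sample-lib:1.0`, and constructed byte strings standing in for jar files. It also shows why the `.sha1` file that Maven repositories publish beside each artifact is not the same check: it only detects corrupt transfers, because a compromised repository can publish a matching checksum for a tampered jar.

```python
"""Hash-pin Maven artifacts instead of trusting whatever the repository serves.
Added example; not from the original post or the Maven project."""
import hashlib
import hmac

# Constructed sample artifacts standing in for jar files (not real jars).
GOOD_JAR = b"PK\x03\x04 constructed stand-in for sample-lib-1.0.jar"
TAMPERED_JAR = GOOD_JAR + b" plus an injected class"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()


# Hypothetical lockfile committed with the build: exact coordinates -> SHA-256.
# Recorded once, after a human has reviewed that exact artifact.
PINNED = {"org.example:sample-lib:1.0": sha256_hex(GOOD_JAR)}

META_VERSIONS = ("LATEST", "RELEASE")


def is_pinnable(version):
    """Only an exact release version can be hash-pinned.

    Meta-versions, version ranges and SNAPSHOTs resolve to whatever the
    repository serves at build time, so a hash recorded today says nothing
    about tomorrow's download. Refuse them outright.
    """
    if version in META_VERSIONS or version.endswith("-SNAPSHOT"):
        return False
    if version.startswith(("[", "(")):  # Maven version range syntax
        return False
    return True


def repo_path(coords):
    """Maven 2 repository layout: group dots become directories."""
    group, artifact, version = coords.split(":")
    return "%s/%s/%s/%s-%s.jar" % (
        group.replace(".", "/"), artifact, version, artifact, version)


def server_checksum_ok(data, published_sha1):
    """The check a client can do with the .sha1 file next to the artifact.

    It catches a corrupt transfer. It does not catch a hostile or
    compromised server, which can publish a .sha1 that matches the
    tampered jar it is serving. Both values come from the same place.
    """
    return hmac.compare_digest(sha1_hex(data), published_sha1)


def verify_pinned(coords, data, pinned=PINNED):
    """Return (ok, reason). Passes only for an exact version whose bytes
    match the hash recorded in the lockfile."""
    version = coords.split(":")[2]
    if not is_pinnable(version):
        return False, "refusing dynamic version %r" % version
    expected = pinned.get(coords)
    if expected is None:
        return False, "no pinned hash for " + coords
    if not hmac.compare_digest(sha256_hex(data), expected):
        return False, "hash mismatch for " + repo_path(coords)
    return True, "ok"


if __name__ == "__main__":
    print(verify_pinned("org.example:sample-lib:1.0", GOOD_JAR))
    print(verify_pinned("org.example:sample-lib:1.0", TAMPERED_JAR))
    print(verify_pinned("org.example:sample-lib:LATEST", GOOD_JAR))
    # A repository that has been tampered with "verifies" fine by its own .sha1:
    print(server_checksum_ok(TAMPERED_JAR, sha1_hex(TAMPERED_JAR)))
```

The pinned hash has to live in your own repository, not be fetched from the artifact server, and the pin has to name an exact version: a range or `LATEST` cannot be pinned at all, which is exactly the silent-update path the post worries about.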