
Does maven really reliably validate packages these days?

I once did a mvn build on a southwest flight and got stuff like "Syntax error: <h1>Click here for free TV..." all over my console.

This was ~4 years ago. If I remember right, maven "supported" package validation, but it was certainly not the de facto standard.



Great point. I think that Maven Central is great about checking incoming packages. But most maven clients are really bad.

The default in maven client is usually to download via http. The default is usually to _not_ check the hash. There is not a great way to pin a library to a repository which, when coupled with the ease of third-party repositories slipping into your project, means that you can download things like your crypto oauth library from some random server on the web.

Many of these issues can be mitigated by running your own repository that mirrors what you need. Most big corporate shops do this. I think that approach works for any package management system. I guess open source devs and hobbyists are screwed?
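The mirror-plus-strict-checksums setup described in the comments above, as an added example that is not part of the thread: a Maven `settings.xml` that routes every repository through one TLS-only internal mirror (`mirrorOf` `*`, so a third-party `<repository>` slipped into a `pom.xml` cannot pull artifacts from elsewhere) and raises `checksumPolicy` from Maven's default of `warn` to `fail`, so a checksum mismatch breaks the build instead of printing a warning. The mirror hostname is a placeholder.

```xml
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <mirrors>
    <mirror>
      <!-- Every repository id, including "central" and any repo declared in a pom.xml,
           resolves here. Placeholder host: point this at your own mirror/proxy. -->
      <id>corp-mirror</id>
      <name>Internal mirror of Maven Central (https only)</name>
      <url>https://repo.example.internal/maven2</url>
      <mirrorOf>*</mirrorOf>
    </mirror>
  </mirrors>

  <profiles>
    <profile>
      <id>strict-checksums</id>
      <repositories>
        <repository>
          <id>central</id>
          <url>https://repo.maven.apache.org/maven2</url>
          <releases>
            <!-- Default is "warn": a bad .sha1/.md5 is logged and the jar is used anyway. -->
            <checksumPolicy>fail</checksumPolicy>
          </releases>
          <snapshots>
            <!-- Snapshots are mutable; do not resolve them from the public repo at all. -->
            <enabled>false</enabled>
          </snapshots>
        </repository>
      </repositories>
      <pluginRepositories>
        <pluginRepository>
          <id>central</id>
          <url>https://repo.maven.apache.org/maven2</url>
          <releases>
            <checksumPolicy>fail</checksumPolicy>
          </releases>
          <snapshots>
            <enabled>false</enabled>
          </snapshots>
        </pluginRepository>
      </pluginRepositories>
    </profile>
  </profiles>

  <activeProfiles>
    <activeProfile>strict-checksums</activeProfile>
  </activeProfiles>
</settings>
```

Two caveats worth knowing: the checksum files Maven compares against come from the same repository as the artifact, so `checksumPolicy` catches corrupted or tampered-in-transit downloads but not a repository that serves a matching bad jar and bad checksum together; that is what signature verification against a separate key is for. For one-off runs, `mvn -C` (`--strict-checksums`) gives the same fail-on-mismatch behaviour without editing settings, and Maven 3.8.1 and later already refuse plain `http://` repositories by default through a built-in blocking mirror.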


The repository enforces it. The client doesn't check by default which is a poor default, but at least checking is possible for those who care.


Yes

https://github.com/s4u/pgpverify-maven-plugin

There's also this,

https://jeremylong.github.io/DependencyCheck/dependency-chec...

Because you want to know when a dependency has a vulnerability, even when the developers are legit.
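The two plugins linked above wired into a build, as an added example rather than the plugins' own documentation: `pgpverify-maven-plugin` checks the PGP signature published alongside each dependency against the signer's key, and `dependency-check-maven` fails the build when a dependency matches a known vulnerability. The coordinates are the published ones; the version numbers are placeholders to be pinned to a current release.

```xml
<build>
  <plugins>
    <!-- Signature check: fails the build if an artifact's .asc signature is missing,
         invalid, or made by a key not on the allow-list the plugin maintains. -->
    <plugin>
      <groupId>org.simplify4u.plugins</groupId>
      <artifactId>pgpverify-maven-plugin</artifactId>
      <version>X.Y.Z</version> <!-- placeholder: pin to a release -->
      <executions>
        <execution>
          <goals>
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
    </plugin>

    <!-- Vulnerability check: a legitimate, correctly signed dependency can still carry
         a known CVE; fail on anything at or above the configured CVSS score. -->
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <version>X.Y.Z</version> <!-- placeholder: pin to a release -->
      <configuration>
        <failBuildOnCVSS>7</failBuildOnCVSS>
      </configuration>
      <executions>
        <execution>
          <goals>
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

Run with `mvn verify`; both goals bind to the `verify` phase by default, so a bad signature or a high-severity finding stops the build before `package` output is installed or deployed. The signature check needs network access to a key server on first run, so a sealed build environment should pre-fetch keys or use the plugin's offline mode.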



