MavenGate gets it all wrong and hurts open source (opens in new tab)

(day-to-day-stuff.blogspot.com)

55 pointserikvanoosten1y ago4 comments

4 comments

This security theater around supply chain security is getting ridiculous.

What we need is true supply chain security, but no one is willing to pay for that; it would mean paying FOSS projects, and companies don't want to pay for their "free" software.

rho1381y ago

I just want an actual bill of versioned open source software used in each closed source app.

rho1381y ago

Are packages cryptographically signed by the actual package maintainer or only with the repo owners key?

erikvanoostenOP1y ago

As package maintainer you are required to sign the packages with a PGP key. Maven Central also requires that you upload that PGP key (the public part only of course) to one of a few well-known key servers.

j / k navigate · click thread line to collapse

4 comments

gavinhoward1y ago

This security theater around supply chain security is getting ridiculous.

What we need is true supply chain security, but no one is willing to pay for that; it would mean paying FOSS projects, and companies don't want to pay for their "free" software.

rho1381y ago

I just want an actual bill of versioned open source software used in each closed source app.

rho1381y ago

Are packages cryptographically signed by the actual package maintainer or only with the repo owners key?

erikvanoostenOP1y ago

j / k navigate · click thread line to collapse