by symtos 2978 days ago
> In case of Maven - and likely most others - packages are not even digitally signed by the publisher

Last time I explored the atrocious state of language-specific package managers, Maven Central was (and I'm guessing still is) the only language repo that requires that packages are signed [1][2].

Now, whether package signatures are verified on retrieval is another question... (they are not, unless you use a plugin such as pgpverify-maven-plugin [3]).

Obviously anybody with the private key can still introduce malicious code even if you verify your package signatures, but at least it's better than allowing any oppressive regime with a root CA trusted by Mozilla/Microsoft to MITM rust/python/npm/ruby/whatever packages downloaded by its residents.

[1] https://maven.apache.org/repository/guide-central-repository...

[2] http://central.sonatype.org/pages/working-with-pgp-signature...

[3] https://github.com/s4u/pgpverify-maven-plugin
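To make the "verified on retrieval" step concrete, here is an added example (not from this thread and not pgpverify-maven-plugin's code) that checks a downloaded Central artifact against its detached `.asc` signature with gpg and pins the accepted signing fingerprint rather than trusting any key in the keyring. The repo1.maven.org layout and the `[GNUPG:]` status tags are real; the function names and the fingerprints passed in are assumptions.

```python
"""Verify a Maven artifact's detached PGP signature on retrieval and pin the
signing key. Added example; not from the HN thread or from pgpverify-maven-plugin.
Assumes gpg is installed and the publisher's public key has been imported."""
import subprocess
from pathlib import Path

CENTRAL = "https://repo1.maven.org/maven2"

def artifact_urls(group: str, artifact: str, version: str) -> tuple[str, str]:
    """Map Maven coordinates to the jar and its detached .asc signature on Central."""
    base = (f"{CENTRAL}/{group.replace('.', '/')}/{artifact}/{version}/"
            f"{artifact}-{version}.jar")
    return base, base + ".asc"

def evaluate_status(status: str, trusted_fingerprints: set[str]) -> tuple[bool, str]:
    """Decide from `gpg --status-fd` output whether a signature is acceptable.

    GOODSIG alone only says that *some* key in the keyring made the signature.
    VALIDSIG carries the full fingerprint, which is compared against the pinned
    set so that a key that was never approved cannot vouch for the artifact."""
    good = False
    fpr = None
    for line in status.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        tag = fields[1]
        if tag in ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"):
            return False, f"rejected: {tag}"
        if tag == "GOODSIG":
            good = True
        elif tag == "VALIDSIG":
            fpr = fields[2].upper()  # primary or subkey fingerprint that signed
    if not good or fpr is None:
        return False, "no valid signature found"
    if fpr not in trusted_fingerprints:
        return False, f"signed by unpinned key {fpr}"
    return True, f"signed by pinned key {fpr}"

def verify_download(jar: Path, asc: Path, trusted_fingerprints: set[str]) -> tuple[bool, str]:
    """Run gpg on the fetched files and apply the pinning policy above."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", str(asc), str(jar)],
        capture_output=True, text=True,
    )
    return evaluate_status(proc.stdout, trusted_fingerprints)
```

A build that fails closed on anything other than a pinned VALIDSIG turns a network-level MITM into a hard error instead of a silently substituted jar.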