by vbezhenar 1955 days ago
I wish Java would move to more distributed artifact storage. Just specify URL and let your build tool download library there. Why does it have to be some kind of central storage? It's not like they perform some curating or static analysis or something like that.
4 comments

Mostly to avoid a situation like this https://www.bleepingcomputer.com/news/security/researcher-ha...

(This week's hack using npm, gems, etc. to trick non-Java build tools into not using internal repos but the hacker's compromised packages instead)

And with signed artifacts that wouldn't have happened.

https://docs.gradle.org/current/userguide/dependency_verific...

> Note that a variation of a compromised library is often name squatting, when a hacker would use GAV coordinates which look legit but are actually different by one character, or repository shadowing, when a dependency with the official GAV coordinates is published in a malicious repository which comes first in your build.

Best part is that the documentation literally describes the attack used here.

Another example where npm and co are reinventing the same issues that Java has already solved long ago.
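The two failure modes quoted from the Gradle docs above, name squatting and repository shadowing, are what Gradle's repository content filtering and dependency verification are meant to close. The following `settings.gradle` is an added example written for this thread; it is not code from any commenter or from the Gradle documentation. The hostname `repo.example-corp.internal` and the group id `com.example-corp` are placeholders standing in for an organisation's internal repository and namespace.

```groovy
// settings.gradle (Groovy DSL). Added example; hostnames and group ids are placeholders.
dependencyResolutionManagement {
    // Reject repositories declared inside individual build.gradle files, so no
    // subproject can add a repository that is consulted before the ones listed here
    // (the "repository shadowing" case from the Gradle docs).
    repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)

    repositories {
        // Internal GAV coordinates may only be resolved from the internal repository.
        // Gradle will not look these groups up anywhere else, so a lookalike package
        // published under the same coordinates on a public repository is never fetched.
        exclusiveContent {
            forRepository {
                maven { url 'https://repo.example-corp.internal/releases' }  // placeholder
            }
            filter {
                includeGroup 'com.example-corp'                 // placeholder group id
                includeGroupByRegex 'com\\.example-corp\\..*'   // and its sub-groups
            }
        }
        // Everything that is not an internal group resolves from Maven Central only.
        mavenCentral()
    }
}
```

Content filtering only pins where a coordinate may come from; it does not check what was downloaded. For that, run `./gradlew --write-verification-metadata sha256,pgp help` once to generate `gradle/verification-metadata.xml`, commit it, and set `<verify-signature>true</verify-signature>` in its `<configuration>` block so that a jar whose checksum or PGP signature does not match the recorded metadata fails the build instead of being silently used. A one-character name-squatted dependency still has to be caught at review time, since it is a different coordinate rather than a tampered one; the verification file makes that review easier because any new coordinate shows up as a new `<component>` entry in the diff.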

Actually we do validate several aspects of things being published to Central and always have. There have been many other repos that have come and gone over the years, many of them without the same standards and it ultimately creates a federated tragedy of the commons. More about the history here https://blog.sonatype.com/why-namespacing-matters-in-public-...
> Just specify URL and let your build tool download library there.

All build tools let you do just that. Many companies set up internal mirrors and encourage/force employees not to use Maven central and third party repositories. In fact, Maven central will blacklist IPs that generate too much traffic.

You have to prove ownership of a domain to publish to Maven Central fwiw.