by richbell 1267 days ago
> Maven doesn't have this problem because maven central is too obtuse for hackers to use

I have many gripes with Sonatype but Maven Central isn't really one of them. The fact you can publish packages to the likes of PyPI, npm Registry, or Docker Hub with 0 friction makes those places very attractive to spammers and bad actors. Maven Central having a higher barrier of entry is a feature.

IIRC Brian Fox, the CTO of Sonatype, was actively involved with Maven in the early days and was part of the decision for Maven packages to use domains for namespaces. Namespaces are another valuable feature of Maven that makes supply-chain attacks like typo-squatting harder to pull off.


The real reason was the second one. That was just a cheap dig at their UX. Both were cheap digs, but also both true.
Lol, I knew you were mostly joking — but you also weren't wrong.

At the same time, some people genuinely shit on Maven Central and think that it's inferior to other registries.

There's a real problem with Maven Central and Java in general that there's no correlation between the package name - which is nicely domain-name formatted - and actual domain names. If there were a clear "this is really that domain name and DNS verified" and "this is compatible but not DNS verified" marker, it would be great.

I think golang has the best answer for this, where it's easy to impersonate but it has to be explicit.

Yeah, it's far from perfect but it does get a lot right. It's painful watching all these new package management tools like pip and npm completely ignore what came before them.

I think Go's approach is interesting, though it does rely on some magic that isn't immediately obvious. I agree that being explicit is a tremendous benefit: it avoids the attack used here, and makes it less likely for typo-squatting to succeed (e.g., `npm install axiod`).
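The two checks the thread keeps circling back to, written out as an added example that is not from the thread or from Sonatype: first, mapping a reverse-domain Maven groupId back to DNS names and looking for a verification TXT record (the record format `maven-namespace-verification=<token>` and the resolver stub are invented here so the code runs offline; a real check would query DNS and use a public-suffix list to find the registrable domain); second, the typo-distance check a flat namespace like npm's needs, run against a constructed list of popular names so that `axiod` is flagged next to `axios`.

```python
"""Added example: namespace-to-domain verification plus a typo-squat check.

Not code from the thread or from any registry. The TXT record format, the
offline resolver and the popular-package list are all constructed for the
example.
"""
from __future__ import annotations

from typing import Callable, Iterable, Optional

# Injectable resolver: DNS name -> list of TXT strings. Production code would
# call a real resolver (e.g. dnspython); here it is a parameter so the example
# runs offline against constructed records.
TxtLookup = Callable[[str], list[str]]

# Hypothetical record format, assumed for this example only.
VERIFICATION_PREFIX = "maven-namespace-verification="


def group_id_to_domain_candidates(group_id: str) -> list[str]:
    """Map a reverse-domain groupId to the DNS names it could be verified under.

    'com.example.tools' -> ['tools.example.com', 'example.com'].
    The walk stops at two labels because this example carries no public-suffix
    list; a production check would use one to find the registrable domain.
    """
    labels = [lab for lab in group_id.strip().lower().split(".") if lab]
    if len(labels) < 2:
        return []
    parts = list(reversed(labels))
    return [".".join(parts[i:]) for i in range(len(parts) - 1)]


def verify_namespace(group_id: str, expected_token: str, lookup: TxtLookup) -> Optional[str]:
    """Return the DNS name whose TXT record proves control of the groupId, or None.

    The publisher is assumed to have been handed `expected_token` out of band;
    the namespace is accepted only if some candidate name publishes it.
    """
    for name in group_id_to_domain_candidates(group_id):
        for record in lookup(name):
            if record.strip() == VERIFICATION_PREFIX + expected_token:
                return name
    return None


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def typosquat_candidates(name: str, popular: Iterable[str], max_distance: int = 1) -> list[str]:
    """Popular package names within `max_distance` edits of `name` (exact match excluded).

    A registry could refuse or quarantine such a publish; a build pipeline could
    warn on the dependency. The threshold of 1 catches axiod/axios and
    single-swap names; raising it trades false positives for coverage.
    """
    name = name.lower()
    return sorted(p for p in popular if p != name and osa_distance(name, p) <= max_distance)


# Constructed DNS zone data for the offline resolver: only example.com carries
# the verification record, so a look-alike domain cannot claim com.example.*.
CONSTRUCTED_TXT = {
    "example.com": ["v=spf1 -all", "maven-namespace-verification=tok-4711"],
    "evil-example.com": ["v=spf1 -all"],
}


def constructed_lookup(name: str) -> list[str]:
    return CONSTRUCTED_TXT.get(name, [])


# Constructed stand-in for a registry's list of most-downloaded packages.
POPULAR_NPM = ["axios", "lodash", "react", "express", "chalk"]


if __name__ == "__main__":
    print(verify_namespace("com.example.tools", "tok-4711", constructed_lookup))
    print(verify_namespace("com.evil-example", "tok-4711", constructed_lookup))
    print(typosquat_candidates("axiod", POPULAR_NPM))
```

The first check is what the "DNS verified" marker in the thread would be backed by: the groupId is reversed into a hostname, and the walk up to the two-label domain lets a publisher verify at `example.com` once and then own every `com.example.*` groupId. The second check is independent of any namespace and is the best a flat registry can do after the fact.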