I am new to Maven and am trying to use it for an Android build. I have a doubt in my mind which was also triggered by Jason Van Zyl's interview here.
My Question
How can we ensure that the dependency we have downloaded from Maven Central is free from malware or corruption?
You can never be sure it is free from malware, i.e. it is always possible.
Maven Central hosts open source projects, so the source code is always available from somewhere; so if you need to be sure it is malware-free and also sure of compatible licensing terms, you should download the source and build it yourself and not use Maven Central.
I am sure that if an artifact did have malware in it, the people running Maven Central have a policy to be contacted to investigate such things and deal with it.
…
Re corruption-free: Maven makes use of hash digests for many things to ensure corruption-free data; your Maven client and Maven repository can be configured to always validate. Files on the server also usually have a *.md5 or *.sha1 URL of the data checksum.
Also, JARs themselves have intrinsic checksums. They are based on ZIP files, and these do have a checksum scheme that should detect most corruption. The ZIP directory is always at the end of the file, so short/truncated files will also be detected.
Obviously these mechanisms are not 100% reliable, but they may be considered 99.99% reliable.
…
As a software producer putting things up on Maven Central, I would urge you to always SIGN your JARs. This is a mechanism that allows each independent software producer to sign the original JAR they produce and then distribute it via any mechanism across the internet. Any user can (theoretically) download it from any source and be able to verify that it has not been tampered with.
Unfortunately Maven Central does not have a policy to ensure source code is available alongside binaries, or a policy enforcing JAR signing. So from a security standpoint Maven Central is useful to get things going with your local development, but if you do care about security, do not use it.
You need to implement your own security policy (or pay someone else to implement it on your behalf).
To manage your secured environment you might wish to take a look at one of the Maven repositories you can run on your local network, such as Sonatype Nexus (this comes in an open-source, free edition with most features enabled).
…
NB: I did not read the link you provided yet, but will do so now.
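A worked version of the two corruption checks the answer describes (the repository's *.sha1 file and the JAR's own ZIP structure), added here as an example; it is not code from the question, the answer, or Maven itself. It builds a tiny JAR in memory as a constructed stand-in for a downloaded artifact, checks it against a constructed .sha1 file in the format Maven repositories publish (hex digest, optionally followed by a filename), and then shows that both the digest and the ZIP central directory plus per-entry CRC-32 catch a truncated copy and a copy with one altered byte. The names build_sample_jar, parse_checksum_file, verify_digest, zip_is_intact and run_checks are this example's own. One caveat worth keeping in mind: a .sha1 file served from the same repository as the JAR only detects corruption in transit or on disk; anyone who can replace the JAR on the server can replace the checksum file beside it, which is why the answer separately recommends signing by the producer.

```python
import hashlib
import hmac
import io
import zipfile
import zlib


def build_sample_jar() -> bytes:
    """Constructed sample: a tiny JAR built in memory. It stands in for a
    downloaded artifact; it is not a real Maven Central artifact."""
    buf = io.BytesIO()
    # ZIP_STORED keeps entry bytes verbatim, so a corrupted byte shows up as a
    # CRC-32 mismatch rather than a decompression error.
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("com/example/Hello.class", b"\xca\xfe\xba\xbe" + bytes(28))
    return buf.getvalue()


def parse_checksum_file(text: str) -> str:
    """Repository checksum files (foo.jar.sha1 / foo.jar.md5) hold the hex
    digest, sometimes followed by a filename as sha1sum prints it.
    Take the first token and normalise its case."""
    return text.strip().split()[0].lower()


def verify_digest(data: bytes, checksum_file_text: str, algorithm: str = "sha1") -> bool:
    """Compare the digest of the downloaded bytes with the repository's checksum file."""
    actual = hashlib.new(algorithm, data).hexdigest()
    return hmac.compare_digest(actual, parse_checksum_file(checksum_file_text))


def zip_is_intact(data: bytes) -> tuple:
    """Use the JAR's own ZIP structure: a missing end-of-central-directory record
    (truncation) makes the file unreadable, and each entry carries a CRC-32 that
    testzip() recomputes. Returns (ok, detail)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            bad_entry = zf.testzip()  # first entry whose CRC-32 fails, or None
            if bad_entry is not None:
                return (False, "CRC-32 mismatch in " + bad_entry)
            return (True, "%d entries verified" % len(zf.namelist()))
    except (zipfile.BadZipFile, zlib.error) as exc:
        return (False, "not a readable ZIP: %s" % exc)


def run_checks() -> dict:
    """Run both checks on the intact sample, a truncated copy and a copy with
    one byte altered. Returns the outcomes so they can be inspected."""
    jar = build_sample_jar()
    # Constructed stand-in for the content of the repository's sample-1.0.jar.sha1.
    sha1_file = hashlib.sha1(jar).hexdigest() + "  sample-1.0.jar\n"

    truncated = jar[:-20]                      # drops the end-of-central-directory record
    pos = jar.index(b"Manifest-Version: 1.0")  # entry data is stored verbatim
    altered = jar[:pos + 18] + b"2" + jar[pos + 19:]  # "1.0" -> "2.0" inside the manifest

    return {
        "intact_digest_ok": verify_digest(jar, sha1_file),
        "intact_zip_ok": zip_is_intact(jar)[0],
        "truncated_digest_ok": verify_digest(truncated, sha1_file),
        "truncated_zip_ok": zip_is_intact(truncated)[0],
        "altered_digest_ok": verify_digest(altered, sha1_file),
        "altered_zip": zip_is_intact(altered),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(name, result)
```

The digest check is the one Maven itself performs when checksum validation is turned on; the ZIP check is the intrinsic one the answer mentions, and it needs nothing beyond the JAR file, which is why it still catches the truncated copy when no checksum file is available at all.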