MavenGate gets it all wrong and hurts open source

MavenGate gets it all wrong and hurts open source(day-to-day-stuff.blogspot.com)

55 points by erikvanoosten 1 year ago | 4 comments

This security theater around supply chain security is getting ridiculous.

What we need is true supply chain security, but no one is willing to pay for that; it would mean paying FOSS projects, and companies don't want to pay for their "free" software.

rho138 1 year ago | |

I just want an actual bill of versioned open source software used in each closed source app.

rho138 1 year ago |

Are packages cryptographically signed by the actual package maintainer or only with the repo owners key?

erikvanoosten 1 year ago | |

As package maintainer you are required to sign the packages with a PGP key. Maven Central also requires that you upload that PGP key (the public part only of course) to one of a few well-known key servers.