MavenGate gets it all wrong and hurts open source (day-to-day-stuff.blogspot.com)
55 points by erikvanoosten 18 days ago | hide | past | favorite | 4 comments

This security theater around supply chain security is getting ridiculous.

What we need is true supply chain security, but no one is willing to pay for that; it would mean paying FOSS projects, and companies don't want to pay for their "free" software.

I just want an actual bill of versioned open source software used in each closed source app.

Are packages cryptographically signed by the actual package maintainer or only with the repo owner's key?

As a package maintainer you are required to sign the packages with a PGP key. Maven Central also requires that you upload that PGP key (the public part only, of course) to one of a few well-known key servers.
