Sorry if this question isn't appropriate for StackOverflow, it's not a coding question.
I'm new to Maven and am curious how there can be a Maven Central Repository that appears to be accessible free of charge. As far as I can tell it's maintained by a company called Sonatype. Are they funding it? Why? Does it act as a lead generation vehicle for the rest of their business? I think if I understood their reasons I'd know if or how/when to trust it.
The link for the central maven repository is https://repo.maven.apache.org/maven2/ while the site that is available for searching the maven dependencies available in the central repository of maven is – https://search.maven.org/.
There are 3 types of maven repository: Local Repository. Central Repository. Remote Repository.
As we discovered, the default Maven Central URL has been changed from http://repo1.maven.org/maven2 to https://repo.maven.apache.org/maven2/ . Keep in mind that maven.org is a domain owned by Sonatype, as opposed to apache.org which is owned by the Apache Software Foundation.
Maven central repository is repository provided by Maven community. It contains a large number of commonly used libraries. This repository is managed by Maven community. It is not required to be configured.
Excellent question, especially since using insecure third party libraries is now in the OWASP Top 10. Unfortunately, most people take the trust of Maven Central for granted. I think they are overly optimistic.
A lot of people think that because you have to sign files submitted to Maven, the software can be trusted. Unfortunately what they overlook is that a signature is meaningless if you cannot be sure that the key that signed the library belongs to the original source that provided it to Maven. This appears to be the case with Maven.
To simplify the explanation, consider the following analogy. When you go to the airport to fly somewhere, you are required to provide ID to prove you are who you say you are. For local travel, a drivers license is sufficient. The person who checks your ID has a few things to check:
Now carry the same analogy forward to verifying an object coming from Maven. The Maven documentation claims PGP signatures are required (reference: Guide to uploading artifacts to the Central repository) on libraries that are uploaded there (although Sonatype claims many older packages do not have the signatures). Think of the drivers license being analogous to a key and the ticket being analogous to the Maven artifact, and ask the same questions:
For checking the same source, one simply downloads the public key associated with the artifact from a key server, and verifies that it comes from an email address that is associated with the original source. For example, this can be done the MIT PGP keyserver. For specific details on how this is done, see Verify Dependencies using PGP.
The third of these is actually the easiest to do because it can be entirely automated (see GPG quickstart guide, section on verifying detached signatures). This part requires no manual intervention.
The second part is where the gap is. Even though the signature checks out and the MIT keyserver claims the key is associated with the original source, how do we know it really was created by that original source and not someone else? In fact, just for demonstration purposes, I have created a key for Mickey Mouse on the MIT key server. I could have just as easily created a key that appears to be associated with oracle.com or spring.io or whitehouse.gov.
In a world where people are sending emails out that contain executable malware and the NSA is breaking SSL, it would be naive to think that these same black hats are not targeting software repositories that are bundled into numerous applications around the world. In fact, there are at least three serious examples that were caught.
So to be clear, if I were a black hat, here is exactly what I would do (For the record: I am not a black hat!!!). I would take an open source package that is widely used. I would then sneak my backdoor into the source code of the package and build it locally. The next step is creating a key pair that is associated to an email address of the original source. I upload that key to the MIT key server (which accepts the email address without any validation), and then sign my malicious package. Finally, I upload my malicious package along with the signatures to Maven and snicker as my malware gets adopted in products little by little all over the world. I claim that it is unlikely that this attack is caught any time soon.
Unfortunately, there is no simple answer to this. The more you do to trust the software you are using, the less productive you are going to become. There needs to be realistic tradeoffs that you make which balance security and productivity.
To be brief (since I have already huffed and puffed too much), I will just cite two sources which can help guide you in choosing your third party libraries better. The first is to follow the advice in Section 5 of the Fortify Attacking the Build paper, especially including the security vetting process.
The second recommendation is that Sonatype has a product called CLM which can help your company analyze the software you are using, including provide information about known defects and how many other organizations are using the same product.
In addition to Sonatype's Nexus and CLM products which they can sell, it is also worth reading this article. Sonatype is leading the the balancing act between software development efficiency and trust of open source solutions. They don't quite have everything solved yet (will not reveal private emails I exchanged with them), but they're heading the right direction.
The Sonatype terms and conditions are mentioned by Jason. Contained within is a link on how to submit content:
The requirements section is particularly interesting. In brief all submitters are expected to provide the following:
This information publishes everything you and I need to know about the code, how it was built and more importantly who built it. The use of GPG enables us to verify that the binaries were built by the developers stated in the project POM file. Additionally, Maven Central automatically generates SHA checksums, enabling you to verify that the integrity of files downloaded by your build process.
So what does Sonatype get out of this?
Hope this helps. I would finish by pointing out that what Sonatype is doing is not very different to other open source software packaging initiatives. Redhat, Debian and Canonical spend a lot of effort packaging software for safe and secure distribution with their OS's. Maven Central is something that is perhaps more developer friendly.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With