Do I need to be careful which Maven Repositories I hook into?

Question

Generally speaking, should one only add the central Maven Repository to a pom.xml + optionally any local Maven Repositories ? In theory (I think?) anybody can set up a repository - is there a 'Maven Repository<->Maven Repository' circle of trust or something ?

How do I know for instance that I'm really downloading (say) the log4j compiled JARs and not some bastardized / evil version ?

Answer 1

Few things you can do to feel comfortable:

• Use a local repository manager like Nexus or JFrog, and proxy any repositories that you want to use. There are few benefits to this:
  • A local manager can keep track of the SHA hashes to make sure that a jar didn't change under your feet.
  • You can limit the repositories that your developers can access.
• Stick with Maven Central when you can - so many people use it that if someone switched out the log4j version with something untrustworthy everyone would know very quickly (because the hashes wouldn't line up). Generally this argument will also hold true for any other repositories that hold popular libraries (eg sourceforge, google code, codehaus, etc)
• Things are only likely to get risky if you're using some dude's repo who wrote some library that's not very popular out in the wild. In practice this rarely happens. In those cases, maybe you can just build the code yourself to be sure.