Does 'central' need to be immutable though? Feels like an arbitrary policy to me. Or should there be workflows to remove items from there, and replace with a 302? While that could be to repos elswhere, they could also be to HTML pages with mvn.exe handling that and communicating that clearly in the build log.
Some ten years ago a mal-configured WebSense at an airline was flling a corporate Maven cache jars and poms suffixes that were actually HTML error pages. Maven choked silently then and I'm not sure it has ever been fixed. In a quick test now, if I do "ls > ~/.m2/repository/foo/bar/baz.pom" (and jar), the build fails with a proximate cause message. The jars and poms are not checked again for correctness once in the cache. Anyway the jar/pom ingesting side of Maven could easily handle deprecation, obsolesence and outright deletion better than it does.
