1. I suspect dependabot doesn't work with this. Does it? Is this worth giving up dependabot for?
2. What's the threat model? As best I can make out, someone would have to compromise the dependencies in the local .m2 repo, since anything downloaded comes over https and is already signature checked.

3. Suppose someone does succeed in compromising this. What's the impact? I suppose if someone changed junit.jar (for one example) they could make maven test exfiltrate local data or run a crypto miner. But I don't think we should be in the business of protecting against local compromises. How does this signature check prevent someone from doing something bad?

--
Elliotte Rusty Harold
[email protected]
