The general idea certainly seems good. We should have automated checks to notice if the signing key vanishes or changes and alert developers.
I don't agree with the article that this doesn't belong in dependabot or other tools. However, defense in depth is good. I think you're likely right that this should be in the versions plugin. It shouldn't *only* be in the versions plugin, but it should be there, so this is useful work to do. Do note that the versions plugin is a mojohaus project, not an official Apache Maven plugin. There are probably some folks here who work on both. I don't know if Mojohaus is ready or able to sponsor GSoC projcts, but there's no reason to wait until the next GSoC to do this. https://www.mojohaus.org/versions/versions-maven-plugin/index.html On Fri, Jul 3, 2026 at 8:47 PM Andy Law <[email protected]> wrote: > > I just read an article on foojay - in info/advert for a tool that checks > dependency updates for suspicious signs > (https://foojay.io/today/this-dependency-update-looked-exactly-like-an-account-takeover/). > > Initially, I thought, “that needs to be converted into a plugin”, and then I > realised that there obviously already is one for dependency updates, so > should this be something to be considered for adding to the versions plugin? > > What are people’s thoughts, and might this be something that a Google SoC > participant might like to pick up? > > Later, > > Andy > (lurker) > The University of Edinburgh is a charitable body, registered in Scotland, > with registration number SC005336. Is e buidheann carthannais a th’ ann an > Oilthigh Dhùn Èideann, clàraichte an Alba, àireamh clàraidh SC005336. -- Elliotte Rusty Harold [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
