The general idea certainly seems good. We should have automated checks
to notice if the signing key vanishes or changes and alert developers.

I don't agree with the article that this doesn't belong in dependabot
or other tools. However, defense in depth is good. I think you're
likely right that this should be in the versions plugin. It shouldn't
*only* be in the versions plugin, but it should be there, so this is
useful work to do.

Do note that the versions plugin is a mojohaus project, not an
official Apache Maven plugin. There are probably some folks here who
work on both. I don't know if Mojohaus is ready or able to sponsor
GSoC projcts, but there's no reason to wait until the next GSoC to do
this.

https://www.mojohaus.org/versions/versions-maven-plugin/index.html

On Fri, Jul 3, 2026 at 8:47 PM Andy Law <[email protected]> wrote:
>
> I just read an article on foojay - in info/advert for a tool that checks 
> dependency updates for suspicious signs 
> (https://foojay.io/today/this-dependency-update-looked-exactly-like-an-account-takeover/).
>
> Initially, I thought, “that needs to be converted into a plugin”, and then I 
> realised that there obviously already is one for dependency updates, so 
> should this be something to be considered for adding to the versions plugin?
>
> What are people’s thoughts, and might this be something that a Google SoC 
> participant might like to pick up?
>
> Later,
>
> Andy
> (lurker)
> The University of Edinburgh is a charitable body, registered in Scotland, 
> with registration number SC005336. Is e buidheann carthannais a th’ ann an 
> Oilthigh Dhùn Èideann, clàraichte an Alba, àireamh clàraidh SC005336.



-- 
Elliotte Rusty Harold
[email protected]

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to