How can I convince my corp employer, than jars from the Maven repositories are safe for use?
Downloading a jar from a Maven repository is not less safe than downloading a jar from another location. In other words, Maven repositories don't really introduce a problem, the problem is your dependency on an external library.
Now, if your boss is really paranoid, he can always ask you to grab the sources of your 552 jars, audit them line by line, build them and install them in a repository of approved jars. That will "just" cost him a few dollars :)
But since most projects are open source, since they are transparent, since many eyes can inspect them, I personally believe that any malicious attacks would be detected pretty fast and that the cost isn't worth the risk (which is pretty low). Maybe I trust the community too much but, so far, it works.
发布评论
评论(1)
从 Maven 存储库下载 jar 的安全性并不比从其他位置下载 jar 的安全性低。换句话说,Maven 存储库并没有真正引入问题,问题是您对外部库的依赖。
现在,如果你的老板真的很偏执,他总是可以要求你获取 552 个 jar 的源代码,逐行审核它们,构建它们并将它们安装在已批准的 jar 的存储库中。这将“仅仅”花费他几美元:)
但是由于大多数项目都是开源的,因为它们是透明的,因为许多眼睛可以检查它们,我个人相信任何恶意攻击都会很快被检测到,而且成本并不高。不值得冒这个风险(风险很低)。也许我太信任社区了,但到目前为止,它是有效的。
Downloading a jar from a Maven repository is not less safe than downloading a jar from another location. In other words, Maven repositories don't really introduce a problem, the problem is your dependency on an external library.
Now, if your boss is really paranoid, he can always ask you to grab the sources of your 552 jars, audit them line by line, build them and install them in a repository of approved jars. That will "just" cost him a few dollars :)
But since most projects are open source, since they are transparent, since many eyes can inspect them, I personally believe that any malicious attacks would be detected pretty fast and that the cost isn't worth the risk (which is pretty low). Maybe I trust the community too much but, so far, it works.