views: 28

answers: 1

How can I convince my corp employer that jars from the Maven repositories are safe for use? I've conducted a count of jars on my local repo and it came back as 552. My goal is to set up a corporate repository with approved jars, but I'd like to not have to submit hundreds and eventually thousands of software requests. Any suggestions (other than find new emp)?

+2  A: 

How can I convince my corp employer that jars from the Maven repositories are safe for use?

Downloading a jar from a Maven repository is no less safe than downloading a jar from another location. In other words, Maven repositories don't really introduce a problem; the problem is your dependency on an external library.

Now, if your boss is really paranoid, he can always ask you to grab the sources of your 552 jars, audit them line by line, build them and install them in a repository of approved jars. That will "just" cost him a few dollars :)

But since most projects are open source, since they are transparent, since many eyes can inspect them, I personally believe that any malicious attacks would be detected pretty fast and that the cost isn't worth the risk (which is pretty low). Maybe I trust the community too much but, so far, it works.

Pascal Thivent
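A practical first step toward the "repository of approved jars" the answer mentions is to inventory what is already in the local repository and check each jar against the `.sha1` sidecar that Maven stores next to it, so that the allowlist you hand to the corporate repository is built from artifacts that at least match their published checksums. The script below is an added example, not code from the question, the answer, or Maven itself; it builds a small constructed repository in a temporary directory (the group, artifact and version names are made up) and reports which jars verify, which mismatch, and which have no checksum to verify against.

```python
"""Inventory the jars in a Maven-style local repository and check each one
against the .sha1 sidecar Maven downloads alongside it.

Added example, not part of the original question or answer. The repository
contents (org.example:good-lib etc.) are constructed for the demo.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Optional


def sha1_of(path: Path) -> str:
    """Stream the file so large jars don't have to fit in memory."""
    h = hashlib.sha1()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def read_sidecar(path: Path) -> Optional[str]:
    """Maven sidecars hold the hex digest; some tools append '  filename'."""
    if not path.exists():
        return None
    return path.read_text().split()[0].strip().lower()


def inventory(repo: Path) -> dict:
    """Walk the repository and classify every .jar as verified, mismatch
    (digest differs from the sidecar) or unverified (no sidecar present)."""
    report = {"verified": [], "mismatch": [], "unverified": []}
    for jar in sorted(repo.rglob("*.jar")):
        rel = str(jar.relative_to(repo))
        expected = read_sidecar(jar.with_name(jar.name + ".sha1"))
        if expected is None:
            report["unverified"].append(rel)
        elif expected == sha1_of(jar):
            report["verified"].append(rel)
        else:
            report["mismatch"].append(rel)
    return report


def gav_from_path(rel: str) -> tuple:
    """Recover groupId:artifactId:version from the standard layout
    group/segments/artifact/version/artifact-version.jar."""
    parts = Path(rel).parts
    version, artifact = parts[-2], parts[-3]
    group = ".".join(parts[:-3])
    return group, artifact, version


def build_sample_repo(root: Path) -> None:
    """Constructed sample data: one jar with a correct sidecar, one whose
    sidecar does not match (a corrupted or tampered download), and one
    with no sidecar at all."""
    def put(group, artifact, version, body, sidecar):
        d = root.joinpath(*group.split("."), artifact, version)
        d.mkdir(parents=True)
        jar = d / f"{artifact}-{version}.jar"
        jar.write_bytes(body)
        if sidecar == "ok":
            (d / (jar.name + ".sha1")).write_text(hashlib.sha1(body).hexdigest())
        elif sidecar == "bad":
            (d / (jar.name + ".sha1")).write_text("0" * 40)

    put("org.example", "good-lib", "1.0", b"PK\x03\x04good", "ok")
    put("org.example", "tampered-lib", "2.1", b"PK\x03\x04evil", "bad")
    put("com.acme", "nosum-lib", "0.9", b"PK\x03\x04unknown", "none")


def run_demo() -> dict:
    """Build the constructed repository and return its inventory report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_repo(root)
        return inventory(root)


if __name__ == "__main__":
    # Point inventory() at ~/.m2/repository to run this against a real repo.
    for status, jars in run_demo().items():
        for rel in jars:
            print(status, ":".join(gav_from_path(rel)))
```

Note the limit of this check: the `.sha1` sidecar is fetched from the same repository as the jar, so a match only tells you the download was not corrupted or swapped in transit relative to what that repository serves. It does not tell you the repository itself, or the upstream project, is trustworthy; for that you would verify the detached PGP signature (`.asc`) against a key you have independently decided to trust, and only jars that pass that step belong in the approved set.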