
This document applies to major releases of the Shibboleth Java software occurring after May , 2012.

The Shibboleth developers are, from time to time, asked if we will publish our build artifacts to Maven Central. This document describes our position on the use of artifacts from, and on publishing artifacts to, Maven Central.

...

Maven Central does not perform any adequate vetting of the people uploading artifacts or the artifacts they upload. Thus, the integrity and origin of the artifacts therein is not known or verifiable. As an example, the OpenSAML artifacts currently uploaded to Maven Central are not provided by the Shibboleth project nor are they artifacts that we've released (i.e., the jars out there have been changed in some ways, though we have some general sense of what those changes were).

Taken together, the problems with this setup should be obvious.

Use of Maven Central

Because of the inability to verify the integrity and origin of artifacts, Shibboleth product builds no longer use Maven Central. Instead, all artifacts are pulled from the Shibboleth project repository. Artifacts added to the project repository have been downloaded directly from the author, verified in the manner provided by the author and signed by the Shibboleth developers if not already signed originally.
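The vetting step described above (download from the author, verify by whatever means the author provides, then admit the artifact to the curated repository) can be scripted. The following is an added example written for this page, not Shibboleth project code: it checks an artifact against the author's sidecar checksum file (the `.sha1`/`.sha256` form Maven repositories publish) and, when `gpg` is installed, verifies the author's detached `.asc` signature. The file names and the demo artifact bytes are constructed placeholders; the keyring argument is an assumption about how you would pin the author's public key.

```python
"""Vet a downloaded Maven artifact before admitting it to a curated repository.

Added example, not Shibboleth project code. Checks the author's checksum
sidecar and, if gpg is available, the author's detached .asc signature.
"""
import hashlib
import hmac
import re
import shutil
import subprocess
import tempfile
from pathlib import Path

# Maven-style sidecar files hold a hex digest, optionally followed by a filename.
_HEX = re.compile(r"^[0-9a-fA-F]+")


def compute_digest(path, algorithm="sha256"):
    """Stream the file through the chosen hash so large jars do not need to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sidecar(text):
    """Extract the hex digest from a .sha1/.sha256 sidecar; tolerates 'digest  filename' form."""
    m = _HEX.match(text.strip())
    if not m:
        raise ValueError("sidecar file does not start with a hex digest")
    return m.group(0).lower()


def checksum_matches(artifact, sidecar, algorithm="sha256"):
    expected = parse_sidecar(Path(sidecar).read_text())
    actual = compute_digest(artifact, algorithm)
    return hmac.compare_digest(expected, actual)


def signature_verified(artifact, asc_path, keyring=None):
    """Verify the author's detached signature with gpg.

    Returns True/False on a gpg verdict, or None when gpg is not installed.
    `keyring` (assumed usage) points at a keyring holding only the author's key,
    so a signature from any other key is rejected.
    """
    gpg = shutil.which("gpg")
    if gpg is None:
        return None
    cmd = [gpg, "--batch", "--verify"]
    if keyring:
        cmd += ["--no-default-keyring", "--keyring", str(keyring)]
    cmd += [str(asc_path), str(artifact)]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def vet_artifact(artifact, sidecar, asc_path=None, algorithm="sha256", keyring=None):
    """Return (ok, reasons). Admit only if the checksum matches and any signature verifies."""
    reasons = []
    if not checksum_matches(artifact, sidecar, algorithm):
        reasons.append("checksum mismatch")
    if asc_path is not None:
        verdict = signature_verified(artifact, asc_path, keyring)
        if verdict is None:
            reasons.append("gpg not available; signature not checked")
        elif not verdict:
            reasons.append("signature did not verify")
    return (not reasons, reasons)


def demo():
    """Constructed sample: a fake jar, its correct sidecar, and a tampered copy."""
    with tempfile.TemporaryDirectory() as d:
        d = Path(d)
        jar = d / "example-placeholder.jar"  # constructed bytes, not a real artifact
        jar.write_bytes(b"PK\x03\x04 constructed sample jar bytes")
        sidecar = d / "example-placeholder.jar.sha256"
        sidecar.write_text(compute_digest(jar) + "  example-placeholder.jar\n")
        tampered = d / "tampered.jar"
        tampered.write_bytes(jar.read_bytes() + b"\x00")  # one extra byte, as a modified jar would have
        return vet_artifact(jar, sidecar), vet_artifact(tampered, sidecar)


if __name__ == "__main__":
    print(demo())
```

A checksum fetched from the same server as the artifact only proves the download was not corrupted in transit; it says nothing about who produced the jar. The origin question this page raises is answered only by the signature check against a key obtained independently from the author, which is why `vet_artifact` reports a skipped signature check as a failure rather than silently passing.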

Publishing to Maven Central

...