This document applies to major releases of the Shibboleth Java software occurring after May 2012.

The Shibboleth developers are, from time to time, asked if we will publish our build artifacts to Maven Central. This page describes our position on the use of artifacts from, and on publishing artifacts to, Maven Central.

Issues with Maven and Maven Central

Maven itself has no support for validating signatures of artifacts (be they signed jars or jars with a detached PGP signature). It assumes that any repository from which artifacts are pulled is trusted and has properly vetted the artifacts before making them available.
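Because Maven will not do it, verifying what is in a local repository falls to the consumer. The script below is an added example (not Shibboleth project code) that walks a directory in the standard Maven repository layout, recomputes each jar's SHA-1 against the `.sha1` sidecar a repository publishes next to it, and records whether a detached `.asc` PGP signature is present at all. The three artifacts it checks are constructed sample data written into a temporary directory, and the `.asc` file it creates is a placeholder, not a real signature.

```python
import hashlib
import hmac
import os
import tempfile


def sha1_of_file(path):
    """Stream the file through SHA-1, the digest Maven repositories publish as a .sha1 sidecar."""
    digest = hashlib.sha1()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def read_sidecar_digest(path):
    """A Maven .sha1 sidecar holds the hex digest, sometimes followed by the file name."""
    with open(path, "r", encoding="ascii") as handle:
        return handle.read().strip().split()[0].lower()


def check_artifact(jar_path):
    """Compare a jar with its .sha1 sidecar and note whether a detached .asc signature exists.

    sha1_ok is True/False when a sidecar is present and None when the repository
    published no checksum at all. Presence of an .asc is recorded, not verified.
    """
    sidecar = jar_path + ".sha1"
    sha1_ok = None
    if os.path.exists(sidecar):
        sha1_ok = hmac.compare_digest(sha1_of_file(jar_path), read_sidecar_digest(sidecar))
    return {
        "artifact": os.path.basename(jar_path),
        "sha1_ok": sha1_ok,
        "has_signature": os.path.exists(jar_path + ".asc"),
    }


def check_repository(root):
    """Walk a local Maven repository layout and check every jar found, in a stable order."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if name.endswith(".jar"):
                findings.append(check_artifact(os.path.join(dirpath, name)))
    return sorted(findings, key=lambda finding: finding["artifact"])


def build_sample_repo():
    """Construct a throwaway repository (sample data, not real artifacts) with three cases."""
    root = tempfile.mkdtemp(prefix="m2-sample-")

    def write_artifact(group, name, version, content, with_sha1, tamper=False, with_asc=False):
        directory = os.path.join(root, *group.split("."), name, version)
        os.makedirs(directory)
        jar = os.path.join(directory, f"{name}-{version}.jar")
        with open(jar, "wb") as handle:
            handle.write(content)
        if with_sha1:
            recorded = sha1_of_file(jar)
            if tamper:
                # Simulate a jar replaced after its checksum was recorded.
                with open(jar, "wb") as handle:
                    handle.write(content + b"-modified")
            with open(jar + ".sha1", "w", encoding="ascii") as handle:
                handle.write(recorded + "\n")
        if with_asc:
            # Placeholder only: a real .asc is an ASCII-armoured PGP signature.
            with open(jar + ".asc", "w", encoding="ascii") as handle:
                handle.write("-----BEGIN PGP SIGNATURE-----\n(placeholder)\n-----END PGP SIGNATURE-----\n")
        return jar

    write_artifact("org.example", "intact", "1.0", b"PK\x03\x04 intact jar bytes", True, with_asc=True)
    write_artifact("org.example", "tampered", "1.0", b"PK\x03\x04 original jar bytes", True, tamper=True)
    write_artifact("org.example", "unchecked", "1.0", b"PK\x03\x04 no sidecar at all", False)
    return root


if __name__ == "__main__":
    for finding in check_repository(build_sample_repo()):
        print(finding)
```

The caveat is the one the paragraph above makes: a checksum sidecar fetched from the same repository as the jar only catches transport corruption, because whoever can replace the jar can replace the `.sha1` beside it. Origin is only established by verifying the detached signature with `gpg --verify` against a key obtained out of band from the project, which this script deliberately does not attempt; it only tells you which artifacts have a signature available to verify and which have nothing at all.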

Maven Central does not perform adequate vetting of the people uploading artifacts or the artifacts they upload. Thus, the integrity and origin of the artifacts therein are not known or verifiable. As an example, any OpenSAML artifacts currently uploaded to Maven Central are not provided by the Shibboleth project, nor are they always even artifacts that we've released (i.e., the jars we know of there have been changed in some ways, though we have some general sense of what those changes were).

Taken together, the problems with this setup should be obvious.

Publishing to Maven Central

Because of the issues described above, the Shibboleth developers question the value of publishing product artifacts to Maven Central. We are, however, not specifically opposed to it. If other people aren't worried about the veracity of the artifacts they use, that's on them. However, Maven Central does require that all the dependencies of an artifact also be in Maven Central, and that is currently not the case for some of the Shibboleth products. So, for now, the Shibboleth product artifacts will not be published to Maven Central. This may change in the future as product dependencies, and the state of those dependencies in Maven Central, change.