Use of Maven Central

This document applies to major releases of the Shibboleth Java software occurring after May 2012.

The Shibboleth developers are, from time to time, asked if we will publish our build artifacts to Maven Central. This document describes our position on the use of artifacts from, and on publishing artifacts to, Maven Central.

Issues with Maven and Maven Central

Maven itself has no support for validating signatures of artifacts (be they signed jars or jars with a detached PGP signature). The only check it performs is comparing a downloaded artifact against the SHA-1 (or MD5) checksum published beside it; because that checksum comes from the same repository as the artifact, it detects a corrupted download but not a substituted or modified artifact. Maven therefore assumes that any repository from which artifacts are pulled is trusted and has properly vetted the artifacts before making them available.

Maven Central does not perform adequate vetting of the people uploading artifacts or of the artifacts they upload. Thus, the integrity and origin of the artifacts therein are neither known nor verifiable. As an example, the OpenSAML artifacts currently in Maven Central were not uploaded by the Shibboleth project, nor are they artifacts that we released: the jars out there have been changed in some ways, though we have only a general sense of what those changes were.

Taken together, this means a build that pulls from Maven Central is trusting both the repository operator and every uploader, with no way to detect that an artifact was substituted or modified before it was published.

Use of Maven Central

Because of the inability to verify the integrity and origin of artifacts, Shibboleth product builds no longer use Maven Central. Instead, all artifacts are pulled from the Shibboleth project repository. Artifacts added to the project repository have been downloaded directly from the author, verified in the manner provided by the author (checksum, detached PGP signature, or both), and signed by the Shibboleth developers if the author did not sign them.
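The verification step above, written out as a worked example; this is added here and is not the Shibboleth project's own tooling. It assumes the author publishes a SHA-1 sidecar (foo.jar.sha1) and a detached PGP signature (foo.jar.asc) next to the jar, as Maven repositories conventionally do, and that you have already obtained the author's key fingerprint and public key out of band. The checksum half is what Maven itself checks; the signature half is what Maven does not do and what actually establishes origin.

```sh
#!/bin/sh
# Added example, not code from the Shibboleth project. Checks a downloaded
# artifact before it goes into a private repository: first the SHA-1 sidecar
# (what Maven itself checks), then the author's detached PGP signature against
# a key pinned by fingerprint. Assumed layout: foo.jar, foo.jar.sha1 and
# foo.jar.asc side by side; fingerprint and public key file obtained out of band.

# sha1_of FILE: prints the 40-hex-char SHA-1 of FILE (coreutils or BSD fallback).
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then sha1sum "$1"; else shasum -a 1 "$1"; fi | cut -c1-40
}

# verify_sha1 JAR: 0 if JAR's SHA-1 matches JAR.sha1, 1 on mismatch, 2 if the
# files are missing or the sidecar is malformed. Accepts both the bare-hex and
# "hex  filename" sidecar layouts.
verify_sha1() {
    jar="$1"
    sidecar="$jar.sha1"
    [ -f "$jar" ] && [ -f "$sidecar" ] || return 2
    expected=$(head -c 40 "$sidecar" | tr 'A-F' 'a-f')
    case "$expected" in
        ''|*[!0-9a-f]*) return 2 ;;
    esac
    [ "${#expected}" -eq 40 ] || return 2
    actual=$(sha1_of "$jar")
    [ "$expected" = "$actual" ]
}

# verify_pgp JAR FINGERPRINT PUBKEYFILE: 0 only if JAR.asc is a good signature
# over JAR made by the key with exactly FINGERPRINT. The check runs in a
# throwaway keyring holding only PUBKEYFILE, so "some key I once imported
# signed it" cannot pass as "the author signed it". 1 = bad or foreign
# signature, 3 = gpg unavailable or key import failed.
verify_pgp() {
    jar="$1"; fpr="$2"; pubkey="$3"
    command -v gpg >/dev/null 2>&1 || return 3
    home=$(mktemp -d) || return 3
    chmod 700 "$home"
    if ! gpg --homedir "$home" --batch --quiet --import "$pubkey" 2>/dev/null; then
        rm -rf "$home"; return 3
    fi
    status=$(gpg --homedir "$home" --batch --status-fd 1 --verify "$jar.asc" "$jar" 2>/dev/null) \
        && rc=0 || rc=$?
    rm -rf "$home"
    [ "$rc" -eq 0 ] || return 1
    # VALIDSIG carries the full fingerprint of the signing key; match it exactly.
    printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG $fpr "
}

# demo_sha1: exercises verify_sha1 on a constructed sample file (no network),
# once intact and once after tampering. Prints "intact:0 tampered:1".
demo_sha1() {
    dir=$(mktemp -d) || return 3
    printf 'constructed sample bytes standing in for a jar\n' > "$dir/sample.jar"
    sha1_of "$dir/sample.jar" > "$dir/sample.jar.sha1"
    if verify_sha1 "$dir/sample.jar"; then good=0; else good=$?; fi
    printf 'x' >> "$dir/sample.jar"          # tamper with the artifact
    if verify_sha1 "$dir/sample.jar"; then bad=0; else bad=$?; fi
    rm -rf "$dir"
    echo "intact:$good tampered:$bad"
    [ "$good" -eq 0 ] && [ "$bad" -ne 0 ]
}

# Typical use on a real download (file names and fingerprint are placeholders):
#   verify_sha1 opensaml.jar && verify_pgp opensaml.jar <AUTHOR-FINGERPRINT> author-key.asc
```

The fingerprint pin matters more than the signature check itself: gpg reports a "good signature" for any key in the keyring, so verifying in a fresh keyring that holds only the author's key, and then matching the VALIDSIG fingerprint, is what ties the artifact to the author rather than to whoever happens to have signed it.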

Publishing to Maven Central

Because of the issues described above, the Shibboleth developers question the value of publishing product artifacts to Maven Central. We are, however, not specifically opposed to it. If other people aren't worried about the authenticity of the artifacts they use, that's on them. However, Maven Central does require that all the dependencies of an artifact also be in Maven Central, and that is currently not the case for some of the Shibboleth products. So, for now, the Shibboleth product artifacts will not be published to Maven Central. This may change in the future as product dependencies, and the state of those dependencies in Maven Central, change.