MavenGate gets it all wrong and hurts open source
day-to-day-stuff.blogspot.com

This security theater around supply chain security is getting ridiculous.
What we need is true supply chain security, but no one is willing to pay for that; it would mean paying FOSS projects, and companies don't want to pay for their "free" software.
I just want an actual bill of versioned open source software used in each closed source app.
Are packages cryptographically signed by the actual package maintainer, or only with the repo owner's key?
As a package maintainer you are required to sign the packages with a PGP key. Maven Central also requires that you upload that PGP key (the public part only, of course) to one of a few well-known key servers.
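The two comments above describe the mechanism (a maintainer-held PGP key, a detached `.asc` signature next to each artifact, the public key published to a keyserver) but not the consumer-side check that makes it worth anything. The script below is an added example, not code from the thread or from Maven Central's own tooling: it verifies a detached signature with `gpg` and then pins the signing key's full fingerprint, because "Good signature" from whatever key a keyserver happened to return is not evidence that the maintainer signed it. The key name, the `example.invalid` address, the file `foo-1.0.jar` and its contents are all constructed for the demo; the only real-world input is the fingerprint you would obtain out of band (project site, release notes, a prior verified release).

```shell
#!/bin/sh
# Added example (not from the thread): verify a Maven-style detached PGP
# signature and pin the signer's fingerprint. Everything named below
# (key, e-mail, artifact) is constructed for the demo.
set -eu

# verify_artifact ARTIFACT SIGNATURE EXPECTED_FPR
# Prints "ok" and returns 0 only if SIGNATURE is a valid signature over
# ARTIFACT made by the key whose full 40-hex-char fingerprint is EXPECTED_FPR.
# Returns 1 for a bad/missing signature, 2 for a good signature from the
# wrong key (the case a plain "gpg --verify" happily reports as success).
verify_artifact() {
    artifact=$1; sig=$2; expected=$3
    # --status-fd 1 gives machine-readable lines; VALIDSIG carries the
    # fingerprint of the key that actually produced the signature.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$artifact" 2>/dev/null || true)
    actual=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG/ {print $3; exit}')
    if [ -z "$actual" ]; then
        echo "bad or missing signature"; return 1
    fi
    if [ "$actual" != "$expected" ]; then
        echo "signed by $actual, expected $expected"; return 2
    fi
    echo "ok"
}

# demo_setup DIR: isolated keyring, throwaway "maintainer" key, a constructed
# stand-in for foo-1.0.jar and its detached ASCII-armored signature
# (the same shape as the .asc Maven Central publishes beside every file).
demo_setup() {
    dir=$1
    export GNUPGHOME="$dir/gnupg"
    mkdir -p "$GNUPGHOME"; chmod 700 "$GNUPGHOME"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Maintainer <maintainer@example.invalid>' \
        ed25519 sign never 2>/dev/null
    printf 'not a real jar, constructed for the demo\n' > "$dir/foo-1.0.jar"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign --output "$dir/foo-1.0.jar.asc" "$dir/foo-1.0.jar"
}

# demo_fingerprint: the value you would normally obtain out of band,
# never from the same keyserver you are about to "verify" against.
demo_fingerprint() {
    gpg --batch --with-colons --list-keys 'maintainer@example.invalid' \
        | awk -F: '$1=="fpr" {print $10; exit}'
}

# Stand-alone run: happy path, then a pinned fingerprint that does not match
# (good signature, wrong signer), then a tampered artifact.
if command -v gpg >/dev/null 2>&1; then
    tmp=$(mktemp -d)
    demo_setup "$tmp"
    fpr=$(demo_fingerprint)
    verify_artifact "$tmp/foo-1.0.jar" "$tmp/foo-1.0.jar.asc" "$fpr"
    verify_artifact "$tmp/foo-1.0.jar" "$tmp/foo-1.0.jar.asc" \
        0000000000000000000000000000000000000000 || echo "rejected (rc=$?)"
    printf 'tampered\n' >> "$tmp/foo-1.0.jar"
    verify_artifact "$tmp/foo-1.0.jar" "$tmp/foo-1.0.jar.asc" "$fpr" || echo "rejected (rc=$?)"
fi
```

The keyserver upload the comment mentions is what makes `gpg --recv-keys` work, but anyone can upload a key with any name and e-mail to a keyserver, so fetching "the maintainer's key" by address and accepting whatever comes back reduces the check to "someone signed this". Pinning the fingerprint, and comparing it against the `VALIDSIG` line rather than the `GOODSIG` short key ID, is the part that actually answers the question of whether the real maintainer signed the artifact.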