jml78 5 hours ago
You forgot to mention it is also tied to provable namespaces. People keep saying that NPM is just the biggest target... Hate to break it to you, but from targeting enterprises, Java Maven artifacts would be a MASSIVE target. It is just harder to compromise because NPM is such shit.
redwall_hp 2 hours ago, replying to jml78
Maven Central verifies the domain used for the package namespace, too. You need to create a DNS TXT entry with a key. This adds a bit more overhead to typosquatting, and a paper trail, since a domain registrar can have identity/billing information subpoenaed. Versus changing a config file and running a publish command...
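To make the ownership check redwall_hp describes concrete, here is an added example (not Sonatype's code, and not from either commenter) that models the DNS TXT step: it maps a reverse-domain group ID such as `com.example.project` to the registrable domain `example.com`, looks up that domain's TXT records, and accepts the namespace only if one of them carries the verification key. It runs offline against constructed zone data (`FAKE_DNS_TXT`); the record format `maven-verify=<key>`, the `fake_txt_resolver` stand-in, and the short `MULTI_LABEL_SUFFIXES` list are assumptions for illustration, not the registry's actual format or resolver. A lookalike domain like `examp1e.com` with no record is the typosquatting case the comment refers to.

```python
"""Added example: model of a DNS TXT ownership check for a reverse-domain
namespace. Not Sonatype's implementation; record format and resolver are
assumed for the demo and the zone data is constructed."""
from typing import Callable, Dict, List, Tuple

# Constructed TXT zone data standing in for a live DNS resolver (offline demo).
FAKE_DNS_TXT: Dict[str, List[str]] = {
    "example.com":   ["v=spf1 -all", "maven-verify=4f0c9a2e"],  # legitimate owner
    "examp1e.com":   ["v=spf1 -all"],                            # lookalike, no key
    "example.co.uk": ["maven-verify=9b17d3c0"],
}


def fake_txt_resolver(domain: str) -> List[str]:
    """Stand-in for a DNS TXT lookup; a real deployment would query DNS here."""
    return FAKE_DNS_TXT.get(domain.lower().rstrip("."), [])


# Partial, hand-written list of multi-label public suffixes (assumption for the
# demo); a real implementation would consult the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}


def group_id_to_domain(group_id: str) -> str:
    """Map a reverse-domain group ID to the domain that must prove ownership.
    com.example.project -> example.com ; uk.co.example.project -> example.co.uk"""
    labels = group_id.strip().lower().split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"not a reverse-domain group id: {group_id!r}")
    depth = 3 if ".".join(reversed(labels[:2])) in MULTI_LABEL_SUFFIXES else 2
    if len(labels) < depth:
        raise ValueError(f"group id {group_id!r} names only a public suffix")
    return ".".join(reversed(labels[:depth]))


def txt_record_carries_key(record: str, key: str) -> bool:
    """Assumed record format: the bare key, or 'label=key'."""
    record = record.strip().strip('"')
    return record == key or record.endswith("=" + key)


def verify_namespace(
    group_id: str,
    key: str,
    resolver: Callable[[str], List[str]] = fake_txt_resolver,
) -> Tuple[bool, str, str]:
    """Return (verified, domain, reason). Verified only when a TXT record at the
    apex of the derived domain carries the key issued for this namespace."""
    try:
        domain = group_id_to_domain(group_id)
    except ValueError as exc:
        return False, "", str(exc)
    records = resolver(domain)
    if not records:
        return False, domain, f"no TXT records at {domain}"
    if any(txt_record_carries_key(r, key) for r in records):
        return True, domain, f"key found in TXT at {domain}"
    return False, domain, f"TXT records exist at {domain} but none carry the key"


if __name__ == "__main__":
    for gid, key in [("com.example.project", "4f0c9a2e"),
                     ("com.examp1e.project", "4f0c9a2e"),
                     ("uk.co.example.project", "9b17d3c0"),
                     ("com", "deadbeef")]:
        print(gid, verify_namespace(gid, key))
```

The point of the separate `resolver` parameter is that the policy (which domain must answer, and with what) stays testable without network access, while the lookup can be swapped for a real DNS client. Note that the check only proves control of DNS for that domain at the moment of verification; it says nothing about whether a later publish is legitimate, which is why the paper trail at the registrar matters as much as the record itself.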