How secure is Central?
Sonatype Central Terms of Service include this:
User Bears Risk. You understand that Sonatype does not pre-screen Materials, and you agree to assume all risks in using them. These risks include, but are not limited to, errors, viruses, worms, time-limited software that expires without notice, and the possibility that the Materials infringe or misappropriate the intellectual property rights of others. You agree to assume all such risks.
The purpose of the HTTPS connection to Central is to prevent man-in-the-middle attacks against artifact downloads: TLS authenticates the server and protects the bytes in transit, so an on-path attacker cannot silently substitute a different artifact.
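As an added example (not code from the Sonatype page or from Sonatype), the two checks below show what a build-side consumer of Central can enforce on its own: that the repository URL actually uses HTTPS (the transport the page relies on against man-in-the-middle tampering), and that a downloaded artifact matches the `.sha1` sidecar file Central publishes next to every artifact. The artifact bytes and sidecar text in the demonstration are constructed inline; the host name `repo1.maven.org` is Central's real download host, everything else (function names, the `fetch`-free design) is an assumption of this example.

```python
"""Added example, not part of the Sonatype page: defender-side checks for a
Central download. Assumes the caller has already fetched the artifact bytes
and the matching ``.sha1`` sidecar over the same HTTPS connection."""
import hashlib
import hmac
from urllib.parse import urlparse

CENTRAL_HOST = "repo1.maven.org"  # Central's canonical download host

HEX_DIGITS = set("0123456789abcdef")


def is_safe_repository_url(url: str) -> bool:
    """Reject plain-http repository URLs.

    An http:// mirror is exactly the situation in which an on-path attacker
    can swap the artifact bytes in transit, so a build should refuse it
    rather than warn about it."""
    parts = urlparse(url)
    return parts.scheme == "https" and bool(parts.netloc)


def sha1_hex(data: bytes) -> str:
    """SHA-1 of the artifact as lowercase hex (the format Central's .sha1
    sidecar files use)."""
    return hashlib.sha1(data).hexdigest()


def parse_sha1_sidecar(text: str) -> str:
    """Extract the digest from a ``.sha1`` sidecar.

    Sidecars contain the hex digest, sometimes followed by whitespace and a
    file name; anything that is not a 40-character hex token is rejected so
    a truncated or corrupted sidecar cannot silently pass."""
    stripped = text.strip()
    token = stripped.split()[0] if stripped else ""
    if len(token) != 40 or set(token.lower()) - HEX_DIGITS:
        raise ValueError("malformed .sha1 sidecar")
    return token.lower()


def verify_artifact(artifact: bytes, sidecar_text: str) -> bool:
    """True only when the artifact's SHA-1 equals the published checksum.

    A constant-time comparison is used out of habit; the digests are public,
    so this is hygiene rather than a hard requirement here."""
    expected = parse_sha1_sidecar(sidecar_text)
    actual = sha1_hex(artifact)
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Constructed sample data; a real build would read these from the
    # HTTPS responses for <artifact>.jar and <artifact>.jar.sha1.
    repo_url = f"https://{CENTRAL_HOST}/maven2/"
    blob = b"constructed artifact bytes, not a real jar"
    sidecar = sha1_hex(blob) + "  example-1.0.jar\n"

    print("repository URL acceptable:", is_safe_repository_url(repo_url))
    print("artifact matches sidecar:", verify_artifact(blob, sidecar))
    print("tampered artifact matches:", verify_artifact(blob + b"!", sidecar))
```

One caveat worth keeping in mind: the sidecar checksum travels over the same channel as the artifact, so it detects corruption and mirror mismatches but does not by itself defend against an attacker who controls that channel. The TLS connection is what provides authenticity of both files; the checksum is a second, cheap integrity check on top of it.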
Note that we do have fairly strict requirements for what can be submitted to Central.
In addition, we maintain a database of known security vulnerabilities for Central artifacts, which is made available through our Nexus Lifecycle product offering. A limited version of this is built into Nexus Repository Manager as the Repository Health Check feature.
The language in the TOS is explicit, and it is correct: we take the security of components in Maven Central seriously, but it is not possible for us to make guarantees about their safety.