Re:
My question is - What is the difference between Repo marked as Central and "Redhat GA"?
From here: https://access.redhat.com/maven-repository
"Redhat GA" is the general availability JBoss Enterprise Maven Repository.
And the page also mentions:
Artifacts in the repository do not receive automated security patches as Maven requires that artifacts be immutable. As a result, artifacts that are missing patches for known security flaws will remain in the repository to avoid breaking builds that depend on them. Patched artifacts have their version number incremented.
If you checkout the README at the repository: https://maven.repository.redhat.com/ga/README.md
This archive contains Maven repository artifacts for JBoss WFK 2. This is meant
to be used as additional Maven repository in development environment with
JBoss EAP 6 Maven repository.
So it seems Redhat GA versions are patched versions of Maven Central artifacts, specifically to support JBoss WFK.
My guess is that the patches correct security flaws in the base Maven Central artifact.
Re:
For example, Maven CCentral has versions like 1.9.4, however Redhat GA has versions like - 1.9.3.redhat-1.
For this example, my guess is that 1.9.3.redhat-1 is a security patched version of 1.9.3 from Maven Central.
Re: (comment above)
how safe is to use version of a library from other Repos (for example-Redhat in this case) than Central? Or what are the scenarios when an Enterprise application should use a library from other Repos than Maven Central?
If you need a security-hardened version of a specific Maven Central version, but you can't upgrade to a later version from Maven Central (for any reason: risk, incompatibilities, one does not exist, etc) - the Red Hat version might be a solution.
As to whether it's safe, it's up to whether you trust RedHat vs Maven vs any other organization providing open source.
