
On Maven Central, I can see several other repositories available for some of the libraries. For example, Apache Commons BeanUtils is available in Central, Redhat GA, JBoss 3rd-party etc. The library version naming changes as well. For example, Maven Central has versions like 1.9.4, however Redhat GA has versions like 1.9.3.redhat-1.

Click on this URI to see the details. https://mvnrepository.com/artifact/commons-beanutils/commons-beanutils

My question is - What is the difference between Repo marked as Central and "Redhat GA"?

Attaching an image of the Maven GA repo as well here.

Vicky
    Just to make sure: You know that mvnrepository is _not_ MavenCentral? – J Fabian Meier Oct 07 '19 at 18:42
  • I can acknowledge the comment of JF Meier. – khmarbaise Oct 07 '19 at 19:50
  • @JFMeier, thanks for clarifying. Yes, I understand that Central and "Redhat" are two separate repos. The context of my question is more around: how safe is it to use a version of a library from other repos (for example, Redhat in this case) rather than Central? Or what are the scenarios when an enterprise application should use a library from repos other than Maven Central? – Vicky Oct 12 '19 at 14:50
  • Actually, I recently also wondered why redhat "rebuild" a lot of commonly available libraries with their own version numbers. – J Fabian Meier Oct 12 '19 at 16:31

1 Answer


Re:

My question is - What is the difference between Repo marked as Central and "Redhat GA"?

From here: https://access.redhat.com/maven-repository

"Redhat GA" is the general availability JBoss Enterprise Maven Repository.

And the page also mentions:

Artifacts in the repository do not receive automated security patches as Maven requires that artifacts be immutable. As a result, artifacts that are missing patches for known security flaws will remain in the repository to avoid breaking builds that depend on them. Patched artifacts have their version number incremented.

If you check out the README at the repository: https://maven.repository.redhat.com/ga/README.md

This archive contains Maven repository artifacts for JBoss WFK 2. This is meant to be used as additional Maven repository in development environment with JBoss EAP 6 Maven repository.

So it seems Redhat GA versions are patched versions of Maven Central artifacts, specifically to support JBoss WFK.

My guess is that the patches correct security flaws in the base Maven Central artifact.


Re:

For example, Maven Central has versions like 1.9.4, however Redhat GA has versions like 1.9.3.redhat-1.

For this example, my guess is that 1.9.3.redhat-1 is a security patched version of 1.9.3 from Maven Central.


Re: (comment above)

how safe is it to use a version of a library from other repos (for example, Redhat in this case) rather than Central? Or what are the scenarios when an enterprise application should use a library from repos other than Maven Central?

If you need a security-hardened version of a specific Maven Central version, but you can't upgrade to a later version from Maven Central (for any reason: risk, incompatibilities, one does not exist, etc.), the Red Hat version might be a solution.

As to whether it's safe, it's up to whether you trust Red Hat vs. Maven Central vs. any other organization providing open source.

Bret Royster
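To make the repository choice explicit rather than implicit, here is an added example (not from the question, the answer, or Red Hat) of a minimal `pom.xml` that declares the Red Hat GA repository next to the default Central and pins the `1.9.3.redhat-1` build discussed above, with Maven's checksum check set to fail the build on a mismatch. The project coordinates (`com.example`) are placeholders; the repository URL is the base of the README link quoted in the answer.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <!-- placeholder coordinates for the consuming project -->
  <groupId>com.example</groupId>
  <artifactId>beanutils-consumer</artifactId>
  <version>1.0.0</version>

  <repositories>
    <!-- Red Hat GA is added alongside Central (Central stays available as the
         Super POM default). Releases only, and any artifact whose published
         checksum does not match the download fails the build instead of being
         silently used. The default policy is only to warn. -->
    <repository>
      <id>redhat-ga</id>
      <url>https://maven.repository.redhat.com/ga/</url>
      <releases>
        <enabled>true</enabled>
        <checksumPolicy>fail</checksumPolicy>
      </releases>
      <snapshots>
        <enabled>false</enabled>
      </snapshots>
    </repository>
  </repositories>

  <dependencies>
    <!-- The .redhat-N suffix is what selects the Red Hat rebuild; a plain
         1.9.3 would resolve from Central. The version is fixed rather than a
         range so the resolved artifact cannot drift between the two repos. -->
    <dependency>
      <groupId>commons-beanutils</groupId>
      <artifactId>commons-beanutils</artifactId>
      <version>1.9.3.redhat-1</version>
    </dependency>
  </dependencies>
</project>
```

Running `mvn dependency:tree` afterwards shows which version actually resolved, so an unpatched 1.9.3 pulled in transitively by another dependency is visible rather than hidden.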