
I need a few clarifications regarding releasing the artifacts in Maven Central. I could see in the requirements that for SCM information a project URL needs to be added, which raises the question of whether we are supposed to share the source via SCM. My understanding is that Maven Central is a public repo, so do they expect the source to be shared, or can we share our GitHub link (which may point to source-related demos)?

Since we are working in an organization, we are not interested in sharing it as open source. It will be a commercial project; can we release the artifacts in Maven Central with the SCM URL pointing to source demos? Can anybody share your valuable suggestions?

Note: Artifact to be hosted is for commercial purposes.

Karthikk
  • Maven Central does not care. That is just metadata. But why would you host on Maven Central if you don't want to share it? Java is trivially decompilable, whether people have the source or not. If you want to protect your IP, you should not serve your bytecode to the whole world. If you're doing that, you may as well share the source too. – Michael Oct 30 '20 at 10:56
  • @Michael Thanks for your feedback. We plan to distribute the artifacts in Maven Central. However, we enforce licensing, which accepts a key from the user; if it's invalid, we restrict the usage of the library. So, can you provide your suggestions to proceed further, or any better approach from your view? – Karthikk Oct 30 '20 at 11:14
  • How do you plan to enforce your licensing when a bad actor can decompile your bytecode, remove the part of your code which does the licensing check, and then recompile it? In Java this is trivial, it would take 5 minutes and doesn't require any particular expertise. – Michael Oct 30 '20 at 11:50
  • @Michael Then what would be your suggestion in this? – Karthikk Oct 30 '20 at 12:00
  • The usual way to prevent this is to market your app as a service behind a web app, that way your code never leaves your servers. But that requires you to factor it into your design from the start. – Michael Oct 30 '20 at 12:12
  • If you can't do that (i.e. you've already written the app), the usual route is obfuscation (makes it harder to change the bytecode, but still quite easy) and to limit who you distribute the JAR to. That is, don't make it available on Maven Central because you are inviting the whole world to crack it if they want to. If you only distribute the JAR to your few corporate clients, you are lowering the risk of piracy because you know exactly who has been given access. You can factor terms of use into your contract with them, which you cannot do with strangers downloading your JAR from Central. – Michael Oct 30 '20 at 12:14

1 Answer


Maven Central requires you to share the source. From your own link:

Supply Javadoc and Sources

Projects with packaging other than pom have to supply JAR files that contain Javadoc and sources.

While there's no technical requirement that your SCM is world-readable, there's no point in trying to hide it.

Artifact to be hosted is for commercial purposes.

That's not what Maven Central is for. If you have a commercially-licensed, closed-source library and want to provide Maven integration, then set up your own private repository for your customers. You'll also need to invest in some heavy obfuscation if you don't want people trivially decompiling or modifying it though.

OrangeDog
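As an added illustration (not from the question, the answer, or any real project), the pom.xml fragment below contrasts the two things discussed above: the metadata and source/Javadoc JARs that Central's rules demand, versus a `distributionManagement` section that deploys the same library to a private repository where access is granted per customer. Every coordinate, hostname and repository id is a placeholder.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>             <!-- placeholder coordinates -->
  <artifactId>licensed-lib</artifactId>
  <version>1.0.0</version>

  <!-- Central requires an SCM block. The URL is descriptive metadata only;
       nothing verifies that the repository it names is readable. -->
  <scm>
    <url>https://github.com/example-org/licensed-lib</url>               <!-- placeholder -->
    <connection>scm:git:https://github.com/example-org/licensed-lib.git</connection>
  </scm>

  <!-- Central also requires -sources.jar and -javadoc.jar for non-pom
       packaging. These two plugins produce them, so publishing to Central
       means shipping your source. Drop this block (and pin the plugin
       versions you do use) when deploying only to a private repository. -->
  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-source-plugin</artifactId>
        <executions>
          <execution><goals><goal>jar-no-fork</goal></goals></execution>
        </executions>
      </plugin>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-javadoc-plugin</artifactId>
        <executions>
          <execution><goals><goal>jar</goal></goals></execution>
        </executions>
      </plugin>
    </plugins>
  </build>

  <!-- For a closed-source, commercially licensed library: deploy to your own
       repository and hand out credentials customer by customer, instead of
       publishing to Central. The <id> is matched against a <server> entry
       in ~/.m2/settings.xml, which is where the credentials live; they never
       belong in the pom. -->
  <distributionManagement>
    <repository>
      <id>corp-releases</id>                          <!-- placeholder id -->
      <url>https://repo.example.com/releases</url>    <!-- placeholder host -->
    </repository>
  </distributionManagement>
</project>
```

Customers consume the library by adding the same private `<repository>` URL to their own pom or settings.xml, with the credentials you issued them under a matching `<server>` id.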