Is Maven Safe for Production? - Adam Kaplan, Red Hat & Manfred Moser, Chainguard

Join us at the premier vendor-neutral open source conference, where developers and technologists come together to collaborate, share knowledge, and explore the latest innovations and advancements in open source technology. Learn more at https://events.linuxfoundation.org/ Is Maven Safe for Production? - Adam Kaplan, Red Hat & Manfred Moser, Chainguard Apache Maven’s central role in the Java ecosystem is undeniable, however its flexible plugin framework creates significant hurdles for adopting modern secure software practices. Securing the Java software supply chain to meet CRA and other regulatory requirements can feel like a daunting, if not impossible task. This session will dive deep into the technical complexities of producing secured Maven builds through the practical experiences of two open source redistributors. You will learn strategies for producing SLSA artifacts for Maven builds, approaches for signing Java artifacts with Sigstore Cosign, and barriers to producing complete and accurate Software Bills of Materials (SBOMs) with Maven. We will also explore newer developments in the Maven ecosystem for cataloging dependencies and establishing trust in the Maven build process. This talk will conclude with a discussion of current gaps in Maven that could be addressed with the upcoming release of Maven 4.