External threat of removal from Maven Central #77
esaulpaugh announced in Announcements
I feel I have a duty to warn users of headlong that at 3:25 AM eastern time July 17, 2025, Brian Fox of Sonatype has threatened to purge headlong from Maven Central because I referred once to the Sonatype documentation as a "terrible dungheap" in a private email to support requesting help with the new publishing process.
@duneanalytics @chainbase-labs @HalbornSecurity @hashgraph @hiero-ledger @okx @unstoppabledomains @wavesplatform
Currently my namespace has been removed from my account and I am not able to publish any new artifacts. headlong's Sonatype Safety Rating remains at 9 of 10.
I don't intend for headlong to become the next left-pad, but let the importance of decentralization and avoiding infrastructure chokepoints never be in doubt.
The good news is that headlong is easier than ever to build from source via maven, gradle, or ant.
For recent versions at least, it is possible to reproduce release versions locally bit-for-bit by checking out a tagged commit, running `./gradlew clean build` using JDK 11 after the following modifications to build.gradle:

- Remove the `-SNAPSHOT` suffix from the version, e.g. `version = "13.3.1-SNAPSHOT"` --> `version = "13.3.1"`
- Remove `"Created-By": "Gradle",` from the manifest attributes section
- Change the `Build-Date` value to the date the artifact was published (UTC), e.g. `"Build-Date": todayUTC()` --> `"Build-Date": "July 16 2025"`

Then verify that the SHA-256 hash of the resulting jar matches the expected one, e.g. `359e41ed56cbc04ae1bb0071f8615d2a2457ac49c6bc3926a450bd819cd679d8` for v13.3.1
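When the SHA-256 of a locally built jar does not match, the following added example (not part of the original post or of headlong) reports which entries or manifest attributes differ from a reference copy of the release jar. The helper names, the in-memory sample jars and the idea of keeping a previously downloaded release jar as the reference are assumptions made for illustration.

```python
import hashlib
import io
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def manifest_attrs(raw: bytes) -> dict:
    """Main-section attributes of a jar manifest, with continuation lines unfolded."""
    text = raw.decode("utf-8").replace("\r\n", "\n").replace("\n ", "")
    main = text.split("\n\n", 1)[0]
    return dict(line.split(": ", 1) for line in main.split("\n") if ": " in line)

def jar_diff(built: bytes, reference: bytes) -> list:
    """Reasons two jars are not bit-for-bit identical; empty list if the hashes match."""
    if sha256_hex(built) == sha256_hex(reference):
        return []
    reasons = []
    with zipfile.ZipFile(io.BytesIO(built)) as zb, zipfile.ZipFile(io.BytesIO(reference)) as zr:
        b = {i.filename: i for i in zb.infolist()}
        r = {i.filename: i for i in zr.infolist()}
        reasons += [f"only in built jar: {n}" for n in sorted(b.keys() - r.keys())]
        reasons += [f"only in reference jar: {n}" for n in sorted(r.keys() - b.keys())]
        for name in sorted(b.keys() & r.keys()):
            if b[name].date_time != r[name].date_time:
                reasons.append(f"entry timestamp differs: {name}")
            if b[name].CRC == r[name].CRC:
                continue
            if name != MANIFEST:
                reasons.append(f"content differs: {name}")
                continue
            mb, mr = manifest_attrs(zb.read(name)), manifest_attrs(zr.read(name))
            for key in sorted(mb.keys() | mr.keys()):
                if mb.get(key) != mr.get(key):
                    reasons.append(f"manifest {key}: built={mb.get(key)!r} reference={mr.get(key)!r}")
    return reasons or ["zip-level metadata differs (entry order, compression, extra fields)"]

def make_jar(manifest: str, stamp=(1980, 2, 1, 0, 0, 0)) -> bytes:
    """Constructed sample jar for the demo (not a real headlong artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(zipfile.ZipInfo(MANIFEST, stamp), manifest)
        z.writestr(zipfile.ZipInfo("com/example/A.class", stamp), b"\xca\xfe\xba\xbe")
    return buf.getvalue()

# Constructed inputs: a "release" manifest and one built without the build.gradle edits.
REFERENCE = make_jar("Manifest-Version: 1.0\r\nBuild-Date: July 16 2025\r\n\r\n")
UNMODIFIED = make_jar("Manifest-Version: 1.0\r\nCreated-By: Gradle\r\nBuild-Date: July 17 2025\r\n\r\n")
print(jar_diff(UNMODIFIED, REFERENCE))
```

For real artifacts, read both jar files as bytes and pass them to `jar_diff`; the published hash from the post remains the authoritative check, and the diff only explains a mismatch.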