Tidelift ✨

Volkan Yazıcı

MFA for Maven/Java projects

TL;DR – Sonatype Nexus, the de facto package repository for Java, doesn't support 2FA. What shall Java package lifters do?

Sonatype Nexus is the de facto repository manager software in the Java ecosystem. Sonatype, next to hosting the biggest package repository in the Java world (i.e., Maven Central Repository), is used by major Java software providers, e.g., Apache Software Foundation. Even though Nexus supports 2FA, it is not available for Maven Central and Apache Repositories. This makes it impossible for lifters of Java packages to address "Packages that need 2FA enabled on the Package Manager" tasks in their dashboards. How shall Java package lifters address this shortcoming?

Top comments (2)

Joan Liu

Hi Volkan, thanks for bringing this to our attention. We'll work on removing that task for Java packages since it's impossible to complete.

Joan Liu

Hi Volkan,
We just rolled out a change to not have this task affect Java packages. Thank you again for bringing this to our attention.
-Joan