Is there any way we can see for ourselves the entity that provides a dependency on the Maven Central Repository?
For example, if we look for the javax.xml.bind dependency on the Maven Central Repository (see here), it's not clear to me who has provided these different artifacts. I would think as a javax package one of them should be provided by Oracle?
I can see that there are some guidelines (see here) for producers provided by Sonatype. This suggests that Sonatype ensures the domain is owned by the entity, or that the entity is the "designated maintainer" for the relevant group ID. Is there any way to see which entities Sonatype has assigned to each group ID?
Edit: After reading Robert's comment and this article I was able to get a better understanding of how the Maven Central Repository uses PGP to achieve this goal. I downloaded the .asc file by adding .asc to the end of the dependency URL.
https://repo1.maven.org/maven2/javax/xml/bind/jaxb-api/2.3.0/jaxb-api-2.3.0.jar.asc
And I could then run this command and get the below output:
gpg --auto-key-locate keyserver --keyserver hkps://keyserver.ubuntu.com --keyserver-options auto-key-retrieve --verify jaxb-api-2.3.0.jar.asc jaxb-api-2.3.0.jar
gpg: Signature made Mon, Jul 31, 2017 9:27:23 PM AUSEST
gpg: using RSA key 3575E1C767076CA8
gpg: Good signature from "Oracle TopLink Dev Team topdev_cz@oracle.com" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
</gpg_replace>
<gr_replace lines="9" cat="clarify" orig="Although that doesn't">
Although that doesn't guarantee that "Oracle TopLink Dev Team" is the entity it claims to be (which is where the PGP "web of trust" comes into it), I am at least sure I have a file provided by an entity who signed with that ID and that the file hasn't been changed since it was signed.
Although that doesn't guarantee that "Oracle TopLink Dev Team" is the entity they claim to be (which is where the PGP "web of trust" comes into it), I am at least sure I have a file provided by an entity who signed with that ID and that the file hasn't been changed since it was signed.
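An added example (not from the question or any answer) showing how a build pipeline would turn the check above into a decision: instead of grepping the human-readable output, run gpg with `--status-fd 1`, parse the machine-readable `GOODSIG` / `VALIDSIG` / `TRUST_*` lines, and accept the artifact only if the signing key's fingerprint matches one pinned in advance for that group ID. Only the key ID 3575E1C767076CA8 comes from the question; the sample status lines, fingerprint and timestamp are constructed placeholders, and `run_gpg_status` simply wraps the real `gpg --status-fd --verify` invocation.

```python
import subprocess
from dataclasses import dataclass
from typing import Optional

# Constructed sample of `gpg --status-fd 1 --verify <file>.asc <file>` output.
# The 40-hex fingerprint and the SIG_ID/timestamp values are placeholders made
# up for this example; only the long key ID 3575E1C767076CA8 is from the question.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED 0000000000000000000000003575E1C767076CA8 0
[GNUPG:] SIG_ID placeholder 2017-07-31 1501500443
[GNUPG:] GOODSIG 3575E1C767076CA8 Oracle TopLink Dev Team <topdev_cz@oracle.com>
[GNUPG:] VALIDSIG 0000000000000000000000003575E1C767076CA8 2017-07-31 1501500443 0 4 0 1 8 00 0000000000000000000000003575E1C767076CA8
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

@dataclass
class VerifyResult:
    good_signature: bool          # GOODSIG seen and no BADSIG/ERRSIG/expired/revoked-key tag
    fingerprint: Optional[str]    # full primary-key fingerprint from VALIDSIG
    signer_uid: Optional[str]     # user ID string gpg printed on the GOODSIG line
    trust: Optional[str]          # web-of-trust level, e.g. UNDEFINED, MARGINAL, FULLY

def parse_gpg_status(status_text: str) -> VerifyResult:
    """Parse gpg --status-fd lines. Cryptographic validity (GOODSIG/VALIDSIG) is
    reported separately from web-of-trust level (TRUST_*), which is exactly the
    distinction the 'not certified with a trusted signature' warning expresses."""
    good, bad, fpr, uid, trust = False, False, None, None, None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line[len("[GNUPG:] "):].split(" ", 2)
        tag = fields[0]
        if tag == "GOODSIG":
            good = True
            uid = fields[2] if len(fields) > 2 else None
        elif tag == "VALIDSIG":
            fpr = fields[1]
        elif tag.startswith("TRUST_"):
            trust = tag[len("TRUST_"):]
        elif tag in ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"):
            bad = True
    return VerifyResult(good and not bad, fpr, uid, trust)

def artifact_is_trusted(status_text: str, pinned_fingerprints: set) -> bool:
    """Accept only a good signature made by a key whose fingerprint was pinned
    out-of-band for this group ID; the signer's name in the UID proves nothing."""
    r = parse_gpg_status(status_text)
    return r.good_signature and r.fingerprint in pinned_fingerprints

def run_gpg_status(asc_path: str, artifact_path: str) -> str:
    """Real invocation: gpg writes status lines to fd 1 when asked via --status-fd."""
    proc = subprocess.run(["gpg", "--batch", "--status-fd", "1", "--verify", asc_path, artifact_path],
                          capture_output=True, text=True)
    return proc.stdout
```

Pinning the fingerprint (rather than the short key ID or the UID text) closes the gap the question points at: a good signature from a key you have not tied to the real maintainer still only proves "signed by whoever holds this key".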