The secret life of Maven Central

Build & Deploy

It’s just there. Just like the stars, just like electricity, just like Java.

In the Java world, Maven Central is the single most important service. You can get Java SDKs and even container images from various vendors, but Java code comes from only one place: Maven Central.

Serving over 10 billion requests a week, Maven Central is sooo boring, sooo reliable that it’s understandable that it’s mostly invisible. It’s just there.

Recently, though, we’ve seen questions raised about the Java code that is hosted there. Other repositories have been experiencing unprecedented attempts to upload malware, and even in the Java world there are significant vulnerabilities that some have called to have removed.

This talk is intended to give you background on the history of Maven Central, and to explain why Sonatype (who are the stewards of Maven Central) provide such a critical service and what our philosophy is for dealing with problematic content. We’ll also explore how the service works under the covers, the APIs you might not be aware of, and what’s coming up next.

Maven Central is not going away - but it might just get more exciting!

Joel Orlina


Joel Orlina is an Engineering Manager in the Technical Operations group at Sonatype. He joined Sonatype in 2010 and has been part of the care and feeding of Maven Central ever since. When he’s not supporting the Ops team or the open-source community, he’s been known to contribute to Sonatype’s own software products and data pipelines.