#clojars
2016-09-11
micha22:09:13

seems to me that the fundamental problem is that our customers trust us with their data, and we implicitly trust the dependencies we use not to do anything bad

micha22:09:48

maybe something like IPFS really is all we need

micha22:09:06

and not even sign jars at all

danielcompton22:09:03

There’s a few trust issues I think: 1. How do we verify that JARs we download from an untrusted source like Clojars haven’t been tampered with? 2. How do we verify that dependencies don’t do anything bad? 2. Seems to come down to auditing JAR updates before updating deps, I’m not sure how else you can verify that a dependency isn’t doing anything bad. 1. seems a little more tractable, by defining a mechanism for trusting a developer and therefore trusting their releases

micha22:09:49

you could go the other way I suppose

micha22:09:07

and just care about whether you have used those jars before in the past

micha22:09:28

and you don't do any verification of gpg signatures or anything

micha22:09:08

maybe IPFS provides such a mechanism