
Comment by lucideer

2 months ago

I'm not a Java (nor Kotlin) developer - I've only done a little Java project maintenance & even less Kotlin - I've mainly come at this as a tooling developer for dependency management & vulnerability remediation. But I have seen a LOT of varied maven-managed repos in that line of work (100s), and the approaches are wide and varied.

I know this is possible with custom plugins but I've mainly just seen it using maven wrapper & user properties.

There are things that are potentially possible, such as templating pom.xml build files or adjusting dependencies based on user properties (is that what you're suggesting?), but what you're describing is definitely not normal or best practice in the ecosystem and shouldn't be presented as if it's normal practice.

  • Attackers don't need these practices to be normal, they just need them to be common enough (significant minority of)