Description
Looking at the source code I see that
spark/pom.xml
lens/pom.xml
spark-dependencies/pom.xml
use cloudera's repo for the dependency resolution. All these projects are Apache TLPs, hence their artifacts and their dependencies should be pulled either from ASF server or public Maven server.
We shouldn't be pulling Apache projects dependencies from a 3rd party source that could be outdated, contain non-Apache bits or outright malicious artifacts.