Note: This post was inspired by my attempts to find a direct download for the MongoDB Java driver, but I've left the category as "Unspecified" because it could apply to any driver download for which the official sites say to "Just use Maven/etc"

Right now the documentation for the MongoDB Java driver (https://mongodb.github.io/mongo-java-driver/4.2/driver/getting-started/installation/) indicates that "The recommended way to get started using one of the drivers in your project is with a dependency management system." However, as far as I could tell from my own research, the official MongoDB sites have no official direct download link for the driver/dependency jar files - only the Maven groupId/artifactId are provided. If for some reason a developer is restricted such that they cannot use a dependency manager for their project and must obtain the jar files as a direct download, they must find the official Apache Maven repository on their own, and download the files from there.

I understand that this seems like a problem that can be solved by saying "just suck it up and use Maven", but please understand that at its core, this actually constitutes a security issue, as it makes it difficult for developers to find a download that they know they can trust.

Consider the following situation: Due to some situation, a developer is unable to use a dependency manager for their project. They must use a direct download of the driver/dependency jar files for the MongoDB Java driver in order to do their job. The first thing they will likely do (rightfully so) is go to the official MongoDB sites to try and find a download. They will not find it, and will instead look elsewhere.

Performing a Google search for "mongodb java driver" returns first the official MongoDB sites, which the developer already knows will not help them, and then returns an unofficial Maven Repository browser (mvnrepository). I haven't looked into the validity of this site, and I'm usually one to assume the best of intentions, but the fact remains that it's run by a person who is not affiliated with Apache/Maven or MongoDB, from which the developer will likely download several unverified jar files and include them with their project. This is a big security risk, as theoretically speaking, for all we know this site could be malicious, but it remains the most convenient option for the developer, because the official MongoDB sites do not include one. The safest option for the developer is to use the official Maven repository at search.maven.org, but this site only appears at the very bottom of the first page of the Google results, and the developer may not even see this during their search.

I feel like this problem could be fully solved by creating a section on the "Downloads" page (https://www.mongodb.com/try/download) for drivers, and including the most recent normally-supported release of each driver, including its dependencies. This may not be the recommended method, and it could very well include prominent text encouraging developers to consider using a dependency manager if possible, but it would effectively remove the potential for developers to accidentally download a malicious jar file from an unverified source and include it with their project.

TL;DR: If you don't include a direct downloads for MongoDB drivers/dependencies, a malicious actor on the internet will.