I hope a more convenient way is created. I've deployed some projects via Sonatype in the past. And while they are friendly and responsive, it's a complicated process that involves manual approvals by them (for your first release), setting up gpg keys, etc. It takes days for this to happen. It's a big reason jCenter became so popular: it removed a lot of the friction for publishing a simple jar.
One thing with jcenter is that you can actually propagate your jars to maven central if they meet minimum requirements (like having javadoc and sources and the right meta data). Many popular jars are actually propagated to maven central that way. I've done that with one of my projects and it already is in maven central. Once there, it will stay there.
The issue here is not Sonatype but the fact that the Apache Foundation is understandably very selective about which companies they allow jars to propagate to maven central. Unlike python, ruby, node.js, etc. there is no public repository where you can sign up and publish your jars. Instead you publish to one of a select few of repositories they replicate from, which effectively means Sonatype or JCenter.
For a long time, Sonatype's repository for OSS jars was the only way to get into maven central. Basically you publish your jars on their repository and then some time after that, maven central picks up the changes. I expect the Sonatype people will be very busy in the next months dealing with the fallout of JCenter disappearing. So, expect some delays. That may be a good moment for them to reconsider some of their processes around this.
A more modern/user friendly way would be helpful. Maybe Amazon, Microsoft/Github, or Google could step up and provide something. Or all of them. Or maybe they can even work together to make that happen. After all, MS bought npm as well.
If you think you don't need all the checks Sonatype performs for you even after this week's security exploit came up on npm and other less secure repos, you can use this for JVM libs:
EDIT: notice that I am not criticizing jitpack, it's great to be able to point at a git repository and get its jar as a simple dependency... but it's not as secure as Maven Central IMO because it requires you to fully trust `jitpack.io` to not insert malicious code in the jars it serves, as well as the GitHub/BitBucket/GitLab account owner to not have been hacked or "become" malicious... still much better than npm's ridiculous resolution that will just trust anything at all.
A lot of projects publish to Central from cloud CIs. That means that private keys are stored in config/secrets. It is debatable whether that makes the artifacts more reliable since you have to trust the CI.
Yeah, I agree. The process is not so easy and this can cause barriers to entry.
And that's why 5 years ago I've published my first libraries on JCenter. Back then I was still at the university, never worked yet in the field and JCenter seemed to me the least painful path.
I've been doing Android development (incl. publishing libraries) since 2010 and the Android community is way behind every other community in the tools available for library publishers. iOS has Cocoapods and SPM, Web has NPM (and Yarn), Flutter has pub, etc.
JCenter/Bintray made it possible for an independent dev to figure out how to share their utilities with others but even then it was too hard. Everyone has their own hacked together Gradle publishing script to assemble the right AARs, JARs, POMs, etc.
But the Android community has a really bad habit of accepting things that are too hard because simplicity is for Bad Programmers. So we will accept this, and 10 years from now we'll continue to be in a place where Google and Square publish 90% of the good Android libraries and the community is still hugely underdeveloped.
That does not propagate to maven central (at least not that I know). So you have to add a custom repository. You can also use jitpack.io or rsync artifacts to your websiter (I've done both).
One thing with jcenter is that you can actually propagate your jars to maven central if they meet minimum requirements (like having javadoc and sources and the right meta data). Many popular jars are actually propagated to maven central that way. I've done that with one of my projects and it already is in maven central. Once there, it will stay there.
The issue here is not Sonatype but the fact that the Apache Foundation is understandably very selective about which companies they allow jars to propagate to maven central. Unlike python, ruby, node.js, etc. there is no public repository where you can sign up and publish your jars. Instead you publish to one of a select few of repositories they replicate from, which effectively means Sonatype or JCenter.
For a long time, Sonatype's repository for OSS jars was the only way to get into maven central. Basically you publish your jars on their repository and then some time after that, maven central picks up the changes. I expect the Sonatype people will be very busy in the next months dealing with the fallout of JCenter disappearing. So, expect some delays. That may be a good moment for them to reconsider some of their processes around this.
A more modern/user friendly way would be helpful. Maybe Amazon, Microsoft/Github, or Google could step up and provide something. Or all of them. Or maybe they can even work together to make that happen. After all, MS bought npm as well.