
I hear a lot of complaints about the Sonatype process being not trivial. Here is a background article about why:

https://blog.sonatype.com/why-namespacing-matters-in-public-...




And yet world + dog manages fine with a lot less complexity in the Rust, PHP, Python, JavaScript, Ruby, C++, Docker, etc. communities. They all have tools for publishing packages and using them is straightforward and easy.

JCenter managed to work around some of the maven limitations and make the process similarly usable (but you need their gradle or maven plugin). And of course they were allowed to sync packages to maven central. I've done this. It works and was very easy to set up.

So, Sonatype can do better and they should consider doing so. Unless they look forward to manually approving gazillions of requests from stranded JCenter users in the next weeks. Maybe business is that good that they don't care about the overhead. Or alternatively, JFrog's move has prompted them to reconsider whether they want to keep on doing this at all. They are a for-profit company after all and they must be similarly affected by big cloud providers putting up their own repositories.

In any case, their process is expensive and convoluted; it always was. It suffers from them having had no competition for being gatekeepers for maven central. There are multiple alternate ways of verifying identity and ownership that don't involve manual approvals, keypairs, etc. It's what everybody else does. Including JCenter and whatever they did seems to have been acceptable to Apache (who own and run maven central).


> Unless they look forward to manually approving gazillions of requests from stranded JCenter users in the next weeks. Maybe business is that good that they don't care about the overhead.

Getting approved for a groupId took me literally 2 minutes. It's really not that complicated.

Not sure yet about the process for actually getting releases approved, I'll see about that tomorrow.


Took me about half a week last time I tried this. That's from signing up to getting all the approvals needed and finally getting my jar out via maven central. I imagine they may have improved their processes a bit since then but as far as I know it still involves creating tickets in their issue tracker and a human doing stuff with it.


My package is now released. 24 minutes to go from "opening the ticket" to it being approved, and another 14 minutes to go from "first publish to staging" to it being publicly available on repo1.maven.org.

Sure, a human is still involved, but it’s definitely faster than anything else in the release process.

If there’d be something to improve, it’d be (a) having a built-in publish plugin in gradle with a publish.json that easily defines the variables and adds a super simple way to publish, and (b) automating the TXT verification akin to google-site-verification (plus potentially github oauth login to validate com.github namespaces).



