Hacker News new | past | comments | ask | show | jobs | submit login

jCenter is the new default repository used with Android's gradle plugin, I haven't used it myself yet but it looks like the site defaults to HTTPS for everything: https://bintray.com/bintray/jcenter

Full disclosure - I am a developer Advocate with JFrog, the company behind Bintray.

So,jcenter is a Java repository in Bintray (https://bintray.com/bintray/jcenter), which is the largest repo in the world for Java and Android OSS libraries, packages and components. All the content is served over a CDN, with a secure https connection. JCenter is the default repository in Goovy Grape (http://groovy.codehaus.org/Grape), built-in in Gradle (the jcenter() repository) and very easy to configure in every other build tool (maybe except Maven) and will become even easer very soon.

Bintray has a different approach to package identification than the legacy Maven Central. We don't rely on self-issued key-pairs (which can be generated to represent anyone, actually and never verified in Maven Central). Instead, similar to GitHub, Bintray gives a strong personal identity to any contributed library.

If you really need to get your package to Maven Central (for supporting legacy tools) you can do it from Bintray as well, in a click of a button or even automatically.

Hope that helps!

You mention both Bintray and Groovy. Look at the Bintray download stats for Groovy [1] and it reports 170,000 downloads in the past month. But 100,000 of them happen on just 6 days, 40,000 of those on just 1 day (18 July). Click on country and see that 120,000 of them came from China. Comparing the numbers suggests 100,000 downloads of Groovy from Bintray during July were faked. Another 900,000 downloads of Groovy were faked during April and May. I'm not sure I trust JCenter when the 2 technologies you recommend for it have together been used to fake one million downloads.

[1] https://bintray.com/groovy/maven/groovy/view/statistics

[2] http://groovy.codeplex.com/wikipage?title=Blog07#2

I am not sure how the fact that Bintray is DDOSed from China (and still fully operational without any interruption) dismisses your trust in Bintray.

I am also not sure how you figured out those are fake downloads. For sure the script that DDOSes Bintray from China won't use Groovy, but it's a still a valid download. Not for showcasing how popular Groovy is (they factor out those things when talking about the numbers), but for the raw statistics - for sure. The file was downloaded, wasn't it?

Please elaborate?

Thanks for pointing this out, this is REALLY new, perhaps added in the most recent build. I didn't see notes for this either.

Yeah, my new projects from Android Studio Beta (released at I/O) use it as the default which was super confusing at first since I didn't see any release notes regarding it.

Nice, I was going to ask if maybe Google or someone invested heavily in Android could step up and provide a secure source of dependencies for everyone.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact