Publishing to Maven Central for the first time is ...
# random
Publishing to Maven Central for the first time is a nightmare experience 😱
👍 1
I just gave up.
👍 2
Did it via bintray, it was just 3/4 nightmare
Yeah, bintray is quite simple in comparison! They have a good gradle plugin and simple configuration.
@cedric looking forward to it 😵
It’s live! At least it’s quite straight-forward after you’ve got it into Sonatype and all checks have passed…
kotlin-dsl isn’t made for Sonatype publishing yet.
I upload to bintray and then sync to maven central
Of course, you still need the signed artifacts and all
Yeah, signing was one thing which was annoying. As was using the old maven publishing plugin which isn’t kotlin-dsl-friendly at all. Didn’t know that you can sync from Bintray to Maven Central, nice!
I don’t get signing though. If everyone can sign with their own keys - how does that make things more secure?! I didn’t have to register my key with my Sonatype account or something like that.
@Marc Knaup That was a question we wrestled with in the Clojure community (with our own repository). The original idea was that artifacts would have two states: regular and "promoted", and the latter would only be allowed if they were signed. The theory was that Clojurians would exchange public keys to create a "web of trust" so that we could use "promoted" artifacts and check that they'd been signed by "known parties". In reality, not enough people felt the additional hassle of signing-and-sharing was worthwhile and the repository dropped the idea of promoted artifacts. A lot of people publish artifacts there without signing them now, because the hassle isn't worth it (and most Clojure JAR files are source anyway because it's compile-on-demand). TL;DR: signing really doesn't make things more secure if there's no verified "web of trust".
Interesting! Maybe with the rise of blockchain you'll get another shot at it :) But yeah, I'm surprised that Maven Central requires it. Gives a false sense of safety I think.