If you're freaking out because JFrog announced it's sunsetting Bintray and JCenter, and are concerned about moving your Java components into Maven Central, I want to first and foremost say - don't worry. We're here for you and I personally want to make sure you feel prepared for that transition.
Based on a number of conversations taking place across social media, I wanted to address a few questions - here's what you need to know.
- Central is actually two parts. The part most of the world knows as Central is where everyone downloads their Java components. This has been fronted by a highly scaled CDN for years and it's very infrequent that anyone has trouble consuming components. We served 345 billion component download requests last year. OSS Publishers have had some troubles with the other part of Central we refer to as OSSRH which is a forge repo we run for projects that don’t have any other place.
-
It's not the OSSRH you used to know: Lots of less visible improvements have been made since you probably last deployed to http://oss.sonatype.org years ago. The validation and onboarding process has been automated, making the approval of your coordinates happen much faster and in many cases, automatically.
-
Yes, we do still validate. It's a matter of safety - We started validating coordinates 16 years ago, and it isn't going to stop. Validation of coordinates is the way that we ensure people can't (as easily) pretend to be a project they are not. We recently wrote about this here. To drop those requirements is to embrace the type of easy brandjacking that happens in other repositories.
-
We're standing up new infrastructure - To address the overwhelming demand we've seen recently, even preceding this recent announcement regarding Bintray, we have stood up new infrastructure and are in the process of preparing to announce it more broadly soon. Some large projects have already moved over to it quite successfully.
If you are currently, or have recently had issues pushing your builds, reach out and let’s get you over to the new infrastructure. If you have a very large project that might justify dedicated infrastructure, we want to talk to you as well.
Create a ticket and ask us to migrate you. Starting next week, net-new signups will automatically be added to the new infrastructure. This, combined with moving larger, higher volume projects will create a better experience for existing users who don't move. Everyone wins.
-
If you were promoting to Central, from Bintray, you're set - Many people were already deploying to Bintray but promoting to Central. If that was you, you have already been configured in our system so you should have what you need to begin deploying directly. If you're not sure though, create a ticket and we'll help you out.
-
If you were just deploying to Bintray AND NOT promoting to Central, let's discuss - For those of you who were previously deploying to Bintray but not, promoting to Central, we will have to get you set up. Figuring out how to handle your coordinates might be a conversation. You can see our long standing requirements here.
-
Project security analysis is coming - We've been working on a feature that allows projects deploying to Central to see a security analysis report of their dependencies. Another way we're hoping to keep the Central Repository a safe place. This is brand new - we were just about to launch an Alpha Program, but given the news of the day, we're opening that program up a bit early. Reach out to us and we’ll share previews with you.
I hope this helps clear up many of the questions you have about what's happening with The Central Repository, and what you need to know coming from Bintray and JCenter.
If you take nothing else away from this though, know we're here to help. If you're confused or struggling, just ask. If you think the coordinate requirements won't work for your project, lets discuss and try to figure it out. Get in touch on Twitter with me directly @Brian_Fox, with our Central Repository team at @sonatype_ossrh or create a Jira ticket.
Written by Brian Fox
Brian Fox is a software developer, innovator and entrepreneur. He is an active contributor within the open source development community, most prominently as a member of the Apache Software Foundation and former Chair of the Apache Maven project. As the CTO and co-founder of Sonatype, he is focused on building a platform for developers and DevOps professionals to build high-quality, secure applications with open source components.
Explore All Posts by Brian Fox