by brabel 1955 days ago
If you think you don't need all the checks Sonatype performs for you even after this week's security exploit came up on npm and other less secure repos, you can use this for JVM libs:

https://jitpack.io/

EDIT: notice that I am not criticizing jitpack, it's great to be able to point at a git repository and get its jar as a simple dependency... but it's not as secure as Maven Central IMO because it requires you to fully trust `jitpack.io` to not insert malicious code in the jars it serves, as well as the GitHub/BitBucket/GitLab account owner to not have been hacked or "become" malicious... still much better than npm's ridiculous resolution that will just trust anything at all.

1 comment

A lot of projects publish to Central from cloud CIs. That means that private keys are stored in config/secrets. It is debatable whether that makes the artifacts more reliable since you have to trust the CI.