[pron]

A very nice project that reduces the barrier-to-entry of Maven artifact publishing, and saves an open-source project author a couple of hours of annoying work, but I have two concerns:

1. It might cause clashes for repositories that are hosted on a public Maven repository. Maven artifacts have one name, and one name only. Now, they may have two (with versions that are not necessarily aligned, to boot). This can wreak havoc on transitive dependencies.

2. Because git tags can be deleted and re-created, this repository breaks one of the strongest guarantees made by all (public) Maven repos, namely, that once a release artifact is published, it can never, ever change. This makes artifact versions unreliable.

In short, release artifacts must be unique and must be immutable; this project breaks both. That will cause actual runtime bugs that are virtually impossible to catch (and are bound to cost much more than the one-time setup -- per organization! -- of Maven hosting).

The sort of capabilities and guarantees required for source code management (and are provided by SCMs like git) are not the same as those required of binaries.

[jitpack]

Thank you for the compliment, Ron. Glad you see an upside to JitPack:) Regarding your concerns:

1. If you add JitPack as a respository then Maven will still check central first. If the artifact is in central it won't bother going to jitpack.io. Also JitPack enforces your group name to point to your GitHub repo to avoid name clashes.

2. Yes, git tags can be deleted but you really shouldn't do that on a public repo anyway. And most of the time people releasing with tags don't change them.

JitPack is built for the common case and not for the edge cases. And we believe that just because there are rare ways to break the system doesn't mean we should keep a high barrier-to-entry. Sharing your work should be easy and it should be easy for others to try your work.

[pron]

> Glad you see an upside to JitPack

Of course! It's very cool! But I don't think it can be used in production (or even in development of important projects).

1. Say I am the consumer and I use a library author's GH repo with JitPack. Then, when the author releases her library to Central/jcenter/Clojars/whatever, she's free to choose any group name she wants (JitPack can't force her to do anything), and once she does that -- and another of my dependencies transitively depends on that artifact -- I am very likely to get a bug that's very hard to track down. Alternatively, once she publishes to central under a different group name, you might choose to simply break my build, which is also undesirable.

2. Maybe people shouldn't, but they do it all the time. I've done it on occasion, and I'm pretty sure I'll do it again. When that happens -- there's another impossible-to-find bug.

> JitPack is built for the common case and not for the edge cases.

Which means it's a binary repository that is undependable. And remember, those edge cases are out of the library consumer's control.

> just because there are rare ways to break the system

Unfortunately, they are not rare. First, most (actually, virtually all) production-quality Java/JVM libraries are already hosted on some public Maven repo, and any library that becomes production quality is likely to publish the artifacts, so breakage 1 is almost certain. As to 2, you should really get the data from GitHub. I think you'll find that deleting and re-creating tags is a lot more common than you think.

But even if those cases were rare, they can be very, very costly. We're not talking about a breaking build, but actual runtime bugs that might take days to track down.

> doesn't mean we should keep a high barrier-to-entry

True, but the barrier-to-entry for the author is already quite low; jcenter makes it almost nonexistent.

What you've done is something else: you've let the library consumer control the artifact, so you've lowered the barrier for them, which is great! However, by doing so you've ensured that the author will almost certainly inadvertently introduce really, really tricky bugs into the consumer's project, bugs that they can neither control nor track down.

Still, JitPack is a great way to try someones work-in-progress code, to see if it might be worth it to help them make it production-quality. I am sure to give a try some time.

[teacup50]

3) This creates an insane MITM opportunity.

Not only are they spitting back opaque binaries, but they're doing so by running arbitrary and untrusted user code.

There are already single-command tools for releasing a project to Maven, including tagging the release, bumping the version number in the build file, building and signing the jars, and uploading the results to a Maven repository.

Given that, why would you SaaS trusted builds!?!

[pron]

Well, to be fair, any public Maven repo is a MITM opportunity.

[teacup50]

Maven artifacts can be GPG signed; GPG signing is required for Maven central.

It would be irresponsible to use a service like this to build binary JARs that you then signed and uploaded with your own signature guaranteeing their providence.

[jermo]

Releases have to be PGP signed, snapshot's don't.

How many people do you know that verify PGP signatures of their artifacts? Do you?

[teacup50]

Yes, we verify signatures at our middleware repository cache.

[pron]

Really? Impressive! Where do you get the public keys? Most projects hosted on Maven Central don't publish them on their website.