terl / lazysodium-java

A Java implementation of the Libsodium crypto library. For the lazy dev.
https://github.com/terl/lazysodium-java/wiki
Mozilla Public License 2.0

Find alternative to jcenter #94

Closed kakawait closed 3 years ago

kakawait commented 3 years ago

You may or may not know, but jcenter/bintray will shut down on 1st May 2021

https://jfrog.com/blog/into-the-sunset-bintray-jcenter-gocenter-and-chartcenter/

Maybe publish to sonatype maven central?

AndroidDeveloperLB commented 3 years ago

Same issue for the Android version here: https://github.com/terl/lazysodium-android/issues/43

gurpreet- commented 3 years ago

Hi all, thanks for raising this with me.

I was hoping that GitHub will step up and will finally allow us to use its package distribution system without signing in. If that doesn't happen then I'll raise a request to MavenCentral at the beginning of March.

gurpreet- commented 3 years ago

Do you know of any other alternatives to Bintray/JCenter (other than MavenCentral)?

AndroidDeveloperLB commented 3 years ago

Well, I use Jitpack as it's very easy and free. If you provide the Github URL, it will auto-generate things for whoever wishes to use the repository. Example for this tiny library I've made a long time ago: https://github.com/AndroidDeveloperLB/AutoFitTextView

So this is what you get: https://jitpack.io/#AndroidDeveloperLB/AutoFitTextView

No need to register. No need to pay. Just one step and that's it.

kakawait commented 3 years ago

> Do you know of any other alternatives to Bintray/JCenter (other than MavenCentral)?

Any reason why not MavenCentral? It could help to propose an alternative with a different design

AndroidDeveloperLB commented 3 years ago

@kakawait What are the advantages of using MavenCentral? Is it free? Is it easy?

kakawait commented 3 years ago

> @kakawait What are the advantages of using MavenCentral? Is it free? Is it easy?

It's free and a bit of a de facto standard. The first time it's not easy and you have to sign your jar. But once it's automated it's OK

AndroidDeveloperLB commented 3 years ago

@kakawait Is there a lot to configure for each new repository and/or update? On Jitpack, I can't find any way for it to be easier.

kenyee commented 3 years ago

I'd strongly recommend Maven Central...it's a more professional thing to use than stuff like Jitpack....

AndroidDeveloperLB commented 3 years ago

@kenyee I've seen recommendations for both. Jitpack doesn't seem bad at all. Maven Central seems to be way too complex to even begin working with it.

kenyee commented 3 years ago

Maven isn't bad...Marton wrote up a decent article on the steps: https://proandroiddev.com/publishing-android-libraries-to-mavencentral-in-2021-8ac9975c3e52

The main issue w/ jitpack is the changeability...e.g., you can release a new version and then within six hours release it again w/ the same version. This is something that is a bit worrisome for a security library obviously...
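
Added example (not part of the thread and not Lazysodium's code): a same-version re-release like the one described in the comment above is what checksum pinning detects. The sketch reads SHA-256 pins laid out as in Gradle's `verification-metadata.xml` and compares them with artifact bytes; the `com.example:demo-lib` coordinate, the byte strings and the helper names are constructed for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

NS = {"v": "https://schema.gradle.org/dependency-verification"}

# Constructed stand-ins for two uploads published under the same version.
FIRST_BUILD = b"constructed artifact bytes: first upload of 1.0.0"
REPUBLISHED = b"constructed artifact bytes: second upload of 1.0.0"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample in the layout of gradle/verification-metadata.xml;
# the pin is computed from FIRST_BUILD, i.e. taken when 1.0.0 was first reviewed.
SAMPLE_METADATA = f"""<verification-metadata xmlns="https://schema.gradle.org/dependency-verification">
  <components>
    <component group="com.example" name="demo-lib" version="1.0.0">
      <artifact name="demo-lib-1.0.0.aar">
        <sha256 value="{sha256_hex(FIRST_BUILD)}" origin="constructed sample"/>
      </artifact>
    </component>
  </components>
</verification-metadata>"""


def load_pins(xml_text: str) -> dict:
    """Map (group, name, version, file name) -> pinned SHA-256 hex digest."""
    pins = {}
    root = ET.fromstring(xml_text)
    for comp in root.iterfind("v:components/v:component", NS):
        gav = (comp.get("group"), comp.get("name"), comp.get("version"))
        for art in comp.iterfind("v:artifact", NS):
            digest = art.find("v:sha256", NS)
            if digest is not None:
                pins[gav + (art.get("name"),)] = digest.get("value").lower()
    return pins


def check_artifact(pins: dict, key: tuple, data: bytes) -> str:
    """Return 'ok', 'mismatch' (same version, different bytes) or 'unpinned'."""
    pinned = pins.get(key)
    if pinned is None:
        return "unpinned"  # fail closed: an unknown artifact is not trusted
    return "ok" if pinned == sha256_hex(data) else "mismatch"


KEY = ("com.example", "demo-lib", "1.0.0", "demo-lib-1.0.0.aar")
PINS = load_pins(SAMPLE_METADATA)
print(check_artifact(PINS, KEY, FIRST_BUILD), check_artifact(PINS, KEY, REPUBLISHED))
```

A `mismatch` for an unchanged version string means the repository served different bytes than the ones that were pinned, so the build should stop until the change is reviewed.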

gurpreet- commented 3 years ago

Lazysodium for Java has been migrated away from Bintray and is now on MavenCentral 🥳 Please visit the readme on how to install it.

The more rigorous steps for submitting a project into the Sonatype repository meant that the groupId had to unfortunately change 😔 That's the only breaking change.

AndroidDeveloperLB commented 3 years ago

@gurpreet- Please update the repositories' main websites here and for Android. On Android, it still says we should use "jcenter()":

https://github.com/terl/lazysodium-android#1-install

There is even a link to here:

https://bintray.com/terl/lazysodium-maven/lazysodium-android/4.3.2

gurpreet- commented 3 years ago

@AndroidDeveloperLB I'm still in the process of moving Lazysodium Android away from Bintray so that's why that hasn't been updated

AndroidDeveloperLB commented 3 years ago

@gurpreet- Can you please update me when it's completely ready, and what to write in the gradle file (for Android)?

gurpreet- commented 3 years ago

@AndroidDeveloperLB Sure, I'll update here.

Currently, Azure Pipelines is being a pain even though it is a great CI tool. With Azure Pipelines not building no matter what I try (I think they have a problem), I can't release Lazysodium.

I'm switching to GitHub Actions.

kenyee commented 3 years ago

> Lazysodium for Java has been migrated away from Bintray and is now on MavenCentral 🥳 Please visit the readme on how to install it.
>
> The more rigorous steps for submitting a project into the Sonatype repository meant that the groupId had to unfortunately change 😔 That's the only breaking change.

Thanks...well worth it :-)

gurpreet- commented 3 years ago

Good news. The move to GitHub Actions has been completed for:

All the above repos now support SNAPSHOTs. In other words, that means that the latest master branch is compiled and uploaded to Sonatype's Snapshot Repository for usage in your projects. One might want to do this if you want to test something in master that's not in a formal release yet.

gurpreet- commented 3 years ago

Further good news: Lazysodium Android version 5.0.0 has now been moved away from Bintray and is now on MavenCentral!

To now use Lazysodium in your projects, ensure you are using mavenCentral as a repository rather than jCenter or Bintray. Further info can be found on the Installation page.

CC: @AndroidDeveloperLB

AndroidDeveloperLB commented 3 years ago

@gurpreet- Nice. I think the jna one has a more updated version though:

    implementation 'net.java.dev.jna:jna:5.8.0@aar'

Maybe you should just link to it instead:

https://mvnrepository.com/artifact/net.java.dev.jna/jna

https://github.com/java-native-access/jna/releases

gurpreet- commented 3 years ago

@AndroidDeveloperLB I tried linking to it but some developers complained that the newer versions of JNA broke their builds. Therefore it has remained hardcoded for now.

AndroidDeveloperLB commented 3 years ago

@gurpreet- It did? How odd. What was the error?

gurpreet- commented 3 years ago

Not sure, please open a new issue if you want to investigate that further. I want to keep this issue on the topic of moving away from Bintray

AndroidDeveloperLB commented 3 years ago

@gurpreet- OK sorry. Can you at least show the issue they complained about? Maybe if reproduced, it's an error with IDE/gradle.

gurpreet- commented 3 years ago

@AndroidDeveloperLB please see https://github.com/terl/lazysodium-java/issues/103

kenyee commented 3 years ago

> Further good news: Lazysodium Android version 5.0.0 has now been moved away from Bintray and is now on MavenCentral!

Nice work..thanks :-)

AndroidDeveloperLB commented 3 years ago

@gurpreet- Weird. For me those work fine (using the canary/beta version of the IDE and the gradle version of it too):

    implementation "com.goterl:lazysodium-android:5.0.0@aar"
    implementation 'net.java.dev.jna:jna:5.8.0@aar'

But then I've noticed some build errors for these imports:

    import com.goterl.lazycode.lazysodium.LazySodiumAndroid
    import com.goterl.lazycode.lazysodium.SodiumAndroid
    import com.goterl.lazycode.lazysodium.interfaces.PwHash.Alg
    import com.goterl.lazycode.lazysodium.interfaces.SecretStream

Seems the packages changed a bit. Should be:

    import com.goterl.lazysodium.*
    import com.goterl.lazysodium.interfaces.*

gurpreet- commented 3 years ago

Now that I have migrated to Maven Central, it's now time to remove jCenter from the projects.

Lazysodium Java

This has been done in the following commits/PRs for Lazysodium Java https://github.com/terl/lazysodium-java/commit/72b4cee997e3c02cf759db1ab05ee21df4f4143c and is in release 5.0.1.

Lazysodium Android

For Lazysodium Android it is currently a work in progress in this PR https://github.com/terl/lazysodium-android/pull/48. It's blocked due to trove4j not being found.

    Could not find org.jetbrains.trove4j:trove4j:20160824.

There are issues already raised to get it in Maven Central: https://youtrack.jetbrains.com/issue/IDEA-261387, https://youtrack.jetbrains.com/issue/KT-44730

The recommended solution of adding the following is not unreasonable but I would rather not do this:

    jcenter {
        content {
            // https://youtrack.jetbrains.com/issue/IDEA-261387
            includeModule("org.jetbrains.trove4j", "trove4j")
        }
    }

AndroidDeveloperLB commented 3 years ago

@gurpreet- I think that if you use the canary (or beta) version of the IDE, together with a newer version of gradle, you can avoid jcenter completely. That's what I did: https://github.com/terl/lazysodium-android/issues/15#issuecomment-813214466

gurpreet- commented 3 years ago

I think it's unfeasible to ask developers to upgrade to the latest canary versions of their IDEs. Some crazy people might not even use an IDE and may just use the command line 😄

With jFrog now keeping their jCenter repository open till next year, I've made a decision to keep using jCenter for the trove4j dependency specifically till that linked issue above is resolved.

This is available in Lazysodium Android 5.0.1 👍

gurpreet- commented 3 years ago

With that being said, I think this issue has now been resolved as everything has been migrated away from jCenter (minus, of course, the above trove4j dependency for LS Android) in version 5.0.1.

I will keep this issue open for a little while longer. Let me know in here if you see any problems.

AndroidDeveloperLB commented 3 years ago

@gurpreet- That's true, but the gradle plugin will get updated to support it officially soon. If people want to avoid jcenter, they can't do it on the stable version yet (with or without using your repository).

Salzian commented 3 years ago

Are you planning on uploading other major versions to Maven Central as well? We still require 3.8.0.

AndroidDeveloperLB commented 3 years ago

@Salzian If it's urgent, you can use beta/canary versions of Android Studio (with the updated gradle plugin, of course).

Salzian commented 3 years ago

Never mind, I have misunderstood something. I'll have to triage if 3.8.0 -> 5.0.1 is a drop-in replacement anyways and we'll just bump.

gurpreet- commented 3 years ago

@Salzian I could release older versions of lazysodium but with jCenter being deprecated it would mean that those older libraries that rely on jCenter would go defunct at some point.

Version 5 of lazysodium brings a lot of bug fixes anyway. The underlying library resource-loader is constantly improving to load native libraries under all kinds of circumstances in all kinds of environments. In fact, creating a wrapper over Libsodium was the easy part. It's actually the seamless loading of the native libraries (.so, .dll, .dylib) out of (nested) JARs and out of different operating system file structures that has proved to be a huge challenge.

It is indeed a drop in replacement. The only thing you will have to do is find and replace the package ID.

Salzian commented 3 years ago

I was not taking into account that a version bump is needed to update the dependencies of lazysodium itself. However the upgrade was easy and painless, only the namespace change was required, nothing has seemed to break since then. We simply bumped the version and are now running on 5.0.1 successfully without jCenter. Thanks for considering anyways! 👍

gurpreet- commented 3 years ago

Looks like we're fully migrated now. Closing...