JCenter is deprecated
langford opened this issue · 5 comments
Describe the bug
As of March 2021, jcenter went readonly. See https://developer.android.com/studio/build/jcenter-migration or https://jfrog.com/blog/into-the-sunset-bintray-jcenter-gocenter-and-chartcenter/
The pom.xml directions in https://github.com/uio-bmi/crypt4gh#readme give jcenter.bintray.com as the repository.
Maven central or another repository seems like a good second option to list this project. I know of https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-gradle-registry but do not know the pluses or minuses there.
I know I see some pretty harsh warnings when including this in Android studio. Some sources say jcenter planned to completely shut off some jcenter services as of Feb 2022, I am not sure if they carried through on that or not.
To Reproduce
Steps to reproduce the behavior:
- Go to 'https://github.com/uio-bmi/crypt4gh#readme'
- Copy sections of the pom.xml into Android studio (or ostensibly any other modern IDE that will use/convert these).
- Attempt to sync packages for the v.2.4.3 release
- See error: "Unable to resolve dependency for ':app@debugUnitTest/compileClasspath': Could not resolve no.uio.ifi:crypt4gh:v2.4.3" (The same occurs for no.uio.ifi:crypt4gh:2.4.3 or even no.uio.ifi:crypt4gh:+ which would download the latest of any version available).
Expected behavior
The library artifact is fetchable from a trustworthy repository, and future versions (v2.4.4, e.g) will be fetchable as well.
Screenshots
n/a
Desktop (please complete the following information):
- OS: macOS 11.6
- Browser: Safari (not that it matters)
- Android Studio Bumblebee 2021.1.1
Additional context
As a workaround a user could build directly from GitHub
I see in 907ffac that you switched to GitHub.
Perhaps you know this, but GitHub requires authentication to allow the downloading of packages even (as of March 2022). It's not the same as jcenter/mavenCentral in that respect.
Thanks for raising this issue, @langford!
We switched to GitHub Packages after JFrog decided to shut down Bintray and JCenter. We thought that GitHub Packages would be an easier option to contain everything in one place.
We are open to using other artifactory services to publish our Maven artifacts, but we will also keep using GitHub Packages. Please feel free to suggest any artifactory service you might think would be beneficial.
Thanks for the reply: I'm not strongly opinionated on that front. I do know this was not a very well documented maven host to try to use a library/package from.
My project uses Gradle btw. I only say that for context. Typically Gradle projects can use maven projects.
I did eventually manage to get maven reliably downloading the package at least. For documentation purposes, here what my macOS ~/.m2/settings.xml looked like when I did:
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0
http://maven.apache.org/xsd/settings-1.0.0.xsd">
<activeProfiles>
<activeProfile>github</activeProfile>
</activeProfiles>
<servers>
<server>
<id>github</id>
<username>my_username</username>
<password>A_read_token_created_according_to_github_doc</password>
</server>
</servers>
<profiles>
<profile>
<id>github</id>
<repositories>
<repository>
<id>central</id>
<url>https://repo1.maven.org/maven2</url>
</repository>
<repository>
<id>github</id>
<name>Github uio-bmi Apache Maven Packages 2nd version</name>
<url>https://maven.pkg.github.com/uio-bmi/crypt4gh/</url>
<snapshots>
<enabled>true</enabled>
</snapshots>
</repository>
</repositories>
</profile>
</profiles>
</settings>
Here is the procedure I followed (only selecting "read packages", not write packages):
(from https://saker.build/blog/github_packages_maven/)
I don't believe you folks did anything wrong with your setup, and I haven't yet tried to use another project's GitHub hosted maven project as of yet. I provide the above in case it's useful for changing your README.md
After spending time working with both Gradle and Maven, I never was able to do much more than the above. I didn't have enough to continue flailing around getting Gradle to be able to find the package, so just vendored the code and manually added the license to our acknowledgements list.
My issue may be more subtle and entirely unrelated to GitHub. Like the correct answer may be for me to be re-packaging it more formally as a library or something then use that repackaging. Either way, If you aren't motivated further to make this sharable by some other impetus, our project for one, is able to manage well enough as we are now.
PS: We are looking to use this implementation to make standard-compliant files durably encrypted in a recoverable format via a key held only by the back office, supported by tools in multiple programming languages. (This is not for genetic data, but medication administration records encoded as json for a medical study conducted using mobile devices which are sometime out of touch with the network). This format seems to essentially be what we were cooking up ourselves (an AES-crypt + RSA thing) and then a lot more. The documented paper on the crypt4gh format is wonderful btw! I'm still on the proof of concept stage for this feature, but as the app is due soon, we should know shortly if it was sufficient to the task.
Thank you so much again, @langford!
Actually, we are doing the exact same thing you described with generating a token from GitHub and adding a similar settings.xml
to other repos that use a Maven artifact as a dependency. You can take a look at how we implemented it in a GitHub workflow step to be able to automatically download the Maven dependency for build here.
We are in the middle of a service launch and we are doing a lot of tidy up work. I have added an issue to update the README.md
file in #55.
PS: This project is used to encrypt human data to be stored for research purposes. The service is called Federated EGA
which can be found here. It is an Elixir project. All the code is open and you can use it for your own purposes.