
This actually makes the world a better place. Every serious Java project is capable of meeting Maven Central's few requirements and publishing artifacts there. Bintray is just a place to put stuff on the internet. Which serious project would use artifacts from such a place?


Publishing to maven central isn't particularly difficult, but it is a high friction process.

You have to file an issue on a JIRA board.

Provide proof of owning a namespace(dns txt record, or github).

Wait for a human to review and approve the ticket.

Create a PGP key.

Publish the PGP key to public key servers.

Submit your builds via the webapp.

Wait for the verification process to complete.

Have it fail a bunch of times randomly, because despite uploading your PGP key to as many of the keyservers as you could, there seems to be a huge key replication delay between keyserver instances, and the verification process can't find the key published.

Once verified, actually publish the build.

Most of the pain is one-off; once you have gone through it, publishing new builds can be automated.

The PGP signing is pointless, you can sign with any key you like, and change the key as often as you like, just so long as the key is published. 10 years in the industry, I have never heard of anyone checking the signatures on maven artifacts.


> The PGP signing is pointless, you can sign with any key you like, and change the key as often as you like, just so long as the key is published. 10 years in the industry, I have never heard of anyone checking the signatures on maven artifacts.

I check them on every build, with the pgpverify maven plugin: https://github.com/m50d/tierney/blob/master/free/keys.proper... . Presumably I'm not the only one since that plugin exists.
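The two comments above disagree about whether Maven Central's PGP signatures mean anything. The following is an added example, not code from the thread or from pgpverify-maven-plugin, that models both positions as a policy check: a valid detached signature on its own only proves that some published key signed the artifact (the "any key you like" case), and it becomes a real control once the consumer pins which key fingerprint may sign each artifact, which is what a keys map for a plugin like pgpverify gives you. The keys-map syntax (`groupId:artifactId = 0xFINGERPRINT`), the `VerifyResult` type standing in for a `gpg --verify` outcome, and all coordinates and fingerprints are assumptions constructed for illustration.

```python
"""Signature-policy check for Maven artifacts (added example, not from the thread).

A PGP tool tells you whether the .asc verifies against some key and which key
that was. Whether that key is the one you expect is a separate decision, and
it is the decision that makes or breaks the control. The keys-map syntax and
all sample data below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class VerifyResult:
    """Stand-in for the outcome of `gpg --verify artifact.jar.asc artifact.jar`.

    `valid` says only that the signature matches the public half of the key
    identified by `signer_fingerprint` (40 hex digits). Nothing more.
    """
    valid: bool
    signer_fingerprint: Optional[str]


def artifact_repo_paths(group_id: str, artifact_id: str, version: str) -> Tuple[str, str]:
    """Return (jar path, detached-signature path) in Maven repository layout."""
    base = f"{group_id.replace('.', '/')}/{artifact_id}/{version}/{artifact_id}-{version}"
    return f"{base}.jar", f"{base}.jar.asc"


def normalize_fingerprint(fpr: str) -> str:
    """Upper-case, strip spaces and an optional 0x prefix; insist on a full fingerprint.

    Pinning full fingerprints rather than short key IDs matters: 32-bit key IDs
    are trivially collidable, so a short ID pins nothing.
    """
    fpr = fpr.strip().replace(" ", "").upper()
    if fpr.startswith("0X"):
        fpr = fpr[2:]
    if len(fpr) != 40 or any(c not in "0123456789ABCDEF" for c in fpr):
        raise ValueError(f"not a full 40-hex-digit fingerprint: {fpr!r}")
    return fpr


def parse_keys_map(text: str) -> Dict[str, str]:
    """Parse assumed `groupId:artifactId = 0xFPR` lines into {coords: fingerprint}."""
    pinned: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected 'group:artifact = fingerprint'")
        coords, fpr = (part.strip() for part in line.split("=", 1))
        if coords.count(":") != 1:
            raise ValueError(f"line {lineno}: bad coordinates {coords!r}")
        pinned[coords] = normalize_fingerprint(fpr)
    return pinned


def check_artifact(coords: str, result: VerifyResult, keys_map: Optional[Dict[str, str]]) -> str:
    """Decide whether to accept an artifact given the tool's verify result.

    "accept:unpinned" is the mode the first comment calls pointless: the
    signature verified, but any key anyone uploaded to a keyserver would do.
    """
    if not result.valid or result.signer_fingerprint is None:
        return "reject:bad-signature"
    if keys_map is None:
        return "accept:unpinned"
    expected = keys_map.get(coords)
    if expected is None:
        return "reject:unknown-artifact"  # keys map in use, nothing pinned for this artifact
    if normalize_fingerprint(result.signer_fingerprint) != expected:
        return "reject:wrong-key"
    return "accept:pinned"


# Constructed sample data: not real projects, not real keys.
SAMPLE_KEYS_MAP = """
# coordinates = fingerprint of the key allowed to sign releases
com.example:widget = 0x0123456789ABCDEF0123456789ABCDEF01234567
"""
TRUSTED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
ATTACKER_FPR = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"  # any key anyone can publish


def demo() -> Dict[str, str]:
    """Run the same artifact through the unpinned and pinned policies."""
    pinned = parse_keys_map(SAMPLE_KEYS_MAP)
    good = VerifyResult(valid=True, signer_fingerprint=TRUSTED_FPR)
    swapped = VerifyResult(valid=True, signer_fingerprint=ATTACKER_FPR)
    broken = VerifyResult(valid=False, signer_fingerprint=None)
    return {
        "no keys map, attacker key": check_artifact("com.example:widget", swapped, None),
        "pinned, attacker key": check_artifact("com.example:widget", swapped, pinned),
        "pinned, right key": check_artifact("com.example:widget", good, pinned),
        "pinned, unlisted artifact": check_artifact("com.example:other", good, pinned),
        "broken signature": check_artifact("com.example:widget", broken, pinned),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:28s} -> {verdict}")
```

The first row of `demo()` is the situation the "pointless" comment describes: a fresh key signed the artifact, the key is on a keyserver, and verification passes. The second row is what changes once the fingerprint is pinned per artifact. The "unlisted artifact" row is the operational cost of that model: every new dependency has to be added to the keys map, and the first time you add it you are trusting whatever key signed that release, so pin it from a source other than the repository you are about to trust.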


Well, you have ended my streak I guess.


Seconded - the process is fine if you're an Apache project or whatever, but for an individual developer with a handful of small libraries to share, it's not worth it.


The process is also not difficult for individual developers. Most of the steps to publish on Maven Central have to be done only once and there is good documentation about how to do it. Meeting some minimum requirements, such as proving namespace ownership or defining a license, improves the quality of a public artifact repository significantly. Who wants to use artifacts from a repository where everyone can just dump their stuff without any checks? Or who wants to use software that is based on such dependencies? Although Maven Central is not a perfect place either, you can at least be sure that the artifacts there meet some basic requirements.


A vast number of the applications in the Android ecosystem use JCenter.


Most of them don't need to. The default project template inserts jCenter() in the buildscript, but most artifacts are proxied from Central.


No I mean that a vast number of the libraries in the Android ecosystem are actually hosted on the free jcenter repository.

Removing jcenter as a source in the buildscript is a trivial step but doesn't remedy the issue as the dependencies are not all mirrored elsewhere.

The complexity of setting up a Maven Central account is often listed as the main cause of maintainers simply going for JCenter instead.


> Which serious project would use artifacts from such a place?

Plenty of them, since it's just adding a few lines to either pom.xml or the Gradle script. Sure, maybe there's rules against it in your org, but if it works then a code reviewer might say whatever, there's bigger problems



