Hey, remember when I wrote about a bunch of GitHub repositories distributing malware?
It turns out there were a lot more, since I was only looking in Compose-related repositories. Like, 10,000 or so repositories exhibiting the same pattern that I pointed out in December. 😮
Hopefully, this will get a bit more attention and will result in GitHub actually doing something to stop these attacks.
—Jun 21, 2026
This week, Sonatype announced that, in the not-too-distant future, developers who publish a lot of files through Maven Central, or publish frequently, will need to start paying for that privilege. The thresholds for “a lot of files” trip up nearly 100% of Kotlin Multiplatform projects, and the threshold for “frequently” will trip up many active developers with 3+ libraries.
This epic Kotlinlang Slack thread suggests that Sonatype does not intend to drag open source developers into a paid tier. They are looking to revise their policies a bit to help Kotlin Multiplatform developers, and JetBrains is looking into ways to trim the bloat of published KMP libraries.
My take on this: it feels like we are considering the issue purely through Sonatype’s framing of that issue.
Presumably Maven Central is reasonably expensive for Sonatype to operate, and so doing something to increase their revenue makes sense from Sonatype’s perspective. Tactically, I have no qualms with that. Strategically, my question is: why is Maven Central special?
In the world of Android, we have been down this road before. In the very early days, I advocated for us having a wide range of Android app distribution channels. I got push-back from some experts, who argued that there must be One True Distribution Channel, in the form of the Android Market, now known as the Play Store. As a result of handing a monopolist a monopoly, we get wonderful things like monopolistic behavior and more monopolistic behavior, to cite just two examples out of many.
In a healthy ecosystem, Maven Central would be one player among many. At present, though, Maven Central dominates the artifact distribution space. For a long time, I maintained my own Maven repo for my own libraries, but that approach is uncommon. Once you get past Maven Central, Google’s own Maven repo, and jitpack.io, we are deep into the “long tail” of public artifact repositories.
As it stands, we are banking on Sonatype’s good graces. If Sonatype collapses, Maven Central may well be toast. We will be left trying to pick up the pieces of our development ecosystem.
While I am all for trying to improve Sonatype’s situation and for making KMP libraries more svelte, I hope that some attention gets paid to trying to make artifact distribution more federated, so that Maven Central’s theoretical demise might have less impact.
IOW, and IMHO, we centralized too much.
(post revised based on reader feedback to remove a dated reference to private equity)
—Jun 20, 2026
This wave brings us a new artifact group, androidx.core.locationbutton, with three artifacts:
androidx.core.locationbutton:locationbutton
androidx.core.locationbutton:locationbutton-compose
androidx.core.locationbutton:locationbutton-testing
In other new-to-us artifacts, iOS is getting some Ink:
androidx.ink:ink-brush-iosarm64
androidx.ink:ink-brush-iossimulatorarm64
androidx.ink:ink-geometry-iosarm64
androidx.ink:ink-geometry-iossimulatorarm64
androidx.ink:ink-nativeloader-iosarm64
androidx.ink:ink-nativeloader-iossimulatorarm64
Overall, we got more than 800 artifact updates this time – check them out here!
—Jun 17, 2026
The cw-json repository now has version 0.4.0 of kmp-jsonpointer and kmp-jsonpointer-kxs.
In addition to the official JSON Pointer means of navigating JSON, this release adds unofficial-but-popular dot notation. It is the sort of syntax you see in template languages like Mustache, Handlebars, and Liquid. foo.bar.goo in dot notation is equivalent to /foo/bar/goo in official JSON Pointer syntax.
JsonPointer.from() now accepts all three core syntaxes:
There are dedicated functions like JsonPointer.fromDotNotation() for cases where you know the exact syntax that you want to support.
There is also a toDotNotation() function on JsonPointer instances that will give you the dot notation form of the pointer.
The Dokka documentation has been updated for 0.4.0.
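The dot-notation and JSON Pointer equivalence described above, as an added example that is not code from kmp-jsonpointer and does not use its API. The function names are hypothetical, and the example assumes dot notation has no escape syntax for a literal dot inside a key; the library may behave differently.

```kotlin
// Added example: standalone Kotlin, not kmp-jsonpointer's code or API.
// Every function name below is hypothetical.

// RFC 6901 escaping: "~" -> "~0" first, then "/" -> "~1".
fun escapeToken(token: String): String =
    token.replace("~", "~0").replace("/", "~1")

// RFC 6901 unescaping: "~1" -> "/" first, then "~0" -> "~",
// so "~01" decodes to "~1" and not to "/".
fun unescapeToken(token: String): String =
    token.replace("~1", "/").replace("~0", "~")

// Splits a JSON Pointer into its unescaped reference tokens.
fun tokens(pointer: String): List<String> {
    if (pointer.isEmpty()) return emptyList() // "" addresses the whole document
    require(pointer.startsWith("/")) { "JSON Pointer must be empty or start with '/'" }
    return pointer.drop(1).split("/").map(::unescapeToken)
}

// Assumption: dot notation has no escape syntax, so every "." separates keys.
fun dotToPointer(dot: String): String =
    if (dot.isEmpty()) "" else dot.split(".").joinToString("") { "/" + escapeToken(it) }

// Returns null when some key is empty or contains ".", since dot notation
// (under the assumption above) cannot express it.
fun pointerToDot(pointer: String): String? {
    val keys = tokens(pointer)
    return if (keys.any { it.isEmpty() || '.' in it }) null else keys.joinToString(".")
}

private val arrayIndex = Regex("0|[1-9][0-9]*") // RFC 6901: no leading zeros

// Walks nested Map/List values as a pointer walks JSON objects and arrays.
fun resolve(doc: Any?, pointer: String): Any? =
    tokens(pointer).fold(doc) { node, key ->
        when (node) {
            is Map<*, *> -> node[key]
            is List<*> -> key.takeIf { arrayIndex.matches(it) }?.toIntOrNull()?.let { node.getOrNull(it) }
            else -> null
        }
    }

fun main() {
    // Constructed sample document.
    val doc = mapOf("foo" to mapOf("bar" to mapOf("goo" to 42)), "a/b" to listOf("x", "y"), "v1.2" to "dotted")
    println(dotToPointer("foo.bar.goo"))               // pointer form of the post's example
    println(resolve(doc, dotToPointer("foo.bar.goo"))) // resolved through the converted pointer
    println(resolve(doc, "/a~1b/1"))                   // key containing "/", then an array index
    println(pointerToDot("/v1.2"))                     // key containing "." has no dot form here
}
```

Keys that contain a dot are the case to watch when accepting dot notation from templates or user input: under the no-escape assumption they are only addressable through the official pointer syntax.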
—Jun 08, 2026
No new-to-us artifact groups or artifacts this week, but we did get new versions of nearly 400 existing artifacts – check them out here!
—Jun 03, 2026