-1

I have some libraries that are only in jcenter repository and not in mavenCentral repository so in my project's build gradle I have to add strictly necessary jcenter() repository. But I was wondering what would be more stable for my app in the future, to use only jcenter() or to use either jcenter() and mavenCentral()?

This would me my project's build gradle only using jcenter() repository:


buildscript {
    repositories {
        google()
        jcenter()
        
    }
    dependencies {
        classpath 'com.android.tools.build:gradle:7.2.1'
        classpath 'com.google.gms:google-services:4.3.13'
        classpath 'com.google.firebase:firebase-crashlytics-gradle:2.9.1'

    }
}

allprojects {
    repositories {
        google()
        jcenter()
        maven { url "https://jitpack.io" }
    }
}

task clean(type: Delete) {
    delete rootProject.buildDir
}

And this would me my project's build gradle using both jcenter() and mavenCentral() repositories:


buildscript {
    repositories {
        google()
        jcenter()
        mavenCentral()
    }
    dependencies {
        classpath 'com.android.tools.build:gradle:7.2.1'
        classpath 'com.google.gms:google-services:4.3.13'
        classpath 'com.google.firebase:firebase-crashlytics-gradle:2.9.1'

    }
}

allprojects {
    repositories {
        google()
        jcenter()
        mavenCentral()
        maven { url "https://jitpack.io" }
    }
}

task clean(type: Delete) {
    delete rootProject.buildDir
}
Eldestornillador
  • 77
  • 6

1 Answers1

3

First of all - you shouldn't be using jCenter at all anymore. It's not supported, just kept online because of the ecosystem backlash. Owners of jCenter planned to shut it down completely

As to question - there is no problem in having multiple repositories. Just keep in mind that library is searched by the order of declared repositories.

So when you declare

repositories {
  google()
  jcenter()
  mavenCentral()
  maven { url "https://jitpack.io" }
}

Then gradle will search each one of the repositories in search of library you declared. If it is in the google repo - fine, let's use that. Otherwise search for it in jcenter and so on.

My adwise on the proper order would be:

mavenCentral() // most of libraries lives there and it's quite secure. Maven central requires domain ownership verification
google() // It's from google so it should be safe. But i'd move it after mavenCentral since there is not that much libraries from there. Proper repositories order might boost your gradle performance!
jitpack // Jitpack has many issues. The most pressing one is that it does not require domain ownership verification. So, if you move it to the top, somebody might create a copy of library you want to use under the same domain, upload it to jitpack and insert some malicious code. Jitpack should always be at the end of the chain to avoid that!
jCenter() // shouldn't be there. If there are some libraries still using that - create an issue on github pushing their owners can migrate to something else
Jakoss
  • 4,647
  • 2
  • 26
  • 40
  • In other post they suggested me to put google() at the top, "You can specify both. The addition of other repositories has no effect on the way Firebase works, as everything for Firebase is hosted out of google. Just make sure google is always listed first.". Would it be okay to use 1-google()2-mavencentral(),3-jitpack(),4-jcenter()? – Eldestornillador Aug 24 '22 at 11:04
  • You can do whatever you like. But we can't tell you what will be best in the long term because that will depend on future business decisions of the commercial entities who run the respective repositories. We are not clairvoyant. But hey, does it really matter? You can change the Gradle build file ... – Stephen C Aug 24 '22 at 12:03
  • @Eldestornillador if you really need jCenter keep it before Jitpack to avoid fake libraries. As to google on top - i have more libraries from mavenCentral than from google so it's just a little bit faster to resolve all libraries this way. But this is not a game changer or anything (unless you are using huawei maven repo, this repo is CRAZY slow) – Jakoss Aug 24 '22 at 12:36