只使用jcenter还是同时使用jcenter和mavenCentral存储库更稳定？

Question

我有一些库只在jcenter存储库中，而不是在mavenCentral存储库中，所以在我的项目的build中，我必须添加严格必要的jcenter()存储库。但我想知道，对于我的应用程序来说，将来只使用jcenter()还是使用jcenter()和mavenCentral()会更稳定？

这将使我的项目的build仅使用jcenter()存储库：

buildscript {
    repositories {
        google()
        jcenter()
        
    }
    dependencies {
        classpath 'com.android.tools.build:gradle:7.2.1'
        classpath 'com.google.gms:google-services:4.3.13'
        classpath 'com.google.firebase:firebase-crashlytics-gradle:2.9.1'

    }
}

allprojects {
    repositories {
        google()
        jcenter()
        maven { url "https://jitpack.io" }
    }
}

task clean(type: Delete) {
    delete rootProject.buildDir
}

这可以让我的项目使用jcenter()和mavenCentral()存储库构建gradle：

buildscript {
    repositories {
        google()
        jcenter()
        mavenCentral()
    }
    dependencies {
        classpath 'com.android.tools.build:gradle:7.2.1'
        classpath 'com.google.gms:google-services:4.3.13'
        classpath 'com.google.firebase:firebase-crashlytics-gradle:2.9.1'

    }
}

allprojects {
    repositories {
        google()
        jcenter()
        mavenCentral()
        maven { url "https://jitpack.io" }
    }
}

task clean(type: Delete) {
    delete rootProject.buildDir
}

Answer 1

首先，你不应该再使用jCenter了。这是不支持的，只是因为生态系统的反弹而保持在线。jCenter的所有者计划完全关闭它

至于问题，拥有多个存储库是没有问题的。请记住，库是按声明存储库的顺序搜索的。

所以当你宣布

repositories {
  google()
  jcenter()
  mavenCentral()
  maven { url "https://jitpack.io" }
}

然后，gradle将搜索每个存储库，以搜索您声明的库。如果它是在谷歌回购-罚款，让我们使用这一点。否则，在jcenter中搜索它，等等。

我在适当的次序上的建议是：

mavenCentral() // most of libraries lives there and it's quite secure. Maven central requires domain ownership verification
google() // It's from google so it should be safe. But i'd move it after mavenCentral since there is not that much libraries from there. Proper repositories order might boost your gradle performance!
jitpack // Jitpack has many issues. The most pressing one is that it does not require domain ownership verification. So, if you move it to the top, somebody might create a copy of library you want to use under the same domain, upload it to jitpack and insert some malicious code. Jitpack should always be at the end of the chain to avoid that!
jCenter() // shouldn't be there. If there are some libraries still using that - create an issue on github pushing their owners can migrate to something else