mapbox-gl-native-android

Make mapbox dependencies accessible in repositories without private key

Open deinlandel opened this issue 3 years ago • 2 comments

allprojects {
  repositories {
    maven {
      url 'https://api.mapbox.com/downloads/v2/releases/maven'
      authentication {
        basic(BasicAuthentication)
      }
      credentials {
        // Do not change the username below.
        // This should always be `mapbox` (not your username).
        username = 'mapbox'
        // Use the secret token you stored in gradle.properties as the password
        password = project.properties['MAPBOX_DOWNLOADS_TOKEN'] ?: ""
      }
    }
  }
}
  • This system is an absolute absurdity. No one hides open source library jars behind a passworded repo. By the way, it protects against nothing, as anyone can create an account and download library files. It just makes the build process more fragile and dependent on keys which are "secret" for an unknown and unexplained reason.

deinlandel, Dec 08 '20 14:12

Oh yes - this change in 9.6 broke CI for our open source project that uses mapbox, because we have no good way for our maven build to fetch jars now. :-(

geeksville, Feb 06 '21 02:02

Absolutely agree. Security which defends from nothing but makes a lot of pain for users. I thought only banking security officers were doing such BS. Also an absolutely weird thing: to fix a crash on Android 11 you need to update to a version which does not exist in the public repository anymore (the last public version, 9.2.1, does not work on 11).

boiler23, Feb 07 '21 10:02