That’s good news. Thanks.
This is starting to feel rather brattle and, particularly without any staging mechanism, it makes the risk of uploading a plugin to the Portal start to outweigh the benefits.
I don’t think the pom can be considered an implementation detail as it leaks out in some obvious places. It’s apparent from the m2 in the plugin repository’s url (https://plugins.gradle.org/m2/) that Maven and therefore a pom is involved. Users can also see log messages for a pom being downloaded when the plugin isn’t already cached locally.
I also have a more general concern about what should be the same artifact being in different repositories with different metadata. If a user reports a problem with the plugin that could be caused by a faulty pom (perhaps a dependency is in the wrong scope), I don’t what to have to ask how the plugin was installed to know which pom will be involved.
Another point in favour of allowing plugin authors to provide their own pom is that it means that the automatic pom generation doesn’t have to understand things like jarjar. Perhaps it already does? However, providing an escape hatch that allows a user to specify their own pom would appear to be more robust as it gives the plugin author complete control when needed.
I think it’s a shame that the new approach replaced the old approach. While it is undoubtedly simpler, that simplification has come at a cost that’s too high for us. Could the old approach be run in parallel for plugin authors with more sophisticated requirements? It worked very well for us, providing all of the control and safeguards that are missing from the new plugin-based approach.