It is exactly as convenient (if not more). You set up a set of 3 repositories (local for your modules, remote to proxy PyPI, and virtual, which unifies them under a single URL, which solves the #2 you mentioned).
Ouch, that's bad, shouldn't happen and usually doesn't happen. Ping me in DMs on Twitter (@jbaruch) or by email (jbaruch@jfrog.com) and I'll investigate what happened.
Re "Bintray isn't standard": There is no standard; both Bintray and Maven Central are just internet repositories. JCenter is bigger, so if you define "standard" as "bigger one", Bintray is the way to go.
If by "standard" you meant "default", like Maven Central is the default in Maven, here I have some news for you as well.
Bintray is the default in Mac OS' Homebrew, Android Studio, Groovy's @Grab, and a first-class citizen in Gradle, Ivy and SBT.
Look at Twitter. Everybody couldn't be happier because Maven Central is served over SSL now. That's good. But if you can't verify what they serve you over SSL, it is worth nothing. I am glad you understand that. Most people seem not to.
Once you understand that, how can you verify the content? Bintray helps with that, Maven Central makes it hard.
I think @iancarroll is pointing out that you seem to be conflating signature and identity verification. They are different concerns, yet both are necessary for secure software distribution.
Fine if you reject web-of-trust style identity verification, but your notion of "web identity verification" is not in any way a good substitute for code signature verification. What if someone compromises your hosted repository? Unless your artifact were already cryptographically signed, no amount of identity verification is going to help you.
That's very true. That's why Bintray has both "web identity verification" and PGP signing, while Maven Central gives you signing only, without a way to really identify the author.
Full disclosure - I am a Developer Advocate with JFrog, the company behind Bintray.
So, JCenter is a Java repository in Bintray (https://bintray.com/bintray/jcenter), which is the largest repo in the world for Java and Android OSS libraries, packages and components. All the content is served over a CDN, with a secure https connection.
JCenter is the default repository in Groovy Grape (http://groovy.codehaus.org/Grape), built into Gradle (the jcenter() repository) and very easy to configure in every other build tool (maybe except Maven), and will become even easier very soon.
Bintray has a different approach to package identification than the legacy Maven Central. We don't rely on self-issued key-pairs (which can actually be generated to represent anyone, and are never verified in Maven Central). Instead, similar to GitHub, Bintray gives a strong personal identity to any contributed library.
If you really need to get your package to Maven Central (for supporting legacy tools) you can do it from Bintray as well, at the click of a button or even automatically.
You mention both Bintray and Groovy. Look at the Bintray download stats for Groovy [1] and it reports 170,000 downloads in the past month. But 100,000 of them happen on just 6 days, 40,000 of those on just 1 day (18 July). Click on country and see that 120,000 of them came from China. Comparing the numbers suggests 100,000 downloads of Groovy from Bintray during July were faked. Another 900,000 downloads of Groovy were faked during April and May. I'm not sure I trust JCenter when the 2 technologies you recommend for it have together been used to fake one million downloads.
I am not sure how the fact that Bintray is DDoSed from China (and still fully operational without any interruption) dismisses your trust in Bintray.
I am also not sure how you figured out those are fake downloads. For sure the script that DDoSes Bintray from China won't use Groovy, but it's still a valid download. Not for showcasing how popular Groovy is (they factor out those things when talking about the numbers), but for the raw statistics - for sure. The file was downloaded, wasn't it?
So, both points are incorrect.