At first the new URLs for snapshots moved to:

https://central.sonatype.com/repository/maven-snapshots

If you have connection settings defined the upload works as usual.

But when you want to retrieve snapshots from "https://central.sonatype.com/repository/maven-snapshots", bnd uses the connection settings to get the artifacts.

The problem is now with the new repository, that if you request data without credentials, you can access al artifacts. But if you are logged in, you are only able to access artifacts, you have uploaded.

I dont have a solution yet, but I think about something like a property auth=false at a repository definition:

-plugin.2.Central: \
    aQute.bnd.repository.maven.provider.MavenBndRepository; \
	releaseUrl			= "https://repo.maven.apache.org/maven2/"; \
	snapshotUrl			= "https://central.sonatype.com/repository/maven-snapshots/";\
        index=${.}/central.mvn; \
        readOnly=true; \
        **auth=false;\**
        name="Central"

This should lead, not to take the connection settings when reading the snapshots. I am not sure if it is a good ideo to bind it to the readOnly property, because it might be a use case that you need credentials for a nexus even for read only acces.