Yes they need something like `mavenCentral()` to add to the build.gradle/pom.xml.
Otherwise the whole feature is useless IMO.
It's not entirely useless, since it's still convenient for private artifacts, but it's extremely limiting, for sure.
This mandatory authentication is quite strange decision for public NuGet packages. How it's supposed to work for big decentralized team?
So I want to start using a package from github. And I don't want to send everyone instructions how to make solution build after it. I can add repository in nuget.config to avoid everyone in team to add github source. What should I use for credentials here - seems keep it empty? But then what? Everyone in team have to create github account and do authentication? So it looks like it's usable only for personal projects.
They'd not only have to use a personal access token, but one that is scoped with "read:packages" on your repo, and SSO enabled, if applicable, so it's not just a matter convenience. I agree that it's very unfortunate.