Uploaded image for project: 'Dev - Nexus Repo'
  1. Dev - Nexus Repo
  2. NEXUS-12482

Inconsistent behaviour with upload to snapshot repository

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.2.1, 2.14.3
    • Fix Version/s: 3.8.0
    • Component/s: Maven
    • Labels:
    • Story Points:
      2

      Description

      The following two snapshot paths are invalid and should really be rejected with 400 response.

      com/sonatype/test/testapp/0.0-dev-SNAPSHOT/testapp-0.0-dev-1487857435-ecfcead.tgz
      com/sonatype/test/testapp/0.0-dev-SNAPSHOT/testapp-0.0-dev-1488295749-d11e956.tgz

      I am seeing inconsistent behaviour in both Nexus 2 and Nexus 3 when using a direct deploy method like below.

      curl -v -u admin:admin123 --upload-file somefile.tar.gz http://localhost:8083/nexus/repository/maven-snapshots/com/sonatype/test/testapp/0.0-dev-SNAPSHOT/testapp-0.0-dev-1487857435-ecfcead.tgz
      

      com/sonatype/test/testapp/0.0-dev-SNAPSHOT/testapp-0.0-dev-1487857435-ecfcead.tgz

      • Nexus 2 uploads with 201 response
      • Nexus 3 fails with 400 response

      com/sonatype/test/testapp/0.0-dev-SNAPSHOT/testapp-0.0-dev-1488295749-d11e956.tgz

      • Nexus 2 fails with 400 response
      • Nexus 3 works with 201 response

      Expected

      Nexus 2.x: We will not be making a change to Nexus 2.x codebase due to the potential regression risks related to users deploying or retrieving non-timestamped SNAPSHOT versions, which Apache Maven 2.x and Maven 1.x did allow.

      Nexus 3.x: Nexus 3.x has dropped Maven 1.x support.

      Nexus 3.x must allow deployments and retrieval of two types of SNAPSHOT versioning schemes:

      • example-1.0-SNAPSHOT.jar ( deprecated and not recommended in industry )
      • example-1.0-20171208.202054-1.jar ( preferred and modern )

      All other invalid paths should be rejected for STRICT policy. Keep in mind there is a very strict layout for Maven 2 format repos.

      The literal example-1.0-SNAPSHOT.jar form of file name is possible in Maven 2.x or versions of Apache IVY. Sonatype does not recommend using non-timestamped snapshot versioning schemes, and we do not optimize for that use case, however if you do it should work.

        Attachments

          Activity

            People

            Assignee:
            jtom Joe Tom
            Reporter:
            msurani Mahendra Surani
            Last Updated By:
            Peter Lynch
            Team:
            Nexus - Formats
            Votes:
            0 Vote for this issue
            Watchers:
            6 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved:
              Date of First Response:

                tigCommentSecurity.panel-title