Description
The following two snapshot paths are invalid and should really be rejected with a 400 response.
com/sonatype/test/testapp/0.0-dev-SNAPSHOT/testapp-0.0-dev-1487857435-ecfcead.tgz
com/sonatype/test/testapp/0.0-dev-SNAPSHOT/testapp-0.0-dev-1488295749-d11e956.tgz
I am seeing inconsistent behaviour in both Nexus 2 and Nexus 3 when using a direct deploy method like below.
curl -v -u admin:admin123 --upload-file somefile.tar.gz http://localhost:8083/nexus/repository/maven-snapshots/com/sonatype/test/testapp/0.0-dev-SNAPSHOT/testapp-0.0-dev-1487857435-ecfcead.tgz
com/sonatype/test/testapp/0.0-dev-SNAPSHOT/testapp-0.0-dev-1487857435-ecfcead.tgz
- Nexus 2 uploads with 201 response
- Nexus 3 fails with 400 response
com/sonatype/test/testapp/0.0-dev-SNAPSHOT/testapp-0.0-dev-1488295749-d11e956.tgz
- Nexus 2 fails with 400 response
- Nexus 3 works with 201 response
Expected
Nexus 2.x: We will not be making a change to Nexus 2.x codebase due to the potential regression risks related to users deploying or retrieving non-timestamped SNAPSHOT versions, which Apache Maven 2.x and Maven 1.x did allow.
Nexus 3.x: Nexus 3.x has dropped Maven 1.x support.
Nexus 3.x must allow deployments and retrieval of two types of SNAPSHOT versioning schemes:
- example-1.0-SNAPSHOT.jar (deprecated and not recommended in industry)
- example-1.0-20171208.202054-1.jar (preferred and modern)
All other invalid paths should be rejected for STRICT policy. Keep in mind there is a very strict layout for Maven 2 format repos.
The literal example-1.0-SNAPSHOT.jar form of file name is possible in Maven 2.x or versions of Apache Ivy. Sonatype does not recommend using non-timestamped snapshot versioning schemes, and we do not optimize for that use case; however, if you do, it should work.
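
The expected STRICT behaviour described above, sketched as an added example (not Nexus code and not part of the original ticket): a path check that accepts only the two SNAPSHOT file name schemes and answers 400 for anything else. The function name check_snapshot_path, the com/example/... paths, and the treatment of maven-metadata.xml and of non-SNAPSHOT version directories are assumptions made for the illustration.

```python
import re

# Timestamped snapshot qualifier: yyyyMMdd.HHmmss-buildNumber (shape check only)
_TIMESTAMP = r"\d{8}\.\d{6}-\d+"
# Optional "-classifier", then ".extension" (may contain dots, e.g. jar.sha1)
_TAIL = r"(?:-(?P<classifier>[^/.]+))?\.(?P<ext>[^/]+)"


def check_snapshot_path(path):
    """Hypothetical helper: (status, reason) for a deploy path in a STRICT snapshot repo."""
    parts = path.strip("/").split("/")
    # Need at least group/artifact/version/file, and no traversal segments
    if len(parts) < 4 or any(p in ("", ".", "..") for p in parts):
        return 400, "not group/artifact/version/file"
    artifact, version_dir, filename = parts[-3:]
    if not version_dir.endswith("-SNAPSHOT"):
        return 400, "version directory is not a SNAPSHOT"
    # Assumption: repository metadata (and its checksums) is always allowed
    if re.fullmatch(r"maven-metadata\.xml(\.\w+)?", filename):
        return 201, "metadata"
    base = version_dir[: -len("-SNAPSHOT")]
    prefix = f"{artifact}-{base}-"
    if not base or not filename.startswith(prefix):
        return 400, "file name does not start with artifactId-baseVersion"
    # What follows the base version must be SNAPSHOT or a timestamp-buildNumber
    m = re.fullmatch(rf"(?P<q>SNAPSHOT|{_TIMESTAMP}){_TAIL}", filename[len(prefix):])
    if m is None:
        return 400, "qualifier is neither SNAPSHOT nor yyyyMMdd.HHmmss-N"
    return 201, "literal snapshot" if m["q"] == "SNAPSHOT" else "timestamped snapshot"


if __name__ == "__main__":
    # First two paths are from the ticket; the com/example/... ones are constructed.
    for p in (
        "com/sonatype/test/testapp/0.0-dev-SNAPSHOT/testapp-0.0-dev-1487857435-ecfcead.tgz",
        "com/sonatype/test/testapp/0.0-dev-SNAPSHOT/testapp-0.0-dev-1488295749-d11e956.tgz",
        "com/example/example/1.0-SNAPSHOT/example-1.0-SNAPSHOT.jar",
        "com/example/example/1.0-SNAPSHOT/example-1.0-20171208.202054-1.jar",
    ):
        print(check_snapshot_path(p), p)
```

Both paths from the ticket fail at the qualifier check because 1487857435-ecfcead and 1488295749-d11e956 are neither SNAPSHOT nor a yyyyMMdd.HHmmss-N timestamp, so a single rule gives the same answer for both.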