  1. Dev - Nexus Repo
  2. NEXUS-15734

Proxied yum packages can become undiscoverable


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: 3.8.0
    • Fix Version/s: None
    • Component/s: Yum
    • Labels:
    • Story Points: 5

      Description

      NXRM Proxy repos should continue to serve packages even if they go missing upstream. However, since we proxy the metadata listing from upstream we're vulnerable to effectively propagating upstream deletions.

      1. Create a yum hosted repo with two RPMs in it.
      2. Wait for the hosted repository to generate the metadata (this defaults to 60 seconds).
      3. Create a yum proxy of the hosted repo.
      4. Fetch the metadata through the proxy, specifically repomd.xml which will automatically fetch primary.xml.gz.
      5. Fetch both the RPMs through the proxy so that they are cached.
      6. Delete one of the RPMs from the hosted repo and wait for the metadata to be regenerated. The primary.xml.gz file in the hosted repository should now only list one RPM.
      7. Invalidate the cache on the proxy and then fetch the repomd.xml again.
      8. The primary.xml.gz file in the proxy will now only list one RPM but both RPMs will be available in the repository.

      (Note: another way to reproduce this would be to use a CentOS 6 Docker image and a CentOS 7 Docker image: point a proxy at a CentOS 6 remote, http://mirror.centos.org/centos-6/6.9/os/x86_64/, and install some packages; change the remote URL to CentOS 7, http://mirror.centos.org/centos-7/7/os/x86_64/, and install some packages; then go back and try to install the 6 packages, which will fail.)

      This issue is the Yum version of the NPM-specific NEXUS-15714.
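
A check for the end state in step 8, added here as an example and not Nexus code: it reports cached RPMs that the proxied primary.xml.gz no longer lists. The sample metadata and path list are constructed, and how the cached asset paths are exported from the proxy is left as an assumption.

```python
import gzip
import io
import xml.etree.ElementTree as ET

# XML namespace of yum "primary" metadata.
COMMON_NS = "{http://linux.duke.edu/metadata/common}"

def listed_rpm_paths(primary_xml_gz):
    """Return the location hrefs of all packages listed in primary.xml.gz."""
    # For metadata from an untrusted upstream, swap in defusedxml.ElementTree.
    with gzip.open(io.BytesIO(primary_xml_gz)) as fh:
        root = ET.parse(fh).getroot()
    paths = set()
    for pkg in root.iter(COMMON_NS + "package"):
        loc = pkg.find(COMMON_NS + "location")
        if loc is not None and loc.get("href"):
            paths.add(loc.get("href").lstrip("/"))
    return paths

def undiscoverable(cached_paths, primary_xml_gz):
    """Cached RPM paths that the proxied metadata no longer lists."""
    listed = listed_rpm_paths(primary_xml_gz)
    cached = {p.lstrip("/") for p in cached_paths if p.endswith(".rpm")}
    return sorted(cached - listed)

# Constructed sample: metadata after the upstream deletion (one package left).
SAMPLE_PRIMARY = gzip.compress(b"""<?xml version="1.0" encoding="UTF-8"?>
<metadata xmlns="http://linux.duke.edu/metadata/common" packages="1">
  <package type="rpm">
    <name>alpha</name>
    <location href="Packages/alpha-1.0-1.x86_64.rpm"/>
  </package>
</metadata>
""")

# Constructed sample: asset paths still cached in the proxy repository.
SAMPLE_CACHED = [
    "Packages/alpha-1.0-1.x86_64.rpm",
    "Packages/beta-2.0-1.x86_64.rpm",
    "repodata/repomd.xml",
]

if __name__ == "__main__":
    for path in undiscoverable(SAMPLE_CACHED, SAMPLE_PRIMARY):
        print("cached but not listed in metadata:", path)
```

A non-empty result means clients resolving through the proxy cannot discover those packages by name, even though a direct request for the file path still succeeds.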

              People

              Assignee:
              pkundra Parul Kundra
              Reporter:
              mprescott Michael Prescott
              Last Updated By:
              Peter Lynch
              Team:
              NXRM - Cypher
              Votes:
              1
              Watchers:
              3
