  1. Dev - Nexus Repo
  2. NEXUS-35640

PyPi INDEX asset still has '#md5=<hash>' in the link after upgrading to 3.41

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 3.41.0, 3.42.0
    • Fix Version/s: None
    • Component/s: PyPI
    • Labels:
    • Story Points:
      3
    • Sprint:
      NXRM Sentinels Sprint 46, NXRM Sentinels Sprint 47
    • Notability:
      3
    • InvestmentLayer:
      support-escalated
    • Aha Concept:
      non-concept

      Description

      Problem:

      After upgrading to 3.41, the HTML page at /repository/pypi-group/simple/<package>/ still contains '#md5=<hash>'.

      Impact:

      This could cause issues when using this repository with Poetry.

      Reproduce:

      1. Install NXRM 3.38 with OrientDB
      2. Create pypi-hosted, pypi-proxy, and pypi-group
      3. Upload a package to pypi-hosted (e.g. Unit-0.2.2.tar.gz)
      4. Confirm the HTML generated from /repository/pypi-group/simple/unit/ has links with "../../packages/unit/<version>/<filename>#md5=<hash>"
      5. Upgrade to 3.41 or 3.42

      Expected:

      May need an upgrade (or normal) task so that all links in the index pages are converted to '#sha256=<hash>'

       

      Note:

      Actual behaviour:

      The HTML contains either all "md5" links or a mix of "sha256" and "md5" links, as below:

      <!DOCTYPE html>
      <html lang="en">
      <head><title>Links for unit</title>
        <meta name="api-version" value="2"/>
      </head>
      <body><h1>Links for unit</h1>
          <a href="../../packages/unit/0.2.0/Unit-0.2.0-py3-none-any.whl#sha256=0b118d68cfc129aa508d16fc207dc12fb73d1a2a05d5f9f6b44c48561979f11a" rel="internal"       data-requires-python="&gt;=3.5" >Unit-0.2.0-py3-none-any.whl</a><br/>
          <!-- snip -->
          <a href="../../packages/unit/0.2.2/Unit-0.2.2.tar.gz#md5=edf50034b867504ce4d20935ca56ea9e" rel="internal"       data-requires-python="&gt;=3.5" >Unit-0.2.2.tar.gz</a><br/>
      </body>
      </html>
      

      Workaround:

      Re-upload the assets that show "#md5=..."
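
      To find which assets the workaround applies to, the index page can be parsed and every link whose fragment is not a sha256 digest listed. The following is an added example, not code from this issue or from Nexus Repository; the function names are hypothetical and the sample HTML is constructed from the page quoted above.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import posixpath


class _LinkCollector(HTMLParser):
    """Collects the href of every <a> element in a simple-index page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)


def audit_index(html):
    """Return {filename: hash algorithm or None} for each link in the page."""
    collector = _LinkCollector()
    collector.feed(html)
    result = {}
    for href in collector.hrefs:
        parts = urlsplit(href)
        filename = posixpath.basename(parts.path)
        # The fragment has the form "<algorithm>=<hex digest>".
        algo, sep, digest = parts.fragment.partition("=")
        result[filename] = algo.lower() if sep and digest else None
    return result


def needs_reupload(html, wanted="sha256"):
    """Filenames whose link does not carry the wanted hash algorithm."""
    return sorted(n for n, a in audit_index(html).items() if a != wanted)


# Constructed sample, modelled on the index page quoted in this issue.
SAMPLE = """<!DOCTYPE html>
<html lang="en"><body><h1>Links for unit</h1>
<a href="../../packages/unit/0.2.0/Unit-0.2.0-py3-none-any.whl#sha256=0b118d68cfc129aa508d16fc207dc12fb73d1a2a05d5f9f6b44c48561979f11a" rel="internal">Unit-0.2.0-py3-none-any.whl</a><br/>
<a href="../../packages/unit/0.2.2/Unit-0.2.2.tar.gz#md5=edf50034b867504ce4d20935ca56ea9e" rel="internal">Unit-0.2.2.tar.gz</a><br/>
</body></html>"""

if __name__ == "__main__":
    for name in needs_reupload(SAMPLE):
        print("re-upload:", name)
```

      Pass it the body of /repository/pypi-group/simple/<package>/ saved from the repository; links with no hash fragment at all are reported as well.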

              People

              Assignee:
              dtovar Alejandro Tovar
              Reporter:
              hosako Hajime Osako
              Last Updated By:
              Dawid Sawa
              Team:
              NXRM - Sentinels
              Owner:
              Alejandro Tovar