Maven repositories handles sha1/md5 files "as one" with main file, but is not locking them

Maven repositories handles sha1/md5 files "as one" with main file, but is not locking them.

This affects proxy repositories mainly, and does not disturb our main use case (maven), as it is consistent how requests are ordered: main file (JAR, POM or whatever), then is it's corresponding sha1/md5 file requested.

When remote fetch happens in proxy hash files are removed, main file fetched, checksum files are fetched (during having lock for main file), checksum policy applied (file checked against checksums), and then the main file is served up. For consequent incoming request (for example from maven), there will be no "write" lock needed, as checksum will be up to date.

Problem is that checksums are operated without corresponding UID locks above. Meaning, if simultaneously two request will fall in, one of main file, and one for checksum, they will not sync properly.

Again, this was true but rare with Maven, but with SP + preemptive fetch this becomes a problem, as they will remove the files from each other creating wildly looking exceptions. Also, when checksum policy set to "STRICT", this might produce false positives, preventing Nexus serving up a healthy file.