Uploaded image for project: 'Dev - Nexus Repo'
  1. Dev - Nexus Repo
  2. NEXUS-5418

Maven repositories handles sha1/md5 files "as one" with main file, but is not locking them

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.4
    • Component/s: None
    • Labels:
      None

      Description

      Maven repositories handles sha1/md5 files "as one" with main file, but is not locking them.

      This affects proxy repositories mainly, and does not disturb our main use case (maven), as it is consistent how requests are ordered: main file (JAR, POM or whatever), then is it's corresponding sha1/md5 file requested.

      When remote fetch happens in proxy hash files are removed, main file fetched, checksum files are fetched (during having lock for main file), checksum policy applied (file checked against checksums), and then the main file is served up. For consequent incoming request (for example from maven), there will be no "write" lock needed, as checksum will be up to date.

      Problem is that checksums are operated without corresponding UID locks above. Meaning, if simultaneously two request will fall in, one of main file, and one for checksum, they will not sync properly.

      Again, this was true but rare with Maven, but with SP + preemptive fetch this becomes a problem, as they will remove the files from each other creating wildly looking exceptions. Also, when checksum policy set to "STRICT", this might produce false positives, preventing Nexus serving up a healthy file.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              rseddon Rich Seddon
              Reporter:
              cstamas Tamás Cservenák
              Last Updated By:
              Peter Lynch Peter Lynch
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:
                Date of First Response:

                  tigCommentSecurity.panel-title