  1. Infrastructure
  2. INFRA-2915

Tell Artifactory not to serve up crap as valid

      Description

      Artifactory is magicking up checksums for things which are not even valid.

      See INFRA-2914 for an example.

      Validate that all proxy settings are set to either ignore the checksum (if you do not care or are consuming garbage), or fail (to prevent pollution).

      But please ensure you never set it to "Ignore and generate" so that other repositories are not corrupted with the same garbage.

      See https://www.jfrog.com/confluence/display/JFROG/Remote+Repositories#RemoteRepositories-Maven,Gradle,IvyandSBTRepositories for the configuration details.
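
      One way to run the validation requested above, as an added example that is not part of the original ticket or the project's tooling: it reads remote repository configuration JSON (the `remoteRepoChecksumPolicyType` field of Artifactory's repository configuration format) and reports every remote repo whose policy is neither "Fail" nor "Ignore and Pass-thru". The repo keys, the `example.invalid` URLs and the sample input are constructed; treating a missing field as "Generate if absent" follows the thread's statement that this is the default.

```python
import json

# Values of "remoteRepoChecksumPolicyType" in Artifactory repository config JSON.
ACCEPTABLE = {"fail", "pass-thru"}            # "Fail" / "Ignore and Pass-thru"
GENERATING = {"generate-if-absent", "ignore-and-generate"}
DEFAULT_POLICY = "generate-if-absent"         # used when the field is not set

# Constructed sample input; repo keys and example.invalid URLs are made up.
SAMPLE_CONFIGS = json.loads("""
[
  {"key": "example-netbeans", "rclass": "remote", "packageType": "maven",
   "url": "https://bits.netbeans.org/maven2/",
   "remoteRepoChecksumPolicyType": "generate-if-absent"},
  {"key": "example-legacy", "rclass": "remote", "packageType": "maven",
   "url": "https://legacy.example.invalid/maven2/"},
  {"key": "example-strict", "rclass": "remote", "packageType": "maven",
   "url": "https://strict.example.invalid/maven2/",
   "remoteRepoChecksumPolicyType": "fail"},
  {"key": "example-passthru", "rclass": "remote", "packageType": "maven",
   "url": "https://old.example.invalid/maven2/",
   "remoteRepoChecksumPolicyType": "pass-thru"},
  {"key": "example-ignoregen", "rclass": "remote", "packageType": "gradle",
   "url": "https://gen.example.invalid/repo/", "offline": true,
   "remoteRepoChecksumPolicyType": "ignore-and-generate"},
  {"key": "example-releases", "rclass": "local", "packageType": "maven"}
]
""")


def audit_checksum_policies(configs):
    """Return one finding per remote repo whose policy is not Fail or Pass-thru."""
    findings = []
    for cfg in configs:
        if cfg.get("rclass") != "remote":
            continue  # only remote (proxy) repos carry this setting
        policy = cfg.get("remoteRepoChecksumPolicyType") or DEFAULT_POLICY
        if policy in ACCEPTABLE:
            continue
        reason = ("serves checksums the upstream never published"
                  if policy in GENERATING else "unrecognised policy value")
        findings.append({"key": cfg.get("key"), "url": cfg.get("url"),
                         "policy": policy, "reason": reason,
                         "offline": bool(cfg.get("offline", False))})
    return findings


if __name__ == "__main__":
    for f in audit_checksum_policies(SAMPLE_CONFIGS):
        state = "offline" if f["offline"] else "online"
        print(f"{f['key']}: {f['policy']} ({state}) - {f['reason']}")
```
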

            Activity

            danielbeck Daniel Beck added a comment -

            All remote Maven repos are now offline and/or use Fail checksum policy.

            danielbeck Daniel Beck added a comment -

            Thanks for clarifying. The original description did not identify this (default) setting as problematic.

            teilo James Nord added a comment -

            > The remote repo for https://bits.netbeans.org/maven2/ is configured to Generate if absent

            For all proxy repos in repo.jenkins-ci.org ensure that none of them have that setting. (i.e. this is what allows Artifactory to download HTML when an artifact is requested and serve it up with a freshly generated checksum to all consumers).
            This means that consumers cannot use "strict" checking, or things like it. Missing checksums must never be created on the fly - it should be a simple garbage in garbage out proxy.

            In other words all proxy repos should be set to either "Ignore and Pass-thru" or "Fail".

            Fail should be the default - it was ages since a buggy Maven pushed some things with broken checksums, and consuming artifacts without a checksum and caching them means you may well get silent corruptions. However if that is too much of a step for the project due to still consuming some ancient artifact, or an awful Maven repo then please use "Ignore and Pass-thru".
            The latter will allow consumers to block these as they so choose.

            danielbeck Daniel Beck added a comment -

            > validate that all proxy settings are set to either ignore the checksum (if you do not care or are consuming garbage), or fail (to prevent pollution).
            >
            > but please ensure you never set it to "Ignore and generate" so that other repositories are not corrupted with the same garbage.

            The remote repo for https://bits.netbeans.org/maven2/ is configured to Generate if absent, so it's unclear to me what the request is exactly.


              People

              Assignee:
              danielbeck Daniel Beck
              Reporter:
              teilo James Nord