Posted to dev@mxnet.apache.org by Qing Lan <la...@live.com> on 2018/12/21 01:01:31 UTC

Malformed package uploaded to Maven central

Dear Community,

Recently I tried to improve the Maven automated publish procedure and tested publishing the package. However, I accidentally used maven to upload a package to a closed release branch: <https://repository.apache.org/#nexus-search;gav~org.apache.mxnet~~1.5.0~~>. However, it seemed that I didn’t have access to remove this package since it is controlled by Maven central. In this case, I regretfully request a PMC/PPMC member to file an Apache Infra ticket to remove this package from there so it won’t influence the current maven users to download them. The influence is limited to OSX users who are using official releases of MXNet Scala/Java packages.

I apologize for this act and won’t do any more risky experiments until I am fully aware of the consequences.
Qing


Re: Malformed package uploaded to Maven central

Posted by Naveen Swamy <mn...@gmail.com>.
I don't think they will disable PUT because some projects might be manually
uploading artifacts.
Here is the ticket I created:
https://issues.apache.org/jira/browse/INFRA-17489

On Fri, Dec 21, 2018 at 10:23 AM Frank Liu <fr...@gmail.com> wrote:

> If the release procedure is always push to staging and manually promote
> from staging to release, the nexus2 repo should be configured to forbid
> direct push to release repo.
>
> It currently allows uploading files directly via HTTP PUT (works with curl
> command).
> What Qing executed is a simple mvn deploy:deploy-file task in the maven
> which points to https://repository.apache.org/content/repositories/releases
>
> Thanks,
> Frank
>
> On Fri, Dec 21, 2018 at 9:59 AM Naveen Swamy <mn...@gmail.com> wrote:
>
> > Hi Qing,
> >
> > Thanks for bringing this to the attention of the community. I understand it
> > was an unintended consequence of the publish experiment. I will raise an INFRA
> > ticket to remove this package from the releases repo.
> > Could you please file a GitHub issue or MXNet JIRA and mention the commands
> > you executed so we can request INFRA to not let packages be published
> > directly to releases without going through the process of deploying to
> > STAGING and then test/close the package to Releases?
> >
> > Thanks, Naveen
> >
> > On Thu, Dec 20, 2018 at 5:01 PM Qing Lan <la...@live.com> wrote:
> >
> > > Dear Community,
> > >
> > > Recently I tried to improve the Maven automated publish procedure and
> > > tested publishing the package. However, I accidentally used maven to upload a
> > > package to a closed release branch:
> > > <https://repository.apache.org/#nexus-search;gav~org.apache.mxnet~~1.5.0~~>.
> > > However, it seemed that I didn’t have access to remove this package
> > > since it is controlled by Maven central. In this case, I regretfully
> > > request a PMC/PPMC member to file an Apache Infra ticket to remove this
> > > package from there so it won’t influence the current maven users to
> > > download them. The influence is limited to OSX users who are using official
> > > releases of MXNet Scala/Java packages.
> > >
> > > I apologize for this act and won’t do any more risky experiments until I am
> > > fully aware of the consequences.
> > > Qing
> > >
> > >
> >
>

Re: Malformed package uploaded to Maven central

Posted by Frank Liu <fr...@gmail.com>.
If the release procedure is always push to staging and manually promote
from staging to release, the nexus2 repo should be configured to forbid
direct push to release repo.

It currently allows uploading files directly via HTTP PUT (works with curl
command).
What Qing executed is a simple mvn deploy:deploy-file task in the maven
which points to https://repository.apache.org/content/repositories/releases

Thanks,
Frank

On Fri, Dec 21, 2018 at 9:59 AM Naveen Swamy <mn...@gmail.com> wrote:

> Hi Qing,
>
> Thanks for bringing this to the attention of the community. I understand it
> was an unintended consequence of the publish experiment. I will raise an INFRA
> ticket to remove this package from the releases repo.
> Could you please file a GitHub issue or MXNet JIRA and mention the commands
> you executed so we can request INFRA to not let packages be published
> directly to releases without going through the process of deploying to
> STAGING and then test/close the package to Releases?
>
> Thanks, Naveen
>
> On Thu, Dec 20, 2018 at 5:01 PM Qing Lan <la...@live.com> wrote:
>
> > Dear Community,
> >
> > Recently I tried to improve the Maven automated publish procedure and
> > tested publishing the package. However, I accidentally used maven to upload a
> > package to a closed release branch:
> > <https://repository.apache.org/#nexus-search;gav~org.apache.mxnet~~1.5.0~~>.
> > However, it seemed that I didn’t have access to remove this package
> > since it is controlled by Maven central. In this case, I regretfully
> > request a PMC/PPMC member to file an Apache Infra ticket to remove this
> > package from there so it won’t influence the current maven users to
> > download them. The influence is limited to OSX users who are using official
> > releases of MXNet Scala/Java packages.
> >
> > I apologize for this act and won’t do any more risky experiments until I am
> > fully aware of the consequences.
> > Qing
> >
> >
>
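
Added example, not part of the message above and not MXNet or Apache INFRA tooling: a client-side guard for a publish job that refuses an `mvn` invocation whose explicit deploy target is the releases URL quoted in the thread. The function names are hypothetical, and the guard only sees targets passed on the command line, not one configured in a POM's `distributionManagement`.

```shell
#!/usr/bin/env bash
# Added example: pre-deploy check for a publish script (hypothetical helper names).
# Artifacts should reach releases only by promotion from staging, so any mvn
# command line that names the releases repository as its target is rejected.

# Releases repository URL as quoted in the thread.
RELEASES_URL="https://repository.apache.org/content/repositories/releases"

# Print the deploy target found in the mvn arguments, if one is given.
# Handles -Durl=<url> (deploy:deploy-file) and
# -DaltDeploymentRepository=<id>::[<layout>::]<url> (deploy:deploy).
deploy_target() {
  local arg
  for arg in "$@"; do
    case "$arg" in
      -Durl=*) printf '%s\n' "${arg#-Durl=}"; return 0 ;;
      -DaltDeploymentRepository=*) printf '%s\n' "${arg##*::}"; return 0 ;;
    esac
  done
  return 1
}

# Return 0 if the invocation may proceed, 1 if it would write to releases directly.
check_mvn_args() {
  local url
  url="$(deploy_target "$@")" || return 0   # no explicit target on the command line
  # Compare case-insensitively; over-blocking is acceptable for a deny rule.
  url="$(printf '%s' "$url" | tr '[:upper:]' '[:lower:]')"
  case "$url" in
    "$RELEASES_URL"|"$RELEASES_URL"/*)
      echo "refusing direct deploy to releases: $url" >&2
      return 1 ;;
  esac
  return 0
}

# Typical use inside a publish script:
#   check_mvn_args "$@" && mvn "$@"
```

This is a safety net on the publisher's side only; the server-side restriction discussed in the thread is what actually prevents a direct upload.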

Re: Malformed package uploaded to Maven central

Posted by Naveen Swamy <mn...@gmail.com>.
Hi Qing,

Thanks for bringing this to the attention of the community. I understand it
was an unintended consequence of the publish experiment. I will raise an INFRA
ticket to remove this package from the releases repo.
Could you please file a GitHub issue or MXNet JIRA and mention the commands
you executed so we can request INFRA to not let packages be published
directly to releases without going through the process of deploying to
STAGING and then test/close the package to Releases?

Thanks, Naveen

On Thu, Dec 20, 2018 at 5:01 PM Qing Lan <la...@live.com> wrote:

> Dear Community,
>
> Recently I tried to improve the Maven automated publish procedure and
> tested publishing the package. However, I accidentally used maven to upload a
> package to a closed release branch:
> <https://repository.apache.org/#nexus-search;gav~org.apache.mxnet~~1.5.0~~>.
> However, it seemed that I didn’t have access to remove this package
> since it is controlled by Maven central. In this case, I regretfully
> request a PMC/PPMC member to file an Apache Infra ticket to remove this
> package from there so it won’t influence the current maven users to
> download them. The influence is limited to OSX users who are using official
> releases of MXNet Scala/Java packages.
>
> I apologize for this act and won’t do any more risky experiments until I am
> fully aware of the consequences.
> Qing
>
>