Posted to users@maven.apache.org by Arnaud Bailly <ab...@oqube.com> on 2009/09/08 15:17:46 UTC

Securing deployment of released artifacts

Hi to all,
I would like to ensure it is impossible to upload twice the same
artifact for a given project with a given non-SNAPSHOT version and a
given repository to upload to. I checked with standard deploy plugin but
this is not done (ie. I can upload twice same version).

I checked with configuration parameters for nexus but could not find
anything related. Is there a standard way of doing this ?

Regards,
-- 
Arnaud Bailly -- OQube
<software engineering>
http://www.oqube.com/


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@maven.apache.org
For additional commands, e-mail: users-help@maven.apache.org


Re: Securing deployment of released artifacts

Posted by Wendy Smoak <ws...@gmail.com>.
On Tue, Sep 8, 2009 at 6:17 AM, Arnaud Bailly<ab...@oqube.com> wrote:
> I would like to ensure it is impossible to upload twice the same
> artifact for a given project with a given non-SNAPSHOT version and a
> given repository to upload to. I checked with standard deploy plugin but
> this is not done (ie. I can upload twice same version).
>
> I checked with configuration parameters for nexus but could not find
> anything related. Is there a standard way of doing this ?

Change the permissions on the underlying file system?  (But from irc
conversations, I thought Nexus would prevent this already.)

There are feature requests in JIRA for both the deploy plugin and Archiva:
* http://jira.codehaus.org/browse/MDEPLOY-74 Add an option to be able
to abort if an artifact is already present in the deployment
repository
* http://jira.codehaus.org/browse/MRM-747 Archiva should prevent
re-deployment of released or non-snapshot versioned artifacts

If it depends on the metadata being correct, it may not be foolproof...

-- 
Wendy



Re: Securing deployment of released artifacts

Posted by Anders Hammar <an...@hammar.net>.
You can update the metadata file, there's a separate priv defined for that.

/Anders

On Wed, Sep 9, 2009 at 14:06, Arnaud Bailly <ab...@oqube.com> wrote:

> Anders Hammar <an...@hammar.net> writes:
> >>
> >>
> > That's not how I read the FAQ entry. The role has permission to create and
> > read as well. But, I'm waiting for Nexus 1.4 to do this instead.
> >
>
> You are right, I probably misread/overlooked the FAQ. It says that the
> repo-custom-deploy can:
>  - update All Metadata (Maven2)
>  - create All M2 Repositories (content)
>  - read All M2 Repositories (content)
>
> So it cannot update repositories content, even metadata, something which
> is derived from the fact that I can create/read *any* content in
> repositories which includes metadata. Am I right ?
>
> Thanks again,
> --
> Arnaud Bailly -- OQube
> <software engineering>
> http://www.oqube.com/

Re: Securing deployment of released artifacts

Posted by Arnaud Bailly <ab...@oqube.com>.
Anders Hammar <an...@hammar.net> writes:
>>
>>
> That's not how I read the FAQ entry. The role has permission to create and
> read as well. But, I'm waiting for Nexus 1.4 to do this instead.
>

You are right, I probably misread/overlooked the FAQ. It says that the
repo-custom-deploy can: 
 - update All Metadata (Maven2)
 - create All M2 Repositories (content)
 - read All M2 Repositories (content)

So it cannot update repositories content, even metadata, something which
is derived from the fact that I can create/read *any* content in
repositories which includes metadata. Am I right ?

Thanks again,
-- 
Arnaud Bailly -- OQube
<software engineering>
http://www.oqube.com/
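
A minimal model of the role listed in the post above, added here as an example; it is not part of the original message and not Nexus code. It assumes the metadata target matches `maven-metadata.xml` and its checksum files and that the content target matches every path; the `Repo` class, `deploy` function and coordinates are constructed for illustration.

```python
import re

# Assumption: the "All Metadata (Maven2)" target matches maven-metadata.xml and
# its checksum files, while the "(content)" target matches every path.
METADATA = re.compile(r".*/maven-metadata\.xml(\.(md5|sha1))?$")

# The three privileges quoted in the post, modelled as (action, target) pairs.
REPO_CUSTOM_DEPLOY = {("update", "metadata"), ("create", "content"), ("read", "content")}


class Repo:
    """Toy release repository that authorizes every PUT against one role."""

    def __init__(self, role):
        self.role = role
        self.files = {}

    def allowed(self, action, path):
        if (action, "content") in self.role:
            return True
        return (action, "metadata") in self.role and bool(METADATA.match(path))

    def put(self, path, data):
        # Writing to an existing path is an update, to a new path a create.
        action = "update" if path in self.files else "create"
        if not self.allowed(action, path):
            return 403, action
        self.files[path] = data
        return 201, action


def deploy(repo, group, artifact, version, data):
    """Upload the jar, then rewrite the artifact-level maven-metadata.xml."""
    base = "/" + group.replace(".", "/") + "/" + artifact
    jar = repo.put(f"{base}/{version}/{artifact}-{version}.jar", data)
    if jar[0] != 201:
        return jar, None  # release file already exists: nothing is overwritten
    meta_path = f"{base}/maven-metadata.xml"
    versions = repo.files.get(meta_path, "") + version + "\n"
    return jar, repo.put(meta_path, versions)


if __name__ == "__main__":
    repo = Repo(REPO_CUSTOM_DEPLOY)  # constructed coordinates below
    for v in ("1.0", "1.1", "1.0"):
        print(v, deploy(repo, "com.example", "demo", v, "build of " + v))
```

In this model the second upload of 1.0 is refused because it would be an update of content, while deploying 1.1 only succeeds because the role may update the shared metadata file.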





Re: Securing deployment of released artifacts

Posted by Anders Hammar <an...@hammar.net>.
>
> > The thing about doing this on the user side is (as always) that you can't
> > really be 100% sure it's taking place. Doing it on the server is safer.
> >
>
> Doing both is safer yet :-) Problem is I want to ensure 2 things:
>  - only specific users have deployment rights on release
>  - unicity of deployed artifacts in release mode is guaranteed even for
>  authorized deployers
>

I don't see why this can't be done on the server side. I normally never even
think about doing stuff on the client side if I want to ensure it to always
happen.


>
> > Regarding Nexus and allowing the role to update the metadata file: It (the
> > metadata file) has to be updated when you add new artifacts. So the role of
> > the person deploying the new artifact must have that permission.
> >
>
> Sure, but the given FAQ entry creates a specific role w/ only "Update
> Metadata" rights, so this role cannot update artifacts themselves but
> only their metadata. What's the point of doing this ?
>
>
That's not how I read the FAQ entry. The role has permission to create and
read as well. But, I'm waiting for Nexus 1.4 to do this instead.

/Anders

Re: Securing deployment of released artifacts

Posted by Arnaud Bailly <ab...@oqube.com>.
Anders Hammar <an...@hammar.net>, Thanks for your answer

> The thing about doing this on the user side is (as always) that you can't
> really be 100% sure it's taking place. Doing it on the server is safer.
>

Doing both is safer yet :-) Problem is I want to ensure 2 things:
 - only specific users have deployment rights on release
 - unicity of deployed artifacts in release mode is guaranteed even for
 authorized deployers 

> Regarding Nexus and allowing the role to update the metadata file: It (the
> metadata file) has to be updated when you add new artifacts. So the role of
> the person deploying the new artifact must have that permission.
>

Sure, but the given FAQ entry creates a specific role w/ only "Update
Metadata" rights, so this role cannot update artifacts themselves but
only their metadata. What's the point of doing this ? 

regards,
-- 
Arnaud Bailly -- OQube
<software engineering>
http://www.oqube.com/





Re: Securing deployment of released artifacts

Posted by Anders Hammar <an...@hammar.net>.
The thing about doing this on the user side is (as always) that you can't
really be 100% sure it's taking place. Doing it on the server is safer.

Regarding Nexus and allowing the role to update the metadata file: It (the
metadata file) has to be updated when you add new artifacts. So the role of
the person deploying the new artifact must have that permission.

/Anders

On Wed, Sep 9, 2009 at 07:11, Arnaud Bailly <ab...@oqube.com> wrote:

> Thanks for the answers. I already thought about using nexus management
> rights as a possible solution, but was looking for a client-based
> solution (ie. more along the MDEPLOY-74). I can see from
> http://www.nabble.com/-deploy-plugin--Abort-deploy-when-a-target-is-present-to16329568s177.html#a16353467
> that this feature is in 2.1 and I will check this.
>
> About the proposed solution in Nexus, I was wondering why the created
> role still allows update permission of metadata (this may be more a
> nexus question...)? It seems rather odd to me as this seems to imply metadata
> would not be in sync with the real artifacts, but I am surely missing
> something.
>
> Regards,
> --
> Arnaud Bailly -- OQube
> <software engineering>
> http://www.oqube.com/

Re: Securing deployment of released artifacts

Posted by Arnaud Bailly <ab...@oqube.com>.
Thanks for the answers. I already thought about using nexus management
rights as a possible solution, but was looking for a client-based
solution (ie. more along the MDEPLOY-74). I can see from
http://www.nabble.com/-deploy-plugin--Abort-deploy-when-a-target-is-present-to16329568s177.html#a16353467
that this feature is in 2.1 and I will check this.

About the proposed solution in Nexus, I was wondering why the created
role still allows update permission of metadata (this may be more a
nexus question...)? It seems rather odd to me as this seems to imply metadata
would not be in sync with the real artifacts, but I am surely missing
something.

Regards,
-- 
Arnaud Bailly -- OQube
<software engineering>
http://www.oqube.com/




Re: Securing deployment of released artifacts

Posted by Anders Hammar <an...@hammar.net>.
There was recently a discussion about this on the Nexus mailing list. There
will be better support (and easier to configure) for this in Nexus 1.4 that
is due soon.

/Anders

On Tue, Sep 8, 2009 at 18:32, Nord, James <JN...@nds.com> wrote:

> > I would like to ensure it is impossible to upload twice the
> > same artifact for a given project with a given non-SNAPSHOT
> > version and a given repository to upload to. I checked with
> > standard deploy plugin but this is not done (ie. I can upload
> > twice same version).
> >
> > I checked with configuration parameters for nexus but could
> > not find anything related. Is there a standard way of doing this ?
>
> http://nexus.sonatype.org/about/faq.html#QHowdoIdisableartifactredeployment
>
> Doesn't work if you use staging though :-(

RE: Securing deployment of released artifacts

Posted by "Nord, James" <JN...@nds.com>.
> I would like to ensure it is impossible to upload twice the 
> same artifact for a given project with a given non-SNAPSHOT 
> version and a given repository to upload to. I checked with 
> standard deploy plugin but this is not done (ie. I can upload 
> twice same version).
> 
> I checked with configuration parameters for nexus but could 
> not find anything related. Is there a standard way of doing this ?

http://nexus.sonatype.org/about/faq.html#QHowdoIdisableartifactredeployment

Doesn't work if you use staging though :-(
