Posted to users@archiva.apache.org by EJ Ciramella <ej...@upromise.com> on 2008/09/06 15:32:57 UTC

RE: How does archiva determine if a remote file exists

That's a pretty big assumption on the part of archiva, no?

Most corporate env's will be blocking various sites, potentially some
sub directories of some well known opensource sf.

It's a shame there isn't some kinda validation (is this a valid xml file
or is this a valid pom or zip/jar/war/etc).



-----Original Message-----
From: Brett Porter [mailto:brett.porter@gmail.com] 
Sent: Friday, September 05, 2008 9:17 PM
To: users@archiva.apache.org
Subject: Re: How does archiva determine if a remote file exists

That's correct, Archiva will assume if it gets HTTP 200 trying to proxy a
file that it was valid.
If you change the proxy connector to fail if checksums don't match, this
problem won't occur. I'd highly recommend this setting in an environment
such as yours (or ensure the filter blocks with a more appropriate code like
403).

Cheers,
Brett

2008/9/6 Michael Delaney <md...@upromise.com>

> All,
>
>
>
>  How does Archiva determine if a remote file (say something housed on
> repo1.maven.org/maven2, for example) is valid? Does it determine this by
> the HTTP return code (404 versus 200)?
>
>
>
>  The reason I ask is that I have seen a very odd behavior. We have a
> goal that attempts to download an artifact from our Archiva server. This
> artifact doesn't exist, it's an optional dependency, but during one of
> our maven goals, it appears our network filter went AWOL and blocked
> people.apache.org (which is set up on our Archiva server as a remote
> repository). So instead of getting a 404 error code when trying to
> access a file off of people.apache.org, it received a web page (from our
> filter) stating the site was blocked. This web page appears to have been
> downloaded as a pom.xml file and the artifact in question.
>
>
>
> Mike Delaney.
>
>


-- 
Brett Porter
Blog: http://blogs.exist.com/bporter/

Re: How does archiva determine if a remote file exists

Posted by Brett Porter <br...@gmail.com>.
For proxying the default is not to fail on the checksum because of a number
of known problems in the main repository.
It can be configured on the proxy connector, see:
http://archiva.apache.org/docs/1.1.1/adminguide/proxy-connectors.html

Cheers,
Brett




-- 
Brett Porter
Blog: http://blogs.exist.com/bporter/

RE: How does archiva determine if a remote file exists

Posted by EJ Ciramella <ej...@upromise.com>.
You are correct - somewhere along the line our content filters at work
intercepted the "mvn deploy" request, and either during the "go check
for updates" bit of a regular maven build or during the actual deploy
portion, our content filters said, "nope, can't go there" (they
shouldn't have and that's been fixed).

The content filters provided an html page and a 200 response code so
archiva happily put all those artifacts (that we would normally build
out of our SCM system) that it was trying to proxy into the repository
earmarked for external, third party artifacts.

Again (maybe more for my benefit) here are the steps:

1 - mvn deploy 
2 - Archiva goes to check to see if it has the latest and scans remote
repositories
3 - upon scanning people.apache.something, our filters cried foul and
displayed the html page (returning a valid response code)
4 - Archiva saw that and took the returning stream of bits (the web
page) and opted to install/proxy things into the repository we have set
up for external third party jars

This gave us a handful of jars and poms that were nothing more than the
html page.  So I don't think it was even looking at checksums for these
things and if it could, how would I turn this feature on?  Isn't it on
out of the box?

I'll ask our is/it department if they couldn't get the content filter
system to return some other code instead of an "all clear" code....


Re: How does archiva determine if a remote file exists

Posted by Brett Porter <br...@gmail.com>.
2008/9/8 EJ Ciramella <ej...@upromise.com>

> So how/where do I turn on the checksum validation?


This is on the proxy connectors, which is where I assumed the problem to be.


>
>
> The "false 200" code we had was for a module we are building locally and
> installing into an archiva managed repository.
>
> I understand your response with regard to remote repositories (say repo 1)
> but the pom and jar that was goofed was put into archiva via mvn install not
> by an archiva proxy process.


This sounds unusual - so you're saying that the network infrastructure
intercepted your PUT request and modified the content? Sorry if I
misunderstood.

We don't currently have a checksum on deployment feature as the files are
not placed in a single transaction.

- Brett

-- 
Brett Porter
Blog: http://blogs.exist.com/bporter/

RE: How does archiva determine if a remote file exists

Posted by EJ Ciramella <ej...@upromise.com>.
So how/where do I turn on the checksum validation?

The "false 200" code we had was for a module we are building locally and installing into an archiva managed repository.

I understand your response with regard to remote repositories (say repo 1) but the pom and jar that was goofed was put into archiva via mvn install not by an archiva proxy process.



Re: How does archiva determine if a remote file exists

Posted by Brett Porter <br...@gmail.com>.
2008/9/6 EJ Ciramella <ej...@upromise.com>

> That's a pretty big assumption on the part of archiva, no?


That 200 means OK? I don't think it's such a leap :)


>
>
> Most corporate env's will be blocking various sites, potentially some
> sub directories of some well known opensource sf.
>
> It's a shame there isn't some kinda validation (is this a valid xml file
> or is this a valid pom or zip/jar/war/etc).


That's what the checksums are there for if enabled - and far more reliable
than guessing a mime-type from the extension.

Cheers,
Brett





-- 
Brett Porter
Blog: http://blogs.exist.com/bporter/
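
The two checks debated in this thread (checksum comparison and "is this really a pom or a jar") can also be run after the fact over a repository directory to find artifacts that are a content filter's block page. This is an added example, not part of the original thread and not Archiva code; the file names, the block page and the helper names are constructed for illustration, and it assumes Maven-style `.sha1` sidecar files next to each artifact.

```python
import hashlib, re, tempfile, zipfile
import xml.etree.ElementTree as ET
from pathlib import Path

ZIP_EXTS = {".jar", ".war", ".zip"}
BLOCK_PAGE = b"<html><body><h1>Site blocked</h1></body></html>"  # constructed sample

def content_problem(path, data):
    """Return why the bytes cannot be what the extension claims, else None."""
    if path.suffix in ZIP_EXTS:
        return None if data[:2] == b"PK" else "not a zip archive"
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return "not well-formed XML"
    return None if root.tag.split("}")[-1] == "project" else "XML root is not <project>"

def checksum_problem(path, data):  # the sidecar may itself be a saved block page
    sidecar = path.with_name(path.name + ".sha1")
    if not sidecar.exists():
        return "no .sha1 sidecar"
    tokens = sidecar.read_text(errors="replace").split()  # "digest" or "digest  filename"
    if not tokens or not re.fullmatch(r"[0-9a-fA-F]{40}", tokens[0]):
        return ".sha1 sidecar is not a digest"
    return None if tokens[0].lower() == hashlib.sha1(data).hexdigest() else "sha1 mismatch"

def audit_repo(root):  # maps file name -> problems for every jar/war/zip/pom under root
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in ZIP_EXTS | {".pom"}:
            data = path.read_bytes()
            problems = [p for p in (content_problem(path, data), checksum_problem(path, data)) if p]
            if problems:
                findings[path.name] = problems
    return findings

def demo():  # constructed repository: a genuine jar and pom, plus a jar and pom that are the block page
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        with zipfile.ZipFile(root / "good-1.0.jar", "w") as z:
            z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        (root / "good-1.0.pom").write_bytes(b'<project xmlns="http://maven.apache.org/POM/4.0.0"/>')
        for name in ("good-1.0.jar", "good-1.0.pom"):
            (root / (name + ".sha1")).write_text(hashlib.sha1((root / name).read_bytes()).hexdigest())
        for name in ("opt-1.0.jar", "opt-1.0.pom", "opt-1.0.jar.sha1", "opt-1.0.pom.sha1"):
            (root / name).write_bytes(BLOCK_PAGE)  # the filter answered every request with this page
        return audit_repo(root)

if __name__ == "__main__":
    print(demo())
```

The standard-library XML parser keeps the example dependency-free; Python's documentation recommends a hardened parser when the XML comes from an untrusted source.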