Posted to users@maven.apache.org by Marc Lustig <ml...@marclustig.com> on 2010/02/25 14:10:22 UTC

verifying artifact on deployment

Hi,

we had a number of cases when the artifact in our central-repo
(Archiva-based) was not consistent with the corresponding hash. 

Is there any way to
1. automatically test the integrity of an uploaded artefact by comparing
its generated hash with the hash of the local repo (from where it's
deployed)
2. force the deploy-plugin to throw an ERROR in case the hashes do not match
?


I think this is a very common and essential feature, and there should be a
solution to it.

Regards
Marc
-- 
View this message in context: http://old.nabble.com/verifying-artifact-on-deployment-tp27714420p27714420.html


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@maven.apache.org
For additional commands, e-mail: users-help@maven.apache.org


Re: verifying artifact on deployment

Posted by Brett Porter <br...@apache.org>.
On 26/02/2010, at 2:02 AM, Marc Lustig wrote:

> thanks for the swift response.
> First I also thought it's an Archiva issue, but basically Maven is talking
> to the Repo Manager, right? So Maven defines the contract, and Archiva can
> only respond to the contract.
> 
> We are still investigating the issue and trying to reproduce different
> scenarios.
> 
> For now, the question for us is whether Maven has the concept of
> artifact-verification by using hash-codes at all.
> Any input on this matter?

Maven can't really do anything without either having a specific relationship with a repository manager (requesting it send back the checksum of an actual file, not the checksum it just sent), or redownloading the entire file. It is better for the repository manager to deal with uploads that don't match their checksum and give Maven back an HTTP error at the conclusion of the upload. Currently, Archiva is only checking the content length matches on upload to prevent partial upload corruption, and filing problem reports for mismatches with checksums from misbehaving clients as Wendy said.

Please let us know if we can help diagnose the issue if it's not as simple as avoiding the scenarios in the two issues I listed.

Thanks,
Brett

> 
> 
> 
> 2010/2/25 Brett Porter <br...@apache.org>
> 
>> 
>> On 26/02/2010, at 1:30 AM, Wendy Smoak wrote:
>> 
>>> On Thu, Feb 25, 2010 at 8:10 AM, Marc Lustig <ml...@marclustig.com> wrote:
>>>> we had a number of cases when the artifact in our central-repo
>>>> (Archiva-based) was not consistent with the corresponding hash.
>>> 
>>> You can configure the checksum policy to fail when Maven _downloads_
>>> an artifact if the checksum doesn't match.
>>> 
>>> If you're having trouble with checksums when deploying to Archiva, it
>>> would probably be best to ask on the Archiva users list.  If artifacts
>>> are getting added with the wrong checksum, that's probably a bug.
>> 
>> Could it be one of these?
>> http://jira.codehaus.org/browse/MNG-4301
>> http://jira.codehaus.org/browse/MNG-4235
>> 
>>> It
>>> does have some 'repository health' reports that might help find the
>>> problems after the fact.
>> 
>> 
>> - Brett
>> 
>> --
>> Brett Porter
>> brett@apache.org
>> http://brettporter.wordpress.com/

--
Brett Porter
brett@apache.org
http://brettporter.wordpress.com/







Re: verifying artifact on deployment

Posted by Yoav Landman <yl...@gmail.com>.
Artifactory 2.2.2 (the upcoming minor release) already has configurable
checksum verification for _uploaded_ artifacts too.

FYI.

On Thu, Feb 25, 2010 at 5:02 PM, Marc Lustig <ar...@googlemail.com> wrote:

> thanks for the swift response.
> First I also thought it's an Archiva issue, but basically Maven is talking
> to the Repo Manager, right? So Maven defines the contract, and Archiva can
> only respond to the contract.
>
> We are still investigating the issue and trying to reproduce different
> scenarios.
>
> For now, the question for us is whether Maven has the concept of
> artifact-verification by using hash-codes at all.
> Any input on this matter?
>
>
>
> 2010/2/25 Brett Porter <br...@apache.org>
>
> >
> > On 26/02/2010, at 1:30 AM, Wendy Smoak wrote:
> >
> > > On Thu, Feb 25, 2010 at 8:10 AM, Marc Lustig <ml...@marclustig.com> wrote:
> > >> we had a number of cases when the artifact in our central-repo
> > >> (Archiva-based) was not consistent with the corresponding hash.
> > >
> > > You can configure the checksum policy to fail when Maven _downloads_
> > > an artifact if the checksum doesn't match.
> > >
> > > If you're having trouble with checksums when deploying to Archiva, it
> > > would probably be best to ask on the Archiva users list.  If artifacts
> > > are getting added with the wrong checksum, that's probably a bug.
> >
> > Could it be one of these?
> > http://jira.codehaus.org/browse/MNG-4301
> > http://jira.codehaus.org/browse/MNG-4235
> >
> > > It
> > > does have some 'repository health' reports that might help find the
> > > problems after the fact.
> >
> >
> > - Brett
> >
> > --
> > Brett Porter
> > brett@apache.org
> > http://brettporter.wordpress.com/
> >
>

Re: verifying artifact on deployment

Posted by Brian Fox <br...@infinity.nu>.
It does on download, not on upload. Nexus Staging has the ability to
validate artifacts before being allowed to be staged, things like pom
criteria, pgp sigs etc. We don't have a hash rule but it's trivial to
add.

On Thu, Feb 25, 2010 at 10:02 AM, Marc Lustig <ar...@googlemail.com> wrote:
> thanks for the swift response.
> First I also thought it's an Archiva issue, but basically Maven is talking
> to the Repo Manager, right? So Maven defines the contract, and Archiva can
> only respond to the contract.
>
> We are still investigating the issue and trying to reproduce different
> scenarios.
>
> For now, the question for us is whether Maven has the concept of
> artifact-verification by using hash-codes at all.
> Any input on this matter?
>
>
>
> 2010/2/25 Brett Porter <br...@apache.org>
>
>>
>> On 26/02/2010, at 1:30 AM, Wendy Smoak wrote:
>>
>> > On Thu, Feb 25, 2010 at 8:10 AM, Marc Lustig <ml...@marclustig.com> wrote:
>> >> we had a number of cases when the artifact in our central-repo
>> >> (Archiva-based) was not consistent with the corresponding hash.
>> >
>> > You can configure the checksum policy to fail when Maven _downloads_
>> > an artifact if the checksum doesn't match.
>> >
>> > If you're having trouble with checksums when deploying to Archiva, it
>> > would probably be best to ask on the Archiva users list.  If artifacts
>> > are getting added with the wrong checksum, that's probably a bug.
>>
>> Could it be one of these?
>> http://jira.codehaus.org/browse/MNG-4301
>> http://jira.codehaus.org/browse/MNG-4235
>>
>> > It
>> > does have some 'repository health' reports that might help find the
>> > problems after the fact.
>>
>>
>> - Brett
>>
>> --
>> Brett Porter
>> brett@apache.org
>> http://brettporter.wordpress.com/
>>
>



Re: verifying artifact on deployment

Posted by Marc Lustig <ar...@googlemail.com>.
thanks for the swift response.
First I also thought it's an Archiva issue, but basically Maven is talking
to the Repo Manager, right? So Maven defines the contract, and Archiva can
only respond to the contract.

We are still investigating the issue and trying to reproduce different
scenarios.

For now, the question for us is whether Maven has the concept of
artifact-verification by using hash-codes at all.
Any input on this matter?



2010/2/25 Brett Porter <br...@apache.org>

>
> On 26/02/2010, at 1:30 AM, Wendy Smoak wrote:
>
> > On Thu, Feb 25, 2010 at 8:10 AM, Marc Lustig <ml...@marclustig.com> wrote:
> >> we had a number of cases when the artifact in our central-repo
> >> (Archiva-based) was not consistent with the corresponding hash.
> >
> > You can configure the checksum policy to fail when Maven _downloads_
> > an artifact if the checksum doesn't match.
> >
> > If you're having trouble with checksums when deploying to Archiva, it
> > would probably be best to ask on the Archiva users list.  If artifacts
> > are getting added with the wrong checksum, that's probably a bug.
>
> Could it be one of these?
> http://jira.codehaus.org/browse/MNG-4301
> http://jira.codehaus.org/browse/MNG-4235
>
> > It
> > does have some 'repository health' reports that might help find the
> > problems after the fact.
>
>
> - Brett
>
> --
> Brett Porter
> brett@apache.org
> http://brettporter.wordpress.com/
>

Re: verifying artifact on deployment

Posted by Brett Porter <br...@apache.org>.
On 26/02/2010, at 1:30 AM, Wendy Smoak wrote:

> On Thu, Feb 25, 2010 at 8:10 AM, Marc Lustig <ml...@marclustig.com> wrote:
>> we had a number of cases when the artifact in our central-repo
>> (Archiva-based) was not consistent with the corresponding hash.
> 
> You can configure the checksum policy to fail when Maven _downloads_
> an artifact if the checksum doesn't match.
> 
> If you're having trouble with checksums when deploying to Archiva, it
> would probably be best to ask on the Archiva users list.  If artifacts
> are getting added with the wrong checksum, that's probably a bug.  

Could it be one of these?
http://jira.codehaus.org/browse/MNG-4301
http://jira.codehaus.org/browse/MNG-4235

> It
> does have some 'repository health' reports that might help find the
> problems after the fact.


- Brett

--
Brett Porter
brett@apache.org
http://brettporter.wordpress.com/







Re: verifying artifact on deployment

Posted by Wendy Smoak <ws...@gmail.com>.
On Thu, Feb 25, 2010 at 8:10 AM, Marc Lustig <ml...@marclustig.com> wrote:
> we had a number of cases when the artifact in our central-repo
> (Archiva-based) was not consistent with the corresponding hash.

You can configure the checksum policy to fail when Maven _downloads_
an artifact if the checksum doesn't match.

If you're having trouble with checksums when deploying to Archiva, it
would probably be best to ask on the Archiva users list.  If artifacts
are getting added with the wrong checksum, that's probably a bug.  It
does have some 'repository health' reports that might help find the
problems after the fact.

-- 
Wendy
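
An after-the-fact consistency check of the kind discussed in this thread, as an added example that is not part of any message above and is not code from Maven, Archiva, Nexus or Artifactory: it walks a repository directory on disk and compares every artifact with its `.sha1`/`.md5` sidecar file. The function names and the sample repository layout are assumptions made for the example.

```python
import hashlib
import tempfile
from pathlib import Path

ALGORITHMS = {".sha1": "sha1", ".md5": "md5"}  # sidecar suffixes stored next to each artifact


def file_digest(path, algorithm):
    """Hash the file in chunks so large artifacts are not read into memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_repository(root):
    """Return (relative artifact path, algorithm, problem) for every inconsistent sidecar."""
    root = Path(root)
    findings = []
    for sidecar in sorted(root.rglob("*")):
        algorithm = ALGORITHMS.get(sidecar.suffix)
        if algorithm is None or not sidecar.is_file():
            continue
        artifact = sidecar.with_suffix("")  # demo-1.0.jar.sha1 -> demo-1.0.jar
        rel = artifact.relative_to(root).as_posix()
        if not artifact.is_file():
            findings.append((rel, algorithm, "artifact missing"))
            continue
        # Some tools write "<hex>  <filename>"; only the first token is the digest.
        recorded = (sidecar.read_text(errors="replace").split() or [""])[0].lower()
        if recorded != file_digest(artifact, algorithm):
            findings.append((rel, algorithm, "checksum mismatch"))
    return findings


def build_sample_repo(root):
    """Constructed sample: a consistent jar and a pom whose bytes differ from its sidecar."""
    base = Path(root) / "com" / "example" / "demo" / "1.0"
    base.mkdir(parents=True)
    (base / "demo-1.0.jar").write_bytes(b"constructed jar bytes")
    (base / "demo-1.0.jar.sha1").write_text(hashlib.sha1(b"constructed jar bytes").hexdigest().upper() + "  demo-1.0.jar\n")
    (base / "demo-1.0.pom").write_bytes(b"<project>truncated")
    (base / "demo-1.0.pom.md5").write_text(hashlib.md5(b"<project>complete</project>").hexdigest())


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_repo(tmp)
        print(audit_repository(tmp))
```

A clean result only shows that the stored bytes and the stored sidecar agree; it says nothing about who uploaded them, which is the job of the PGP signature checks mentioned earlier in the thread.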
