Hi

1)
Is this only for camel-core project, and not camel-spring-boot?

2)
I wonder if we have a similar problem on the main branch if we attempt to
release it as 4.17.0?

3)
I wonder if we redo a 4.14.3 with the latest code from the camel-4.14.x
branch (new code since the current attempt), does it work then?

4)
I guess we don't know which file Sonatype complains about, and as such it's
not easy to find out. Is there no additional logging?

5)
Are there other ASF projects that release without MD5 hashes? (see my
other mail thread).
IMHO those are outdated today, and we should consider dropping them and
jumping from SHA1 to SHA256.
But finding other ASF projects releasing that way would be good, to see it's
already done, and this can help us analyze what we can do to upgrade.
Maybe this is better for newer releases like 4.17 or later. But if all
above fails and this is the only way to do 4.14.3 release then we can try
this.

6)
Any other ideas?

On Mon, Dec 15, 2025 at 5:23 PM Gregor Zurowski <[email protected]>
wrote:

> Hi Everyone:
>
> I wasn't able to resolve this. Therefore, I have created the following
> ticket for the INFRA team:
> https://issues.apache.org/jira/browse/INFRA-27498.
>
> Thanks,
> Gregor
>
> On Thu, Dec 11, 2025 at 10:33 PM Claus Ibsen <[email protected]>
> wrote:
> >
> > Hi
> >
> > And here is another Grok AI reply (think harder mode)
> > https://grok.com/share/c2hhcmQtNQ_2c900d4c-f6e5-401a-9162-d526ac50c514
> >
> >
> >
> > The error you're encountering during the staging repository closure is
> > due to Nexus's security validation rule
> > ("no-traversal-paths-in-archive-file") misidentifying one of your uploaded
> > MD5 checksum files (e.g., something like `artifact-name.pom.md5` or
> > `artifact-name.jar.md5`) as a compressed archive file (specifically, a
> > cpio format archive). This happens because the content of that particular
> > MD5 file starts with a string like "070701" or "070702", which matches the
> > magic number for cpio archives.
> >
> > When Nexus attempts to inspect it as an archive to check for insecure
> > paths (e.g., path traversal vulnerabilities), the parsing fails because
> > it's not actually an archive—it's just a text file containing a hash and
> > filename. This leads to the WalkerException and the nested
> > IllegalArgumentException about the "unknown mode," as the random bytes in
> > the file don't conform to a valid cpio header structure (e.g., the mode
> > field is interpreted as invalid hex like "5543562b").
> >
> > ### How to Identify the Problematic File
> > - Log in to your Sonatype Nexus OSSRH account and view the contents of
> >   the staging repository (`orgapachecamel-1911`).
> > - Download all the .md5 files.
> > - Open them in a text editor or hex viewer and check which one starts
> >   with "07070..." (e.g., "070702xxxxxxxx  filename").
> >
> > ### Solutions
> > - **Short-term workaround:** Slightly modify the artifact associated with
> >   the problematic .md5 file (e.g., add a space in a comment or update a
> >   non-functional part of the POM) to regenerate a new hash that doesn't
> >   start with the conflicting magic number. Then, redeploy to a new staging
> >   repository.
> > - **Alternative:** Bump the version number of the affected artifact
> >   (e.g., from x.y.z to x.y.z+1) and redeploy. This will change the hash
> >   and avoid the issue.
> > - **Long-term recommendation:** Consider generating and uploading
> >   stronger checksums like SHA-256 (.sha256 files) alongside or instead of
> >   MD5/SHA1, as longer hashes reduce the chance of magic number collisions.
> >   Update your Maven build configuration to include this (e.g., via the
> >   `maven-assembly-plugin` or `maven-deploy-plugin`). Sonatype supports
> >   SHA-256, and it may help avoid similar edge cases in the future.
> > - If this persists across versions or you can't modify the artifacts,
> >   contact Sonatype support via their OSSRH Jira (issues.sonatype.org) and
> >   provide the staging repo ID and error logs for assistance—they may be
> >   able to override or investigate server-side.
> >
> > This is a known edge case in Nexus (versions around 2.x and 3.x),
> > stemming from content-based file type detection prioritizing magic
> > numbers over file extensions in some scenarios.
> >
> > On Thu, Dec 11, 2025 at 10:09 PM Gregor Zurowski <[email protected]>
> > wrote:
> >
> > > Hi Everyone:
> > >
> > > I have built the Camel 4.14.3 release candidate, but I am getting the
> > > following error when attempting to close the staging repository in
> > > Nexus:
> > >
> > > ```
> > > Event: Failed: Archives must not contain insecure paths
> > >
> > > typeId no-traversal-paths-in-archive-file
> > > failureMessage Rule evaluation unexpectedly failed:
> > > org.sonatype.nexus.proxy.walker.WalkerException: Aborted walking on
> > > repository ID='orgapachecamel-1911' from path='/'.
> > > x.x.causedBy.1 java.lang.IllegalArgumentException: Unknown mode. Full:
> > > 5543562b Masked: 5000
> > > x.x.causedBy.0 org.sonatype.nexus.proxy.walker.WalkerException:
> > > Aborted walking on repository ID='orgapachecamel-1911' from path='/'.
> > > ```
> > >
> > > Any ideas what might be causing this?
> > >
> > > Thanks in advance,
> > > Gregor
> > >
> >
> >
> > --
> > Claus Ibsen
>


-- 
Claus Ibsen
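The "How to Identify the Problematic File" steps quoted above can be automated. The script below is an added example written for this thread, not code from the Apache Camel project or from any of the posters: it walks a local copy of a staging repository, reads the first bytes of every checksum sidecar file and flags the ones that begin with a cpio magic number, which is the condition that made Nexus's archive sniffer try to parse an .md5 file as an archive. It assumes Maven-style sidecars that contain the hex digest (a trailing filename, as in the quoted example, is handled too); the repository layout, artifact names and the colliding digest are constructed for the demo and are not real Camel artifacts. Because the sniffer only looks at the first six characters, the same check applies to .sha1 and .sha256 files, so the script scans those as well.

```python
"""Flag checksum sidecar files whose content starts with a cpio magic number.

Added example for the mailing-list thread; not part of Apache Camel.
"""
import hashlib
import tempfile
from pathlib import Path

# Magic numbers of the cpio archive formats: the "new ASCII" forms 070701 and
# 070702 named in the thread, plus the portable ASCII form 070707.
CPIO_MAGICS = (b"070701", b"070702", b"070707")

# Checksum sidecar files a Maven deploy writes next to each artifact.
CHECKSUM_SUFFIXES = (".md5", ".sha1", ".sha256", ".sha512")


def looks_like_cpio(head: bytes) -> bool:
    """True if the leading bytes would be taken for a cpio header by a
    content sniffer. Only the first six characters matter, so the length
    of the digest (MD5, SHA-1, SHA-256) makes no difference here."""
    return head.lstrip().startswith(CPIO_MAGICS)


def scan_checksum_files(root: Path) -> list[str]:
    """Return the checksum files under root (as sorted POSIX paths relative
    to root) whose content starts with a cpio magic number."""
    flagged = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in CHECKSUM_SUFFIXES:
            with path.open("rb") as fh:
                head = fh.read(16)
            if looks_like_cpio(head):
                flagged.append(path.relative_to(root).as_posix())
    return flagged


def collision_probability(n_files: int) -> float:
    """Chance that at least one of n_files digests starts with a cpio magic
    number, assuming each 6-hex-character prefix is equally likely (true for
    a cryptographic hash over distinct inputs)."""
    p = len(CPIO_MAGICS) / 16 ** 6
    return 1.0 - (1.0 - p) ** n_files


def write_checksum(artifact: Path, algorithm: str) -> Path:
    """Write a Maven-style sidecar (hex digest only) beside artifact."""
    digest = hashlib.new(algorithm, artifact.read_bytes()).hexdigest()
    sidecar = artifact.with_name(artifact.name + "." + algorithm)
    sidecar.write_text(digest)
    return sidecar


def build_sample_repo() -> Path:
    """Constructed staging-repo layout for the demo (hypothetical artifact):
    a POM and a JAR with genuine checksums, plus one sidecar whose digest is
    hand-written so that it begins with the 070702 magic number."""
    root = Path(tempfile.mkdtemp(prefix="staging-demo-"))
    version_dir = root / "org" / "apache" / "camel" / "demo-artifact" / "0.0.0"
    version_dir.mkdir(parents=True)
    pom = version_dir / "demo-artifact-0.0.0.pom"
    pom.write_text("<project><artifactId>demo-artifact</artifactId></project>\n")
    jar = version_dir / "demo-artifact-0.0.0.jar"
    jar.write_bytes(b"PK\x05\x06" + b"\x00" * 18)  # empty zip, i.e. an empty jar
    for artifact in (pom, jar):
        for algorithm in ("md5", "sha1"):
            write_checksum(artifact, algorithm)
    # Constructed colliding digest: 32 hex characters that start with 070702.
    # This is not the MD5 of anything; it stands in for the unlucky file.
    bad = version_dir / "demo-artifact-0.0.0-sources.jar.md5"
    bad.write_text("070702d1f3a9c4b2e8f1a6c0d3b5e7f9")
    return root


if __name__ == "__main__":
    repo = build_sample_repo()
    for rel in scan_checksum_files(repo):
        print("cpio-like checksum file:", rel)
    print("P(at least one collision in 20000 sidecars) =",
          f"{collision_probability(20000):.4f}")
```

Point it at the downloaded staging repository instead of the constructed one to find the real offender; the one-liner equivalent for a quick look is `grep -l '^07070' *.md5 *.sha1`. The probability helper is there to size the risk: one file has about a 1.8e-7 chance of hitting a magic prefix, but a release that deploys tens of thousands of sidecars gets into the tenths of a percent, which is why the problem shows up occasionally on large projects and why a redeploy with changed content normally makes it go away.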
