Hi there,
we were chasing some build issues in Nexus -- that were very strange -- and
after a long investigation narrowed it to You.

What was the issue: one of our developers built Nexus after a long time not
doing so, and his build behaved completely broken, with regard to restlet
REST services. The issue he had was _very_ similar to those reported in my
mail a few weeks ago (GZIP and content length, confirmed by Thierry in
1.1.2!).

The interesting thing was, that in Nexus, we use _released_ artifacts of
restlet JARs, specifically the version 1.1.1 (stepped back from 1.1.2
because of "GZIP and content length" problem).

Furthermore, Sonatype is proxying the maven.restlet.org repository (to
lessen the hit of the grid.sonatype.org CI machines), and some of our
developers are using the proxy repository instead of directly accessing
maven.restlet.org. The developer in question was _not_ using the
repository.sonatype.org proxy, he was accessing the maven.repository.org
directly. And interestingly, his builds were totally hosed, and were
producing _exactly_ the same "GZIP + content length" issue that was found in
1.1.2, but not in 1.1.1 (up to now).

As it turned out, the maven.restlet.org _release_ repository artifacts are
_changed_ after they are deployed. This is violating the Maven Remote
Repository contract in its roots.

What I detected up to now:

1. The _release_ JAR files _change_ in time! At least, the Restlet engine
of 1.1.1 release _did_ change silently.

Example:
users accessing restlet proxy repository over repository.sonatype.org pulled
the com.noelios.restlet-1.1.1.jar (restlet engine) once, and Nexus (just
like Maven!!!), will _never_ again check for new _release_ artifact. It
simply does not make sense. A release is released, put in concrete, and it
does not change in time. The "moving targets" are snapshots only.

Right now, there are potentially multiple versions of restlet JARs out
there. Just like this:

http://maven.restlet.org/com/noelios/restlet/com.noelios.restlet/1.1.1/com.noelios.restlet-1.1.1.jar

If you download this JAR from maven.restlet.org, and download the same JAR
from Nexus proxying maven.restlet.org:

http://repository.sonatype.org/content/repositories/restlet/com/noelios/restlet/com.noelios.restlet/1.1.1/com.noelios.restlet-1.1.1.jar

(this jar is proxied from maven.restlet.org at Nov 15 2008). You will end up
with two different jars:

Coming from maven.restlet.org in this very moment:
SHA1(com.noelios.restlet-1.1.1.jar)= 051b7b6bb01356aa296705e71fec82ab02f1f977
Meta-inf says: Implementation-Version: 1.1.1 (build 18)
Has GZIP + Content Length bug introduced

Came from maven.restlet.org at Nov 15 2008:
SHA1(com.noelios.restlet-1.1.1.jar)= ac28b0e9d5a7b0513c2aab495094b51515e40162
Meta-inf says: Implementation-Version: 1.1.1 (build 6)
Has _no_ GZIP + Content Length bug introduced

2. (minor but interesting) LastChanged header that is returned by
maven.restlet.org repository is always _now_ (current date up to the
second). This is bad, and makes detection of remote file change using HEAD
impossible.

Please, stop doing this. Or don't host a Maven Repository.

This actually means, that you are making your Maven Repository consumers
_unable_ to guarantee consistent/reproducible builds.

Just like Nexus OSS trunk is broken for everybody out there building it by
accessing your maven.restlet.org repository. But our builds made on CI
machines will be fine, since they are picking up "build 6" of restlet
engine, that has no GZIP bug introduced (yet).

Thanks,
~t~

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=1227700
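
The check described in the message above (same release coordinate, two copies, compare SHA-1 and the manifest's Implementation-Version), as an added example that is not part of the original e-mail. The function names and the two in-memory JARs are constructed for illustration; they are not the real Restlet artifacts.

```python
import hashlib
import io
import zipfile


def make_jar(impl_version: str, payload: bytes) -> bytes:
    """Build a small constructed JAR in memory (sample data, not a real Restlet JAR)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     f"Manifest-Version: 1.0\r\nImplementation-Version: {impl_version}\r\n")
        jar.writestr("Engine.class", payload)
    return buf.getvalue()


def fingerprint(jar_bytes: bytes) -> dict:
    """Return the SHA-1 of the file and the manifest Implementation-Version."""
    version = None
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    # Manifest continuation lines start with a single space; unfold before parsing.
    for line in manifest.replace("\r\n ", "").replace("\n ", "").splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "implementation-version":
            version = value.strip()
    return {"sha1": hashlib.sha1(jar_bytes).hexdigest(), "impl_version": version}


def compare_release(cached: bytes, upstream: bytes) -> dict:
    """Compare a cached copy of a release artifact with a fresh upstream download."""
    a, b = fingerprint(cached), fingerprint(upstream)
    # A release is immutable, so any digest difference means it was republished.
    return {"mutated": a["sha1"] != b["sha1"], "cached": a, "upstream": b}


if __name__ == "__main__":
    cached = make_jar("1.1.1 (build 6)", b"engine-bytes-A")     # constructed sample
    upstream = make_jar("1.1.1 (build 18)", b"engine-bytes-B")  # constructed sample
    result = compare_release(cached, upstream)
    print("release artifact changed:", result["mutated"])
    for side in ("cached", "upstream"):
        info = result[side]
        print(f"  {side:8} sha1={info['sha1']} version={info['impl_version']}")
```

On real files, pass the bytes of the proxy's cached JAR and of a fresh download from the origin repository to `compare_release`.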
