Hello Tamás,

we don't intentionally update released artifacts. Once released they are 
not normally updated, however, I recognize this thing happened. I don't 
remember exactly when (maybe in November) but it was a mistake.

> we were chasing some build issues in Nexus -- that were very strange
> -- and after a long investigation narrowed it to you.
I'm particularly sorry about that.

best regards,
Thierry Boileau

> Hi there,
>
> we were chasing some build issues in Nexus -- that were very strange 
> -- and after a long investigation narrowed it to You.
>
> What was the issue: one of our developers built Nexus after a long 
> time not doing so, and his build behaved completely broken, as 
> regarding to restlet REST services. The issue he had was _very_ 
> similar to those reported in my mail few weeks ago (GZIP and content 
> length, confirmed by Thierry in 1.1.2!).
>
> The interesting thing was, that in Nexus, we use _released_ artifacts 
> of restlet JARs, specifically the version 1.1.1 (stepped back from 
> 1.1.2 because of "GZIP and content length" problem).
>
> Furthermore, Sonatype is proxying the maven.restlet.org 
> <http://maven.restlet.org> repository (to lessen the hit of the 
> grid.sonatype.org <http://grid.sonatype.org> CI machines), and some of 
> our developers are using the proxy repository instead of direct 
> accessing the maven.restlet.org <http://maven.restlet.org>. The 
> developer in question was _not_ using repository.sonatype.org 
> <http://repository.sonatype.org> proxy, he was accessing the 
> maven.repository.org <http://maven.repository.org> directly. And 
> interestingly, his builds were totally hosed, and were producing the 
> _exactly_ same "GZIP + content length" issue that was found in 1.1.2, 
> but not in 1.1.1 (up to now).
>
> As it turned out, the maven.restlet.org <http://maven.restlet.org> 
> _release_ repository artifacts are _changed_ after they are deployed. 
> This is violating the Maven Remote Repository contract in its roots.
>
> What I detected up to now:
>
> 1. The _release_ JAR files _change_ in time! At least, the Restlet 
> engine of 1.1.1 release _did_ change silently.
>
> Example:
> users accessing restlet proxy repository over repository.sonatype.org 
> <http://repository.sonatype.org> pulled the 
> com.noelios.restlet-1.1.1.jar (restlet engine) once, and Nexus (just 
> like Maven!!!), will _never_ again check for new _release_ artifact. 
> It simply does not make sense. A release is released, put in 
> concrete, and it does not change in time. The "moving targets" are 
> snapshots only.
>
> Right now, there are potentially multiple versions of restlet JARs out 
> there. Just like this:
>
> http://maven.restlet.org/com/noelios/restlet/com.noelios.restlet/1.1.1/com.noelios.restlet-1.1.1.jar
>
> If you download this JAR from maven.restlet.org 
> <http://maven.restlet.org>, and download the same JARs from Nexus 
> proxying maven.restlet.org <http://maven.restlet.org>:
>
> http://repository.sonatype.org/content/repositories/restlet/com/noelios/restlet/com.noelios.restlet/1.1.1/com.noelios.restlet-1.1.1.jar
>
> (this jar is proxied from maven.restlet.org <http://maven.restlet.org> 
> at Nov 15 2008). You will end up with two different jars:
>
> Coming from maven.restlet.org <http://maven.restlet.org> in this very 
> moment:
> SHA1(com.noelios.restlet-1.1.1.jar)= 
> 051b7b6bb01356aa296705e71fec82ab02f1f977
> Meta-inf says: Implementation-Version: 1.1.1 (build 18)
> Has GZIP + Content Length bug introduced
>
> Came from maven.restlet.org <http://maven.restlet.org> at Nov 15 2008:
> SHA1(com.noelios.restlet-1.1.1.jar)= 
> ac28b0e9d5a7b0513c2aab495094b51515e40162
> Meta-inf says: Implementation-Version: 1.1.1 (build 6)
> Has _no_ GZIP + Content Length bug introduced
>
> 2. (minor but interesting) LastChanged header that is returned by 
> maven.restlet.org <http://maven.restlet.org> repository is always 
> _now_ (current date up to the second). This is bad, and makes 
> detection of remote file change using HEAD impossible.
>
> Please, stop doing this. Or don't host a Maven Repository.
>
> This actually means that you are making your Maven Repository 
> consumers _unable_ to guarantee consistent/reproducible builds. 
>
> Just like Nexus OSS trunk is broken for everybody out there building 
> it by accessing your maven.restlet.org <http://maven.restlet.org> 
> repository. But our builds made on CI machines will be fine, since 
> they are picking up "build 6" of restlet engine, that has no GZIP bug 
> introduced (yet).
>
> Thanks,
> ~t~

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=1228076
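
Added example (not part of the original thread, nor Restlet or Nexus code): a check that pins the SHA-1 recorded when a release was first fetched and flags a later download of the same coordinates that no longer matches, reporting the manifest's Implementation-Version as the message above does. The JAR bytes are constructed in memory and the helper names are hypothetical.

```python
import hashlib
import io
import zipfile

COORDS = "com.noelios.restlet:com.noelios.restlet:1.1.1"
FIXED_DATE = (2008, 11, 15, 0, 0, 0)  # fixed timestamp keeps the sample bytes reproducible


def build_jar(impl_version, payload):
    """Build a tiny in-memory JAR (constructed sample, not a real Restlet artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        manifest = "Manifest-Version: 1.0\r\nImplementation-Version: %s\r\n\r\n" % impl_version
        jar.writestr(zipfile.ZipInfo("META-INF/MANIFEST.MF", FIXED_DATE), manifest)
        jar.writestr(zipfile.ZipInfo("Engine.class", FIXED_DATE), payload)
    return buf.getvalue()


def sha1_hex(data):
    # SHA-1 matches the digests quoted in the thread; prefer SHA-256 for new pins.
    return hashlib.sha1(data).hexdigest()


def implementation_version(jar_bytes):
    """Read Implementation-Version from META-INF/MANIFEST.MF, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for line in jar.read("META-INF/MANIFEST.MF").decode("utf-8").splitlines():
            key, _, value = line.partition(":")
            if key.strip() == "Implementation-Version":
                return value.strip()
    return None


def check_release(coords, jar_bytes, pinned):
    """Compare a downloaded release against the digest pinned at first fetch."""
    actual = sha1_hex(jar_bytes)
    expected = pinned.get(coords)
    if expected is None:
        status = "unpinned"   # never seen before: record it, do not trust silently
    elif expected == actual:
        status = "ok"
    else:
        status = "changed"    # a release artifact was republished under the same version
    return {"coords": coords, "status": status, "expected": expected,
            "actual": actual, "implementation_version": implementation_version(jar_bytes)}


# Constructed sample: the copy a proxy cached first, and a later upstream download.
FIRST_FETCH = build_jar("1.1.1 (build 6)", b"engine-a")
REFETCH = build_jar("1.1.1 (build 18)", b"engine-b")
PINNED = {COORDS: sha1_hex(FIRST_FETCH)}
```
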
