Hi Jerome,

Thanks for looking into this. I would suggest not changing 1.1.1 again back to b6, simply release a new version and leave it alone to avoid further confusion for people.

Also, Nexus has the ability to deny updates to existing releases if you want to use that for hosting your repository. We also make Pro licenses available for OSS projects like Restlet if you're interested. (and we could host it too at http://oss.repository.sonatype.org)

--Brian

From: Jerome Louvel [mailto:[email protected]]
Sent: Wednesday, February 25, 2009 2:28 PM
To: [email protected]
Subject: RE: maven.restlet.org repository misbehaving

Hi Tamas,

Thanks for reporting this issue. We do understand the root contract of Maven saying that a released artifact shouldn't be updated. This has always been our release policy at Restlet, even before our Maven support. As you know, bugs just happen :-)

I'd like to mention that due to the lack of a formal and detailed specification on how to maintain Maven artifacts, Thierry had to do several round trips (with Buckminster users for example), in order to finally guess the proper/expected behavior for the repository metadata. During this process I guess he unintentionally published a more recent build.

Again, we'll restore the original build ASAP and make sure that our Maven publishing tasks can't mistakenly erase an existing artifact.

Best regards,
Jerome Louvel
--
Restlet ~ Founder and Lead developer ~ http://www.restlet.org
Noelios Technologies ~ Co-founder ~ http://www.noelios.com

________________________________

From: [email protected] [mailto:[email protected]] On behalf of Tamás Cservenák
Sent: Wednesday, February 25, 2009 19:59
To: [email protected]
Subject: Re: maven.restlet.org repository misbehaving

Yeah, this was exactly my question: which 1.1.1 jars are the "good" ones? If those served _currently_, then we are in trouble, since both 1.1.1 and 1.1.2 introduce the GZIP + Content-Length bug, and we (Nexus) have nowhere to "escape" to (1.1.0 is also broken, AFAIK)! Checkmate.

It would be nice to have build6 back, with version like Brian proposes (1.1.1-b6), to make it buildable for everyone out there. We will make the proper changes in Nexus POMs, once you make it accessible over your repo.

Note: Brian meant version 1.1.2, not 1.2.1 I assume.

~t~

On Wed, Feb 25, 2009 at 7:35 PM, Brian E. Fox <[email protected]> wrote:

Hi Thierry,

Is it possible to restore the original 1.1.1 perhaps as 1.1.1-b6 so that we know there is a valid version? The major concern is that the current 1.1.1 is broken like 1.2.1 so our only alternative is to disconnect the proxy and deploy it to our 3rd party manually.

--Brian Fox
Apache Maven PMC

-----Original Message-----
From: Thierry Boileau [mailto:[email protected]]
Sent: Wednesday, February 25, 2009 1:31 PM
To: [email protected]
Subject: Re: maven.restlet.org repository misbehaving

Hello Tamás,

we don't intentionally update released artifacts. Once released they are not normally updated, however, I recognize this thing happened. I don't remember exactly when (maybe in November) but it was a mistake.

>we were chasing some build issues in Nexus -- that were very strange -- and after a long investigation narrowed it to you.

I'm particularly sorry about that.

best regards,
Thierry Boileau

> Hi there,
>
> we were chasing some build issues in Nexus -- that were very strange -- and after a long investigation narrowed it to You.
>
> What was the issue: one of our developers built Nexus after a long time not doing so, and his build behaved completely broken, as regarding to restlet REST services. The issue he had was _very_ similar to those reported in my mail few weeks ago (GZIP and content length, confirmed by Thierry in 1.1.2!).
>
> The interesting thing was, that in Nexus, we use _released_ artifacts of restlet JARs, specifically the version 1.1.1 (stepped back from 1.1.2 because of "GZIP and content length" problem).
>
> Furthermore, Sonatype is proxying the maven.restlet.org repository (to lessen the hit of the grid.sonatype.org CI machines), and some of our developers are using the proxy repository instead of direct accessing the maven.restlet.org. The developer in question was _not_ using repository.sonatype.org proxy, he was accessing the maven.repository.org directly. And interestingly, his builds were totally hosed, and were producing the _exactly_ same "GZIP + content length" issue that was found in 1.1.2, but not in 1.1.1 (up to now).
>
> As it turned out, the maven.restlet.org _release_ repository artifacts are _changed_ after they are deployed. This is violating the Maven Remote Repository contract in its roots.
>
> What I detected up to now:
>
> 1. The _release_ JAR files _change_ in time! At least, the Restlet engine of 1.1.1 release _did_ change silently.
>
> Example:
> users accessing restlet proxy repository over repository.sonatype.org pulled the com.noelios.restlet-1.1.1.jar (restlet engine) once, and Nexus (just like Maven!!!), will _never_ again check for new _release_ artifact. It simply does not make sense. A release is released, put in concrete, and it does not change in time. The "moving targets" are snapshots only.
>
> Right now, there are potentially multiple versions of restlet JARs out there.
> Just like this:
>
> http://maven.restlet.org/com/noelios/restlet/com.noelios.restlet/1.1.1/com.noelios.restlet-1.1.1.jar
>
> If you download this JAR from maven.restlet.org, and download the same JARs from Nexus proxying maven.restlet.org:
>
> http://repository.sonatype.org/content/repositories/restlet/com/noelios/restlet/com.noelios.restlet/1.1.1/com.noelios.restlet-1.1.1.jar
>
> (this jar is proxied from maven.restlet.org at Nov 15 2008). You will end up with two different jars:
>
> Coming from maven.restlet.org in this very moment:
> SHA1(com.noelios.restlet-1.1.1.jar)= 051b7b6bb01356aa296705e71fec82ab02f1f977
> Meta-inf says: Implementation-Version: 1.1.1 (build 18)
> Has GZIP + Content Length bug introduced
>
> Came from maven.restlet.org at Nov 15 2008:
> SHA1(com.noelios.restlet-1.1.1.jar)= ac28b0e9d5a7b0513c2aab495094b51515e40162
> Meta-inf says: Implementation-Version: 1.1.1 (build 6)
> Has _no_ GZIP + Content Length bug introduced
>
> 2. (minor but interesting) LastChanged header that is returned by maven.restlet.org repository is always _now_ (current date up to the second). This is bad, and makes detection of remote file change using HEAD impossible.
>
> Please, stop doing this. Or don't host a Maven Repository.
>
> This actually means, that you are making your Maven Repository consumers _unable_ to guarantee consistent/reproducible builds.
>
> Just like Nexus OSS trunk is broken for everybody out there building it by accessing your maven.restlet.org repository. But our builds made on CI machines will be fine, since they are picking up "build 6" of restlet engine, that has no GZIP bug introduced (yet).
>
> Thanks,
> ~t~
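
Added example, not part of the original thread or of the Restlet or Nexus code: a consumer-side check that pins a release artifact's digest the first time it is seen and flags any later change, reporting the manifest `Implementation-Version` on both sides as in the comparison above. The JARs are constructed in memory, and `make_jar`, `implementation_version` and `check_release` are hypothetical names.

```python
import hashlib
import io
import zipfile

def make_jar(build):
    """Constructed sample: an in-memory JAR stamped with a build number."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in (
            ("META-INF/MANIFEST.MF",
             f"Manifest-Version: 1.0\r\nImplementation-Version: 1.1.1 (build {build})\r\n"),
            ("Engine.class", f"constructed bytes, build {build}"),
        ):
            # Fixed timestamp so identical content always hashes identically.
            z.writestr(zipfile.ZipInfo(name, date_time=(2008, 11, 15, 0, 0, 0)), body)
    return buf.getvalue()

def implementation_version(jar_bytes):
    """Read Implementation-Version from the manifest (no continuation-line handling)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        manifest = z.read("META-INF/MANIFEST.MF").decode("utf-8")
    for line in manifest.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "implementation-version":
            return value.strip()
    return None

def check_release(coord, jar_bytes, pins):
    """Pin a release on first sight; afterwards any digest change is a violation.

    Returns (status, pinned_version, seen_version)."""
    digest = hashlib.sha1(jar_bytes).hexdigest()  # SHA-1 only to mirror the thread
    seen = implementation_version(jar_bytes)
    if coord not in pins:
        pins[coord] = {"sha1": digest, "impl": seen}
        return ("pinned", seen, seen)
    pin = pins[coord]
    status = "unchanged" if pin["sha1"] == digest else "mutated"
    return (status, pin["impl"], seen)

if __name__ == "__main__":
    pins = {}  # in practice a lock file kept under version control
    coord = "com.noelios.restlet:com.noelios.restlet:1.1.1"
    for build in (6, 6, 18):  # third fetch simulates the silently replaced release
        print(check_release(coord, make_jar(build), pins))
```
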

