[Bug 432018] Project repositories allow deployment of artifacts from other Eclipse projects
Bugzilla Link | 432018 |
Status | REOPENED |
Importance | P3 major |
Reported | Apr 04, 2014 08:14 EDT |
Modified | Dec 20, 2021 15:20 EDT |
Reporter | Tobias Oberlies |
Description
Apparently, the policies on repo.eclipse.org allow projects to deploy artifacts of other Eclipse projects. E.g. when searching for org.eclipse.equinox [1], you'll find an artifact which apparently has been uploaded by the acceleo project.
This may lead to either unpleasant or even critical situations when other projects try to upload the same artifact:
- If the policies are set up correctly, the second deployment under the same GAV fails. This may be unpleasant if e.g. Equinox is no longer allowed to upload their own artifacts because someone else has already uploaded them.
- If there is no policy that prevents deployments of the same GAV, you may end up in the situation that two projects deploy a different artifact under the same GAV. In this case, the content which is served by the "releases" group may change over time, violating the basic assumption of artifact immutability in Maven repositories.
So, to avoid this problem, you should only allow distinct white-lists of groupId prefixes in each project-specific repository.
[1] https://repo.eclipse.org/index.html#nexus-search;quick~org.eclipse.equinox
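The two policies the report asks for (a per-project groupId prefix white-list, and refusal to overwrite an already-released GAV with different content) can be modelled in a few lines. The following is an added example and not code from repo.eclipse.org, Nexus, or any Eclipse project; it simulates a repository manager in memory, and the project names, prefixes, GAV and artifact bytes are constructed sample data. It also shows the audit a defender would run over the aggregated "releases" group to find GAVs that two member repositories serve with different content.

```python
"""Model of per-project groupId allow-lists and GAV immutability checks.

Added example, not code from repo.eclipse.org or the Eclipse projects named
in the report. The repository manager is simulated in memory; project names,
prefixes, versions and artifact contents are constructed sample data.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Gav:
    group_id: str
    artifact_id: str
    version: str


@dataclass
class Repository:
    """A project-specific hosted repository: a groupId prefix allow-list plus
    an immutable store of released artifacts (GAV -> sha256 of content)."""
    project: str
    allowed_prefixes: tuple[str, ...]
    artifacts: dict[Gav, str] = field(default_factory=dict)

    def prefix_allowed(self, group_id: str) -> bool:
        # Match only on a dotted-segment boundary, so that an allow-list entry
        # "org.eclipse.equinox" does not also cover "org.eclipse.equinoxfoo".
        return any(group_id == p or group_id.startswith(p + ".")
                   for p in self.allowed_prefixes)

    def deploy(self, gav: Gav, content: bytes) -> str:
        """Accept a deployment only if the groupId is allow-listed and the
        GAV is new or identical to what is already stored."""
        if not self.prefix_allowed(gav.group_id):
            raise PermissionError(
                f"{self.project}: groupId {gav.group_id} is outside the allow-list")
        digest = hashlib.sha256(content).hexdigest()
        existing = self.artifacts.get(gav)
        if existing is not None and existing != digest:
            # Second policy from the report: a released GAV never changes.
            raise ValueError(f"{self.project}: {gav} already released with other content")
        if existing is not None:
            return "unchanged"
        self.artifacts[gav] = digest
        return "deployed"


def audit_group(repos: list[Repository]) -> dict[Gav, set[str]]:
    """Find GAVs that more than one member repository of an aggregated group
    serves with different content: the immutability violation in the report.
    Returns {gav: {projects that hold a conflicting copy}}."""
    seen: dict[Gav, dict[str, str]] = {}
    for repo in repos:
        for gav, digest in repo.artifacts.items():
            seen.setdefault(gav, {})[repo.project] = digest
    return {gav: set(by_project)
            for gav, by_project in seen.items()
            if len(set(by_project.values())) > 1}


# Constructed GAV standing in for the Equinox artifact mentioned in the report.
SAMPLE_GAV = Gav("org.eclipse.equinox", "org.eclipse.equinox.common", "1.2.3")


def run_without_allowlist() -> dict[Gav, set[str]]:
    """Both repositories accept any org.eclipse groupId (the situation the
    report describes); two projects release different bytes under one GAV."""
    acceleo = Repository("acceleo", ("org.eclipse",))
    equinox = Repository("equinox", ("org.eclipse",))
    acceleo.deploy(SAMPLE_GAV, b"constructed jar bytes built by acceleo")
    equinox.deploy(SAMPLE_GAV, b"constructed jar bytes built by equinox")
    return audit_group([acceleo, equinox])


def run_with_allowlist() -> str:
    """Distinct prefix allow-lists per repository: the foreign deployment is
    rejected and the owning project can still release its own artifact."""
    acceleo = Repository("acceleo", ("org.eclipse.acceleo",))
    equinox = Repository("equinox", ("org.eclipse.equinox",))
    try:
        acceleo.deploy(SAMPLE_GAV, b"constructed jar bytes built by acceleo")
        return "foreign deployment accepted"
    except PermissionError:
        pass
    return equinox.deploy(SAMPLE_GAV, b"constructed jar bytes built by equinox")


if __name__ == "__main__":
    print("conflicts without allow-list:", run_without_allowlist())
    print("equinox deploy with allow-list:", run_with_allowlist())
```

The audit is the detection side: even after allow-lists are introduced, running it once over the existing group reveals which GAVs were already released twice and need to be resolved by hand rather than silently overwritten.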