Is Release repository policy in Nexus ensures a jar will never change?
I'm in the process of deploying Nexus OSS as internal company repository. One of the main requirements is that once a jar has been downloaded by Nexus (for example, when using is as a proxy of Maven Central) it will never change. I know that Maven Central has that policy, but I'm using ot开发者_开发知识库her repositories which are not under my control, and I have to validate that requirement on my side.
Does a Release repository policy ensures that once a jar is downloaded into that respository, it will never change?
The requirement exists to ensure we can go back to a version of our product created 1.5 years ago, and make sure the repository artifacts used by the product are the same when building it now.
Indeed, a release repository should strictly forbid content modification after a release, which is what Maven Central is doing:
2.2.4. The Central Maven Repository
(...) Here are some of the properties of release repositories such as the Central Maven repository:
...
Release Stability
Once published to the Central Maven repository, an artifact and the metadata describing that artifact never change. This property of release repositories guarantees that projects which depend on releases will be repeatable and stable over time. While new software artifacts are being published to central every day, once an artifact is assigned a release number on Central, there is a strict policy against modifying the contents of a software artifact after a release.
That being said, whether a Maven client will (re)download an artifact or not does not really depend on the repository and its policy, this is part of Maven DNA and it just won't happen (unless you delete the given artifact from your local repository of course). Quoting Brett Porter in [MNG-2528] - updatePolicy "always" does not work for repositories with "releases", at least not for transitive dependencies:
Releases in Maven are, by definition, unchanging. The always flag is to check for new releases (like it looks for new snapshots), not modifications to the existing one.
In other words, if you don't delete the content of your Nexus repository, Nexus will never re-download a released artifact again and you will thus be able to rebuild the version of your product created two years ago, using the exact same libraries.
精彩评论