Artifact Repository

We use a Nexus Repository server, reachable at https://artifacts.acc.gsi.de/. Read access is anonymous. To deploy artifacts you need an acc-account.

Migration Summer 2022

Nexus was migrated to a new system and to Nexus 3 on 2022-07-18.

The repository URLs have changed (https://artifacts.acc.gsi.de/repository/REPONAME/). The INN managed settings.xml files have been updated.

Repositories

central is a proxy to maven central.

csco is the in-house repository. It is hosted by cscoin. It allows artifact upload for authenticated users. A companion repository csco-snapshots exists.

cern-release is a proxy to the cern accsoft repository.

cmmnbuild is a proxy to the cern commonbuild artifacts.

default is a group. It holds csco, csco-snapshots, cern and central. Routing is applied, see below.

Routing

Global routing rules apply to all groups (that is, default and default-snapshots).

Inclusive rules: if the groupId matches, only the listed repositories are searched.

| groupId | repositories |
|---|---|
| de.gsi | csco, csco-snapshots |
| cern | cern |

Exclusive rules: if the groupId matches, the listed repository is never searched.

| groupId | repositories |
|---|---|
| not cern | cern |

The inclusive rules are there to speed up searches by not accessing repositories that should not hold these artifacts.

The exclusive rules prevent access to the cern repository for artifacts that are not created by cern. Cern publishes additional third-party artifacts that are also published on maven central.

We have blocking rules to filter highly vulnerable artifacts:

regexp: .*/org/apache/logging/log4j.*/2\.([0-9]|10|11|12|13|14)\..*\.jar
reason: CVE-2021-44228 / log4shell
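
The blocking rule above can be checked against Maven-layout request paths to see exactly what it covers. This is an added example, not part of the wiki page or of Nexus: the sample coordinates are constructed, `maven_path` and `audit` are hypothetical helpers, and it assumes the rule has to match the whole request path including the leading slash.

```python
import re

# Block rule copied verbatim from the page.
BLOCK_RULE = r".*/org/apache/logging/log4j.*/2\.([0-9]|10|11|12|13|14)\..*\.jar"
_rule = re.compile(BLOCK_RULE)


def is_blocked(path: str) -> bool:
    # Assumption: full-path match, so trailing text after ".jar" defeats the rule.
    return _rule.fullmatch(path) is not None


def maven_path(group_id, artifact_id, version, ext="jar"):
    """Build the repository path Maven requests for one artifact file."""
    group_dir = group_id.replace(".", "/")
    return f"/{group_dir}/{artifact_id}/{version}/{artifact_id}-{version}.{ext}"


def audit(coordinates):
    """Map each constructed coordinate's request path to True (blocked) or False."""
    result = {}
    for group_id, artifact_id, version, ext in coordinates:
        path = maven_path(group_id, artifact_id, version, ext)
        result[path] = is_blocked(path)
    return result


LOG4J = "org.apache.logging.log4j"

# Constructed sample coordinates, chosen to probe the edges of the pattern.
SAMPLES = [
    (LOG4J, "log4j-core", "2.14.1", "jar"),     # minor 14: matched
    (LOG4J, "log4j-core", "2.9.1", "jar"),      # single-digit minor: matched
    (LOG4J, "log4j-api", "2.14.1", "jar"),      # any artifact under the groupId
    (LOG4J, "log4j-core", "2.17.1", "jar"),     # minor above 14: not matched
    (LOG4J, "log4j-core", "2.0", "jar"),        # two-part version, no second dot
    (LOG4J, "log4j-core", "2.0-beta9", "jar"),  # qualifier instead of second dot
    (LOG4J, "log4j-core", "2.14.1", "pom"),     # only .jar files are covered
    ("org.slf4j", "slf4j-api", "2.0.9", "jar"),  # unrelated groupId
]

if __name__ == "__main__":
    for path, blocked in audit(SAMPLES).items():
        print(("BLOCK " if blocked else "allow ") + path)
```

The run shows that version directories without a third component, such as 2.0 or 2.0-beta9, are not matched by the pattern, and that .pom requests pass because the rule ends in `\.jar`.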

Retention

  • snapshots older than 180 days are removed

Nexus 3 can't implement sophisticated cleanup policies. These were the policies for Nexus 2:

csco-snapshots has a cleanup policy. As of writing:

  • snapshots older than 7 days are up for deletion
    • but at least 14 snapshots are kept
    • snapshot artifacts not accessed for 180 days will be removed
  • released artifacts will remove the snapshot after 14 days
  • for released artifacts only the last 14 releases are kept. For example, if de.gsi.foo:my-artifact exists in the versions 1.0.0, 1.0.1, 2.0.0, 2.0.1, 2.0.2 and we want to keep the last four artifacts, it would delete version 1.0.0

Usage

The maven installation provided by csco has a preconfigured /etc/maven/settings.xml (legacy: /opt/maven/conf/settings.xml). It configures the grouped repository at URL https://artifacts8.acc.gsi.de/repository/default/ (legacy: https://artifacts.acc.gsi.de/nexus/content/repositories/default/) as a mirror of maven central.

As default is a merged view of maven central and the csco internal repository, it is possible to resolve internal artifacts using this mirror.

In addition three profiles are configured.

Profile csco disables the repository maven central and activates the repository default (as artifact and plugin repository). This profile is active by default.

Profile csco-snapshot reconfigures the repository default to also accept snapshot artifacts.

Profile csco-plugin-snapshot activates the plugin repository csco-snapshots. This profile is not active. It is intended for users who want to use in-house plugins before they are released.

Artifacts require a distributionManagement section for csco and csco-snapshot. The artifact de.gsi.cs.co:parent:1.0.5 will be the first to supply this. Using older parents will result in trying to deploy to default, which no longer accepts uploads as it is a repository group.

Artifacts should not contain a repository section. They should rely on a properly configured settings.xml for repositories and a parent for distributionManagement.

On non-cscoin systems the central (or user's) settings.xml must be updated to include repositories or profiles.

If a cern artifact references a third-party artifact, it will be pulled from central (via group default), NOT from cern (excluded via routing). Any third-party artifact that cern chooses to publish in their repository will not be available. We need to prevent cern from publishing, for example, a log4j in a newer version, or a patched version that then overlaps with central.

If you republish a cern artifact in csco it won't be available. Cern artifacts must be in the cern repository.

Please note if http://jira.codehaus.org/browse/MNG-4946 gets any updates. It affects the merging order of profiles.

Snapshots

By default snapshots from csco are available and included. You can disable them by disabling the profile (mvn -P \!csco-snapshot), but maven will still be able to resolve them from your local ~/.m2/ repository. For releases use the maven release plugin and remove all version ranges.

See also https://jira.codehaus.org/browse/MNG-3092
Topic revision: r20 - 07 Nov 2022, ChristophHandel