[SAC] [OSGeo] #2978: repo.osgeo.org contains 0 byte files

OSGeo trac_osgeo at osgeo.org
Mon Sep 11 10:29:24 PDT 2023 

#2978: repo.osgeo.org contains 0 byte files
---------------------------+------------------------
 Reporter:  jive           |       Owner:  jive
     Type:  task           |      Status:  closed
 Priority:  critical       |   Milestone:  Unplanned
Component:  Systems Admin  |  Resolution:  fixed
 Keywords:                 |
---------------------------+------------------------
Comment (by jive):

 For organizations encountering this issue and wondering how an external
 maven repository was filled with your "internal" metadata files ...

 1. This seems to have occurred to a bug in the nexus software used by
 repo.osgeo.org (the zero sized files). One of the caches we had setup,
 geonetwork-cache, was incorrectly record zero byte files for every request
 that came in.

 2. I have completely removed the geonetwork-cache and all traces to my
 knowledge of these zero byte files. So your "metadata" is no longer
 visible in geonetwork-cache or osgeo-release.

 3. Keep in mind the requests for your "internal" metadata.xml files are
 still coming in. It is just we now correctly answering that we do not have
 this information.

 If you are concerned about the visibility of your organizations metadata
 files - this is an ongoing concern with the configuration of some maven or
 gradle build used within your development team.

 Although these files are not present within our infrastructure - your
 developers are making requests for these files constantly to
 repo.osgeo.org (and any other maven repository your team is using world
 wide).

 It is not necessarily a problem asking public repositories for the
 artifacts groups and artifact names used "internally" by your team. Just
 keep in mind such requests will appear in the network traffic and logs of
 each external repository your team makes use of.

 To manage your team's configuration:

 1. you should be running your own nexus maven repository
 2. Your team should configure ~/.m2/settings.xml to mirror any external
 repositories such as repo.osgeo.org to operative via your mirror.
 3. Your mirror should cache repo.osgeo.org, with rules to only fetch the
 jars (such as org.geotools.* that are required to support your operations

 I also note that gradle allows fine grain control over how each repository
 is used with includes/excludes control.

 *
 https://docs.gradle.org/current/userguide/declaring_repositories.html#sec
 :repository-content-filtering

 I personally use maven which does not offer such a facility as part of a
 default install, instead using mirrors as described above:

 * https://maven.apache.org/guides/mini/guide-mirror-settings.html
 * https://maven.apache.org/guides/mini/guide-multiple-repositories.html
 * https://maven.apache.org/resolver/remote-repository-filtering.html
 (advanced!)

 Aside: I am volunteering to look at repo.osgeo.org on behalf of my
 employer !GeoCat BV and our customers. We take part in a number of
 projects including !GeoServer and !GeoNetwork. If you need further
 assistance please reach out on these tickets.
-- 
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2978#comment:17>
OSGeo <https://osgeo.org/>
OSGeo committee and general foundation issue tracker.

More information about the Sac mailing list