Uploaded image for project: 'Artifactory Binary Repository'
  1. Artifactory Binary Repository
  2. RTFACT-21670

Artifactory should use timestamp from .info when serving module versions list

    XMLWordPrintable

    Details

    • Severity:
      High

      Description

      At this moment, Artifactory is using the last update timestamp for local Go repositories when populating the version list. The issue with that is that older pseudo-versions of dependencies that are pushed to Artifactory using the JFrog CLI can show up as being newer. Here is one example from GoCenter:

      → curl https://gocenter.io/github.com/AlekSi/gocov-xml/@v/list
      v0.0.0-20130903134006-d2f6da892a0d 2019-09-22T08:18:12Z
      v0.0.0-20180429091052-dee33fe4b4ad 2019-01-24T11:42:27Z
      v0.0.0-20190121064608-3a14fb1c4737 2019-01-23T07:24:47Z
      

      There we have a pseudo-version from 2013 shows as the latest. This will cause the Go client to fail to resolve the latest version of a module when there are no tagged releases available (that is the scenario where it compares the timestamps to get to the latest version)

      Since the JFrog CLI can upload the .info file as part of the Go Module publish operation and that this file contains the proper timestamp calculated by the Go client (usually the commit date) we should use that information when serving the list of versions.

        Attachments

          Issue Links

            Activity

                People

                Assignee:
                tomern Tomer Nir
                Reporter:
                eliom Elio Marcolino
                Votes:
                0 Vote for this issue
                Watchers:
                6 Start watching this issue

                  Dates

                  Created:
                  Updated:
                  Resolved: