Uploaded image for project: 'Artifactory Binary Repository'
  1. Artifactory Binary Repository
  2. RTFACT-21670

Artifactory should use timestamp from .info when serving module versions list

    XMLWordPrintable

    Details

    • Severity:
      High

      Description

      At this moment, Artifactory is using the last update timestamp for local Go repositories when populating the version list. The issue with that is that older pseudo-versions of dependencies that are pushed to Artifactory using the JFrog CLI can show up as being newer. Here is one example from GoCenter:

      → curl https://gocenter.io/github.com/AlekSi/gocov-xml/@v/list
      v0.0.0-20130903134006-d2f6da892a0d 2019-09-22T08:18:12Z
      v0.0.0-20180429091052-dee33fe4b4ad 2019-01-24T11:42:27Z
      v0.0.0-20190121064608-3a14fb1c4737 2019-01-23T07:24:47Z
      

      There we have a pseudo-version from 2013 shows as the latest. This will cause the Go client to fail to resolve the latest version of a module when there are no tagged releases available (that is the scenario where it compares the timestamps to get to the latest version)

      Since the JFrog CLI can upload the .info file as part of the Go Module publish operation and that this file contains the proper timestamp calculated by the Go client (usually the commit date) we should use that information when serving the list of versions.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              tomern Tomer Nir
              Reporter:
              eliom Elio Marcolino
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:

                  Sync Status

                  Connection: RTFACT Sync
                  RTMID-21670 -
                  SYNCHRONIZED
                  • Last Sync Date: