At this moment, Artifactory is using the last update timestamp for local Go repositories when populating the version list. The issue with that is that older pseudo-versions of dependencies that are pushed to Artifactory using the JFrog CLI can show up as being newer. Here is one example from GoCenter:
→ curl https://gocenter.io/github.com/AlekSi/gocov-xml/@v/list v0.0.0-20130903134006-d2f6da892a0d 2019-09-22T08:18:12Z v0.0.0-20180429091052-dee33fe4b4ad 2019-01-24T11:42:27Z v0.0.0-20190121064608-3a14fb1c4737 2019-01-23T07:24:47Z
There we have a pseudo-version from 2013 shows as the latest. This will cause the Go client to fail to resolve the latest version of a module when there are no tagged releases available (that is the scenario where it compares the timestamps to get to the latest version)
Since the JFrog CLI can upload the .info file as part of the Go Module publish operation and that this file contains the proper timestamp calculated by the Go client (usually the commit date) we should use that information when serving the list of versions.
- is cloned by
-
RTFACT-23317 CLONE - Artifactory should use timestamp from .info when serving module versions list
- Done
- is duplicated by
-
RTFACT-22878 Artifactory Go remote repository not proxying requests to @latest URLs
- Done