[RTFACT-9560] Artifactory should deny downloading artifacts having bad or no client checksum - JFrog JIRA

XML

Word

Printable

Details

Type: Bug
Status: Done
Resolution: Deferred
Affects Version/s: 4.5.2
Fix Version/s: None
Component/s: Artifact Storage, HttpRepo, Maven
Labels:
- artifacts
- deploy
- maven3
- pro
- repository
- storage
Environment:

Artifactory Pro 4.5.2 on Debian/GNU Linux using MySQL database

Severity:
High

Description

Artifactory should deny downlaod of artifacts having bad or no client checksums when policy is set to "Verify against client checksums" (for example when using maven repo layout).

The problem we see is the fact that deploying with bad checksum indeed throws a 409 to the deploying client as expected, but the artifact can still be downloaded despite its (partially) bad checksum or completely missing checksum.

Our expectations would be that artifacts can only be downloaded if server checksum and client checksum really match when using policy "Verify against client checksums", thus not allowing any downloads when the desired checksums are missing or (partially) wrong.

We have for example artifacts with bad sha1 checksum but a good/correct md5 checksum in one of our repositories.
Another artifact having no sha1 checksum did also have no md5 checksum.

As said, both could be downloaded without any problems when we were expecting both to be blocked from any downloads.

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Tim-Christian Bloss

Votes:: 2 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 14/Mar/16 12:57 PM

Updated:: 06/Jan/21 4:21 PM

Resolved:: 03/Apr/16 2:32 PM

Sync Status

Connection: RTFACT Sync

RTMID-9560 -
SYNCHRONIZED

Last Sync Date: