Nexus Repository Manager 的 Remove Snapshots 计划任务没有清除带时间戳的工件的关联 GPG 签名文件?
Nexus Repository Manager's Remove Snapshots scheduled task is not cleaning out timestamped artifact's associated GPG signature files?
我正在 运行安装一个 dockerized Nexus Repository Manager v2.13.0-01。我想使用 Remove Snapshots
计划任务删除快照存储库中的工件。我这个定时任务的参数如下
- Repository/Group:快照(回购)
- 最小快照数:1
- 快照保留(天):1
- 如果已发布则删除:(未选中)
- 发布后的宽限期(天):1
- 立即删除:(勾选)
当我 运行 此任务时,我希望至少保留 1 个快照,并删除所有其他超过 1 天的快照。当我在 Browse Storage
选项卡上时,我注意到所有 .jar
+ .pom
文件都被删除,包括关联的 .md5
和 .sha1
文件。例如,删除了以下文件。
- 我的神器-0.0.1-20160705-020817-5-javadoc.jar
- my-artifact-0.0.1-20160705-020817-5-javadoc.jar.md5
- my-artifact-0.0.1-20160705-020817-5-javadoc.jar.sha1
- 我的神器-0.0.1-20160705-020817-5-sources.jar
- my-artifact-0.0.1-20160705-020817-5-sources.jar.md5
- my-artifact-0.0.1-20160705-020817-5-sources.jar.sha1
- 我的神器-0.0.1-20160705-020817-5.pom
- my-artifact-0.0.1-20160705-020817-5.pom.md5
- my-artifact-0.0.1-20160705-020817-5.pom.sha1
- 我的神器-0.0.1-20160705-020817-5.jar
- my-artifact-0.0.1-20160705-020817-5.jar.md5
- my-artifact-0.0.1-20160705-020817-5.jar.sha1
但是,关联的 .asc
、.asc.md5
和 .asc.sha1
哈希值 未 被删除。例如,
- my-artifact-0.0.1-20160705-020817-5.jar.asc
- my-artifact-0.0.1-20160705-020817-5.jar.asc.md5
- my-artifact-0.0.1-20160705-020817-5.jar.asc.sha1
以下是我用来发布到 pom.xml
.
中我的 SNAPSHOT 存储库的 2 个 Maven 插件
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-gpg-plugin</artifactId>
<version>1.6</version>
<executions>
<execution>
<id>sign-artifacts</id>
<phase>verify</phase>
<goals>
<goal>sign</goal>
</goals>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.sonatype.plugins</groupId>
<artifactId>nexus-staging-maven-plugin</artifactId>
<version>1.6.7</version>
<extensions>true</extensions>
<configuration>
<serverId>mycompanynexus</serverId>
<nexusUrl>http://nexus.mycompanynexus.io/</nexusUrl>
<autoReleaseAfterClose>true</autoReleaseAfterClose>
</configuration>
</plugin>
我在 pom.xml
中的分发管理部分如下所示。
<distributionManagement>
<snapshotRepository>
<id>mycompanynexus</id>
<url>http://nexus.mycompanynexus.io/content/repositories/snapshots/</url>
</snapshotRepository>
<repository>
<id>mycompanynexus</id>
<url>http://nexus.mycompanynexus.io/content/repositories/releases/</url>
</repository>
</distributionManagement>
未显示我的 settings.xml
,我在其中提供用于发布到这些存储库的凭据。
部署时,我只需使用 Maven v3.3.9 输入 mvn clean deploy
。
当我在寻求解决方案时,我偶然发现了这个博客post http://blog.sonatype.com/2010/01/how-to-generate-pgp-signatures-with-maven/,但是,我不知道我是否同意不签署我的 SNAPSHOT 工件(如果我不这样做,则不会生成 GPG 签名和校验和,我也不必担心使用预定服务删除它们)。此外,OSSRH 的指南说明了签署 SNAPSHOT 工件。也许不签署 SNAPSHOT 工件是标准做法?
感谢任何帮助。
For internal usage of Nexus Repository Manager it is probably not standard practice to sign artifacts with GPG - not released and not snapshots either. However for distribution to the Central Repository via OSSRH it is pretty common although probably also not standard.
Typically the GPG plugin usage is part of a release profile and that is often not use for snapshot deployments. So depending on your internal needs you should be okay to just not use GPG at all or just not for snapshot builds.
On the other hands the snapshot deletion scheduled task should work for that deletion. There were some changes with regards to performance and behaviour in the last releases though. I just tested this and it turns out there is a regression in 2.11+. We created an issue at https://issues.sonatype.org/browse/NEXUS-10460 . Please follow that for updates. Hopefully we will include a fix in the next release (2.14).
Update 2016-07-13: A patch is now available and fixed jar is attached to the linked issue.
我正在 运行安装一个 dockerized Nexus Repository Manager v2.13.0-01。我想使用 Remove Snapshots
计划任务删除快照存储库中的工件。我这个定时任务的参数如下
- Repository/Group:快照(回购)
- 最小快照数:1
- 快照保留(天):1
- 如果已发布则删除:(未选中)
- 发布后的宽限期(天):1
- 立即删除:(勾选)
当我 运行 此任务时,我希望至少保留 1 个快照,并删除所有其他超过 1 天的快照。当我在 Browse Storage
选项卡上时,我注意到所有 .jar
+ .pom
文件都被删除,包括关联的 .md5
和 .sha1
文件。例如,删除了以下文件。
- 我的神器-0.0.1-20160705-020817-5-javadoc.jar
- my-artifact-0.0.1-20160705-020817-5-javadoc.jar.md5
- my-artifact-0.0.1-20160705-020817-5-javadoc.jar.sha1
- 我的神器-0.0.1-20160705-020817-5-sources.jar
- my-artifact-0.0.1-20160705-020817-5-sources.jar.md5
- my-artifact-0.0.1-20160705-020817-5-sources.jar.sha1
- 我的神器-0.0.1-20160705-020817-5.pom
- my-artifact-0.0.1-20160705-020817-5.pom.md5
- my-artifact-0.0.1-20160705-020817-5.pom.sha1
- 我的神器-0.0.1-20160705-020817-5.jar
- my-artifact-0.0.1-20160705-020817-5.jar.md5
- my-artifact-0.0.1-20160705-020817-5.jar.sha1
但是,关联的 .asc
、.asc.md5
和 .asc.sha1
哈希值 未 被删除。例如,
- my-artifact-0.0.1-20160705-020817-5.jar.asc
- my-artifact-0.0.1-20160705-020817-5.jar.asc.md5
- my-artifact-0.0.1-20160705-020817-5.jar.asc.sha1
以下是我用来发布到 pom.xml
.
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-gpg-plugin</artifactId>
<version>1.6</version>
<executions>
<execution>
<id>sign-artifacts</id>
<phase>verify</phase>
<goals>
<goal>sign</goal>
</goals>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.sonatype.plugins</groupId>
<artifactId>nexus-staging-maven-plugin</artifactId>
<version>1.6.7</version>
<extensions>true</extensions>
<configuration>
<serverId>mycompanynexus</serverId>
<nexusUrl>http://nexus.mycompanynexus.io/</nexusUrl>
<autoReleaseAfterClose>true</autoReleaseAfterClose>
</configuration>
</plugin>
我在 pom.xml
中的分发管理部分如下所示。
<distributionManagement>
<snapshotRepository>
<id>mycompanynexus</id>
<url>http://nexus.mycompanynexus.io/content/repositories/snapshots/</url>
</snapshotRepository>
<repository>
<id>mycompanynexus</id>
<url>http://nexus.mycompanynexus.io/content/repositories/releases/</url>
</repository>
</distributionManagement>
未显示我的 settings.xml
,我在其中提供用于发布到这些存储库的凭据。
部署时,我只需使用 Maven v3.3.9 输入 mvn clean deploy
。
当我在寻求解决方案时,我偶然发现了这个博客post http://blog.sonatype.com/2010/01/how-to-generate-pgp-signatures-with-maven/,但是,我不知道我是否同意不签署我的 SNAPSHOT 工件(如果我不这样做,则不会生成 GPG 签名和校验和,我也不必担心使用预定服务删除它们)。此外,OSSRH 的指南说明了签署 SNAPSHOT 工件。也许不签署 SNAPSHOT 工件是标准做法?
感谢任何帮助。
For internal usage of Nexus Repository Manager it is probably not standard practice to sign artifacts with GPG - not released and not snapshots either. However for distribution to the Central Repository via OSSRH it is pretty common although probably also not standard.
Typically the GPG plugin usage is part of a release profile and that is often not use for snapshot deployments. So depending on your internal needs you should be okay to just not use GPG at all or just not for snapshot builds.
On the other hands the snapshot deletion scheduled task should work for that deletion. There were some changes with regards to performance and behaviour in the last releases though. I just tested this and it turns out there is a regression in 2.11+. We created an issue at https://issues.sonatype.org/browse/NEXUS-10460 . Please follow that for updates. Hopefully we will include a fix in the next release (2.14).
Update 2016-07-13: A patch is now available and fixed jar is attached to the linked issue.