Design a setting for accepting/rejecting duplicate packages
Problem to solve
When using the GitLab Package Registry to upload packages, a user can upload a NuGet, Maven, Conan, or PyPI package with the same name/version multiple times. The newest record will always be served when installing. The older records will only be accessible via the UI or API. This can result in the wrong dependency being installed and can introduce risk into the software development lifecycle.
Intended users
- Sasha (Software Developer)
- Devon (DevOps Engineer)
- Sidney (Systems Administrator)
- Rachel (Release Manager)
User experience goal
We prevent a user from accidentally uploading the same version of a package multiple times and clearly let them know why we rejected the duplicate upload.
Proposal
Prevent duplicate NuGet, Maven, Conan, and PyPI packages from being uploaded to the GitLab Package Registry. When a user attempts to upload a duplicate, they should receive a response stating that this version already exists and suggesting that they upload a new version instead.
Further details
Maven
Maven might be a bit tricky because two types of versioning policies are typically used. It's possible that a user will want to allow duplicate uploads of snapshots but not of releases. However, SNAPSHOT versions will always have a date and time stamp appended to the name. So when evaluating whether a snapshot is a duplicate, we must ensure that we check the timestamp.
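The following is an added example (not GitLab's code) of the duplicate check the Proposal and the Maven note describe: a release version is rejected when the same name/version already exists, while a Maven snapshot is compared including its timestamp, with a setting that optionally allows snapshot re-uploads. It assumes package coordinates of (type, name, version), PEP 503 name normalisation for PyPI, and case-insensitive names for the other formats.

```python
import re

# Constructed example, not the registry's own implementation.
# A timestamped Maven snapshot looks like 1.0-20240105.143000-1
# (base version, yyyyMMdd.HHmmss build timestamp, build number).
SNAPSHOT_RE = re.compile(r"^(?P<base>.+)-(?P<stamp>\d{8}\.\d{6}-\d+)$")


def normalise_name(pkg_type, name):
    """Assumption: PyPI names normalised per PEP 503, others lower-cased."""
    if pkg_type == "pypi":
        return re.sub(r"[-_.]+", "-", name).lower()
    return name.lower()


def maven_snapshot_parts(version):
    """(base, stamp) for a timestamped snapshot, (base, None) for a plain
    -SNAPSHOT version, or None for a release version."""
    m = SNAPSHOT_RE.match(version)
    if m:
        return m.group("base"), m.group("stamp")
    if version.endswith("-SNAPSHOT"):
        return version[: -len("-SNAPSHOT")], None
    return None


class DuplicatePolicy:
    def __init__(self, allow_duplicate_snapshots=False):
        self.allow_duplicate_snapshots = allow_duplicate_snapshots
        self.seen = set()   # coordinates already stored in the registry
        self.rejected = 0   # metric: uploads rejected as duplicates

    def key(self, pkg_type, name, version):
        name = normalise_name(pkg_type, name)
        if pkg_type == "maven":
            parts = maven_snapshot_parts(version)
            if parts and parts[1]:
                # Timestamped snapshots collide only when the stamp matches too.
                return (pkg_type, name, parts[0] + "-SNAPSHOT", parts[1])
        return (pkg_type, name, version, None)

    def upload(self, pkg_type, name, version):
        """Return (accepted, message) for an attempted upload."""
        is_snapshot = pkg_type == "maven" and maven_snapshot_parts(version) is not None
        key = self.key(pkg_type, name, version)
        if key in self.seen and not (is_snapshot and self.allow_duplicate_snapshots):
            self.rejected += 1
            return False, (f"{pkg_type} package {name} {version} already exists; "
                           "consider uploading a new version")
        self.seen.add(key)
        return True, "accepted"
```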
Permissions and Security
- There are no permissions changes required for this change.
Documentation
- Add documentation to the Package Registry that explains that duplicate packages may not be uploaded.
Availability & Testing
What does success look like, and how can we measure that?
Success means we help teams by preventing duplicate uploads and the confusion that follows when a duplicate is silently accepted.
Metrics
- Measure the number of uploads that are rejected as duplicates. This will help us understand how frequently this occurs and if we need to update our opinions.