Group setting to allow or prevent duplicate Maven uploads
Release notes
Have you been using the GitLab Package Registry to publish your Java dependencies with Maven and/or Gradle? You may have run into a problem with publishing the same version multiple times. For Java packages, you expect to be able to publish duplicate snapshots, but not releases.
We've addressed this issue by adding a new group setting for the package registry that lets you choose whether duplicate Maven or Gradle uploads are allowed. By default, duplicates are not allowed, with the exception of snapshots. You can adjust this by navigating to your group -> Settings -> Packages & Registries, where you can enable duplicates or add an exception using a regular expression.
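The policy described above, modelled as an added example (not GitLab's own code): duplicates are rejected by default, snapshot versions are always accepted, and a group-level regex can exempt matching package names. The package store, the `-SNAPSHOT` suffix check and the unanchored regex search are assumptions made for the illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass
class MavenDuplicatePolicy:
    """Illustrative model of the group setting (assumed names, not GitLab's API)."""
    duplicates_allowed: bool = False        # default on the page: duplicates rejected
    exception_regex: Optional[str] = None   # package names matching this may be re-published


def is_snapshot(version: str) -> bool:
    # Maven convention: a -SNAPSHOT version is a mutable development build,
    # so re-uploading it is expected and always permitted by the policy.
    return version.endswith("-SNAPSHOT")


def check_upload(policy: MavenDuplicatePolicy,
                 registry: Dict[str, Set[str]],
                 name: str, version: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for publishing name:version into the registry."""
    if version not in registry.get(name, set()):
        return True, "new version"
    if is_snapshot(version):
        return True, "snapshot versions may be re-published"
    if policy.duplicates_allowed:
        return True, "duplicates allowed by group setting"
    # Assumption: the exception regex is searched against the package name, unanchored.
    if policy.exception_regex and re.search(policy.exception_regex, name):
        return True, "package name matches duplicate exception regex"
    return False, "release already exists; duplicate uploads are disabled for this group"


def publish(policy: MavenDuplicatePolicy, registry: Dict[str, Set[str]],
            name: str, version: str) -> Tuple[bool, str]:
    """Apply the policy and record the version only when the upload is accepted."""
    allowed, reason = check_upload(policy, registry, name, version)
    if allowed:
        registry.setdefault(name, set()).add(version)
    return allowed, reason


def demo() -> Dict[str, bool]:
    # Constructed sample registry: one release and one snapshot already published.
    registry = {"com.example:app": {"1.0.0", "1.1.0-SNAPSHOT"}}
    strict = MavenDuplicatePolicy()
    exempt = MavenDuplicatePolicy(exception_regex=r"^com\.example:")
    return {
        "release_dup_rejected": publish(strict, registry, "com.example:app", "1.0.0")[0],
        "snapshot_dup_allowed": publish(strict, registry, "com.example:app", "1.1.0-SNAPSHOT")[0],
        "regex_exception_allowed": publish(exempt, registry, "com.example:app", "1.0.0")[0],
        "new_release_allowed": publish(strict, registry, "com.example:app", "1.0.1")[0],
    }
```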
After Maven and Gradle, we'll be doing the same for other package manager formats as well. We'll follow the standard set by the public registries.
Problem to solve
When using the GitLab Package Registry to upload packages, a user can upload the same Maven package name/version multiple times. The newest record will always be served when installing. The older records will only be accessible via the UI or API. This can result in the wrong dependency being installed and can introduce risk into the software development lifecycle.
Proposal
Offer a setting in the application that allows an Admin to determine whether duplicate Maven packages may be published to their registry. By default, duplicate Maven uploads will be allowed. In addition, allow an Admin to add any additional exceptions using regex.
This can take advantage of the work done in #276882 (closed), which added a new API endpoint that allows a Developer to configure this setting.
Further details
Roll out to other formats
As part of the epic &5070, we will be rolling out this setting to other package manager formats over the next several milestones. This issue will focus only on Maven and we will add a note to the documentation that other formats will be done later and link to the epic.
Current duplicate behavior
This table is a good reference for our current duplicate behavior, and it can be used to determine what the default value should be as we work through adding this setting for each package type.
| Package type | Duplicates allowed? |
|---|---|
| npm | |
| maven | |
| NuGet | |
| Conan | |
| PyPI | |
Testing
At the end-to-end level tracked in gitlab-org/quality/testcases#1121 (closed)