Maven dependency proxy: make the ETag support optional
🔥 Problem
In Maven Dependency proxy: cache hit path (!129495 - merged), we implemented part of the Maven dependency proxy.
That part focused entirely on what to do when we have the requested package file locally. At that time, we wanted a feature similar to the dependency proxy for container repositories:
- When the "local" package file is located, there is a check against the remote file to make sure that the remote one was not updated or changed.
In other words, we verify that the cached file is not outdated. To do this, we technically ask for the details of the package file (not the entire package file). In response to that request, we can have a field called ETag, which is usually a digest of the file.
We can then compare the digests and, if they don't match, we know that the cached file is outdated.
The problem is that not all Maven package registries implement that ETag field:

registry | how the ETag is generated |
---|---|
GitLab | md5 |
Maven Central | md5 |
GitHub | No ETag field returned in response of the HEAD request |
Artifactory | sha1 |
Sonatype Nexus | custom sha1 string |
🚒 Solution
Currently, the logic is: if the ETag value doesn't match the local file, we discard the local file.
We should update the logic to:
- Do we have an ETag value?
  - Yes. Compare it with the local file digests.
    - Values match. Good, the local file can be used and returned.
    - Values don't match. The local file is discarded and we use the remote one.
  - No. We use the local file (A).
In other words, (A) will turn the dependency proxy into a simpler proxy: do we have the requested file locally? Yes, ok, then we return it.
- This should be properly documented listing the registries that don't support the ETag field and how the dependency proxy's behavior will change because of that.
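
The decision tree proposed above, written out as an added example (this is not GitLab's implementation). The method names, the constant and the sample content are hypothetical, and the sketch assumes the ETag carries a plain md5 or sha1 hex digest, optionally wrapped in the double quotes HTTP puts around ETag values.

```ruby
require 'digest'

# Added illustration; all names here are hypothetical, not GitLab code.

# Digests of the cached file. md5 and sha1 are the two algorithms the
# registry table on this page lists for ETag generation.
def local_digests(content)
  { md5: Digest::MD5.hexdigest(content), sha1: Digest::SHA1.hexdigest(content) }
end

# Returns the bare, lower-cased ETag value, or nil when the header is
# missing or empty (the "no ETag" registries).
def normalize_etag(header)
  return nil if header.nil?

  value = header.strip.delete_prefix('"').delete_suffix('"').downcase
  value.empty? ? nil : value
end

# Returns :use_cached or :fetch_remote for a cached file, given the ETag
# header from the upstream HEAD response (nil when the field is absent).
def cache_decision(etag_header, cached_content)
  etag = normalize_etag(etag_header)

  # Case (A): no ETag, so freshness cannot be verified and the proxy
  # simply serves what it has.
  return :use_cached if etag.nil?

  # ETag present: the cached file is kept only if one of its digests matches.
  local_digests(cached_content).value?(etag) ? :use_cached : :fetch_remote
end

# Constructed sample content standing in for a cached package file.
CACHED_FILE = 'constructed-sample-jar-bytes'

if __FILE__ == $PROGRAM_NAME
  md5_etag = %("#{Digest::MD5.hexdigest(CACHED_FILE)}")
  puts cache_decision(md5_etag, CACHED_FILE)      # digest matches
  puts cache_decision('"0123abcd"', CACHED_FILE)  # digest differs
  puts cache_decision(nil, CACHED_FILE)           # no ETag field
end
```

An ETag that is present but matches neither digest, for example one in a registry-specific format, takes the `:fetch_remote` branch, so the cached copy is replaced on every request unless that format is parsed first.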