Release the Maven remote included checksum support
🩰 Context
In the (magical) world of Maven, pulling a package/dependency is not as simple as pulling a single file. Instead, we pull multiple files. To guarantee the integrity of the downloaded files, registries (including the GitLab Maven package registry) provide digests (mainly md5 and sha1). We can access them by simply appending `.md5` or `.sha1` to an existing file URL. Example: https://gitlab.com/api/v4/projects/22780791/packages/maven/gl/pru/My.Ananas/13.0.3/My.Ananas-13.0.3.pom.sha1.
However, you can imagine that for a single file, the clients will already trigger 2 web requests: one for the file and one for the digest. This is not efficient.
The main Maven client (`$ mvn`) solved this by describing remote included checksums. In simple words, when returning the file to a client, we can add custom HTTP headers (`x-checksum-...`) that communicate the digest values. By doing so, clients can read the headers and completely skip the web request to get the digest.
This change has been implemented in Add remote checksums for Maven package registry... (!175378 - merged) • David Fernandez • 17.8. Given that the GitLab Maven package registry is one of the most used registries on gitlab.com, we deployed this change with a feature flag.
After a full day of verification, the results are good (a 60+% reduction in the number of `.sha1` requests). Now, it's time to remove the feature flag and release this change to self-managed.
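The client side of the mechanism described above, as an added example that is not code from this MR, GitLab or Maven: it checks a downloaded body against the digest headers and tells the caller when it still has to fetch the `.sha1`/`.md5` file. The header names `x-checksum-sha1` and `x-checksum-md5` are taken from the Maven Resolver page linked in the references; the function names, the preference order and the sample data are assumptions of this example.

```ruby
require 'digest'

# Header names per the Maven Resolver "remote included checksums" page.
# Preferring SHA-1 over MD5 is an assumption of this example.
CHECKSUM_HEADERS = {
  'x-checksum-sha1' => Digest::SHA1,
  'x-checksum-md5' => Digest::MD5
}.freeze

# Compare two hex strings without stopping at the first differing byte.
def secure_hex_equal?(a, b)
  return false unless a.bytesize == b.bytesize

  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns :verified, :mismatch, or :no_remote_checksum. In the last case the
# caller must fall back to requesting the .sha1 / .md5 file for the artifact.
def verify_remote_included_checksum(headers, body)
  # HTTP header names are case-insensitive; hex digests are compared lowercased.
  normalized = headers.each_with_object({}) do |(name, value), acc|
    acc[name.to_s.downcase] = value.to_s.strip.downcase
  end

  CHECKSUM_HEADERS.each do |name, algorithm|
    expected = normalized[name]
    next if expected.nil? || expected.empty?

    # Fail closed on a header that is not a hex digest of the right length.
    hex_length = algorithm.new.digest_length * 2
    return :mismatch unless expected.match?(/\A[0-9a-f]{#{hex_length}}\z/)

    return secure_hex_equal?(algorithm.hexdigest(body), expected) ? :verified : :mismatch
  end

  :no_remote_checksum
end

# Constructed sample data: a stand-in POM body and the headers a registry
# with remote included checksums would send alongside it.
SAMPLE_POM = '<project><artifactId>My.Ananas</artifactId><version>13.0.3</version></project>'
SAMPLE_HEADERS = { 'X-Checksum-Sha1' => Digest::SHA1.hexdigest(SAMPLE_POM).upcase }.freeze

puts verify_remote_included_checksum(SAMPLE_HEADERS, SAMPLE_POM)
```

Because the digest arrives in the same response as the file, this check catches transfer or storage corruption; it does not authenticate the artifact against a registry that serves altered content.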
🤔 What does this MR do and why?
- Release the Maven remote included checksum support.
- Remove the related feature flag.
- Given that we're forcing a proxy download, we can also remove the dedicated logic we had for redirecting a `HEAD` request to a signed URL (we don't use signed URLs anymore).
- Update the related documentation about forcing the proxy download mode.
📚 References
- Maven Package Registry: implement remote includ... (#507768 - closed) • David Fernandez • 17.8
- [Feature flag] Rollout of `packages_maven_remot... (#507817 - closed) • David Fernandez • 17.8
- Add remote checksums for Maven package registry... (!175378 - merged) • David Fernandez • 17.8
- https://maven.apache.org/resolver/expected-checksums.html#remote-included-checksums
🚥 MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
🦄 Screenshots or screen recordings
No UI changes.
⚗️ How to set up and validate locally
See !175378 (merged)