It’s a fundamental tenet of Maven that release artifacts never change once they are released. This is enforced in Maven by the fact that once a release artifact or POM is located in the local repository, Maven will never check for an updated artifact in a remote repository. Once an artifact is released, it is considered a static, unchanging artifact. If you release an artifact and then subsequently change it (intentionally or otherwise), you’re in for some fun as people will have different versions based on when they first retrieved it… that’s a situation not exactly conducive to a repeatable, standard build. This blog post discusses a feature in Nexus 1.4 which can enforce this rule and help you avoid problems caused by the redeployment of release artifacts.
To illustrate this problem, consider a 1.0 build of your product that depends on foo-1.2.jar. It works great. Then you build 2.0 of your product, which still depends on foo-1.2.jar. Since then, foo-1.2.jar was patched and now breaks your application. However, the application still works for half of your developers because the original foo-1.2.jar is in their local repository and possibly proxied in another Nexus instance.
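The drift described above can be detected by comparing digests of the same release coordinates in two repository trees. This is an added example, not code from the original post or from Nexus; it assumes both directories use the standard Maven repository layout, and the `com/example` coordinates and file contents are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path

def release_digests(repo_root):
    """Map repo-relative path -> SHA-256 for each release (non-SNAPSHOT) jar or POM."""
    root = Path(repo_root)
    digests = {}
    for p in root.rglob("*"):
        if not p.is_file() or p.suffix not in (".jar", ".pom"):
            continue
        # Maven layout: group/artifact/version/file; SNAPSHOTs are allowed to change.
        if p.parent.name.endswith("-SNAPSHOT"):
            continue
        digests[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return digests

def find_drift(repo_a, repo_b):
    """Release artifacts present in both repositories whose bytes differ."""
    a, b = release_digests(repo_a), release_digests(repo_b)
    return sorted(path for path in a.keys() & b.keys() if a[path] != b[path])

def write_repo(root, files):
    """Create a constructed sample repository from {relative path: bytes}."""
    for rel, content in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)

def demo():
    # Constructed sample: two developers fetched foo-1.2.jar before and after
    # it was redeployed under the same version.
    pom = b"<project/>"
    with tempfile.TemporaryDirectory() as early, tempfile.TemporaryDirectory() as late:
        write_repo(early, {
            "com/example/foo/1.2/foo-1.2.jar": b"original build",
            "com/example/foo/1.2/foo-1.2.pom": pom,
            "com/example/bar/1.0-SNAPSHOT/bar-1.0-SNAPSHOT.jar": b"monday",
        })
        write_repo(late, {
            "com/example/foo/1.2/foo-1.2.jar": b"patched build",
            "com/example/foo/1.2/foo-1.2.pom": pom,
            "com/example/bar/1.0-SNAPSHOT/bar-1.0-SNAPSHOT.jar": b"friday",
        })
        return find_drift(early, late)

if __name__ == "__main__":
    for path in demo():
        print("release artifact differs between repositories:", path)
```

Any path it reports is a release artifact that changed after publication, which is exactly the condition a repository manager should refuse to allow.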
The solution is to release a new version, foo-1.2.1.jar (i.e. foo-1.2.2.jar or foo-220.127.116.11-jar), but that alone isn’t enough. You want to make sure that you are using a repository manager that prevents someone from updating a release artifact once it has been published.
It has always been possible to stop people from doing this in Nexus, but the solution was difficult to explain. In the Nexus 1.4 release, we have reworked and simplified the interface to encourage this best practice.
To disable redeployment, edit your repository and set the ‘Deployment Policy’ field to ‘Disable Redeploy’, then click save.
Upgrading from a previous version of Nexus to 1.4.0 will set this field to ‘Allow Redeploy’, so no existing repositories will be changed and the behavior matches previous releases. However, the default value when creating a new repository is now ‘Disable Redeploy’.
When you use Nexus, you are not just using a capable repository manager; you are adopting a best practice.