chocolatey / docs

https://docs.chocolatey.org - new docs website
Apache License 2.0

Recommend using NuGet v3 repositories for Nexus and Artifactory #887

Open pauby opened 9 months ago

pauby commented 9 months ago

What New Or Updated Would You Like To See?

After investigating an issue raised regarding NuGet v2 repository types in Sonatype Nexus and JFrog Artifactory, we found there was a bug in the API responses. This bug is not present in NuGet v3 repositories. I updated the issue with this information.

Ordinarily we'd suggest raising issues with the repository managers directly. However, with NuGet v2 repository support being reduced / deprecated in Nexus and Artifactory, there's unlikely to be much traction in those being fixed. Other repository managers are likely to follow.

To ensure customers and community have the maximum lifespan from their repositories, we should ensure NuGet v3 repositories are recommended in documentation and other communications.

When troubleshooting a NuGet v2 repository issue we should ensure it can be reproduced in a NuGet v3 repository.

The list below is the work that needs to be done but is not an exhaustive list. As we find more we will update it:

TheCakeIsNaOH commented 9 months ago

Our suggestion would be to use Chocolatey CLI with NuGet v3 repositories when using Sonatype Nexus or JFrog Artifactory, if you are seeing these issues.

What is the suggested path for users on Nexus that are proxying CCR?

Nexus can't mix v2 and v3 feeds when a proxy feed is in the mix. So if I have a chocolatey-hosted hosted repository, a ccr-proxy proxy repository to the CCR v2 API, and a chocolatey-group group repository which includes both chocolatey-hosted and ccr-proxy, there is no v3 feed from chocolatey-group, as Nexus would only provide a v2 feed.

For some users, switching to adding both the chocolatey-hosted and ccr-proxy on client systems would work. That would allow using the v3 feed on the chocolatey-hosted repository.

However, because source priority on Chocolatey CLI is broken, this direct usage wouldn't work for users internalizing or modifying packages (like me). This is because there would be no guarantee that Chocolatey CLI/GUI would pull internalized or modified internal packages from the chocolatey-hosted repository instead of the non-internalized/modified version from CCR. This would open users to security issues where the wrong packages could be installed, in a very similar manner to dependency confusion. When setting the priority in a Nexus group repository, it does work correctly in my testing, so it is not problematic for Nexus group repositories.

Here are some potential solutions: