After having had some problems with corrupted jars, we recently purged our proxying directory on the archiva server, then switched from "ignore" to "fail" policy (when bad hash is found on the remote server).
After some times, for example, we discovered we weren't able to download the maven pom-2.0.6 from the client side of Archiva. The thing is: Archiva only issues a 404 when the remote hash is bad. I guess it should issue a 500 (or some 50x) instead.
To sum up, what I think would be the best solution(s):
- issue something else than an 404 when the remote artifact won't be downloaded because of a non matching hash
- offer a way to notify some admin (by mail, for example) about corrupted artifacts that won't be downloaded. In fact, in this kind of case, there's a big chance people using archiva are going to complain about some artifacts that can't be downloaded (maven pom-2.0.6 e.g. :-/).
- Offer a dedicated page inside archiva admin summarizing all those problematic artifacts. Particularly giving those that couldn't be downloaded because of bash hash associated to "fail" policy.
Thanks a lot.