Nexus Repository 2.11.2-03 Repository Checksum Bug


Problem Summary

Nexus Repository 2.11.2-03 contains a bug (NEXUS-8221) that can cause invalid checksums to be stored for deployed artifacts and artifact metadata.

After identifying the original issue, Sonatype quickly released Nexus 2.11.2-04 on March 6, 2015, which contained a preventative fix.

On March 16, 2015, we released Nexus 2.11.2-06, which includes a scheduled task that repairs invalid checksums produced by this issue.

Action Required

If you have used Nexus version 2.11.2-03, an upgrade is required to repair the invalid checksums that may have been added to your repositories.

  1. Upgrade to Nexus 2.11.2-06 or greater.
  2. Go to Administration -> Scheduled Tasks and add a Reconcile Repository Checksums task to run against all repositories with a Manual schedule.

    After saving the task, run it.

The Reconcile Repository Checksums task will find and repair any invalid checksums produced by NEXUS-8221.

Frequently Asked Questions

Q. What caused the invalid checksums to be created?

A. The class which computes checksums in Nexus (ChecksummingContentLocator) was mistakenly marked as reusable. This can cause a scenario where an object created from this class is re-used, and the checksum from a previous calculation is used as the starting point for a new checksum. This results in an incorrect checksum being computed.
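The failure mode described in this answer, as an added illustration in Python. This is not Nexus code (Nexus is written in Java); `ReusedChecksummer`, `fresh_checksum`, `simulate_deploy`, `find_invalid`, the sample artifact paths and the choice of SHA-1 are assumptions made for the example.

```python
import hashlib


class ReusedChecksummer:
    """Buggy pattern: one digest object is shared across artifacts."""

    def __init__(self):
        self._digest = hashlib.sha1()  # created once, never reset

    def checksum(self, content: bytes) -> str:
        # update() continues from the state left by the previous artifact,
        # so the result covers every artifact seen so far, not just this one.
        self._digest.update(content)
        return self._digest.hexdigest()


def fresh_checksum(content: bytes) -> str:
    """Correct pattern: a new digest object for every artifact."""
    return hashlib.sha1(content).hexdigest()


def simulate_deploy(artifacts: dict) -> dict:
    """Store a checksum per path using the shared (buggy) checksummer."""
    shared = ReusedChecksummer()
    return {path: shared.checksum(data) for path, data in artifacts.items()}


def find_invalid(stored: dict, artifacts: dict) -> list:
    """Return paths whose stored checksum does not match the content."""
    return sorted(
        path for path, data in artifacts.items()
        if stored.get(path) != fresh_checksum(data)
    )


# Constructed sample artifacts (hypothetical paths and contents).
ARTIFACTS = {
    "org/example/a/1.0/a-1.0.jar": b"first artifact bytes",
    "org/example/a/1.0/a-1.0.pom": b"<project>a</project>",
    "org/example/b/2.0/b-2.0.jar": b"second artifact bytes",
}

if __name__ == "__main__":
    stored = simulate_deploy(ARTIFACTS)
    for path in find_invalid(stored, ARTIFACTS):
        print("invalid checksum:", path)
```

Only the first artifact processed by the shared object gets a correct checksum; every later one is computed over the concatenation of all earlier content, which is why the corruption depends on whether the object happened to be reused.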

Q. Does running Reconcile Repository Checksums task recompute all checksums in a repository?

A. No. The only checksums which will be fixed are ones produced by NEXUS-8221. If you have invalid checksums produced by other problems, these will not be touched by the task. Invalid checksums produced by other problems (such as client bugs) can be fixed by running a "rebuild metadata" task.

Q. If I've never run Nexus 2.11.2-03 do I need to run the task?

A. Possibly. If you have a proxy repository whose remote was running 2.11.2-03, the proxy may contain invalid checksums. Running Reconcile Repository Checksums will repair these.

Q. How often do I need to run Reconcile Repository Checksums?

A. Because the Reconcile Repository Checksums task only repairs invalid checksums created by NEXUS-8221, it only needs to be run once. After the reconcile checksums task completes successfully and invalid checksums produced by this bug are repaired, running the task again will not accomplish anything.

Q. How can I see what checksums were repaired on my Nexus instance?

A. When an invalid checksum is detected and repaired, an INFO level message will be printed in the nexus.log file.

For example:

2015-03-15 19:55:08,246-0500 INFO [pxpool-1-thread-2] admin - Reconciling attribute checksums for releases:/org/openrdf/sesame/sesame-http-protocol/2.8.0/sesame-http-protocol-2.8.0-sources.jar (file)

Q. How much load will running this task put on my Nexus instance?

A. The run rate of the task is limited, so impact to your Nexus instance should be minimal. By default the task is limited to 100 transactions per second, which should be fine for almost all Nexus installations. If you have a particularly heavily loaded instance, you might want to consider changing this limit in the task configuration to 50 transactions per second.
