I am setting up Maven corporate repository using Apache Archiva for my company. Our requirements for now are quite basic - have an internal repo for our jar files and dependency management.
I want to make sure that Archiva does not upload any of our proprietary code / jar files to Central Repo (Public), but we would like to be able to download public libs from central repo if needed by the project. (Our desired configuration: IDE/Developer <Download/Upload> Internal Repository <DOWNLOAD ONLY> Public Central Repo.)
My question is, by default, does Archiva upload my jar files to central repo if its configured as a proxy/mirror? if so, how do I prevent publishing to central/external repo while keeping the option to download from central when needed?
Appreciate any answers.
If you configure the local/managed repository which is linked to Central as read-only, then nobody can upload to it. This is done by only giving the "Repository Observer" role but not the "Repository Admin" (in fact you will most likely add additional roles, just make sure none of them is assigned for any developer to one of the mirrored repos).
BTW: you can also disallow re-deploy (aka overwrite of artifact versions) for a repository. This is generally a good idea. This is done in the repository settings (not by roles).
One additional thing you might want to look for: if you configure a repo to be Snapshot only, it still will accept SNAPSHOT uploads. This can be quite confusing, make sure nobody does that.