Best practices for archival of external packages

I need to ensure that I always have access to the packages@version that are used in product releases. As far as I can see I have two options:

  1. proxy the public repo
    pros: simple to setup, updates automatically as soon as fetching some public package
    cons: accumulation of packages that have not really been used, maybe only in test and studies, impossible to clean them up separately from the ones that I need to preserve (for eternity)

  2. duplicate public packages in private repo
    pros: be sure to only have the packages that are really used in production releases
    cons: a tedious job to keep up to date (at least manually), possible duplicate packages in private and proxy repo

How are others handling this? Are there some best practices?

Thanks for any advice.


The simplest thing to do is use a proxy repository, along with a cleanup policy to remove versions that have not been downloaded through Nexus Repo in a long time:


Also, you can see a demonstration of how cleanup policies are used in our Storage Primer: A Primer for Storage Management in Nexus Repository 3 - Sonatype Guides

That’s the simplest thing, but that’s exactly what I do not want. Packages that have been used in a production release must stay there forever. (I’m working in industrial environments where software versions are in use 10 to 20 years.) And the problem is separating these from packages that have been used only for tests or case studies.
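One way to separate the two groups without relying on download age alone is to derive the "must keep" set from the release artefacts themselves (the pinned lock files of each shipped version) and apply the idle-age rule only to what is left. The script below is an added example, not code from the thread or from Sonatype; the lock-file format, the release names and the cache listing are constructed sample data.

```python
"""Partition proxy-cached packages into 'preserve' (pinned by a production
release manifest) and 'cleanup candidates' (idle and not pinned anywhere).
All inputs here are constructed sample data, not real repository contents."""
from __future__ import annotations
import re

# Matches exact pins such as 'requests==2.31.0' in a requirements-style lock file.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([A-Za-z0-9_.+\-]+)")

# Constructed: release tag -> contents of the lock file shipped with that release.
RELEASE_MANIFESTS = {
    "product-1.4.0": "requests==2.31.0\nurllib3==2.0.7\n",
    "product-1.5.0": "Requests==2.32.3\nurllib3==2.0.7\n# pytest is dev-only\n",
}
# Constructed: (name, version, days since last download) as cached by the proxy.
PROXY_CACHE = [
    ("requests", "2.31.0", 400), ("requests", "2.32.3", 5),
    ("urllib3", "2.0.7", 30), ("pytest", "7.4.0", 200), ("requests", "2.30.0", 500),
]

def pins_from_manifest(text: str) -> set[tuple[str, str]]:
    """Return {(name, version)} for every exact pin; comment lines are skipped and
    names are lower-cased so 'Requests' and 'requests' are the same component."""
    pins = set()
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = PIN_RE.match(line)
        if m:
            pins.add((m.group(1).lower(), m.group(2)))
    return pins

def preserve_set(manifests: dict[str, str]) -> set[tuple[str, str]]:
    """Union of pins across all production releases: never eligible for cleanup."""
    keep: set[tuple[str, str]] = set()
    for text in manifests.values():
        keep |= pins_from_manifest(text)
    return keep

def partition(cache, keep, max_idle_days):
    """Release-pinned components are preserved regardless of age; anything else is a
    cleanup candidate once it has been idle longer than max_idle_days."""
    preserve, cleanup = [], []
    for name, version, idle in cache:
        if (name.lower(), version) in keep or idle <= max_idle_days:
            preserve.append((name, version))
        else:
            cleanup.append((name, version))
    return preserve, cleanup
```

Feeding the `cleanup` list to a cleanup policy (or a deletion job) and the `preserve` list to an exception list keeps the production set intact even when it has not been downloaded for years.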