Add latest changes from gitlab-org/gitlab@master

1 files changed, 15 insertions, 0 deletions

diff --git a/data/deprecations/16-6-maven-group-permissions.yml b/data/deprecations/16-6-maven-group-permissions.yml
new file mode 100644
index 00000000000..f22aff107f9
--- /dev/null
+++ b/data/deprecations/16-6-maven-group-permissions.yml
@@ -0,0 +1,15 @@
+- title: "Breaking change to the Maven repository group permissions"
+  announcement_milestone: "16.6"
+  removal_milestone: "17.0"
+  breaking_change: true
+  reporter: trizzi
+  stage: Package
+  issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/393933
+  body: |
+    The Maven repository exposes an API endpoint at the group level that allows Maven clients to download files from a specific package. The package finder first locates the package within the group, and then finds the file within the package.
+    However, there is a limitation that affects duplicate package names hosted in different projects. The Maven package finder always returns the most recent package, but the "most recent" filter depends on user permissions. It is possible for a user with different permissions in different projects to download the wrong Maven package.
+
+    In GitLab 17.0, the package finder logic will be fixed so that the "most recent" package is the last updated name and version of a package in a group. User permissions will be checked after the most recent package is found.
+    After the change, download requests for users without correct permissions will be rejected. If your workflow depends on the current bugged behavior, this fix will introduce a breaking change.
+
+    The change will be introduced in GitLab 16.6 behind a feature flag. If you are interested in enabling the feature flag for your group, leave a comment in [issue 393933](https://gitlab.com/gitlab-org/gitlab/-/issues/393933).