I’m searching for the way to get real upload date for artifacts from plugins.gradle.org. This is mainly needed for security reasons to quarantine too new artifacts in our internal storage before using them in code. An obvious approach to do this is fetching Last-Modified header in HTTP request. However so far as plugins.gradle.org runs behind Cloudflare this header is means not the date when artifact was uploaded to plugins.gradle.org but the date when is was cached in Cloudflare. So even for old artifacts we have:
$ curl -I https://plugins.gradle.org/m2/org/jetbrains/kotlin/jvm/org.jetbrains.kotlin.jvm.gradle.plugin/1.5.31/org.jetbrains.kotlin.jvm.gradle.plugin-1.5.31.pom
HTTP/1.1 200 OK
Date: Thu, 18 Aug 2022 15:07:17 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 673
Connection: keep-alive
Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin
X-Frame-Options: DENY
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline' data: fonts.googleapis.com; script-src 'self' ajax.googleapis.com stackpath.bootstrapcdn.com cdnjs.cloudflare.com z8s4n2jmrsl0.statuspage.io go.gradle.com fast.wistia.com www.google-analytics.com 'sha256-3qctdUZX/6QPVNn4hg55oarXzLBDDCkQ6AaG8ehXgDg=' 'sha256-ZqVyBZIOnOs0ufJvaehuhjzSkrVKIH4DFy95DJ8pDxw=' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=' 'sha256-bzgPbiBbhlwatKiESkSqGJr5wldMGBU+GAbfeWwMqBM=' 'sha256-cThjNwQ0AS+/Z2uD76101UnXGOH65pSGKTbFESeaGzE=' 'sha256-z37L25oLkGTsxFGUxf9x0Fj5KBhjKdcy49cFi+MqJXA='; font-src 'self' data: fonts.gstatic.com assets.gradle.com; img-src 'self' unpkg.com www.gravatar.com *.githubusercontent.com; frame-src 'self' z8s4n2jmrsl0.statuspage.io
X-Permitted-Cross-Domain-Policies: master-only
Via: 1.1 vegur
CF-Cache-Status: HIT
Age: 3013
Last-Modified: Thu, 18 Aug 2022 14:17:04 GMT
Expires: Fri, 19 Aug 2022 03:07:17 GMT
Cache-Control: public, max-age=43200
Accept-Ranges: bytes
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Server: cloudflare
CF-RAY: 73cb8eec9ca3169f-DME
As you can see Last-Modified is today. However artifact was published at least a year ago. Any way to fetch real artifact upload date?