package-analysis
Race condition between when a new PyPI package is detected and when the package is installable
Roughly 20-40% of errors occur because PyPI package updates are detected and scheduled before the package itself is ready to install.
This causes many package updates to be missed.
The race condition is most likely caused by PyPI publishing the package update before its files are available over the CDN.
The plan to solve this is to reorient the project towards analysing "artifacts" instead of "package-versions".
For most ecosystems "artifact" == "package-version", but this does not hold for ecosystems like PyPI (as described above), or even Composer/Packagist (where "package-version" == "repo tag" - yuck).
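The two ideas above, gating on the release files being served rather than on the version merely being listed, and keying work items by artifact rather than by (name, version), as an added example that is not package-analysis project code. It assumes the caller already has a (name, version) event from a feed, uses the field layout of the public PyPI JSON API (`https://pypi.org/pypi/<name>/<version>/json`) to enumerate release files, and takes the CDN probe as an injectable callable so the logic runs offline; the release JSON, the package name, the URLs and the digests below are all constructed placeholders.

```python
"""Readiness gate for newly detected PyPI releases (added example, not project code)."""
import json
import time
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Iterable

Probe = Callable[[str], bool]

# Constructed sample in the shape of the PyPI JSON API; name, URLs and digests are placeholders.
SAMPLE_RELEASE_JSON = json.dumps({
    "info": {"name": "example-pkg", "version": "1.2.3"},
    "urls": [
        {"filename": "example_pkg-1.2.3-py3-none-any.whl",
         "url": "https://files.pythonhosted.org/packages/PLACEHOLDER/example_pkg-1.2.3-py3-none-any.whl",
         "digests": {"sha256": "1" * 64}},
        {"filename": "example_pkg-1.2.3.tar.gz",
         "url": "https://files.pythonhosted.org/packages/PLACEHOLDER/example_pkg-1.2.3.tar.gz",
         "digests": {"sha256": "2" * 64}},
    ],
})


@dataclass(frozen=True)
class Artifact:
    package: str
    version: str
    filename: str
    url: str
    sha256: str

    def key(self) -> str:
        # Identity is the file and its digest, not the (name, version) pair, so a
        # late-arriving wheel or a re-uploaded sdist is a distinct work item.
        return f"pypi:{self.package}:{self.version}:{self.filename}:{self.sha256}"


def artifacts_from_release_json(text: str) -> list[Artifact]:
    """Turn a PyPI release JSON body into the list of files that make up the release."""
    doc = json.loads(text)
    name, version = doc["info"]["name"], doc["info"]["version"]
    return [Artifact(name, version, f["filename"], f["url"], f["digests"]["sha256"])
            for f in doc.get("urls", [])]


def http_head_available(url: str, timeout: float = 10.0) -> bool:
    """Default probe: a HEAD that returns 200 means the CDN is actually serving the file."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status == 200
    except (urllib.error.URLError, OSError):
        return False


def missing_artifacts(artifacts: Iterable[Artifact], probe: Probe) -> list[Artifact]:
    """Files the probe cannot fetch yet."""
    return [a for a in artifacts if not probe(a.url)]


def wait_until_installable(artifacts: list[Artifact], probe: Probe = http_head_available,
                           attempts: int = 5, delay: float = 30.0,
                           sleep: Callable[[float], None] = time.sleep) -> tuple[bool, list[Artifact]]:
    """Poll until every release file is served, or give up after `attempts` rounds.

    Returns (ready, still_missing). A release listing zero files is never ready: the
    index may announce a version before any file metadata exists, and scheduling it
    would reproduce the race this example guards against.
    """
    if not artifacts:
        return False, []
    missing = missing_artifacts(artifacts, probe)
    for _ in range(attempts - 1):
        if not missing:
            break
        sleep(delay)
        missing = missing_artifacts(missing, probe)
    return (not missing), missing


class LaggingCdn:
    """Constructed stand-in for a CDN that starts serving each file only after `lag` probes."""

    def __init__(self, lag: int):
        self.lag = lag
        self.seen: dict[str, int] = {}

    def __call__(self, url: str) -> bool:
        self.seen[url] = self.seen.get(url, 0) + 1
        return self.seen[url] > self.lag


if __name__ == "__main__":
    arts = artifacts_from_release_json(SAMPLE_RELEASE_JSON)
    ready, missing = wait_until_installable(arts, probe=LaggingCdn(lag=2), attempts=5,
                                            delay=0, sleep=lambda _: None)
    print(ready, [a.key() for a in arts], [a.filename for a in missing])
```

The scheduler would enqueue `Artifact.key()` values only once `wait_until_installable` reports ready; a release that is still missing files after the retry budget goes back to the queue rather than being counted as an install failure, which is the class of error the 20-40% figure describes.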