2
Vote

Source ignorant package caching

description

Copied in part from full discussion here: http://nuget.codeplex.com/discussions/272541

If you have:

1) Two feeds with the same package IDs
2) One has higher versions than the other
3) You specify the source via nuget.exe -s

NuGet.exe will resolve from the cache rather than the remote service, and generally the higher version will be chosen regardless of the package source you specify.

A suggested fix would be to check the remote source first and defer to it. Although checking the remote source first may force the download of the package due to the hash being different, this just becomes a race for who gets there first. It fixes the problem in a very single-threaded, duplicative manner.

1) Ask for package A v1.0 from SourceA. Gets downloaded and installed in cache.

2) Ask for package A v1.0 from SourceB. Checks remote, compares to cache, fails hash check, overwrites cache and installs.

3) Ask for package A v1.0 from SourceA again, rinse and repeat compare/fail/download cycle.

comments

aldion wrote Oct 10, 2011 at 9:40 PM

We'll think about it.

FilipDeVos wrote Mar 26, 2013 at 7:53 PM

This is really needed.

We have a private NuGet feed where all packages contain strong named files. It happens quite often that an unsigned package gets pulled out of the cache.