This project is read-only.

Source ignorant package caching


Copied in part from full discussion here:

If you have:

1) Two feeds with the same package IDs
2) One has higher versions than the other
3) You specify the source via nuget.exe -s

NuGet.exe will resolve from the cache rather than the remote service, and generally the higher version will be chosen regardless of the package source you specify.

A suggested fix would be to check the remote source first and defer to it. Although checking the remote source first may force the download of the package due to the hash being different, this just becomes a race for who gets there first. It fixes the problem in a very single-threaded, duplicative manner.

1) Ask for package A v1.0 from SourceA. Gets downloaded and installed in cache.

2) Ask for package A v1.0 from SourceB. Checks remote, compares to cache, fails hash check, overwrites cache and installs.

3) Ask for package A v1.0 from SourceA again, rinse and repeat compare/fail/download cycle.


aldion wrote Oct 10, 2011 at 10:40 PM

We'll think about it.

FilipDeVos wrote Mar 26, 2013 at 8:53 PM

This is really needed.

We have a private NuGet feed where all packages contain strong named files. It happens quite often that an unsigned package gets pulled out of the cache.