mozilla / cargo-vet

supply-chain security for Rust
Apache License 2.0

"does not exist" error for existing package #629

Closed sophie-h closed 1 month ago

sophie-h commented 2 months ago

The following works for many packages but not for librsvg-rebind.

Maybe it's an issue with the package only having one release? Or is something wrong with the package? If it's the latter, a better error message would be nice, if possible.

$ cargo vet certify --notes "GNOME contributor" --accept-all --criteria safe-to-deploy --wildcard federicomenaquintero librsvg-rebind
ERROR   × Cannot fetch crate information, 'librsvg-rebind' does not exist.

mystor commented 2 months ago

In order to reduce the load on crates.io's APIs (see https://crates.io/data-access#api), we attempt to do some local caching of crate metadata, such as publisher information. As part of that, though, we also cache information about whether or not a crate exists.

I'm guessing that your local cache ended up seeing at some point in the past that librsvg-rebind was not published, and cached that information, and the code is failing to invalidate the cache right now.

Theoretically with the sparse index.crates.io index now, and that being explicitly not-rate-limited, we could avoid needing any kind of cache for that basic version information, and only use the cache for the rate-limited metadata information, which would help avoid these kinds of outdated-cache issues.
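
The stale "does not exist" answer described in the comment above, next to the split it suggests, as an added example that is not cargo-vet's code and not part of the original thread. `Index`, `MetadataApi`, `NegativeCache`, `MetadataOnlyCache` and the crate name `example-crate` are hypothetical stand-ins constructed for illustration.

```rust
use std::collections::HashMap;

// Constructed stand-in for the non-rate-limited sparse index.
struct Index { published: Vec<String> }
impl Index {
    fn exists(&self, name: &str) -> bool { self.published.iter().any(|c| c.as_str() == name) }
}

// Constructed stand-in for the rate-limited metadata API; counts requests.
struct MetadataApi { calls: usize }
impl MetadataApi {
    fn publisher(&mut self, name: &str) -> String { self.calls += 1; format!("publisher-of-{}", name) }
}

// Failure mode: `None` ("does not exist") is cached like any other answer and never rechecked.
#[derive(Default)]
struct NegativeCache { entries: HashMap<String, Option<String>> }
impl NegativeCache {
    fn publisher(&mut self, name: &str, index: &Index, api: &mut MetadataApi) -> Option<String> {
        if let Some(hit) = self.entries.get(name) { return hit.clone(); }
        let value = if index.exists(name) { Some(api.publisher(name)) } else { None };
        self.entries.insert(name.to_string(), value.clone());
        value
    }
}

// Suggested split: existence always comes from the index; only publisher data is cached.
#[derive(Default)]
struct MetadataOnlyCache { entries: HashMap<String, String> }
impl MetadataOnlyCache {
    fn publisher(&mut self, name: &str, index: &Index, api: &mut MetadataApi) -> Option<String> {
        if !index.exists(name) { return None; }
        Some(self.entries.entry(name.to_string()).or_insert_with(|| api.publisher(name)).clone())
    }
}

// Look a crate up before and after it is published; returns (stale answer, fresh answer, API calls).
fn demo() -> (Option<String>, Option<String>, usize) {
    let (mut index, mut api) = (Index { published: vec![] }, MetadataApi { calls: 0 });
    let (mut buggy, mut fixed) = (NegativeCache::default(), MetadataOnlyCache::default());
    buggy.publisher("example-crate", &index, &mut api); // caches "does not exist"
    fixed.publisher("example-crate", &index, &mut api); // caches nothing
    index.published.push("example-crate".to_string()); // the crate is published later
    let stale = buggy.publisher("example-crate", &index, &mut api);
    let fresh = fixed.publisher("example-crate", &index, &mut api);
    fixed.publisher("example-crate", &index, &mut api); // served from cache, no new API call
    (stale, fresh, api.calls)
}

fn main() { println!("{:?}", demo()); }
```

The first cache keeps answering "does not exist" after publication, while the second sees the crate immediately and still makes only one request to the rate-limited API.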

sophie-h commented 2 months ago

Thanks a lot! I manually deleted the entries from the cache and it worked.

If your suggestion is not implemented, maybe enhancing the error message would be good. Or adding an option to clean the cache just for the added crate.

mystor commented 1 month ago

I believe this should have been fixed in #631