rust-secure-code / cargo-supply-chain

Gather author, contributor and publisher data on crates in your dependency graph.
Apache License 2.0

Cancelling `cargo supply-chain update` leaves it believing it is up to date #53

Closed Nemo157 closed 3 years ago

Nemo157 commented 3 years ago

I ran `cargo supply-chain update`, then realised I should probably check if there was an update to the tool itself first, so I ctrl+c'd the update. When I then ran `cargo supply-chain crates` it thinks that it has an up-to-date cache, but then has to individually fetch the data, and attempting to update again does nothing:

```
> cargo supply-chain crates
...
Using cached data. Cache age: 18h 33m 14s 126ms 57us 170ns
Fetching data for "ansi_term" (1/91)
Fetching data for "anyhow" (2/91)

> cargo supply-chain update
Note: this will download large amounts of data (approximately 250Mb).
On a slow network this will take a while.
No updates found
```

I had to then force an update with `cargo supply-chain update --cache-max-age 1s`.

Nemo157 commented 3 years ago

Just to check, I reproduced this again. To cause it to happen you must wait for a little while to let at least one file get downloaded and written; giving it ~9s gave me just metadata.json:

```
> ls ~/.cache/cargo-supply-chain
metadata.json
```

Shnatsel commented 3 years ago

Great find! Thanks!

Shnatsel commented 3 years ago

This seems to happen because metadata.json is the first thing in the tar archive, and it contains the timestamp.

I can see two ways to fix it:

  1. Extract all the files to an intermediate directory
  2. Hold off updating the metadata cache file until everything else is in place
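To make the failure mode concrete, here is an added simulation of option 2 (it is illustrative code, not cargo-supply-chain's own). It models the cache as a directory holding metadata.json plus a few data files (the data file names are constructed), "cancels" an update after a given number of files have been written, and then applies the freshness check the next invocation would make. With metadata first, a cancelled update passes the freshness check while lacking its data, which is exactly what the report shows; with metadata written last, a cancelled update is correctly seen as stale. The `--cache-max-age` style check is modelled by a timestamp stored in metadata.json.

```rust
use std::fs;
use std::path::Path;
use std::time::{Duration, SystemTime, UNIX_EPOCH};

// Constructed layout: the real cache holds metadata.json plus the crate data;
// the three data file names below are stand-ins, not the tool's actual files.
const METADATA: &str = "metadata.json";
const DATA_FILES: [&str; 3] = ["crates.json", "users.json", "teams.json"];

/// Stands in for the user pressing ctrl+c part-way through the download.
#[derive(Debug, PartialEq)]
struct Cancelled;

/// Body of each cache file. metadata.json carries the update timestamp
/// (unix seconds) that the freshness check relies on.
fn file_body(name: &str) -> String {
    if name == METADATA {
        let now = SystemTime::now().duration_since(UNIX_EPOCH).expect("clock");
        now.as_secs().to_string()
    } else {
        format!("placeholder data for {}", name)
    }
}

/// Write `names` into `dir`, returning `Cancelled` once `budget` files have
/// been written, to simulate an extraction interrupted mid-way.
fn write_files(dir: &Path, names: &[&str], budget: &mut usize) -> Result<(), Cancelled> {
    for name in names {
        if *budget == 0 {
            return Err(Cancelled);
        }
        fs::write(dir.join(name), file_body(name)).expect("write cache file");
        *budget -= 1;
    }
    Ok(())
}

/// The problematic order: metadata.json first (as it comes out of the
/// archive), then the data files.
fn update_metadata_first(dir: &Path, mut budget: usize) -> Result<(), Cancelled> {
    write_files(dir, &[METADATA], &mut budget)?;
    write_files(dir, &DATA_FILES, &mut budget)
}

/// Option 2 from the comment above: hold the metadata file back until every
/// data file is on disk, so a partial update can never look complete.
fn update_metadata_last(dir: &Path, mut budget: usize) -> Result<(), Cancelled> {
    write_files(dir, &DATA_FILES, &mut budget)?;
    write_files(dir, &[METADATA], &mut budget)
}

/// The check the `crates` subcommand effectively performs: is there a
/// metadata.json whose timestamp is no older than `max_age`?
fn cache_looks_fresh(dir: &Path, max_age: Duration) -> bool {
    let text = match fs::read_to_string(dir.join(METADATA)) {
        Ok(t) => t,
        Err(_) => return false,
    };
    let written: u64 = match text.trim().parse() {
        Ok(v) => v,
        Err(_) => return false,
    };
    let now = SystemTime::now().duration_since(UNIX_EPOCH).expect("clock").as_secs();
    now.saturating_sub(written) <= max_age.as_secs()
}

/// What is actually required to answer a query without refetching.
fn cache_is_complete(dir: &Path, max_age: Duration) -> bool {
    cache_looks_fresh(dir, max_age) && DATA_FILES.iter().all(|f| dir.join(f).is_file())
}

/// Run one update strategy in a scratch directory, cancel it after `budget`
/// files, and report (looks_fresh, is_complete) as the next run would see them.
fn simulate(strategy: fn(&Path, usize) -> Result<(), Cancelled>, budget: usize, label: &str) -> (bool, bool) {
    let dir = std::env::temp_dir().join(format!("supply-chain-cache-demo-{}-{}", label, std::process::id()));
    let _ = fs::remove_dir_all(&dir);
    fs::create_dir_all(&dir).expect("create scratch dir");
    let _ = strategy(&dir, budget); // Err(Cancelled) is the scenario under study
    let max_age = Duration::from_secs(3600);
    let outcome = (cache_looks_fresh(&dir, max_age), cache_is_complete(&dir, max_age));
    let _ = fs::remove_dir_all(&dir);
    outcome
}

fn main() {
    println!("metadata first, cancelled after 1 file: {:?}", simulate(update_metadata_first, 1, "first"));
    println!("metadata last,  cancelled after 1 file: {:?}", simulate(update_metadata_last, 1, "last"));
    println!("metadata last,  run to completion:      {:?}", simulate(update_metadata_last, 4, "full"));
}
```

Writing the timestamped file last is the smallest change that closes the gap; option 1 (extract into a staging directory and move it into place) additionally protects the data files themselves from being observed half-written, at the cost of a rename step.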