NuGet package registry: investigate sequential uploads


🔥 Problem

Users can upload .nupkg files to the NuGet Repository along with .snupkg files. Clients will send the two files in a row.

The NuGet Repository has a background job to extract the package name and version out of files and:

  • create the package if it doesn't exist
  • locate the package if it exists.

The problem is that the background job for the .snupkg file will require the package to exist.

We could hit a race with this timeline. Consider a brand new package, so the package name and version don't exist in the NuGet Repository yet:

  1. .nupkg is uploaded and job j1 is enqueued.
  2. .snupkg is uploaded and job j2 is enqueued.
  3. j1 starts its execution and goes until right before creating the package.
  4. j2 starts its execution and checks if a package with the name+version exists.
  5. j2 💥 because for .snupkg, we require the package to exist.
  6. j1 resumes its execution and creates the package.
    • but it's too late, j2 has already 💥

🚒 Solution

  • Investigate if this happens on gitlab.com.
  • Have a sense of how many times this happens in order to apply a severity label here.
  • Investigate solutions.
  • Implement it.
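
The timeline from the Problem section, reproduced deterministically as an added example (not GitLab's code). `Registry`, `process_nupkg`, `process_snupkg` and `run_timeline` are hypothetical names, and the retry shown is one assumed mitigation for illustration, not a solution this issue has settled on.

```ruby
# Constructed model of the registry; all names here are hypothetical.
class PackageMissing < StandardError; end

class Registry
  def initialize
    @packages = {}
    @lock = Mutex.new
  end

  def find(name, version)
    @lock.synchronize { @packages[[name, version]] }
  end

  def find_or_create(name, version)
    @lock.synchronize { @packages[[name, version]] ||= { files: [] } }
  end
end

# j1 (.nupkg): creates the package if needed. `before_create` lets the demo
# pause j1 right before the create, as in step 3 of the timeline.
def process_nupkg(registry, name, version, before_create: -> {})
  before_create.call
  registry.find_or_create(name, version)[:files] << "#{name}.#{version}.nupkg"
end

# j2 (.snupkg): requires the package to exist already (steps 4-5).
def process_snupkg(registry, name, version)
  pkg = registry.find(name, version) or raise PackageMissing, "#{name} #{version}"
  pkg[:files] << "#{name}.#{version}.snupkg"
end

# Forces the interleaving: j1 paused, j2 checks and fails, j1 resumes.
def run_timeline(retries:)
  registry = Registry.new
  gate = Queue.new
  j1 = Thread.new { process_nupkg(registry, "Demo.Pkg", "1.0.0", before_create: -> { gate.pop }) }
  attempts = 0
  begin
    attempts += 1
    process_snupkg(registry, "Demo.Pkg", "1.0.0")
    outcome = :ok
  rescue PackageMissing
    gate << :go if attempts == 1 # step 6: let j1 create the package
    j1.join
    retry if attempts <= retries # assumed mitigation: re-run j2 later
    outcome = :failed
  end
  { outcome: outcome, attempts: attempts, files: registry.find("Demo.Pkg", "1.0.0")[:files] }
end
```

`run_timeline(retries: 0)` leaves the package with only the .nupkg attached, which is the failure described above; `run_timeline(retries: 1)` attaches both files on the second attempt.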