How long does a removed release stay on mirrors?

Hi,

Yesterday, the setuptools_scm project removed its 3.3.0 release, which had introduced a regression.

When checking locally, I can verify that indeed pip install setuptools_scm installs the 3.2.0 version, i.e. the one before the regression.

However, on various CI builds, I still see version 3.3.0 being installed:
https://travis-ci.org/pitrou/arrow/jobs/529867091#L6318

Do we know how long it takes for PyPI mirrors to register deleted files or releases? Or do they register them at all?

1 Like

This might be a red herring, as we install some of our dependencies from conda-forge rather than PyPI.

The short answer is somewhere between instantly and forever, and I swear that’s not snark.

So unless you’ve configured it to do so, pip doesn’t hit any mirrors, just the CDN. The CDN should generally purge things within ~100ms or so, but there are conditions where you will get a stale response (if the backend is down, for example, or if there is a Fastly bug). If the purge for some reason fails, then it should fall out of the cache within a day or so.

If you’re actually using a mirror, then it depends on the software being used. Bandersnatch runs as a cron job, and by default it will delete the file whenever it runs next, so that could be every minute, every 15, every day, etc. However, bandersnatch also has a configuration option that doesn’t delete files (though I don’t remember off the top of my head if it just keeps the file, or if it also keeps it listed on the /simple/ page).

Other software may behave differently, but the mirror protocol itself does surface the fact that a file got deleted, so the information is there for the mirror to do the right thing if they so desire.

Also, depending on what version of pip you’re running, pip itself may or may not cache the /simple/ page for up to 10 minutes, so if you did pip install ... && delete-from-pypi && pip install ... the second pip install still might see the file.

Hopefully that answers your question?

2 Likes
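To check whether a mirror still lists a release that was removed upstream, as discussed in the answer above, one can diff the two /simple/ pages. This is an added example and not part of the original thread; the function names are hypothetical, and the sample pages, host name and hash fragments are constructed for illustration.

```python
from html.parser import HTMLParser

class SimpleIndexParser(HTMLParser):
    """Collect file names linked from a PEP 503 /simple/<project>/ page."""
    def __init__(self):
        super().__init__()
        self.files = set()

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            # Drop the "#sha256=..." fragment, keep the last path segment.
            self.files.add(href.split("#")[0].rsplit("/", 1)[-1])

def listed_files(html):
    parser = SimpleIndexParser()
    parser.feed(html)
    return parser.files

def file_version(filename):
    """Extract the version from a wheel or sdist file name, else None."""
    if filename.endswith(".whl"):
        return filename.split("-")[1]
    for ext in (".tar.gz", ".tar.bz2", ".zip"):
        if filename.endswith(ext):
            return filename[:-len(ext)].rsplit("-", 1)[1]
    return None

def stale_versions(upstream_html, mirror_html):
    """Versions with files the mirror lists but upstream no longer does."""
    gone = listed_files(mirror_html) - listed_files(upstream_html)
    return sorted({v for v in map(file_version, gone) if v})

# Constructed sample pages (host and hashes are placeholders).
BASE = "https://files.example.invalid/packages/"

def _page(names):
    links = "".join(f'<a href="{BASE}{n}#sha256=0000">{n}</a><br/>' for n in names)
    return f"<html><body>{links}</body></html>"

KEPT = ["setuptools_scm-3.2.0.tar.gz", "setuptools_scm-3.2.0-py2.py3-none-any.whl"]
REMOVED = ["setuptools_scm-3.3.0.tar.gz", "setuptools_scm-3.3.0-py2.py3-none-any.whl"]
UPSTREAM_HTML = _page(KEPT)          # upstream after the release was removed
MIRROR_HTML = _page(KEPT + REMOVED)  # mirror that has not processed the deletion

if __name__ == "__main__":
    print(stale_versions(UPSTREAM_HTML, MIRROR_HTML))
```

In practice the two inputs would be the /simple/ page fetched from the upstream index and from the mirror the CI job is configured to use.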

It does, thank you.