Problem
The PEP 792 quarantine check currently only runs inside get_project_from_pypi() in resolver.py, which is only called by PyPIProvider.find_candidates(). When a package is configured to resolve from GitHub or GitLab (via GitHubTagProvider or GitLabTagProvider through override plugins), the quarantine status on PyPI is never checked.
This means a quarantined package can still be resolved and built if it uses a non-PyPI resolver, bypassing a safety mechanism.
Expected behavior
Regardless of which resolver provider is used, fromager should check the package's quarantine status on PyPI before proceeding with resolution. If the package is quarantined on PyPI, resolution should fail with a clear error.
Proposed solution
Option A: Unconditional check at resolution entry points
Add a standalone check_pypi_quarantine_status() function and call it unconditionally from resolve() and resolve_source() for all resolver types. Remove the existing quarantine check from get_project_from_pypi().
- Pros: Simpler, single responsibility, no conditional logic, also fixes the custom-index case
- Cons: For PyPIProvider resolving from pypi.org, the project page is fetched twice: once for the quarantine check and once for candidates
Option B: Conditional check only for non-PyPI providers
Same standalone function, but only called when the provider is not a PyPIProvider. Keep the existing quarantine check inside get_project_from_pypi().
- Pros: No duplicate HTTP requests
- Cons: Quarantine logic split across two locations, conditional branching, does not fix the custom-index case
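A sketch of Option A, added here as an illustration and not taken from fromager's code: a standalone check that reads the PEP 792 `project-status` marker from the JSON Simple API and runs before any provider. The function signature, `QuarantinedError`, `resolve_with_check`, the injected `fetch` callable, the sample data, and the choice to let projects absent from PyPI pass are all assumptions.

```python
import json
import re
from typing import Callable, Optional

PYPI_SIMPLE = "https://pypi.org/simple"


class QuarantinedError(RuntimeError):
    """Hypothetical error type for this sketch."""


def check_pypi_quarantine_status(name: str, fetch: Callable[[str], Optional[str]]) -> str:
    """Return the PEP 792 status of `name` on PyPI; raise if quarantined.

    `fetch(url)` returns the JSON Simple API body, or None when PyPI has no
    such project (assumption: a project absent from PyPI is not blocked).
    """
    normalized = re.sub(r"[-_.]+", "-", name).lower()  # PEP 503 normalization
    body = fetch(f"{PYPI_SIMPLE}/{normalized}/")
    if body is None:
        return "not-on-pypi"
    marker = json.loads(body).get("project-status") or {}
    status = marker.get("status", "active")  # PEP 792: no marker means active
    if status == "quarantined":
        reason = marker.get("reason", "no reason given")
        raise QuarantinedError(f"{name} is quarantined on PyPI: {reason}")
    return status


def resolve_with_check(name: str, provider: Callable[[str], str], fetch) -> str:
    """Simplified stand-in for a resolution entry point (Option A)."""
    check_pypi_quarantine_status(name, fetch)  # unconditional, before any provider
    return provider(name)


# Constructed sample index responses, keyed by URL, so the sketch runs offline.
SAMPLE_INDEX = {
    f"{PYPI_SIMPLE}/good-pkg/": json.dumps(
        {"meta": {"api-version": "1.4"}, "name": "good-pkg", "files": []}),
    f"{PYPI_SIMPLE}/bad-pkg/": json.dumps(
        {"meta": {"api-version": "1.4"}, "name": "bad-pkg", "files": [],
         "project-status": {"status": "quarantined", "reason": "constructed example"}}),
}


def sample_fetch(url: str) -> Optional[str]:
    return SAMPLE_INDEX.get(url)


def fake_tag_provider(name: str) -> str:
    """Stands in for a non-PyPI provider such as a GitHub tag resolver."""
    return f"{name}==1.0.0 (from git tag)"
```

Because the check is keyed on the normalized project name alone, it gives the same answer whichever provider later supplies the candidates.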