---
title: "What happens when you upload a Package?"
description: "Packages in Cloudsmith repository are so much more than just “bits on disk”, and treating them as such is really doing them a disservice! "
canonical_url: "https://cloudsmith.com/blog/what-happens-when-you-upload-a-package"
last_updated: "2024-10-23T14:15:15.000Z"
---
# What happens when you upload a Package?

It’s a fairly common perception that a package repository is basically a file share or file storage, and perhaps for some of the most simple implementations, this is a reasonable analogy.

However, when thinking of Cloudsmith, this analogy misses a lot of important details that make Cloudsmith package repositories rather unique.

## Synchronization - what is it good for?

If you have used Cloudsmith, you may have noticed that when you publish/upload a package to Cloudsmith or fetch a package from a public package repository (like Maven Central or PyPI) into Cloudsmith, the first thing that happens is that the package enters a “Synchronizing” state. What exactly is synchronizing? Put simply, synchronization is where Cloudsmith processes the uploaded/ingested package. But that still hides a lot of the detail. What possible processing could a package need? Well, quite a lot actually!

Some of the steps that synchronization/package processing involves are:

- **Initialization** - Setting up the initial state, tools and environment for synchronization.
- **Retrieving** - Getting the package files from the upload storage location.
- **Assembling** - Extracting the package files and assembling the package (layers and configs for Docker images, for example).
- **Malware Scanning** - Once we have the complete package file set, we scan the files for trojans, malicious content etc.
- **Parsing** - Verify and generate package checksums and signatures, as well as parse and verify package metadata and licenses.
- **Final Synchronization** - Local and Distributed Storage synchronization.

These processes are automatic, require no user interaction and run asynchronously on Cloudsmith's global infrastructure. They are a large part of what empowers Cloudsmith users to implement effective package controls. As they say, knowledge is power - and it’s by the process of synchronization that we gain the knowledge of packages.

## How does this help me?

Once a package has been synchronized, we can then use the metadata generated to apply things like Vulnerability, Licence and Package Deny policies, create a scoped access token, add tags to the package, or fire a webhook for specific packages/versions. The data generated from synchronization drives a lot of the subsequent actions and workflows that you can perform.

Also, you may encounter occasions where a package fails synchronization:

![whole.png](https://cdn.sanity.io/images/rafvlnhi/production/ca60a94ffc6ada9536428583d908e279b65a6c26-1920x1080.png)

This is typically a good thing (contrary to initial impressions!) because it can alert you to a problem with the package itself, such as invalid/missing/incorrect metadata (the package not meeting the specification for the package type, for example), the presence of malware in the package, or an attempt to upload/publish a package that already exists in the repository (as above). Package synchronization is an essential step in verifying the “correctness” of a package, and it’s always better to catch things earlier in your processes than later, as the cost of remediation rises dramatically the later issues are identified.
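To make the stages and the three failure causes above concrete, here is an added sketch of an ingest pipeline; it is not Cloudsmith's code. The archive layout, the `PKG-INFO` field requirements, the `MALWARE_MARKER` signature and all function names are assumptions made for illustration.

```python
import hashlib, io, tarfile
from email.parser import Parser

MALWARE_MARKER = b"DEMO-MALWARE-MARKER"  # constructed stand-in for a scanner signature

class SyncError(Exception):
    """A processing stage rejected the package."""

def build_package(fields, payload=b"print('hello')\n"):
    """Constructed sample: in-memory .tar.gz with PKG-INFO and one source file."""
    meta = "".join(f"{k}: {v}\n" for k, v in fields.items()).encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in {"PKG-INFO": meta, "src/main.py": payload}.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def synchronize(blob, repo):
    """Run the stages in order; raise SyncError at the first failure."""
    files = {}  # Assembling: unpack in memory, refusing paths that escape the archive
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for m in tar.getmembers():
            if m.name.startswith("/") or ".." in m.name.split("/"):
                raise SyncError(f"unsafe path in archive: {m.name}")
            if m.isfile():
                files[m.name] = tar.extractfile(m).read()
    for path, data in files.items():  # Malware scanning (stand-in signature match)
        if MALWARE_MARKER in data:
            raise SyncError(f"malware detected in {path}")
    # Parsing: metadata must meet the (hypothetical) spec before anything is stored
    meta = Parser().parsestr(files.get("PKG-INFO", b"").decode())
    missing = [f for f in ("Name", "Version") if not meta.get(f)]
    if missing:
        raise SyncError(f"invalid metadata, missing: {', '.join(missing)}")
    key = (meta["Name"].lower(), meta["Version"])
    if key in repo:
        raise SyncError(f"package already exists: {key[0]} {key[1]}")
    repo[key] = {"sha256": hashlib.sha256(blob).hexdigest(), "files": sorted(files)}
    return repo[key]

def sync_result(blob, repo):
    """Return 'ok' or the failure reason, as a repository UI would report it."""
    try:
        synchronize(blob, repo)
        return "ok"
    except SyncError as exc:
        return str(exc)
```

A rejected package never reaches `repo`, so the policies and webhooks that run on synchronized metadata only ever see packages that passed every stage.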

**In summary:**

Cloudsmith Package Repositories do far more than just store your packages, and they have a lot more functionality than just storing your packages in an AWS S3 bucket or Azure Blob Storage, or spinning up a simplistic instance of a package repository. Packages in a Cloudsmith repository are so much more than just “bits on disk”, and treating them as such is really doing them a disservice!
