RE: Noncompliant packages can still be downloaded

Hi @daniel-mccoy_4395,

Based on what you've described, it sounds like ProGet is indeed blocking downloads; this is visible in the ProGet Web UI with a "Download Blocked" indicator. If you try accessing the download URL, you will in fact get a 400 error.

However, NuGet/Visual Studio aggressively cache package - which means they aren't even attempting to download them. If you clear all the NuGet caches (system, user, http, project, etc), then it should attempt to download then again.

That said, as of ProGet 2026, we no longer recommend downloads. This is one reason, but there are more reasons.

Here's an work-in-progress article that discusses our new guidance:
https://guides.inedo.com/vulnerability-management/containment/

Cheers,
Alana

Hi @carl-westman_8110 ,

Not really... Feeds and Views are a bit different concept and we don't really encourage using the presence in a particular feed as a means to identify whether something has been released. Instead, we'd encourage using Pre-Release Packages & Repackaging
, which make it obvious from simply lookin at the version (i.e. 1.1.1-rc.7 indicates not yet released).

Thanks,
Alana

Hi @certificatemanager_4002 ,

ProGet is licensed per instance (i.e. installation), you will need a separate license if you wish to maintain a production and non-production instances of ProGet. See the official Licenses for Non-production / Testing Environments for more details.

For things like a one-off, cloud-migration, using a Trial license (which you can get from My.Inedo.com) is fine.

Thanks,
Alana

Hi @certificatemanager_4002 ,

Just to clarify the support:

We are planning to upgrade to ProGet 25.x, as we understand that Microsoft SQL Server support will be not supported by the end of the year.

We are currently planning to discontinue SQL Server support in ProGet 2027. It will continue to work in ProGet 2025 and ProGet 2026 regardless of when you use the software.

To answer your questions...

1. You can continue using SQL Server in ProGet 2025
2. Please see Configuring High Availability & Load Balancing, which details the implementation
3. ProGet for Linux is supported in a Docker environment; many users will deploy using Kubernetes, but we do not provide charts or templates... only a Docker Installation Guide that you will need to "translate" into pods, etc
4. ProGet can handle that traffic, though a lot of factors will determine how much server resources are required; I would start with a two-node cluster and evaluate/consider adding more if needed

Thanks,
Alana

Hi @Nils-Nilsson ,

This will be fixed via PG-3266 in the upcoming maintenance release (next Friday). It looks like it was a separate, SQL Server only bug. It's easy to patch if you'd like the SQL Script. Just let us know!

Cheers,
Steve

Hi @Ashley ,

Good news -- this will be fixed via PG-3265 in the upcoming maintenance release (next Friday).

In case you're curious, the bug was that we were comparing packagePublished.AddDays(recentlyPublishedDays.Value) > DateTime.UtcNow.Date, which includes the time-portion on the left side, but not the right-side (so 12:00A).

Just changing to packagePublished.Date.AddDays(recentlyPublishedDays.Value) > DateTime.UtcNow.Date does the trick, and it works for both Aged and Recently Published.

cheers,
Alana

Hi @stno_9153 ,

Thanks for clarifying; that's not possible with ProGet. A Debian feed is not designed to be a "read-only mirror", but instead a repository where you can add/filter/update packages. So, that's why ProGet must generate/sign the (In)Release files.

I'm afraid we have no plans to support a read-only mirror use case in the forseeable future.

Cheers,
Alana

Hi @stno_9153 ,

(In)Release files are signed using a private/public key scheme, so unless you were somehow able to get a copy of Ubuntu's private signing keys and upload it to ProGet... it is not possible to sign those files using the original Ubuntu Key.

Cheers,
Alana

Thanks @Ashley, that's exactly what I was thinking.

I haven't tried reproducing this yet, but I've got all the steps to now! And at that point, I'll have a debugger and all the code in front of me, so it should be an easy fix. It's probably related to UTC/local time, I don't think we've ever tested it "by the hour" like that :)

Anyway stay tuned we'll get it fixed pretty soon.

Hi @geraldizo_0690,

Thanks for providing all of this information. I was finally able to recreate the issue. I have created ticket PG-3263 to fix that issue. That fix will be released next week in ProGet 2025.27. Just to make sure I cover all my bases, can you tell me which database backend you are using?

Thanks,
Rich