Enforcing Licence Policies/Blocking?
-
Hi,
I'm in the process of evaluating ProGet as a solution for improving our software supply chain controls. To that end I've deployed ProGet Enterprise edition, version 2024.8 build 10, to a Kubernetes cluster with a trial licence and am currently trialing its licence-based download blocking.
A Python feed has been configured as follows in terms of its policies and blocking behaviour:
The global settings are applied to the feed which are to block anything noncompliant:
However, in the box on the policy page it says that downloads are not blocked:
And indeed if I try to download and install a GPLv3 licensed package into a test virtual environment I'm not encountering any issues:
The test user in question has been explicitly only permitted to view and download packages from this one feed:
Can you please point me in the right direction for enforcing the licence/vulnerability blocking?
Many thanks,
Stian
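The check the poster performed by hand (install a known-noncompliant package through the feed and see whether it arrives) can be scripted so it is repeated after every upgrade. This is an added example, not code from the thread or from Inedo; it assumes the feed exposes a PEP 503 index at `<proget>/pypi/<feed>/simple` and that a blocked file download answers with a non-2xx status, and it takes the test user's credentials from the hypothetical `PROGET_BASIC_AUTH` variable.

```python
import base64
import os
import re
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin

HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"', re.IGNORECASE)


def parse_simple_index(html: str, page_url: str) -> list:
    """Return the absolute file URLs listed on a PEP 503 project page."""
    return [urljoin(page_url, href) for href in HREF_RE.findall(html)]


def verdict(index_status: int, file_status) -> str:
    """'SERVED' means the control failed: the feed handed the file out."""
    if index_status == 401:
        return "unauthorized"  # credential problem, not evidence of blocking
    if index_status != 200 or file_status is None:
        return "blocked"  # project page refused, or no files listed
    return "SERVED" if 200 <= file_status < 300 else "blocked"


def fetch(url: str, read_body: bool = True):
    """GET url as the test user -> (status, body); HTTP errors are returned."""
    req = urllib.request.Request(url)
    creds = os.environ.get("PROGET_BASIC_AUTH")  # "user:password" of the test user (assumed)
    if creds:
        req.add_header("Authorization", "Basic " + base64.b64encode(creds.encode()).decode())
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, (resp.read() if read_body else b"")
    except urllib.error.HTTPError as err:
        return err.code, b""


def probe(simple_url: str, name: str) -> str:
    """Request the project page, then the first listed file, and classify."""
    page_url = f"{simple_url.rstrip('/')}/{name}/"
    status, body = fetch(page_url)
    files = parse_simple_index(body.decode("utf-8", "replace"), page_url)
    if status != 200 or not files:
        return verdict(status, None)
    return verdict(status, fetch(files[0], read_body=False)[0])


if __name__ == "__main__":  # python check_blocking.py <simple-url> abydos ...
    simple, names = sys.argv[1], sys.argv[2:]
    results = {n: probe(simple, n) for n in names}
    for n, r in results.items():
        print(f"{n}: {r}")
    sys.exit(1 if "SERVED" in results.values() else 0)  # nonzero: blocking not enforced
```

Run it as the restricted test user against package names the policy marks noncompliant; a nonzero exit is the regression signal.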
-
Hi @johnsen_7555 ,
Thanks for sharing all of the configuration details; can you navigate to one of the GPL packages that you're trying to install, and see what it says on the package page within ProGet?
On that page, you can also ReAnalyze the package (using the dropdown button) and get a log of which policies/rules were applied.
-- Dean
-
Hi Dean,
Thanks for the quick response. Here's an example called abydos, where I even set the status to always block downloads:
Not even the download of this package is blocked. Here's another example, the one whose download is shown above, plover-consol-ui, which again as expected shows it as noncompliant:
-
Hi @johnsen_7555 ,
Thanks for sharing the additional details; I was able to reproduce this, and it's a regression/bug.
We fixed this via PG-2723 (FIX: Noncompliant Pypi packages can be downloaded when blocking is enabled on trial licenses), which is going to be shipped in the next maintenance release.
However, in the meantime, you can try a patch/prerelease version that contains the fix; since you mentioned Docker, the tag to pull would be 24.0.9-ci.1. Hopefully that will solve the issue!
-- Dean
-
Thanks, Dean. This new build does indeed resolve the issue:
Have a good weekend.