ProGet: License Policies - General questions
-
Hi all,
we tried to work on global and feed policies and we do have some questions regarding this topic. We are currently working on Version 2024.38.
If a feed policy is active, will the global policy also be evaluated when analyzing the packages in this feed? Or will the global policy completely be ignored?
Let's work with an example for our next question:
I have a feed called "NuGet". This feed contains the package "EPPlus 6.0.6" which has the license "PolyForm-Noncommercial-1.0.0".
In my NuGet policy I set this license as "Compliant" and in my Global policy I set this license to "Noncompliant".
Is it correct to assume that the package will be Compliant in the feed "NuGet" but should be Noncompliant in any other feed?
Because if I upload the package to another feed (which has no specific feed policy) the package is listed as compliant:
If I remove the feed policy, this package is shown as Noncompliant in this specific feed. But if I reupload or promote it to another feed it is shown as Compliant. So maybe this has nothing to do with the policies, but not sure. In general we are just curious about how the policies interact with each other.
Thanks
Caterina
-
Hi @caterina ,
Multiple policies will "stack" and are evaluated in order from Global > Shared > Feed. It can get pretty tricky, so I would use the "Re-analyze" feature on a package - this will print out some detailed analysis logs that show you exactly what rules are being followed.
The "Policies and Blocking" view under the Manage Feed pages will try to combine these into a single view, but you may find that using Admin > Policies is helpful... it only shows one policy at a time, and does not combine them.
To add to the complexity, compliance results are cached on the "list packages view" -- so that's why it's important to do that reanalyze function to make sure you're looking at the right results.
The caching doesn't last long (few minutes), but it makes debugging a challenge.
Thanks,
Steve
-
Hi Steve,
thanks for clarifying things.
I was just wondering: If I create a feed policy the UI looks like that:
I set "PolyForm-Noncommercial-1.0.0" as compliant for the feed but it is noncompliant in the global policy. The noncompliant part of my global policy is crossed out completely. Does that mean it is ignored? Or is that a UI issue because only "PolyForm-Noncommercial-1.0.0" should be crossed out? I also tried to use the Reanalyze Task with the following result (the package has the license "PolyForm-Noncommercial-1.0.0"):
In the feed "NuGet" (the original feed of the package) I see this log:
If I reupload/promote this package to another feed and reanalyze it I see this log:
It looks like the global policy is not being considered? A policy is being found but it does not seem to be applied? Maybe you can tell me more about that behavior.
Thanks
Caterina
-
Hi @caterina,
That looks to be an issue with the UI. Your feed policy will only overwrite the specific license you marked as compliant and the remaining non-compliant licenses will still mark packages with those licenses as non-compliant. For example, any package with AGPL-1.0 will still be non-compliant. On the second feed, it should be using the Global policy for that package. Can you share which feed features are enabled under the Feed Properties tab (Manage Feed in ProGet 2024) on the feed you promoted the package to?
Thanks,
Rich
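A constructed Python model of the stacking behaviour described in this thread (Global > Shared > Feed, with a feed policy overriding only the licenses it explicitly lists). This is an added example, not ProGet's code; the result for licenses no layer lists and the handling of feeds without license detection are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

COMPLIANT, NONCOMPLIANT = "Compliant", "Noncompliant"
NOT_ANALYZED, NO_RULE = "NotAnalyzed", "NoRule"


@dataclass
class Policy:
    name: str
    rules: dict  # license id -> COMPLIANT or NONCOMPLIANT


@dataclass
class Feed:
    name: str
    license_detection: bool = True   # the feed feature asked about in the thread
    feed_policy: Optional[Policy] = None


def evaluate(license_id: str, feed: Feed, global_policy: Policy,
             shared_policy: Optional[Policy] = None):
    """Return (status, name of the policy that decided) for one package license.

    Layers are applied Global > Shared > Feed; a later layer overrides only the
    licenses it explicitly lists, so the remaining global rules keep applying.
    """
    if not feed.license_detection:
        return NOT_ANALYZED, None       # assumption: no analysis runs for this feed
    status, source = NO_RULE, None      # assumption: default for unlisted licenses
    for layer in (global_policy, shared_policy, feed.feed_policy):
        if layer is not None and license_id in layer.rules:
            status, source = layer.rules[license_id], layer.name
    return status, source


# Constructed scenario mirroring the thread: EPPlus 6.0.6 carries PolyForm-Noncommercial-1.0.0
GLOBAL = Policy("Global", {"PolyForm-Noncommercial-1.0.0": NONCOMPLIANT,
                           "AGPL-1.0": NONCOMPLIANT})
NUGET = Feed("NuGet", feed_policy=Policy("NuGet feed policy",
                                         {"PolyForm-Noncommercial-1.0.0": COMPLIANT}))
OTHER_ON = Feed("Other")                                   # global policy only
OTHER_OFF = Feed("Other-no-detection", license_detection=False)

if __name__ == "__main__":
    for feed in (NUGET, OTHER_ON, OTHER_OFF):
        for lic in ("PolyForm-Noncommercial-1.0.0", "AGPL-1.0"):
            print(feed.name, lic, evaluate(lic, feed, GLOBAL))
```

The second tuple element plays the role of the "Re-analyze" log mentioned above: it names the layer whose rule actually decided the result.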
-
Hi @rhessinger,
thank you for pointing out the feed features. License detection was not enabled in the feed I used for testing. After activating the feature the package is being reanalyzed correctly and the global policy is being used.
Thanks
Caterina