Inedo Community Forums Forums
    • Recent
    • Tags
    • Popular
    • Login

    Welcome to the Inedo Forums! Check out the Forums Guide for help getting started.

    If you are experiencing any issues with the forum software, please visit the Contact Form on our website and let us know!

    How to use Package/Container Usage in ProGet/Otter

    Scheduled Pinned Locked Moved Support
    8 Posts 2 Posters 44 Views 1 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • G Offline
      geraldizo_0690
      last edited by

      Dear Supporters,

      we are trying to get Package/Container Usage work.

      Our Testenvironment in containers:

      • ProGet 2025.24(Build 5)
      • MSSQL
      • Otter 2025.3 (Build 1)

      The problem is, as soon as a server has been assigned into a role, for executing checkconfiguration with activated "Configuration drift:", the package/container scanner inside of ProGet will get the following error while scanning. And there is no information about package usage have been transfered from otter to proget.

      Have any clue, why is this happening?

      Scan using Otter at http://otter/ failed: Invalid name.
      
      System.ArgumentException: Invalid name.
         at Inedo.UPack.UniversalPackageId.Parse(String s)
         at Inedo.ProGet.Extensions.PackageContainerScanners.OtterScanner.OtterPackageData..ctor(String server, FeedType type, JObject obj) in C:\Users\builds\AppData\Local\Temp\InedoAgent\BuildMaster\192.168.44.60\Temp\_E648765\Src\src\ProGet\Extensions\PackageContainerScanners\OtterScanner.cs:line 147
         at Inedo.ProGet.Extensions.PackageContainerScanners.OtterScanner.<>c__DisplayClass12_0.<ReadPackages>b__0(JObject p) in C:\Users\builds\AppData\Local\Temp\InedoAgent\BuildMaster\192.168.44.60\Temp\_E648765\Src\src\ProGet\Extensions\PackageContainerScanners\OtterScanner.cs:line 128
         at System.Linq.Enumerable.ConcatIterator`1.MoveNext()
         at Inedo.ProGet.Service.PackageContainerScannerRunner.GetPackageRecords(Context db, IEnumerable`1 packages)+MoveNext() in C:\Users\builds\AppData\Local\Temp\InedoAgent\BuildMaster\192.168.44.60\Temp\_E648765\Src\src\ProGet\Service\TaskRunners\PackageContainerScannerRunner.cs:line 71
         at System.Collections.Generic.List`1..ctor(IEnumerable`1 collection)
         at System.Linq.Enumerable.ToList[TSource](IEnumerable`1 source)
         at Inedo.ProGet.Service.PackageContainerScannerRunner.ScanAsync(TaskRunnerSubtask`1 subtask, PackageContainerScanner scanner) in C:\Users\builds\AppData\Local\Temp\InedoAgent\BuildMaster\192.168.44.60\Temp\_E648765\Src\src\ProGet\Service\TaskRunners\PackageContainerScannerRunner.cs:line 46
      
      ::PackageContainerScannerRunner Error on 04/01/2026 10:12:11::
      
      

      Thank you.
      Best regards

      apxltdA 1 Reply Last reply Reply Quote 0
      • G Offline
        geraldizo_0690
        last edited by

        Additional Information:

        proget[1916719]: Scan using Otter at http://otter/ failed: Unexpected character encountered while parsing value: <. Path '', line 0, position 0.
        
        1 Reply Last reply Reply Quote 0
        • apxltdA Offline
          apxltd inedo-engineer @geraldizo_0690
          last edited by

          Hi @geraldizo_0690 ,

          Thanks for trying out the feature! Unfortunately I think this feature broke around ProGet 2023 and no one seemed to notice it; we were actually planning on removing it in ProGet 2026.

          We build the feature ages ago, but no one ever asked for it. It just "felt" like a "nice idea" at the time, but we never really thought out a proper use case. So was never documented very well and it would seem no one used it 😅

          Anyway... I'd be open to reviving it if we could actually figure out a use case. What are you trying to do? Would love to get an idea to see if we can solve a real-world problem here

          Thanks,
          Alex

          Founder and CEO, Inedo

          1 Reply Last reply Reply Quote 0
          • G Offline
            geraldizo_0690
            last edited by geraldizo_0690

            Hi, thanks for the info.

            We find this feature very interesting because packages can be tracked using Proget and Otter.
            This allows users to check whether the packages they use have already been updated with the latest security updates.

            But it’s not a big deal if the feature is no longer supported soon.

            It appears to be just a JSON interface that is used between Proget and Otter.

            Btw. Offtopic

            Can you take a look here again, I find it better to continue this thread instead of opening a new thread with the same topic:
            https://forums.inedo.com/topic/5635/support-for-notautomatic-butautomaticupgrades-headers-in-debian-feed-release-files?_=1775537208917

            Thank you very much

            apxltdA 1 Reply Last reply Reply Quote 0
            • apxltdA Offline
              apxltd inedo-engineer @geraldizo_0690
              last edited by

              Hi @geraldizo_0690 ,

              Thanks! That's pretty much where we left it, an "interesting feature" with no real demand. I'm glad you "get it" though and see some value here :)

              This allows users to check whether the packages they use have already been updated with the latest security updates.

              So to clarify, your envisioned usecase is system/Debian packages? What would you do on the Otter side? Orchestrate updates of those packages?

              Cheers,
              Alex

              PS -- other issue is the list to address, easy fix just haven't gotten to it yet w/ PG2026 stuff

              Founder and CEO, Inedo

              1 Reply Last reply Reply Quote 1
              • G Offline
                geraldizo_0690
                last edited by geraldizo_0690

                The intended use case is to improve the identification of vulnerable software packages in circulation.

                This would allow me to determine which package(deb or rpm) on which host is at risk, thereby notifying the host owner and taking further action. However, the number of software packages on individual hosts can be very high.

                On the Otter side, of course, systems can be administered with ease and an additional vault system. The use of inventoried configurations via groups and roles is particularly easy to implement. You wouldn’t need to learn any additional configuration or scripting language for this. You can, of course, learn OtterScript. But you don’t have to. It offers simple integration with Linux and Windows systems. Such a tool is particularly ideal for Windows server systems.

                Perhaps you should continue to retain the usage/statistics in Proget. After all, the package/container scanner only needs JSON to feed the usage/statistics with information.

                apxltdA 1 Reply Last reply Reply Quote 0
                • apxltdA Offline
                  apxltd inedo-engineer @geraldizo_0690
                  last edited by

                  @geraldizo_0690 thanks for clarifying!!

                  That's an interesting use case (i.e. using Otter/ProGet for vulnerability monitoring), though one we haven't really thought about. I can definitely see how the tools could work together to support that, but I suspect there are some key features/functionality that are missing (like getting notified, etc). Plus, a whole bunch of documentation and marketing to support the use case :)

                  It feels like we're taking on a whole new niche here, and there's a lot of solutions/players in this space. A quick search revealed Wazuh, OpenSCAP, Grype, Syft, etc. I've never heard of any of those, so it's hard to know how we could do something better. That would be first step -- why build "yet another solution" to this problem?

                  From a technical/solution standpoint, I think that something like a "pgutil but for system packages" might be a better choice. Just run that after a system update on the hosts, and that would push information to ProGet.

                  That simplifies configuration/management, and the two systems already have network access -- whereas opening up the host via SSH requires higher-level permissions, etc. It's lot of "adoption overhead", which means users won't really try it out.

                  A:nyway... it seems like we just need to "start from scratch" on this one. Definitely interested to learn more, but for now the main question would be "what problems can we uniquely solve that the existing tools can't".

                  Best,
                  Alex

                  Founder and CEO, Inedo

                  1 Reply Last reply Reply Quote 0
                  • G Offline
                    geraldizo_0690
                    last edited by geraldizo_0690

                    I actually haven't looked into pgutil yet. I'll check it out.

                    But overall, ProGet does a pretty good job. Right now, I really can't think of anything that ProGet can solve uniquely.

                    1 Reply Last reply Reply Quote 0

                    Hello! It looks like you're interested in this conversation, but you don't have an account yet.

                    Getting fed up of having to scroll through the same posts each visit? When you register for an account, you'll always come back to exactly where you were before, and choose to be notified of new replies (either via email, or push notification). You'll also be able to save bookmarks and upvote posts to show your appreciation to other community members.

                    With your input, this post could be even better 💗

                    Register Login
                    • 1 / 1
                    • First post
                      Last post
                    Inedo Website Home • Support Home • Code of Conduct • Forums Guide • Documentation