Navigation

    Inedo Community Forums

    Forums

    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Groups
    1. Home
    2. apxltd
    • Profile
    • Following
    • Followers
    • Topics
    • Posts
    • Best
    • Groups

    Alex Papadimoulis

    @apxltd

    inedo-engineer

    I'm the founder and CEO of Inedo, a DevOps software company based in Cleveland. Having worked in IT for nearly 20 years, I've has helped enterprises around the world adopt Agile and DevOps practices through cultural change and technology.

    17
    Reputation
    225
    Posts
    129
    Profile views
    5
    Followers
    0
    Following
    Joined Last Online

    apxltd Follow
    inedo-engineer administrators

    Best posts made by apxltd

    • RE: Support for R and CRAN

      hi all, thanks for the interest/comments; I decided to write-up a page that details this on the docs.

      http://inedo.com/support/documentation/proget/feeds/other-types

      I'm hoping we can use this public thread to maintain the discussion on technical detail; otherwise it'll get stuck in my email, or somewhere else, and we can get everyone to chime in this way.

      That said, @M-W if you've got any insight into how R/CRAN works please do share :)

      posted in Support
      apxltd
      apxltd
    • RE: Best way to backup plans version 5.6.11

      Of course, plan versioning is introduced in a later version, and Rafts (which allow for Git-based storage) is coming in 6.2.

      I definitely understand the hesitance to upgrade, but worth noting ---- for once 6.2 comes around we'll offer some great migration tactics to let you pull applications from really old versions of BuildMaster. We'll also better support multi-instances of BuildMaster, so each group can upgrade as they'd like.

      That said, the Plans database table will contain your OtterScript plans. Not sure if that's a good solution, but pulling from that table will give you latest versions.

      posted in Support
      apxltd
      apxltd
    • RE: Bulk-deletion nuget packages

      Hello;

      There may have been a miscommunication somewhere; do you know specifically what you were told?

      We recently added the Feeds Management API, but that's only to manage feeds (not packages).

      I just updated the documentation, and it will be published soon.

      You can delete (permanently remove) or unlist (hide from most search results) NuGet packages from your feed by navigating to the package page and clicking the corresponding Delete Package or Unlist Package button. These actions require the Feeds_DeletePackage or Feeds_UnlistPackage permission attribute, respectively.

      To programmatically delete a package from your feed, you can use the NuGet CLI's delete command, or make a DELETE request via HTTP:

      DELETE http://{proget-server}/nuget/{feed-name}/package/{ID}/{VERSION}`
      

      Note that this behavior is different than NuGet.org's DELETE command, which unlists packages instead.

      To programmatically unlist (or relist) a package, you can use the NuGetPackagesV2_SetListed method within the Native API.

      Is that helpful?

      posted in Support
      apxltd
      apxltd
    • RE: [BUG - ProGet] Not able to remove container description

      Definitely sounds like a bug; we've get it logged.

      By the way, we've got some real exciting container/registry features coming very soon in ProGet 5.3. Stay tuned!

      posted in Support
      apxltd
      apxltd
    • RE: Terraform private registry

      Hi @jeff-miles_5073 ,

      Thanks for the first inquiry; I just updated the documentation! These must be "relatively new", and I know we've had a few customers using universal packages for this.

      We have some Terraform integrations on our roadmap for 2023, so this definitely something we'll look into on our own as well.

      Cheers,
      Alex

      posted in Support
      apxltd
      apxltd
    • RE: NPM Audit

      Just as an update, we will be doing this:

      https://inedo.myjetbrains.com/youtrack/issue/PG-1555

      "Proxy npm audit requests to npmjs.org (experimental)"

      posted in Support
      apxltd
      apxltd
    • RE: Support for Alpine Packages

      Hi @shfunke_1795 , @jrottmann_6111

      Thanks, I just added this to our documentation page!

      I didn't look too deeply, but I found some initial documentation:
      https://wiki.alpinelinux.org/wiki/Package_management

      It seems this is "like Yum/RPM but for Alpine Linux"? None of us here use Alpine Linux, so there's a pretty big learning curve to get started. Any help here would be appreciated, and definitely move this along :)

      Is this related to "APK" that Android uses?

      Is the "API" mostly like basic file downloads, based on an index file? Are you able to "hack" or do a PoC using ProGet Asset Directories?

      posted in Support
      apxltd
      apxltd
    • RE: HTTPS with self hosted ProGet and internal web server

      Hi @tkolb_7784

      I wanted to provide an official answer to this:

      Are there plans for (easy) HTTPS support in the internal webserver? Applying a self hosted certificate and deploying it to all build servers and developer machines seems over the top for me right now.

      Yes. Not exactly sure how yet, but we would like the integrated webserver to support this as easily as possible.

      posted in Support
      apxltd
      apxltd
    • RE: pgscan: lockfileVersion 3 for npm dependencies not supported

      @shayde @sebastian really appreciate the help, we'll get this incorporated ASAP !!

      posted in Support
      apxltd
      apxltd
    • RE: License Usage Overview - Non-compliant Licenses in Use

      Thanks for clarifying @sebastian

      So I'm not exactly thrilled by this UI, but maybe this is fine.

      What do you think?

      b77a13f7-8327-4219-86e7-14595e46b0b1-image.png

      This is a kind of "quick and dirty" page that would show up if you clicked on that GPL-2.0 license and the "# projects" number.

      Here's one for the packages as well:

      6c7c1391-5385-471d-843a-b0faaeb85128-image.png

      posted in Support
      apxltd
      apxltd

    Latest posts made by apxltd

    • RE: Feature Request / Discussion: Restricting Build Promotion to Forward-Only (Prevent Backward Promotion)

      Hi @fabrice-mejean ,

      Thanks so much for the detailed information and offer to connect further! Very interested in that and I will definitely take you up on that :)

      Please give me a little time for that; I've got some travel coming up and then a bunch of other things... so I'd like to connect when I can really focus on some of these future things.
      .
      Cheers,
      Alex

      posted in Support
      apxltd
      apxltd
    • RE: Feature Request / Discussion: Restricting Build Promotion to Forward-Only (Prevent Backward Promotion)

      Hey @fabrice-mejean ,

      Thanks for the thoughtful feature request!

      My somewhat rhetorical question is.... don't you have another tool that manages pipeline lifecycle? Doesn't that tool just handle promotion and then "call into" ProGet.... and thus, ultimately, does it really matter if ProGet's information is wrong?

      But here's the long explanation / rambling...

      --

      So we actually implemented a whole new feature for ProGet 2026 called "build pipelines", but then I scrapped it because it just didn't "feel right".

      The major highlights were this:

      • add concept of "Pipelines", which are a collection of stages; the current stages would be converted into the Default pipeline
      • add "enforce stage sequence" on a Pipeline, which would allow you to just promote without selecting a stage and error if you tried otherwise
      • add concept of "Releases", which group related builds together under a common release number and Pipeline (basically the BuildMaster definition)

      This would allow you to do a workflow something like this:

      pgutil builds releases create --number=1.0.0 --pipeline=major
      pgutil builds scan --build=1 --release=1.0.0
      pgutil builds promote --build=1 --release=1.0.0 # build -> test
      pgutil builds promote --build=1 --release=1.0.0 # test -> qa
      pgutil builds promote --build=1 --release=1.0.0 # qa -> prod
      

      Since the build was promoted to the last stage, the release status would become "deployed" or something like that. By default, this would "archive" the previously deployed release, which would hide all those related builds from the dashboard.

      This model made sense to me, as a single project/application often has multiple releaes and multiple deployment pipelines, and this kind of modeled that.

      That said, the big issue I have is that "Releases" seem to be a foreign concept to many organizations; they simply produce a stream of "builds" and then someone "picks one" to deploy. So, it just feels like we're introducing a concept they don't use.

      And then I thought... what exactly would we be solving here? Is anyone actually looking at "stages" or "pipelines" in ProGet? Don't they have some other tool for this? Why are we even modeling these things visually?

      The more I thought about it, I kept circling back to "main value" of stages is "issue creation" and "retention" --- not "visualization". So I thought, maybe we should just pgutil builds audit generate issues? Does anyone use issues anyways? .

      And then I kinda gave up after that šŸ˜…

      Anyway, I'd still like to "do something" here, but I'm not sure I'm "connecting the dots" just yet.

      There are a few recurring themes users talk about:

      • Docker container images and the relation to sCA/covernance
      • Package-based applications (e.g. NuGet for OCtopus deploy, Universal Packages)
      • Library packages

      I can't help but wonder if we can adapt the SCA Builds/Projects to encompass these ideas a little better. Libraries obviously can't have a SBOM (they have dependency ranges instead), but there's gotta be "something" we can do here.

      I do feel I'm rambling here, but if we're going to do something, it should be an opiniated approach that introduces a new/better way to solve problems without a lot of friction.

      Personally I think visualization is huge, but what's the visuzliation problem we can solve with our tools šŸ¤”

      Thanks,
      Alex

      posted in Support
      apxltd
      apxltd
    • RE: Block recently published - Metadata filter ?

      @jens-viebig_4541 ooh good catch!

      That guidance is outdated as of ProGet 2026, where we no longer recommend/default to blocking Noncompliant packages.

      We should rewrite/republish the article to be more focused on guidance, update the screenshots, etc. I'll add that to the list.

      posted in Support
      apxltd
      apxltd
    • RE: Block recently published - Metadata filter ?

      Hi @jens-viebig_4541 ,

      In very early versions of ProGet, we would filter specific versions from connectors (i.e. remote feeds/repositories) but it caused all sorts of problems due to client (i.e. npm, nuget, etc.) behavior and server API (npmjs.com, nuget.org) limitations. But the biggest problem was Developer Experience, and the fact that the behavior was simply befuddling.

      When "random" versions suddenly go missing from the API, users will see a totally different dependency resolution result. Sometimes it would yield build failures.

      Troubleshooting this is an pain in the ass, especially for those nested dependencies, since the client provides no useful information. They can see the versions of "their packages" are both in npmjs.com and ProGet. The end result is end users saying, dependency resolution with ProGet is broken, so we just use npmjs.com instead.

      Long story short, I don't image we will return to filtering specific versions. It just causes more problems for everyone for no real benefit.

      Addressing Malicious Packages

      As for addressing malicious packages, this is simply a risk you have to accept. The question is how much Developer Experience you want to sacrifice to minimize the risk.

      First, you really can't rely on malicious packages ever being discovered . I mean, just look at the XZ Utils (CVE-2024-3094) backdoor; that kind of code could be in any library you're using now. So, the first step has nothing to do with Malicious Packages... but it's to make sure all of your apps are deployed under a Minimally Viable Security Posture (MSVP) and track which dependencies go where using ProGet's SCA capabilities.

      That said, if you do absolutely nothing, chances are you will be totally fine. As we wrote in Changes to Malicious Package Handling in 2025.20 and Beyond: the overwhelming majority of malicious packages are basically bot-created spam that no one will ever see, let alone use. These packages don’t rely on typos, but instead random, ā€œpackage-soundingā€ names generated by some LLM.

      In addition, Microsoft/GitHub seems to be undoing the braindead npm design descision to run arbitrary scripts at install time. I'm shocked that terrible idea survived this long. So, that will significantly reduce the attack vector, as developer machines can no longer be compromised by simply installing a package.

      Noncompliance for Recently Published Packages

      That said, the risk of harm caused by newly-published malicious packages pale in comparison to the real harm caused by regressions from constant upgrades. There's about a 0% chance of being harmed by a malicious package, but nearly a 100% chance of having problems when your developers always upgrade.

      So, it's a good idea to say newly published packages (like 30 days, not 1 day) are noncompliant. You'll just need to figure out how to balance Developer Experience with that. We have a lot of options, from using Package Approval Workflows (pretty heavy handed) to allowing exceptions for single packages.

      We do not recommend blocking noncompliant packages, especially for npm. Instead, use pgutil builds scan as discussed here: https://guides.inedo.com/vulnerability-management/containment/

      I understand that pnpm has some kind of rule you can configure to not resolve "newer" dependencies. So you could just set that to like 31 days, and set ProGet's to like 29 days. Or 15 days, 14 days.

      But a single day isn't going to do anything for you, except provide a false sense of security while maintaining the real risk of regressions from a "always upgrade" culture.

      --

      Finally... as for what Sonatype does, I'm skeptical. Based on the many customers that migrated from Nexus to ProGet, there's a rather large gap in advertised features and functionality, especially when it comes to stuff like this. Just taking a quick look, that feature looks defunct anyway and likely doesn't get much/any use.

      Regardless, filtering versions from feeds causes problems than it solves, so it really doesn't make sense to do.

      Hope that helps,

      Alex

      posted in Support
      apxltd
      apxltd
    • RE: Add Documentation for Chocolatey Proxy feeds

      Hi @imm0rtalsupp0rt ,

      We've published a version of the article now:
      https://docs.inedo.com/docs/proget/feeds/chocolatey/howto-chocolatey-proxyccr

      Let us know your thoughts or freel free to submit a PR should have have any suggestions!

      Thanks,

      Alex

      posted in Support
      apxltd
      apxltd
    • RE: ProGet: implement Policies & Blocking support for Container feeds

      Hi @Nils-Nilsson ,

      Thanks for the feedback; we discussed this with the team some more.

      The use case makes a lot of sense, especially with risk profiles introduced in ProGet 2026. Instead of exposing Policies (which have a bunch of package-driven rules) and blocking, our thoughts are:

      [1] Allow risk profile to be set/configured on Docker feeds; behind the scenes this would create Policy, but none of the rules would be used

      [2] Allow scoped assessments on Docker feeds; this would also use the feed's policy

      [3] Add pgutil containers audit command, which would display vulnerabilities and error if any are severe

      The issue we have with "blocking" downloads directly is that the Docker/Kube/Podman/etc. do not expose HTTP error messages and this becomes very painful to debug/troubleshoot.

      However, running pgutil containers audit can "break" any automation process (nonzero exit code) and will list all vulenrabilities etc.

      LEt us know your thoughts!

      Thanks,
      Alex

      posted in Support
      apxltd
      apxltd
    • RE: ProGet: implement Policies & Blocking support for Container feeds

      Hi @Nils-Nilsson ,

      We're considering "doing something" about this for our ProGet 2027 roadmap, but I really want to think about how this should be handled in ProGet. I want to create something that actually is helpful in identifying real security risks... and I'm not sure if our package-intended Policies is the move for Docker containers.

      One major issue is that nearly all vulnerable packages in a container IMAGE pose zero risk. Even if the component were used (most aren't... they're just installed), exploitation would require someone SSH'ing into the container and running interactive commands. PGV-2387734 is a great example of this.

      It's actually more risky to remediate the vulnerability and become "sensitized" to vulnerabilities like this. So, we want to make sure we can find way to "permanently mute" these for certain containers - and perhaps that involves saying "I do not actively use this component that happens to be installed in the image"? I'm not sure.

      There are also some issues with the ways vulnerabilities work with certain Linux distros; for example, the "patch version" varies by operating system, and that information isn't readily available in the vulnerability database and ProGet isn't analyzing which operating system the platform is using.

      We have a rough idea of treating Docker images to be more like SCA Builds than Feed Packages, in that an entire container image would be considered complaint. However, how many container images are built (it's done at CI for a lot of people), how few people seem to use pre-release tagging, etc., I don't know what makes sense here.

      Anyway let me know your thoughts!

      Thanks,
      Alex

      posted in Support
      apxltd
      apxltd
    • RE: Migrating from Sonatype Nexus to ProGet

      Hi @pg_user_8607 ,

      Thanks! If you haven't already, please do check out our Migrating from Sonatype to ProGet guide.

      [1] This is a common configuration, and it looks like anonymous is allowed based on the screenshot. It's hard to say withtout more troubleshooting. I would try using the Test Privileges function , which allows you to select a user, feed, and then it will show you all the task attributes available.

      [2] To be honest, our users have not found those analyses to add any real value (outside of describing what the library does). So, starting in Q1 we've shifted our research efforts to align with the big changes to vulnerability management in ProGet 2026, including Category 5 Vulnerability Research. Check out the Vulnerability Management Done Right with ProGet guide to learn more about what's coming!

      [3] No plans... in retrospect, there's no value in monitoring activity outside of checking the /health endpoint periodically. In fact, we've seen the opposite -- even monitoring HTTP traffic for abnormalities creates false positives that just wastes everyone's time.

      For example, if NuGet.org is having an outage, then your NuGet feeds connect to nuget.org will run slow, as the connector times out.

      [4] I suppose so! We'll update once we get ProGet 2026 out :)

      Cheers,

      Alex

      posted in Support
      apxltd
      apxltd
    • RE: How to use Package/Container Usage in ProGet/Otter

      @geraldizo_0690 thanks for clarifying!!

      That's an interesting use case (i.e. using Otter/ProGet for vulnerability monitoring), though one we haven't really thought about. I can definitely see how the tools could work together to support that, but I suspect there are some key features/functionality that are missing (like getting notified, etc). Plus, a whole bunch of documentation and marketing to support the use case :)

      It feels like we're taking on a whole new niche here, and there's a lot of solutions/players in this space. A quick search revealed Wazuh, OpenSCAP, Grype, Syft, etc. I've never heard of any of those, so it's hard to know how we could do something better. That would be first step -- why build "yet another solution" to this problem?

      From a technical/solution standpoint, I think that something like a "pgutil but for system packages" might be a better choice. Just run that after a system update on the hosts, and that would push information to ProGet.

      That simplifies configuration/management, and the two systems already have network access -- whereas opening up the host via SSH requires higher-level permissions, etc. It's lot of "adoption overhead", which means users won't really try it out.

      A:nyway... it seems like we just need to "start from scratch" on this one. Definitely interested to learn more, but for now the main question would be "what problems can we uniquely solve that the existing tools can't".

      Best,
      Alex

      posted in Support
      apxltd
      apxltd