RE: Halting a pipeline stage without using fail

If you set Warn, will it automatically advance?

One idea as well... how about also setting a build variable using Set-ReleaseVariable called IsValidBuild, and then using a Variable Value Promotion Requirement (IsValidBuild = true)?

hi all, thanks for the interest/comments; I decided to write-up a page that details this on the docs.

http://inedo.com/support/documentation/proget/feeds/other-types

I'm hoping we can use this public thread to maintain the discussion on technical detail; otherwise it'll get stuck in my email, or somewhere else, and we can get everyone to chime in this way.

That said, @M-W if you've got any insight into how R/CRAN works please do share :)

The Postgres container has had a lot of performance problems at scale, and neither our customers nor engineers could figure it out. A regular instance was fine, but our customers wanted containers.

But in the long term, maintaining two separate code bases doesn't make sense. And now that Sql Server is available, it makes sense to do it.

Hi, sorry on the slow reply!

I think you've got a good undersatnding of the situation, but a couple of comments:

• do not share the Temporary files (ServiceTempPath, WebTempPath); these should be kept on the same server as the BuildMaster web/service app. These are only used during the runtime of those applications.

• on the back up server, make sure both the Web Application and Service are set to DISABLED, or configured with a bad username/password such that they cannot be started easily; having two identical BuildMaster instances pointing to the same database and the same agents will cause that multi-master problem you dont' want to deal with :)

• we have had some customers put our products in a Windows Container, but largely the support on the Microsoft side isn't so great, and it's more trouble than it's worth; we are moving towards DotNetCore so we can have BuildMaster run on Linux (and linux containers)

Does that make sense? Let me know how it goes.

And by the way, I'd love to document this better... would you be interested in helping me with this, especially once you have it running in your set up? I think it would really help the community :)

Thanks Scott; just an FYI, we spent sometime investigating this and it actually looks simpler because it separates the package metadata from the file metadata, and uses XML as the serialization.

We'll keep digging; since it's addidirive, I don't see why we couldn't get it in a maintence release if it's as easy to do as, say, Helm or something. Just don't want to get stuck in a rabbit hole like PHP Composer :(

This is also being discussed here; long story short, this is a bug in Microsoft's PowerShell Gallery (and in the packages) in that they have two conflicting version numbers, and sometimes one is used, sometimes the other is used.

The docs have been updated for now: https://github.com/Inedo/inedo-docs/commit/10c42c3ad546ac2feb4748b7736db06567c7a6d6

Ugh, this sounds like a mess :(

Your comments on that GitHub issue seem spot on, and I'm not so keen on introducing quirky behavior to workaround their bugs. We made that mistake on the NuGet feeds and it made life worse for everyone, especially when the NuGet team silently fixed them (and introduced more weird behavior).

So I think we should just handle this via docs for now. I've updated the docs, feel free to suggestion more changes :)

To be honest, "SCM Triggers" are in a "quasi-legacy" state, because they use the "Legacy Providers". As such, we don't list it as a feature, and we hide the button on installations without SCM Providers configured. This was done slowly over the course of two years, in various v5 versions, to gauge user reaction.

So, your inquiry is good feedback. That being said, we have not yet put a lot of effort into properly redesigning this feature. The reason for this, is that the "general direction" has been moving towards post-commit hooks; i.e. triggering the build from the SCM server, once a merge request (or something?) happens. Even on dedicated CI tools, the preference is shifting towards this route. I think this is because the branching logic has been too complicated to follow (even for really advanced CI servers like Jenkins and TC).

So I wonder, have you looked into post-commit hooks?

Otherwise, we are definitely considering a general-purpose poll/trigger feature: basically, a poll will periodically occur, and if a condition is met, trigger some sort of event. This would be shared across multiple products, and the usecases might vary based on the product.

One motivation to develop this feature is that it will allow us to really feature the "BuildMaster is from source to production" story, which is becoming more popular again. Most people didn't want that, but now the pendulum is swinging back to it, now that source code tools (like Git) are integrating (totally inadequate) build/release features.

In any case, none of this is all that "immediate", but I wanted to share reasoning to you about this, and solicit your feedback.

Of course, if you need to create "legacy components" we can help you do that as well. We don't plan on removing those from BUildMaster, just hiding them so no new users can access them.

It seems like NuGet.org now finally supports it! So we will too; I filed PG-1246 to add it to a future maintence release.

Good question.

Regarding Vor Security, that was a recent acquisition by Sonatype, and it's being transitioned into a new service called OssIndex. Sonatype plans to keep this going for the foreseeable future, and we have verified this with Ken Duck (formerly of Vor Security, now Sonatype employee). ProGet will continue to support it (we are renaming it as well).

Moreover, we are planning to work with Sonatype to better integrate their broader services (vulnerability scanning) with ProGet. We are also investigating Blackduck integration, though we're not entirely sure how it would work with ProGet.

Regarding "developing our own"... broadly speaking, there are two types of vulnerabilities scanning:

• static analysis - analyzing actual code or binaries to look for patterns (buffer overflow, etc); this is done "on your own software"
• repository/database - looking at public databases like NVD, CVE, etc. for vendor- or third-party documented vulnerabilities reported for a known, published piece of software

We don't believe that static analysis has a place in a package manger; there are a handful of tools that can scan your codebase directly for this.

As for repository/databases, it's not really bout "finding" vulnerabilities in software, it's more about "aggregating databases" and then translating those into machine-readable formats. This is what Sonatype, Whitesource, etc., do, and we think more vendors will continue to innovate in this space.

But the "repository" and "scanning" are two different problems, and you should pick the best of both problems; it would almost be like saying "Microsoft makes Office, may as well use Visual Studio and .NET".

ProGet has the extensibility support for this already, so we should be able to integrate with new providers as they come up,

The behavior your describing is to be expected; basically the API acts as an impersonation token, meaning... if you supply an apikey, and its associated with a user, then it's as if you logged in as that user.

So in this case, try this:

1. create a user called ApiUser, and give ApiUser access to myFeed as desired
2. go to the APIKeys and Access Logs screen.
3. create a key and tick Feed API and set Feed API user to ApiUser

Assuming myFeed doesn't allow anonymous access (you will need to restrict this from permissions page), then you will need to provide an api key or username/password to access that feed.

In this case, just use the key you created.

Hope that helps!

It doesn't, but I think we should add it to the Release & Package Deployment .. so I added BM-3149

So, it will come in a future maintenance release, since it's additive and seems to pose minor risk.

There isn't currently, but there will be soon! Please see PG-1221

I can't imagine any reason at all this wouldn't be done, and it can go it the next maintenance release assuming it passes code review etc!

Thanks much for the specific suggestion!

Mostly it's goign to be the PlanVersions table. Plan_Bytes is UTF8-encoded , so you can do "CAST(Plan_Bytes as VARCHAR(MAX))". The ConfigurationFileInstances table may reference it, if you use configuration file assets. IssueSources are another destination.

Note you should never directly update the database.

Hey Clint;

This was intentional in the infrastructure sync; credentials are a bit trickier, because of the encryption key and fact that some credentials aren't supported.

That said, this is definitely on our roadmap and will (likely) come in the form of a new (free) product that manages multiple instances of our tools:

• users and permissions
• licenses
• resource credentials
• infrastructure (?)
• other settings?

In the mean time, it's possible to do with a database script / simple tool that just updates rows from one database to another (ResourceCredentials table). We can certainly help with that if needed.