Hi @msimkin_1572 ,
Sorry I didn't realize this before... the URL needs to be the Feed Endpoint URL, which would end in /index.json. I also updated the documentation to make this clear.
The URL you have now is the v2 endpoint url, which doesn't have a feed description document.
Hopefully it'll work as soon as you add /index.json to the URL :)
Cheers,
Alana
Hi @kichikawa_2913 ,
PG-2290 was the regression fix, and it was included in ProGet 2022.22
Cheers,
Alana
Hi @philipp-cender_3322 ,
Looks like you're making good progress :)
I ran the command .\inedoagentservice.exe run but the command only stated that it does: "Starting agent connector to the otter-host-fqdn on port 8630"
That's okay to see; it means that its working as expected. I there was an error, you would see it.
But for Source 10.67.0.17 something like a token exception is stated
In the screenshot, it seems okay and doesn't report an error. So I think it's okay?
The exception message is some kind of OS-level error, and I'm not sure what it means exactly. But it's a SSL/TLS issue. In this case, if you search for the text of the error ("Die Anmeldeinformationen, die dem Paket übergeben wurden, wurden nicht erkannt" -- but perhaps English is better), you can probably get some details on how to fix it. It could be some obscure operating system configuration.
If i open otter at Port 8630 (Agent Listener) on Firefox webbrowser i get something like that: PR_CONNECT_RESET_ERROR
It's not possible to "browse" such a connection; the Inedo Agent uses a proprietary, TCP-based binary protocol. So you will always get errors if you try to browse, telnet, etc.
Cheers,
Alana
Hi @msimkin_1572 ,
The blog article was technically incorrect on the arguments, so I changed that.
However, the documentation is updated and should be accurate:
https://docs.inedo.com/docs/proget-feeds-nuget-symbol-and-source-server
Basically, if you have both a nupkg and a snupkg in your folder, then you should only have to use
dotnet nuget push kramericalib.4.1.2.nupkg --source https://proget.kramerica.corp/nuget/internal-nuget
The .snupkg file will be stored on the same feed.
The symbol server url hasn't changed (it's still /symbols/feed).
hope that helps :)
Hi @cjchambers_1799 ,
Thanks for clarifying that; that handler outputs logs in plain text format (content-type is like txt/plain or something like that, not html).
That url is intended mostly to download/export the log files for APIS and other tools, but we put it in the UI for discoverability. And sometimes it's convenient to CTRL-F everything.
Since it's plain-text, it's not possible to do any kind of formatting (even a user-style sheet). But I guess you could CTRL-F [Error] or something, and it will "highlight" it in the browser at the least.
Cheers,
Alana
Hi @cjchambers_1799 ,
I'm not entirely sure what screen that is.....I think the execution-in-progress page (with the moving bar)?
So you're using the built-in Dark Mode then? Can you (temporarily) try switching to Light Mode, just to make sure it's showing up in the proper/expected colors?
If that's the case, likely just a CSS bug/fix we need to make :)
I didn't test yet, but just want to be sure I know we're looking at right thing.
Cheers,
Alana
Hi @cjchambers_1799 ,
Log entries are stored with an associated log level (error, warning, info, debug), and when you Log-Error it writes that item to the log with an error level.
When displaying log entries, error-level entries are displayed in Red, warning are in Yellow, and Debug is in Light-Grey.
So, I think this already behaves the way you are asking.
Cheers,
Alana
Hi @jw ,
In ProGet 2023, we are recording a "publish user" when a package is published. I'm not sure how we will show/expose this (probably history page for now), but that's really easy to change once we collect the data.
We're really hoping to get to get 2023.0 released later this month :)
Cheers,
Alana
Hi @Justinvolved ,
That error message is coming from here:
https://github.com/Inedo/inedox-git/blob/master/Git/Git.InedoExtension/Operations/CanonicalGitOperation.cs#L73
Basically, it means that value you've specified for From is not a known Secure Resource. It's not a common error, and is likely the result of deleting/re-adding something.
I would remove the From argument from your OtterScript altogether (just leave it as Git::Checkout-Code;). I don't think you need it. Your build should already associated with a repository, branch, and commit.
Cheers,
Alana
Hi @Justinvolved ,
Looks like there's a Visual Editor bug with Exec statement; we'll investigate/fix ASAP .
But as for the Git, you mention it's happening during an execution (i.e. build process)? Anyway, can you share more of the execution log?
Are you able to browse the Git repository in the Web UI okay?
If that's the case, the error is on the build agent (or BuildMaster server) in the service process. That uses a different set of local repositories than the Web UI. There may be a troubleshooting step we can take to manually clear the local repository (on the service-side), but Id like to gather more info
Cheers,
Alana
Hi @philipp-cender_3322 ,
The "inbound connection" is complex and a relatively new feature, and I don't have a ton of experiencing troubleshooting - so I'll do my best :)
So far, everything looks okay to me.
On the Otter Server, are you seeing any errors related to the server under Admin > Diagnostic Center? I see the server is in an "Error" state.
On the remote server, does the service stay running? If so, that's indicating it's able to establish a connection. But one thing you can try is to stop the service, and run in interactive mode (i.e. run InedoAgentService.exe run on the commandline). That will show you information about the connection.
Cheers,
Alana
@e-rotteveel_1850 thanks for explaining that, that's great to know!
Sometimes it's almost impossible to learn how these feed/package types are actually used, especially since we don't develop in those languages and really just focus mostly on API reverse-engineering ;)
FYI We are targeting late April for 2023.0 release 
Hi @jim-borden_4965 !
I think that the "delete old versions" option of Retention Rules might be what you're looking for; that will let you keep the last "X" versions of each package. That, in combination with "unused versions" (i.e. not recently downloaded) typically cover nearly all desired retentions.
As far as a "feed independent" API, that's on our list as a "nice to have", and I don't know how much of an API we'll get in the first version of ProGet 2023. The "hard part" is usually specifications/docs, so if you have any ideas we'd be very open!
Currently, our idea is base it off of the upack api:
https://docs.inedo.com/docs/upack-feed-api-endpoints
Some things will be more difficult (or impossible?) than others. Especially for multi-platform package types like ruby, python. But TBD.
Cheers,
Alana
I haven't set up Clair (v2) recently... but a little while back (as part of a ProGet regression test), I did set it up and it worked. I remember it wasn't very straight-forward and I had to redo a few things because I fat-fingered some of the Docker commands.
I'll see if I can some additional help on this, please stay tuned...
Cheers,
Alana
How to enable download statistics (disabled by default and we need enabled)
This is controlled by restrictPackageStatistics property.
How to support both ODATA (v2) and JSON-LD (v3) (default is only ODATA (v2))
There's no property for this; however it should be enabled by default (it is not). We can also add this as useApiV3
Which property in JSON controls the "Remove signature file" option (enabled by default but we need disabled)
There's also no property for this....; however it IS currently disabled by default . We can also add this as stripSignature
I made these changes as PG-2317, and they'll be in ProGet 2022.27 (which should ship next Friday).
Currently ProGet works with Clair v2. Unfortunately, Clair v4 (there is no v3 by the way) is basically a "different product" and the API is completely different. The vulnerabilities that are scanned/reported are the same, it's really just the back-end. We are exploring updating to v4 (a major change) or just creating our own container scanner for PGVC; both are major undertakings.
That being said, it sounds to me like Clair v2 is currently running okay.
What's really through us off is the error message that you're getting...
Fetching updates for Clair_Index_Docker...
Persisted object is not a VulnerabilitySource.
That's an internal error to ProGet, and basically ProGet is failing to even try to query Clair. This must be a new regression (there are some new preview features for vulnerabilities), but we just can't figure out how you are getting that particular error message.
Essentially, it means the configuration in the ProGet database is incorrect; the Configuration_Xml column from select * from VulnerabilitySources should look something like this:
<Inedo.Extension.Clair.VulnerabilitySources.ClairVulnerabilitySource Assembly="Clair">
<Properties ApiUrl="http://localhost:6060/" AuthenticationHeader="MySecretKey" />
</Inedo.Extension.Clair.VulnerabilitySources.ClairVulnerabilitySource>
Any insight or more information would be really helpful - especially if you can query the ProGet database to see what's in the table.
This is why Rich asked if you can "edit" the Vulnerablity Source in the ProGEt UI, because that should give the exact same error if the config is invalid.
Thanks
Hi @mhdos_4222 ,
I'm not sure if that's related (and it was, why changing network would have any impact last time).
When the current user is not authorized to perform the required task in a Docker feed, this is code that ProGet runs:
string[] scopeParts = new[] { "repository", fullRepositoryName, ex.SecuredTask == (int)ProGetSecuredTask.Feeds_ViewFeed ? "pull" : "push" };
context.Response.AppendHeader("WWW-Authenticate", $@"Bearer realm=""{authUrl}"",service=""{context.Request.Url.Host}"",scope=""{string.Join(":", scopeParts)}""");
WriteError(context, new DockerException(401, "UNAUTHORIZED", ex.Message), feed, w =>
{
w.WriteStartObject();
w.WritePropertyName("Type");
w.WriteValue(scopeParts[0]);
w.WritePropertyName("Name");
w.WriteValue(scopeParts[1]);
w.WritePropertyName("Action");
w.WriteValue(scopeParts[2]);
w.WriteEndObject();
});
I do know that the Docker authentication stuff is very sensitive/complex, and I don't think anyone can answer why ProGet writes pull instead of pull,push. But whatever we're doing now works...
This code has basically been the same for about five years now, and we don't want to just change it because that will probably cause something to break.
Do you have any documentation/evidence/specs or anything that points to pull,push being a correct response?
Thanks,
Alana
Hi @mhdos_4222 ,
I'm afraid I'm not sure how to help troubleshoot this very well; behind the scenes, the server (i.e. ProGet) side of things is fairly simple. Images are basically just manifest files and blobs, and ProGet will add those to the repository when receiving commands to a somewhat basic REST API.
What I would do is use a tool like Fiddler to capture the HTTP traffic between the client and server, and see if you can identify if there are any failed or missing requests. For example, maybe the client is never uploading 3cc66... for some reason. Or perhaps, the request is getting "eaten" but your ingress-controller for some reason.
I would also try to take your somewhat complicated configuration out of the equation, and just go with the most basic setup possible, like this: https://docs.inedo.com/docs/proget-how-to-install-on-aws-lightsail
You can then compare/contrast the HTTP traffic and find where there are issues.
Cheers,
Alana
Hi @e-rotteveel_1850 ,
Sorry but I had this mis-categorized internally , so I didn't see the reply.
This actually requires a fair amount of under-the-hood changes, because of the way we maintain an index of the conda packages in a SqlLite database. It's not terrible, but it's also not complex.
This was added as a "nice to have" in PG2023 :)
Cheers,
Alana
Hi @sebastian ,
FYI; for now, we'll plan to add support for OR when reading a SPDX from a manifest; we'll add this to the "nice to haves" in PG2023!
Cheers,
Alana
Hi @e-rotteveel_1850 , sorry I missed the notification on this b/c of how I categorized this.
Yes.. Q2 (late April for now) is the current plan, though this is something we would likely do after the main release.
Hi @falk-winkler_2111 ,
I believe in this case, you'll just enter the access token as the password, and select "Bearer" as the authentication type.
Cheers,
Alana
@ade8s_7742 so glad to hear that! It's really rare, but glad it wasn't database corruption!!
Hi @doejohn_7742 ,
The underlying error message "Invalid object name 'dbo.RpmPackages' is implying that there's something pretty wrong with the database; in this case, a missing table (RpmPackages).
If that's the case, it wouldn't be easy to fix or troubleshoot unfortunately, and would require SQL expertise, etc. We don't have any general advise for this, but we may be able to help some paid users depending on the issue (it's quite time consuming as you can imagine).
HOWEVER -- it could also be something really simple, like your username (i.e. set in the connection string when you upgrade) is in the wrong schema (needs to be dbo schema), so I would check that too. Our script is supposed to detct that, but sometimes it doesn't work.
Cheers,
Alana
Hi @darturow_6059 ,
I think the equivalent to a "Generic Repository" would be ProGet's asset directory:
https://docs.inedo.com/docs/what-is-an-asset-directory
However, there is no "connector" possible, except to another ProGet asset directory.
Cheers,
Alana
Thanks for clarifying @avaleriusdebeffort_3858
In this case, please do not monitor the console output. There is no useful information that you will gather from that, and it's entirely a diagnostic tool. It cannot be adjusted
If you wish to monitor the health of ProGet, please check the /health API endpoint. That will contain all of the information that you need.
@avaleriusdebeffort_3858 what do you want to log? You can enable more detailed logging on ngnix... but otherwise, in ProGet, we don't have any more detailed logging available for end-users to troubleshoot.
Hi @Justinvolved ,
We don't currently have that type of monitor/trigger, but it's something we'd like to support in the future... in addition to new triggers like for Docker images, etc. Our extensible ResourceMonitor Feature is capable of handling this, but it just needs to be coded.
If you're interested, it'd be relatively easy...
PackageVersion that will store latest version number of a package (like Revision Number on SvnRepositoryCommit.cs)Hope that helps !
Cheers,
Alana
Hi @mhdos_4222 ,
Sorry, I must be confused.
Is the image actually pushed? It's not very clear from the logs, but it looks like it's working after you login? You wrote:
The push command was executed after successfully logging into our self hosted Proget.
A 401 basically just means the credentials are incorrect or not sent, and I really can't tell from the logs what's happening or not happening.
If things used to work before, do you know what was changed ? It's just hard to guess from the information we have here.
Hello,
ProGet will issue a 401 (Unauthorized) when the request has not been authenticated or if the authenticated credentials are not correct.
We don't have instructions or troubleshooting steps for nerdctl, but in the docker client you will use a login first., before a push.
Here's some more info:
https://docs.inedo.com/docs/proget-docker-private-registries#creating-and-using-a-docker-registries-in-proget
Cheers,
Alana
Hi @OtterFanboy ,
Thanks for the feedback and for finding additional bugs; I just fixed these as BM-3826 - at least I think.
I also corrected the "new application flow" so that Rakko will do a "repository detection" to help select a pattern to use.
Let us know if you find other UI bugs (browsing, etc.) with the "Generic Git" repository; it should work the same as Git-service integrations, but we didn't do very good regression testing on it.
Hi @Bob_4018 ,
Thanks for the heads-up! We've resolved this, and the link should now work:
http://cdn.inedo.com/downloads/otter/OtterInstaller22.0.9_Offline.exe
Cheers,
Alana
You can aggregate multiple feeds using connectors:
https://docs.inedo.com/docs/proget-feeds-connector-overview
If you want to put all the packages in one feed, then after adding the connector you can use a "feed downloader":
https://docs.inedo.com/docs/proget-feed-importing
Cheers,
Alana
Hi @jim-borden_4965 ,
It looks like that isn't supported; but it should be relatively easy :)
I added a change (PG-2305) that we'll try to get in the next release (scheduled Mar 24).
Cheers,
Alana
Hi @e-rotteveel_1850 ,
ProGet doesn't currently support deleting individual "files" like this under a package, but it's something we can add for sure. The UI definitely seems to act "suboptimal" with some of these conda packages, but we'll fix it!
I suspect it is best for us to wait until ProGet 2023, since we're doing a big data model changes. I'm going to keep this "open" internally, along with the "constrains" request you made earlier (https://forums.inedo.com/post/13876) :)
Cheers,
Alana
@sebastian no problem :)
Actually... I just realized that I have a backup of your database that you sent to us for analysis/review. And your vulnerability assessments were one of our test datasets to see how migration goes.
So we can give you a very accurate and specific answer once we get to that phase of the ProGet 2023 release 
Hello @sebastian ,
Great questions, and I'll do my best to help. This is a little complicated I think :)
[1] PGVC vs OSS Index
From a technical standpoint, PGVC is implemented as an "offline database", which offers a lot of performance benefits - namely ProGet can know about vulnerabilities in packages you're not yet using, and display those on remote packages. ProGet will download updates on a nightly basis.
Regarding the "Quality of data", it's really hard to say. I think everyone just aggregates from the same sources like NVD:
We decided to invest in PGVC because OSS Index has been rate limiting more and more, and the quality of results have been declining over the years. We believe PGVC (and the underlying OSV platform) will ultimately be superior.
[2] Instant Availability & Overnight Scanning
As I mentioned above, PGVC is an offline database. This means ProGet can immediately query that database to show you vulnerabilities on packages you may want to use or are currently using. This is not possible with OSS Index due to rate limiting.
The "vulnerability scan job" (which both OSS Index and PGVC scan do) will basically compare all packages you have in ProGet (local/cached) against the vulnerability source. This is to show you about vulnerabilities discovered in pakcages you're using.
[3] Migration
We are planning on some guidance about this. In theory, its should be possible because both the PGVC and OSS Index use CVE-ID. But the OSS Index sometimes uses their own ID instead of a CVE-ID.
We'll study some datasets and see what we can bring over. It might be a SQL Script or a tool inside of PRoGet.
[4] Using Both
I want to say, that you should just pick one source. Otherwise you’ll get a lot of duplicate vulnerabilities. Either one should be sufficient for package scanning, as they both aggregate the same publicly-available data sources.
However, it wouldn't hurt to try using both... just to see what comes up for vulnerabilities. If you delete a vulnerability source, it will delete all the assessments -- so that is a quick way to at least test (you can delete the PGVC vulnerability source).
Hi @OtterFanboy ,
FYI, Generic Git repo browsing in the UI has now been fixed as BM-3822 and will be included in the next maintenance release (March 10). If you'd liek a patch/prerelease sooner, just let me know!
Cheers,
Alana
Hi @priyanka-m_4184 , thanks for updating; yes in this case, it must be a really large package file? 30min is long time, and the upack client must be timing out then.
Hi @e-rotteveel_1850 ,
Thanks so much, this will help quite a lot and should be easy to follow! I downloaded those package and attached them to our internal tracker.
So basically... it sounds like we should just treat constrains (no t 
) like we do depends? And if we can display it in the UI, then we will.
I peeked at the code, and it's a bit more complex than I hoped... mostly because of how we have to index/cache "connector" data as a SQL Lite database. But hopefully not that complex.
Anyway, I'll update once we have an idea of when we can get this field in.
Cheers,
Alana
Hi @Justinvolved ,
The first thing I would try is enabling verbose logging; this is on the advanced tab of the operation, or you can set with Verbose: true parameter.
That will give a file-by-file comparison, and show you what's being copied and not. You will see texts like:
Copying C:\apxltd\artifact\Inedo.DependencyScan.dll to C:\apxltd\artifact2\Inedo.DependencyScan.dll...
Inedo.DependencyScan.dll already exists in C:\apxltd\artifact2.
Source timestamp: 11/12/2022 8:26:38 AM, Target timestamp: 11/12/2022 8:26:38 AM
Source size: 54272, Target size: 54272
Size and timestamp are the same; skipping Inedo.DependencyScan.dll...
Hopefully that will help trace this a little bit better.
Cheers,
Alana
Hello @jmartschinke_3948 ,
Thanks for letting me know; this appears to be some kind of regression from a python-related change in 2022.20 .
It will be addressed ASAP via PG-2290 in the next maintenance release (coming ASAP).
Cheers,
Alaa
@OtterFanboy got it, thanks!
So this particular change is a bit more involved unfortunately. For example, if you clicked on "Windows Server", you wouldn't find any drifted servers - which would be confusing, because the environment would show as drift.
I'll note this as something to think about for v2023
Hi @e-rotteveel_1850 ,
Thanks for the suggestion! We could definitely use your help in getting a few more details on how to implement this... we only learned CONDA by trying to implement a repository
I couldn't find any info about constraints from searching their documentation.
Can you provide us with an example package we can upload to ProGet (public package is easiest, but private is fine too)? And also, show us what it should look like in the repodata.json file?
Cheers,
Alana
Hello @OtterFanboy ,
Thanks for the bug report! We'll fix it via OT-483.
That tab only displays if "Configuration drift:" is set to something other than "None", but there should be a "no roles" type of message instead of a crash.
Cheers,
Alana
Hello @OtterFanBoy123 ,
I was able to reproduce this; it's a UI regression BuildMaster 2022's new OtterScript editor. This won't impact deployment, the script, or anything like that.
I've logged this as BM-3817 and we'll try to get this fixed in the next maintenance release :)
Cheers,
Alana
@lm thanks for letting us know that it worked!
I'm glad you were able to find the issue on GitHub. Looking closer, it is a NuGet client bug; I posted an update on the issue. The only workaround is what you described (setting a separate API key).
Hi @cshipley_6136,
We aren't trying to pass the buck here, but given the symptoms, it's almost certainly not a software problem I'm afraid. Under the hood, ProGet uses Microsoft's SQL Server driver/components, which uses the operating system's networking drivers/components to communicate to the server. In this case, the error is originating in the operating system's networking components.
Based on the symptoms (intermittent network-level errors), it's most certainly a problem with the network hardware, components, or configuration. Since the problem is intermittent, running nslookup similar commands on the container won't really identify any issues; those commands also communicate on different protocols/ports than SQL Server.
We're not really experts at troubleshooting network problems, but we have seen a few over the years. Have you had a chance to bring this up with your Network/Operations team? What have they tried or investigated so far?
Cheers,
Alana
Hi @lm , thanks for the feedback!
I'm not sure about #1, but I was curious about #2, and spotted a typo in our database updating code.
If you run this against your ProGet database, this will work and should unblock you:
GRANT EXECUTE ON TYPE::[IndexedSymbolEntry] TO [ProGetUser_Role]
This will also be fixed in in ProGet 2022.21 as PG-2287.
Cheers,
Alana
Hi @cshipley_6136 ,
In general, when the database has temporary problems (timeouts, unavailability, etc.), then errors will be shown to users (like the above) when they make a web request. Every web request is a new try, basically, and will cause the same error. But once the database is back up, new requests should work fine.
However, if the application fails during initialization (i.e. the first web request after starting the service), then it effectively requires restarting the application (container/service). This scenario is tricky to work-around.
Otherwise, what was the nature of the user auth issue? If it was an incorrect password, then that would require fixing the connection string (which is passed as an environment variable usually) and then restarting the container.
Hope that helps...
Alana