RE: Cannot upload conda package with same version but different build via CURL

Hi @e-rotteveel_1850

Thanks for the bug report! We will have this fixed in v2023.14 to be released on Friday. It's logged as PG-2446, and looks like a regression from some of the internal consolidation we did for ProGet 2023.

-Greg

Hi @e-rotteveel_1850

Thanks again for the packages and detailed repro steps. I was able to reproduce this and we'll have a fix (PG-2445) in this Friday's release (v2023.14). It appears to have been a regression introduced when we added support for parsing package constrains information from connectors.

-Greg

Hi,

This is a regression in v23 that we have logged as PG-2389. It will be fixed in v2023.8, which is scheduled for release on Friday (June 16).

Thanks!

Hi @MF-60085,

Thanks for the data! We've found that the root cause this time is due to some duplicate rows in the original table, which for some reason was not created with any uniqueness constraints. We'll get this fixed in a prerelease version within a day or two.

We have a prerelease version available with this fix (PG-2354) if you would like to try it. To install on Windows using Inedo Hub, click the [config] link in the bottom and paste in https://proget.inedo.com/upack/PrereleaseProducts/ - you should then be able to upgrade to v23.0.5-rc.4. If you're running in Docker on Linux, just use tag 23.0.5-ci.4.

Hi @jeff-peirson_4344,

Thanks for the detailed steps. I've been able to reproduce this and we should have a fix for it shortly.

As you've seen, we've had a few regression in npm feeds for this release. Historically, npm was the first non-NuGet feed we added to ProGet, and we decided the major version release was a good opportunity to do some badly needed refactoring. Unfortunately, regressions are a result, but we are now able to iterate much more quickly.

Would you be willing to try a prerelease version?

Hi @sebastian ,

Regarding [1], I can't reproduce this behavior. When I add OSS Index I see vulnerabilities from it and also from PGVC, though this is only on the latest v2023 build, so maybe this works differently on another version?

For [2], you are correct. There are a lot more of these in the dataset than we initially thought. We plan to resolve this by filling in the missing data from NVD, though I can't give an estimate on when we will have that (maybe @apxltd can give you a rough idea of our schedule).

Finally, for [3], I think we will end up storing a CVE for most of these to help populate missing CVSS scores if for no other reason. I think this would be part of updates we do to address [2].

-Greg

I believe this has already been fixed as part of PG-2343 in v2023.3, which we are releasing today. In addition to being slow, the NuGet queries responsible for handling latest versions could return a lot more results than necessary. It didn't lead to incorrect behavior (except with counts) as we still validate and filter results in the frontend, but did cause problems like this.

This is now fixed in 2023.3, which is going to be released later today. Thank you!

@rie_6529

We've identified issues in the queries used for fetching the latest versions of NuGet packages in a feed that are causing these problems. We will include a fix (PG-2343) in tomorrow's release of ProGet 2023.3.

Thanks for the report and investigation!

Hi,

We've identified the issue causing the .snupkg push to fail (PG-2340). A fix will be included in tonight's hotfix release (v2023.2).

We haven't been able to reproduce issues with feed re-indexing deleting packages. I agree that that is unsettling. Did you have the "delete missing packages" option selected for the re-index?

-Greg

Hi,

Thanks for the bug report. This was caused by a change in the way we're handling npm package scopes. We have fixed it as PG-2338 for ProGet 2023.2, and we plan to release it later today.

Note that you will need to rename your storage folder back after upgrading - the @ is supposed to be there.

-Greg

Hi,

I thought we had already fixed this, but I was thinking of a fix we applied for RPM package uploads. It's a regression in a core platform library that has bitten us more than once. Fortunately, the fix here is exactly the same (logged as PG-2307). We'll get the fix in v2022.25 for sure. Originally we had planned to release on Mar 24, but we may move it up to this Friday instead to get this resolved more quickly.

-Greg

It turns out the problem was in the code that adds the package record to the database was using the raw version string instead of the normalized version, which causes a lot of problems as you can see. We've fixed that in PG-2278, and this fix will be in ProGet 2022.20 to be released this Friday. Unfortunately it won't fix any invalid records that have already been created. Time permitting, we will try to get a job in that can be run to fix nonnormallized versions in the database, but if it doesn't make it in this release you'll need to manually remove or update that row in the SQL database. Let us know if you need any assistance with this.

Hi Justin,

Looking at the error, I'm wondering if the directory is actually too long for git, and it's reporting the wrong error message. You could try changing the agent temp directory in the %PROGRAMDATA%\Inedo\SharedConfig\InedoAgent.config file by adding a <BuildMasterRootPath> element to the configuration file with a shorter path like C:\Temp.

However, if you just need to run on the local server, there's no reason not to just use the local agent instead - it can do everything the Inedo agent can do.

-Greg

I've logged this as an issue in the upack repo, and we should have this included in an updated version within a day or two.

Thanks!

@jeff-peirson_4344 - I just ran a test and verified the behavior. ProGet does the following on startup to determine the connection string (in this order):

1. look for SQL_CONNECTION_STRING environment variable (this was the old documented name)
2. look for PROGET_SQL_CONNECTION_STRING environment variable
3. look for PROGET_SQL_CONNECTION_STRING_FILE variable

The first of those with a non-empty and non-whitespace-only value is used. The connection string file requires only read access, and must be plain text containing only the connection string with no additional quoting or escaping. Empty lines are ignored - the first non-empty line is used as the connection string, and any trailing newlines are ignored.

Our Dockerfile does specify a default PROGET_SQL_CONNECTION_STRING, so you may need to override that to be empty. Perhaps it would make more sense if we checked for the file first - I'll discuss that with the team.

Hope this helps!

Sorry for the delay - this is logged as PG-2195 and will be fixed in tomorrow's releases of ProGet 2022.7 and 6.0.20.

Hi @pariv_0352

We've updated ProGet 2022.6 to be more permissive and allow the . in non-semver2 NuGet versions. v2022.6 will be released on Friday.

Thank you!

Hi @brett-polivka,

We've published v2.0.1 of the Azure extension for ProGet, which should resolve this issue. You can install it from the Admin->Extensions page.

Let us know if you are still having the issue after updating the extension.

Thank you!
-Greg

Hi,

This is a regression - pdbstr.exe is used to provide source server support for legacy symbol files. I've logged the issue as PG-2159 and it will be fixed in ProGet 2.0.2, scheduled for release this Friday.

Thank you!

Hi,

It looks like on close inspection, conda build omits the summary if it has any non-ascii characters in repodata.json. As of v6.0.16 (see PG-2149) ProGet will now do the same.

Thanks for the bug report!
-Greg

Hi,

This was caused by a very trivial to fix bug (logged as PG-2128) - thanks for reporting it! The fix will be included in ProGet 6.0.12 which is being released on Friday (Apr 15).

Thank you!
-Greg

Hi,

Thanks for reporting this. We've now fixed this internally as PG-2105 - it will be included in this week's 6.0.9 release, scheduled for Friday.

-Greg

Hi,

Thanks for the bug report! We've logged and fixed these as PG-2098 and PG-2099. Note that due to limitations in how that dependency table is built, it's nontrivial to have it take you to the latest package that satisfies the given range if it has an exclusive upper bound - but we have changed it to prefer linking to the upper version number if one is present.

-Greg

Hi,

Did the initial upgrade attempt fail, or did it appear to work but with the wrong directory?

What error did you get - are services/websites not starting?

-Greg

Hi @paul_6112 ,

That actually makes sense. We have an issue in our internal backlog to resolve high memory usage when a large number of agents are scanned just after an upgrade. I've published it as a publicly visible issue (BM-3758), and tentatively scheduled it for the next release.

-Greg

Hi @paul_6112 - The screenshot shows Inedo Hub v1.3.6. Was all of the testing done on this version? We did finally get a fix for this in Inedo Hub v1.3.7 (see DH-63), but did not confirm 100% that this was the underlying issue as we were not able to reliably reproduce it.

Thanks for passing along this test data!

-Greg

Hi @jcardos_9259

We now have this fixed in ProGet 6.0.2, which is scheduled for release on Friday. If you'd like to try the fix right now, you can install the inedo/proget:6.0.2-ci.3 Docker image.

Thank you!

Hi @shiv03_9800,

We've now fixed this issue as well. It is logged as OT-439, and will be included in the v3.0.14 release. If you would like to try the fix right now, you can use the inedo/otter:3.0.14-ci.1 Docker image.

Thanks,
-Greg

Hi Igor,

Thanks for the help in tracking this down. We've now fixed this in an internal build (logged as OT-428) . The fix will be in Otter v3.0.12, scheduled for release on October 8.

If you'd like to test a prerelease build, you can pull the proget.inedo.com/productimages/inedo/otter:3.0.12-ci.1 image, which already contains the fix.

-Greg

Hi Nico,

You're doing nothing wrong as far as I can tell.

I can't reproduce the issue where the wrong latest version is shown for an uncached package. Does it only happen for that one package? How many versions of it are on the external feed?

Regarding the other issue - that cached packages in the browse list may show the incorrect latest version - there is not much we can do about that. The browse list both in ProGet web interface and in the VS NuGet dialog sort by popularity and so frequently return totally different packages. The only way we could guarantee an accurate "latest version" display for cached packages on there would be to individually query those packages from the connector, which would drastically slow down the results. That said, I agree this isn't great. I'll chat with the rest of the team and see if we can come up with a better way to handle this.

-Greg

Hi Dennis,

Thanks for the feedback! You should be able to delete files/folders using the Asset Directory Delete API. Using curl, it should look something like this:

curl -X POST http://proget/endpoints/<AssetDirName>/delete/<path to directory>

We are actually focusing on Asset Directory improvements for the upcoming ProGet v6.0 release, so if you see any gaps or problems be sure to let us know!

-Greg

I've merged this pull request and published v1.0.2 with the change. Thanks for the fix!

I'm glad you got it working! I had forgotten that flag was even added :/

I'll chat with the docs team to get things clarified in there, or maybe see if we can change the default to enable v3 by default from now on.

Thanks!
-Greg

Hi,

Try using the NuGet v3 API for your feed instead- just use https://proget.eschbach.com/nuget/nuget-internal/v3/index.json as the package source URL in NuGet. NuGet's handling of semantic versions in the old API can be inconsistent, so this may resolve the issue.

Looks like that was our mistake, and we missed that line in the spec. This has now been logged as PG-1964, and it will be fixed in ProGet 5.3.30, scheduled for release on May 28.

Thanks for pointing it out, and sorry for the inconvenience!

Hi,

It looks like that file isn't a valid debian package file. According to the .deb file specifications, a file named debian-binary should be the first item, but instead, there's one named debian-binary/. You can see this by opening the file with a text editor:

Do you know what was used to generate the package?

We've got a fix for this as OT-415. It will be included in Otter v3.0.6. If you'd like, I can publish a prerelease version for you. Thank you!

@brett-polivka So one more update. Implementing the workaround was easier than expected. This should now be resolved in v1.11.1 of the Azure extension, which you install from the Admin->Extensions page. You may need to restart the Docker container after installing.

@brett-polivka It looks like the underlying problem is likely that 100MB limit. When we published the Azure extension, we'd mistakenly believed the maximum block size to be 4000 MB, but because we're using the v11 client library to push to azure, it's limited to the older 100mb limit. We can't upgrade without dropping support for .NET 452 on windows, which we aren't prepared to do yet, so we'll work around using another means.

We're on it; hopefully will have an update included for tomorrow's release.

That's strange. We'll do some experimentation with trying to perform that upgrade in a test environment and let you know what we discover.

Hi,

Could you click the "Submit Error Report" button when this happens? If you'd prefer to look at the file that gets set to us first, you can use "Save Error Report" instead. The error report is a zip file that should have more information than this empty log in it.

Thanks!

This is unfortunately a documentation issue. We changed some of the environment variable names for ProGet 5.3 - so you'll need to use:

-e PROGET_DATABASE="Data Source=proget-sql; Initial Catalog=ProGet; User ID=sa;Password=<Secret>" \
-e PROGET_DB_TYPE=SqlServer

instead of -e SQL_CONNECTION_STRING=...

We'll update the docs to note this for ProGet 5.2.

Just following up- all of these issues should be resolved in ProGet 5.3.13, which will be released later today.

Thanks-

I've seen that anti-CSRF error appear if you try to perform certain tasks while not logged in- we're still investigating the cause.

Hi,

The lowercase file errors should be fixed in ProGet 5.3.13. So far we have not been able to reproduce authentication or activation issues, but we'll be adding additional logging in 5.3.13 to diagnose these issues.

Thank you!

We have identified the regression (PG-1830) and fixed it. It will be included in this week's maintenance release (ProGet 5.3.13), but you are also welcome to try the prerelease image right now if you would like - it's available as proget:5.3.13-ci.2 or progetmono:5.3.13-ci.2.

Thanks for reporting the bug!

This is not supposed to be the case. We'll investigate and try to reproduce this.

We've got this fixed. If you'd like to try it, it's available as proget.inedo.com/productimages/inedo/progetcore:5.3.12-ci.1