RE: Different query results nuget feed

Hello @NanciCalo ,

thank you for the clarification.

So, as I wrote, the only way to have the expected behavior is to disable the cache from the feed/connector right ? Then the search mechanism will not search for local packages.

Best Regards

Hi @dean-houston ,

thank you for your quick response.

The missing values from the search API are not new, the owners exist since v2 at least.
I searched for a package that I don't have any local package, then the search works as expected (all versions and owners are there). Then I deleted the cached package (microsoft.playwright.nunit) and the search result contains now all versions and owners.

So, I would say that for me is a clear relation between the cache and the missing information.

I understand that can be hard, and can cause performance problems, but the version information is present when I access the package page from ProGet, so, that information should be available over search API and not only the local packages, in my opinion.

Of course, a possible solution is to disable the cache from that feed/connector. So then, no local packages will be present. Of course, with this change, I will not be able to use the full power/features of ProGet :\

Regarding the registration API, the amount of data present is huge! A lot of not necessary information and the owners entry is not there too :)

I would like to point out that, the owners were just an example of the missing properties, there are more missing. But the important ones for me are the versions.

I'm using the search API in our internal tool to verify if a new version is available, if exists on the feed, etc.
I encounter this problem, when I was setting our internal tool to only use ProGet feeds (mixed connectors), so that way, we can block internet access (nuget.org) to the server where that tool is running, and only ProGet server will have access to nuget.org.

Do you see any other way to get all the versions ?

Thank you for your help.

Hello,

I have a feed connected to nuget.org and to an internal feed.

When I do a query to this feed for a specific package, some information is missing compared to the result if I do the same query to nuget.org.

Query to internal feed result (https://internal/nuget/Development/v3/search?q=microsoft.playwright.nunit&take=1):

Query to nuget.org feed result (https://azuresearch-usnc.nuget.org/query?q=microsoft.playwright.nunit&take=1)

From what I see, the result of the internal query only returns some information about the local packages, but other important information from metadata is missing, for example, the owners.

Can you please advise what I need to do on this feed/query to be able to return the same information as present on nuget.org, since the feed is connected to there?

Thank you.

@apxltd

I don't know if using the package name will be enough... There are a lot of packages from Microsoft, that don't start with Microsoft.

Would be nice to be able to filter the licenses based on other metadata, for example, owners.

At the moment, in our company, we use TrustedSigners to allow/block the installation of some packages from external sources, as you can see below. So, maybe being able to assign licenses by owner will be a big win for us here, I don't know @sebastian thoughts about this approach.

  <trustedSigners>
    <repository name="nuget.org" serviceIndex="https://api.nuget.org/v3/index.json">
        <certificate fingerprint="0e5f38f57dc1bcc806d8494f4f90fbcedd988b46760709cbeec6f4219aa6157d" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
        <certificate fingerprint="5a2901d6ada3d18260b9c6dfe2133c95d74b9eef6ae0e5dc334c8454d1477df4" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
        <owners>Microsoft;dotnetfoundation;aspnet;Microsoft Corporation;confluent</owners>
      </repository>
  </trustedSigners>

Hello @sebastian ,

yes, that is my current problem too! One of the main reasons to buy the ProGet is the nice Reporting & SCA feature! I hope that functionality will be added in the future too!

Thank you for the clear explanation and sample queries, I will use them for sure!

1222 packages are a lot! For now, we do not have many packages, but we will have them for sure :)

@atripp FYI, this is what I was looking for :)

Hello @atripp,

yes, I know that I can do that, and is really one important feature for our evaluation :)

But what I would like to have is, a list of packages without licenses, so then, I can go to all packages without the license and assign them manually.

The only possibility that I see to do that is, to go throw all available packages in the feed and check if the license info is available or not.

So, would be nice to have a list somehow, is that possible ? Can I get that information from database ?

Best Regards,
Pedro

Hello @atripp ,

yes, that was the reason :)

Is possible to filter all packages without a license defined ?

Best Regards,
Pedro

Hello Alana,

Thank you for the clarification.

The problem is, I don't see the option to assign the license type to Package as you can see in the two examples below.

First Example
Accord Package
This package has a file license as you can see here in the picture below

Because the ProGet is not able to read the file to identify the license (LGPL), the license doesn't appear in the main feed and cannot be allowed/restricted by our rules:

The same is true for some other packages, for example, Newtonsoft.Json.Schema.

So, I would like to be able to specify manually the licenses for these type os packages.

Second Example
For a package without any license information, the option to assign the license type to Package is not appearing at all

Best Regards,
Pedro

ProGet Version 2022.16 (Build 7) (Inedo Hub) - Trial version

Hello,

we are evaluating ProGet as our package manager, and license control is one of the critical features that ProGet gives us.

In the first installation, I remember seeing the possibility to specify the license that belongs to a package, when the ProGet is not able to detect.

Now, that I reinstall everything using a trial version, I don't see any possibility to specify the license of a package when ProGet is not able to detect the license. Even, when I go to the metada of the package, there is no possibility to specify the license.

I'm missing some configuration ?

Best Regards,
Pedro Magno