RE: Debian feed mirror Performance

@stevedennis thank you for the update and insights. Looking forward to what Q4 (or later) will bring!

@dan-brown_0128 thanks for the update. I'll ponder about what we should do and provide an update here if we find a solution involving ProGet as debian mirror with a decent performance.

Hi @dan-brown_0128 have you made any further progress on this? I'm seeing exactly the same behaviour, and it makes things like Ansible playbooks involving apt: update_cache: yes time out.

Any tip on how to improve the performance would be great (I have a default ProGet installation with default database and web server BTW).

Thanks,
Stefan

Thank you @stevedennis, this makes sense.

One odd thing is that I noted that when I had set metadatacache=true using pgutil, the time the WebUI showed Loading Packages.... and the time it took to do sudo apt update in clients went from long to super long. It went back to long when I set metadatacache=false again. I don't know if there is a logical explanation for this or of it was just a coincidence.

Br,
Stefan

Hi @stevedennis, thank you for looking into this.

I was on ProGet 2025.1 Build 5, and just upgraded to ProGet 2025.2 Build 15

$ ./pgutil health
Checking https://packages.prod.antura.cloud/...all OK
Version: 2025.2 (Build 15) (2025.2 (Build 15))

Database: OK
License:  OK
Service:  OK
$ ./pgutil connectors properties list --connector="noble updates"
url=https://archive.ubuntu.com/ubuntu/
feedType=debian
timeout=60
metadataCacheEnabled=true
metadataCacheCount=100
metadataCacheMinutes=30

while the Web UI looks like

I will be away for a few weeks now but will investigate more when I'm back, I just wanted to upload the info I have now.

Best regards,
Stefan

Hi @stevedennis, thank you.

I contemplated the idea store the fingerprint in another location (and doing so at a point in time when I'm convinced things are not compromised), and then, when a new host is to subscribe to the ProGet feed, compare the calculated fingerprint of the ProGet provided key with the one obtained from the other store. If they do not match I know one of them have been tampered with.

But maybe I'm going overboard, and I still can do it by downloading the key to the second location and calculating the fingerprint there if I really want to, so things are fine.

Thank you again,
Stefan

Hi,

I did pgutil connectors properties set --connector=myconnector --property=metadataCacheEnabled --value=true, and when then doing pgutil connectors properties list --connector=myconnector it says metadataCacheEnabled=true.

However, it is still said being disabled in the Web UI.

Br,
Stefan

Hi,

I think it is best practice to verify the fingerprint of a signing key before accepting it. I do not think it is super important in my case as I am in control of ProGet and the Ubuntu clients that are to use the ProGet instance for apt update, apt ungradeetc. as well as the network connecting these entities.

But I wanted to ask anyway: can the fingerprint be obtained? How (I'm sorry if it is obvious)? (I guess I could do one download and trust that one, and then calculate the fingerprint myself, but asking if it is directly available)

Br,
Stefan

Hi Steve, thank you!

I will try badssl.com out and see how ProGet reacts.

Thank you again,
Stefan

Thank you Steve!

I also noted that the defaults in setting up a connection proposes http - perhaps something to update eventually as well.

Given the reliance on SSL/HTTPS, can you tell what verification ProGet does in terms of certificate, certificate chain and hostname (and what else that can be verified - I'm no expert, but want to make sure someone cannot pretend to be archive.ubuntu.com and get through with it).

Cheers,
Stefan