lucenenet-dev mailing list archives

From Wyatt Barnett <wyatt.barn...@gmail.com>
Subject Re: Nuget packages & 3rd party libs
Date Fri, 16 Jan 2015 14:55:34 GMT
Sorry to chime in belatedly but the security angle really needs to be
underlined -- nuget is a very functional package management system but
there is zero security. Phil Haack summarizes the issues very well in his
post at http://haacked.com/archive/2013/02/19/trust-and-nuget.aspx/.
Especially for a library that tends to be a deep, underlying layer to
applications with unfettered access to data.

I'll add this isn't unique to nuget -- the venerable yum and apt have
tackled this to some extent and ruby gems offers signed gems now. But for a
while npm wasn't even using a legit SSL certificate, never mind pretending to
have any security. I'm shocked nobody leveraged that to do some real damage.

On Tue, Jan 6, 2015 at 12:16 PM, Rob Vesse <rvesse@dotnetrdf.org> wrote:

> Note that there is nothing stopping anyone packaging up an arbitrary DLL
> into a NuGet package and publishing it themselves if that is what is
> necessary to get an all NuGet build.  I've done this myself in the past
> for some of the more obscure dependencies I've needed in projects.
>
> However if you are using a dependency that isn't on NuGet these days that
> probably begs the question about whether said dependency is abandonware
> and should be removed/replaced
>
> Rob
>
> On 06/01/2015 16:26, "Wyatt Barnett" <wyatt.barnett@gmail.com> wrote:
>
> >I'm one of those who disagrees -- at least at this scale. We have very,
> >relatively small few dependencies here that are quite stable. They have
> >been in the git repo at some point so we are already paying freight.
> >
> >Personally I'd prefer the safer route of having the binaries locally and
> >not depending on nuget being up and nuget keeping whatever old dependencies
> >we might have available -- there is no SLA there that I'm aware of on that
> >side of the world and I'm not sure what recourse we would have if there
> >were.
> >
> >That said it does appear nuget restore has been working well so I don't see
> >why we can't proceed down this path.
> >
> >On Tue, Jan 6, 2015 at 11:20 AM, Paul Irwin <pirwin@feature23.com> wrote:
> >
> >> There are those in the community that disagree with that approach though,
> >> so it isn't obvious to some. Just trying to clarify and determine if that
> >> is our project's stance.
> >>
> >>
> >> Paul Irwin
> >> Lead Software Engineer
> >> feature[23]
> >>
> >> Email: pirwin@feature23.com
> >> Cell: 863-698-9294
> >>
> >> On Tue, Jan 6, 2015 at 11:15 AM, Itamar Syn-Hershko <itamar@code972.com>
> >> wrote:
> >>
> >> > Obviously
> >> >
> >> > --
> >> >
> >> > Itamar Syn-Hershko
> >> > http://code972.com | @synhershko <https://twitter.com/synhershko>
> >> > Freelance Developer & Consultant
> >> > Author of RavenDB in Action <http://manning.com/synhershko/>
> >> >
> >> > On Tue, Jan 6, 2015 at 6:11 PM, Paul Irwin <pirwin@feature23.com> wrote:
> >> >
> >> > > Agreed with using Nuget as much as possible. I also prefer not to commit
> >> > > binaries (like the packages folder) into the repo to reduce bloat. Yes, it
> >> > > requires internet access to pull down the latest packages, but that beats
> >> > > having a gigantic repo to clone.
> >> > >
> >> > >
> >> > > Paul Irwin
> >> > > Lead Software Engineer
> >> > > feature[23]
> >> > >
> >> > > Email: pirwin@feature23.com
> >> > > Cell: 863-698-9294
> >> > >
> >> > > On Tue, Jan 6, 2015 at 8:58 AM, Itamar Syn-Hershko <itamar@code972.com>
> >> > > wrote:
> >> > >
> >> > > > No, on the master branch we will be using nuget as much as we can. If you
> >> > > > can bring Antlr with nuget please do so.
> >> > > >
> >> > > > --
> >> > > >
> >> > > > Itamar Syn-Hershko
> >> > > > http://code972.com | @synhershko <https://twitter.com/synhershko>
> >> > > > Freelance Developer & Consultant
> >> > > > Author of RavenDB in Action <http://manning.com/synhershko/>
> >> > > >
> >> > > > On Tue, Jan 6, 2015 at 3:49 PM, Hakeem Mohammed <hakeemosrc@gmail.com>
> >> > > > wrote:
> >> > > >
> >> > > > > So all 3rd party dlls go under a subfolder under lib and actual nuget
> >> > > > > pkgs are not used. Is that correct?
> >> > > > >
> >> > > > > Apologies if this has been addressed before, I'm new to the group
> >> > > > >
> >> > > > > Thanks!
> >> > > > >
> >> > > >
> >> > >
> >> >
> >>
>

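As an added example that is not part of this thread or of the Lucene.Net build: one way to make the "binaries locally" preference above verifiable is to hash each reviewed .nupkg into a manifest committed with the repo and fail the build when a restored package differs, is unlisted, or is missing. The manifest format and the package names are constructed assumptions.

```python
# Added example, not from the thread or the Lucene.Net build: a plain NuGet
# restore verifies no signature, so record the SHA-256 of each reviewed
# .nupkg in a manifest committed with the repo and classify what restore
# actually produced. Manifest format and package names are constructed.
import hashlib
import os
import tempfile

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def parse_manifest(text):
    """Lines of '<sha256>  <file>'; blank lines and '#' comments are ignored."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            digest, name = line.split(None, 1)
            expected[name.strip()] = digest.lower()
    return expected

def verify_packages(packages_dir, manifest_text):
    """Classify every .nupkg in packages_dir against the manifest."""
    expected = parse_manifest(manifest_text)
    result = {"ok": [], "mismatch": [], "unlisted": [], "missing": []}
    present = {n for n in os.listdir(packages_dir) if n.endswith(".nupkg")}
    for name in sorted(present):
        actual = sha256_file(os.path.join(packages_dir, name))
        if name not in expected:
            result["unlisted"].append(name)        # never reviewed
        elif actual != expected[name]:
            result["mismatch"].append(name)        # altered or re-published
        else:
            result["ok"].append(name)
    result["missing"] = sorted(set(expected) - present)
    return result

def demo():
    """Constructed packages folder: one intact, one altered, one unlisted."""
    d = tempfile.mkdtemp()
    good = b"constructed contents of a reviewed package"
    files = {"antlr.nupkg": good, "foo.nupkg": good + b"!", "extra.nupkg": b"?"}
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    digest = hashlib.sha256(good).hexdigest()
    manifest = f"# constructed\n{digest}  antlr.nupkg\n{digest}  foo.nupkg\n{'0' * 64}  gone.nupkg\n"
    return verify_packages(d, manifest)
```

Running `demo()` reports antlr.nupkg as ok, foo.nupkg as a mismatch, extra.nupkg as unlisted and gone.nupkg as missing; wiring the same check into the build before compilation is what turns the committed hashes into an enforced policy.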