Sorry to chime in belatedly but the security angle really needs to be underlined -- nuget is a very functional package management system but there is zero security. Phil Haack summarizes the issues very well in his post at http://haacked.com/archive/2013/02/19/trust-and-nuget.aspx/. Especially for a library that tends to be a deep, underlying layer to applications with unfettered access to data.
I'll add this isn't unique to nuget -- the venerable yum and apt have tackled this to some extent and ruby gems offers signed gems now. But for a while npm wasn't even using a legit SSL certificate, never mind pretending to have any security. I'm shocked nobody leveraged that to do some real damage.

On Tue, Jan 6, 2015 at 12:16 PM, Rob Vesse <[email protected]> wrote:

> Note that there is nothing stopping anyone packaging up an arbitrary DLL
> into a NuGet package and publishing it themselves if that is what is
> necessary to get an all NuGet build. I've done this myself in the past
> for some of the more obscure dependencies I've needed in projects.
>
> However if you are using a dependency that isn't on NuGet these days that
> probably begs the question about whether said dependency is abandonware
> and should be removed/replaced
>
> Rob
>
> On 06/01/2015 16:26, "Wyatt Barnett" <[email protected]> wrote:
>
> > I'm one of those who disagrees -- at least at this scale. We have very,
> > relatively small few dependencies here that are quite stable. They have
> > been in the git repo at some point so we are already paying freight.
> >
> > Personally I'd prefer the safer route of having the binaries locally and
> > not depending on nuget being up and nuget keeping whatever old dependencies
> > we might have available -- there is no SLA there that I'm aware of on that
> > side of the world and I'm not sure what recourse we would have if there were.
> >
> > That said it does appear nuget restore has been working well so I don't see
> > why we can't proceed down this path.
> >
> > On Tue, Jan 6, 2015 at 11:20 AM, Paul Irwin <[email protected]> wrote:
> >
> > > There are those in the community that disagree with that approach though,
> > > so it isn't obvious to some. Just trying to clarify and determine if that
> > > is our project's stance.
> > >
> > > Paul Irwin
> > > Lead Software Engineer
> > > feature[23]
> > >
> > > Email: [email protected]
> > > Cell: 863-698-9294
> > >
> > > On Tue, Jan 6, 2015 at 11:15 AM, Itamar Syn-Hershko <[email protected]> wrote:
> > >
> > > > Obviously
> > > >
> > > > --
> > > >
> > > > Itamar Syn-Hershko
> > > > http://code972.com | @synhershko <https://twitter.com/synhershko>
> > > > Freelance Developer & Consultant
> > > > Author of RavenDB in Action <http://manning.com/synhershko/>
> > > >
> > > > On Tue, Jan 6, 2015 at 6:11 PM, Paul Irwin <[email protected]> wrote:
> > > >
> > > > > Agreed with using Nuget as much as possible. I also prefer not to commit
> > > > > binaries (like the packages folder) into the repo to reduce bloat. Yes, it
> > > > > requires internet access to pull down the latest packages, but that beats
> > > > > having a gigantic repo to clone.
> > > > >
> > > > > Paul Irwin
> > > > > Lead Software Engineer
> > > > > feature[23]
> > > > >
> > > > > Email: [email protected]
> > > > > Cell: 863-698-9294
> > > > >
> > > > > On Tue, Jan 6, 2015 at 8:58 AM, Itamar Syn-Hershko <[email protected]> wrote:
> > > > >
> > > > > > No, on the master branch we will be using nuget as much as we can. If you
> > > > > > can bring Antlr with nuget please do so.
> > > > > >
> > > > > > --
> > > > > >
> > > > > > Itamar Syn-Hershko
> > > > > > http://code972.com | @synhershko <https://twitter.com/synhershko>
> > > > > > Freelance Developer & Consultant
> > > > > > Author of RavenDB in Action <http://manning.com/synhershko/>
> > > > > >
> > > > > > On Tue, Jan 6, 2015 at 3:49 PM, Hakeem Mohammed <[email protected]> wrote:
> > > > > >
> > > > > > > So all 3rd party dlls go under a subfolder under lib and actual nuget
> > > > > > > pkgs are not used. Is that correct?
> > > > > > >
> > > > > > > Apologies if this has been addressed before, I'm new to the group
> > > > > > >
> > > > > > > Thanks!
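Since the thread's concern is that anyone can publish an arbitrary DLL as a NuGet package and that the feed offers no signing, one practical mitigation is to pin each restored .nupkg to a known hash and inspect what it carries before it reaches the build. The script below is an added example, not code from this thread or from any project mentioned in it; the package id, version, contents and the hash pin are all constructed for the demonstration.

```python
import hashlib, io, zipfile
import xml.etree.ElementTree as ET

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_sample_nupkg(pkg_id: str, version: str, files: dict) -> bytes:
    """Construct a minimal .nupkg (a zip with a .nuspec at its root); demo input only."""
    nuspec = (
        '<?xml version="1.0"?>'
        '<package xmlns="http://schemas.microsoft.com/packaging/2010/07/nuspec.xsd">'
        f'<metadata><id>{pkg_id}</id><version>{version}</version>'
        '<authors>constructed</authors><description>sample</description></metadata></package>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(f"{pkg_id}.nuspec", nuspec)
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()

def verify_nupkg(data: bytes, expected_id: str, expected_version: str, pinned_sha256: str) -> list:
    """Return findings for a downloaded package; an empty list means it matches the pin."""
    findings = []
    digest = sha256_hex(data)
    if digest != pinned_sha256:
        findings.append(f"hash mismatch: got {digest[:12]}.., pinned {pinned_sha256[:12]}..")
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings + ["not a zip archive"]
    names = zf.namelist()
    nuspecs = [n for n in names if n.endswith(".nuspec") and "/" not in n]
    if len(nuspecs) != 1:
        findings.append(f"expected one root .nuspec, found {len(nuspecs)}")
    else:
        # The nuspec namespace differs between schema versions, so match local names only.
        meta = {el.tag.split("}")[-1]: (el.text or "") for el in ET.fromstring(zf.read(nuspecs[0])).iter()}
        if meta.get("id") != expected_id or meta.get("version") != expected_version:
            findings.append(f"nuspec says {meta.get('id')} {meta.get('version')}, "
                            f"expected {expected_id} {expected_version}")
    for n in names:
        low = n.lower()
        if low.startswith("tools/") and low.endswith(".ps1"):
            findings.append(f"install-time script present: {n}")  # NuGet of this era runs tools/*.ps1 in VS
        elif low.endswith(".dll") and not low.startswith("lib/"):
            findings.append(f"assembly outside lib/: {n}")
    return findings
```

Run it against every package in a restored packages folder and fail the build on any non-empty result; the pin list itself then lives in source control, which addresses the "binaries locally" concern without committing the binaries.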
