New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Should we keep our sign key secret? #746
Comments
👍 to open the key. |
👍 Don't see any reasons not to open it. How cares? I doubt anyone does. |
Open the key and keep nuget.org privileges secret.
…On Sun, 2 Apr 2017 at 14:16 Alexander Batishchev ***@***.***> wrote:
Don't see any reasons not to open it. How cares? I doubt anyone does.
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#746 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAwCvwwhRzzUb9d3jVblzyxrpqrWyUsJks5rr9fkgaJpZM4Mw2Pq>
.
|
Although I find the topic of discussion interesting, I have no opinion. Voting neutral on that one. |
@ecampidoglio and @adamchester Could you please add your opinions here as well? |
I think it makes sense to open it up, especially considering the second point brought up in this comment. So, sure, you can go ahead and commit the keys to the repo as far as I'm concerned. 👍 |
👍 to open it up |
Thanks, agreed :) |
Previously @ploeh kept the signing key for all the assemblies in secret. I'd like to discuss whether it indeed makes sense.
If we check other popular testing helpers, we'll find that all them has opened public key:
I don't see too much sense to keep AF key closed and believe we can also add it to the repository. Indeed, signing allows to prove the assembly's identity, but I don't believe we strictly require that. Our days NuGet is used to distribute packages, rather than third-party sites where the identity indeed does matter.
If we publish key to the repository, that will have a lot of benefits:
It will be easier to generate NuGet with signed assemblies by CI.
It will be easier for people to make own AutoFixture assemblies and test whether it solves particular issue. Consider the following scenario:
Here is where the issues start. If you assemblies are unsigned, you cannot simply put the modified assemblies to the local NuGet cache - project will not compile. Rather, you need to update all your projects to target to a new assembly - just for a simple test. The things become even worse when that is the core
AutoFixture
assembly, as other depending libraries (likeAutoFixture.xunit
orAutoFixture.NSubstitute
) will need to be updated as well.If we ship signing key issue will be solved.
You don't need to store one more secret :)
As for the @ploeh, it seems he didn't have strong reason to keep it secret.
Personally, I'd vote using both hands to open the key and simplify everybody's life.
Guys (@moodmosaic, @adamchester, @ecampidoglio, @klimisa) - what do you think about this?
The text was updated successfully, but these errors were encountered: