Fetch plugins from NuGet

[biohazard999]

It would be awesome if we can install pretzel plugins directly from nuget.

Proposed solution:

• Add a new plugin commands
  • List packages
  • Any package tagged with Pretzel.Plugin.
• Install plugin
  • Add a new file called pretzel.conf or probably use _config.yml
  • Add new entry to pretzel.conf
  • Download missing packages on startup and extract them into _plugins folder
• Update plugin
  • Check for latest version on installed packages
• Uninstall plugin
  • Remove Entry from pretzel.conf and delete from _plugins folder

related #226

[laedit]

Nice idea, that is an old dream of me 😄

But that could be dangerous, we allow anyone to download virtually any files packaged on nuget with the right tag. We need at least to display a warning.

We also need to think about a (simple) dependency system, for plugins needing ScriptCs (dotnet script in a near future).

[biohazard999]

Nice idea, that is an old dream of me 😄

Always wanted to build something like this 😁

But that could be dangerous, we allow anyone to download virtually any files packaged on nuget with the right tag. We need at least to display a warning.

Package signing could be the solution to this. But on the other hand: we do that all the time.
But we should at least hash the packages and compare it with a base line to avoid package spoofing.

We also need to think about a (simple) dependency system, for plugins needing ScriptCs (dotnet script in a near future).

If we just follow the dependencies of the nuget packages, plugin authors could just define their dependencies in their package.

[laedit]

Package signing could be the solution to this. But on the other hand: we do that all the time.
But we should at least hash the packages and compare it with a base line to avoid package spoofing.

That can check integrity and identity but we should signal that we haven't validate/check these plugins and cannot guaranty that they are safe.

If we just follow the dependencies of the nuget packages, plugin authors could just define their dependencies in their package.

I haven't thought of that, that could do it but since it is runtime dependency I think we will have to treat it specifically.

[biohazard999]

That can check integrity and identity but we should signal that we haven't validate/check these plugins and cannot guaranty that they are safe.

We can check how the cake guys treat this problem.

I haven't thought of that, that could do it but since it is runtime dependency I think we will have to treat it specifically.

We could advise plugin authors to use Fody.ILMerge instead of fetching dependencies or the new AssemblyLoadContext in netcore3.0 (I'm not sure about net4 support on this).

[biohazard999]

But I think we should not overcomplicate, throw in a prototype, check integrity and see if plugin author's will jump on :)
I have a few new plugins in mind and would love to built this feature. Of course manual plugins should work as before.

[laedit]

I agree that we should not overcomplicate this, I just want to display a warning on console, nothing more :)

For runtime dependency on dotnet script I was thinking of doing that in a second part or integrate it directly in Pretzel.
Anyway, we can leave it for now :)