NuGet package manager should display 'Owner' field for NuGet.org packages #6631

Closed

anangaur opened this issue Mar 1, 2018 · 12 comments

Comments

anangaur (Member) commented Mar 1, 2018

Author being a free text field is often misused and causes confusion to the developers consuming packages. The proposal is to show the owner information in PM UI when the information is available from the feed/repository like NuGet.org.

onovotny commented Mar 1, 2018

Better yet, it should be showing the CN off of a signed package if signed. I'd even say instead of the owner as a more authoritative verification. That also works regardless of package source.

The GUIs and NuGet.org should have it.

anangaur (Member, Author) commented Mar 2, 2018

@onovotny Makes sense. We have been discussing this since signing was incubated. But it also adds to the confusion as to what is shown. I was thinking of having an account setting for a display name that can be a CN from the registered certificates.
/cc: @rido-min who is really passionate about this change. :)

rido-min commented Mar 2, 2018

With repository signatures we could show the owners included in the signature metadata.
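An added example, not part of this thread and not NuGet client code, showing where the two candidate fields discussed above actually come from: the signer certificate CN that onovotny proposes, and the owner list that rido-min notes is carried in repository-signature metadata. It uses the public NuGet.Packaging signing API and assumes a project that references the NuGet.Packaging package and a .nupkg path passed on the command line; the program name SignerInfoDump is made up for the example.

```csharp
// SignerInfoDump: read a .nupkg's primary signature and print the fields a
// package manager UI could surface next to the free-text 'authors' value.
// Example code written for this discussion; it is not the NuGet client's own.
// Assumes a reference to the NuGet.Packaging package.
using System;
using System.Security.Cryptography.X509Certificates;
using System.Threading;
using System.Threading.Tasks;
using NuGet.Packaging;
using NuGet.Packaging.Signing;

static class SignerInfoDump
{
    static async Task<int> Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.Error.WriteLine("usage: SignerInfoDump <package.nupkg>");
            return 2;
        }

        using var reader = new PackageArchiveReader(args[0]);
        var identity = reader.GetIdentity();
        Console.WriteLine($"{identity.Id} {identity.Version}");

        // 'authors' is free text in the .nuspec: anyone can write any name here,
        // which is exactly the confusion this issue is about.
        Console.WriteLine($"nuspec authors (unverified): {reader.NuspecReader.GetAuthors()}");

        if (!await reader.IsSignedAsync(CancellationToken.None))
        {
            Console.WriteLine("signature: none");
            return 0;
        }

        // The primary signature is either an author signature (made with the
        // author's certificate) or a repository signature (added by the feed).
        PrimarySignature sig = await reader.GetPrimarySignatureAsync(CancellationToken.None);
        X509Certificate2 cert = sig.SignerInfo.Certificate;
        string cn = cert.GetNameInfo(X509NameType.SimpleName, forIssuer: false);

        Console.WriteLine($"signature type:     {sig.Type}");
        Console.WriteLine($"signer CN:          {cn}");
        Console.WriteLine($"issuer:             {cert.Issuer}");
        Console.WriteLine($"thumbprint (SHA-1): {cert.Thumbprint}");

        // Repository signatures carry the owner list and the service index URL
        // as signed attributes, so the owners are bound to the repository's
        // certificate rather than to the .nuspec text.
        if (sig is RepositoryPrimarySignature repo)
        {
            Console.WriteLine($"repository:         {repo.V3ServiceIndexUrl}");
            Console.WriteLine($"owners:             {string.Join(", ", repo.PackageOwners)}");
        }

        return 0;
    }
}
```

This only reads the signature; it does not verify it. A CN or owner list is only worth displaying after the signature has been validated and the certificate chained to a root the client trusts (NuGet.Packaging's PackageSignatureVerifier does that), otherwise a bogus package can carry any self-signed CN it likes, which is the "signed does not mean safe" point raised later in the thread.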

onovotny commented Mar 2, 2018

Is there a value in owners, even in signature metadata? I would think there is value in showing a CA-vetted identity prominently.

rido-min commented Mar 2, 2018

We'd need to revisit the decision to have different UI for signed vs. unsigned packages.

onovotny commented Mar 2, 2018

@rido-min you know where I stand on that and always happy to participate in any conversation around that topic :)

anangaur (Member, Author) commented Mar 2, 2018

The topic has been beaten to death, but I see no harm in showing that a package has been signed by an entity in the details page on the PM UI. This is a package property; it needs to show up somewhere?

onovotny commented Mar 2, 2018

@anangaur I would expect the following behavior:

CN show up in the search results to help differentiate a bogus package from a real one. In that context, the package isn't downloaded, so I'd expect the search result endpoint to provide that extracted information. It could then download the public cert "just in time" upon request to show in the UI (on click).

Showing it in the details portion is "too late," as a primary reason for code signing is to disambiguate and prove ownership.

rido-min commented Mar 2, 2018

> to help differentiate a bogus package from a real one.

That's the issue, since being signed does not mean being "safe". We got feedback from everyone that we should not make any UI distinction between signed and unsigned.

anangaur (Member, Author) commented Mar 2, 2018

I see where the discussion is going... again... :) That's why I mentioned:

> The topic beaten to death..

onovotny commented Mar 2, 2018

nkolev92 (Member) commented Jan 14, 2020

Duplicate of #442

nkolev92 marked this as a duplicate of #442 Jan 14, 2020
nkolev92 closed this Jan 14, 2020