Package Namespaces Proposal #10660
Package Namespaces Proposal #10660
Conversation
|
How will it work for packages that are not part of a "namespace"? I see only Microsoft, System, and maybe a few big packages falling under that list. Would the end user have to manually include each of those packages as a namespace? More concretely, it would be nice to see the linked proposal include scenarios with non-Microsoft packages. If I understand correctly, this feature will have impact on the broad community of package maintainers, not just Microsoft (assuming the end user has this feature enabled). |
proposed/2021/PackageNamespaces.md
Outdated
| </config> | ||
| ``` | ||
|
|
||
| The strict flag provides a source pinning behavior by nature in which one namespace is allowed per package source. Entering a strict mode will provide users an error experience when there are namespace conflicts to which a user will be able to resolve by defining one namespace per package source configuration. |
There was a problem hiding this comment.
Or rather, one package source is allowed per namespace.
There was a problem hiding this comment.
That's a great way to summarize it.
There was a problem hiding this comment.
I wanted to point out the error in "one namespace is allowed per package source", rather than summarize.
There was a problem hiding this comment.
Thanks! We'll fix it.
There was a problem hiding this comment.
This is still very opaque to me. Does strict mode enforce that each <packageSource> can only contain a single <namespace>? Does it mean that I can only include <namespace id="Nuget.*" /> inside a single <packageSource>? Or is it saying that namespaced packages cannot alias to multiple sources, e.g. the following would cause errors for Nuget.Internal.Package because it matches namespaces in multiple different sources?
<packageSource name="nuget.org">
<namespace id="Nuget.*" />
</packageSource>
<packageSource name="InternalFeed">
<namespace id="Nuget.Internal.*" />
</packageSource>There was a problem hiding this comment.
Let me update this shortly to help clarify. It means that only one unique package ID can be defined per package source.
In your conflicting scenario, there is both Nuget.* & Nuget.Internal.*. However since you have Nuget.Internal.*, that takes precedence for the specific Internal.* scope & would therefore be resolved on the internal feed rather than the globbed nuget.org source. Everything outside the Internal.* scope would be resolved on nuget.org.
There was a problem hiding this comment.
I posted some comments above https://github.com/NuGet/Home/pull/10660/files#r597213005, but I don't think this will be easy to turn on if it's one package ID per package source. Basically any kind of organization that does pre-release builds on one set of feeds and releases on another will always have id overlap. The same packages will appear on both feeds and it's valid to use them on both feeds. This gets especially important in any kind of scenario where pre-release packages are different than released ones. For instance, the .NET 6 packages built day to day are unsigned, but those we release are signed, pushed to nuget.org, then deleted from our feeds so that nuget.org is the source of truth. This gets even more likely if you had more than one internal feed with the same packages. Perhaps legacy packages live on one, while new packages are pushed to another, etc. etc.
Could that allow for dependency confusion? Possibly, or at least there could be a restore that pulls from location X one time and location Y another. But when creating the namespaces config, the user is making a trust decision about namespaces on specific feeds. To me, strict should be a way of saying that a trust decision has been made about all referenced package IDs on all input sources.
If single namespace->single feed is still an important pivot, could we add an additional mode? Example
fullySpecified- Any package id must be in one or more matching namespace declarationssingleSource- No package id may match more than one feed (based on precedence rules)
|
@Tyrrrz Right now this feature is largely opt-in. Meaning that if you don't do anything today, you have the same experience. For the non-Microsoft or namespace scenario, you would use the package ID syntax in full to provide the package into your allowed namespaces. This is a bit tedious as mentioned in the proposal, but tooling would be provided to automatically add the namespace when installing through various methods (visual studio, CLI, etc) if you've already opted-in to the feature. |
|
Can I ask why package signing isn't an integral part of a proposal such as this? It just seems that "trusting packages from vendor x" would be easier to configure (trust this signing key), while at the same time being configurable independently of the package source. Signature verification would also work better for any author with multiple packages that aren't sharing a namespace prefix (e.g. Marc Gravell's protobuf-net and fast-member). |
|
@mnmr There's some thoughts here that may share my perspective: https://haacked.com/archive/2019/04/03/nuget-package-signing/ & https://haacked.com/archive/2019/05/10/friend-signing-packages/ There already exists many features for this finer level of control & even a recent proposal to bring these to dotnet CLI So while you can still go trust an author's certificate, you can also scope your namespaces if those packages aren't signed/repo signed only, but you still trust them. This may suffer from the same problem where you have to add every single person you trust to your |
|
Yes, I agree with @JonDouglas. trusted-signers is already a feature that's available that you can use to achieve similar results as namespaces, but in order to rely on signatures you would need every package signed. trusted-signers doesn't have the privacy element that namespaces does. Your in house package ids don't have to looked up on feeds you don't own. |
|
@JonDouglas Thanks for the links - it's hard to disagree with any of what Phil writes. @nkolev92 From my understanding NuGet already signs all packages. Instead of using a single key for this, could it not use a key per account holder? This would remove the obstacle of getting package authors to do the signing. As for privacy and performance, those are probably true concerns, but my (completely uninformed) gut feel tells me that any performance issues can be resolved (and if not, at least be reduced to only affect initial restores). |
|
|
||
| ```xml | ||
| <config> | ||
| <add key="namespaceMode" value="strict" /> |
There was a problem hiding this comment.
I'm not a fan of "strict" here. It doesn't really tell me much about what that means, and it's already a bit of a confusing feature to think about.
There was a problem hiding this comment.
Do you have a recommendation here?
signatureValidationMode has require and allow which I don't love either.
strict matches a feature that the compiler has.
There was a problem hiding this comment.
Maybe rename the option away from signatureValidationMode (which doesn't tell us much), to something more descriptive like multipleNameSpaceSources, and then it can just be true and false?
There was a problem hiding this comment.
I also think it's a bit confusing, and perhaps not all that useful as it's spec'd out here? The issue is that I think it would be hard to turn on in any case where multiple feeds are present. Consider .NET. We build plenty of pre-release packages internally, and also put them on nuget.org. Thus I would want to put Microsoft.* namespaces on both my nuget.org and dotnet6 feed, and that would be completely valid. It sounds like strict mode would disable that ability?
Perhaps instead, the strict mode would specify that all package id's must be accounted for? E.g. If I have 3 feeds:
- nuget.org
- dotnet-eng
- dotnet6
Let's say I said that NewtonSoft.* comes from nuget.org and Microsoft.* comes from dotnet-eng or dotnet6. If I then try to reference Xunit.Whatever, the restore would fail in strict mode because that package ID/namespace was not assigned to any feed.
There was a problem hiding this comment.
Should strict mode imply both, so either a 1-1 relationship between package id and source, or a 1-n explicit relationship between package id & source.
I understand the special scenario for the .NET repos, and that's certainly a big consideration, but we also expect the more common scenario to be 1 private feed & multiple additional feeds.
There was a problem hiding this comment.
Should strict mode imply both, so either a 1-1 relationship between package id and source, or a 1-n explicit relationship between package id & source.
How would that be implemented? I'm not sure I follow.
I understand the special scenario for the .NET repos, and that's certainly a big consideration, but we also expect the more common scenario to be 1 private feed & multiple additional feeds.
I don't think .NET's scenario is all that special, but can we get some sense of that from the community? I think you're likely to see ID overlap in any case where pre-release packages are placed on a feed and verified, prior to publishing to nuget.org.
There was a problem hiding this comment.
How would that be implemented? I'm not sure I follow.
Maybe some examples clarify it:
The packages are:
Microsoft.* and NuGet.*.
- Case 1*
Source 1: Microsoft.*
Source 2: Microsoft., NuGet.
This can be a valid strict mode scenario.
- Case 2:*
Source 1: Microsoft.*
Source 2: *
This a valid strict mode scenario.
Case 3:
Source 1: NuGet.*
Source 2: *
Source 3: *
This is invalid because you are not explicitly opting into using both sources for the specific packages.
proposed/2021/PackageNamespaces.md
Outdated
| <!-- What parts of the proposal need to be resolved before the proposal is stabilized? --> | ||
| <!-- What related issues would you consider out of scope for this proposal but can be addressed in the future? --> | ||
|
|
||
| - Should strict namespaces mode be the default? That would deliver a `secure by default` namespacing experience. |
There was a problem hiding this comment.
Yes.
If you're using this feature, I believe the general intention is to limit something to a single prefix. As such, I think the "default by secure" approach is a better choice.
There was a problem hiding this comment.
Seconded. At a minimum, nuget should reject restoring any package that's present on multiple feeds unless whitelisted, to cap the current security defect.
There was a problem hiding this comment.
nuget should reject restoring any package that's present on multiple feeds unless whitelisted
I love this. Very easy threat fix. I assume whitelisting feeds (like private beta vs prod) not just packages.
There was a problem hiding this comment.
or nuget should implement the equivalent of @scope/package like npm
and assign a feed to an @scope
default @scope could be associated to the user or org pushing the package for backward compat and enrich existing package so there's no breaking change
that would address what's mentionned above and at the same time facilitate multi feed
on top of that nuget v7 could make the use of scope mandatory
which would also fix the "name reservation" with something that looks way more clear especially even doing mono repo of multi library
it would also make easier the validation / installation of certitifacte for on premise nuget proxy feed or storage
check how .npmrc allow to whitelist cert thumbprint per source for example
=> in repo certificate white list (easy for docker container build or computer where you can't install certificate)
You can trust specific The challenges that I am referring to are more relevant to dedicated/private feeds which might not have all packages signed. |
|
I understand from #9611 that package restore in Visual Studio uses a bundled version of NuGet, and upgrading that will require a new version of Visual Studio as well. Is the package namespaces feature planned for Visual Studio 2019 (Dev16), only for later versions, or also for earlier versions that are still supported? On a build server, if the installed versions of Visual Studio Build Tools do not support this feature, but NuGet.exe and .NET SDK do, then how should I script the package restore to make sure that package namespaces are respected even in .NET Framework projects that use PackageReference? |
|
I have following questions to start with.
|
It's ignored. Similar to how PackageSourceCredentials are handled.
Afaik, all NuGet.config sections support
Namespaces will be merged, similarly to sources and others. |
| ## Motivation | ||
|
|
||
| <!-- Why are we doing this? What pain points does this solve? What is the expected outcome? --> | ||
| Giving the user more control on what packages are allowed in their software supply chain is an on-going need in the .NET ecosystem. Today, users do not have much control nor capabilities to filter the software dependencies they would consider including in their project. There's a misconception about open source dependencies being more secure which is known as the [Linus' Law](https://en.wikipedia.org/wiki/Linus%27s_Law), which allowing the world an opportunity at your software supply chain is posing a greater risk as more new packages are created everyday. Many requirements by organizations is quite the opposite. Having a controlled list of dependencies that are allowed within the company's policy is regular procedure & considered a best practice. |
There was a problem hiding this comment.
There's a misconception about open source dependencies being more secure which is known as the Linus' Law, which allowing the world an opportunity at your software supply chain is posing a greater risk as more new packages are created everyday
Nit: wording
|
As a general comment, as discussed/asked on Twitter it would be very nice to have it available too as "MsBuild First" if possible
The current "dsl" proposal to add to the |
Seconded. I only just learned about package signing, but it seems as though repository level signing would already solve the use case here for most legitimate uses. Naming collisions are pretty rare (though not unheard of; I know at least two unrelated packages that go by the name "NuProj"), and my team's scenarios for using a package namespace feature would be entirely to lock down which author's we'll accept packages from: precisely the use case of package signing. That said, our immediate problem is that our internal repositories don't all support repository signing. This feature would greatly help us secure our package supply chain until our internal repositories catch up and implement repository signing, or internal package authors catch up and sign their packages. |
We thought that the MSBuild driven approach deserves consideration on its own, separate from namespaces. As with anything MSBuild, configuration is project specific but so many other components are repo wide, so we'd have to advise caution when using it :) |
I forgot that "small" detail. |
|
I think it requires more care when working with it. |
|
Instead of scoping by package name, could you add an option to scope by package authors? I'd much prefer to whitelist the authors I'd expect from each feed: |
| <!-- One-paragraph description of the proposal. --> | ||
| NuGet allows access to all package IDs on a package source. However, many .NET developers have needs to filter & consume a subset of the package IDs available on public, private, and local sources. Although NuGet supports a concept of [trusted-signers](https://docs.microsoft.com/en-us/nuget/reference/cli-reference/cli-ref-trusted-signers) to trust packages signed by specific authors, users would like to optionally specify package namespaces that their organization and project's software supply chain trusts. | ||
|
|
||
| This proposal introduces a concept known as package namespaces, allowing a developer to include or exclude package IDs by specifying package namespaces on their package source(s). |
There was a problem hiding this comment.
I'm not familiar enough with the v3 http protocol, but does the package feed expose the registered author of the package? If so, we'd much prefer the option to whitelist by author instead of by namespace.
Rationale: With the PackageReference mechanism and .g.props auto-importing certain named files in the package, package authors are granted permission to run arbitrary code during the user's build. Given that, a given author could easily impersonate other packages by rewriting those packages on disk.
When whitelisting a namespace, I'm effectively granting permission to all authors that have the ability to publish into that namespace to impersonate any package. So why not cut out the intermediary and list authors specifically, if feasible?
Secondly, users are likely to use wildcards without first checking that it properly is scoped to an author. Do I know for certain that nuget.org will only let NewtonSoft publish to the NewtonSoft package namespace? I know many users that would jump to the assumption that nuget.org would implement that restriction. Whitelisting authors would remove that temptation -- e.g. whitelisting NewtonSoft would only allow NewtonSoft authored packages onto the user's machine; even if a malicious entity registered a package with a typosquat - e.g.
"NewtonSoft.Jsno", the user's nuget config with an author whitelist would reject the package as that malicious entity is unlikely to be listed on the user's author whitelist.
There was a problem hiding this comment.
There's an interesting relationship here:
ID prefixes have a 1 to many relationship with owners.
An allow list of owners/maintainers is interesting. You may establish your trust relationship purely on an owner/maintainer's name at the risk of knowing that if that entity were compromised, your supply chain would be at a larger risk in terms of packages rather than a handful of namespaces. This is somewhat related to the trusted-signers command to add an author's signature of a package to be trusted, but without the certificate fingerprint.
If people are interested in being able to trust owners/maintainers in addition to the namespaces they possess, please feel free to upvote & drop some comments below as well. We'll look into it! It may be out of scope initially, but shouldn't stop the conversation.
|
@aaronla-ms The trust by author is interesting. It gets even more interesting with the idea that NuGet supports both The trusted-signers feature currently allows you to trust author signatures in this fashion. There could be merit in specifying the publisher name that you trust in addition to the namespace they may have reserved. We'll discuss this more! |
|
@JonDouglas ah, you're spot on, owner or publisher is better. I wouldn't want someone to implicitly trust some library just because Contoso once submitted a pull request -- only if they're a controlling party for that nuget. And if the owner/publisher changed, I'd certainly want to stop implicitly trusting it. Let me know how the discussion goes! |
|
@nkolev92 @kartheekp-ms @erdembayar Can we get an approval on this PR to merge now that we have requirements for MVP & VS integration? Thanks! |
|
I find the structure confusing. Specifically that Take the following example: Click to expand<packageNamespaces>
<packagesource key="contoso">
<namespace id="Contoso.*" />
</packageSource>
</packageNamespaces>Could it be inverted instead? E.g.: <packageNamespaces>
<namespace id="Contoso.*">
<packagesource key="contoso" />
</namespace>
</packageNamespaces>This feels more natural to me. It reads as "any package ID matching |
|
In addition, I would prefer a simple "strict by default" behavior, without any modes that make it more difficult for third-party tooling to copy or predict nuget's behavior (not to mention for users to understand it). In a nutshell: use the order as defined by the user in Click to expand<packageNamespaces>
<namespace id="Contoso.*">
<packagesource key="contoso" />
</namespace>
<namespace id="*">
<packagesource key="nuget" />
<packagesource key="dotnet-public" />
</namespace>
</packageNamespaces> |
|
@vweevers, how would you define the order if a |
|
@KalleOlaviNiemitalo I see. If In either case ( |
|
Hi all, We're still listening to all feedback for this proposal, but we have begun development & will be sharing iterations with the world shortly. Thus I am moving forward to merge this PR as approved 7 days ago & adjusted to the feedback we've heard thus far. The syntax is one we went to ensure we would not override older client versions of nuget.config and wanted to find a mixture that was human-readable & understandable at a glance when one would open up the file. If there is a compelling argument to be made to change the syntax as it's presented in the spec, please feel free to make a case here in the next few days before we merge. The primary reason the syntax is the way it is today mostly relates around previous NuGet feature designs, vertical real estate, readability of configuration files, ease of merging, and not wanting to have users duplicate elements when they may only have a handful of them (i.e. package sources). We also toyed around with the idea of having users define the sources on the namespace element itself which would be similar syntax as to another proposal found here: https://github.com/NuGet/Home/blob/source-pinning/proposed/2021/SourcePinning.md which didn't fully fit the criteria of the problem we're trying to solve although it was well received. Please continue to share thoughts around the syntax as it helps us build the best feature possible! |
|
As @KalleOlaviNiemitalo pointed out, we chose to go the per source direction because it meshes better with the config precedence concept. Note that the configs are how the data is represented, we can have CLI commands and UI that may be able to display the information in different ways. |
|
I would very much love to have all that in a getting rid of
we already witness the removal from |
|
@tebeco I like the thought, putting it all in one place. However, the limitation with Directory.Feed.props is that is doesn't allow for securing:
None of the above can parse msbuild props files in a reasonable fashion. I support the notion, (filed an issue, now closed, to that effect), but the feedback from the msbuild team is that it's just not practical at this time, would have to be pursued by nuget, not msbuild. |
|
oO no that's exactly why it should exists the fact that dotnet tool absolutely needs the nuget.config and don't even load Directory.Build.props create a mess in your repo the moment you start having both already today same goes for nuget.exe, you get a valid point I see these point as an excellent reason to make these changes ... fix all at once |
|
I personally think that "they don't do it why would we" is what slow down evolution of echo system. We see the same in human society ... taking the lead on that would drive other forward in a non-breaking way and open possibility of re-use rather than locking down everyone to a an old behavior. for example ... IIRC what i've read, a part of the msbuild team is whiling to replace sln file with msbuild proj ... but VsTeam is not ready but of the work to do... so nothing move. I truly hope that the change from package.config to PackageReference should be seen as an example to "move forward" |
Introduction of a feature concept called
Package Namespaceswhich allows a developer to include or exclude package IDs by specifying package namespaces on their package source(s).馃帀馃摝Please provide your comments, concerns, and feedback within this PR. 馃摝馃帀
Rendered