[Feature]: Improve resiliency against supply chain attacks

[jgilbert2017]

Related Problem

Background: Supply chain attacks are becoming an increased vector for compromise.

Most recently, the open source library xz was compromised via a bad actor who inserted malicious code via a change to a source tarball that was not present in the git tree.

The current trust paradigm of nuget is based upon publisher trust via a signing key which can then be used to publish arbitrary binary nuget packages (*.nupkg).

An improvement to this model would be to allow trusted publishers to publish source releases (via signing a release tag) rather than a binary.

This would increase transparency and reduce the chance that a bad actor introduces malicious code into a binary.

The Elevator Pitch

Support publishing nuget packages via the package owner submitting a link to a git repository and a commit hash.

The nuget server backend should permanently mirror the the repository and checkout and build the nupkg artifact.

The nuget gallery should link to the mirrored source tree and commit.

Additional Context and Details

In support of this idea, it appears that go language packages work via a git tag.

cc: @FiloSottile, @rsc, @anarazel

https://bsky.app/profile/filippo.abyssdomain.expert/post/3kowo2acmyx2k

Go does even better: every version+hash is checked into an immutable append-only transparency log that not even Google can tamper with undetectably.

If you change the contents of a git tag, it will just be rejected. No override, excuses or not.

Really every git-tag based system should do this.

[erdembayar]

cc @JonDouglas