[🚀 Feature]: Publish StrongNamed builds to nuget feed
#12315
Comments
|
@harunurhan, thank you for creating this issue. We will troubleshoot it as soon as we can. Info for maintainersTriage this issue by using labels.
If information is missing, add a helpful comment and then
If the issue is a question, add the
If the issue is valid but there is no time to troubleshoot it, consider adding the
If the issue requires changes or fixes from an external project (e.g., ChromeDriver, GeckoDriver, MSEdgeDriver, W3C),
add the applicable
After troubleshooting the issue, please add the Thank you! |
|
I don't think we will publish it in nuget feed. More realistic scenario is making Selenium.WebDriver with strong name. |
|
OK, it would be very useful also for us. Any news on this? |
|
Hi, when will the strong named version published in nuget feed? |
|
Only with Selenium 5 as a major breaking change, and if core team doesn't mind. |
|
Major breaking change? |
|
Hello, let me copy paste my last comment: Strong-naming an assembly introduces a small initial overhead, as it requires generating a key pair and integrating the signing process into the build pipeline. However, once this key pair is generated, it can be reused for all subsequent releases, making the process transparent and straightforward for future updates. For a widely used library like Selenium, providing strong-named assemblies in the NuGet package would enable developers to use these assemblies in environments that require strong-naming, such as in large enterprises with strict security policies. It allows these developers to maintain strong-naming across their entire application stack, ensuring compatibility and compliance with their security requirements. Moreover, it is worth noting that most NuGet packages available today include a public key, which means they are already strong-named. This has become a standard practice, reflecting the industry's emphasis on security and integrity. By aligning with this standard, the Selenium library will not only enhance its security posture but also meet the expectations of its user base, facilitating smoother integration and wider adoption. The benefits of strong-named assemblies in promoting security, integrity, and trustworthiness far outweigh the small initial overhead. Incorporating strong-named assemblies in the next minor release would significantly enhance the utility of the Selenium library, making it more suitable for a wider range of applications and increasing its adoption in secure and enterprise environments. Of course, while you currently provide signed assemblies in a zip file, however best practices in modern .NET development strongly recommend using NuGet package references rather than hard-copied DLL files. NuGet packages ensure better dependency management, automatic updates, and a more streamlined development process. Including strong-named assemblies directly in the NuGet package would align with these best practices, making it easier and more efficient for developers to integrate Selenium into their projects. #region Assembly System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 #region Assembly System.Xml.Linq, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 #region Assembly DevExpress.RichEdit.v13.1.Core, Version=13.1.8.0, Culture=neutral, PublicKeyToken=b88d1754d700e49a #region Assembly NLog, Version=5.0.0.0, Culture=neutral, PublicKeyToken=5120e14c03d0593c Find the exception.... I think in the back lines this is more an issue about knowledge of how strong name signing works rather than a technical blocker. |
|
I feel Selenium 5 will be signed with strong name. Technically we are ready to do it, I don't see any reasons why the assembly cannot be signed in, build process is adopted. Why not now?.. Because it is breaking change at binary level, all users who consume the assembly transitively will be affected. Given that this assembly is still not signed yet for a long time, and the source code is opened for everybody, I can summarize - wait major update v5 or apply one of many workarounds available to you. Signing the assembly right now will damage the project more than hilling. |
|
Thank you I would be happy to learn about a scenario which would show an
issue if you release tomorrow a strong named version.
I would like to know which one with the parameters for my curiosity.
Le mer. 12 juin 2024 à 16:37, Nikolay Borisenko ***@***.***>
a écrit :
… I feel Selenium 5 will be signed with strong name. Technically we are
ready to do it, I don't see any reasons why the assembly cannot be signed
in, build process is adopted.
Why not now?.. Because it is breaking change at binary level, all users
who consume the assembly transitively will be affected. Given that this
assembly is still not signed yet for a long time, and the source code is
opened for everybody, I can summarize - wait major update v5 or apply one
of many workarounds available to you. Signing the assembly right now will
damage the project more than hilling.
—
Reply to this email directly, view it on GitHub
<#12315 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AIULZZD345MRUWMDXDRUDCLZHBMJ7AVCNFSM6AAAAAAZ7FAD2GVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCNRTGE4DGMBTHE>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
|
Releasing new signature of the assembly will not break you, but it will break me, my friend and friend of my friend. Read more https://learn.microsoft.com/en-us/dotnet/standard/library-guidance/strong-naming, with attention on what Microsoft recommends when the assembly signature is changing. I care about my friend and his friend more than you, because 2 is greater than 1. |
|
Thank you Nikolay for your prompt reply,
but your answer "friend of friend" is not a technical explanation.
regarding your link I read:
"You should strong name your open-source .NET libraries if their targets
include .NET Framework or .NET Standard. "
Regards
…--------------------------------
Thierry Brémard
***@***.***
Le mer. 12 juin 2024 à 16:56, Nikolay Borisenko ***@***.***>
a écrit :
Releasing new signature of the assembly will not break you, but it will
break me, my friend and friend of my friend. Read more
https://learn.microsoft.com/en-us/dotnet/standard/library-guidance/strong-naming,
with attention on what Microsoft recommends when the assembly signature is
changing. I care about my friend and his friend more than you, because 2 is
greater than 1.
—
Reply to this email directly, view it on GitHub
<#12315 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AIULZZCGTHYEAIUFBV7QSQLZHBOTTAVCNFSM6AAAAAAZ7FAD2GVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCNRTGI2TMOBXG4>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
|
Thanks for your curiosity, I already said that is a breaking change at
binary level. Googling it is more useful than I try to explain the problem
here. I used "friend of friend" to highlight that you are not alone, and
making changes is not a safe process.
…On Wed, Jun 12, 2024, 6:16 PM Thierry Bremard ***@***.***> wrote:
Thank you Nikolay for your prompt reply,
but your answer "friend of friend" is not a technical explanation.
regarding your link I read:
"You should strong name your open-source .NET libraries if their targets
include .NET Framework or .NET Standard. "
Regards
--------------------------------
Thierry Brémard
***@***.***
Le mer. 12 juin 2024 à 16:56, Nikolay Borisenko ***@***.***>
a écrit :
> Releasing new signature of the assembly will not break you, but it will
> break me, my friend and friend of my friend. Read more
>
https://learn.microsoft.com/en-us/dotnet/standard/library-guidance/strong-naming,
> with attention on what Microsoft recommends when the assembly signature
is
> changing. I care about my friend and his friend more than you, because 2
is
> greater than 1.
>
> —
> Reply to this email directly, view it on GitHub
> <
#12315 (comment)>,
> or unsubscribe
> <
https://github.com/notifications/unsubscribe-auth/AIULZZCGTHYEAIUFBV7QSQLZHBOTTAVCNFSM6AAAAAAZ7FAD2GVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCNRTGI2TMOBXG4>
> .
> You are receiving this because you commented.Message ID:
> ***@***.***>
>
—
Reply to this email directly, view it on GitHub
<#12315 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AFMRXHXFWS6K5S5F4JXCMITZHBQ6FAVCNFSM6AAAAAAZ7FAD2GVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCNRTGMYDCNBVGA>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
|
Hello,
** I am aware that I challenge you. And that it might be not comfortable.**
I take note that you are unable to describe any scenario where a user would
be impacted by a new version of Selenium which would be strongly signed.
Asking me to google it is a non sense as I already wrote that this would
have no impact. If you disagree, engineer practice is to state a user story
with precise terms where you spot an issue.
Telling me that the binary would be changed is not a valid one as you do
not state the client code would broke, and indeed if i release the same
source code at 1 minute interval the binary would be different and even
more different if the minor version number is incremented.
By the way speaking about a **major version** (v4 to v5) change to release
strong named key is also a non sense as this issue is now open about a
year, It would give more sense to write an approximate release date eg
august 2024.
I tried to change your mind by using rational decision process, but it
clearly looks there is other thing in your input.
Regards
…--------------------------------
Thierry Brémard
***@***.***
Le mer. 12 juin 2024 à 17:27, Nikolay Borisenko ***@***.***>
a écrit :
Thanks for your curiosity, I already said that is a breaking change at
binary level. Googling it is more useful than I try to explain the problem
here. I used "friend of friend" to highlight that you are not alone, and
making changes is not a safe process.
On Wed, Jun 12, 2024, 6:16 PM Thierry Bremard ***@***.***>
wrote:
> Thank you Nikolay for your prompt reply,
> but your answer "friend of friend" is not a technical explanation.
>
> regarding your link I read:
> "You should strong name your open-source .NET libraries if their targets
> include .NET Framework or .NET Standard. "
>
>
>
> Regards
>
> --------------------------------
> Thierry Brémard
> ***@***.***
>
>
> Le mer. 12 juin 2024 à 16:56, Nikolay Borisenko ***@***.***>
> a écrit :
>
> > Releasing new signature of the assembly will not break you, but it
will
> > break me, my friend and friend of my friend. Read more
> >
>
https://learn.microsoft.com/en-us/dotnet/standard/library-guidance/strong-naming,
>
> > with attention on what Microsoft recommends when the assembly
signature
> is
> > changing. I care about my friend and his friend more than you, because
2
> is
> > greater than 1.
> >
> > —
> > Reply to this email directly, view it on GitHub
> > <
>
#12315 (comment)>,
>
> > or unsubscribe
> > <
>
https://github.com/notifications/unsubscribe-auth/AIULZZCGTHYEAIUFBV7QSQLZHBOTTAVCNFSM6AAAAAAZ7FAD2GVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCNRTGI2TMOBXG4>
>
> > .
> > You are receiving this because you commented.Message ID:
> > ***@***.***>
> >
>
> —
> Reply to this email directly, view it on GitHub
> <
#12315 (comment)>,
> or unsubscribe
> <
https://github.com/notifications/unsubscribe-auth/AFMRXHXFWS6K5S5F4JXCMITZHBQ6FAVCNFSM6AAAAAAZ7FAD2GVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCNRTGMYDCNBVGA>
> .
> You are receiving this because you commented.Message ID:
> ***@***.***>
>
—
Reply to this email directly, view it on GitHub
<#12315 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AIULZZCSZ24KFWEGANLUURDZHBSHDAVCNFSM6AAAAAAZ7FAD2GVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCNRTGMZDKOJTGM>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
Feature and motivation
It would make it easier to consume if strong name signed versions of the packages, such as
Selenium.WebDriver.StrongNamedwere published to nuget.org feed, currently it's only possible to download from github.Usage example
N/A
The text was updated successfully, but these errors were encountered: