Support dotnet tool restore --locked-mode #16003

Closed
0x0309 opened this issue Feb 22, 2021 · 3 comments
@0x0309

0x0309 commented Feb 22, 2021

dotnet restore has --locked-mode for repeatable restores. The same kind of option should be available for dotnet tool to verify tool identity.

@dotnet-issue-labeler

I couldn't figure out the best area label to add to this issue. If you have write-permissions please help me learn by adding exactly one area label.

@dotnet-issue-labeler dotnet-issue-labeler bot added the untriaged Request triage from a team member label Feb 22, 2021
@marcpopMSFT marcpopMSFT removed the untriaged Request triage from a team member label Sep 19, 2023
@marcpopMSFT marcpopMSFT added this to the Backlog milestone Sep 19, 2023
@marcpopMSFT
Member

We have package source mapping support for restore and tools which is the recommended way of doing this. Tools don't need a lock file because the configuration manifest specifies the version and doesn't support transitive dependencies.

@marcpopMSFT marcpopMSFT closed this as not planned Won't fix, can't repro, duplicate, stale Sep 19, 2023
@KalleOlaviNiemitalo

The same justification could be used for removing content hashes from NuGet package lock files. After all, the exact version is already specified there, and package source mapping together with repository signatures and HTTPS should ensure that the package is not tampered with.

Those cannot detect government coercion or other insider attacks at the package repository though. The content hash can detect those for previously resolved versions, although not for newly published versions.
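The two controls discussed in this thread, package source mapping (marcpopMSFT's comment) and lock-file content hashes (the comment above), catch different things. The following Python is an added example, not code from the dotnet/sdk project or from anyone in the thread: it parses a constructed `nuget.config` with a `packageSourceMapping` section and a constructed `packages.lock.json`, and checks restored package bytes against the pinned `contentHash`. It assumes that NuGet's `contentHash` is the base64-encoded SHA-512 of the `.nupkg` bytes (the same value stored in the `.nupkg.sha512` file in the global packages folder) and that source-mapping patterns are resolved longest-match-first. The package ids, source URLs and package bytes are all constructed.

```python
"""Contrast package source mapping with lock-file content hashes (added example)."""
import base64
import hashlib
import json
import xml.etree.ElementTree as ET


def nupkg_content_hash(nupkg_bytes: bytes) -> str:
    """Assumption: NuGet's contentHash is base64(SHA-512(.nupkg bytes))."""
    return base64.b64encode(hashlib.sha512(nupkg_bytes).digest()).decode("ascii")


# Constructed stand-ins for real .nupkg archives (not real packages).
ORIGINAL_PKG = b"PK\x03\x04 constructed bytes of Example.Tool 1.2.3"
TAMPERED_PKG = b"PK\x03\x04 constructed bytes of Example.Tool 1.2.3 with extra payload"
NEW_VERSION_PKG = b"PK\x03\x04 constructed bytes of Example.Tool 1.2.4"

# Constructed nuget.config: Example.* must come from "internal", everything else
# from nuget.org. Source mapping answers "which feed?", not "which bytes?".
NUGET_CONFIG = """<configuration>
  <packageSources>
    <clear />
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
    <add key="internal" value="https://internal.example.invalid/nuget/v3/index.json" />
  </packageSources>
  <packageSourceMapping>
    <packageSource key="nuget.org"><package pattern="*" /></packageSource>
    <packageSource key="internal"><package pattern="Example.*" /></packageSource>
  </packageSourceMapping>
</configuration>"""

# Constructed packages.lock.json pinning Example.Tool 1.2.3 to ORIGINAL_PKG's hash.
LOCK_FILE = json.dumps({
    "version": 1,
    "dependencies": {
        "net6.0": {
            "Example.Tool": {
                "type": "Direct",
                "requested": "[1.2.3, )",
                "resolved": "1.2.3",
                "contentHash": nupkg_content_hash(ORIGINAL_PKG),
            }
        }
    }
})


def mapped_source(nuget_config_xml: str, pkg_id: str):
    """Return the source key a package id maps to; assumption: longest pattern wins."""
    root = ET.fromstring(nuget_config_xml)
    pid = pkg_id.lower()
    best = None  # (pattern length, source key)
    for source in root.iter("packageSource"):
        for pkg in source.findall("package"):
            pattern = pkg.get("pattern", "").lower()
            if pattern.endswith("*"):
                matched = pid.startswith(pattern[:-1])
            else:
                matched = pid == pattern
            if matched and (best is None or len(pattern) > best[0]):
                best = (len(pattern), source.get("key"))
    return best[1] if best else None


def pinned_hashes(lock_json: str) -> dict:
    """Map (lower-cased id, resolved version) -> contentHash from a lock file."""
    pins = {}
    for framework in json.loads(lock_json).get("dependencies", {}).values():
        for pkg_id, entry in framework.items():
            pins[(pkg_id.lower(), entry["resolved"])] = entry["contentHash"]
    return pins


def check_locked_restore(lock_json: str, downloaded: dict) -> dict:
    """Classify each downloaded (id, version) -> bytes against the lock file.

    'ok': bytes hash to the pinned value; 'hash-mismatch': same version, different
    bytes (what --locked-mode would refuse); 'not-in-lock-file': a version never
    resolved before, so there is no hash to compare, exactly the gap noted above.
    """
    pins = pinned_hashes(lock_json)
    results = {}
    for (pkg_id, version), data in downloaded.items():
        key = (pkg_id.lower(), version)
        if key not in pins:
            results[(pkg_id, version)] = "not-in-lock-file"
        elif nupkg_content_hash(data) == pins[key]:
            results[(pkg_id, version)] = "ok"
        else:
            results[(pkg_id, version)] = "hash-mismatch"
    return results


if __name__ == "__main__":
    print("Example.Tool is restricted to source:", mapped_source(NUGET_CONFIG, "Example.Tool"))
    outcome = check_locked_restore(LOCK_FILE, {
        ("Example.Tool", "1.2.3"): TAMPERED_PKG,
        ("Example.Tool", "1.2.4"): NEW_VERSION_PKG,
    })
    for (pkg_id, version), status in outcome.items():
        print(f"{pkg_id} {version}: {status}")
```

Run as a script, the tampered 1.2.3 bytes report `hash-mismatch` even though source mapping would happily accept them from the `internal` feed, while 1.2.4 reports `not-in-lock-file`: a hash pin protects only versions that have already been resolved and recorded.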
