Evaluate choice in package IDs

[AArnott]

All Microsoft internal tools packages should have IDs that begin with Microsoft. so that their absence from nuget.org does not present a dependency confusion vulnerability to repos that consume it from one feed and also consume nuget.org via nuget.config.

[AArnott]

@jonfortescue, I hear you're the one to look at this.

[jonfortescue]

This is not actually related to my epic. Kicking back to triage.

[jakubstilec]

[Async Triage]: @AArnott please could you add description to have more context?

[AArnott]

The description was blank before to avoid disclosing a vulnerability before it was announced. I filled it in now.

[riarenas]

FYI @mmitche for guidance

[mmitche]

Yes, we should make this the prefix.

[riarenas]

@markwilkie @Chrisboh @tkapin How do we want to handle these kinds of changes in Xliff-tasks? It's not a giant change so I'm leaning towards throwing this in FR, it requires changing the package name and then making sure arcade depends on the new name.

[markwilkie]

Seems to me this is something we should do from a compliance perspective - so ya, FR. @ilyas1974 ?

[ilyas1974]

I agree. Seems like something that we can take care of in FR.

[ilyas1974]

@jonfortescue what is the status of this?

[jonfortescue]

@ilyas1974 this was meant to be handed off to the next person on FR but I was absent the day of hand-off; sorry about that. A PR is in (#478) but I'm worried about the consequences changing the name will have.

[AArnott]

Any specific concerns? Generally speaking, a new ID doesn't break any existing users. It does make it harder for them to notice that newer versions are available (on another ID) the first time.

[lpatalas]

I'm currently on FR and I will take over this issue from Jon.

[riarenas]

I don't think the name change is too concerning. For the most part, repos get xliff from arcade, so we will need to make sure arcade still gets updated with the new package version.

I think all we wound need is:

• change https://github.com/dotnet/arcade/blob/dc5deb120047922d85aa0a002e1aea64f2db41b2/eng/Version.Details.xml#L71 to use the new name
• change https://github.com/dotnet/arcade/blob/dc5deb120047922d85aa0a002e1aea64f2db41b2/eng/Versions.props#L81 and everything that uses that property
• Let partners know that the package name has changed in case they have custom references to the package.

[lpatalas]

Thanks for the tips @riarenas. I double checked @jonfortescue's changes and they seem ok. Build and tests finish successfully. I'm not sure if I can do any more due diligence there so I think we just need to merge it and see if the package is published correctly.

Is there someone specific I should put as a reviewer? Currently I've added @riarenas and @MattGal.

[lpatalas]

Based on @mmitche suggestion I renamed the package to Microsoft.DotNet.XliffTasks. I've already updated the PR #478. After it's merged we need to make changes in Arcade that @riarenas described above.

[premun]

I see this package is used in several repos, I will open a PR in each so that people know about the name change:

• roslyn-tools
• arcade
• sdk
• upgrade-assistant
• machinelearning

[jonfortescue]

@premun Just so you know, the package is used in dozens of repos that pull it in through arcade. All of the repos in this issue, for example, use xliff-tasks.

[riarenas]

If they bring it through arcade they shouldn't need any changes beyond having arcade use the new name.

[greenEkatherine]

PR merged, is there anything else to do?

[AArnott]

Looks good to me. Thank you.

[ilyas1974]

Closing issue - if anything else is needed, please let us know and we will address it.