NuGet prefix reservation: LibGit2Sharp

[ethomson]

There are a ridiculous number of packages in the nuget gallery that are named LibGit2Sharp. Some have version numbers greater than our own, a bunch include ssh binaries, and most have security vulnerabilities (but I repeat myself).

This is confusing as hell, and they're all using libgit2 trademarks and icons so certainly appear official. They're not.

I've contacted all the publishers and asked them to de-list their packages and mark them as deprecated. I'll follow up with a takedown request to nuget.org.

You can reserve a prefix in the NuGet gallery, so we could reserve the prefix. I think the LibGit2Sharp project should.

/cc @bording

[gep13]

As I mentioned to @ethomson on Twitter there are a couple of caveats around prefix name reservation that have meant that we haven't enabled it on a couple of projects that I work on, but these might not apply here, but I will mention them anyway.

• When marking an ID as private, it means that no-one outside the core organisation can ever push any package that contains the reserved prefix. Instead, when attempted, the user will get an error along the lines of You can't do this. We have requested from the NuGet team that this message be made configurable, so additional information can be added along the lines of Thanks for trying to do this, please contact Bob on this email address here with information about why you want to do this. etc. To the best of my knowledge, this isn't yet possible.
• In order to use the above, you have to be in a NuGet Organisation. For one of the projects that I work on, we wanted to provide fine grained permissions to packages within that Organisation, so that certain people can have access to certain packages, this is not possible currently.
• Some of the requirements, for example using the latest NuGet recommendations around how license, repository URL's etc, are specified in the nupsec/csproj files, couldn't be met, as we don't "own" all the packages
• When marking an ID as public, there is currently no mechanism to get notified when a new package is pushed that uses the reserved package id.

Again, some of these issues might not apply here, but I thought I would mention them in case they are a road blocker.