PostSharp Is Now Source Available

The code is released under a permissive, proprietary source-available license. You can modify, build, and distribute the software, provided users of the modified code hold a valid PostSharp license.

We are releasing our source code with the following use cases in mind:

• Troubleshooting
• Supply chain security
• Supply chain resilience

In an era of tightening regulations (like the EU’s Cyber Resilience Act) and increased focus on software supply chain security, transparency isn’t optional — it’s necessary.

Who qualifies

To access the source, you need an Enterprise E1 support plan or higher, which is included in:

• a 10-user subscription of PostSharp Ultimate, or
• a 15-user subscription of PostSharp Framework.

There’s no additional cost — it’s included in your subscription.

If you have fewer users but need source access, add more users to your subscription.

See our support policies for a description of our support levels and their eligibility.

Before getting access to the repo, you must sign a Non-Disclosure & Non-Competing Agreement.

Use case 1. Troubleshooting

You now have full visibility into the source to troubleshoot issues.

We’ve disabled obfuscation in all maintained versions. When decompilation isn’t sufficient, you can read the original source.

Note: SourceLink is not available yet.

Use case 2. Supply chain security

Supply chain security isn’t just about trusting suppliers — it’s about trusting the code you run. With full access to our source, you can run your own analysis tools and assess the code’s quality.

Auditing the source alone isn’t enough. You need to guarantee that the binaries you execute were built from that audited source. That means you should be able to build the code yourself. To make that practical, we provide a Docker-based build that requires only Windows containers.

Once you’ve built the packages, you have two theoretical options to verify the chain of custody:

1. Use the packages you built yourself instead of sourcing them from nuget.org, or
2. Compare your packages with those sourced publicly.

In practice, our public binaries won’t be bitwise identical to what you build because our public builds are signed with Authenticode using a timestamp and a private certificate we cannot share. For that reason, only the first option — using your own built packages — is available to guarantee the chain of custody.

You can use Package Source Mapping (a NuGet client option) to ensure packages are sourced from your private builds rather than PostSharp’s public ones.

Use case 3. Supply chain resilience

Companies rely on PostSharp for mission-critical applications and need contingency plans for scenarios such as product end-of-life, company closure, or temporary inability of the supplier to deliver fixes or platform updates. By giving enterprise customers full source access, we enable practical contingency plans. You have the legal right and technical capability to:

• Fork and maintain your own version of PostSharp if our support becomes unavailable
• Apply critical security patches without waiting for official updates
• Maintain older versions beyond their official support lifecycle
• Ensure business continuity even in worst-case scenarios

Section 9 of the license agreement provides the legal framework for these business continuity scenarios, so you can be confident your critical systems won’t be held hostage by vendor dependencies.

How does it work?

1. Getting access

1. Sign in to the customer portal.
2. Check your support entitlements. You must have an Enterprise support plan (E1 or higher).
3. Go to the source access page.
4. Sign the Non-Disclosure/Non-Competing Agreement online (or offline).
5. Allow one business day for review and account update.
6. Return to the source access page and create Git users and passwords.
7. Clone the repositories using Git.
8. Check out one of the support release branches: release/2024.0, release/2025.0, or release/2025.1.

2. Building packages

See README.md in the cloned repo for details about requirements and build instructions.

1. You need a Windows 11 machine with Docker Desktop configured for Windows containers.
2. Open a PowerShell prompt and execute ./Build-Docker.ps1.
3. Wait — initial image creation can take over an hour on a high-end notebook; subsequent builds may take around 30 minutes.

Getting support

We’re here to help. Enterprise customers can email [email protected] for help with source access, builds, or questions about the source-available license. Customers with Enterprise E2 support plans or higher can also reach us on Microsoft Teams or Slack for real-time collaboration and faster resolution of complex issues.

Limitations

• The source code of Visual Studio Tools for Metalama and PostSharp is currently not available.
• Our obligation is limited to a successful Docker build from the unmodified source:
  • Although the repo includes CI/CD scripts, running those tests or configuring CI/CD infrastructure is not supported.
  • We do not provide support for modified source code.
• We only support building release branches for currently maintained versions.

Conclusion

Publishing PostSharp’s source is the final step in our 2025 transparency and dependability initiative, following Metalama’s earlier move to open source. Eligible customers now have full access to the source, improving supplier security and resilience.

If you want access, visit the PostSharp Customer Portal to verify your eligibility, complete the NDA/NCA process, and gain repository access.