Comparing changes
base repository: dotnet/android-libzipsharp
base: 1.0.22
head repository: dotnet/android-libzipsharp
compare: 1.0.23
  • 2 commits
  • 5 files changed
  • 1 contributor

Commits on Feb 9, 2021

  1. [ci] Update packageSources in NuGet.config (#80)

    Context: https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
    Context: https://azure.microsoft.com/en-us/resources/3-ways-to-mitigate-risk-using-private-package-feeds/
    Context: https://devdiv.visualstudio.com/DevDiv/_wiki/wikis/DevDiv.wiki/12676/ncident-help-for-Substitution-attack-risk-from-multiple-package-feeds
    
    There is a Package Substitution Attack inherent in NuGet, whereby
    if multiple package sources provide packages with the same name,
    it is *indeterminate* which package source will provide the package.
    
    For example, consider the [`XliffTasks` package][0], currently
    provided from the [`dotnet-eng`][1] feed, and *not* present in the
    NuGet.org feed.  If a "hostile attacker" submits an `XliffTasks`
    package to NuGet.org, then we don't know, and cannot control, whether
    the build will use the "hostile" `XliffTasks` package from NuGet.org
    or the "desired" package from `dotnet-eng`.
    
    There are two ways to prevent this attack:
    
     1. Use `//packageSources/clear` and have *only one*
        `//packageSources/add` entry in `NuGet.config`
    
     2. Use `//packageSources/clear` and *fully trust* every
        `//packageSources/add` entry in `NuGet.config`.
        `NuGet.org` *cannot* be a trusted source, nor can any feed
        location which allows "anyone" to add new packages, nor can
        a feed which itself contains [upstream sources][2].
    
    As the `XliffTasks` package is *not* in `NuGet.org`, option (1)
    isn't an option.  Go with option (2), using the existing
    `dotnet-eng` source and the new *trusted* [`dotnet-public`][3]
    package source.
    
    [0]: https://github.com/dotnet/xliff-tasks
    [1]: https://dev.azure.com/dnceng/public/_packaging?_a=feed&feed=dotnet-eng
    [2]: https://docs.microsoft.com/en-us/azure/devops/artifacts/concepts/upstream-sources?view=azure-devops
    [3]: https://dev.azure.com/dnceng/public/_packaging?_a=feed&feed=dotnet-public
    dellis1972 authored Feb 9, 2021
    Commit 9853933
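A mechanical check for the `NuGet.config` property the commit message describes (a `<clear />` that precedes every `<add>`, and no source that anyone can publish to). This is an added example, not code from the android-libzipsharp repository; the two sample configs are constructed, and the dnceng feed URLs are assumed to be the standard v3 endpoints of the feeds linked above rather than copied from the project's own `NuGet.config`.

```python
import xml.etree.ElementTree as ET

# Hosts where "anyone" can publish a package; a feed there can never be the
# fully trusted source that option (2) requires. Constructed list for this example.
PUBLIC_UPLOAD_HOSTS = ("nuget.org",)


def audit_package_sources(config_xml: str) -> list[str]:
    """Return findings for a NuGet.config; an empty list means it satisfies option (2)."""
    findings = []
    sources = ET.fromstring(config_xml).find("packageSources")
    if sources is None:
        return ["no <packageSources>: feeds from user- and machine-level config are inherited"]
    children = list(sources)
    # <clear /> must come first; otherwise sources from other config layers still apply
    if not children or children[0].tag != "clear":
        findings.append("<packageSources> does not start with <clear />")
    for add in (c for c in children if c.tag == "add"):
        key, url = add.get("key", "?"), add.get("value", "")
        host = url.split("//", 1)[-1].split("/", 1)[0].lower()
        if any(host == h or host.endswith("." + h) for h in PUBLIC_UPLOAD_HOSTS):
            findings.append(f"source '{key}' ({host}) accepts uploads from anyone")
    return findings


# Constructed sample configs. The dnceng URLs are assumed to be the standard v3
# endpoints of the feeds the commit links to, not copied from the repository.
WEAK_CONFIG = """<configuration>
  <packageSources>
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
    <add key="dotnet-eng" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-eng/nuget/v3/index.json" />
  </packageSources>
</configuration>"""

HARDENED_CONFIG = """<configuration>
  <packageSources>
    <clear />
    <add key="dotnet-eng" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-eng/nuget/v3/index.json" />
    <add key="dotnet-public" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public/nuget/v3/index.json" />
  </packageSources>
</configuration>"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_package_sources(cfg) or "OK")
```

The weak config reports both the missing `<clear />` and the nuget.org source; the hardened one, which mirrors the commit's option (2), reports nothing.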

Commits on Feb 24, 2021

  1. Include Windows pdb in Nuget (#82)

    * Include Windows pdb in Nuget
    
    * Bump version
    
    * use a wildcard
    
    * use a wildcard
    
    * use RelWithDebInfo configuration for the build
    dellis1972 authored Feb 24, 2021
    Commit 521b54e