
NuGet package manager should display 'Owner' field for NuGet.org packages #6631

Closed
anangaur opened this issue Mar 1, 2018 · 12 comments

Comments

@anangaur (Member) commented Mar 1, 2018

Author being a free text field is often misused and causes confusion to the developers consuming packages. The proposal is to show the owner information in PM UI when the information is available from the feed/repository like NuGet.org.

@clairernovotny commented Mar 1, 2018

Better yet, it should be showing the CN off of a signed package if signed. I'd even say instead of the owner as a more authoritative verification. That also works regardless of package source.

The GUIs and NuGet.org should have it.

@anangaur (Member, Author) commented Mar 2, 2018

@onovotny Makes sense. We have been discussing this since signing was incubated. But it also adds to the confusion as to what is shown. I was thinking to have an account setting to have a Display name that can be a CN from the registered certificates.
/cc: @rido-min who is really passionate about this change. :)

@rido-min commented Mar 2, 2018

With repository signatures we could show the owners included in the signature metadata.

@clairernovotny commented Mar 2, 2018

Is there a value in owners, even in signature metadata? I would think there is value in showing a CA-vetted identity prominently.

@rido-min commented Mar 2, 2018

We'd need to revisit the decision to have different UI for signed vs. unsigned packages.

@clairernovotny

@rido-min you know where I stand on that and always happy to participate in any conversation around that topic :)

@anangaur (Member, Author) commented Mar 2, 2018

The topic has been beaten to death, but I see no harm in showing that a package has been signed by an entity in the details page on the PM UI. This is a package property - it needs to show up somewhere?

@clairernovotny commented Mar 2, 2018

@anangaur I would expect the following behavior --

The CN shows up in the search results to help differentiate a bogus package from a real one. In that context, the package isn't downloaded, so I'd expect the search result endpoint to provide that extracted information. It could then download the public cert "just in time" upon request to show in the UI (on click).

Showing it in the details portion is "too late," as a primary reason for code signing is to disambiguate and prove ownership.

@rido-min commented Mar 2, 2018

> to help differentiate a bogus package from a real one.

That's the issue, since being signed does not mean being "safe". We got feedback from everyone that we should not make any UI distinction on signed vs. unsigned.
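To make the two points above concrete (reading the signer's CN out of a package without downloading anything else, and the fact that a CN is only as meaningful as the validation behind it), here is an added example; it is not NuGet client code and not anything posted in this thread. It assumes that a signed .nupkg is a zip archive carrying a detached CMS/PKCS#7 signature at the archive root named `.signature.p7s` and that the signature embeds the signing certificate, which matches the NuGet package-signature layout; the `.nuspec` contents, the package id `Contoso.Tools` and the signer names are constructed sample data, and the self-signed certificate minted here stands in for a CA-issued code-signing certificate so the example runs offline. It needs the third-party `cryptography` package.

```python
"""Extract the signing certificate's Common Name from a NuGet package.

Added example, not NuGet client code. Assumptions (see lead-in):
  * a signed .nupkg is a zip with a detached CMS signature stored at the
    archive root as ".signature.p7s";
  * the signature embeds the signing certificate.
Requires: pip install cryptography
"""
import datetime
import io
import zipfile

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs7
from cryptography.x509.oid import NameOID

SIGNATURE_ENTRY = ".signature.p7s"

# Constructed sample manifest; a real package carries a full .nuspec.
SAMPLE_NUSPEC = b"""<?xml version="1.0"?>
<package><metadata>
  <id>Contoso.Tools</id><version>1.0.0</version>
  <authors>Anyone can type anything here</authors>
</metadata></package>
"""


def _self_signed_cert(common_name):
    """Mint a throwaway self-signed certificate with the requested CN.

    Stand-in for a CA-issued code-signing certificate (assumption, so the
    example runs offline). Anyone can mint one of these with any CN.
    """
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=1))
        .sign(key, hashes.SHA256())
    )
    return cert, key


def build_sample_nupkg(signer_cn=None):
    """Return a minimal in-memory .nupkg; signed (detached CMS) if a CN is given."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Contoso.Tools.nuspec", SAMPLE_NUSPEC)
        if signer_cn is not None:
            cert, key = _self_signed_cert(signer_cn)
            # NuGet signs a hash over the package contents; the manifest
            # bytes stand in for that here.
            sig = (
                pkcs7.PKCS7SignatureBuilder()
                .set_data(SAMPLE_NUSPEC)
                .add_signer(cert, key, hashes.SHA256())
                .sign(serialization.Encoding.DER,
                      [pkcs7.PKCS7Options.DetachedSignature])
            )
            zf.writestr(SIGNATURE_ENTRY, sig)
    return buf.getvalue()


def signer_common_names(nupkg_bytes):
    """Return the CNs of the certificates embedded in the package signature.

    Returns None for an unsigned package. Read-only: no signature, chain or
    trust validation is performed, so the CN is whatever the signer's
    certificate claims.
    """
    with zipfile.ZipFile(io.BytesIO(nupkg_bytes)) as zf:
        if SIGNATURE_ENTRY not in zf.namelist():
            return None
        sig_der = zf.read(SIGNATURE_ENTRY)
    names = []
    for cert in pkcs7.load_der_pkcs7_certificates(sig_der):
        cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
        names.append(cn[0].value if cn else "")
    return names


if __name__ == "__main__":
    print(signer_common_names(build_sample_nupkg()))                 # None
    print(signer_common_names(build_sample_nupkg("Contoso Tools")))  # ['Contoso Tools']
    # A self-signed cert can claim any CN; without chain validation the
    # displayed name is as free-form as the <authors> field.
    print(signer_common_names(build_sample_nupkg("Some Well-Known Vendor")))
```

The last call is the caveat in code: because `signer_common_names` only reads the embedded certificate, it reports whatever CN the signer minted. A client that surfaces the CN in search results would have to validate the signature and chain it to a trusted root first, otherwise the CN is just another free text field.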

@anangaur (Member, Author) commented Mar 2, 2018

I see where the discussion is going.. again.. :) - that's why I mentioned:

> The topic beaten to death..

@clairernovotny commented Mar 2, 2018 via email

@nkolev92 (Member)

Duplicate of #442
