NuGet package manager should display 'Owner' field for NuGet.org packages #6631
Author, being a free-text field, is often misused and causes confusion for the developers consuming packages. The proposal is to show the owner information in the PM UI when the information is available from the feed/repository, as it is from NuGet.org.

Comments

Better yet, it should be showing the CN from a signed package, if signed. I'd even say instead of the owner, as a more authoritative verification. That also works regardless of package source. The GUIs and NuGet.org should have it.

@onovotny Makes sense. We have been discussing this since signing was incubated. But it also adds to the confusion as to what is shown. I was thinking of having an account setting for a display name that can be a CN from the registered certificates.

With repository signatures we could show the owners included in the signature metadata.

Is there a value in owners, even in signature metadata? I would think there is value in showing a CA-vetted identity prominently.

We'd need to revisit the decision to have different UI for signed vs. unsigned packages.

@rido-min you know where I stand on that and am always happy to participate in any conversation around that topic :)

The topic has been beaten to death, but I see no harm in showing, on the details page in the PM UI, that a package has been signed by an entity. This is a package property; it needs to show up somewhere?

@anangaur I would expect the following behavior: the CN shows up in the search results to help differentiate a bogus package from a real one. In that context, the package isn't downloaded, so I'd expect the search result endpoint to provide that extracted information. It could then download the public cert "just in time" upon request to show in the UI (on click). Showing it in the details portion is "too late," as a primary reason for code signing is to disambiguate and prove ownership.

That's the issue: being signed does not mean being "safe". We got feedback from everyone that we should not make any UI distinction between signed and unsigned.

I see where the discussion is going.. again.. :) - that's why I mentioned:

Duplicate of #442
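The check discussed in the thread, reading the signer's CN out of the package signature rather than trusting the free-text author field, as an added example. This is not code from the NuGet project or from anyone in the thread. It assumes the `cryptography` library, builds a throwaway CA plus publisher leaf certificate at import time, and signs a constructed stand-in payload instead of NuGet's real signed manifest hash; the package layout it relies on (a `.nuspec` entry and the CMS signature stored as `.signature.p7s` at the zip root) matches signed NuGet packages. It goes slightly beyond the single-certificate case by picking the leaf out of a bundle that also carries the issuing CA.

```python
"""Added example: show the signing certificate's CN instead of the free-text
<authors> field of a NuGet package. Assumptions (not from the issue):
the 'cryptography' library, a constructed CA -> leaf chain generated at
import time, and a constructed payload standing in for the real signed
manifest hash."""
import datetime
import io
import zipfile
import xml.etree.ElementTree as ET

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs7
from cryptography.x509.oid import NameOID

SIGNATURE_ENTRY = ".signature.p7s"  # NuGet stores the CMS signature under this zip entry


def _make_cert(cn, key, issuer=None, issuer_key=None, is_ca=False):
    """X.509 cert for CN=cn; self-signed when no issuer is given."""
    now = datetime.datetime.now(datetime.timezone.utc)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(issuer.subject if issuer is not None else name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(issuer_key if issuer_key is not None else key, hashes.SHA256())
    )


# Constructed throwaway CA (assumption: not a real NuGet.org or public CA).
_CA_KEY = rsa.generate_private_key(public_exponent=65537, key_size=2048)
_CA_CERT = _make_cert("Constructed Test CA", _CA_KEY, is_ca=True)


def _nuspec(author_text):
    return (
        '<?xml version="1.0"?>'
        '<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">'
        "<metadata><id>Example.Package</id><version>1.0.0</version>"
        f"<authors>{author_text}</authors></metadata></package>"
    ).encode()


def build_nupkg(author_text, signer_cn=None):
    """In-memory .nupkg: a .nuspec with a free-text <authors> and, when
    signer_cn is given, a CMS SignedData in .signature.p7s produced by a
    leaf certificate with that CN issued by the constructed CA."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Example.Package.nuspec", _nuspec(author_text))
        if signer_cn is not None:
            leaf_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
            leaf = _make_cert(signer_cn, leaf_key, issuer=_CA_CERT, issuer_key=_CA_KEY)
            payload = b"constructed stand-in for the signed package manifest hash"
            sig = (
                pkcs7.PKCS7SignatureBuilder()
                .set_data(payload)
                .add_signer(leaf, leaf_key, hashes.SHA256())
                .add_certificate(_CA_CERT)  # bundle the issuer too, as real signatures do
                .sign(serialization.Encoding.DER, [pkcs7.PKCS7Options.Binary])
            )
            z.writestr(SIGNATURE_ENTRY, sig)
    return buf.getvalue()


def author_field(nupkg):
    """The free-text <authors> value: the uploader can write anything here."""
    with zipfile.ZipFile(io.BytesIO(nupkg)) as z:
        nuspec = next(n for n in z.namelist() if n.endswith(".nuspec"))
        root = ET.fromstring(z.read(nuspec))
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "authors":  # tolerate the nuspec namespace
            return el.text
    return None


def signer_common_name(nupkg):
    """CN of the leaf certificate carried in .signature.p7s, or None when the
    package is unsigned. The leaf is the bundled certificate that issued no
    other bundled certificate. A real verifier must also match it against the
    SignerInfo issuer/serial, validate the chain, and check the signature
    itself; being signed says who signed, not that the package is safe."""
    with zipfile.ZipFile(io.BytesIO(nupkg)) as z:
        if SIGNATURE_ENTRY not in z.namelist():
            return None
        certs = pkcs7.load_der_pkcs7_certificates(z.read(SIGNATURE_ENTRY))
    issuing = {c.issuer.rfc4514_string() for c in certs if c.issuer != c.subject}
    leaves = [c for c in certs if c.subject.rfc4514_string() not in issuing]
    if len(leaves) != 1:
        raise ValueError(f"expected exactly one leaf certificate, found {len(leaves)}")
    return leaves[0].subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value


# Constructed scenario: the nuspec claims "Microsoft", the signer is someone else.
SIGNED = build_nupkg("Microsoft", signer_cn="Example Publisher Ltd")
UNSIGNED = build_nupkg("Microsoft")

if __name__ == "__main__":
    for label, pkg in (("signed", SIGNED), ("unsigned", UNSIGNED)):
        print(f"{label}: authors={author_field(pkg)!r} signer_cn={signer_common_name(pkg)!r}")
```

The point of the two accessors side by side is the one made in the thread: `author_field` returns whatever the uploader typed, while `signer_common_name` returns a name a CA vetted, and for an unsigned package it returns nothing rather than a plausible-looking string.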