Is "Created by" in VS Manage Packages misleading (and dangerous)?

Topics: General
Apr 23, 2013 at 1:37 PM
Currently when I scroll through packages in Visual Studio, there is a "Created by" field in the right panel. On first glance it seems to be the package publisher, but it is actually the author of the contents, as set by the package publisher. Some people set it to "Microsoft" for things like WindowsAPICodePack and to "JetBrains" for ReSharper annotations.

Given that anyone can set this to anything (correct me if I am wrong), this is in the best case misleading, and in the worst case dangerous.

Misleading because the level of quality I expect from a Microsoft release is pretty high, and a sloppy package (even if all dlls are from MS, it can be missing some, have wrong platforms, etc.) can decrease my opinion of the company (unless I go and check the uploader on the web).

Dangerous because anyone can put in a malicious package "created by Microsoft", which will give false confidence to people. Such a package can even contain MS dlls, but with some IL rewriting in certain places (does anyone check public tokens?).

The minimal fix would be to show the publisher in VS UI as well, and maybe highlight the cases when it is different from the author.

Sorry if this topic was already discussed, I did not find good keywords to search for.
Apr 23, 2013 at 5:42 PM
Makes sense. Maybe we should change it to "Authors"? Would that still be misleading?
Apr 24, 2013 at 1:45 AM
I think anything that implies that the package was created by a certain entity is misleading -- "authors" can be read as "package authors" as well.
It is similar to allowing sites on the internet to display in the address string if they desire to do so.

My suggestion:
  1. If the owner of the package is the same as the author, display "Created by" as it is now.
  2. If the owner of the package is different, display an additional field "Published by" underneath "Created by", and highlight it in yellow maybe?
Not sure about multiple owners/authors, but a generalized condition might be "if all authors of the package are in the list of its owners".
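
The display rule proposed in the post above, sketched as an added example (not part of the original thread and not NuGet's code). The function names, the `gallery_owners` input (assumed to come from the gallery's account records rather than from the package file) and the sample `.nuspec` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample .nuspec: the publisher claims "Microsoft" as an author.
SAMPLE_NUSPEC = """<?xml version="1.0"?>
<package xmlns="http://schemas.microsoft.com/packaging/2010/07/nuspec.xsd">
  <metadata>
    <id>Example.ApiCodePack</id>
    <version>1.0.0</version>
    <authors>Microsoft, Contoso Tools</authors>
    <description>Constructed sample.</description>
  </metadata>
</package>"""


def _names(text):
    """Split a comma-separated nuspec list into a normalized set."""
    return {n.strip().casefold() for n in (text or "").split(",") if n.strip()}


def claimed_authors(nuspec_xml):
    """Return the self-declared <authors> values, ignoring the XML namespace."""
    root = ET.fromstring(nuspec_xml)
    for el in root.iter():
        # Tags look like '{namespace}authors'; the namespace varies by version.
        if el.tag.rsplit("}", 1)[-1] == "authors":
            return _names(el.text)
    return set()


def display_fields(nuspec_xml, gallery_owners):
    """Apply the rule from the post: add a highlighted "Published by" line
    unless every claimed author is also an owner of the package."""
    authors = claimed_authors(nuspec_xml)
    # Assumption: owner names are supplied by the gallery, not by the package.
    owners = {o.strip().casefold() for o in gallery_owners if o.strip()}
    unverified = sorted(authors - owners)
    fields = {"Created by": sorted(authors)}
    if unverified or not authors:
        fields["Published by"] = sorted(owners)
        fields["highlight"] = True
    else:
        fields["highlight"] = False
    return fields, unverified
```

The comparison is a plain case-insensitive string match, so it only shows which claimed authors are not backed by an owning account; it does not establish who an account belongs to.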
Apr 24, 2013 at 1:47 AM
Actually, we're planning to get rid of the "authors" altogether and always show "owners".
Apr 24, 2013 at 1:49 AM
Edited Apr 24, 2013 at 1:49 AM
Good point, that might be the best/simplest option (copyrights should be visible in the licenses anyway).
Apr 24, 2013 at 1:51 AM
This discussion has been copied to a work item.