Currently NuGet is not a reliable source

Topics: General
Dec 23, 2013 at 11:25 PM
Edited Dec 23, 2013 at 11:33 PM
I'm sorry to write this, but for me NuGet is not a reliable source of packages.
Why:
  1. Packages can be added by anyone, which means that someone can add someone else's library without his knowledge and without any guarantee that the source/library wasn't changed.
    How many of you users check whether a package downloaded from NuGet contains exactly the same code/library as the one provided by the author?
  2. There are PLENTY of OUTDATED packages. Someone, or the author, registered it on NuGet and then stopped updating it.
    Has anyone compared whether the version provided by NuGet is the latest version released by the author?
  3. Packages have crappy settings - I don't remember which package it was, but I once installed a package which broke my web.config (it removed all references to .NET MVC stuff).
  4. Ah, and the awesome names of files provided by NuGet (and authors). A good example here is knockout.mapping-latest.js - when you open this file it says v2.4.0, and when you navigate to the knockout site you can find out that "latest" means only an 11-month-old version - version v2.4.1 was released 11 months ago. WOW.
I think the NuGet team should consider changing the way packages are added to a model in which members of the NuGet team are responsible for creating and updating packages, and people's role is just to point a link to the authors' site on which further releases will be deployed.

I don't know if the people involved in NuGet are hired by MS, but if MS is promoting NuGet as such a super solution, they should take some responsibility for it.

What do you think?
Jan 28, 2014 at 9:07 PM
I agree. I worry that when I download something from NuGet, there may be something not right. How do I know who is posting the packages and how safe the packages are?
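
The check asked about in point 1 of the first post can be scripted. The following is an added example, not part of the thread and not NuGet's own tooling: it opens a .nupkg (a ZIP archive) and compares each payload file's SHA-256 with the copy downloaded from the author's site. The function names, `Example.dll` and the sample contents are assumptions constructed for illustration.

```python
import hashlib
import io
import zipfile

# Entries added while packing; they never exist in the author's own release.
PACKAGING_METADATA = ("_rels/", "package/", "[Content_Types].xml")

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def compare_nupkg_to_release(nupkg: bytes, release: dict) -> dict:
    """Map each payload path in the package to 'match', 'mismatch' or 'not_in_release'.

    release is {file name: bytes} as obtained from the author's own site.
    Files are matched by base name, because a package relocates them
    under folders such as lib/<framework>/ or content/.
    """
    wanted = {name: sha256(data) for name, data in release.items()}
    report = {}
    with zipfile.ZipFile(io.BytesIO(nupkg)) as zf:
        for info in zf.infolist():
            path = info.filename
            if (info.is_dir() or path.endswith(".nuspec")
                    or path.startswith(PACKAGING_METADATA)):
                continue
            base = path.rsplit("/", 1)[-1]
            if base not in wanted:
                report[path] = "not_in_release"   # shipped only by the package
            elif sha256(zf.read(info)) == wanted[base]:
                report[path] = "match"
            else:
                report[path] = "mismatch"         # same name, different bytes
    return report

def build_sample_nupkg(files: dict) -> bytes:
    """Constructed sample input: build a tiny .nupkg in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, data in files.items():
            zf.writestr(path, data)
    return buf.getvalue()

if __name__ == "__main__":
    release = {"Example.dll": b"author build 1.0"}            # constructed
    package = build_sample_nupkg({
        "Example.nuspec": b"<package/>",
        "lib/net45/Example.dll": b"author build 1.0 + extra",  # differs
        "content/Scripts/example.js": b"// not in the release",
    })
    for path, status in compare_nupkg_to_release(package, release).items():
        print(f"{status:15} {path}")
```

A mismatch only shows that the bytes differ from the author's download; a rebuild from the same source also produces one, so it is a prompt to inspect the file rather than proof of tampering.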