packages and trust

Oct 7, 2010 at 7:19 AM

How do we prove the provenance of a package? Who owns it? Can someone else overwrite it with a modified version? What is to stop a 3rd party uploading a tampered package?

Okay a lot of questions but I have been looking at a number of .NET package managers over the past few weeks (only recently discovering Nu) and then voila nupack is born.

I am excited about NuPack (Nu had a delivery infrastructure, WebGac had VS integration) but the quality of packages is of importance to me (and others in this space according to email conversations I have had).

We are dealing with a binary downloads rather than source so subtle bugs introduced by 'evil' 3rd parties is an issue to me.

I'd prefer that the packages are grabbed from the OSS sites themselves i.e. the packager could join the project as a contributor and maintain the package creation such that it is built as part of the OSS delivery mechanism. Even sign the package in some way. Thoughts?

Oct 7, 2010 at 7:49 AM
Edited Oct 8, 2010 at 4:24 AM

Once we have a gallery implementation, it’ll work a lot like or You’ll create an account and you’ll upload packages that you own. Someone won’t be able to overwrite a package that you uploaded. 

We’re looking at some signing options for proving ownership:


Also, we’d like to support two models:

  • You can upload your package and let the gallery host it ( does this)
  • You can host the package elsewhere and link to it from our gallery (like Web PI does)