Package Immutability
Status: Incubation
With Package Signing, we have two primary goals: Package Integrity and Package Authenticity.
The package signing blog post calls out several key design principles; this spec focuses on Package Immutability.
The discussion around this spec is tracked here - Package Immutability #5917
To guarantee the integrity of a package, the package contents must not change from the time it was authored and signed to the time a developer consumes it, i.e. the package contents must be immutable, and this includes the nuspec. Editing the package metadata changes the nuspec, which invalidates any existing signature. Thus, editing package metadata violates the key design principle of Package Immutability.
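To make the point concrete, here is an added example (not part of the NuGet spec or its code) that builds a minimal .nupkg, signs a hash of every entry including the nuspec, then edits only the description the way the "edit package" button would and shows the original signature no longer verifies. The package id, the payload bytes and the HMAC key are constructed stand-ins; a real NuGet author signature uses an X.509 certificate, and the file names are hypothetical.

```python
import hashlib
import hmac
import io
import zipfile
# Constructed sample manifest standing in for a real package's .nuspec.
NUSPEC = """<package>
  <metadata>
    <id>Contoso.Sample</id>
    <version>1.0.0</version>
    <description>Original description.</description>
  </metadata>
</package>"""

# Hypothetical key: a real author signature uses an X.509 certificate, not an HMAC.
SIGNING_KEY = b"demo-signing-key"

def build_package(nuspec: str) -> bytes:
    """Build a minimal .nupkg (a zip) holding the nuspec plus one constructed payload file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Contoso.Sample.nuspec", nuspec)
        z.writestr("lib/netstandard2.0/Contoso.Sample.dll", b"MZ constructed payload")
    return buf.getvalue()

def content_hash(package: bytes) -> bytes:
    """Hash every entry (name and bytes) in a stable order; the nuspec is covered too."""
    h = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        for name in sorted(z.namelist()):
            h.update(name.encode())
            h.update(z.read(name))
    return h.digest()

def sign(package: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, content_hash(package), hashlib.sha256).digest()

def verify(package: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(sign(package), signature)

def edit_metadata(package: bytes, old: str, new: str) -> bytes:
    """Simulate the 'edit package' button: rewrite only the nuspec, keep the payload."""
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        nuspec = z.read("Contoso.Sample.nuspec").decode().replace(old, new)
    return build_package(nuspec)

def demo() -> tuple:
    """Return (original verifies, edited verifies) against the original signature."""
    original = build_package(NUSPEC)
    sig = sign(original)
    edited = edit_metadata(original, "Original description.", "Edited description.")
    return verify(original, sig), verify(edited, sig)
```

Because the hash covers the nuspec bytes, even a one-word description edit breaks verification, which is exactly why metadata editing has to go once packages are signed.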
On NuGet.org, there are two ways you can edit the package metadata:
- verify stage of the package upload workflow
- edit package button on a published package
To adhere to the design principle of package immutability, the ability to edit package metadata will be phased out.
For signed packages, the package cannot be edited on NuGet.org.
For unsigned packages, we have a phased approach:
These banners will call out the recommendation of not editing a package after it has been authored and point to a readme link that explains the reasoning for this recommendation.
Check out the proposals in the accepted & proposed folders on the repository, and active PRs for proposals being discussed today.