Patrick Stevens

Results: 87 comments of Patrick Stevens

My purpose in attestation here is to credibly claim that an open-source package has the contents it appears to have. I can claim that package Foo.Bar was built from Git...

To be extremely concrete, I have some packages that I wrote myself which I wish to use in a context where the integrity of the code we're running is important:...

The problem with author certificates is that the *organisation* then needs to control the source repository. If *I* am administrator of the source repository, I can obtain the author certificate...

Yeah, the obvious proof-of-concept for this is [the standard .NET workflow on NixOS](https://github.com/NixOS/nixpkgs/blob/6efefdc8c16fe1c483f35e3c5f6c1de45f5f4e23/pkgs/build-support/dotnet/build-dotnet-module/default.nix), which fetches every package from [a lockfile](https://github.com/Smaug123/WoofWare.Myriad/blob/669eccbdef483a904ebed8b186208203925879d6/nix/deps.nix) into an isolated environment and [sets the NuGet source to...

The instability of NuGet package SHAs, by the way, is aesthetically displeasing for Nix as well. It *should*, morally, be the case that I can build a package from source...

Yeah, NixOS's setup gives that stuff for free. I guarantee the "isolated" property of the Dotnet.ReproducibleBuilds.Isolated package by packaging with Nix, and I lock the SDK and all NuGet packages...

EDIT: I suspect I've found it, it's https://github.com/NuGet/NuGet.Client/blob/128a5066b1438627ac69a2ffe9de564b2c09ee4d/src/NuGet.Core/NuGet.Packaging/Signing/Archive/SignedPackageArchiveIOUtility.cs#L518, although how NuGetGallery ends up calling this is a mystery to me. Is there anywhere I can see NuGet.org's logic for...

Thanks, that comment clarifies something that in hindsight was fuzzy in my mind. I care about *determinism* (a non-NuGet.org entity can recreate the package exactly), not about retrieving the original...

More generally, the docs require a bunch of Windows knowledge to read; e.g. I believe "If you pass in a short file name, it is expanded to a long file...

Sorry for the incomplete report. I didn't realise there was a Directory.Build.props file applying; it turns out that `--crossoptimize-` is also a critical part of the repro. I don't actually...