protobuf icon indicating copy to clipboard operation
protobuf copied to clipboard
Published 1 week ago verified publisher icon protocolbuffers

Google.Protobuf NuGet package is not deterministic

Open martincostello opened this issue 3 months ago • 4 comments

What version of protobuf and what language are you using? Version: v3.33.0 Language: C#

What operating system (Linux, Windows, ...) and version?

N/A

What runtime / compiler are you using (e.g., python version or gcc version)

N/A

What did you do?

  1. View the NuGet package in nuget.info
  2. Observe the Health section of the package

What did you expect to see

All sources in the NuGet package are tracked, so things look like this:

Image

What did you see instead?

Image

Anything else we should know about your project / environment

N/A

martincostello avatar Oct 16 '25 07:10 martincostello

#8466 made the changes that I would expect to fix this, but for whatever reason they don't appear to be the whole story.

martincostello avatar Oct 16 '25 07:10 martincostello

I realize it's not great to have the warnings showing -- is this creating a blocker for you or a technical problem? Or is it only unexpected UI behavior?

bellspice avatar Oct 21 '25 17:10 bellspice

Well it implies that sources are missing so that the debuggability of the code from the NuGet package is compromised to some degree: Source Link

Deterministic builds enable verification that the resulting binary was built from the specified source and provide traceability. For more information about deterministic builds and instructions for enabling them, see Deterministic Builds.

martincostello avatar Oct 21 '25 17:10 martincostello

Thanks. We're taking a look at this.

bellspice avatar Oct 28 '25 17:10 bellspice