Capability-based security for packages #13106
symbiogenesis
started this conversation in
Ideas
Replies: 1 comment
Some people have considered adding capability-based security at the level of programming languages. This would prevent supply chain attacks, such as the infamous left-pad incident.
https://borretti.me/article/introducing-austral
That is an ambitious goal, and may or may not ever be incorporated at the level of the .NET runtimes and compilers, and to make this actually work without being possible to circumvent, it would be needed at that level.
But it would be cool if we had this at the level of the package manager, at least with some basic checks.
It may be possible to use decompilers and/or inspect the IL with Cecil. And to disallow references to certain .NET framework pieces like System.IO or System.Net if the package isn't granted storage or networking permissions, respectively. Or check for p/invoke calls and disallow them.
Custom .NET implementations of various kinds of dependencies may circumvent this, and inspecting obfuscated binaries from the native toolchain may be a challenge, but perhaps obfuscated binaries could be excluded. And anything is better than what we have now, which is nothing.
Ideally you could just do something like this:
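As an added illustration of the IL-inspection idea above (not the original poster's code, and not the snippet that followed the post), here is a small Mono.Cecil scanner that flags references into namespaces a package was not granted, plus any P/Invoke declarations. It assumes the Mono.Cecil NuGet package; the capability-to-namespace table and the command-line usage are my own assumptions.

```csharp
// Added example: scan a .NET assembly's IL with Mono.Cecil and report uses of
// System.IO / System.Net members without the matching capability, and P/Invokes.
// Assumes the Mono.Cecil package. Reflection, dynamic code and obfuscated or
// native code are not covered, as the discussion notes.
using System;
using System.Collections.Generic;
using System.Linq;
using Mono.Cecil;

static class CapabilityScanner
{
    // Capability name -> namespace prefixes it unlocks (assumed table).
    static readonly Dictionary<string, string[]> Capabilities = new()
    {
        ["storage"]    = new[] { "System.IO" },
        ["networking"] = new[] { "System.Net" },
    };

    public static List<string> Scan(string assemblyPath, ISet<string> granted)
    {
        var findings = new List<string>();
        var denied = Capabilities.Where(c => !granted.Contains(c.Key))
                                 .SelectMany(c => c.Value).ToArray();
        using var asm = AssemblyDefinition.ReadAssembly(assemblyPath);
        foreach (var type in asm.MainModule.GetTypes())   // includes nested types
        foreach (var method in type.Methods)
        {
            if (method.IsPInvokeImpl)
                findings.Add($"{method.FullName}: P/Invoke into {method.PInvokeInfo.Module.Name}");
            if (!method.HasBody) continue;
            foreach (var ins in method.Body.Instructions)
            {
                // call/callvirt/newobj/ldfld/ldtoken operands are MemberReferences.
                if (ins.Operand is not MemberReference member) continue;
                string ns = member is TypeReference t ? t.Namespace
                                                      : member.DeclaringType?.Namespace ?? "";
                if (denied.Any(d => ns == d || ns.StartsWith(d + ".")))
                    findings.Add($"{method.FullName}: uses {member.FullName} without capability");
            }
        }
        return findings;
    }

    // Usage: scanner <assembly.dll> [storage] [networking]; non-zero exit on findings.
    static int Main(string[] args)
    {
        var granted = new HashSet<string>(args.Skip(1), StringComparer.OrdinalIgnoreCase);
        var findings = Scan(args[0], granted);
        findings.ForEach(Console.WriteLine);
        return findings.Count == 0 ? 0 : 1;
    }
}
```

A package manager could run this at restore time and fail the build when an ungranted namespace or a P/Invoke shows up, which is the "basic check" the post asks for.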