Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

NuGet docs do not specify behavior for ./tools or install.ps1 args #3656

Closed
mishra14 opened this issue Oct 13, 2016 · 10 comments
Closed

NuGet docs do not specify behavior for ./tools or install.ps1 args #3656

mishra14 opened this issue Oct 13, 2016 · 10 comments
Labels
Resolution:ByDesign This issue appears to be ByDesign Type:Docs
Milestone
4.5

Comments

@mishra14
Copy link
Contributor

mishra14 commented Oct 13, 2016
edited
Loading

Stemming from #3629

We do not have docs for what should be the format/args for install.ps1 and what is expected in the ./tools folder.
@mishra14 mishra14 changed the title NuGet docs do not specify behavior for ./tools NuGet docs do not specify behavior for ./tools or install.ps1 args Oct 13, 2016
@mishra14 mishra14 added this to the Future-0 milestone Jun 21, 2017
@jainaashish
Copy link
Contributor

We don't want anyone to use install.ps1 scripts anymore so it's fine we dont have much docs around it.

@jainaashish jainaashish modified the milestones: Future-0, Backlog, 4.5 Oct 18, 2017
@jainaashish jainaashish added the Resolution:ByDesign This issue appears to be ByDesign label Oct 18, 2017
@StingyJack
Copy link
Contributor

@jainaashish - whats the reason for removing something that lets us addresses gaps present in nuget?

@jainaashish
Copy link
Contributor

@StingyJack These install.ps1 and uninstall.ps1 scripts are really vulnerable and people do all kind of random stuffs in there like adding n removing same assembly reference from project or just open a readme file. Besides, most of the legit functionality which users tries to achieve through these scripts, can already be achieved via msbuild targets or props which then has a huge scope of other scenarios. So, we're asking all the customers to move from these scripts to msbuild targets to achieve the same functionality and we're here to help and make sure that transition is smooth.

@StingyJack
Copy link
Contributor

I can use an install.ps1 to work around how nuget does not handle SSDT projects or AdditionalFiles (non content), and a bunch of other stuff (setting up non-reference development dependencies, platform bitness handling w/ reference assemblies, etc).

If nuget packages are destined for adding references only, then they need to be dead simple to create and use, and all that basic functionality should just work (they aren't and it doesn't).

No "transitivity" discussion, or other features really matter.

@jainaashish
Copy link
Contributor

I can use an install.ps1 to work around how nuget does not handle SSDT projects or AdditionalFiles (non content), and a bunch of other stuff (setting up non-reference development dependencies, platform bitness handling w/ reference assemblies, etc).

Can you point me to some of the packages with these workarounds? so that we can take a look. We've recently started analyzing how can we better support sql server based projects so you might hear something there. Other than that, it's not just about adding references, NuGet packages are designed to deliver code which could include source code, content files, or other relevant data for .Net across platforms.

It already supports development dependencies, so it will be helpful to understand your specific case, and then evaluate how can we have better support for those without having a need for install.ps1

@StingyJack
Copy link
Contributor

StingyJack commented Nov 14, 2017
edited
Loading

Some are not public packages so I have to describe them.
For SSDT, its kind of a piggyback operation.

  1. The SQL project builds, creating a dacpac
  2. The related data repository assembly compiles and has a post build event to copy the dacpac from the sql project output into a folder in its own project outputs.
  3. nuget pack is called on the data repo assembly's nuspec

nuspec file example

   <file src="bin\Release\DataBase.dacpac" target="lib\net11" />
   <file src="bin\Release.net452\DataAssembly.dll" target="lib\net452" />
   <file src="bin\Release.net462\DataAssembly.dll" target="lib\net462" />

The install.ps1 is also included and copies the dacpack from the net11 folder to a more local path so the project that is ingesting the nuget package has a copy to use for deployment, and so the SSDT project in the solution can reference as well.

For AdditionalFiles, example here

I looked at the workarounds required to include both x86 and x64 and decided to just make two packages, as that is a far easier way to address that design miss.

NuGet packages are designed to deliver code which could include source code, content files....

The documentation articles explain none of this. Its all far too abstract with examples so terse they are useless.

It already supports development dependencies

Hacking it like the above is the only way I can see, as there is no documentation about development dependencies, and the options are evaporating (solution level packages, ps1's)

@StingyJack StingyJack mentioned this issue Dec 6, 2017
Closed
@karann-msft karann-msft removed their assignment Dec 18, 2017
@RussKie
Copy link

RussKie commented May 18, 2018

We don't want anyone to use install.ps1 scripts anymore so it's fine we dont have much docs around it.

No, it is absolutely not fine. There are lot of packages out there that depend on install.ps1.

So, we're asking all the customers to move from these scripts to msbuild targets to achieve the same functionality and we're here to help and make sure that transition is smooth.

Could you please point me to where the customers have been asked to do so. And I would really appreciate it if yo could point me to the docs clearly explaining how to migrate install.ps1 to MSBuild targets.
Particularly I am interested in how MSBuild targets support install-time events, because that is what we use install.ps1 for.

Thank you

@RussKie RussKie mentioned this issue May 18, 2018
Open
@jainaashish
Copy link
Contributor

I know there are packages out there with install.ps1 but the point is to restrict customers creating new packages which is why I feel it's fine to not have proper documentation around it.

There are valid security concerns with these scripts and even NuGet can't control most of these scripts behavior which is why they aren't even supported wih PackageReference based projects or new SDK styled projects.

I didn't say we're done migrating customers from these scripts to msbuild targets, rather the work is stil in progress and taking it case by case. So instead of me taking some random example, why don't you let me know why do you need these scripts for in your package? give us details about your packages and we'll see if we can suggest soem better alternate to achieve the similar behavior.

@StingyJack
Copy link
Contributor

@jainaashish - I can understand the security considerations for a public repo like nuget.org, but why should using an install.ps1 from a package served by a private repository be forbidden? The person who wrote the ps1 is well within nerf weapon range should they do anything evil with a script.

@RussKie
Copy link

RussKie commented May 21, 2018

@jainaashish examples are provided in:

Thank you

@RussKie RussKie mentioned this issue Jul 16, 2018
Closed
@bash bash mentioned this issue Jul 30, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Resolution:ByDesign This issue appears to be ByDesign Type:Docs
Projects
None yet
Milestone
4.5
Development

No branches or pull requests
6 participants
@RussKie @mishra14 @StingyJack @karann-msft @jainaashish and others