Bump to xamarin/xamarin-android-tools/main@63510cfc; packageSources #796
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jonpryor
pushed a commit
to dotnet/android-tools
that referenced
this pull request
Feb 9, 2021
Context: dotnet/java-interop#796 Context: https://devdiv.visualstudio.com/DevDiv/_build/results?buildId=4454535&view=logs&jobId=f31c9f97-4411-58e7-49ac-fc73f645e6b6&j=f31c9f97-4411-58e7-49ac-fc73f645e6b6&t=35e41a6f-4381-52eb-e0f2-d95c19469a7f We're seeing a Java.Interop build attempt fail on Windows + .NET Framework Windows during a NuGet restore: ##[error]The nuget command failed with exit code(1) and error(D:\a\1\s\external\xamarin-android-tools\src\Microsoft.Android.Build.BaseTasks\Microsoft.Android.Build.BaseTasks.csproj(4,3): error : C:\hostedtoolcache\windows\dotnet\sdk\3.1.300\Sdks\Microsoft.DotNet.Arcade.Sdk\Sdk not found. Check that a recent enough .NET SDK is installed and/or increase the version specified in global.json. The "out of repo" restore attempt is failing to find the `global.json` file next to `Microsoft.Android.Build.BaseTasks.csproj`. Fix this by moving `src/Microsoft.Android.Build.BaseTasks/global.json` to `global.json`, next to `Xamarin.Android.Tools.sln`.
Context: https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610 Context: https://azure.microsoft.com/en-us/resources/3-ways-to-mitigate-risk-using-private-package-feeds/ Context: https://devdiv.visualstudio.com/DevDiv/_wiki/wikis/DevDiv.wiki/12676/ncident-help-for-Substitution-attack-risk-from-multiple-package-feeds Changes: dotnet/android-tools@26d65d9...479931c * dotnet/android-tools@479931c [build] Move global.json file to root directory (dotnet#106) * dotnet/android-tools@63510cf: [ci] Update packageSources in NuGet.config (dotnet#105) * dotnet/android-tools@83ed0a4: Bump ta xamarin/LibZipSharp/1.0.22@9f563dd1 (dotnet#104) * dotnet/android-tools@8ea78a4: Add Microsoft.Android.Build.BaseTasks project (dotnet#101) * dotnet/android-tools@b2d9fdf: [NDK] Locate and select only compatible NDK versions (dotnet#103) * dotnet/android-tools@5ff1702: [tests] Use dotnet test to run AndroidSdk-Tests (dotnet#102) * dotnet/android-tools@ad80a42: [ci] Use the new "main" default branch (dotnet#100) There is a Package Substitution Attack inherent in NuGet, whereby if multiple package sources provide packages with the same name, it is *indeterminate* which package source will provide the package. For example, consider the [`XliffTasks` package][0], currently provided from the [`dotnet-eng`][1] feed, and *not* present in the NuGet.org feed. If a "hostile attacker" submits an `XliffTasks` package to NuGet.org, then we don't know, and cannot control, whether the build will use the "hostile" `XliffTasks` package from NuGet.org or the "desired" package from `dotnet-eng`. There are two ways to prevent this attack: 1. Use `//packageSources/clear` and have *only one* `//packageSources/add` entry in `NuGet.config` 2. Use `//packageSources/clear` and *fully trust* every `//packageSources/add` entry in `NuGet.config`. `NuGet.org` *cannot* be a trusted source, nor can any feed location which allows "anyone" to add new packages, nor can a feed which itself contains [upstream sources][2]. As the `XliffTasks` package is *not* in `NuGet.org`, option (1) isn't an option. Go with option (2), using the existing `dotnet-eng` source and the new *trusted* [`dotnet-public`][3] package source. [0]: https://github.com/dotnet/xliff-tasks [1]: https://dev.azure.com/dnceng/public/_packaging?_a=feed&feed=dotnet-eng [2]: https://docs.microsoft.com/en-us/azure/devops/artifacts/concepts/upstream-sources?view=azure-devops [3]: https://dev.azure.com/dnceng/public/_packaging?_a=feed&feed=dotnet-public
jonpryor
force-pushed
the
jonp-xat-b2d9fdf8
branch
from
d5b71c7 to
c1babec
Compare
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Context: https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
Context: https://azure.microsoft.com/en-us/resources/3-ways-to-mitigate-risk-using-private-package-feeds/
Context: https://devdiv.visualstudio.com/DevDiv/_wiki/wikis/DevDiv.wiki/12676/ncident-help-for-Substitution-attack-risk-from-multiple-package-feeds
Changes: dotnet/android-tools@26d65d9...63510cf
There is a Package Substitution Attack inherent in NuGet, whereby
if multiple package sources provide packages with the same name,
it is indeterminate which package source will provide the package.
For example, consider the
XliffTaskspackage, currentlyprovided from the
dotnet-engfeed, and not present in theNuGet.org feed. If a "hostile attacker" submits an
XliffTaskspackage to NuGet.org, then we don't know, and cannot control, whether
the build will use the "hostile"
XliffTaskspackage from NuGet.orgor the "desired" package from
dotnet-eng.There are two ways to prevent this attack:
Use
//packageSources/clearand have only one//packageSources/addentry inNuGet.configUse
//packageSources/clearand fully trust every//packageSources/addentry inNuGet.config.NuGet.orgcannot be a trusted source, nor can any feedlocation which allows "anyone" to add new packages, nor can
a feed which itself contains upstream sources.
As the
XliffTaskspackage is not inNuGet.org, option (1)isn't an option. Go with option (2), using the existing
dotnet-engsource and the new trusteddotnet-publicpackage source.