Fetch plugins from NuGet (pretzel issue, open)

biohazard999 commented on August 21, 2024
Fetch plugins from NuGet

from pretzel.

Comments (6)

laedit commented on August 21, 2024

I agree that we should not overcomplicate this; I just want to display a warning on the console, nothing more :)

For the runtime dependency on dotnet script, I was thinking of doing that in a second part or integrating it directly in Pretzel.
Anyway, we can leave it for now :)

laedit commented on August 21, 2024

Nice idea, that is an old dream of mine 😄

But that could be dangerous, we allow anyone to download virtually any files packaged on NuGet with the right tag. We need at least to display a warning.

We also need to think about a (simple) dependency system, for plugins needing ScriptCs (dotnet script in the near future).

biohazard999 commented on August 21, 2024

> Nice idea, that is an old dream of mine 😄

Always wanted to build something like this 😁

> But that could be dangerous, we allow anyone to download virtually any files packaged on NuGet with the right tag. We need at least to display a warning.

Package signing could be the solution to this. But on the other hand: we do that all the time.
But we should at least hash the packages and compare them with a baseline to avoid package spoofing.

> We also need to think about a (simple) dependency system, for plugins needing ScriptCs (dotnet script in the near future).

If we just follow the dependencies of the NuGet packages, plugin authors could just define their dependencies in their package.

laedit commented on August 21, 2024

> Package signing could be the solution to this. But on the other hand: we do that all the time.
> But we should at least hash the packages and compare them with a baseline to avoid package spoofing.

That can check integrity and identity, but we should signal that we haven't validated/checked these plugins and cannot guarantee that they are safe.

> If we just follow the dependencies of the NuGet packages, plugin authors could just define their dependencies in their package.

I haven't thought of that, that could do it, but since it is a runtime dependency I think we will have to treat it specifically.

biohazard999 commented on August 21, 2024

> That can check integrity and identity, but we should signal that we haven't validated/checked these plugins and cannot guarantee that they are safe.

We can check how the Cake guys treat this problem.

> I haven't thought of that, that could do it, but since it is a runtime dependency I think we will have to treat it specifically.

We could advise plugin authors to use Fody.ILMerge instead of fetching dependencies or the new AssemblyLoadContext in netcore3.0 (I'm not sure about net4 support on this).

biohazard999 commented on August 21, 2024

But I think we should not overcomplicate, throw in a prototype, check integrity and see if plugin authors will jump on :)
I have a few new plugins in mind and would love to build this feature. Of course manual plugins should work as before.

from pretzel.
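
The hash-and-baseline check proposed in the thread, together with the "not reviewed" warning, as an added C# example that is not Pretzel's code and not from either commenter. The type and method names, the `id/version` key format, the package names and the choice of SHA-512 are assumptions, and the package bytes are constructed sample data.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Cryptography;
using System.Text;

enum PinResult { Match, Mismatch, Unpinned }

static class PluginPin
{
    // SHA-512 over the raw package bytes, base64-encoded (hash choice is an assumption).
    public static string Hash(Stream nupkg)
    {
        using (var sha = SHA512.Create())
            return Convert.ToBase64String(sha.ComputeHash(nupkg));
    }

    // baseline maps "id/version" (hypothetical key format) to the expected hash.
    public static PinResult Check(string id, string version, Stream nupkg, IReadOnlyDictionary<string, string> baseline)
    {
        // Fail closed: a package without a recorded baseline is never reported as verified.
        string key = id.ToLowerInvariant() + "/" + version;
        if (!baseline.TryGetValue(key, out string expected))
            return PinResult.Unpinned;
        return string.Equals(expected, Hash(nupkg), StringComparison.Ordinal)
            ? PinResult.Match : PinResult.Mismatch;
    }
}

static class Demo
{
    static void Report(string label, PinResult result)
    {
        Console.WriteLine($"{label}: {result}");
        if (result == PinResult.Match)   // a matching hash proves integrity only
            Console.WriteLine("  warning: hash matches, but this plugin has not been reviewed");
        else
            Console.WriteLine("  refusing to load plugin");
    }

    static void Main()
    {
        // Constructed sample bytes standing in for downloaded .nupkg files.
        byte[] good = Encoding.UTF8.GetBytes("constructed plugin package bytes");
        byte[] tampered = Encoding.UTF8.GetBytes("constructed plugin package bytes!");
        var baseline = new Dictionary<string, string> { ["pretzel.sampleplugin/1.0.0"] = PluginPin.Hash(new MemoryStream(good)) };
        Report("pinned", PluginPin.Check("Pretzel.SamplePlugin", "1.0.0", new MemoryStream(good), baseline));
        Report("tampered", PluginPin.Check("Pretzel.SamplePlugin", "1.0.0", new MemoryStream(tampered), baseline));
        Report("unpinned", PluginPin.Check("Pretzel.Other", "2.0.0", new MemoryStream(good), baseline));
    }
}
```

The baseline is only as trustworthy as the channel it arrives through, so it has to be distributed separately from the package download it is meant to check.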
