lucenenet-user mailing list archives

From Troy Howard <thowar...@gmail.com>
Subject Re: Removing signing of assemblies (starting in v4)
Date Mon, 28 Apr 2014 18:20:29 GMT
FWIW, I totally support Itamar's plan of delivering unsigned libs as the
main distribution and offering signed as an optional download. Best of both
worlds.

Re: scripts to do the signing.. Worth noting that people can't sign as us
without our key file. They can of course, sign with their own key file, but
that wouldn't be a drop in replacement for our signed libs. It would
essentially represent a private fork, which is of course, totally fine, but
would mean a dependency signature update, which may have conflict w/ other
libs they use that also depend on our lib.

Thanks,
Troy


On Mon, Apr 28, 2014 at 10:16 AM, Itamar Syn-Hershko <itamar@code972.com> wrote:

> And compile every component we use in (spatial4n, NTS, etc) and kill every
> opportunity for people to enhance Lucene.NET on their own? no thanks
>
> --
>
> Itamar Syn-Hershko
> http://code972.com | @synhershko <https://twitter.com/synhershko>
> Freelance Developer & Consultant
> Author of RavenDB in Action <http://manning.com/synhershko/>
>
>
> On Mon, Apr 28, 2014 at 7:15 PM, Petar Repac <petar.repac@gmail.com>
> wrote:
>
> >
> > http://jeremydmiller.com/2014/04/28/fubumvc-lessons-learned-strong-naming-woes-and-workarounds/
> >
> > ILMerge ?
> >
> >
> > On Mon, Apr 28, 2014 at 7:13 PM, Rob Vesse <rvesse@dotnetrdf.org> wrote:
> >
> > > +1 to Oren's point here
> > >
> > > Remember the signing dependency issue works both ways, there are lots of
> > > other projects that depend on Lucene.Net which do sign their dependencies
> > > and so changing whether the project is signed breaks upstream consumers of
> > > the library
> > >
> > > An unsigned assembly can happily depend on a signed assembly whereas the
> > > opposite is not true
> > >
> > > Regardless of how effective/valuable SN signing is we are unfortunately
> > > stuck with it in the .Net world and you will only get grief.
> > >
> > > My own project got rid of signing for a while and had to bring it back
> > > because we got too many user complaints about this.  For comparison my
> > > project has ~10k downloads on NuGet whereas Lucene.Net has ~500k so I
> > > would strongly suspect you will get far more user complaints far more
> > > quickly if you drop signing in future releases.
> > >
> > > Rob
> > >
> > >
> > > On 23/04/2014 08:11, "Oren Eini (Ayende Rahien)" <ayende@ayende.com>
> > > wrote:
> > >
> > > >In many corporate environments that is a big requirement
> > > >In a library like Lucene, where other people depend on it, a signed build is
> > > >important
> > > >On Apr 23, 2014 2:27 PM, "Petar Repac" <petar.repac@gmail.com> wrote:
> > > >
> > > >> There is a long discussion about SN here:
> > > >> https://nuget.codeplex.com/discussions/247827
> > > >>
> > > >> I'd suggest that even if the decision is not to sign, there should be an easy
> > > >> way to get signed assemblies.
> > > >>
> > > >> Like:
> > > >> 1. clone repo (signing keys are publicly accessible in repository)
> > > >> 2. run BuildSigned.bat (or PowerShell script, Rake, ....)
> > > >> 3. c/p files from /build folder
> > > >>
> > > >> I stopped signing my assemblies long ago, but probably there still are many
> > > >> that still do
> > > >> and the fewer obstacles in adopting Lucene.NET the better.
> > > >>
> > > >> Regards,
> > > >> Petar Repac
> > > >>
> > > >>
> > > >>
> > > >>
> > > >>
> > > >>
> > > >> On Wed, Apr 23, 2014 at 1:10 PM, Itamar Syn-Hershko <itamar@code972.com> wrote:
> > > >>
> > > >> > All Lucene.NET assemblies are signed, aka strongly named.
> > > >> >
> > > >> > We are starting to run into problems with dependencies which are not being
> > > >> > signed. What's becoming more common in the .NET world (OSS mainly) is to
> > > >> > stop signing assemblies because it's
> > > >> > pretty <http://stackoverflow.com/questions/20105103/are-signed-net-assemblies-ever-fully-verified-when-loaded-to-check-they-haven>
> > > >> > much <http://stackoverflow.com/questions/1197133/anything-wrong-with-not-signing-a-net-assembly>
> > > >> > useless <http://msdn.microsoft.com/en-us/magazine/cc163583.aspx> (in the
> > > >> > last link: What Strong Names Can't Do).
> > > >> >
> > > >> > Regardless of the argument about SN it seems to bring more friction and
> > > >> > trouble than anything good, especially considering we are an open-source
> > > >> > library.
> > > >> >
> > > >> > Case in question, I'm moving to updating the spatial module and want to
> > > >> > fetch dependencies from nuget. While spatial4n is signed (so it can be used
> > > >> > from Lucene.NET), NTS+GeoAPI are not and don't appear to get signed any
> > > >> > time soon. Since signed assemblies cannot reference non-strongly-named
> > > >> > assemblies, I can't currently do that - not through nuget at least. This
> > > >> > introduces a lot of frustration and tons of friction which I'd like to have
> > > >> > removed.
> > > >> >
> > > >> > Ideally I'd want to move to removing strong-naming from all Lucene.NET
> > > >> > assemblies (v4 and forward), and having a wiki page that describes why
> > > >> > signing is pointless and how to manually sign it if you insist.
> > > >> >
> > > >> > I can see 2 disadvantages for not signing, both of which I doubt really
> > > >> > matter nowadays and given our usage scenarios:
> > > >> >
> > > >> > 1. Deploy Lucene.NET to the GAC without further steps (non-signed
> > > >> > assemblies can be SN or ILMerged as part of the install process)
> > > >> >
> > > >> > 2. Signed assemblies / project won't be able to get Lucene.NET from nuget
> > > >> > directly because they'll have to sign it before referencing it. Or lose SN
> > > >> > themselves.
> > > >> >
> > > >> > Thoughts?
> > > >> >
> > > >> > --
> > > >> >
> > > >> > Itamar Syn-Hershko
> > > >> > http://code972.com | @synhershko <https://twitter.com/synhershko>
> > > >> > Freelance Developer & Consultant
> > > >> > Author of RavenDB in Action <http://manning.com/synhershko/>
> > > >> >
> > > >>
> > >
> > >
> > >
> > >
> > >
> >
>
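
Added example, not part of the original thread and not code from the Lucene.NET project: a small Python model of why a copy re-signed with a different key file is not a drop-in replacement, and of the rule that a strong-named assembly cannot reference an unsigned one. The two moduli are constructed stand-ins rather than real keys, the version string is a constructed sample, and the function names and the simplified binding check are assumptions made for illustration.

```python
import hashlib
import struct

def make_public_key_blob(modulus: bytes, exponent: int = 65537) -> bytes:
    """Strong-name public key blob for an RSA modulus (big-endian in)."""
    rsa_pub = b"RSA1" + struct.pack("<II", len(modulus) * 8, exponent) + modulus[::-1]
    # BLOBHEADER: PUBLICKEYBLOB (0x06), version 2, reserved, CALG_RSA_SIGN
    key_blob = struct.pack("<BBHI", 0x06, 0x02, 0, 0x2400) + rsa_pub
    # Strong-name header: signature algorithm, hash algorithm (SHA-1), blob length
    return struct.pack("<III", 0x2400, 0x8004, len(key_blob)) + key_blob

def public_key_token(blob: bytes) -> str:
    """PublicKeyToken: last 8 bytes of SHA-1(public key blob), byte-reversed."""
    return hashlib.sha1(blob).digest()[-8:][::-1].hex()

def constructed_modulus(label: str) -> bytes:
    """Deterministic 1024-bit stand-in for a modulus. Constructed, not a real key."""
    raw = b"".join(hashlib.sha256(f"{label}:{i}".encode()).digest() for i in range(4))
    return bytes([raw[0] | 0x80]) + raw[1:]

def resolves(reference: tuple, candidate: tuple) -> bool:
    """Simplified binding: name, version and token must all match."""
    return reference == candidate

def may_reference(referrer_token, dependency_token) -> bool:
    """A strong-named referrer (token set) needs a strong-named dependency."""
    return referrer_token is None or dependency_token is not None

PROJECT_BLOB = make_public_key_blob(constructed_modulus("project-key"))
FORK_BLOB = make_public_key_blob(constructed_modulus("private-fork-key"))
PROJECT_TOKEN = public_key_token(PROJECT_BLOB)
FORK_TOKEN = public_key_token(FORK_BLOB)

# Identity a downstream library records when compiled against the project's
# signed build. The version string is a constructed sample.
REFERENCE = ("Lucene.Net", "4.0.0.0", PROJECT_TOKEN)

if __name__ == "__main__":
    print("project token:", PROJECT_TOKEN)
    print("fork token:   ", FORK_TOKEN)
    print("binds to project build:", resolves(REFERENCE, ("Lucene.Net", "4.0.0.0", PROJECT_TOKEN)))
    print("binds to re-signed fork:", resolves(REFERENCE, ("Lucene.Net", "4.0.0.0", FORK_TOKEN)))
    print("signed -> unsigned allowed:", may_reference(PROJECT_TOKEN, None))
    print("unsigned -> signed allowed:", may_reference(None, PROJECT_TOKEN))
```

Because the token is derived only from the public key, every consumer compiled against the project's signed build would have to be rebuilt against the fork's token before it could load the re-signed copy.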
