lucenenet-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Oren Eini (Ayende Rahien)" <aye...@ayende.com>
Subject Re: Removing signing of assemblies (starting in v4)
Date Wed, 23 Apr 2014 15:11:53 GMT
I'm many corporate environment that is a big requirement
In a library like Lucene, where other people depend on it, a sign build is
important
On Apr 23, 2014 2:27 PM, "Petar Repac" <petar.repac@gmail.com> wrote:

> There is a long discussion about SN here:
> https://nuget.codeplex.com/discussions/247827
>
> I'd suggest that even if decision is not to sign, there should be an easy
> way to get signed assemblies.
>
> Like:
> 1. clone repo (signing keys are publicly accessible in repository)
> 2. run BuildSigned.bat (or PowerShell script, Rake, ....)
> 3. c/p files from /build folder
>
> I stopped signing my assemblies long ago, but probably there still are many
> that still do
> and less obstacles in adopting Lucene.NET the better.
>
> Regards,
> Petar Repac
>
>
>
>
>
>
> On Wed, Apr 23, 2014 at 1:10 PM, Itamar Syn-Hershko <itamar@code972.com
> >wrote:
>
> > All Lucene.NET assemblies are signed, aka strongly named.
> >
> > We are starting to run into problems with dependencies which not being
> > signed. What's becoming more common in the .NET world (OSS mainly) is to
> > stop signing assemblies because its
> > pretty<
> >
> http://stackoverflow.com/questions/20105103/are-signed-net-assemblies-ever-fully-verified-when-loaded-to-check-they-haven
> > >
> > much<
> >
> http://stackoverflow.com/questions/1197133/anything-wrong-with-not-signing-a-net-assembly
> > >
> > useless <http://msdn.microsoft.com/en-us/magazine/cc163583.aspx> (in the
> > last link: What Strong Names Can't Do).
> >
> > Regardless of the argument about SN it seems to bring more fraction and
> > trouble than anything good, especially considering we are an open-source
> > library.
> >
> > Case in question, I'm moving to updating the spatial module and want to
> > fetch dependencies from nuget. While spatial4n is signed (so it can be
> used
> > from Lucene.NET), NTS+GeoAPI are not and don't appear to get signed any
> > time soon. Since signed assemblies cannot reference non-strongly-named
> > assemblies, I can't currently do that - not through nuget at least. This
> > introduces a lot of frustration and tons of fraction which I'd like to
> have
> > removed.
> >
> > Ideally I'd want to move to removing strong-naming from all Lucene.NET
> > assemblies (v4 and forward), and having a wiki page that describes why
> > signing is pointless and how to manually sign it if you insist.
> >
> > I can see 2 disadvantages for not signing, both of which I doubt really
> > matter nowadays and given our usage scenarios:
> >
> > 1. Deploy Lucene.NET to the GAC without further steps (non-signed
> > assemblies can be SN or ILMerged as part of the install process)
> >
> > 2. Signed assemblies / project won't be able to get Lucene.NET from nuget
> > directly because they'll have to sign it before referencing it. Or lose
> SN
> > themselves.
> >
> > Thoughts?
> >
> > --
> >
> > Itamar Syn-Hershko
> > http://code972.com | @synhershko <https://twitter.com/synhershko>
> > Freelance Developer & Consultant
> > Author of RavenDB in Action <http://manning.com/synhershko/>
> >
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message