In reply to@gggkiller:matrix.org
man, I wish there was an easy way to list all packages that use buildDotnetModule in nixpkgs

Sort of a tangent, but I've taken to running fetch-deps (and update scripts) in firejail, out of paranoia, since it's not sandboxed. I couldn't think of a way to take advantage of the nix sandbox to do it...

NIX_PATH= firejail --private-tmp --whitelist=$PWD --protocol=netlink nix-shell --pure ./maintainers/scripts/update-dotnet-lockfiles.nix --argstr keep-going true

In reply to @corngood:corngood.com
I don't think we should be using binary packages from nuget.org at all, which means nixpkgs would have to know how to build everything from source.

--protocol=netlink being only required for msbuild.fetch-deps afaict, due to some ridiculous old dotnet thing

even more so since fetch-deps runs the packages' code, it might have untrusted code running

Yeah, if I'm regenerating all lockfiles, or doing mass updates, that's a lot of peoples code being run. Lots of new packages going in without any real audits.

Could end up bad either through malice or accident.

In reply to @gggkiller:matrix.org
technically contributors should've audited it before adding all of that to nixpkgs, but you can never be too safe

Yeah, that part of the dotnet ecosystem is a mess. Actual build recipes would be the dream.

My favourite recent example was finding Avalonia.BuildServices, which is on nuget.org, but they don't even release the source for it. :|

https://github.com/AvaloniaUI/Avalonia/discussions/16878

I don't know how relevant this is, but the thing that comes to mind is how we patch the dll imports in the source-built version of avalonia:

          substituteInPlace src/Avalonia.X11/ICELib.cs \
            --replace-fail '"libICE.so.6"' '"${lib.getLib libICE}/lib/libICE.so.6"'
          substituteInPlace src/Avalonia.X11/SMLib.cs \
            --replace-fail '"libSM.so.6"' '"${lib.getLib libSM}/lib/libSM.so.6"'
          substituteInPlace src/Avalonia.X11/XLib.cs \
            --replace-fail '"libX11.so.6"' '"${lib.getLib libX11}/lib/libX11.so.6"' \
            --replace-fail '"libXrandr.so.2"' '"${lib.getLib libXrandr}/lib/libXrandr.so.2"' \
            --replace-fail '"libXext.so.6"' '"${lib.getLib libXext}/lib/libXext.so.6"' \
            --replace-fail '"libXi.so.6"' '"${lib.getLib libXi}/lib/libXi.so.6"' \
            --replace-fail '"libXcursor.so.1"' '"${lib.getLib libXcursor}/lib/libXcursor.so.1"'

we nerf it in the source-build of avalonia:

      preConfigure = ''
        # closed source (telemetry?) https://github.com/AvaloniaUI/Avalonia/discussions/16878
        dotnet remove packages/Avalonia/Avalonia.csproj package Avalonia.BuildServices
      '';

but that needs work before other packages can use it.

it should just be build-time, in sandbox, but it's still shady

I think it's a nice idea on paper but has a lot of issues in practice.

Let's say libc for example (ofc nothing in .NET uses it but anyways), there are like 2 or 5 packages that provide that and maybe not all of them could work.

Or maybe openssl, that has 1.1.x and 3.0 versions, which one does the package want if they only specifcy openssl.so?

I don't think we'll be able to get rid of this anytime soon, just like Rust can't nor any other native lang really