| 19 Dec 2024 |
6pak |  Download image.png | 12:20:18 |
6pak | ;p | 12:20:22 |
GGG | oh well, guess they lied then | 12:20:55 |
GGG | smh my head | 12:21:03 |
6pak | the same can happen randomly without switching the source order if the first one is slow enough | 12:21:03 |
6pak | * the same can happen randomly without switching the source order if the first request is slow enough | 12:21:10 |
6pak | this is so cursed | 12:21:47 |
6pak | PackageReference should have a required Source property, change my mind | 12:23:00 |
GGG | I don't think it should matter honestly, unless we're dealing with adversary sources or something | 12:23:53 |
6pak | nuget.org is an adversary source | 12:24:27 |
6pak | anyone can upload there | 12:24:31 |
6pak | and if you rely on an internal package that's not on nuget.org | 12:24:40 |
6pak | anyone can claim the package id there | 12:24:46 |
6pak | and you will just restore that instead if you don't have package source mappings set up | 12:25:03 |
GGG | fair | 12:25:12 |
6pak | custom sources without mapping is a big security risk | 12:25:17 |
6pak | and shouldn't be allowed imo | 12:25:20 |
6pak | like at all | 12:25:27 |
GGG | I guess that's the point of having nuget lockfiles | 12:25:36 |
GGG | if they didn't suck so much | 12:25:39 |
GGG | * if only they didn't suck so much | 12:25:46 |
6pak | not really | 12:25:51 |
6pak | someone can upload a newer version on nuget.org | 12:25:59 |
6pak | and just wait for you to click upgrade in VS ui | 12:26:05 |
6pak | without realizing you are switching sources | 12:26:09 |
6pak | lockfile doesn't specify the source | 12:26:18 |
6pak | especially because the order is random, like wtf | 12:27:17 |
6pak | I thought that when I add nuget first then all the regular dependencies will be official | 12:27:37 |
6pak | but turns out if you add a nightly nuget repo for some random dependency, they can take over any package | 12:27:59 |
GGG | yeah | 12:28:06 |