https://github.com/NixOS/nixpkgs/compare/master...corngood:nixpkgs:dotnet-avalonia.wip

Here's one branch full of hacks. pkgs/top-level/nuget-packages.json and pkgs/top-level/nuget-packages.nix might be interesting.

I was trying to do something along the lines of python/haskell, where we pull in nuget packages centrally. We'd then be able to replace them individually with source-built derivations.

take a look at: maintainers/scripts/update-dotnet-lockfiles.nix

It abuses update.nix to find packages that have fetch-deps. It's probably not perfect (e.g. I know godot3-mono uses make-deps for some reason).

In reply to@gggkiller:matrix.org
man, I wish there was an easy way to list all packages that use buildDotnetModule in nixpkgs

Sort of a tangent, but I've taken to running fetch-deps (and update scripts) in firejail, out of paranoia, since it's not sandboxed. I couldn't think of a way to take advantage of the nix sandbox to do it...

NIX_PATH= firejail --private-tmp --whitelist=$PWD --protocol=netlink nix-shell --pure ./maintainers/scripts/update-dotnet-lockfiles.nix --argstr keep-going true

In reply to @corngood:corngood.com
I don't think we should be using binary packages from nuget.org at all, which means nixpkgs would have to know how to build everything from source.

--protocol=netlink being only required for msbuild.fetch-deps afaict, due to some ridiculous old dotnet thing

even more so since fetch-deps runs the packages' code, it might have untrusted code running

Yeah, if I'm regenerating all lockfiles, or doing mass updates, that's a lot of peoples code being run. Lots of new packages going in without any real audits.

Could end up bad either through malice or accident.

In reply to @gggkiller:matrix.org
technically contributors should've audited it before adding all of that to nixpkgs, but you can never be too safe