NuGet Blog

Introducing signed package submissions to NuGet.org

May 22, 2018

In September 2017, we announced our plans to improve the security of the NuGet ecosystem by introducing the ability for package authors to sign packages. Today, we want to announce support for any NuGet.org user to submit signed packages to NuGet.org. A signed NuGet package is designed to be fully compatible with pre-existing NuGet servers and clients. Only newer versions of NuGet clients will take advantage of validating package signatures. We added this capability to Visual Studio 2017 15.6 – so we encourage you to upgrade to the latest VS updates to benefit from these added security measures. All the [...]

Read more...

NuGet.org will only support MSA/AAD starting June 1st, 2018

May 15, 2018

We had previously announced the deprecation of NuGet.org’s home-grown authentication in favor of Microsoft accounts (MSA) that will allow us to add support for additional security systems such as two-factor authentication (2FA). We will be disabling the NuGet.org’s home-grown authentication mechanism starting June 1st, 2018. This means that you can only sign in to NuGet.org using a Microsoft account or an Azure AD account from next month. If you have not yet linked your account to MSA/AAD, do it now! Linking MSA/AAD to an existing account If you have not yet linked your NuGet.org account to a MSA/AAD, you can [...]

Read more...

Welcoming SymbolSource to the .NET Foundation

May 01, 2018

We are excited to welcome SymbolSource.org to the .NET Foundation! SymbolSource has been providing a valuable service to the .NET Community for years with the ability to host Symbols for public NuGet packages on SymbolSource. With recent progress made in several areas, including SymbolSource being published to GitHub and NuGet.org planning a symbol server experience, we are thrilled to announce SymbolSource has joined the .NET Foundation. This post is to explain how the SymbolSource symbol server will exist harmoniously with the upcoming NuGet.org symbol server. With the recent open-sourcing of SymbolSource, the project is looking for new contributors. Head over [...]

Read more...

Organizations on NuGet.org

April 17, 2018

We are happy to announce support for Organizations on NuGet.org. This will help businesses and open-source projects collaborate on packages using a single nuget.org identity. Why organizations? NuGet.org used to allow you to create an account and publish packages through that account with little support to manage and publish packages as a team or a group. To overcome the single account - single user limitation, many users shared credentials of the account across the group. Obviously this is not a secure way to collaborate and has no audit trail for package updates across different users. With the deprecation of NuGet.org’s [...]

Read more...

Migrate to PackageReference with 3 clicks

April 09, 2018

Last year, we introduced the option to make PackageReference the default package management format for managing NuGet dependencies when installing the first NuGet package for a newly created projects. With Visual Studio Version 15.7 Preview 3, we have introduced the capability to migrate existing projects that use the packages.config format to use PackageReference instead. Benefits of using PackageReference include: Ability to manage all project dependencies from one place (the project file). An uncluttered view of top-level dependencies: the project file shows only those NuGet packages you directly installed in the project. Faster package install/update times. Better cache management with a [...]

Read more...

Incident report - NuGet.org downtime on March 22, 2018

March 22, 2018

We did this blog post to report about the incident that happened on March 22, 2018. In the last couple of days we digged deeper into the incident. Here is the summary of our findings and proposed next steps. Customer Impact NuGet.org website and V2 APIs were unavailable for 2 hours on March 22, 2018 between 8:45AM - 11:30AM UTC. More than 1.5 million requests failed. What Happened? On March 22nd, a certificate used internally for authentication with Key Vault expired. It was rotated on all components except for a single Search service. This triggered a chain reaction that made [...]

Read more...

NuGet Spring 2018 Roadmap

March 01, 2018

In August 2017, we published the NuGet Fall 2017 Roadmap where we outlined our backlog for the upcoming quarter. Since then, we’ve published specifications for these experiences on GitHub for the community to review. You have provided a ton of great feedback that has helped us ensure we deliver the right experiences. Thank you for your continued involvement and feedback! In this post, I would like to briefly summarize our progress on our Fall 2017 roadmap and discuss what we plan to build over the next quarter leading up to early Summer (May 2018). Looking back Here is a quick [...]

Read more...

Deprecating NuGet.org authentication

February 27, 2018

As announced in our NuGet Fall 2017 Roadmap blog post, we are transitioning away from NuGet.org’s home-grown authentication mechanism which will eventually allow us to add support for additional security systems such as two-factor authentication (2-FA). In preparation for this transition, we had already added support for Microsoft accounts (MSA) to sign in to NuGet.org and are now announcing support for Azure Active Directory (AAD) that can be used to sign in to NuGet.org. We recommend that all NuGet.org publishers start using either MSA or AAD to manage their accounts as soon as possible. We will ensure a smooth transition [...]

Read more...

NuGet.org package publishing workflow – behind the scenes

February 01, 2018

In December 2017, we changed the NuGet.org backend publishing pipeline to introduce a set of validation steps for submitted packages. Our goal is to maintain the same level of experience in terms of the time and effort it would take to publish a package and have it available for download. However, these new validation steps caused a few incidents that resulted in significant delays in the publishing workflow. We wanted to share the reasons why the experience has changed over the last few months and the continuous improvements we have been making since then, based on our learnings. Background When [...]

Read more...

NuGet Package Signing

September 14, 2017

In our NuGet Fall 2017 Roadmap, we highlighted security as the main area of investment over the next few months. This blog post describes a major part of that roadmap in greater detail – package signing. We started talking about supporting signed packages on NuGet.org a while ago. For example, in 2015 we published a post on Package Signing as well as a related specification from the ASP.NET team, and more recently we described package signing as a part of our future plans in the post on NuGet Package Identity and Trust. We´ve received some great feedback from our various [...]

Read more...

Previous |