Problem Statement
- No central approval process for adding packages
- Anyone can pack anything into a package, give it any name they want (like "Microsoft Prism", as long as the name is not taken (doesn't manage trust)
- Binaries downloaded from Sourceforge.net, Codeplex.com, etc could feasibly contain malicious code
- What if the project is using licensed NuGet. We do not have any mechanism to verify that license terms are followed or not.
- There is no check for using an obsolete version of NuGet. Once added never updated
Approach for using packages
- Lock in the semantic version number completely. Explicitly specify the major, minor, and patch numbers. Don't assume that new updates will be safe or that their semantic version will be accurate.
- Use only well-known current versions for production.
- Experiment with anything in a test environment with limited access e.g. under an account that isn't a local administrator, no local access to highly privileged credentials, no access rights to privileged resources granted to the test machine's IP.
- Check the vendor/publisher. For example, if the package is released by Microsoft, Amazon and it's an AWS SDK, then that package is probably safe to use if you trust Amazon.
