Strong Naming #97
Comments
|
Please please please please don't! Let me point you to what Paul Betts said on the subject when it was raised on the ReactiveUI list. |
|
@JohnStov what problems would you have if Fixie were strong named? |
|
When done right, (i.e. checking in the key for strong naming), there is zero friction for contributors. This is what we have done for RiakClient. A potential contributor can clone the project, build it, and have it strongly named, with zero effort on their part. The thread to which I linked explained everything better than I could, and we have decided to stick with NUnit in RiakClient due to this issue, so I don't have anything further to add here. |
|
@jbogard - I don't know for sure, but my big worry is that it would make the ReSharper plugin harder, if not impossible to implement. (I am working on the RS9 plugin, honestly...). For the vast majority of people it's just additional friction. I avoid newtonsoft.json because of the grief it's caused me in the past... It's hard enough trying to persuade people to switch to Fixie, without having to tell them they're going to have to deal with strongnaming issues too. |
|
What friction? I kept bringing this up on that thread but never received any notion of what pain people were feeling, unless it was "I have a massively popular OSS project that a lot of other OSS projects depend on" like JSON.net. This is what I hit in removing SN in AutoMapper. Had it SN'd, zero complaints in 7 years. Removed SN, complaints. Both were equal work to me, having/not having SN, so I put it back in. |
This is the main reason we decided to SN RiakClient - @jbogard's experience with AutoMapper. |
|
Hey FYI you can use the StrongNamer package to strong name all packages at compile time. It's what I'm using for MediatR. |
|
Thanks for the tip. |
|
As Jimmy suggests, our recommendation for Fixie will be to use StrongNamer instead. See similar discussion here: jbogard/MediatR#86 |
|
So have been one of the strong advocates for "dont strong name". I was the one who pushed for "Do not rely on strong names for security. They provide a unique identity only" to be added here: https://learn.microsoft.com/en-us/dotnet/standard/assembly/strong-named However the community has spoken and strong naming has won. If you want a project to get wide adoption, that adoption will be hampered by lack of strong naming. The packages mentioned in this issue (MediatR, AutoMapper, RiakClient, and Octokit) are all now strong named Much of the friction of strong naming can be avoided by pinning the assembly version. so you never change it from what it is currently. This will stop any binding redirect issue. This is the approach newtonsoft eventually adopted so it is with great disappointment in our community and myself, that i suggest you reconsider strong naming your assemblies |
From the Linked Documentation
In contrast to that section we see:
And it ends with (emphasis added):
From Related DocumentationFrom the related page https://learn.microsoft.com/en-us/dotnet/standard/library-guidance/strong-naming we have:
That last point about .NET Standard is likely in reference to netstandard2.0 or earlier only, since that would imply .NET Framework consumers exist. Regarding the warning, those who set all warnings as errors and then choose to create a problem by not suppressing CS8002 will be advised to uncreate that problem. Dotnet Team DiscussionEven folks at Microsoft, understandably, were surprised by the change in the .NET Core era, but thankfully they captured this conversation for reference: dotnet/docs#22412 In that conversation we have:
Strong Naming Concept May be DroppedRelated, the Program Manager on .NET had the following to say in a thread where he was debating dropping the concept from .NET 8 altogether: https://twitter.com/terrajobst/status/1575848512192847873
Mentioned Packages in This Thread
FixieFixie v3.4.0 targets netcoreapp3.1, net6.0, net7.0, and net8.0. It hasn't targeted .NET Framework (nor indirectly via netstandard), for 859 days, and there have been three major versions of .NET since then, each of which ignores strong names. We dropped .NET Framework support for a few reasons once it was clear from Microsoft messaging that it was lapsing into legacy. Some of the reasoning for the aggressive drop there was that getting the VSTest integration to work for both Framework and Core was startlingly complex, accounted for >90% of time spent in development, and blew up the end-to-end QA effort on each Fixie release. At the time, users of Fixie on .NET Framework would use v2 and also at the time the community consensus was to "punt" the workaround (StrongNamer) to the end users who were opting into the pain, rather than taking on a workaround themselves. Strong naming now would mean opting into something viral (even if only via CS8002 and unsupported community momentum), that offers no material benefit to the project, that many members in the community are avoiding too for that reason, and that would force me to immediately and permanently take part in a workaround by materially damaging/faking assembly metadata, since even back when this did have a material effect the material effect was so immediately wrong for real users that the workaround had to be debated and crafted over years of arguments. I would sooner delete the repo, unlist the packages, and defenestrate my laptop. |
|
@plioi thanks for the comprehensive answer. and i full respect your decision |
and others
Hello!
I wanted to try out Fixie for some new RiakClient tests, but can't since Fixie is not strong named.
I tried decompiling and re-compiling
Fixie.dllusing our key to sign it, but then the VS test runner can't load the DLL since it is trying to bind an assembly with a nullPublicKeyToken.Please consider strong naming Fixie, and refer to octokit/octokit.net#405 for extensive discussion. We decided to strong name
RiakClientbased on this, and adopted the assembly versioning strategy based on the discussion as well.The text was updated successfully, but these errors were encountered: