2019-04-01 23:07:22 +03:00
|
|
|
<?xml version="1.0" encoding="utf-8"?>
|
|
|
|
<configuration>
|
|
|
|
<packageSources>
|
|
|
|
<clear />
|
|
|
|
<!-- ensure only the sources defined below are used -->
|
Bump to xamarin/Java.Interop/main@b46598a2; packageSources (#5608)
Context: https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
Context: https://azure.microsoft.com/en-us/resources/3-ways-to-mitigate-risk-using-private-package-feeds/
Context: https://devdiv.visualstudio.com/DevDiv/_wiki/wikis/DevDiv.wiki/12676/ncident-help-for-Substitution-attack-risk-from-multiple-package-feeds
Changes: https://github.com/xamarin/Java.Interop/compare/ee7b6bbe382bf408cc1a991e6149819889ad8c6c...b46598a254c20060b107312564e0ec0aee9e33d6
* xamarin/Java.Interop@b46598a2: Bump to xamarin/xamarin-android-tools/main@479931ce; packageSources (#796)
There is a Package Substitution Attack inherent in NuGet, whereby
if multiple package sources provide packages with the same name,
it is *indeterminate* which package source will provide the package.
For example, consider the [`XliffTasks` package][0], currently
provided from the [`dotnet-eng`][1] feed, and *not* present in the
NuGet.org feed. If a "hostile attacker" submits an `XliffTasks`
package to NuGet.org, then we don't know, and cannot control, whether
the build will use the "hostile" `XliffTasks` package from NuGet.org
or the "desired" package from `dotnet-eng`.
There are two ways to prevent this attack:
1. Use `//packageSources/clear` and have *only one*
`//packageSources/add` entry in `NuGet.config`
2. Use `//packageSources/clear` and *fully trust* every
`//packageSources/add` entry in `NuGet.config`.
`NuGet.org` *cannot* be a trusted source, nor can any feed
location which allows "anyone" to add new packages, nor can
a feed which itself contains [upstream sources][2].
As the `XliffTasks` package is *not* in `NuGet.org`, option (1)
isn't an option. Go with option (2), using the existing
`dotnet-eng` source and the new *trusted* [`dotnet-public`][3]
package source.
Update `azure-pipelines.yaml` to call [`NuGetAuthenticate@0`][4]
with `forceReinstallCredentialProvider: true`. This is needed so
that our commercial builds are able to authenticate with VSTS to
access internal package feeds.
[0]: https://github.com/dotnet/xliff-tasks
[1]: https://dev.azure.com/dnceng/public/_packaging?_a=feed&feed=dotnet-eng
[2]: https://docs.microsoft.com/en-us/azure/devops/artifacts/concepts/upstream-sources?view=azure-devops
[3]: https://dev.azure.com/dnceng/public/_packaging?_a=feed&feed=dotnet-public
[4]: https://docs.microsoft.com/en-us/azure/devops/pipelines/tasks/package/nuget-authenticate?view=azure-devops
2021-02-11 00:40:02 +03:00
|
|
|
<add key="dotnet-public" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public/nuget/v3/index.json" protocolVersion="3" />
|
[Xamarin.Android.Build.Tasks] Move XA4214 warning text into .resx file (#3900)
Context: https://dev.azure.com/devdiv/DevDiv/_workitems/edit/1009374/
This is a first step toward localizing the MSBuild error and warning
messages produced by `Xamarin.Android.Build.Tasks.dll`.
We will be following the [.NET Resource Localization pattern][0] and
generating satellite assemblies using [`.resx` files][1], in particular
`src/Xamarin.Android.Build.Tasks/Properties/Resources.resx`.
`Resources.resx` is an XML file, and will contain `/root/data`
elements in which `//data/@name` will start with the Xamarin.Android
error or warning code, and `//data/value` will be the error or
warning message:
<root>
<data name="XA4214" xml:space="preserve">
<value>The managed type `{0}` exists in multiple assemblies: {1}. Please refactor the managed type names in these assemblies so that they are not identical.</value>
</data>
</root>
An optional `//data/comment` element may be provided to describe the
meaning within the `//data/value` element to translators:
<data name="XA4214" xml:space="preserve">
<value>The managed type `{0}` exists in multiple assemblies: {1}. Please refactor the managed type names in these assemblies so that they are not identical.</value>
<comment>
{0} - The managed type name
{1} - Comma-separated list of all the assemblies where the managed type exists
</comment>
</data>
During the build, `Resources.resx` will be translated into a
`Resources.Designer.cs` file:
namespace Xamarin.Android.Tasks.Properties {
internal partial class Resources {
internal static string XA4214 {
get => ...
}
}
}
The `Resources` members should be used to obtain all strings for use
in `LogCodedError()` and `LogCodedWarning()` calls:
Log.LogCodedWarning ("XA4214", Properties.Resources.XA4214, kvp.Key, string.Join (", ", kvp.Value));
When an MSBuild error or warning code is used with more than one
output string, then a semantically meaningful suffix should be used
to distinguish between the two:
<data name="XA4214_Result" xml:space="preserve">
<value>References to the type `{0}` will refer to `{0}, {1}`.</value>
</data>
Note that this infrastructure does not interoperate with C#6 string
interpolation. Any error or warning messages currently using C#6
string interpolation will need to use .NET 1.0-style format strings.
Our translation team doesn't work directly with `.resx` files.
Instead, the translation team works with [XLIFF files][2].
`Resources.resx` is converted into a set of
`src/Xamarin.Android.Build.Tasks/Properties/xlf/Resources.*.xlf`
files via `XliffTasks.targets` from the [dotnet/xliff-tasks][3] repo.
The `Resources.*.xlf` files should be automatically updated whenever
`Resources.resx` is updated.
Other:
* This approach leaves the error code `XA4214` as a string literal
for now. This differs from what dotnet/sdk and microsoft/msbuild
do; they instead include the message code as part of the string
resource in the `.resx` file. That might sometimes provide useful
additional context for the translation team, but it also requires
using a different set of logging methods from
`Microsoft.Build.Utilities.TaskLoggingHelper`.
* Fix the Test MSBuild Azure Pipelines build
Specify the `feedsToUse` and `nugetConfigPath` inputs for the
[`NuGetCommand@2`][6] Azure Pipelines task so that the NuGet
restore step will be able to restore XliffTasks successfully from
the dotnet-eng Azure DevOps NuGet package feed.
This resolves the following error:
The nuget command failed with exit code(1) and error(Errors in packages.config projects
Unable to find version '1.0.0-beta.19252.1' of package 'XliffTasks'.
C:\Users\dlab14\.nuget\packages\: Package 'XliffTasks.1.0.0-beta.19252.1' is not found on source 'C:\Users\dlab14\.nuget\packages\'.
https://api.nuget.org/v3/index.json: Package 'XliffTasks.1.0.0-beta.19252.1' is not found on source 'https://api.nuget.org/v3/index.json'.)
TODO:
* When `Xamarin.Android.Build.Tasks.csproj` is converted into a
[short-form project][4], add a dependency on dotnet/arcade and
switch to using the [`GenerateResxSource` mechanism][5] instead
of using `%(EmbeddedResource.Generator)`=ResXFileCodeGenerator
and set `$(UsingToolXliff)`=True. This would match dotnet/sdk.
[0]: https://docs.microsoft.com/dotnet/framework/resources/index
[1]: https://docs.microsoft.com/dotnet/framework/resources/creating-resource-files-for-desktop-apps#resources-in-resx-files
[2]: http://docs.oasis-open.org/xliff/v1.2/os/xliff-core.html
[3]: https://github.com/dotnet/xliff-tasks
[4]: https://docs.microsoft.com/visualstudio/msbuild/how-to-use-project-sdk
[5]: https://github.com/dotnet/arcade/blob/e67d9f098029ebecedf11012a749b532d68ad2a9/Documentation/ArcadeSdk.md#generateresxsource-bool
[6]: https://docs.microsoft.com/azure/devops/pipelines/tasks/package/nuget
2019-12-07 21:58:58 +03:00
|
|
|
<add key="dotnet-eng" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-eng/nuget/v3/index.json" protocolVersion="3" />
|
2022-05-06 00:04:44 +03:00
|
|
|
<add key="dotnet7" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet7/nuget/v3/index.json" />
|
2021-03-22 22:57:32 +03:00
|
|
|
<!-- This is needed (currently) for the Xamarin.Android.Deploy.Installer dependency, getting the installer -->
|
|
|
|
<!-- Android binary, to support delta APK install -->
|
|
|
|
<add key="xamarin.android util" value="https://pkgs.dev.azure.com/xamarin/public/_packaging/Xamarin.Android/nuget/v3/index.json" />
|
2022-09-09 00:15:08 +03:00
|
|
|
<!-- Added manually for dotnet/runtime 6.0.9 -->
|
|
|
|
<add key="darc-pub-dotnet-emsdk-3f6c45a" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/darc-pub-dotnet-emsdk-3f6c45a2/nuget/v3/index.json" />
|
|
|
|
<add key="darc-pub-dotnet-runtime-531f715" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/darc-pub-dotnet-runtime-531f715f/nuget/v3/index.json" />
|
2019-04-01 23:07:22 +03:00
|
|
|
</packageSources>
|
2021-03-22 22:57:32 +03:00
|
|
|
<disabledPackageSources />
|
2020-01-17 00:25:54 +03:00
|
|
|
</configuration>
|