Reduce number of package sources (feeds) for our builds [and declare in a single location] #8019
Comments
MiYanni
added
the
Area-Infrastructure
kvenkatrajan
added
the
Triage-Investigate
|
I may have found a simple solution. There seems to be an 'aggregate feed'. It would be worth looking at other repos to find if they utilize it. https://devdiv.visualstudio.com/DevDiv/_wiki/wikis/DevDiv.wiki/12676/Incident-help-for-Substitution-attack-risk-from-multiple-package-feeds?anchor=devdiv-common-feeds |
…xed build as SwixBuild package is needed (accessed via file path). Modified some package versions to match latest of what is available in some specific feed situations. Removed non-multi-referenced variables in Versions.props. Removed MediaRecorder usage for the Integration tests as we currently don't run them anyway, which allowed the myget-legacy feed to be removed. Commented on what the purpose of some feeds are.
|
I have learned that these kind of aggregate feeds are required for projects in the VS repo. Closed-source projects require only a single package feed, which is why they are used. Public feeds cannot have upstream sources. Thus, you cannot make a public aggregate feed. Private aggregate feeds can have public upstream sources, though. For our repo, we need all public feeds, so the best option is simply to find the smallest subset of public feeds to use. |
|
Information for public repo feeds here: https://devdiv.visualstudio.com/DevDiv/_wiki/wikis/DevDiv.wiki/12676/Incident-help-for-Substitution-attack-risk-from-multiple-package-feeds?anchor=oss/public |
ghost
added
the
Resolution-Fixed
Currently, we rely on multiple packages sources (Azure DevOps feeds) to acquire the components we need to build our product.
From NuGet.config:
project-system/NuGet.config
Lines 7 to 13 in 3dd1db4
From Packages.targets:
project-system/build/import/Packages.targets
Lines 8 to 15 in 3dd1db4
However, all of these are not required. I manually investigated the contents of several of these and certain components/packages are published into multiple feeds.
A simple example is our own product. It gets published to multiple feeds because of the tools used. Our main feed (the one we directly publish to) is this one:
https://dev.azure.com/DevDiv/DevDiv/_artifacts/feed/VS/NuGet/Microsoft.VisualStudio.ProjectSystem.Managed/17.2.0-beta1-20330-02/overview
However, there is a Cloud Build agent that republishes the same package to this other feed a few minutes later:
https://devdiv.visualstudio.com/DevDiv/_artifacts/feed/VS-CoreXtFeeds/NuGet/Microsoft.VisualStudio.ProjectSystem.Managed.VS/17.2.0-beta1-20330-01/overview
My belief is that we are over-feeding since we aren't certain where each package should come from. So, we just added a bunch of them and let restoration sort it out. Instead, I'd like to minimize our reliance on so many feeds by identifying which package should come from which feeds and only having those feeds contained within our build. We should also investigate why we need two places to declare feeds. My belief is that we don't need to specify the list of package sources in two locations, and it was done as a work-around for some specific authentication/restore issue. But that would also need to be investigated and resolved here.
The text was updated successfully, but these errors were encountered: