Possibility to adopt strong naming? #23
Comments
|
Hi Kevin
I don't understand the problem, can you elaborate?
It's not up to me, but if this involves tweaking the namespace I have no
issue with it
…On Tue, 28 Feb 2023, 15:06 Kevin Schneider, ***@***.***> wrote:
Hi there,
I know its legacy stuff and maybe much to ask, but is there the
possibility of adopting a strong name
<https://learn.microsoft.com/en-us/dotnet/standard/assembly/strong-named>
for this package?
I maintain a graphing library, Plotly.NET
<https://github.com/plotly/Plotly.NET>, which is a strong named DLL. I
forgot about that legacy stuff when updating my html generation backend to
use this package, and now people on netfx face these problems:
plotly/Plotly.NET#371 <plotly/Plotly.NET#371>
Another solution would be copying the two source files of
Giraffe.ViewEngine into our project. That would have the advantage of not
asking you to do anything, but the disadvantage of not attributing any
package downloads. Would that be something you'd allow (IANAL but i think
your license allows this, i think it would still be better to ask as well)?
—
Reply to this email directly, view it on GitHub
<#23>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AEIGJF7NMZVO5SXL6GMKSKDWZWPWXANCNFSM6AAAAAAVKKUMCI>
.
You are receiving this because you are subscribed to this thread.Message
ID: ***@***.***>
|
|
here is the lengthy discussion we had in plotly.NET before adopting it: plotly/Plotly.NET#175 The gist of it is that it provides a stable identifier for your package in .NET framework environments. For .NET core / .NET 5 onwards it has no effect at all. To cite from microsoft docs:
The "problem" now is that for the thing to work, the dependencies of a project must also be strongly named, hence the problem our users now have when using Plotly.NET in .NET framework applications since i have added Giraffe.ViewEngine as a dependency. Since this repo has no external dependencies, it should make no difference for you. I can also file a PR if you want to adopt strong naming. It would consist of generating a key that is used to sign the assembly on build and will also be checked into source control. Then a little tweak to the project file and maybe setting assembly version on build/pack/publish calls. |
|
thanks for the explanation, so why is plotly strongly named?
…On Wed, 1 Mar 2023 at 20:25, Kevin Schneider ***@***.***> wrote:
here is the lengthy discussion we had in plotly.NET before adopting it:
plotly/Plotly.NET#175 <plotly/Plotly.NET#175>
The gist of it is that it provides a stable identifier for your package in
.NET framework environments. For .NET core / .NET 5 onwards it has no
effect at all.
To cite from microsoft docs:
For .NET Framework, strong-named assemblies are useful in the following
scenarios:
You want to enable your assemblies to be referenced by strong-named
assemblies, or you want to give friend access to your assemblies from other
strong-named assemblies.
An app needs access to different versions of the same assembly. This means
you need different versions of an assembly to load side by side in the same
app domain without conflict. For example, if different extensions of an API
exist in assemblies that have the same simple name, strong-naming provides
a unique identity for each version of the assembly.
You do not want to negatively affect performance of apps using your
assembly, so you want the assembly to be domain neutral. This requires
strong-naming because a domain-neutral assembly must be installed in the
global assembly cache.
You want to centralize servicing for your app by applying publisher
policy, which means the assembly must be installed in the global assembly
cache.
For .NET Core and .NET 5+, strong-named assemblies do not provide material
benefits. The runtime never validates the strong-name signature, nor does
it use the strong-name for assembly binding.
If you are an open-source developer and you want the identity benefits of
a strong-named assembly for better compatibility with .NET Framework,
consider checking in the private key associated with an assembly to your
source control system.
The "problem" now is that for the thing to work, the dependencies of a
project must also be strongly named, hence the problem our useers now have
when using Plotly.NET in .NET framework applications.
Since this repo has no external dependencies, it *should* make no
difference for you.
I can also file a PR if you want to adopt strong naming. It would consist
of generating a key that is used to sign the assembly on build and will
also be checked into source control. Then a little tweak to the project
file
<https://github.com/plotly/Plotly.NET/blob/1e5fec1496e5b78dc4bb7cad7648a95cefdb975a/src/Plotly.NET/Plotly.NET.fsproj#L17-L18>
and maybe setting assembly version on build/pack/publish calls.
—
Reply to this email directly, view it on GitHub
<#23 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AEIGJF2WWSF22BYL4HA6SETWZ452ZANCNFSM6AAAAAAVKKUMCI>
.
You are receiving this because you commented.Message ID:
***@***.***>
--
Friendly Regards
Bradley Phillips
M: 0473 257 737
|
To make the story of plotly/Plotly.NET#175 short, we were asked because of the same reason as I ask here, someone wanted to use it in a environment that required it to have a strong name:
|
|
strongly named seems to be causing issues here, why is ml.net strongly
named?
…On Wed, 1 Mar 2023 at 21:22, Kevin Schneider ***@***.***> wrote:
so why is plotly strongly named?
To make the story of plotly/Plotly.NET#175
<plotly/Plotly.NET#175> short, we were asked
because of the same reason as I ask here, someone wanted to use it in a
environment that required it to have a strong name:
I'm Jake from the ML.NET team (one of .NET's Machine Learning libraries)
- we're creating a bunch of sample notebooks and we'd love to use
Plotly.NET in some of our Interactive Extensions. Unfortunately, we can't
take dependency on Plotly.NET until it's signed.
We'd also like to use Plotly.NET in Model Builder (That is what
LittleLittleCloud was asking about above).
—
Reply to this email directly, view it on GitHub
<#23 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AEIGJF552FGOVJ6DTQPUW43WZ5EPTANCNFSM6AAAAAAVKKUMCI>
.
You are receiving this because you commented.Message ID:
***@***.***>
--
Friendly Regards
Bradley Phillips
M: 0473 257 737
|
|
For the reasons i laid out in my previous answer - its a thing used in .NET framework applications which they support |
|
I've seen a lot of libraries go for Strong Naming then reverse course later. One of on the better write up about it are StephenCleary/AsyncEx#129 (comment). Is it possible for the ML Team to sign their own assemblies with their key with something like: https://github.com/brutaldev/StrongNameSigner |
To quote from the back and forth we had in Plotly.NET then:
So basically we are stuck with this in plotly.NET now as well because I really want them to keep using the lib. I read the first thread you quoted then as well, which is why i was so hesitant in the original discussion in plotly/Plotly.NET#175 , but ultimately i deemed integration into their stack being worth it. I understand however if you don't, hence why i suggested the other option with copying the source code |
|
Hi guys, have you decided on your stance on this? As said, I absolutely understand if you don't want to go for a strong name, but if that's the case please tell me so I can proceed implementing html generation directly. |
|
What if another csproj file is added to this solution for a strong name?
Target both?
…On Wed, 15 Mar 2023, 17:25 Kevin Schneider, ***@***.***> wrote:
Hi guys, have you decided on your stance on this? As said, I absolutely
understand if you don't want to go for a strong name, but if that's the
case please tell me so I can proceed implementing html generation directly.
—
Reply to this email directly, view it on GitHub
<#23 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AEIGJF5OG4VJMR4OEELCW6LW4GDJRANCNFSM6AAAAAAVKKUMCI>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
|
That is another possibility, yes. Something like 'Giraffe.ViewEngine.StrongName' there are other projects that decided to do it this way https://www.nuget.org/packages?q=Strongname |
|
I think this is a good approach, other thoughts other contributors??
…On Thu, 16 Mar 2023, 12:06 Kevin Schneider, ***@***.***> wrote:
That is another possibility, yes. Something like
'Giraffe.ViewEngine.StrongName' there are other projects that decided to do
it this way https://www.nuget.org/packages?q=Strongname
—
Reply to this email directly, view it on GitHub
<#23 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AEIGJF47HL4SBGM6GQ7GLHDW4KGUXANCNFSM6AAAAAAVKKUMCI>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
I have created a PR (#24) for this. I don't know enough about your github actions to adapt them for also releasing this package, i would leave that up to someone with more knowledge about this repo. |
|
I have to admit I know little about .NET strongly named assemblies. It sounds absolutely crazy and makes little sense to me that if someone wants to "strongly name" their assembly (whatever that means) that they have to ask all downstream dependencies to make changes to their libraries as well. Surely you should be able to package up your assembly however you want without this library having to change. If it already works now then why does it need to do this strong naming as well which sounds like adds more problems than it helps in order for a consuming library to also strongly name. Is there like no way to strongly name your library in any other way? |
yes this is true and also what I did initially. The problem arises if someone wants to consume it in an environment that cares about strong names (legacy/.NET framework stuff). The specific issue is this:
In an environment that does not care about strong names (anything .NET core / .NET 5+) it does not matter. Which is the reason why i only recognized this issue after adding a dependency to this library - i develop on a modern machine, using .NET SDK and therefore encountered no issues.
This is not true though. Consuming libraries that do not care about strong names can reference strongly named assemblies without being strongly named themselves. Large libraries like
Consumers of non-signed libraries can apply the solution mentioned by @TheAngryByrd - they can sign the assemblies themselves before consuming it., but that's about it. Not very ergonomic, but one can argue that if you have to work in such an environment, you just have to endure the pain. I could also sign a dll of this lib and redistribute it with my library, but that would be basically the same as copying your source code into my lib - and all I wanted to do in this issue is show a good faith approach of trying other solutions before just doing that, including a PR that leaves the original project an package intact as discussed above. |
|
I think I can read the writing on the wall. I'll fork this repo and redistribute it with a strong name. Thanks for the discussion. |
With the fork you have made it is now impossible to use Plotly.Net library in a Giraffe project Components.fs(286,9): error FS0001: All elements of a list must be implicitly convertible to the type of the first element, which here is 'Giraffe.ViewEngine.HtmlElements.XmlAttribute (Giraffe.ViewEngine.StrongName, Version=2.0.0.0, Culture=neutral, PublicKeyToken=028aa8e2a326f4d0)'. This element has type 'Giraffe.ViewEngine.HtmlElements.XmlAttribute (Giraffe.ViewEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null)'. [Components.fsproj::TargetFramework=net8.0] |
|
i don't know what i could do about that other than the maintainers of this repo reconsidering this issue. |
Hi there,
I know its legacy stuff and maybe much to ask, but is there the possibility of adopting a strong name for this package?
I maintain a graphing library, Plotly.NET, which is a strong named DLL. I forgot about that legacy stuff when updating my html generation backend to use this package, and now people on netfx face these problems: plotly/Plotly.NET#371
Another solution would be copying the two source files of Giraffe.ViewEngine into our project. That would have the advantage of not asking you to do anything, but the disadvantage of not attributing any package downloads. Would that be something you'd allow (IANAL but i think your license allows this, i think it would still be better to ask as well)?
The text was updated successfully, but these errors were encountered: