
Remove deprecated field "owners" from VS UI Details Pane #10666

Closed
raffaeler opened this issue Mar 17, 2021 · 13 comments · Fixed by NuGet/NuGet.Client#5961
Labels: Functionality:VisualStudioUI (Package Manager UI et al), help wanted (Considered good issues for community contributions), Priority:3 (Issues under consideration. With enough upvotes, will be reconsidered to be added to the backlog), Product:VS.Client, Type:DCR (Design Change Request)

Comments

@raffaeler

Details about Problem

Even if the field "owners" in the .nuspec file has been deprecated, the NuGet UI in Visual Studio shows this field when the nuspec is created from the csproj and consumed directly in VS.

Visual Studio version: 16.10.0 Preview 1

Repro steps and/or sample project

  1. Create a C# .NET 5 project with the following NuGet attributes:

```xml
<PropertyGroup>
  <GeneratePackageOnBuild>true</GeneratePackageOnBuild>
  <GenerateNuspecDependsOn>$(GenerateNuspecDependsOn);SetPackageVersion</GenerateNuspecDependsOn>
  <PackageOutputPath>..\nuget</PackageOutputPath>

  <PackageId>MyComponent</PackageId>
  <Version>1.0.0</Version>
  <Authors>Raffaele Rialdi</Authors>
  <Company>Raf</Company>
  <PackageTags>.NET </PackageTags>
  <Description>Abcdef</Description>
</PropertyGroup>
```

  2. Publish the library / package in a local folder.
  3. Reference the package from another project. The UI in VS shows the owners field:
    (screenshot not included)

The owners field is not shown when browsing the public nuget website.

/cc @anangaur

@heng-liu
Contributor

Hi @loic-sharma, according to this blog, Owners is deprecated from .nuspec, but it's still used when nuget.org repo-signs the package, right?

@heng-liu
Contributor

heng-liu commented Mar 23, 2021

I reproduced this with two different packages and two kinds of sources.

Check Newtonsoft.Json in VS UI:

  1. When the source is nuget.org:
    (screenshot not included)

  2. When the source is a local path:
    (screenshot not included)

Check Microsoft.Extensions.Logging in VS UI:

  1. When the source is nuget.org:
    (screenshot not included)

  2. When the source is a local path:
    (screenshot not included)

So it looks like:

  • When the source is a local path, it's using the owners in the .nuspec file (Microsoft.Extensions.Logging has owners in its .nuspec file, while Newtonsoft.Json doesn't), which doesn't seem right if the owners field is already deprecated from the .nuspec file.
  • When the source is nuget.org, the owners are not shown. I'm not sure if this is right, as the owners info is still needed for package signing usage.

@loic-sharma
Contributor

Hello, this is a little confusing since owners information may come from several sources:

  1. .nuspec owners element - This is deprecated as per the docs. This value is controlled by the package's author and should not be trusted as it is susceptible to impersonation attacks. We've seen third-party authors package Microsoft code and claim the author/owner is Microsoft. My understanding is that this value should never be shown in Visual Studio.
  2. Search API's owners property - This is the package's owners according to the package source. On nuget.org, these owners are the account names that own the package. In other words, this value is controlled by the package source and can be trusted. This value is always up-to-date and should be used to display owners information in Visual Studio whenever possible.
  3. Repository signature nuget-package-owners attribute - Package sources that repository sign packages, like nuget.org, can include the package's owners in the signature. On nuget.org, these owners are the account names that own the package when the package was uploaded. In other words, this value is controlled by the package source and can be trusted. The repository signature's owners information can be used to configure trusted signers, so the owners should be shown in the nuget verify or dotnet nuget verify command. You can display this owners information on Visual Studio too if you'd like, but do note that this value may be stale if the package's owners changed after the package source created the repository signature.

@heng-liu
Contributor

Thanks for the detailed explanation, @loic-sharma!
I didn't check the code, so I'm not sure how we display owners in the VS UI for packages from different sources.
But the behavior is different from what we expected.

@aortiz-msft aortiz-msft removed their assignment Feb 2, 2022
@aortiz-msft aortiz-msft added the Type:DCR Design Change Request label Feb 2, 2022
@donnie-msft donnie-msft added the Functionality:VisualStudioUI Package Manager UI et al label Feb 28, 2022
@donnie-msft
Contributor

@raffaeler
Author

@donnie-msft the link is not accessible to people outside MS (HTTP 404).

@nkolev92
Member

Team Triage: Assigning to @chgill-MSFT.

@nkolev92
Member

Team Triage: Remove the owners field from the UI.

@nkolev92 nkolev92 added Priority:3 Issues under consideration. With enough upvotes, will be reconsidered to be added to the backlog. help wanted Considered good issues for community contributions. labels Mar 28, 2022
@zivkan
Member

zivkan commented Jun 10, 2022

> Team Triage: Remove the owners field from the UI.

I wasn't at that meeting. I find the decision unusual. The owners field is the only way for nuget.org to communicate which nuget.org account is responsible for uploading the package, and who can upload updates. It's not uncommon for customers to repackage Microsoft assemblies and list Microsoft in the author field. If we don't show owners, then customers using Visual Studio will have little way to know if the package is really an official Microsoft package or if someone else uploaded a package that put Microsoft in the authors field (I think customers don't understand the blue tick).

Perhaps we should hide the owners field for local sources, but in my opinion it's valuable for HTTP sources.

@raffaeler
Author

@zivkan according to @loic-sharma:

> .nuspec owners element - This is deprecated as per the docs. This value is controlled by the package's author and should not be trusted as it is susceptible to impersonation attacks.

My considerations:

  • If that field is deprecated, anyone should assume they are not to use it at all. IMO a deprecated field is something that will be removed in the future and that I should not use anymore.
  • In addition to being deprecated, it is also untrustworthy as it is susceptible to impersonation attacks. For sure, I don't want to see such information in any kind of UI (VS, nuget.org, local repos that could be used by third parties).
  • I agree the info about the user/organization who uploaded the package is relevant. But this should be inherited from the user account used for nuget.org (or other repo) authentication, certainly not from a manifest compiled by hand.

Did I miss something else?

@zivkan
Member

zivkan commented Jun 10, 2022

owners is deprecated in the nuspec (so, for package authors creating packages), but not in the HTTP protocol that the NuGet client (VS, dotnet CLI) uses to talk to remote NuGet feeds.

Other elements that are different between nuspec and HTTP Protocol (registration and search resources) are deprecated package messages and vulnerability information.

@raffaeler
Author

@zivkan what are the other ways to set the owners field outside of the nuspec?
I don't get how I can "consume" that field if "publishing" it is deprecated.

@zivkan
Member

zivkan commented Jun 12, 2022

Package authors are not supposed to set it. NuGet feeds (servers) are.

That is, people implementing NuGet's HTTP API. Specifically, the search resource has an owners field in the response, and maybe the package metadata resource. (For better or worse, due to the design of how nuget.org works, it was easier from a technical point of view for them to not maintain owners in the package metadata resource, so they documented the resource as not containing the owners field. But from an idealist point of view, I don't agree with that decision. Again, due to technical implementation details, NuGet.Client reuses the same data type for both search and package metadata resources, so NuGet.Protocol is capable of getting owners from both. Which resource VS's PM UI, or other apps like Rider, choose to source owners from is an independent technical implementation detail.)

Loic's earlier comment already explained that the owners field from the search service should be trusted, and recommended displaying it. So my comment from 2 days ago is not a new recommendation, hence I don't understand why an internal discussion on the 28th of March recommended removing it.
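The trust rule that @loic-sharma's comment and the two comments above from @zivkan describe (the `<owners>` element of a .nuspec is author-controlled and must not be shown; the `owners` array in a feed's search response is feed-controlled and can be shown for HTTP sources; a local folder source has no feed and therefore no trusted owners) is written out below as an added Python example. It is not NuGet.Client code. The .nuspec and the search response are constructed samples, the owning account name in them is made up, the search response is assumed to follow the shape of the V3 search resource's `data` items, and the helper names (`resolve_owners`, `authors_claim_mismatch`, `nuspec_metadata`) are my own.

```python
"""Added example: decide which package "owners" value a client may display.

Not NuGet.Client code. Rule from the thread: <owners> in the .nuspec is
author-controlled and is never shown; the "owners" array in the feed's V3
search response is feed-controlled and may be shown for HTTP sources; a
local folder source has no feed, hence no trusted owners to show.
"""
import json
import xml.etree.ElementTree as ET

# Constructed sample .nuspec: a repackaged build whose manifest claims Microsoft.
SAMPLE_NUSPEC = """<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">
  <metadata>
    <id>Microsoft.Extensions.Logging</id>
    <version>5.0.0</version>
    <authors>Microsoft</authors>
    <owners>Microsoft</owners>
    <description>Repackaged build (constructed sample).</description>
  </metadata>
</package>"""

# Constructed sample search response, shaped like the V3 search resource's
# "data" items; the owning account name is invented for the example.
SAMPLE_SEARCH_RESPONSE = json.dumps({
    "totalHits": 1,
    "data": [{
        "id": "Microsoft.Extensions.Logging",
        "version": "5.0.0",
        "authors": ["Microsoft"],
        "owners": ["some-third-party-account"],
    }],
})


def _local_name(tag):
    """Strip the XML namespace so any nuspec schema version parses the same."""
    return tag.rsplit("}", 1)[-1]


def nuspec_metadata(nuspec_xml):
    """Return id/version/authors/owners exactly as the package author wrote them."""
    root = ET.fromstring(nuspec_xml)
    meta = {}
    for el in root.iter():
        name = _local_name(el.tag)
        if name in ("id", "version", "authors", "owners") and el.text:
            meta[name] = el.text.strip()
    return meta


def resolve_owners(source_kind, nuspec_xml, search_json=None):
    """Owners a client may display, or None when no feed-controlled value exists.

    source_kind is "local" for a folder source or "http" for a V3 feed.
    The nuspec is consulted only for the package id; its <owners> is ignored.
    """
    package_id = nuspec_metadata(nuspec_xml).get("id", "").lower()
    if source_kind == "local":
        return None  # only the author-controlled manifest exists: show nothing
    if source_kind == "http":
        if search_json is None:
            return None
        for item in json.loads(search_json).get("data", []):
            if item.get("id", "").lower() == package_id:
                return list(item.get("owners", []))
        return None
    raise ValueError("source_kind must be 'local' or 'http'")


def _split_names(value):
    return {n.strip().lower() for n in value.split(",") if n.strip()}


def authors_claim_mismatch(nuspec_xml, trusted_owners):
    """Names the manifest claims (authors/owners) that no feed owner backs.

    A non-empty result is the repackaging pattern the thread describes (a
    third party naming Microsoft as author) and is worth surfacing for review.
    """
    meta = nuspec_metadata(nuspec_xml)
    claimed = _split_names(meta.get("authors", "")) | _split_names(meta.get("owners", ""))
    trusted = {o.lower() for o in (trusted_owners or [])}
    return sorted(claimed - trusted)


if __name__ == "__main__":
    owners = resolve_owners("http", SAMPLE_NUSPEC, SAMPLE_SEARCH_RESPONSE)
    print("display owners (http):", owners)
    print("display owners (local):", resolve_owners("local", SAMPLE_NUSPEC))
    print("unbacked manifest claims:", authors_claim_mismatch(SAMPLE_NUSPEC, owners))
```

For the constructed sample the HTTP path yields the feed's account (`some-third-party-account`) while the local path yields nothing to display, and the mismatch check reports `microsoft` as a name the manifest claims that the feed does not back. Authors and owner account names live in different namespaces, so a mismatch is a signal to look closer, not proof of impersonation.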

@donnie-msft donnie-msft self-assigned this May 6, 2024
@donnie-msft donnie-msft changed the title Remove deprecated field "owners" from VS UI Remove deprecated field "owners" from VS UI Details Pane Jun 25, 2024
@zivkan zivkan added this to the 6.12 milestone Oct 25, 2024