I'm many corporate environment that is a big requirement In a library like Lucene, where other people depend on it, a sign build is important On Apr 23, 2014 2:27 PM, "Petar Repac" <[email protected]> wrote:
> There is a long discussion about SN here: > https://nuget.codeplex.com/discussions/247827 > > I'd suggest that even if decision is not to sign, there should be an easy > way to get signed assemblies. > > Like: > 1. clone repo (signing keys are publicly accessible in repository) > 2. run BuildSigned.bat (or PowerShell script, Rake, ....) > 3. c/p files from /build folder > > I stopped signing my assemblies long ago, but probably there still are many > that still do > and less obstacles in adopting Lucene.NET the better. > > Regards, > Petar Repac > > > > > > > On Wed, Apr 23, 2014 at 1:10 PM, Itamar Syn-Hershko <[email protected] > >wrote: > > > All Lucene.NET assemblies are signed, aka strongly named. > > > > We are starting to run into problems with dependencies which not being > > signed. What's becoming more common in the .NET world (OSS mainly) is to > > stop signing assemblies because its > > pretty< > > > http://stackoverflow.com/questions/20105103/are-signed-net-assemblies-ever-fully-verified-when-loaded-to-check-they-haven > > > > > much< > > > http://stackoverflow.com/questions/1197133/anything-wrong-with-not-signing-a-net-assembly > > > > > useless <http://msdn.microsoft.com/en-us/magazine/cc163583.aspx> (in the > > last link: What Strong Names Can't Do). > > > > Regardless of the argument about SN it seems to bring more fraction and > > trouble than anything good, especially considering we are an open-source > > library. > > > > Case in question, I'm moving to updating the spatial module and want to > > fetch dependencies from nuget. While spatial4n is signed (so it can be > used > > from Lucene.NET), NTS+GeoAPI are not and don't appear to get signed any > > time soon. Since signed assemblies cannot reference non-strongly-named > > assemblies, I can't currently do that - not through nuget at least. This > > introduces a lot of frustration and tons of fraction which I'd like to > have > > removed. > > > > Ideally I'd want to move to removing strong-naming from all Lucene.NET > > assemblies (v4 and forward), and having a wiki page that describes why > > signing is pointless and how to manually sign it if you insist. > > > > I can see 2 disadvantages for not signing, both of which I doubt really > > matter nowadays and given our usage scenarios: > > > > 1. Deploy Lucene.NET to the GAC without further steps (non-signed > > assemblies can be SN or ILMerged as part of the install process) > > > > 2. Signed assemblies / project won't be able to get Lucene.NET from nuget > > directly because they'll have to sign it before referencing it. Or lose > SN > > themselves. > > > > Thoughts? > > > > -- > > > > Itamar Syn-Hershko > > http://code972.com | @synhershko <https://twitter.com/synhershko> > > Freelance Developer & Consultant > > Author of RavenDB in Action <http://manning.com/synhershko/> > > >
