Reputation: 8741
Our dev servers at work currently can't reach nuget.org because of concerns about the safety of packages. Is it possible to apply a url rule / filter to a firewall that would allow access only to those packages with a "verified package owner"?
Upvotes: 0
Views: 494
Reputation: 1661
That's not possible with the server at this point. There are no APIs that would allow you to query whether a package has a verified owner or not. Additionally, the clients will hit so many different endpoints that it'd be very hard to make them all accessible. You'd likely need to whitelist almost all packages.
There is some work on the clients being done to cover your scenario though.
Alongside package signing, a new client policy is being worked on. That would allow you to accept packages only from certain package authors/feeds.
An alternative in the short-term would be to use a mirroring feed that everyone in the company uses. That mirroring feed would only contain a set of whitelisted packages.
Upvotes: 1
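As an added example (not part of the answer above), this is a NuGet.config that combines the two mitigations the answer describes: the clients are pointed only at a company mirror feed, and the client-side signing policy (which later shipped in NuGet as the `trustedSigners` section) restricts accepted packages to specific repository-signed owners and authors. The mirror URL, the signer names and the certificate fingerprints are assumptions; replace the placeholders with the values from your own environment.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <!-- Replace the default sources entirely so nuget.org is never contacted
       directly; every restore goes through the company mirror feed
       (assumed URL) that holds only the whitelisted packages. -->
  <packageSources>
    <clear />
    <add key="CompanyMirror" value="https://nuget.example.internal/v3/index.json" />
  </packageSources>

  <!-- Pin every package id pattern to the mirror so a stray source added
       elsewhere cannot satisfy a dependency. -->
  <packageSourceMapping>
    <packageSource key="CompanyMirror">
      <package pattern="*" />
    </packageSource>
  </packageSourceMapping>

  <!-- "require" fails a restore for any package that is not signed by one
       of the trusted signers below, rather than merely warning. -->
  <config>
    <add key="signatureValidationMode" value="require" />
  </config>

  <trustedSigners>
    <!-- Trust only packages that nuget.org repository-signed AND that are
         owned by one of the listed owner accounts (assumed names). -->
    <repository name="nuget.org" serviceIndex="https://api.nuget.org/v3/index.json">
      <certificate fingerprint="PLACEHOLDER_NUGET_ORG_REPO_CERT_SHA256"
                   hashAlgorithm="SHA256"
                   allowUntrustedRoot="false" />
      <owners>ExampleOwnerOne;ExampleOwnerTwo</owners>
    </repository>

    <!-- Optionally also trust an author-signing certificate for in-house
         packages published to the mirror (assumed author name). -->
    <author name="example-internal-author">
      <certificate fingerprint="PLACEHOLDER_INTERNAL_AUTHOR_CERT_SHA256"
                   hashAlgorithm="SHA256"
                   allowUntrustedRoot="false" />
    </author>
  </trustedSigners>
</configuration>
```

Owner names are checked against the repository signature's owner metadata, so a package that changes hands on nuget.org stops being accepted without any firewall change; the mirror still has to be populated by a process that applies the same policy when it pulls from upstream.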