Getting latest .NET Core Runtime patch information #87

Closed
wants to merge 1 commit into from

dsplaisted
Member

No description provided.

- Add a `dotnet` command which will check for the latest patches to the .NET Core runtime. Naming is TBD, straw man for this proposal is `dotnet patch-check`. The command will:
- Update the latest patch versions to use for self-contained applications
- Notify the user if the installed shared frameworks are not up-to-date, with a link to download the latest patch
- When building a self-contained app, generate a warning if `dotnet patch-check` has not been run within a specified period of time (7 days?), suggesting that the user run `dotnet patch-check` to make sure the self-contained app uses the latest patch
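Review bot: The last bullet keys the warning to how long ago `dotnet patch-check` was run, not to whether a newer patch actually exists, so with the 7-day straw man a self-contained app can be published on an outdated runtime for up to a week with no warning. The proposal should state the default period explicitly and say whether a build server, where nobody reads warnings, can treat the stale state as an error.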
Member

Why is this not just part of dotnet restore for self-contained app? The package for self-contained runtime is no different from other NuGet packages that may have servicing security fixes as well.

Member Author

We've looked at that and it ends up being expensive to ask for the latest version of a NuGet package on every build. As I understand it, when a specific package version is requested, then there doesn't even need to be a web request if that package is already in the local packages folder. However, if you want to ask NuGet for the latest version, then it has to request that from all the configured feeds, and wait for a response from all of them.

So this proposal is an attempt to sidestep those issues by having an explicit command to check for updates. It should be an improvement over today's status quo, which is that you need to install an entirely new SDK to get the latest runtime patches by default.

Member

I understand that it is expensive to ask for the latest version of a NuGet package on every build.

My point is that there should be just a single gesture required to ensure that all my app dependencies are up to date. I do not think it makes sense to have one gesture for the runtime package itself and a different gesture for the NuGet packages that my app depends on.


When patches are released for the .NET Core runtime, developers should not need to install an entirely new .NET Core SDK. They should be able to install only the updated runtime as needed, and the existing SDK should have a way of discovering that new patches should be used for self-contained applications.

Eventually we hope to be able to stop producing new releases of the .NET Core SDK whenever there is a patch to the runtime. This proposal is a step in that direction, however a lot more will be needed to enable that.
Member

@richlander Dec 17, 2019

> Eventually we hope to be able to stop producing new releases of the .NET Core SDK whenever there is a patch to the runtime.

This is the wrong framing and sends the wrong message, IMO. In fact, I think that this statement is barely relevant to the overall topic. Instead, this scenario should be about a single topic:

  • enabling you to publish a self-contained app with the latest runtime, w/o updating your SDK.

In addition (but not part of this document), we should have a promise that we always give users the latest runtime when they install/download the latest SDK distributions.


- Add a `dotnet` command which will check for the latest patches to the .NET Core runtime. Naming is TBD, straw man for this proposal is `dotnet patch-check`. The command will:
- Update the latest patch versions to use for self-contained applications
- Notify the user if the installed shared frameworks are not up-to-date, with a link to download the latest patch
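Review bot: The "Notify the user" bullet promises "a link to download the latest patch", but nothing in this list says which source `dotnet patch-check` queries for the latest patch versions or how that response is authenticated. Since the result decides which runtime self-contained apps ship with, the document should name the source and the integrity check applied to it.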
Member

@omajid Jan 2, 2020

How does that work for Linux distributions? If .NET Core is a part of a Linux distro, the update is handled by the package manager and pretty much anything a user does to install the latest version manually will be wrong or conflict with the package manager.

- Update the latest patch versions to use for self-contained applications
- Notify the user if the installed shared frameworks are not up-to-date, with a link to download the latest patch
- When building a self-contained app, generate a warning if `dotnet patch-check` has not been run within a specified period of time (7 days?), suggesting that the user run `dotnet patch-check` to make sure the self-contained app uses the latest patch
- This should be configurable to either specify the time period or disable the warning altogether
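Review bot: The added sub-bullet allows disabling the warning altogether but does not say at what scope (project, user or machine) or through which setting. Because the warning is the only signal in this list that a self-contained build may be using an old patch, the document should define the setting and its default, and consider keeping a low-priority message when the warning is disabled.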
Member

What is the configuration mechanism? Will that be a part of this document?

@terrajobst
Member

@dsplaisted should this be merged or closed?

@dsplaisted
Member Author

We still want to do something like this, but will probably implement it in terms of workloads: #100

5 participants