maui has a dependency on SponsorLink #16647

Closed
3 tasks
FlorianGrimm opened this issue Aug 9, 2023 · 6 comments
Labels
platform/android 🤖 platform/iOS 🍎 platform/macOS 🍏 macOS / Mac Catalyst platform/windows 🪟 s/not-a-bug This isn't actually a bug, or is working as expected t/bug Something isn't working

Comments

@FlorianGrimm

Description

maui has a dependency on ThisAssembly.Constants, which has a dependency on SponsorLink

https://github.com/devlooped/ThisAssembly/blob/main/src/ThisAssembly.Constants/SponsorLink.cs

I think this is the other side of good.

Steps to Reproduce

use maui

Link to public reproduction project repository

No response

Version with bug

7.0.49

Is this a regression from previous behavior? In other words, did this work before an update and now does not?

  • Yes, this used to work
  • No, this is something new
  • Not sure, did not test other versions

Last version that worked well

6.0

Affected platforms

iOS, Android, Windows, macOS, Other (Tizen, Linux, etc. not supported by Microsoft directly), I was not able to test on other platforms

Affected platform versions

No response

Did you find any workaround?

No response

Relevant log output

No response

@FlorianGrimm FlorianGrimm added the t/bug Something isn't working label Aug 9, 2023
@drasticactions
Contributor

MAUI does not have a dependency on SponsorLink. #16638

MAUI does not reference "ThisAssembly.Constants" in its codebase. The nearest one would be GitInfo and the version used is 2.2.0, which does not have that dependency. https://github.com/dotnet/maui/blob/main/eng/Git.Build.targets#L3

Moreover, even if it was bumped to a newer version that did include it, that would potentially be an issue for those building MAUI locally but it's not included as part of the framework (As in, it's not in the workloads nor something you would have installed on your machine)

If you can find an actual use of SponsorLink or other dependencies which are pulled in as part of the build that you don't expect to be there (As in, are the DLLs being invoked as part of a build? Are they in the workloads?) feel free to reopen this issue or make a new one.

@drasticactions closed this as not planned Aug 9, 2023
@aL3891

aL3891 commented Aug 9, 2023

that would potentially be an issue for those building MAUI locally

Isn't that significant? You're potentially exposing your contributors to a GDPR violation at worst and at best a case of "trust me, this closed source, obfuscated code that runs every build, abuses the analyser contract and downloads and sends data to some external server won't do anything bad or have any vulnerability"

It does this regardless of whether you sponsor the project in question or not, btw.

@hartez
Contributor

hartez commented Aug 9, 2023

that would potentially be an issue for those building MAUI locally

Isn't that significant? You're potentially exposing your contributors to a GDPR violation at worst and at best a case of "trust me, this closed source, obfuscated code that runs every build, abuses the analyser contract and downloads and sends data to some external server won't do anything bad"

Well first, to be clear: the version MAUI is using in its build process does not have the offending code.

And we're not saying that it would be insignificant if it did; just that the set of folks affected would be limited to contributors, rather than everyone using the SDK. Which is serious, and why we took the time to make sure it wasn't the case.

@drasticactions
Contributor

Well first, to be clear: the version MAUI is using in its build process does not have the offending code.

And we're not saying that it would be insignificant if it did; just that the set of folks affected would be limited to contributors, rather than everyone using the SDK. Which is serious, and why we took the time to make sure it wasn't the case.

Yes, my point was that even if it was included (which, to be clear, would be bad!) it wouldn't be part of the MAUI builds (i.e. that code wouldn't be in the compiled or shipped with MAUI, it wouldn't end up in the workloads, nor part of code deployed to end users, etc). But the version we currently use is from 2021 and doesn't have that included.

In retrospect, I should have been a bit less blunt about it, and I apologize. Seeing the conversation around it, and especially how it devolves, I was trying to avoid it by making it very clear that MAUI does not have dependencies that use it.

I think Rich Lander's comment regarding it in dotnet/runtime says it best, dotnet/runtime#90222 (comment).

If you see weird dependencies or artifacts you don't expect as part of your build appearing, then by all means let us know.

@samhouts samhouts added the s/not-a-bug This isn't actually a bug, or is working as expected label Aug 10, 2023
@FlorianGrimm
Author

I'm happy that you are not using a version later than 2023-01-24.
I looked into SponsorLink. The obfuscation imposes a bad feeling on me.
I found
in version 1.0, HTTP calls to https://cdn.devlooped.com/sponsorlink/.
in version 0.8, HTTP calls to https://devlooped.blob.core.windows.net/sponsorlink/
...maybe for a good reason, but why hide it?
I added ThisAssembly in my projects, because other NuGet packages used it.
So I looked around for which repos also used it, and your repo was the first hit - so I reported it.
Updating any NuGet version is hard work - to check what changed indirectly - I think I missed it.

Happy coding
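
An added example, not part of the thread or of either project's code: one way to check what a NuGet restore pulled in indirectly is to walk the dependency graph in `obj/project.assets.json` and list every chain that ends at a flagged package. The sample graph, `Some.Library`, the `Devlooped.SponsorLink` package id and all `0.0.0` versions are assumptions constructed for illustration.

```python
import json
from collections import deque

# Constructed sample shaped like obj/project.assets.json (NuGet restore output).
# "Some.Library", the SponsorLink package id and every 0.0.0 version are
# placeholders chosen for this example, not data taken from a real restore.
SAMPLE_ASSETS = json.loads("""
{
  "targets": {
    "net7.0": {
      "Some.Library/0.0.0": {"type": "package",
        "dependencies": {"ThisAssembly.Constants": "0.0.0"}},
      "ThisAssembly.Constants/0.0.0": {"type": "package",
        "dependencies": {"Devlooped.SponsorLink": "0.0.0"}},
      "Devlooped.SponsorLink/0.0.0": {"type": "package"},
      "GitInfo/2.2.0": {"type": "package"}
    }
  },
  "projectFileDependencyGroups": {
    "net7.0": ["Some.Library >= 0.0.0", "GitInfo >= 2.2.0"]
  }
}
""")

def find_chains(assets, needle):
    """Map each restore target to the shortest chains of 'Id/Version' entries
    leading from a direct reference to a package whose id contains `needle`."""
    needle, found = needle.lower(), {}
    groups = assets.get("projectFileDependencyGroups", {})
    for target, libs in assets.get("targets", {}).items():
        # NuGet package ids are case-insensitive, so index by lowercase id.
        graph = {k.split("/")[0].lower(): (k, e.get("dependencies", {}))
                 for k, e in libs.items()}
        # RID-specific targets ("net7.0/win-x64") share the framework's group.
        direct = [d.split()[0].lower() for d in groups.get(target.split("/")[0], [])]
        queue = deque((d, [graph[d][0]]) for d in direct if d in graph)
        seen, chains = set(direct), []
        while queue:  # breadth-first, so the first hit per package is shortest
            pkg, path = queue.popleft()
            if needle in pkg:
                chains.append(path)
                continue
            for dep in map(str.lower, graph[pkg][1]):
                if dep in graph and dep not in seen:
                    seen.add(dep)
                    queue.append((dep, path + [graph[dep][0]]))
        if chains:
            found[target] = chains
    return found
```

Against a real project, load the file with `json.load(open("obj/project.assets.json"))` after a restore and pass the result to `find_chains`; an empty dict means no package with that id fragment was resolved for any target.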

@jfversluis
Member

Just to close the loop on this one, the .NET MAUI repository is in line with what is written here for the .NET runtime repository.

Additionally we have written some details in a discussion that was also already opened earlier.
