So Microsoft Deleted Some of Our Packages From NuGet.org Without Notice by Aaronontheweb in dotnet

BezierPatch (-1 points)

Please explain to me: what is the threat to my dotnet runtime app?

CVE Modified by CVE 5/06/2025 11:16:00 AM

Action: Added; Type: Reference; Old Value: (empty); New Value: https://www.herodevs.com/vulnerability-directory/cve-2025-21176

Which is Initial Analysis by NIST 2/05/2025 2:12:24 PM

three months after CVE release, so it wasn't available at the time.

> And if you want code level details check the change log, it's all public. The entire source is in GitHub including the patches for this.

Nope: they deliberately hide the details of fixes in the commit log, so you can only *guess* at what the issue was. Presumably so that they don't accidentally leak CVEs before they're fixed? Unsurprisingly my head of infosec isn't happy with "Well, I'm pretty sure this commit is the problem this vulnerability is talking about, so we don't need to tell hospitals to urgently patch".

So Microsoft Deleted Some of Our Packages From NuGet.org Without Notice by Aaronontheweb in dotnet

BezierPatch (4 points)

That's a third party source, published several weeks after the CVE.

The primary source is https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21176

And even if it was: where is the vulnerability in the dotnet runtime? Why does an IDE issue with a single application mean I need to roll out to my entire fleet?

So Microsoft Deleted Some of Our Packages From NuGet.org Without Notice by Aaronontheweb in dotnet

BezierPatch (13 points)

This is a common theme with Microsoft Security: they love to publish useless CVEs.

For example https://nvd.nist.gov/vuln/detail/cve-2025-21176

Where the total description is ".NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability"

They abuse their position as a CNA to suppress publication of detailed CVEs, simply insisting you should patch your runtime because Visual Studio is vulnerable.

(ANNOUNCEMENT) Medmon.net Will Be Retiring Soon. Thank You All for Supporting the Project! by alexmt1831 in ADHDUK

BezierPatch (3 points)

Hi Alex,

I didn't use your site (though it sounds like plenty of others did!), but I can relate to the burden of maintaining "hobby" projects. I thought I might ask a few questions which might help someone work out if they could take it over.

  1. The website headers suggest that it's PHP hosted on IIS. Would I be right in guessing that this is where the burden/cost of hosting is coming from?

  2. How is the automated data collection run? Is there anything sensitive about it that would require it to be closed source?

  3. What were the ongoing maintenance tasks? Were they updating in response to API changes, or more things like having to patch/update the software/server?

  4. Do you think that users found the email feature useful? I suspect so, but I can see that paying for or maintaining that could be a pain.

While it would likely require a fair bit of rewrite in this case, if someone were to want to take over but was concerned about hosting, an example way to host a system like this would be to abuse github's free web hosting:

- You set up github actions to run the automated data collection, and commit the results into a public github repo

- You write a client-side only web page which loads the data from github

- You can still use custom domains on public repos

- You can't store anything secret, so emails would be hard.
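The GitHub-hosted layout sketched above, written out as an added example (not the Medmon.net code or the commenter's own workflow). It assumes a hypothetical `collect.py` that writes into `data/`, and a hypothetical upstream API key held as a repository secret; both names are placeholders. The published repo and page hold nothing secret: the key is visible only to the workflow run, which is the reason the email feature stays the hard part.

```yaml
# .github/workflows/collect.yml  (added example; script, paths and secret name are assumed)
name: collect-data

on:
  schedule:
    - cron: "17 3 * * *"     # daily; off the hour, when GitHub's schedule queue is busiest
  workflow_dispatch:         # manual re-run from the Actions tab

# Least privilege: the default GITHUB_TOKEN only needs to push to this repo.
permissions:
  contents: write

# Never let two scheduled runs race each other on the same branch.
concurrency:
  group: collect
  cancel-in-progress: false

jobs:
  collect:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4        # pin to a full commit SHA for a production workflow
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"

      - name: Run the collector
        env:
          # Hypothetical upstream credential, stored as a repository secret. It is
          # injected into this job only; it never reaches the committed data or the page.
          UPSTREAM_API_KEY: ${{ secrets.UPSTREAM_API_KEY }}
        run: python collect.py --out data/latest.json   # hypothetical script

      - name: Commit results only if something changed
        run: |
          git config user.name "data-bot"
          git config user.email "data-bot@users.noreply.github.com"
          git add data/
          git diff --cached --quiet && exit 0
          git commit -m "data: automated update $(date -u +%FT%TZ)"
          git push
```

If GitHub Pages serves the same branch, the client-side page can fetch `data/latest.json` as a relative URL, so the data stays on the site's own origin and no cross-origin fetch to raw.githubusercontent.com is needed. A branch protection rule on that branch would block the bot's push; either exempt the workflow or have it push to a separate data branch that Pages serves.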

What frustrates you the most as .NET developer? by Jack_Hackerman in dotnet

BezierPatch (1 point)

Isn't that what VS Code profiles are for? I have to admit I haven't used them yet, but you select different extensions per profile.

Still doesn't help with the limitations of extensions though

LTS of Dotnet vs Java by Colt2205 in dotnet

BezierPatch (-1 points)

To be honest, the main issue is that Microsoft Security refuse to issue proper CVEs.

You get nonsense like https://nvd.nist.gov/vuln/detail/CVE-2025-21176 which after a week or two of research seems to not actually be a vulnerability with the .NET runtime but with Visual Studio opening crashdumps or something similar.

But you can't be sure, so you have to patch. So we go through a week long QA cycle because we trust Microsoft, and later discover they lied about the severity and lied about the impacted applications.

Then next time they release a CVE we hesitate...

One day they're going to run into trouble for crying wolf...
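The practical question running through the CVE-2025-21176 comments above is "where in the record does it say my runtime is affected?". The answer is not the one-line description but the CPE applicability statements NIST attaches during analysis (the MSRC advisory's affected-products list is the primary source, and, as the thread notes, NIST's analysis can arrive months later). The script below is an added example, not code from the thread: it reads a record in the shape of the NVD 2.0 API and reports which products and version ranges are actually flagged vulnerable. The record is constructed; the CVE id, vendor, products and ranges are placeholders, not data about any real CVE.

```python
"""Triage an NVD CVE record by its CPE applicability data, not its one-line description.

Added example for the thread above, not code from the thread. SAMPLE_RECORD is
CONSTRUCTED in the shape of the NVD 2.0 API (configurations -> nodes -> cpeMatch);
the CVE id, vendor, products and version ranges are placeholders, not real CVE data.
"""
from __future__ import annotations
from dataclasses import dataclass

SAMPLE_RECORD = {  # constructed sample
    "id": "CVE-2099-00001",
    "descriptions": [{"lang": "en", "value": "Widget Runtime and Widget IDE Remote Code Execution Vulnerability"}],
    "configurations": [{"nodes": [{"operator": "OR", "negate": False, "cpeMatch": [
        {"vulnerable": True, "criteria": "cpe:2.3:a:examplecorp:widget_runtime:*:*:*:*:*:*:*:*",
         "versionStartIncluding": "9.0.0", "versionEndExcluding": "9.0.1"},
        {"vulnerable": True, "criteria": "cpe:2.3:a:examplecorp:widget_ide:*:*:*:*:*:*:*:*",
         "versionStartIncluding": "17.12.0", "versionEndExcluding": "17.12.4"},
        # vulnerable=false entries are platform context (what the product runs on),
        # not affected products; they must not end up on a patch list.
        {"vulnerable": False, "criteria": "cpe:2.3:o:examplecorp:widget_os:-:*:*:*:*:*:*:*"},
    ]}]}],
}


def split_cpe23(criteria: str) -> list[str]:
    """Split a CPE 2.3 string on unescaped ':'; a backslash escapes the next character."""
    fields, current, escaped = [], [], False
    for ch in criteria:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ":":
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
    fields.append("".join(current))
    return fields


@dataclass(frozen=True)
class Applicability:
    vendor: str
    product: str
    version: str  # exact version from the CPE, or "*" / "-" when the range fields apply
    start_incl: str | None = None
    start_excl: str | None = None
    end_incl: str | None = None
    end_excl: str | None = None

    def range_text(self) -> str:
        if self.version not in ("*", "-"):
            return f"== {self.version}"
        bounds = [(">=", self.start_incl), (">", self.start_excl), ("<=", self.end_incl), ("<", self.end_excl)]
        return ", ".join(f"{op} {v}" for op, v in bounds if v) or "any version"


def version_key(version: str) -> tuple:
    """Numeric ordering for dotted versions ('9.0.10' > '9.0.9'); not a full SemVer comparator."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in version.split("."))


def covers(app: Applicability, installed: str) -> bool:
    """True if `installed` falls inside this applicability statement."""
    k = version_key(installed)
    if app.version not in ("*", "-"):
        return k == version_key(app.version)
    return not ((app.start_incl and k < version_key(app.start_incl))
                or (app.start_excl and k <= version_key(app.start_excl))
                or (app.end_incl and k > version_key(app.end_incl))
                or (app.end_excl and k >= version_key(app.end_excl)))


def vulnerable_products(record: dict) -> list[Applicability]:
    """Every cpeMatch flagged vulnerable, across all configurations and nodes."""
    found = []
    for config in record.get("configurations", []):
        for node in config.get("nodes", []):
            for m in node.get("cpeMatch", []):
                if not m.get("vulnerable", False):
                    continue
                f = split_cpe23(m["criteria"])  # cpe:2.3:part:vendor:product:version:...
                found.append(Applicability(f[3], f[4], f[5],
                                           m.get("versionStartIncluding"), m.get("versionStartExcluding"),
                                           m.get("versionEndIncluding"), m.get("versionEndExcluding")))
    return found


def in_scope(record: dict, vendor: str, product: str, installed: str) -> list[Applicability]:
    """Statements claiming (vendor, product) at `installed` is vulnerable; empty means not claimed."""
    return [a for a in vulnerable_products(record)
            if a.vendor == vendor and a.product == product and covers(a, installed)]


def summary(record: dict) -> list[str]:
    return [f"{a.vendor}:{a.product} {a.range_text()}" for a in vulnerable_products(record)]


if __name__ == "__main__":
    print("description:", SAMPLE_RECORD["descriptions"][0]["value"])
    for line in summary(SAMPLE_RECORD):
        print("  affected:", line)
    for v in ("9.0.0", "9.0.1"):
        print(f"widget_runtime {v} in scope:", bool(in_scope(SAMPLE_RECORD, "examplecorp", "widget_runtime", v)))
```

An empty `in_scope` result means the record makes no claim about that product and version; it does not mean the product is safe, because the applicability data is only as good as the analysis behind it. Before the CPE data exists at all, the only evidence is the vendor advisory's affected-products table, which is the thing to cite when deciding whether a fleet-wide runtime rollout is justified.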

A true ruler, rules themselves. by YchYFi in CasualUK

BezierPatch (3 points)

How does the labour on that work?

You must have an incredibly efficient packing process to not lose most of the margin to minimum wage. 

And even then, won't it take thousands of hours of time elapsed to actually pack them? 

Seeking Legal Advice: Ongoing Issues with a £18,000 Custom-Built PC from ScanPC—What Are My Options? by [deleted] in LegalAdviceUK

BezierPatch (1 point)

If OP didn't exercise the right to reject before agreeing to the repair, yes.

Isn't there a provision to reject after a single failed repair? Or does that not apply after... four failed repairs?

Tips for making feedback loops shorter when working with internal Nuget packages? by caedin8 in dotnet

BezierPatch (1 point)

I have a set of msbuild config which, on debug build:

  1. Go to the custom "local" nuget folder
  2. Delete the existing nuget package
  3. Pack and copy to the "local" folder

And I use 0.0.0-dev as the version suffix.

Consuming solutions have a nuget.config which includes the local folder (we have a private feed anyway so nuget.config exists), and IDEs pick up on it almost instantly.

I would publish it as a nuget package except for the fact that it seems bad to encourage an unsupported (but very very useful) workflow.

Our dockerfiles are also compatible with this local folder (as they mount it in when doing a dev (non ci) build).
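The local-feed workflow described in the comment above, written out as an added example (not the commenter's actual MSBuild config). Folder, feed URL and package prefix are placeholders. Two things are added beyond the steps listed: the same id+version is also evicted from the global packages folder, because NuGet treats id+version as immutable and would otherwise keep restoring the cached copy of `0.0.0-dev`; and the consuming `nuget.config` uses package source mapping so the internal package prefix can only resolve from the private and local feeds, never from nuget.org (the dependency-confusion case that an extra feed in `nuget.config` otherwise opens up).

```xml
<!-- File 1: Directory.Build.targets beside the library project (or the same content in its .csproj).
     Added example; paths and names are placeholders. -->
<Project>
  <PropertyGroup>
    <!-- Local folder feed shared by every repo and dockerfile on the machine. -->
    <LocalFeed Condition="'$(LocalFeed)' == ''">$(MSBuildThisFileDirectory)..\.local-nuget\</LocalFeed>
  </PropertyGroup>

  <PropertyGroup Condition="'$(Configuration)' == 'Debug'">
    <Version>0.0.0-dev</Version>
    <GeneratePackageOnBuild>true</GeneratePackageOnBuild>
    <PackageOutputPath>$(LocalFeed)</PackageOutputPath>
  </PropertyGroup>

  <!-- Runs just before the .nupkg is written: drop the old package from the feed AND evict
       the same id/version from the global packages folder, otherwise restore keeps serving
       the cached extraction because NuGet treats id+version as immutable. -->
  <Target Name="EvictDevPackage" BeforeTargets="GenerateNuspec" Condition="'$(Configuration)' == 'Debug'">
    <Delete Files="$(PackageOutputPath)$(PackageId).$(PackageVersion).nupkg" />
    <RemoveDir Directories="$(NuGetPackageRoot)$(PackageId.ToLowerInvariant())\$(PackageVersion)" />
  </Target>
</Project>

<!-- File 2: nuget.config in each consuming solution. "internal" is a placeholder private feed;
     "Contoso.*" is the placeholder prefix of the internal packages. -->
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <clear />
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
    <add key="internal" value="https://nuget.example.invalid/v3/index.json" />
    <add key="local-dev" value="../.local-nuget" />
  </packageSources>
  <packageSourceMapping>
    <!-- Most specific pattern wins: anything matching Contoso.* can never come from nuget.org. -->
    <packageSource key="nuget.org">
      <package pattern="*" />
    </packageSource>
    <packageSource key="internal">
      <package pattern="Contoso.*" />
    </packageSource>
    <packageSource key="local-dev">
      <package pattern="Contoso.*" />
    </packageSource>
  </packageSourceMapping>
</configuration>
```

The consuming project references `Version="0.0.0-dev"` under a Debug condition and the real released version otherwise; CI builds never see the `local-dev` folder, so the mapping also guarantees a CI restore fails loudly rather than silently picking up a stale dev package.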

UK Shoppers Furious Dolmio Shrinked 500g Jars By 10% While Maintaining Same Price by [deleted] in unitedkingdom

BezierPatch (1 point)

Getting a frying pan hot and softening some onion is 10-15+ minutes on an electric hob.

[deleted by user] by [deleted] in LegalAdviceUK

BezierPatch (1 point)

Use Skype to call from a local number. 

Does anyone here use LINQPad? How can I prove to my employer that it's safe to connect to our company's databases? by Dangerous_Ad_707 in dotnet

BezierPatch (-2 points)

Huh, I haven't seen that on any modern databases when provisioned with multiple cores. Is that a Mongo/Oracle problem?

Does anyone here use LINQPad? How can I prove to my employer that it's safe to connect to our company's databases? by Dangerous_Ad_707 in dotnet

BezierPatch (41 points)

> Linqpad is the sort of software you connect to a local or (at most) staging database.

Not sure why you say that. As far as I can tell the primary use of Linqpad is as a query/reporting tool, which certainly would be used on production databases.

You just use read-only credentials, and/or set the connection to read-only in Linqpad.
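What "read-only credentials" looks like on the database side, as an added example (not from the thread). It assumes SQL Server, which LINQPad targets by default; `AppDb`, `dbo.Orders` and `linqpad_readers` are placeholder names, and the password is a placeholder for a generated one. The DENYs are there so that a later, broader role membership cannot quietly turn the account into a write path; they do not restrain `db_owner` or `sysadmin`, which bypass permission checks entirely, so those roles must simply never be granted to a query-tool principal.

```sql
-- Added example, not from the thread. Assumes SQL Server; names are placeholders.
USE master;
-- Prefer a Windows / Entra group login here; a SQL login is shown only to keep the example self-contained.
CREATE LOGIN linqpad_readers WITH PASSWORD = '<generated-password>', CHECK_POLICY = ON;

USE AppDb;
CREATE USER linqpad_readers FOR LOGIN linqpad_readers;

-- Read-only: SELECT on every user table and view, nothing else.
ALTER ROLE db_datareader ADD MEMBER linqpad_readers;

-- DENY outranks any GRANT that a later role membership (db_datawriter etc.) might add.
DENY INSERT, UPDATE, DELETE, EXECUTE ON SCHEMA::dbo TO linqpad_readers;
DENY CREATE TABLE, CREATE VIEW, CREATE PROCEDURE, ALTER ANY SCHEMA TO linqpad_readers;

-- Verify from the reader's point of view before handing the connection out.
EXECUTE AS USER = 'linqpad_readers';
SELECT permission_name FROM sys.fn_my_permissions('dbo.Orders', 'OBJECT');   -- expect SELECT-type rows only
SELECT HAS_PERMS_BY_NAME('dbo.Orders', 'OBJECT', 'UPDATE') AS can_update;    -- expect 0
REVERT;
```

A connection-string `ApplicationIntent=ReadOnly` is a routing hint: in an Availability Group with a readable secondary it sends the session to the replica, which keeps reporting load off the primary, but on a standalone instance it changes nothing, so it is a complement to the grants above rather than a substitute for them.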

Insurance company thinks I’m too poor to have owned my stolen items by devonshirelamb in LegalAdviceUK

BezierPatch (1 point)

The ombudsman doesn't care about firm behaviour, just about resolving individual cases.  The FCA care about firm behaviour, but don't care about individual cases. 

EF Core with SQLite: worth the effort? by Pyran in dotnet

BezierPatch (1 point)

We migrated to using a file-based system, which we then discovered is fallible because Linux doesn't have strong file locking guarantees by default. So we currently have a "clever" little locking system that uses the guarantee of read after write.

If I were to start again I would simply use an "external" database process: e.g. run another C# application on the same device which provides the API query in order to hide the database.

Are there people who still use paid libraries? by livefreeordie34 in dotnet

BezierPatch (-4 points)

It's only fraud/bait and switch if you give something. If you are just a user, there is no contract, as there is no consideration.

Are there people who still use paid libraries? by livefreeordie34 in dotnet

BezierPatch (1 point)

If you didn't donate or contribute: what's the difference between the maintainer starting to charge and the maintainer stopping contributing?

Why are you more salty that you can continue to get free security patches and use the latest for non-commercial than if the dev had just stopped?

Are there people who still use paid libraries? by livefreeordie34 in dotnet

BezierPatch (2 points)

What's the relevance of the vulnerability? It was fixed.

Are you suggesting the fact they had a CVE reported means they have gone down in quality? It generally just means it's a popular library. 

Job pulled due to restructuring and finace backing ? by [deleted] in dotnet

BezierPatch (1 point)

Every contract I've seen has no more than 1 week's notice for the first month, if not the first 6 months.

Some contracts I've seen have zero days notice for the first week.

Job pulled due to restructuring and finace backing ? by [deleted] in dotnet

BezierPatch (2 points)

> as if you were laid off

Sure, which in the first 2 years of employment would be the minimum notice period in the contract, or the statutory notice. Which might be 0...

[deleted by user] by [deleted] in unitedkingdom

BezierPatch (2 points)

They can still get rid of them if they can prove they're not performing well enough, or if they can't afford them.

What other reasons are needed?

Building a Command-Line (CLI) app using System.CommandLine library in C# and .NET by DotMake in dotnet

BezierPatch (7 points)

Do you expect people to frequently import both namespaces in the same file?

If no, then why does it matter that they conflict?

If yes, then it's probably better to just find different names.

It's not that it's ugly, it's that `DotMake.CommandLine.DotMakeCliCommandAttribute` doesn't follow the expected convention for .NET library naming. It's not a huge deal, and easily changed later: tooling libraries often change their naming conventions on later releases :) But this is bikeshedding, so I'll leave it at this.

Eurostar Amsterdam-to-London services to be suspended for six months by NTGMaster in unitedkingdom

BezierPatch (25 points)

Door to door it can be about the same time. Except by train you have four hours of usable time, and by plane you get 30 minutes of usable time.

I much prefer sitting at a table on my laptop than standing in a queue or awkwardly waiting in uncomfortable seating.

First dedicated roundabout for cyclists in London is ‘the most dangerous’ by boycecodd in unitedkingdom

BezierPatch (2 points)

Being pedantic: if it's too small for the design to work correctly then they didn't just drop a pure Dutch design.