
NuGet should report lifting from runtime-band to latest servicing for .NET packages #14085

@richlander

Description

We've been releasing libraries under two different models for many years. We recently documented our practices. The differences between the two models are user-observable and can (and will) affect key performance and compliance metrics that users (and we) care about. We need to provide users with diagnostic information so that they understand the impact of their actions (when they add/update a PackageRef). In many cases, it is difficult and impractical for the user to determine the impact on their own. It's logically similar in difficulty to getting a user to realize that there is a CVE in a package w/o the E2E audit experience we recently provided.

We also need to write new guidance. What should a library provider (for example, OpenTelemetry) do if they update/add a PackageRef and see this diagnostic? Let's assume they have a net8.0 library and the new PackageRef lifts them to 9.0-era libraries.

Options:

  1. Back out the change
  2. Keep that (singular) 9.0 reference since the functionality is needed (AKA, ignore the warning)
  3. Adopt the runtime-band policy
  4. Go all in and update all libraries to 9.0

At present, we don't have any guidance on this. We don't need to wait for the diagnostic to write the guidance. It's not entirely obvious what the guidance (in terms of offering a preferred option) should be. However, we know that the last option should be generally avoided since it is likely to have unintended negative consequences on users. Each lifted reference will result in apps growing in size, CVE exposure, and (as a result) additional servicing responsibility for both the library and app owners.

The primary issue with being able to define good guidance is that we need to decide what our own behavior will be, since some of our own packages lift references. I'm assuming we'll choose option 2 above. We'll see.

Related:
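A manual stand-in for the diagnostic the issue asks for, as an added example that is not NuGet's or the issue author's code: it parses an SDK-style csproj and flags direct PackageReferences to runtime-band packages whose major version is newer than the oldest net*.0 target. The prefix list, the constructed sample project and the rule "package major above TFM major means lifted" are assumptions; transitive lifts would need project.assets.json and are not covered.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a net8.0 library that just added a 9.0-era PackageReference.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFrameworks>net8.0;netstandard2.0</TargetFrameworks>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Microsoft.Extensions.Logging.Abstractions" Version="8.0.1" />
    <PackageReference Include="System.Text.Json" Version="[9.0.0,)" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  </ItemGroup>
</Project>
"""

# Assumption (heuristic, not NuGet policy): packages under these prefixes ship with the
# runtime band, so their major version tracks the runtime major they were built for.
PLATFORM_PREFIXES = ("System.", "Microsoft.Extensions.")


def target_majors(root):
    """Major versions of every net<major>.<minor> TFM the project targets (netstandard ignored)."""
    majors = []
    for tag in ("TargetFramework", "TargetFrameworks"):
        for el in root.iter(tag):
            for tfm in (el.text or "").split(";"):
                m = re.fullmatch(r"net(\d+)\.\d+", tfm.strip())
                if m:
                    majors.append(int(m.group(1)))
    return majors


def lifted_references(csproj_xml):
    """Return (package, version, tfm) for direct platform refs newer than the oldest TFM."""
    root = ET.fromstring(csproj_xml)
    majors = target_majors(root)
    if not majors:
        return []
    oldest = min(majors)  # the runtime band the library still claims to support
    lifted = []
    for ref in root.iter("PackageReference"):
        name = ref.get("Include", "")
        version = ref.get("Version") or ref.findtext("Version") or ""
        if not name.startswith(PLATFORM_PREFIXES):
            continue  # third-party packages do not belong to a runtime band
        m = re.match(r"[\[(]?\s*(\d+)\.", version)  # tolerate range syntax like [9.0.0,)
        if m and int(m.group(1)) > oldest:
            lifted.append((name, version, f"net{oldest}.0"))
    return lifted
```

Each tuple returned is one reference that would pull the library's net8.0 consumers into the newer servicing band the issue describes.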
