Yesterday, the .NET Framework team posted an item announcing service updates to .NET libraries released via NuGet. Please read the full post.
I think this is a very significant announcement because of what it means for Open Source in the .NET Ecosystem. It means you get the best of both worlds for these libraries: Open Source, and commercial security update and rollout. Microsoft has created a way to update vulnerable libraries that you include via NuGet and upgrade any of your customers’ machine if they are affected by a security vulnerability. You, as a developer, get the convenience of NuGet, regular updates, and you keep control over when you upgrade those libraries. But you also get deployment support in ways no other Open Source community manages. If one of the NuGet based libraries you are using is vulnerable, your customers’ machines (servers or clients) will receive the security updates via the normal Windows Update mechanism.
In and of itself, this is a super cool feature. It’s a brilliant innovation. But what it means for the .NET ecosystem is even bigger. Traditionally, the .NET Framework components were all released en masse, with the languages and the Visual Studio IDE. That many dependencies led to longer release cycles. Everyone had to be in sync. Microsoft moved to releasing more .NET Assemblies of band via NuGet. ASP.NET MVC, Entity Framework, SignalR, and WebAPI, to name a few. This does a lot to increase the velocity of releases. But what of the support? For a while, developers needed to watch for updates to any of the libraries they used, and rollout their own patches quickly in the case of any security vulnerabilities. Now, we can enjoy the increased velocity that comes with uncoupling individual components from major releases without incurring the increased risk of being responsible for downloading and applying security patches to every .NET component we use. And, especially, the cost associated with applying those patches to all your customers’ machines.
It’s a well thought out strategy that enables velocity and customer support.
All of these projects are Open Source (using the Creative Commons license for content, and the MIT license for code). If you would like to contribute, visit our GitHub Repository. Or, if you have questions, comments, or ideas for improvement, please create an issue for us.