Question

I'm browsing NuGet libraries from an author and see questionable content, something that doesn't have the same quality as some of the prior work I've seen.

How do I know that the author of a Nuget package is really that person?

Can I extend that trust into the built-in update process of Nuget?


Solution

The "author" is simply metadata that is included in the .nuspec file. See http://docs.nuget.org/docs/reference/nuspec-reference. This can be different from the package owner/creator.

In the beginning when NuGet was starting out, there were a few people that were creating packages for projects that they didn't author mainly to get the package in the repository.

Now that NuGet is more established, it is recommended that people contact the project owner and have them create their own NuGet package.

For packages that have already been uploaded to the repository by someone other than the author, the author can request to have the ownership transferred to them.

Since there's no guarantee that the package creator is the original author, I'm not sure how that affects trust. However, if you install a package, it is pretty safe to say that updates will either be from the same person that created the initial package, or potentially it will have transferred to the actual author of the project.

In other words, trust will likely be the same or perhaps better (if actual author), but seldom worse than the original package you installed.

Hope that helps.

Other tips

I know this is a fairly old question, but this is the best answer I've found. I'd like to add my $.02 to the till. I've got a couple of packages on nuget.org that are based on another package. Unity.Mvc3.VB, Unity.Mvc3.DLL, and I'm working on a Unity.Mvc4.VB package. They're all based on Unity.Mvc3 from devtrends. The DLL project basically just installs the assembly reference for Unity.Mvc3 without the c# source code files so that it's a little easier to use in projects of other languages. The VB package(s) include VB.Net versions of the C# source files. Since I didn't write anything other than the nuspec file in the DLL package, I just listed Paul Hiles as the author and myself as the package owner.

For the VB package(s), again I'm listed as the owner, but for the author I list Paul and myself with each of our contributions in parentheses like so:

(Image: Nuget Package Attribution)

The idea is that I'm giving credit to the original author of my derivative work.
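Both answers above come down to the same point: the author string lives inside the package, in the .nuspec, and is whatever the uploader typed there, while ownership is a separate fact held by the gallery account. The script below is an added example, not code from the question, the answers, or the NuGet project: it builds a constructed .nupkg in memory (a .nupkg is a zip archive with the .nuspec at its root), reads the id, version, authors and owners back out, and fingerprints the package bytes with SHA-512. The package id, the names in the authors field and the owner value are all made up for the demonstration.

```python
"""Read author/owner metadata out of a .nupkg and fingerprint it (added example)."""
import hashlib
import io
import xml.etree.ElementTree as ET
import zipfile

# Constructed sample .nuspec; the id, authors and owners are invented for this example.
# The namespace is the one NuGet's nuspec reference documents.
SAMPLE_NUSPEC = """<?xml version="1.0"?>
<package xmlns="http://schemas.microsoft.com/packaging/2010/07/nuspec.xsd">
  <metadata>
    <id>Example.Derived.Package</id>
    <version>1.2.3</version>
    <authors>Original Author (library), Repackager (VB port)</authors>
    <owners>repackager-account</owners>
    <description>Constructed sample package for demonstration only.</description>
  </metadata>
</package>
"""


def build_sample_nupkg(nuspec_xml: str = SAMPLE_NUSPEC) -> bytes:
    """Assemble a minimal .nupkg (zip) with a fixed timestamp so the bytes are reproducible."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in (
            ("Example.Derived.Package.nuspec", nuspec_xml.encode("utf-8")),
            # Placeholder assembly content; a real package would carry a compiled DLL here.
            ("lib/net45/Example.Derived.Package.dll", b"\x00constructed placeholder\x00"),
        ):
            info = zipfile.ZipInfo(name, date_time=(1980, 1, 1, 0, 0, 0))
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()


def _local_name(tag: str) -> str:
    """Strip the XML namespace from an element tag ('{ns}id' -> 'id')."""
    return tag.rsplit("}", 1)[-1]


def _split_list(value: str) -> list:
    """authors/owners are comma-separated free text in the nuspec."""
    return [part.strip() for part in value.split(",") if part.strip()]


def read_nuspec_metadata(nupkg_bytes: bytes) -> dict:
    """Return id, version, authors, owners and a SHA-512 fingerprint of the package bytes."""
    with zipfile.ZipFile(io.BytesIO(nupkg_bytes)) as zf:
        # The .nuspec sits at the archive root; anything nested is not the manifest.
        candidates = [n for n in zf.namelist() if n.lower().endswith(".nuspec") and "/" not in n]
        if len(candidates) != 1:
            raise ValueError(f"expected exactly one root .nuspec, found {candidates}")
        root = ET.fromstring(zf.read(candidates[0]))

    metadata = next((child for child in root if _local_name(child.tag) == "metadata"), None)
    if metadata is None:
        raise ValueError("nuspec has no <metadata> element")
    fields = {_local_name(child.tag): (child.text or "").strip() for child in metadata}

    return {
        "id": fields.get("id", ""),
        "version": fields.get("version", ""),
        "authors": _split_list(fields.get("authors", "")),
        "owners": _split_list(fields.get("owners", "")),
        # The hash covers the whole archive, nuspec included, so any edit to the
        # author string changes the fingerprint even though the field itself is unverified.
        "sha512": hashlib.sha512(nupkg_bytes).hexdigest(),
    }


if __name__ == "__main__":
    pkg = build_sample_nupkg()
    for key, value in read_nuspec_metadata(pkg).items():
        print(f"{key}: {value}")
```

The takeaway the script makes concrete is that nothing in the archive lets you verify the authors field; it parses like any other string. What you can pin is the package hash, which is what NuGet's own lock file records for a restored package, so a changed hash on the same id/version is the signal worth alerting on, not a changed author name.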

Kiliman's answer is correct and comprehensive. I would like to add that it is up to the community to start writing reviews of nuget packages in the NuGet Gallery. Reviews are very few and far between and they have a star-rating system, so if you don't think a package is useful, or if you have concerns about a particular package, write them there and help your fellow programmers.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow