byteSamurai closed 1 year ago
Just once more:
Dotnet 5.0 is end of life, but we'll support it anyway, right?
I am not 100% sure what developers use daily and how quickly they forget about .NET. Since there's no more work or less work to be done to keep support for a given framework, I guess there is no harm in publishing the library for an out-of-support framework? I guess any company that runs this is on their own, security-wise, and has their own processes. Unless there is a need to specifically code something different for NET 5 and NET 7, I would leave it as it is.
I get your point. Let me describe a scenario: A web service makes use of OfficeIMO and .NET5.0. A zero-day vulnerability allows an attacker to directly modify the in-memory document. This way, he adds a modified image to the generated document and makes use of a vulnerability in Word.
Though they should not run .NET5.0 (and we both know how some business decisions are done these days), they could blame OfficeIMO.
Additionally, MS also posts that IDE support for .NET5.0 will be dropped:
> The .NET 5.0 SDK versions will continue to be supported in VS 16.11 until December of 2022 when .NET Core 3.1 goes out of support so that .NET Core 3.1 customers can continue to use 16.11 to develop their applications.

> I guess any company that runs this is on their own, security-wise, and has their own processes.

I respect your decision, but I would consider removing .Net5.0. In the worst case, we forget about it and it will be used in an exploit in a few months, resulting in negative reputation for OfficeIMO. #my2cts
Sure, we can remove .NET 5.0. Although you can always argue that if you had your app in NET 5.0 the vulnerability would be related to NET 5.0 and you running an unsupported product. Blaming everyone but yourself is a bit of a moot point. On the other hand, if it's part of the OfficeIMO problem, it will be present in all versions.
To be honest, I am not really worried about NET 5.0 because, most likely, if you use NET 5.0 you usually jump to new versions pretty soon to get all the cool stuff. I'm more worried about the upcoming 3.1 end of life and that's why I hesitated.
So you can remove NET 5.0 in the PR, but just a thought on the 3.1 which is LTS.
At the moment, macOS users are not able to run this project, due to a lack of target frameworks on their platforms and missing dependencies, e.g. the Test project requires a line like this:
Definition of Done: