aspnet / AspNetIdentity

ASP.NET Identity for ASP.NET 4.x applications

Tag and document releases #17

Open ImrePyhvel opened 5 years ago

ImrePyhvel commented 5 years ago

NuGet has new Microsoft.AspNet.Identity.* versions available (2.2.2), but it is impossible to get any information about what has changed compared to previous versions or which state of the source code maps to a given version for manual verification.

Please do add all releases to publicly visible release notes (or the GitHub Releases page), add a link to it to the NuGet package metadata, and tag the corresponding codebase in git.

OzBob commented 5 years ago

Is there a diff between #aspidentity 2.1.0 vs 2.2.1 vs 2.2.2?

2.1.0 is here, but no releases: https://github.com/aspnet/AspNetIdentity/releases

No 2.2.1 nor 2.2.2 which are versions available in nuget: https://www.nuget.org/packages/Microsoft.AspNet.Identity.EntityFramework/

I'm trying to gauge the benefits of upgrading … but with no clear 'diff' between releases I can't justify it.

TechSavvySam commented 4 years ago

BUMP!

There is now a version 2.2.3 showing as available in NuGet with no sign of release notes. IMO this is a MAJOR failing in the whole NuGet system user community. There is little to no consideration given to informing the developers using NuGet packages of:

I could go on and on about this, but we here all know that this is a required function in any proper SDLC.

Zero3 commented 4 years ago

@HaoK @joeloff maybe one of you guys could provide an answer to this question? Seems like you are the only guys that ever committed to this repository, and there are no other contact details listed.

I think everybody realizes that this library is dead, but somehow these undocumented updates keep appearing on NuGet, which makes us wonder what is going on and whether it is safe to install them.

TechSavvySam commented 4 years ago

I did look at the recently completed pull requests and a couple were comment edits and the other two looked minor. I don't really know specifically how to determine what changes were in a release, but this seems to be our only option at the moment unless someone actually does release notes for a nearly stagnant project.

joeloff commented 4 years ago

The 2.2.2 build was a rebuild of 2.2.1. There was a bug in the 2.2.1 release that contained a security fix. The AssemblyFileVersion properties on the DLL were invalid. This caused a problem when the DLLs are redistributed in an MSI since upgrades will look at the AssemblyFileVersion which can be reported as 0.0.0.0 and the MSI won't install the DLL because it would consider it to be an older version.

OzBob commented 4 years ago

@joeloff thank you for the update. Could you help me find a list of differences between 2.1.0 and 2.2.2?

joeloff commented 4 years ago

@OzBob I'll see if we can find anything. Also, if you want to update from 2.1.0 I recommend the 2.2.3 package. 2.2.2 had a problem with the AssemblyFileVersion (my previous post indicated that 2.2.2 was the rebuild, that was a typo). 2.2.2 contained a security fix. 2.2.3 was a rebuild of 2.2.2 to address the file version issue.

The security issue is documented here

@HaoK the old identity repo that used to live on CodePlex is archived. Do we have the history saved somewhere? 2.1.0 was built in June 2014. I looked at the CI history, but don't see any changes other than the security issue. I did find an internal release doc for 2.2.0 that stated the following issues from CodePlex:

1991 Additional IdentityDbContext constructor
2278 ASP.net Identity ChangePassword is inefficient on the database

HaoK commented 4 years ago

I don't really recall, could we have just upgraded package versions?

joeloff commented 4 years ago

That is certainly possible, or package dependencies might have been updated, e.g. when a newer version of EF shipped. The issues I listed are the only ones I could find that internally came up on email threads when the releases shipped and I cannot find anything else in the CI history that suggest there were other issues addressed.

AndreaMinosu commented 4 years ago

Hello Mr. @HaoK and Mr. @joeloff,

> I don't really recall, could we have just upgraded package versions?

> I cannot find anything else in the CI history that suggest there were other issues addressed.

Please, I cannot understand why you could not simply do a compare between the sources of versions 2.2.1 and 2.2.3 with a utility like BeyondCompare, for example, so that you can put an end to this and definitively clarify the question, so that we all (the developers) can have a conclusive answer on this. We rely on AspNetIdentity for authentication, so this is a very important security component. Thank you for your efforts and for your help.
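
Added example, not part of the thread or of the AspNetIdentity project: when a package ships without release notes or tags, a consumer can still diff two downloaded `.nupkg` files (they are ZIP archives) by content hash and declared dependencies. The function names, the `Example.Identity` package id, the version numbers and the DLL bytes below are constructed for illustration.

```python
import hashlib
import io
import xml.etree.ElementTree as ET
import zipfile

NOISE = ("_rels/", "package/", "[Content_Types].xml")  # OPC metadata, regenerated on every pack

def read_package(data):
    """Return ({path: sha256}, {(dependency id, version range)}) for .nupkg bytes."""
    files, deps = {}, set()
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name.startswith(NOISE) or name.endswith("/"):
                continue
            body = z.read(name)
            files[name] = hashlib.sha256(body).hexdigest()
            if name.endswith(".nuspec"):
                for el in ET.fromstring(body).iter():
                    # The nuspec namespace varies by schema version: match the local name.
                    if el.tag.rsplit("}", 1)[-1] == "dependency":
                        deps.add((el.get("id"), el.get("version")))
    return files, deps

def diff_packages(old, new):
    """Summarise file and dependency changes between two package versions."""
    (f_old, d_old), (f_new, d_new) = read_package(old), read_package(new)
    return {
        "added": sorted(f_new.keys() - f_old.keys()),
        "removed": sorted(f_old.keys() - f_new.keys()),
        "changed": sorted(n for n in f_old.keys() & f_new.keys() if f_old[n] != f_new[n]),
        "deps_added": sorted(d_new - d_old),
        "deps_removed": sorted(d_old - d_new),
    }

def make_nupkg(version, ef_range, dll):
    """Build a constructed in-memory package (sample data, not a real release)."""
    nuspec = (
        '<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">'
        f"<metadata><id>Example.Identity</id><version>{version}</version><dependencies>"
        f'<dependency id="EntityFramework" version="{ef_range}" />'
        "</dependencies></metadata></package>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Example.Identity.nuspec", nuspec)
        z.writestr("lib/net45/Example.Identity.dll", dll)
        z.writestr("_rels/.rels", version)  # packaging noise, ignored by the diff
    return buf.getvalue()

if __name__ == "__main__":
    print(diff_packages(make_nupkg("1.0.0", "6.1.0", b"build-a"), make_nupkg("1.0.1", "6.1.3", b"build-b")))
```

A rebuild changes the DLL hash even when the source is identical, so a "changed" assembly tells you which file to decompile or inspect, not what changed in it.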