dotnet / source-build

A repository to track efforts to produce a source tarball of the .NET Core SDK and all its components
MIT License

[6.0] Different versions of `NuGet.Commands.dll`s between source-build and Microsoft build #3249

Open omajid opened 1 year ago

omajid commented 1 year ago

Describe the Bug

Source-build has 3 copies of NuGet.Commands.dll, compared to just 1 copy in the Microsoft-built SDK. The version numbers are also different: 6.0.3-rc.32767+c60eee85ec0109bdda894806b167bb4d55f75183 vs 6.0.3-rc.1+c60eee85ec0109bdda894806b167bb4d55f75183.c60eee85ec0109bdda894806b167bb4d55f75183, though the commit sha is the same.

source-build .NET 6.0.113:

$ find /usr/lib64/dotnet -iname 'NuGet.Commands.*'
/usr/lib64/dotnet/sdk/6.0.113/Sdks/NuGet.Build.Tasks.Pack/CoreCLR/NuGet.Commands.dll
/usr/lib64/dotnet/sdk/6.0.113/Sdks/NuGet.Build.Tasks.Pack/Desktop/NuGet.Commands.dll
/usr/lib64/dotnet/sdk/6.0.113/Sdks/NuGet.Build.Tasks.Pack/NuGet.Commands.dll
/usr/lib64/dotnet/sdk/6.0.113/NuGet.Commands.dll
$ exiftool /usr/lib64/dotnet/sdk/6.0.113/NuGet.Commands.dll
ExifTool Version Number         : 12.42
File Name                       : NuGet.Commands.dll
Directory                       : /usr/lib64/dotnet/sdk/6.0.113
File Size                       : 1939 kB
File Modification Date/Time     : 2023:01:12 15:15:03-05:00
File Access Date/Time           : 2023:02:15 10:59:18-05:00
File Inode Change Date/Time     : 2023:02:13 17:38:37-05:00
File Permissions                : -rw-r--r--
File Type                       : Win32 DLL
File Type Extension             : dll
MIME Type                       : application/octet-stream
Machine Type                    : Unknown (0xfd1d)
Time Stamp                      : 2101:06:16 11:05:07-04:00
Image File Characteristics      : Executable, Large address aware, DLL
PE Type                         : PE32+
Linker Version                  : 11.0
Code Size                       : 1505280
Initialized Data Size           : 433152
Uninitialized Data Size         : 0
Entry Point                     : 0x0000
OS Version                      : 4.0
Image Version                   : 0.0
Subsystem Version               : 4.0
Subsystem                       : Windows command line
File Version Number             : 6.0.3.32767
Product Version Number          : 6.0.3.0
File Flags Mask                 : 0x003f
File Flags                      : (none)
File OS                         : Win32
Object File Type                : Dynamic link library
File Subtype                    : 0
Language Code                   : Neutral
Character Set                   : Unicode
Comments                        : Complete commands common to command-line and GUI NuGet clients.
Company Name                    : Microsoft Corporation
File Description                : NuGet.Commands
File Version                    : 6.0.3.32767
Internal Name                   : NuGet.Commands.dll
Legal Copyright                 : © Microsoft Corporation. All rights reserved.
Original File Name              : NuGet.Commands.dll
Product Name                    : NuGet
Product Version                 : 6.0.3-rc.32767+c60eee85ec0109bdda894806b167bb4d55f75183
Assembly Version                : 6.0.3.32767

Microsoft's build of .NET 6.0.113:

$ find ~/local/dotnet/microsoft/6.0.113 -iname 'NuGet.Commands.dll'
/home/omajid/local/dotnet/microsoft/6.0.113/sdk/6.0.113/NuGet.Commands.dll
$ exiftool /home/omajid/local/dotnet/microsoft/6.0.113/sdk/6.0.113/NuGet.Commands.dll
ExifTool Version Number         : 12.42
File Name                       : NuGet.Commands.dll
Directory                       : /home/omajid/local/dotnet/microsoft/6.0.113/sdk/6.0.113
File Size                       : 1406 kB
File Modification Date/Time     : 2022:12:01 20:36:36-05:00
File Access Date/Time           : 2023:02:15 11:02:37-05:00
File Inode Change Date/Time     : 2023:02:15 11:02:37-05:00
File Permissions                : -rw-r--r--
File Type                       : Win32 DLL
File Type Extension             : dll
MIME Type                       : application/octet-stream
Machine Type                    : Unknown (0xfd1d)
Time Stamp                      : 2084:09:06 01:19:40-04:00
Image File Characteristics      : Executable, Large address aware, DLL
PE Type                         : PE32+
Linker Version                  : 11.0
Code Size                       : 1081856
Initialized Data Size           : 323584
Uninitialized Data Size         : 0
Entry Point                     : 0x0000
OS Version                      : 4.0
Image Version                   : 0.0
Subsystem Version               : 4.0
Subsystem                       : Windows command line
File Version Number             : 6.0.3.1
Product Version Number          : 0.0.0.0
File Flags Mask                 : 0x003f
File Flags                      : (none)
File OS                         : Win32
Object File Type                : Dynamic link library
File Subtype                    : 0
Language Code                   : Neutral
Character Set                   : Unicode
Comments                        : Complete commands common to command-line and GUI NuGet clients.
Company Name                    : Microsoft Corporation
File Description                : NuGet.Commands
File Version                    : 6.0.3.1
Internal Name                   : NuGet.Commands.dll
Legal Copyright                 : © Microsoft Corporation. All rights reserved.
Original File Name              : NuGet.Commands.dll
Product Name                    : NuGet
Product Version                 : 6.0.3-rc.1+c60eee85ec0109bdda894806b167bb4d55f75183.c60eee85ec0109bdda894806b167bb4d55f75183
Assembly Version                : 6.0.3.1

32767 is Int16.MaxValue.

dotnet-issue-labeler[bot] commented 1 year ago

I couldn't figure out the best area label to add to this issue. If you have write-permissions please help me learn by adding exactly one area label.

omajid commented 1 year ago

Looks like it's set from https://github.com/NuGet/NuGet.Client/blob/55728432057dc57733661fe01e9c8493ab5034f2/build/common.project.props#L117-L119:

  <PropertyGroup Condition=" '$(PreReleaseVersion)' == '' ">
    <PreReleaseVersion>32767</PreReleaseVersion>
  </PropertyGroup>

MichaelSimons commented 1 year ago

[Triage] NuGet is a non-arcade repo which may be the source of the version number differences.

omajid commented 1 year ago

I am focusing this issue on the version number mismatch only.

The too-many-NuGet.Commands-dlls problem is a general issue related to the source-build-vs-Microsoft baselines that's being handled elsewhere.

crummel commented 1 year ago

Bringing this one up to triage again. One possibility is that we should focus on fixing this in 8.0, possibly by pushing NuGet to adopt Arcade so their versioning works the same way as everything else.

MichaelSimons commented 1 year ago

[Triage] @Crummel, Can you link this to the NuGet issue regarding getting them onboarded onto Arcade?

MichaelSimons commented 1 year ago

[Triage] The priority of fixing this in servicing would be higher if the NuGet vulnerabilities caused by the version diff become the only vulnerability being reported. Right now there are numerous vulnerabilities because of https://github.com/dotnet/sdk/issues/30659. Once that issue is resolved, we should re-assess the situation.

tmds commented 1 year ago

Question: are the version numbers on the assemblies produced by source-build expected to match with those on Microsoft build?

If so, can we add a test to source-build that verifies they do?

omajid commented 1 year ago

Sounds like https://github.com/dotnet/source-build/issues/3145 should cover this?

MichaelSimons commented 1 year ago

Question: are the version numbers on the assemblies produced by source-build expected to match with those on Microsoft build?

It is desirable. One reason for this is related to vulnerabilities. Security scanners can associate vulnerabilities with particular versions. If the source-build versions don't align with Microsoft, this can cause mis-information.

tmds commented 1 year ago

Does source-build 'fake' version numbers?

The trigger for my question was to use version numbers as a way of checking the same sources were used. If source-build overrides them, then that relationship is gone.

tmds commented 1 year ago

The trigger for my question was to use version numbers as a way of checking the same sources were used. If source-build overrides them, then that relationship is gone.

Maybe we could check commit sha's (instead of version numbers) for this?
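
The check proposed here (compare the source commit carried in the build metadata rather than the pre-release counter) can be scripted directly against the informational version that exiftool prints as "Product Version". The following is an added example written for this page, not code from the source-build or NuGet repositories; the two version strings and the exiftool excerpt are copied from the report at the top of this issue, the placeholder detection relies on the 32767 default from NuGet.Client's common.project.props quoted above, and the function names are this example's own.

```python
import re

# Constructed sample input: the two "Product Version" values reported for
# NuGet.Commands.dll (source-build first, Microsoft build second).
SOURCE_BUILD = "6.0.3-rc.32767+c60eee85ec0109bdda894806b167bb4d55f75183"
MICROSOFT = ("6.0.3-rc.1+c60eee85ec0109bdda894806b167bb4d55f75183"
             ".c60eee85ec0109bdda894806b167bb4d55f75183")

# Constructed excerpt of exiftool output, as shown in the issue.
EXIFTOOL_SAMPLE = """File Version                    : 6.0.3.32767
Product Name                    : NuGet
Product Version                 : 6.0.3-rc.32767+c60eee85ec0109bdda894806b167bb4d55f75183
Assembly Version                : 6.0.3.32767
"""

# NuGet.Client's build/common.project.props substitutes 32767 (Int16.MaxValue)
# for PreReleaseVersion when none is set, so this value means "no real counter".
UNSET_PRERELEASE = "32767"

# SemVer 2.0 shape: core, optional -prerelease, optional +buildmetadata.
SEMVER_RE = re.compile(
    r"^(?P<core>\d+\.\d+\.\d+)"
    r"(?:-(?P<pre>[0-9A-Za-z.-]+))?"
    r"(?:\+(?P<meta>[0-9A-Za-z.-]+))?$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def product_version_from_exiftool(output):
    """Pull the 'Product Version' value (the AssemblyInformationalVersion) out of
    exiftool's key/value text. The pattern requires the colon right after the key,
    so 'Product Version Number' is not matched by mistake."""
    m = re.search(r"^Product Version\s+:\s*(\S+)\s*$", output, re.MULTILINE)
    if not m:
        raise ValueError("no 'Product Version' line in exiftool output")
    return m.group(1)


def parse_informational_version(text):
    """Split an informational version into (core, prerelease, build metadata)."""
    m = SEMVER_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a SemVer string: {text!r}")
    return m.group("core"), m.group("pre"), m.group("meta")


def commit_shas(meta):
    """Return the distinct 40-hex-digit identifiers in the build metadata, in order
    of first appearance. The Microsoft build repeats the sha twice; dedupe it."""
    if not meta:
        return []
    seen = []
    for part in meta.split("."):
        if SHA_RE.match(part) and part not in seen:
            seen.append(part)
    return seen


def prerelease_is_placeholder(pre):
    """True when the numeric pre-release component is the 32767 default."""
    if not pre:
        return False
    return pre.split(".")[-1] == UNSET_PRERELEASE


def compare_builds(a, b):
    """Compare two informational versions: same version core and same source
    commit count as 'same sources', whatever the pre-release counter says."""
    core_a, pre_a, meta_a = parse_informational_version(a)
    core_b, pre_b, meta_b = parse_informational_version(b)
    shas_a, shas_b = commit_shas(meta_a), commit_shas(meta_b)
    return {
        "same_core": core_a == core_b,
        "same_prerelease": pre_a == pre_b,
        "same_commit": bool(shas_a) and shas_a == shas_b,
        "placeholder_prerelease": [prerelease_is_placeholder(pre_a),
                                   prerelease_is_placeholder(pre_b)],
        "commits": [shas_a, shas_b],
    }


if __name__ == "__main__":
    sb = product_version_from_exiftool(EXIFTOOL_SAMPLE)
    for key, value in compare_builds(sb, MICROSOFT).items():
        print(f"{key}: {value}")
```

Run against the two values from this issue, the comparison reports matching core and commit but a differing pre-release, with the source-build side flagged as carrying the 32767 placeholder; that is exactly the case where a version-string equality check would wrongly report different sources.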

tmds commented 1 year ago

I've added a comment to the version check issue to check shas as well: https://github.com/dotnet/source-build/issues/3145#issuecomment-1466272911.

crummel commented 1 year ago

The existing issue I was thinking of was https://github.com/NuGet/Home/issues/11059, which I've added a comment about the broader versioning aspect to.

MichaelSimons commented 1 year ago

This requires NuGet to onboard onto arcade which is tracked with https://github.com/NuGet/Home/issues/12731.