fslaborg / Deedle

Easy to use .NET library for data and time series manipulation and for scientific programming
http://fslab.org/Deedle/
BSD 2-Clause "Simplified" License

Update to latest NetOffice Excel package #505

Closed jozefizso closed 3 years ago

jozefizso commented 3 years ago

Update Excel package to 1.7.4.11

PS: Packages are changed to the NetOfficeFw because those contain the latest code.

tpetricek commented 3 years ago

I had a look at the migration notice here: https://netoffice.io/migrate-notice/. Is this saying that the original versions have been hacked?

For an outsider, it is quite hard to tell what's going on here. Can you please add a bit more background about this? Were you the maintainer of the "netoffice" versions of the packages but somehow lost access to those? If so, wouldn't NuGet administrators be able to restore that? Looking at your recent work on the project, it is clear to see that you are actively working on the project, but changing the NuGet package name sounds like an extreme measure.

jozefizso commented 3 years ago

The original code author of NetOffice is Sebastian. He developed the code on Codeplex and moved the code to OSDN. He did not want to move to GitHub, but he approved that I can make a mirror at https://github.com/NetOfficeFw (see https://archive.codeplex.com/?p=netoffice, the "Project has moved to" section).

On GitHub, the @netoffice organization was already taken by somebody, and the person was not communicating with Sebastian or me.

To publish the latest NetOffice code (from OSDN), I had to choose a new name for the NuGet packages. I chose NetOfficeFw.

You can check manually that the assemblies published at https://osdn.net/projects/netoffice/releases/ are the same binaries I published in https://www.nuget.org/packages/NetOfficeFw.Excel/1.7.4.3. E.g. the ExcelApi.dll SHA-256 checksum is 7a3c64dc8551e2781edd329ac25d7c6a377293bf3a80ff7d2c1a015f0d16fb8e

When Sebastian published NetOffice 1.7.4.3, suddenly somebody from @netoffice published NetOffice.Excel 1.7.4.4 (one version higher, yet at the time, no such official NetOffice release was made). This is the package: https://www.nuget.org/packages/NetOffice.Excel/1.7.4.4. When you download this package manually, you can see the ExcelApi.dll files are version 1.7.3 - therefore I consider this a rogue and malicious release.

Meanwhile, Sebastian is not working on NetOffice anymore and I was occasionally fixing small bugs. Releases from the @NetOfficeFw organization are signed by an Authenticode certificate, so you can check that you get the original NuGet packages and also assemblies.

Two days ago, @erikaleblanc88 published other NetOffice.Excel packages - version 1.7.4.11. That package contains old and modified NetOffice assemblies. I am not sure why @augustoproiete gave her access to the https://github.com/netoffice/NetOffice-NuGet repository.

I am sorry for this trouble but this rogue release of NetOffice.Excel really upset me and I had to do something.

I see you are using NetOffice for a good cause and I would like you to use the correct code. That's why I made the PR.

PS: I contacted NuGet and GitHub numerous times, but unfortunately they cannot do anything.
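
The manual check described in the comment above (comparing the assemblies inside a NuGet package with those in the upstream release archive by SHA-256) can be scripted. This is an added example, not part of the original thread or of either project; the function names, the `lib/net45` style entry paths and the sample bytes are constructed assumptions.

```python
import hashlib
import io
import zipfile
from pathlib import PurePosixPath

def assembly_hashes(package):
    """Map each .dll entry in a .nupkg or release .zip to its SHA-256 hex digest."""
    hashes = {}
    with zipfile.ZipFile(package) as archive:
        for info in archive.infolist():
            if info.is_dir() or not info.filename.lower().endswith(".dll"):
                continue
            digest = hashlib.sha256()
            with archive.open(info) as member:
                for chunk in iter(lambda: member.read(65536), b""):
                    digest.update(chunk)
            hashes[info.filename] = digest.hexdigest()
    return hashes

def compare_to_release(nupkg, release):
    """Classify every DLL in the package against same-named DLLs in the release."""
    trusted = {}
    for path, digest in assembly_hashes(release).items():
        trusted.setdefault(PurePosixPath(path).name.lower(), set()).add(digest)
    report = {"match": [], "mismatch": [], "unknown": []}
    for path, digest in sorted(assembly_hashes(nupkg).items()):
        known = trusted.get(PurePosixPath(path).name.lower())
        if known is None:
            report["unknown"].append(path)      # not shipped in the release at all
        elif digest in known:
            report["match"].append(path)        # byte-identical to a release file
        else:
            report["mismatch"].append(path)     # same name, different contents
    return report

def make_archive(files):
    """Build an in-memory zip from {path: bytes}; used for the constructed samples."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        for path, data in files.items():
            archive.writestr(path, data)
    return buffer

if __name__ == "__main__":
    # Constructed sample bytes and layout, not real NetOffice files.
    release = make_archive({"NetOffice/ExcelApi.dll": b"release build"})
    package = make_archive({"lib/net45/ExcelApi.dll": b"release build",
                            "lib/net40/ExcelApi.dll": b"older build"})
    print(compare_to_release(package, release))
```

For a real check, pass the paths of the downloaded `.nupkg` and the upstream release archive; a single digest from `assembly_hashes` can also be compared with a published checksum such as the one quoted in the comment.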

tpetricek commented 3 years ago

Thank you so much @jozefizso for the explanation. To provide more background, I also received the following email from @erikaleblanc88:

Hi Tomas, Adam, and Zhenyong,

I apologize for reaching out to you directly, but I thought it would be important for me to give you a heads up about Jozef Izso who is trying to make changes to your Deedle project in order to hijack your NuGet dependencies.

He has been trying for a while to do a hostile takeover of the project that I maintain along with a couple of friends (NetOffice). I have contacted GitHub and NuGet.org and hopefully they'll remove his account soon, but until then I can only alert users of my libraries.

The official packages for NetOffice are here: https://github.com/netoffice/NetOffice-NuGet and they are hosted in NuGet under the user "netofficedotnet".

I recommend you decline his pull-request. You are already using the correct NuGet packages - no further action needed. The packages with the "Fw" suffix are the malicious ones created by Jozef Izso and I have no idea if they have malware today, or if they will in the future.

If you would like to update your packages to the latest version (1.7.4.11) make sure you update to the right ones (NetOffice).

Kind Regards, Erika.

... which is why I'm trying to figure out what is going on! It seems that the version maintained by @jozefizso is the more active recent one. One thing I still do not understand is who has been releasing the NuGet packages NetOffice.Core etc. (which have been around for longer than NetOfficeFw.Core etc. according to the NuGet history).

jozefizso commented 3 years ago

I'm really sorry for this, I did not want you to be taken into such politics and intrigues.

Regarding the email, I have only this to say:

Here is my official request about moving forward with the NetOffice project: https://web.archive.org/web/20170913124442/https://github.com/netoffice/NetOffice/issues/3. At the time, @caioproiete agreed to have a Skype call with me and Sebastian. It looks like @caioproiete is the one owning the @netoffice org at the time. That call never happened because @caioproiete was not communicating.

At a later time, he just deleted everything: https://web.archive.org/web/20181107215735/https://github.com/netoffice/NetOffice/issues/3

It's sad they are trying to ruin the project. I'm signing the code with my personal GPG key and signing the assemblies and nuget packages with my certificates. It's the best I can do to ensure the trust (especially in this complicated fork and project migration).

And I'm denying all the accusations of Erika.

jozefizso commented 3 years ago

NetOffice.Core package was released by @augustoproiete (at the time of Codeplex and up to version 1.7.3). He was the owner of the NuGet account before it moved to netofficedotnet.

Latest NetOffice.Core 1.7.4.4 and 1.7.4.11 were published by @erikaleblanc88.

tpetricek commented 3 years ago

@jozefizso thank you very much for providing all those details and extra evidence! As you can probably guess, it's very hard to see what's going on for an outsider, so your replies have been invaluable in clarifying this. Thank you for your hard work on maintaining NetOffice!

@zyzhu As long as you are also happy with the explanation, I think we should merge the PR.

zyzhu commented 3 years ago

@tpetricek Thanks for looking into this. @jozefizso Thanks for the detailed explanation. The new repo https://github.com/NetOfficeFw/NetOffice/issues has a lot more users involved than the old repo https://github.com/NetOffice/NetOffice/issues. Documentation looks very genuine: https://netoffice.io/

The CI documentation test failure is due to World Bank API change. https://datahelpdesk.worldbank.org/knowledgebase/articles/889386-developer-information-overview @tpetricek, take a look at this pull and merge it so that FSharp.Data won't fail on getting data from World Bank https://github.com/fsharp/FSharp.Data/pull/1320