Open ygoe opened 8 months ago
Are you running into any issues? The package is working as it is.
@fszlin I agree with @ygoe here, it does seem a bit spooky that there are no changes for many years in the repo, and then a new version pops up. I also would like to know where the code for those changes is?
Update: Yes, it works, as far as I can tell. But in the light of the recent supply chain attack with that compression library, some more transparency is needed here. Everybody should be able to build the library from the verifiable source code. If that's not possible, the library is no longer available as open source.
@ygoe Exactly, that was a bit of a wake-up call, and it is best to be cautious. This has been stale for so long, it makes trust a bit hard even with a comment from the author, which did not answer your questions at all!
Could you elaborate and show us the code for version 3.0.x, @fszlin?
The NuGet package commit hash in the assembly info, `3.0.4+Branch.release.Sha.ffa00c6061b49de17901df0cd997cc7531e1607e`, matches the GitHub commit hash for the latest commit (currently):
https://nuget.info/packages/Certes/3.0.4
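The check described in the comment above can be scripted: open the `.nupkg` (a zip), scan each shipped assembly for the `version+Branch.<name>.Sha.<commit>` informational version string, and compare it with the commit you expect. This is an added example, not code from the Certes project or from anyone in this thread; the nupkg it inspects is a constructed stand-in carrying the version string quoted above, and the function names are my own. Note that the embedded commit hash is only what the build declared about itself; confirming that the binary really came from that commit still requires rebuilding from the tagged source and comparing.

```python
import io
import re
import zipfile

# Informational version format seen on this package, e.g.
# "3.0.4+Branch.release.Sha.ffa00c60...". Custom-attribute string arguments in
# .NET assemblies are stored UTF-8 encoded, so a raw byte scan finds it.
_VERSION_RE = re.compile(
    rb"(\d+\.\d+\.\d+)\+Branch\.([A-Za-z0-9_./-]+)\.Sha\.([0-9a-f]{40})"
)


def extract_build_metadata(assembly_bytes):
    """Return (version, branch, sha) from an assembly's informational
    version string, or None if no such string is embedded."""
    m = _VERSION_RE.search(assembly_bytes)
    if not m:
        return None
    return m.group(1).decode(), m.group(2).decode(), m.group(3).decode()


def check_nupkg(nupkg_bytes, expected_version, expected_sha):
    """Map each lib/**/*.dll in the package to True when its embedded
    version and commit match what we expect, False otherwise."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(nupkg_bytes)) as z:
        for name in z.namelist():
            if name.startswith("lib/") and name.lower().endswith(".dll"):
                meta = extract_build_metadata(z.read(name))
                results[name] = (
                    meta is not None
                    and meta[0] == expected_version
                    and meta[2] == expected_sha
                )
    return results


def build_sample_nupkg():
    """Constructed sample: a minimal nupkg whose single 'assembly' is just a
    PE-like header followed by the version string quoted in this thread."""
    fake_dll = (
        b"MZ\x90\x00" + b"\x00" * 16
        + b"3.0.4+Branch.release.Sha.ffa00c6061b49de17901df0cd997cc7531e1607e\x00"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Certes.nuspec", "<package/>")
        z.writestr("lib/netstandard2.0/Certes.dll", fake_dll)
    return buf.getvalue()
```

Against the real package you would pass the downloaded `.nupkg` bytes and the commit hash of the tagged release you intend to build from.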
I think Eddie has been very gracious to supply this code for the community to use, so if in doubt build your own copy. Clearly he just uses it for work and doesn't have time to support a community of users. A lot of the problems users see using the package are a direct result of the users knowing very little about ACME, Certificate Chains, or Let's Encrypt, and that's a support job in itself.
We do have a fork over at https://github.com/webprofusion/anvil which is also available as a NuGet package, but likewise we don't really support it as a community project, as it has experimental tweaks and changes specifically used in Certify The Web. We will however commercially support Certify The Web customers who also use that library.
I see the NuGet package is available in version 3.0.4 and it seems to be necessary to use it to make it work as of Feb 2024. But there is no tag in the source and no changes are documented. So is this package now closed source and undocumented? What code will I be using when installing the new package version? What kind of packaging process is this?