No OnixLabs packages exist on www.nuget.org

[jesuslpm]

You say that there are two packages:

• OnixLabs.Security.Cryptography
• OnixLabs.Core

But none of them exist on nuget.org

[MrMatthewLayton]

@jesuslpm I don't publish to nuget.org. Instead the packages are published to GitHub's nuget package management repository: https://github.com/orgs/onix-labs/packages?repo_name=onixlabs-dotnet

[xaevik]

@MrMatthewLayton I know this issue was closed awhile back but I wanted to provide some feedback on why this choice is problematic. Publishing these artifacts on GitHub Packages severely limits the scope of adoption as an authentication token is required to access packages even if they are on a public repository.

I had plans to replace the dependency that my library cuid.net has on BouncyCastle.Cryptography with OnixLabs.Security.Cryptography but cannot because of this limitation as I cannot guarantee the consumers of my library have access to GitHub.com either directly or on their CI/CD infastructure.

GitHub Packages were really meant for private dependency distribution, not public consumption.

[MrMatthewLayton]

@xaevik Thanks for that feedback, that's useful to know. Let me see what I can do about publishing to nuget.org. Last time I tried I was tied in knots just trying to authenticate my nuget account, and they seem to have horrific support for that.

Out of interest, which components of the cryptography library were you interested in using?

[xaevik]

@MrMatthewLayton you can reference https://github.com/visus-io/cuid.net/blob/main/.github/workflows/release.yaml as a guide if you'd like as it takes care of packing and publishing on NuGet.

[MrMatthewLayton]

@xaevik Thanks. I'll see what I can do over the weekend.

[MrMatthewLayton]

@xaevik Just to keep you in the loop, I haven't forgotten about this. I've set up a new account for nuget.org, so I will aim to build and release the packages asap, time permitting.

[xaevik]

@MrMatthewLayton no worries, I figured you'd get to it when you get to it. The dependency change is not critical to the library currently, and I need to submit a PR anyway it to add support for LTS releases of .NET

[MrMatthewLayton]

@jesuslpm @xaevik Both packages have now been released to nuget.org!

• OnixLabs.Core
• OnixLabs.Security.Cryptography

Apologies for the holdup. I never really expected that I would get much interested in them. I will likely release version 6.0.0 next year, and it will likely target .NET 8.0

[xaevik]

@MrMatthewLayton phenomenal, I will conduct testing with them against cuid.net later this week as that would very much lower the size of the transient dependencies and allow greater portability.

I am not sure how much of the loop you've been in with regards to SHA-3 support in .NET but it is making it (partially) into .NET 8 (and subsequently 9). You can review dotnet/runtime#20342 and dotnet/runtime#84132 for additional details but the gist of it is that they will expose an IsSupported boolean property for all SHA-3 algorithm types to let you know if the underlying platform supports it. The scope of the underlying OS support is still basically limited though:

• Windows 11 Build 25324 or higher (FIPS-202 compliant)
• GNU/Linux with OpenSSL >= 1.1

Apple Crypto does not support SHA-3 still and the dotnet team chose not to depend on OpenSSL for that platform as its not fully native but at least it's now a step in the right direction.

[jesuslpm]

@MrMatthewLayton

Great news, thank you very much.

[MrMatthewLayton]

@xaevik

I am not sure how much of the loop you've been in with regards to SHA-3 support in .NET but it is making it (partially) into .NET 8 (and subsequently 9)...

Yes, I think this is the moment we've all been waiting for. When I first encountered SHA-3, it was the Keccak version which is what Ethereum uses (or at least, did at the time. Perhaps they've updated to use FIPS-202 now). There is a SHA-3 nuget package, but IIRC (I haven't looked at it for a LONG time) it was based on BouncyCastle and implemented the Keccak team variant.

My implementation is the FIPS-202 standard. My plan, once SHA-3 makes its way into .NET is to refactor my implementation, such that it will first check if its implemented by the OS/Platform and use that. If not, it will fall back to using the managed version that I've implemented.

[xaevik]

@MrMatthewLayton the implementation worked beautifully, and a new release is out for consumption. Thanks again for making this available on nuget.

[MrMatthewLayton]

@xaevik Amazing work! Thank you for letting me know. I think this is the first time one of my open-source projects has been used in the wild :)