Update .NET SDK to 8.0.108 #4377
Conversation
Signed-off-by: Rui Chen <[email protected]>
|
@microsoft-github-policy-service agree |
|
global.json sets the minimum required version for this repository, and what will be installed when running build.ps1 / build.sh / on our CI, so lowering this would introduce unpatched security issues within our automated and bootstrapped builds. |
|
The latest security patched version would be |
even with |
right now that is the one with the dotnet formula, sounds like we need to patch it regardless, I think we can still lower than the sdk requirement, right? |
As we build each PR / Merge on 7+ CI systems and 9+ operating systems, I.e. GitHub Actions we use the setup-dotnet task - name: Install .NET Core SDK (global.json)
uses: actions/setup-dotnet@v3
with:
global-json-file: global.jsonwith Azure Pipelines we use the UseDotNet task - task: UseDotNet@2
displayName: Install .NET Global.json
inputs:
useGlobalJson: trueand for many other scenarios we use the official obtain SDK scripts with dotnet-install.sh --jsonfile ./global.jsondotnet-install.ps1 -JSonFile $GlobalJsonPath Lowering SDK might cause issues, but it might not.
If all our CI unit and integration tests work, lowering it is certainly an option, as the runtime is the same it should work. One question is though what happens in a week or so when we shift to |
yeah, currently the dotnet homebrew formula points to 8, which is using sdk 8.0.100 |
@chenrui333 does that mean you will stay on sdk |
|
I dont think we (homebrew) are aware of the dotnet sdk version security issue. |
Not trying to be awkward, just trying to bring clarity what you downstream need from us upstream. Patches for .NET is released on a regular basis For SDKs there are currently three supported feature bands
Many Linux distros has opted for .1xx feature band for the lifetime of a major .NET version. They make this choice because .1xx is (effectively) the "compatibility band". Higher bands can have breaking changes. All SDKs share the same runtime, so it's only developer tooling that differ. So i.e. Ubuntu will update regularly, but they build from the 8.0.1xx feature set, if you want 8.0.3xx or 8.0.4xx you'll need to fetch packages / containers from Microsoft's registries instead of the official ones. I'm not up to speed how the formula on Homebrew is setup, which distro / packages your using and which policy is being applied, but ideally it should at least keep up with security patches. If the policy is only LTS versions (which until November 2025 will be .NET 8), then I'm sure we can accommodate that somehow, even if we will switch to 9.0.100 when .NET 9 ships November 12th, but will still build for .NET 8, our policy is to support all versions currently supported by Microsoft which this November will be .NET 8 & 9. So to best assist you, what do you need? Is it the ability to build from source 8.0.1xx or something else? |
yeah, mostly just building from source. do you know why this global.json still points to 8.0.108? (I think that might be the issue on the homebrew side, as we just did the prep.sh, which installs the sdk from the global.json) |
Can't answer for other projects, but I would suspect there's a bit of a lag in their dogfooding, they're now pointing towards .NET 9 RC 1 and RC2 been out a few weeks, but they would need to build next version with current version so the lag makes sense. "tools": {
"dotnet": "9.0.100-rc.1.24452.12"
},If you use some think like renovate it'll pick latest releases from I.e. 8.x will now point towards I.e. as an example this PowerShell will get you the latest LTS version $currentLTS = Invoke-RestMethod `
-Uri 'https://dotnetcli.blob.core.windows.net/dotnet/release-metadata/releases-index.json' `
| % 'releases-index'
| Where-Object {
$_.'support-phase' -ne 'eol' `
-and `
$_.'release-type' -eq 'lts'
} `
| Sort-Object -Descending {
[Version]::Parse($_.'latest-release')
} `
| Select-Object -First 1
$currentLTS | Format-Table
$lastSDKS = Invoke-RestMethod `
-Uri $currentLTS.'releases.json' `
| % releases `
| Where-Object {
$currentLTS.'latest-release' -eq $_.'release-version'
} `
| % sdks
$lastSDKS | Format-TableOutput So currently supported SDK versions are
Visual Studio 2022 / MSBuild v17.8 was what .NET 8 went live with and what |
|
I think it makes sense for us (homebrew) to ship with the latest dotnet sdk, just filed a PR to see how folks feel about it. |
Ok👍 |
currently, the dotnet sdk coming with the dotnet formula (8.x) is 8.0.108, so updating the sdk version value to it. since there is already
"rollForward": "latestFeature", the build behavior wont change that much.relates to Homebrew/homebrew-core#195372
also, this is the same thing adopted with kiota project, microsoft/kiota#5606