recommend usage of trusted package sources (#3318)
kartheekp-ms authored Aug 5, 2024
1 parent 107b92e commit 44fca65
Showing 4 changed files with 16 additions and 7 deletions.
2 changes: 1 addition & 1 deletion docs/concepts/Security-Best-Practices.md
@@ -117,7 +117,7 @@ For more information about Dependabot alerts & security updates, [see the follow

**📦 Package Consumer**

When using multiple public & private NuGet source feeds, a package can be downloaded from any of the feeds. To ensure your build is predictable and secure from known attacks such as [Dependency Confusion](https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610), knowing what specific feed(s) your packages are coming from is a best practice. You can use a single feed or private feed with upstreaming capabilities for protection.
Use package sources that you trust. When using multiple public & private NuGet source feeds, a package can be downloaded from any of the feeds. To ensure your build is predictable and secure from known attacks such as [Dependency Confusion](https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610), knowing what specific feed(s) your packages are coming from is a best practice. You can use a single feed or private feed with upstreaming capabilities for protection.

For more information to secure your package feeds, see [3 Ways to Mitigate Risk When Using Private Package Feeds](https://azure.microsoft.com/resources/3-ways-to-mitigate-risk-using-private-package-feeds/en-us/).

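Review bot: the sentence prepended to the paragraph, "Use package sources that you trust.", is a bare imperative that the rest of the paragraph already covers in concrete terms (know which feed each package comes from; use a single feed or a private feed with upstreaming). Either drop it or make it actionable, for example "Only configure package sources you trust, and know which feed each package resolves from.", so the Package Consumer section does not open with advice the reader cannot act on.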
@@ -10,6 +10,10 @@ ms.topic: conceptual
# Consuming packages from authenticated feeds

Many NuGet operations, such as restore and install, require communication with one or more package sources, which [can be configured in *nuget.config* files](../reference/nuget-config-file.md#packagesources).

> [!NOTE]
> Use package sources that you trust.
For HTTP feeds, NuGet will make an unauthenticated request, and if the server responds with an HTTP 401 response, NuGet will search for credentials in the following order:

1. [An environment variable `NuGetPackageSourceCredentials_{name}`](#credentials-in-environment-variables).
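Review bot: the new `> [!NOTE]` block is followed directly by "For HTTP feeds, NuGet will make an unauthenticated request..." with no blank line, so in Markdown that paragraph is a lazy continuation of the blockquote and renders inside the note. Add a blank line after "> Use package sources that you trust.". The note would also carry more weight here if it said why it sits in this section: the credential lookup described below only authenticates you to a feed, it does not vouch for what the feed serves, so trust in the source has to be decided before credentials are configured for it.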
@@ -37,11 +41,11 @@ This approach provides an extra layer of security by storing the credentials in
For more information, refer to the section on [credentials in *nuget.config* files](#credentials-in-nugetconfig-files).

> [!NOTE]
> Be aware that encrypted passwords are only supported on Windows.
> Be aware that encrypted passwords are only supported on Windows.
> Moreover, they can only be decrypted on the same machine and by the same user who originally encrypted them.

1. **Using Environment Variable Macros in nuget.config**: If using encrypted credentials is not possible, consider storing the credentials in the *nuget.config* file with environment variable macros.
This approach allows you to reference environment variables that contain the actual credentials.
This approach allows you to reference environment variables that contain the actual credentials.
It enhances transparency and helps end users understand how their credentials are configured.
For more information, refer to the section on [credentials in *nuget.config* files](#credentials-in-nugetconfig-files).

5 changes: 4 additions & 1 deletion docs/reference/cli-reference/cli-ref-sources.md
@@ -13,6 +13,9 @@ ms.topic: reference

Manages the list of sources located in the user scope configuration file or a specified configuration file. The user scope configuration file is located at `%appdata%\NuGet\NuGet.Config` (Windows) and `~/.nuget/NuGet/NuGet.Config` (Mac/Linux).

> [!NOTE]
> Use package sources that you trust.
Note that the source URL for nuget.org is `https://api.nuget.org/v3/index.json`.

## Usage
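Review bot: same layout problem as the other inserted callouts: "> Use package sources that you trust." is immediately followed by "Note that the source URL for nuget.org is ..." with no blank line, so that sentence is pulled into the blockquote. Add a blank line, and consider folding the two into one note, since the nuget.org URL is exactly the reference the reader should compare against before adding a source with this command; as written, a `[!NOTE]` callout is followed by a sentence that also begins with "Note that".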
@@ -54,7 +57,7 @@ where `<operation>` is one of *List, Add, Remove, Enable, Disable,* or *Update*,
Specifies the password for authenticating with the source.

> [!NOTE]
> Be aware that encrypted passwords are only supported on Windows.
> Be aware that encrypted passwords are only supported on Windows.
> Moreover, they can only be decrypted on the same machine and by the same user who originally encrypted them.
- **`-src|-Source`**
8 changes: 5 additions & 3 deletions docs/reference/nuget-config-file.md
@@ -117,7 +117,7 @@ Lists all known package sources. The order is ignored during restore operations
| :-- | :-- |
| **Key** | (name to assign to the package source) |
| **Value** | The path or URL of the package source. |
| **protocolVersion** | The NuGet server protocol version to be used. The current version is "3". Defaults to version "2" when not pointing to a package source URL ending in `.json` (e.g. https://api.nuget.org/v3/index.json). Supported in [NuGet 3.0+](/nuget/release-notes/nuget-3.0.0). See [NuGet Server API](/nuget/api/overview) for more information about the version 3 protocol. |
| **protocolVersion** | The NuGet server protocol version to be used. The current version is "3". Defaults to version "2" when not pointing to a package source URL ending in `.json` (e.g. <https://api.nuget.org/v3/index.json>). Supported in [NuGet 3.0+](/nuget/release-notes/nuget-3.0.0). See [NuGet Server API](/nuget/api/overview) for more information about the version 3 protocol. |
| **allowInsecureConnections** | When false, or not specified, NuGet will emit a warning when the source uses http, rather than https. If you are confident that communication with this source will never be at risk of interception attacks, you can set the value to true to suppress the warning. Supported in NuGet 6.8+. |
| **disableTLSCertificateValidation** | This configuration property allows you to disable SSL/TLS certificate validation for your HTTPS server. When set to true, the server will ignore any errors related to SSL/TLS certificates, such as expired or self-signed certificates, and establish the connection without validation. Supported in NuGet 6.11+. |

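Review bot: the only change in this hunk is wrapping the nuget.org URL in angle brackets, which is fine, but the `disableTLSCertificateValidation` row two lines below still says "the server will ignore any errors related to SSL/TLS certificates". It is the NuGet client, not the server, that skips validation when this is true. Since this commit is about trusting package sources, that row should also say that disabling validation removes the check that the source you reach is the one the URL names, so it belongs in test setups only and not on a feed a build restores from.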
@@ -134,6 +134,9 @@ Lists all known package sources. The order is ignored during restore operations
</packageSources>
```

> [!NOTE]
> Use package sources that you trust.
> [!NOTE]
> When using the CLI, you can express a [`RestoreSources`](../reference/msbuild-targets.md#restore-properties) MSBuild property or [`--source`(.NET CLI)](/dotnet/core/tools/dotnet-restore#options) | [`-Source`(NuGet CLI)](/nuget/reference/cli-reference/cli-ref-restore#options) to override the `<packageSources>` defined in the NuGet.config.
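Review bot: the new `> [!NOTE]` is placed directly above the existing `> [!NOTE]` with no blank line between them, so Markdown merges the two into a single blockquote and the second `[!NOTE]` marker renders as literal text inside the first note. Insert a blank line after "> Use package sources that you trust.", or merge the guidance into the existing note, which already describes how `RestoreSources` and `--source` override `<packageSources>`: that override is a path by which an untrusted source can be introduced at restore time without touching nuget.config, and is worth calling out next to the trust advice.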
@@ -303,7 +306,7 @@ Identifies to the currently active source or indicates the aggregate of all sour

## trustedSigners section

Stores trusted signers used to allow package while installing or restoring. This list cannot be empty when the user sets `signatureValidationMode` to `require`.
Stores trusted signers used to allow package while installing or restoring. This list cannot be empty when the user sets `signatureValidationMode` to `require`.

This section can be updated with the [`nuget trusted-signers` command](../reference/cli-reference/cli-ref-trusted-signers.md).

@@ -439,7 +442,6 @@ The table below show environnment variable syntax and path separator support for
| `$MY_VAR` | `/` | No | No | No | No |
| `$MY_VAR` | `\` | No | No | No | No |


## Example config file

Below is an example `nuget.config` file that illustrates a number of settings including optional ones:

0 comments on commit 44fca65
