Respond to Breaking Change in Releases.Json #2129
Merged
+26,562
−86
Resolves #2126 Resolves #2125
Workaround fix for #2123
We have a list of possible safe domains as part of our threat model which is needed to verify the source of truth when we run executables with elevated permission. In the past releases.json only hosted downloads on download.visualstudio.microsoft.com but now it can be builds.dotnet.microsoft.com. I've added some more URLs to our Azure Front Door and other CDNs in the event that we decide to change to those. The long term fix for this would be if signatures are ever published for releases.json to verify those instead, but that is not ready yet and this change needs to go in.
This is blocking a change: dotnet/core#9724 -- all of dotnet as the product is broken when we update releases.json, until this is fixed.
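The kind of host allowlist check the description refers to, as an added example that is not code from this pull request or the extension: it accepts an installer URL only when the parsed hostname exactly matches an allowlisted host. The two hostnames are the ones named above; `isTrustedInstallerUrl`, `rejectedInstallerUrls`, the HTTPS-only and default-port rules, and the sample URLs are assumptions constructed for illustration.

```typescript
// Added example: hypothetical helpers, not the extension's own API.
// Hosts are the two named in the PR description.
const TRUSTED_INSTALLER_HOSTS: ReadonlySet<string> = new Set([
    'download.visualstudio.microsoft.com',
    'builds.dotnet.microsoft.com',
]);

// Returns true only if the URL parses, uses HTTPS on the default port,
// carries no userinfo, and its hostname is an exact allowlist entry.
function isTrustedInstallerUrl(rawUrl: string): boolean {
    let parsed: URL;
    try {
        parsed = new URL(rawUrl);
    } catch (e) {
        return false; // relative or malformed input is never trusted
    }
    if (parsed.protocol !== 'https:') {
        return false; // assumption: plain HTTP sources are rejected
    }
    if (parsed.username !== '' || parsed.password !== '') {
        return false; // "trusted-host@other-host" style URLs
    }
    if (parsed.port !== '') {
        return false; // assumption: only the default HTTPS port is expected
    }
    // URL.hostname is already lower-cased; compare the whole name rather
    // than using startsWith/endsWith/includes on the raw string.
    return TRUSTED_INSTALLER_HOSTS.has(parsed.hostname);
}

// Constructed sample input: paths and the example.net host are placeholders.
const SAMPLE_INSTALLER_URLS: string[] = [
    'https://download.visualstudio.microsoft.com/example/installer.exe',
    'https://builds.dotnet.microsoft.com/example/installer.exe',
    'http://builds.dotnet.microsoft.com/example/installer.exe',
    'https://builds.dotnet.microsoft.com.example.net/installer.exe',
    'https://builds.dotnet.microsoft.com@example.net/installer.exe',
    'https://example.net/?from=download.visualstudio.microsoft.com',
];

// Lists the URLs that must not be handed to an elevated installer run.
function rejectedInstallerUrls(urls: string[]): string[] {
    return urls.filter((u) => !isTrustedInstallerUrl(u));
}

console.log(rejectedInstallerUrls(SAMPLE_INSTALLER_URLS));
```

A check like this only constrains where the file came from; it does not verify the file's contents, which is the gap the signature-based fix mentioned in the description would close.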