I @glennawatson board member of the .NET foundation was involved in a board meeting on the 18th September 2024 at 00:00 UTC where we discussed and agreed to have packages owned by the DNF owner only require valid signing certificate with a valid root trusted authority.

I @Perksey can confirm through correspondence with .NET Foundation board members and personnel that the purpose and contents of this proposal to relinquish exclusive control over package signing authorities (pursuant to the policies within this proposal) to project maintainers is understood, discussed, and agreed through usual .NET Foundation communication processes with affected .NET Foundation projects, including my own project Silk.NET. I acknowledge that this shall grant me as a package owner, along with other package owners including the dotnetfoundation where applicable, the permission to add certificates signed by a trusted root certification authority as defined in this proposal and that this shall be an ongoing requirement, including in the event the .NET Foundation is no longer associated with the project. This attestation is as a result of an independent evaluation of the proposal as a .NET Foundation project maintainer as requested by @glennawatson.

I @1kevgriff President of the .NET foundation was involved in a board meeting on the 18th September 2024 at 00:00 UTC where we discussed and agreed to have packages owned by the DNF owner only require valid signing certificate with a valid root trusted authority.

I @mitchelsellers Vice-President of the .NET foundation was involved in a board meeting on the 18th September 2024 at 00:00 UTC where we discussed and agreed to have packages owned by the DNF owner only require valid signing certificate with a valid root trusted authority.

To Whom It May Concern,

I @ChrisPulman am writing to formally attest that through my role as a maintainer of the .NET Foundation project, ReactiveUI. And as a dedicated member of the ReactiveUI team, I have been actively involved in the development, maintenance, and enhancement of this advanced, composable, and functional reactive model-view-viewmodel (MVVM) framework for all .NET platforms.

Throughout my tenure, I have contributed to various aspects of the project, including but not limited to:

Implementing new features and improvements to enhance the framework’s functionality and performance.
Collaborating with other maintainers and contributors to review and merge pull requests, ensuring high-quality code standards.
Providing support and guidance to the community through forums, GitHub issues, and other communication channels.
Writing and updating documentation to help users understand and effectively utilize ReactiveUI.
My commitment to the ReactiveUI project is driven by a passion for functional reactive programming and a desire to empower developers to build robust, testable, and maintainable applications. I am proud to be part of a project that significantly contributes to the .NET ecosystem and helps developers create better software.

In order to continue these works we require the ability for Nuget to use certificates only requiring a root trusted authority author signature for the packages, thereby relaxing the dotnetfoundation user author signing requirements.

Sincerely,

@ChrisPulman

Thank you all so much. Let me get this in the team's review queue now.

Would anyone like to attend? Otherwise, we can just go do the work.

We met earlier today and there’s no major concerns here. I do however want to inform you on some limitations.

We can relax the signing requirements, but we do not have the granular control such as keeping the signing requirement AND allow owners to provide whatever author signing certificate they want.

We would have to disable the signing requirement and the DNF will have to enforce the requirement to get the desired experience.

Is that okay?

Filed this issue to best write down the discussed requirements for the desired long-term solution:

NuGet/NuGetGallery#10202

This PR has been automatically marked as stale because it has no activity for 30 days. It will be closed if no further activity occurs within another 330 days of this comment. If it is closed, you may reopen it anytime when you're ready again, as long as you don't delete the branch.

~yes~ activity ~yes~