MyGet symbol server helps mitigate CVE-2018-1037

On April 10, 2018, Microsoft released a security update, CVE-2018-1037, describing how Visual Studio can improperly disclose limited contents of uninitialized memory while compiling program database (PDB) files.

The memory leaked is limited to typically low-risk variables used in the application build environment, and only information that the Visual Studio executable uses when compiling projects. If your PDB/symbol files are shared publicly, this information could be extracted.

Visual Studio versions have been patched, so we recommend installing the latest security updates for your Visual Studio version.

While the security issue is unlikely to be exploited, KB4131751 was released to verify existing PDB files. Symbols served from MyGet symbols feeds are automatically checked for this vulnerability, and updated when necessary.

This security fix is gradually rolling out across all of our deployments.

Happy packaging!

Author: Maarten Balliauw on 18 Apr 2018

Deprecating Facebook, OpenID and StackExchange login to MyGet

TL;DR: MyGet will retire Facebook, OpenID and StackExchange login to MyGet on March 9, 2018.

Historically, MyGet has been using the Microsoft Azure Access Control Service (ACS). It allowed our users to easily create a MyGet account from an existing third-party login system, like Microsoft Account, Google Account, GitHub authentication, …

With Microsoft sunsetting the ACS service and having to migrate to a different service, we are re-evaluating which third-party login types we want to provide in the future. Right now, only a handful of our users are actively making use of the Facebook, OpenID and StackExchange authentication providers, which prompted us to retire these three providers. MyGet will retire Facebook, OpenID and StackExchange login to MyGet on March 9, 2018.

Affected users have been notified about this via e-mail.

If you are making use of Facebook, OpenID or StackExchange to log in to MyGet, it’s always possible to use another third-party identity provider, like Google Account or GitHub. You can link these via your MyGet user profile.

Of course, you can always keep using your MyGet username/password combination to log in to MyGet.

Happy packaging!

Author: Maarten Balliauw on 22 Feb 2018

MyGet 2017.2 Release Notes

We are happy to announce MyGet 2017.2 was released on December 13, 2017! Full release notes are available from our docs.

Highlights

Alongside many fixes, this 2017.2 release of MyGet again adds new functionality to the service.

Major highlights of this release are:

  • We added PHP Composer support, and welcome PHP developers to the MyGet family! (Announcement | Docs)

    In fact, this also resulted in a bug fix on Composer itself (which is now merged, yay!) - composer/composer#6717 will be part of Composer 1.5. Happy to contribute back!

  • In light of the upcoming EU General Data Protection Regulation (EU GDPR), which will be enforced in May 2018, MyGet is taking proactive action to verify we are compliant, and to take corrective measures if we spot anything that is not compliant, or questionable (a typical grey area in legislation). Being an EU-based company, we take privacy and security very seriously! As such, we focused in this release on ensuring that:

    • user sign-ups by default opt-out of marketing communications or newsletters; unless the user explicitly takes positive action by ticking the checkbox to opt-in (which of course we do recommend, as we try to keep you informed about evolutions and guidance in the package management space)
    • first-time visitors see a proper cookie consent banner, requiring so-called double consent from the user (in other words: we ask you to explicitly accept/deny non-essential cookies instead of the automatic consent with cookies you see elsewhere on the Internet)
    • we verified our usage of essential and non-essential cookies and ensure we comply with GDPR in the way we handle these
    • we don’t retain any personally identifiable information (PII) data longer than necessary and only use it for the purposes intended (full details in our Terms of Service and Privacy Policy)

    As data protection is critical, MyGet can help organizations in protecting them against potential vulnerabilities imposed by third-party or open source dependencies using the built-in vulnerability report on each feed. More GDPR-specific changes are coming to MyGet as we continuously deploy our services, and will be aggregated in the 2018.1 release notes.

  • Another big theme we focused on lately is auditing. Similar to our activity streams, we made security-related events accessible in an easy-to-use audit log for MyGet Enterprise administrators. (Announcement) In addition, we allow an export of these audit logs into a downloadable .csv file containing up to 25,000 entries.

Features

Full release notes with a list of all features and fixes are available from our docs.

We love hearing from you, so keep that feedback coming! MyGet is built for you!

Happy packaging!

Author: Xavier Decoster on 13 Dec 2017

Inspecting audit logs in MyGet Enterprise

A couple of weeks back, we released an audit log viewer on MyGet Enterprise. Administrators of a MyGet Enterprise plan can inspect every action that happens on their MyGet instance and see who did what, when, and where.

From the MyGet Enterprise administration dashboard, all actions performed on the Enterprise installation can be consulted:

The list of audit entries is searchable and can be exported to a CSV file so additional querying can be done in, for example, Excel. Details for each audit entry can be consulted and display the action that was performed, who performed it, and where it was executed. We can also see the location the user performed the action from, including the IP address (last octet always 0 for privacy reasons).
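The two privacy details above (client IP stored with the last octet zeroed, CSV export capped at 25,000 entries as stated in the 2017.2 release notes) as a worked example. This is added illustration code, not MyGet's implementation; the IPv6 handling (keeping only the /48 prefix) and the sample events are assumptions of this example.

```python
"""Privacy-preserving audit entries: mask the client IP before it is stored.

Added example, not MyGet's own code. It applies the post's rule (last octet
of an IPv4 address is always 0) and generalises it to IPv6 by keeping only
the /48 prefix, which is this example's assumption, not something the post
states. Entries are then exported to CSV under the 25,000-row cap.
"""
import csv
import io
import ipaddress
from datetime import datetime, timezone

EXPORT_LIMIT = 25_000  # export cap stated in the 2017.2 release notes


def anonymize_ip(ip: str) -> str:
    """Return the IP with its host part zeroed: /24 for IPv4, /48 for IPv6."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def make_entry(when, user, action, target, client_ip):
    """Build one audit record; the raw client IP never reaches the record."""
    return {"timestamp": when.isoformat(), "user": user, "action": action,
            "target": target, "client_ip": anonymize_ip(client_ip)}


def export_csv(entries) -> str:
    """Serialise at most EXPORT_LIMIT entries to CSV text."""
    buf = io.StringIO()
    fields = ["timestamp", "user", "action", "target", "client_ip"]
    writer = csv.DictWriter(buf, fieldnames=fields)
    writer.writeheader()
    for entry in entries[:EXPORT_LIMIT]:
        writer.writerow(entry)
    return buf.getvalue()


# Constructed sample events (not real audit data)
SAMPLE = [
    make_entry(datetime(2017, 11, 16, 9, 30, tzinfo=timezone.utc),
               "alice", "feed.permission.grant", "private-feed", "203.0.113.77"),
    make_entry(datetime(2017, 11, 16, 9, 31, tzinfo=timezone.utc),
               "bob", "apikey.create", "bob", "2001:db8:abcd:1234::5"),
]

if __name__ == "__main__":
    print(export_csv(SAMPLE))
```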

With audit logs available on MyGet Enterprise, we are confident MyGet can help larger teams and enterprises with auditing and dependency lifecycle management.

Happy packaging!

Author: Maarten Balliauw on 16 Nov 2017

PHP Composer packages just arrived on MyGet

MyGet supports hosting private PHP Composer packages

Good news everyone! We just shipped PHP Composer support on MyGet! If you are building PHP applications and libraries, you can now package them and add these to your MyGet feeds.

PHP Composer support is available for all MyGet accounts - check the PHP Composer features described in our documentation.

Which features are available?

We currently support almost all features we have available for other package managers. Of course you can upload your own packages (via the web UI as well as via a curl POST) or packages from upstream repositories like Packagist.

Packages can be consumed in any PHP Composer-based project. It’s possible to proxy upstream repositories into your MyGet feed. You can manage permissions and users, inspect package licenses and vulnerabilities, …

Build services are supported as well: as long as there is a composer.json in your repository, we’ll run tests against it, package it up and make it available as a PHP Composer package on your MyGet feed.

Sounds great! How do I get started?

Quite easy: head over to www.myget.org and sign in (or register). You can then create a feed and start adding packages. Our getting started documentation has some more details on how to upload your first PHP Composer package to MyGet.

We’re really excited about introducing PHP Composer support on MyGet! You can now use MyGet to securely host and collaborate on NuGet, symbols and sources, Chocolatey, PowerShell, NPM, Bower, Maven, PHP Composer and VSIX packages.

Happy composing!

Author: Maarten Balliauw on 11 Sep 2017

Using a private MyGet feed with JetBrains Rider

JetBrains just released a new .NET IDE: Rider. At MyGet, we’ve been using Rider for our internal development since it was announced. So far, we have really enjoyed this IDE built around ReSharper! And since it comes with a lightning-fast NuGet client, let’s see how we can consume packages from a MyGet feed.

Adding a MyGet feed package source

The first step in connecting Rider to a MyGet feed is adding it as a package source. We can do this using NuGet.exe (via good old NuGet.config), or from within Rider. From the NuGet tool window, open the Sources tab. This will show us all of the NuGet configuration files that are in play, and a list of all feeds configured.


From here, we can add our MyGet feed (or edit an existing entry). We will have to give our feed a name so we can easily recognize it in Rider, and the URL to our feed. This URL can be found on the MyGet feed details page after logging in to www.myget.org.


The NuGet client in Rider supports working with public and private MyGet feeds. While Rider supports using pre-authenticated feeds as well as feeds that require entering credentials, we recommend using the latter. Rider safely stores our MyGet username/password in its password store, which is based on KeePass.
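A defender's check for the recommendation above (prompted credentials in Rider's password store rather than credentials on disk): scan a NuGet.config for package sources that embed secrets. This is an added example, not MyGet's or JetBrains' code; the sample config and feed names are constructed, and the "/auth/<key>/" path shape used to spot pre-authenticated URLs is an assumption of this example.

```python
"""Check a NuGet.config for credential material that should not be on disk.

Added example, not MyGet's or JetBrains' code. It flags (a) plaintext
passwords in <packageSourceCredentials>, (b) credentials embedded in a
source URL as userinfo, and (c) pre-authenticated URLs, assumed here to
carry the key in an '/auth/<key>/' path segment (assumption, not from the post).
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample: one feed with a plaintext password, one pre-authenticated
# URL, one URL with userinfo; none of these are real feeds or keys.
SAMPLE_CONFIG = """
<configuration>
  <packageSources>
    <add key="MyGet-private" value="https://www.myget.org/F/example-feed/api/v3/index.json" />
    <add key="MyGet-preauth" value="https://www.myget.org/F/example-feed/auth/PLACEHOLDER-KEY/api/v3/index.json" />
    <add key="MyGet-userinfo" value="https://user:secret@www.myget.org/F/example-feed/api/v3/index.json" />
  </packageSources>
  <packageSourceCredentials>
    <MyGet-private>
      <add key="Username" value="user" />
      <add key="ClearTextPassword" value="hunter2" />
    </MyGet-private>
  </packageSourceCredentials>
</configuration>
"""


def find_credential_exposures(config_xml: str) -> list:
    """Return (source name, finding) pairs for every risky entry found."""
    root = ET.fromstring(config_xml)
    findings = []
    for add in root.iterfind("./packageSources/add"):
        name, url = add.get("key", ""), add.get("value", "")
        parsed = urlparse(url)
        if parsed.username or parsed.password:
            findings.append((name, "credentials embedded in URL userinfo"))
        if "/auth/" in parsed.path:  # assumed pre-authenticated URL shape
            findings.append((name, "pre-authenticated URL (key in path)"))
    creds = root.find("./packageSourceCredentials")
    if creds is not None:
        for source in creds:  # one child element per package source name
            for add in source.iterfind("add"):
                if add.get("key") == "ClearTextPassword":
                    findings.append((source.tag, "ClearTextPassword stored in NuGet.config"))
    return findings


if __name__ == "__main__":
    for name, issue in find_credential_exposures(SAMPLE_CONFIG):
        print(f"{name}: {issue}")
```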

Using MyGet together with JetBrains Rider makes it possible to develop .NET applications and let your development team consume both public and private packages hosted securely on MyGet.

Happy packaging!

Author: Maarten Balliauw on 04 Aug 2017

New and improved gallery details page

The MyGet Gallery contains a collection of interesting feeds where open-source projects and software vendors share their NuGet, npm, Bower and VSIX packages with the world. Most often the packages in the gallery are nightly builds or preview versions, so we can keep our projects on the cutting edge of technology using the latest dependencies.

We just deployed some improvements to the gallery details page:

  • We now display the feed’s README, where we render Markdown and the feed owner can provide additional information like links to GitHub, documentation and so on.
  • Underneath, the list of packages on the feed is shown, including a description. We also added a search box so we can do a quick search across the packages listed on the feed.
  • The top bar has a Connect to Feed button, which will provide connection details to, for example, connect to the feed from Visual Studio or npm.

Using nightly builds for MongoDB

Have a look at the feeds in the MyGet Gallery, and let us know what you think using the comments below or via Twitter.

Happy packaging!

Author: Xavier Decoster on 01 Aug 2017

MyGet 2017.1 Release Notes

As MyGet is a software-as-a-service leveraging a subscription model, we're transitioning our versioning scheme towards a format that is more understandable: YYYY.R. As such, these release notes comprise our first milestone of 2017, hence the version number 2017.1.

The MyGet 2017.1 milestone was tagged on June 1st, 2017.

Highlights

MyGet again adds some new functionality to the service. The following are the major highlights of this milestone.

We've built a MyGet Credential Provider for Visual Studio 2017! This extension allows you to authenticate against your MyGet feeds using OAuth. Install it from the Visual Studio Gallery!


We added Maven support, and welcome Java/Android developers to the MyGet family! (Announcement | Docs)


We've built a web utility to help you learn and adopt Semantic Versioning: check out our MyGet SemVer Explorer!


We've partnered with OSSIndex.net to check for potential package vulnerabilities on your MyGet feeds! (Announcement | Docs)


Features

MyGet (all plans)

The following applies to all MyGet plans:

  • NPM: added support for token authentication
  • NPM: added support for upstream token authentication, which now also supports Telerik's NPM registry as an upstream package source
  • NPM: added support for the fast search endpoint
  • NPM: added support for package deprecation
  • NPM: added support for package tagging
  • NPM: added support for dist-tag
  • NuGet: added support for NuGet's SemVer2 protocol, and added support for modifying build metadata on push upstream dialog
  • Maven: introduced support for Maven artifacts
  • Maven: introduced support for Android AAR artifacts
  • Symbols: added a toggle to support pushing symbols upstream as well
  • Symbols: when the upstream target feed is a MyGet feed, we automatically also push the symbols upstream
  • Usability: no longer show symbols packages separately on the Gallery's feed details view
  • Usability: minor modifications to the Gallery feed details UI to improve the user experience
  • Usability: added a download all button to the packages dropdown in build results view
  • Usability: hide pre-authenticated feed endpoints from Feed Details view when the feed is not a private feed
  • Usability: added a copy-to-clipboard button to the connection details popup on Gallery feeds
  • Security: we've built a MyGet Credential Provider for Visual Studio 2017! This extension allows you to authenticate against your MyGet feeds using OAuth.
  • Security: we've consolidated the login page: one page to rule them all!
  • Security: we no longer display access tokens (you can still copy them though)
  • Security: improved auditing
  • Security: added support for feed and privilege scopes to access tokens / api keys (in addition to expiration support which we already had)
  • Integrations: SymbolSource.org integration has been retired in favor of MyGet's own Symbols functionality
  • Integrations: added OSSIndex.net integration to detect package vulnerabilities and report them on your feed details view

MyGet Enterprise

The enterprise plan has all functionality from the paid subscription plans, and more! The following applies only to the MyGet Enterprise plan:

  • Usability: the Gallery index is now the default landing page when authenticated on MyGet Enterprise
  • Security: added support for marking users as external to the tenant. This prevents the external user from accessing Enterprise feeds, unless privileges are explicitly assigned at the feed level. (see Feed Types)

MyGet Build Services

  • Added support for Visual Studio 2017, .NET Core and the new PackageReference project format (Announcement)
  • AssemblyInfo patching now supports globbing patterns (like **\**.cs)

Bug Fixes & Other Improvements

  • MyGet has been upgraded to run on .NET Framework 4.6.2, which seems to have had a positive effect on performance
  • Overwriting source symbols is now blocked when forbid overwrite is enabled on the feed
  • Fixed a bug in semantic version range parsing of npm dependencies (tilde and caret ranges)
  • Show quota per feed on user profile page (helps answer the question: 'which of my feeds consumes most?')
  • Fixed an issue caused by breaking changes in VSTS API (repository remoteUrl returned by VSTS API no longer contained VSTS collection name)
  • Fixed an issue in the Gallery index view related to feed icons
  • Fixed an issue that caused an HTTP 500 when a nuspec contained some invalid data
  • Fixed an issue that caused NPM push upstream to fail when no package description was given
  • Fixed an issue with the symbols code browser when a file was not found or could not be displayed
  • NuGet: allow packages.config files to be uploaded without version number specified

Please tell us how we're doing by taking 10 seconds of your time to answer a single question (and optionally provide any feedback you want). We love hearing from you, so keep that feedback coming! MyGet is built for you!

Happy packaging!

Host your packages on MyGet!

Author: Xavier Decoster on 17 Jul 2017