I notice a package manager to replace the current nuget workflow is in the roadmap for 2022.6.
Which is great! I'm sure it will make vvvv even more accessible for users to pull in all sorts of solutions to problems.
I love how you can install a nuget and moments later have helppatches that you can run live, but I also see some risk there.
My proposal is to use the development of this package manager to think about how to minimise the security risks of installing and running code from the internet.
I think vvvv will have an increasing role in the future as an accessible entry point for new coders and I would hate to see that abused by bad actors.
- Best case would be a sandbox … but that sounds like a very big project, and it is unclear to me at least if .NET really supports this in our context.
- Achieve parity with any protections already implemented by Microsoft for Visual Studio, if possible:
  - Improving developer security with Visual Studio 2022 - Visual Studio Blog
  - Visual Studio Code Workspace Trust security
- Could automatically use the existing NuGet vulnerability scanning tools and block downloads where vulnerabilities are found:
  - How to Scan NuGet Packages for Security Vulnerabilities - The NuGet Blog
- Start untrusted patches in pause mode, with the idea that the user reviews first (although how do they review C# code? What if they don't know C#?).
- Also ensure the help browser itself is not creating any vulnerabilities when scanning packages.
- Whitelist of community-trusted packages, i.e. dev-approved packages from trusted vvvv community members. (Could also whitelist for dataflow context usability.) The UI gives warnings if you search or download outside this list.
- A warning to remind you that even help patches are executing someone else's code.
- Greater highlighting of security due diligence in vvvv culture. We could have a page in the documentation on what you should consider before downloading a nuget, and ensure it's part of the appropriate getting-started tutorials:
  - Trust and NuGet | You've Been Haacked (the comments on that article are also very interesting)
- Generally increase cultural alignment of vvvv developer security practices with the latest .NET developer security practices. If there's an important security announcement for .NET, then we could also copy that into our newsletters. At the least, make people aware that Microsoft and the vvvv devs cannot reduce the risks to zero; every developer must also think about security when they get code from the internet.
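The vulnerability-gate idea above (refuse a download when the requested package version falls inside a known-vulnerable range), as an added example that is not part of this post or of vvvv's code. The data layout is modelled on NuGet's vulnerability-info files (package id mapped to advisories with a NuGet version range), but the package name, advisories and URLs are constructed sample data.

```python
"""Gate a NuGet package install against known-vulnerable version ranges."""
import re

# Constructed sample shaped like NuGet's vulnerability-info data; not real advisories.
SAMPLE_VULNS = {
    "example.parser": [
        {"severity": 2, "advisory_url": "https://example.invalid/advisory/1",
         "versions": "[1.0.0, 1.4.2)"},   # 1.0.0 <= v < 1.4.2
        {"severity": 3, "advisory_url": "https://example.invalid/advisory/2",
         "versions": "[2.0.0, 2.0.5]"},   # 2.0.0 <= v <= 2.0.5
    ],
}
SEVERITY = {0: "Low", 1: "Moderate", 2: "High", 3: "Critical"}

def parse_version(v):
    """Numeric dotted part only, padded to 4 components; prerelease tag ignored."""
    nums = [int(n) for n in v.strip().split("-", 1)[0].split(".")]
    return tuple(nums + [0] * (4 - len(nums)))

def in_range(version, rng):
    """NuGet interval syntax: [a, b], (a, b), [a, ), (, b), [a] exact, or bare 'a' = a or newer."""
    rng = rng.strip()
    exact = re.fullmatch(r"\[\s*([^\]\s]+)\s*\]", rng)
    if exact:
        return parse_version(version) == parse_version(exact.group(1))
    m = re.fullmatch(r"([\[(])\s*([^,\s]*)\s*,\s*([^\]\)\s]*)\s*([\])])", rng)
    if not m:
        return parse_version(version) >= parse_version(rng)
    lo_br, lo, hi, hi_br = m.groups()
    v = parse_version(version)
    if lo:
        lo_v = parse_version(lo)
        if v < lo_v or (v == lo_v and lo_br == "("):
            return False
    if hi:
        hi_v = parse_version(hi)
        if v > hi_v or (v == hi_v and hi_br == ")"):
            return False
    return True

def check_package(pkg_id, version, vulns=SAMPLE_VULNS):
    """Return (allowed, findings). Package ids compare case-insensitively, as in NuGet."""
    hits = [a for a in vulns.get(pkg_id.lower(), []) if in_range(version, a["versions"])]
    findings = [f"{SEVERITY.get(a['severity'], '?')}: {a['advisory_url']}" for a in hits]
    return (not hits, findings)

if __name__ == "__main__":
    for ver in ("1.2.0", "1.4.2", "2.0.5", "3.0.0"):
        ok, why = check_package("Example.Parser", ver)
        print(ver, "ALLOW" if ok else "BLOCK", why)
```

In a real package manager the dictionary would be refreshed from the live vulnerability feed rather than embedded, and a blocked result should show the advisory URL to the user instead of silently failing.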