So Microsoft Deleted Some of Our Packages From NuGet.org Without Notice

Published on July 11, 2025. 7 minutes to read.

“Software supply chain management” is one of those terms that sounds like Venture Capital-funded vendor marketing bullshit right up until it isn’t.

In 2016 the npm left-pad incident taught many of us in the software industry two lessons:

  1. Depending directly on central package management systems such as npm or nuget.org is fragile, which is why artifact proxying tools like JFrog Artifactory became so important; and
  2. Centralized package management systems probably need to make stronger security and availability guarantees, such as not allowing hard deletes of packages in the first place.

One of the distinguishing features of nuget.org is that it makes it very, very hard for authors to delete their packages - only in exceptional cases, such as malware inclusion, will it allow the permanent deletion of packages.

Imagine my surprise yesterday, when I discovered that two of our Akka.NET packages were deleted, by Microsoft, without any advance notice. I only discovered that this was an issue when one of my own Akka.NET applications failed to build on CI/CD due to missing package versions.

[Image: Akka.Coordination.Azure deleted from NuGet.org]

I’ll get into the reasons why they did this, but the bottom line is: this is a disturbing precedent that really should never be repeated.

In essence, Microsoft’s adjacent business units abused NuGet to deal with their own security vulnerabilities - getting a level of access that would never be granted to any other publisher on the platform.


Aaronontheweb

I write about .NET, open source software, the Microsoft ecosystem, my adventures with startups, and outer space.
