Changes:
* Sign shared fx zips
* Sign metapackages
* Disable signing on inner repo builds and instead sign all packages at the end
* Add a list of files from other Microsoft teams which can be excluded from signing
* Add a list of 3rd party assemblies which are bundled in the shared frameworks.
This shares the DOTNET_HOME variable on CI builds between Universe and each sub-repo build. This prevents each repository build installing duplicate copies of .NET Core SDK and runtimes.
Our policy since 1.0.0 has been to always cascade version updates in the packages we own. e.g. if Logging has a product change in 2.1.x, then Kestrel, EF Core, Mvc, etc also re-ship with the updated Logging dependency. This has been done for a variety of reasons:
* NuGet does not show updates for transitive dependencies, only direct ones
* NuGet does resolves the lowest compatible transitive dependencies
* ASP.NET Core ships to both .NET Framework (where transitive dependency version matters) and .NET Core (where it matters less if you use the shared framework)
While transitive dependencies is still an important scenario, this practice of always patching has led to bigger issues.
* High probability users will unintentionally upgrade out of the shared framework: #3307
* Conflicts with metapackages that attempt to use exact version constraints: aspnet/Universe#1180
* A quality perception issue: the high volume of new versions in servicing updates with only metadata changes has created the impression that new versions of packages may not be very important. It's also made it appear like there are more issues product than there really are.
* High volume of packages changing with only metadata changes. Of the last 301 packages published in a servicing update, only 11 contained actual changes to the implementation assemblies. (3.5%)
This change implements a system to verify a new, non-cascading versioning policy for servicing updates. This required changes to repos to pin version variables to that matter per-repo,
and to remove some of the restrictions and checks.
Incidentally, this should make defining new patches easier because it automatically determines which packages are or are not patching in the release.
* Split compilation and tests into separate phases
* Ensure template tests are skipped, and reduce duplication between test/build repo targets
* Show summary at the end of which repos failed
As a part of making builds more reproducible, we want to start committing the exact sha of source dependencies used to build aspnetcore. This implements that using git submodules, and removes targets that were previously used to clone source on demand.
Nate McMaster
Nate McMaster
Ryan Brandenburg