See: https://twitter.com/buhakmeh/status/1326929138079371265
The authors and owners don’t always line up.
For example, the @dotnetfdn is an owner on many packages but is not seen in the API data since they don’t appear in the “authors” element.
The authors field doesn't reflect the latest nuget.org owners, and is also susceptible to impersonation. We should consider the following:
authors
Some open questions:
How should the IDE "Installed" tab figure out a package's owners? Is it better to not show any information?
This information should come from the Search API and yes users should see it in any UI.
The bigger problem is whether ownership will be tracked absolutely or temporally? Should NuGet track ownership at the per published package level, or should it recognize ownership as a concept that transcends time and versions?
I would argue that ownership is absolute and likely needs to be reflected that way.
Is the search API enough?
Based on absolute ownership, I think the search API is enough, as package ownership needs to be validated against an authority (in this case NuGet).
This information should come from the Search API
FYI, you can't use the search protocol to look up a specific package's metadata (you can do this on nuget.org using its search syntax, but that's not part of the protocol, and it won't work on all NuGet servers). This may or may not be an issue depending on which experiences we need to display ownership information.
I would argue that ownership is absolute and likely needs to be reflected that way.
Could you explain your view a little bit more? Personally I'd prefer to see the latest information. Say Newtonsoft.Json was transferred to a new owner, I'd want to see that in Visual Studio.
From my perspective, when ownership is transferred to another individual or entity, that means the new owner owns the history of that package as well.
In your example, if Newtonsoft transferred Newtonsoft.Json to Microsoft, then I would expect that any and all versions of Newtonsoft.Json should reflect Microsoft as the owner.
Knowing that Newtonsoft owned the package historically would actively be confusing.
I think we agree, "I'd want to see that in Visual Studio" reads as though only the current owner matters, which I believe is correct.
owners in the .nuspec is completely confusing and is essentially unused by nuget.org. It's considered deprecated.
Historically the authors field is a distinct concept from owners. Consider the analogy of a book publisher vs. a book author. In package world, the owner is the publisher and the author is... the author. Sometimes this is the same thing (the person writing the package is the same as the person publishing it) but it gets murky in other cases. Consider jQuery:
https://www.nuget.org/packages/jQuery/ (published by "outercurve", author is the jQuery folks)
Perhaps the 99% case is authors being the pretty display name and owners is the guaranteed, unique identifier of the person or organization that pushed the package. If that is indeed the case, maybe we could add a display name idea to nuget.org and override the authors field in APIs with that. Design is needed.
In short, I think it's too early to say that the "authors" should be deprecated. It would be a take-back to not provide a way for users to show a pretty version of who authored the package.
For the ownership at time of publishing vs. current ownership (which is essentially ownership at the ID level vs. version level given immutability of versions), we sort of have both already. On the package details page, we show the current owners of the package ID. In the package .nupkg, we have a repository signature that contains the owners at the time of publishing (visible via nuget.exe verify).
@joelverhagen the issue I'm running into now is that authors are fuzzy and change over time, so there is no way to concretely track a package by "author" over time. It might still be a relevant data point, but since it's a free-form field it makes it equivalent to a description field.
owners would be tied to the auth system of NuGet itself. More importantly, an owner is an owner, detached from time. This field would always reflect the current state, regardless of changing ownership in the past.
* Update *
Also finding folks change their names, even though they tie back to the same account. For example, dotnet foundation also has an author name of .net foundation. They are the same entity and account.
owners in the .nuspec is completely confusing and is essentially unused by nuget.org. It's considered deprecated.
Ah I didn't know this! Client folks, should we update the .nuspec docs to reflect this? I opened this pull request: https://github.com/NuGet/docs.microsoft.com-nuget/pull/2215
I think it's too early to say that the "authors" should be deprecated. It would be a take-back to not provide a way for users to show a pretty version of who authored the package
I agree we should still have a "pretty name" for the package's author. Our options are:
Option 2 seems like a non-starter due to the impersonation problem. Option 1 is reasonable, but personally I prefer option 3 as I'd prefer to know which account on nuget.org owns the package. Option 3 also addresses @khalidabuhakmeh's point:
the issue I'm running into now is that authors are fuzzy and change over time ... This field would always reflect the current state, regardless of changing ownership in the past.
@loic-sharma do you have a corresponding issue for this on the server side?
@zkat There's no corresponding issue on server repos AFAIK. This item likely needs some PM love before we do anything though 😊
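An added example, not part of the thread and not NuGet code, of the authors/owners mismatch discussed above: it scans search results for packages whose free-form authors value names a known publisher while that publisher's account is not among the owners. The sample response, package IDs, account names and the KNOWN_PUBLISHERS mapping are constructed assumptions; only the "data", "id", "authors" and "owners" field names follow the NuGet V3 search response.

```python
import re

# Constructed sample shaped like a NuGet V3 search response; the package IDs
# and account names are made up for illustration.
SAMPLE_RESPONSE = {
    "data": [
        {"id": "Contoso.Logging", "authors": ["Contoso"], "owners": ["contoso"]},
        {"id": "Example.Core", "authors": ".NET Foundation", "owners": ["dotnetfdn"]},
        {"id": "Example.Core.Utils", "authors": ["dotnet foundation"], "owners": ["someuser42"]},
        {"id": "Example.Widgets", "authors": ["Widget Team"], "owners": ["outercurve"]},
    ]
}

# Assumed mapping kept by the consumer: publisher display name -> owner account.
KNOWN_PUBLISHERS = {"dotnet foundation": "dotnetfdn", "contoso": "contoso"}


def as_list(value):
    """Both fields may be a single string or an array of strings."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def normalize(name):
    """Fold free-form spellings ('.NET Foundation', 'dotnet foundation') to one key."""
    name = name.lower().replace(".net", "dotnet")
    return re.sub(r"[^a-z0-9]+", " ", name).strip()


def unbacked_author_claims(response, known=KNOWN_PUBLISHERS):
    """Return (package id, claimed author, owners) for every package whose
    authors field names a known publisher that is not one of its owners."""
    known_norm = {normalize(k): v.lower() for k, v in known.items()}
    findings = []
    for pkg in response.get("data", []):
        owners = {o.lower() for o in as_list(pkg.get("owners"))}
        for author in as_list(pkg.get("authors")):
            account = known_norm.get(normalize(author))
            if account is not None and account not in owners:
                findings.append((pkg["id"], author, sorted(owners)))
    return findings


if __name__ == "__main__":
    for finding in unbacked_author_claims(SAMPLE_RESPONSE):
        print(finding)
```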