Fwd: [NuGet Gallery Support Notification]:Upcoming ASP.NET MVC, ASP.NET Web API, and ASP.NET Web Pages Release

[Chris Missal]

FYI

---------- Forwarded message ----------
From: NuGet Gallery Support <nugetg...@outercurve.org>
Date: Tue, Oct 8, 2013 at 1:42 PM
Subject: [NuGet Gallery Support Notification]:Upcoming ASP.NET MVC, ASP.NET Web API, and ASP.NET Web Pages Release
To: Kanchan Mehrotra <kanc...@microsoft.com>

	Hello,

We have identified you as the owner of a package that depends on packages from the ASP.NET team, and your package may be affected by an upcoming change they have.  The ASP.NET team asked us to forward the message below to affected package owners.

If you have any questions about this change, please reply back to Kanchan.

Thank you,
The NuGet Gallery Team.

-----------------------------------------------------------------------------------------------------------------------

Greetings,
 
As you may know we have published the Release Candidates for ASP.NET MVC 5, ASP.NET Web API 2, and ASP.NET Web Pages 3, and the RTM release is nearly complete. This is an important release with many great new features that you can see here: http://www.asp.net/visual-studio/overview/2013/release-notes-(release-candidate). We are contacting you because you are a package author that has a dependency on these frameworks. We would like to bring to your attention that with this major release we have removed the security transparent attribute from our assemblies. This means that packages with assemblies compiled against earlier versions of ASP.NET MVC, ASP.NET Web API, or ASP.NET Web Pages will be broken in certain cases (see examples below) when a customer upgrades to the new versions. We recommend you try our new bits and verify that your package still works as expected in your scenarios.
 
One specific case where you will be broken is if your assembly includes either of the following attributes:
•        [assembly:AllowPartiallyTrustedCallers]
•        [assembly:SecurityTransparent]
A common error that you might see is a “System.MethodAccessException” when code in your assembly calls a method in one of our NuGet packages. Another common error is if you have types that derive from a type in one of our NuGet packages.

If you are impacted by this change here is what you need to do:
•        Remove the [assembly:SecurityTransparent] and [assembly:AllowPartiallyTrustedCallers] attributes from your code.
•        Recompile and republish your NuGet package.
 
Note, if you would prefer to keep the attribute for packages depending on older versions of MVC, Web API, and Web Pages, and to remove the attribute for packages that depend on MVC 5, Web API 2, and Web Pages 3, you can do the following:
•        Update your current package to have a version cap so that it will be compatible with only the old version of our package.
o   For example, to have your package be compatible with only MVC 4, use this version range: Microsoft.AspNet.Mvc (≥ 4.0.20710.0 && < 4.1)
•        For your new package remove the [assembly:SecurityTransparent] and [assembly:AllowPartiallyTrustedCallers] attributes from your code and recompile your package against the new versions and publish the new package that has a dependency on the new version.
o   For example, to have your package be compatible with MVC 5 and higher, use this version range: Microsoft.AspNet.Mvc (≥ 5.0.0)

If you come across any additional issues that we need to address please file a bug on our CodePlex site: https://aspnetwebstack.codeplex.com/workitem/list/advanced

Thanks,
Kanchan Mehrotra (kanc...@microsoft.com)
Senior Test Lead on the ASP.NET team

--

Chris Missal

http://chrismissal.com

[Dominick Baier]

bye, bye ASP.NET partial trust. We won't miss you too much...