Critical: .NET install domains and URLs are changing #9671
Comments
|
Is there a risk that a malicious party later acquires azureedge.net and starts serving malware to systems that still use the old URLs? From WHOIS, it looks like azureedge.net is registered to Microsoft, not to Edgio. (Just wondering how urgent it is to update URLs in old version-control branches that are not actively developed but might get built some day.) Have there been any NuGet feeds in the domain? |
|
@KalleOlaviNiemitalo we took it over, so it won’t be taken away. |
so why not keep the current urls for like 1-2 more dont net versions so after .net 11 you have to use the new urls this would give people time to update their whitelists |
@KalleOlaviNiemitalo
|
Given this issue I'm wondering when Microsoft will provide their own domain registrar on Azure to prevent such issues in the future. Currently this is the only thing that is really missing on the Azure platform. I can host virtually anything on Azure but when it comes to domains I still need to resort to a third party. I can point all my nameservers to Azure, sure. But the domain itself needs to be hosted somewhere else. |
|
Does this affect the installers in the Azure Devops pipelines? We use a mix of classic and Yaml pipelines. |
Yes, it does.
|
See: dotnet/core#9671 They are changing CDNs. These changes have already been added in the official install scripts. https://github.com/dotnet/install-scripts/pull/555/files
Please make the following replacements: dotnetcli.azureedge.net -> builds.dotnet.microsoft.com dotnetcli.blob.core.windows.net -> builds.dotnet.microsoft.com dotnetbuilds.azureedge.net -> ci.dot.net dotnetbuilds.blob.core.windows.net -> ci.dot.net
|
Hi, I emailed [email protected] as instructed (twice), but never received a response. Is the inbox monitored? I had asked this question - now posting here: It appears that your new CDN does not utilize the Content-MD5 HTTP response header, which my software currently checks during updates to ensure the data was downloaded correctly. Any plans to add that header to the new CDN?
|
|
ACK. Will respond in the morning. |
|
Looks like this information is available via a $ curl -s --head https://builds.dotnet.microsoft.com/dotnet/WindowsDesktop/8.0.12/windowsdesktop-runtime-8.0.12-win-x64.zip
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-MD5: dJZSYimxFoMXhyGvvmfWKA==
Last-Modified: Tue, 14 Jan 2025 18:04:37 GMT
ETag: 0x8DD34C5E9028595
x-ms-request-id: 410c4d19-601e-004b-024e-6c9933000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Wed, 22 Jan 2025 05:41:53 GMT
Connection: keep-alive
Content-Length: 36822832
Akamai-GRN: 0.0f0e2017.1737524513.56f37fbdSeparately, we're working on a separate proposal to expose Related: dotnet/docs#44425 |
|
Hi @richlander, thanks for the info! Of course, stronger hashes are welcome, and that hash file would be great to have! |
|
We plan to start scream tests on the old domains soon, per #9676. |
|
.NET security chiming in :) Microsoft's internal policy has been, for years, to not use MD5 in new code or systems, and to deprecate it (and SHA1) everywhere else. Whilst yes, it's part of the HTTP spec, it's not something I want to push for, the hash file route, with stronger hashes would be the preferred option for us, when it's delivered over HTTPS. I'll leave it to @richlander to track that. |
|
I am hoping to have a good hash file acquisition option in place soon. It will be SHA 512 which is a vastly superior option (as Barry mentions). As they say, friend don't let friends ... |
|
@blowdart Totally understandable, thank you. I'll discontinue my use of this header. @richlander let me know when there's any details about obtaining the new strong hashes. |
Bump the update-dotnet-sdk action to v3.4.0 to pick up changes to react to dotnet/core#9671.
|
Sorry for this specific issue not being directly linked to .net, but Azure Labs uses the same azureedge.net domain for their icons. As of 2025-01-29 those icons are now broken. Do you have a way to correct this or will this not be fixed since Labs is being deprecated in 2027? (Side note: that is still 2 years away, please fix this) |
|
@slonkak This will be fixed. The Azure Labs team is already working on this. |
|
Thank you for the speedy response!On Jan 30, 2025, at 5:13 PM, Stan Ageev ***@***.***> wrote:
@slonkak This will be fixed. The Azure Labs team is already working on this.
—Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you were mentioned.Message ID: ***@***.***>
|
and others
.NET binaries and installers have moved to a new domain --
builds.dotnet.microsoft.com-- backed by a new Content Delivery Network (CDN). You may need to make changes to adjust.Tracking issue: #9674
Context
Some .NET binaries and installers have been hosted on Azure Content Delivery Network (CDN) domains that end in
.azureedge.net. These domains were hosted by edg.io, which has ceased operations due to bankruptcy. We migrated to a new CDN and will be using new domains going forward.We expect
azureedge.netdomains to cease by 5/31 (at latest)..NET Team Remediation
New domains were created:
builds.dotnet.microsoft.comfor signed official buildsci.dot.netfor unsigned buildsTest links for new CDN:
Test links for old CDN:
The following resources have been updated to use new domains.
releases-index.jsonOther changes are in progress.
User Remediation
Please make the following replacements:
dotnetcli.azureedge.net->builds.dotnet.microsoft.comdotnetcli.blob.core.windows.net->builds.dotnet.microsoft.comdotnetbuilds.azureedge.net->ci.dot.netdotnetbuilds.blob.core.windows.net->ci.dot.netAll the new domains are path-compatible with old domains, as they share the same origin.
Please also make the following changes:
Install script
The .NET install script is used to install .NET from our CDN. We are changing CDNs (documented in a following section), which requires us to change the install script to use the new CDN.
Updated scripts:
https://dot.net/v1/dotnet-install.shhttps://dot.net/v1/dotnet-install.ps1Notes:
Tracking PRs:
Official builds
Official builds and JSON files are hosted via a CDN, available for use by the install script and other installers.
Notes:
microsoft.comdomain was chosen to reflect that.You can change from old to new domains by changing the domain section of the URL. The other parts of the URL do not need to change.
Example URLs:
A set of short links are available for official builds.
Link pattern:
https://aka.ms/dotnet/[x.y]/[package].Example URLs:
These links produce
301HTTP results that forward to our CDN.We expect these links to be changed in mid January.
Tracking PR:
CI builds
Continuous integration (CI) builds are hosted via a CDN, available via the install script and GitHub README files.
Note: CI builds include a mix of tested and untested builds, signed and unsigned builds.
Example URLs:
A set of short links are available for CI builds.
Link pattern:
https://aka.ms/dotnet/[x.y]/daily/[package].Example URLs:
These links produce
301HTTP results that forward to our CDN.We expect these links to be changed in mid January.
Tracking PR:
CI build pages use the CI short links.
Example build pages:
Azure DevOps and GitHub Actions
UseDotnetTaskwill be updated in JanuaryThe text was updated successfully, but these errors were encountered: