Lightup Deps.json feature

[gkhanna79]

Ported from PR #1630 and fixes https://github.com/dotnet/core-setup/issues/1597

[gkhanna79]

@eerhardt @ramarag PTAL

[pakrym]

How does this work with Microsoft.Extensions.DependencyModel .deps file loading? It only supports discovering two deps files: application and frameworks (see https://github.com/dotnet/core-setup/blob/master/src/Microsoft.Extensions.DependencyModel/DependencyContextPaths.cs)

[gkhanna79]

It does not @pakrym. This is intended to be a scoped change only to support Azure lightup scenarios.

[pakrym]

There may be unexpected consequences, for example if Azure Lightup brings controller and MVC uses runtime assembly scan to discover controllers it would not get discovered. Just wanted to make sure this is known.

[gkhanna79]

I think any assembly injected using this mechanism will not be discoverable via DependencyContext, from my naive understanding of it.

Either ways, I believe you own DependencyContext, so you may want to followup on this.

[analogrelay]

Could we have a flag in runtimeconfig.json to allow me, as an app developer, to turn this feature off completely, even if the environment variables are set?

I feel like some app developers may want to be a little paranoid and disable this loading completely, to avoid having to worry about it at all. It may be a little overkill (and it's certainly not perfect), but it feels a little cleaner to have a complete opt-out that remains in the control of the app developer.

In ASP.NET, our "plugin loading" system which will consume this additional deps file also has this "opt-out" functionality, but there could be cases where even loading the new deps file could be problematic to app developers, so having a global opt-out just seems like a Good Thing here ;).

Ideally, this runtimeconfig.json flag would be propagated from an MSBuild Property too ;)

(/cc @DamianEdwards @glennc)

[gkhanna79]

Having a flag to override a feature that is opt-in by design sounds extremely odd to me. You should not set it for the app in question.

[DamianEdwards]

It's not opt-in for the app, it's opt-in for the server/hoster.

…

On Mar 15, 2017 12:11 PM, "Gaurav Khanna" ***@***.***> wrote: Having a flag to override a feature that is opt-in by design sounds extremely odd to me. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#1727 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAPNADwbGo61VvwXYb-8Ggkf3qdKaqY6ks5rmDfSgaJpZM4Mb8C8> .

[analogrelay]

It's not opt-in for the app, it's opt-in for the server/hoster.

Exactly. If I as an App Developer don't want hosters messing with my loaded app, I think it should be possible to disable this feature.

[gkhanna79]

But then why would they need to unconditionally apply to all apps? Why can't the app tell the host not do any "injection of plugins" so that the host only specifies the plugin deps for the apps that have not opted out.

I do not see why the host has to participate in enabling override for something that is optional by design. IMHO, the server/hoster should do the right thing in determining to whom they can apply the flag.

CC @richlander

[analogrelay]

It definitely shouldn't apply to all apps, I'm talking about a way for an individual app to set a setting in their own runtimeconfig.json file that tells the host not to load the additional deps files.

[gkhanna79]

It definitely shouldn't apply to all apps, I'm talking about a way for an individual app to set a setting in their own runtimeconfig.json file that tells the host not to load the additional deps files.

My understanding is that an application does not ever know that such an injection may happen - such an injection is magic. This was one of the reasons why the idea to include plugin dependencies in the app.deps.json, at the time of the app publish, was turned down since the app would then need to know about this.

What you are proposing above translates to app knowing about this even though we are claiming it is magical injection. I would assert that this is contradictory - either you make it explicit for the app to bring in (or not) the dependencies or handle things for them. The opt-in nature of the feature enables the server to exclude the injection from happening for apps that may choose to request.

[eerhardt]

IMHO, the server/hoster should do the right thing in determining to whom they can apply the flag.

Agreed. If the web host wants to allow individual apps from opting out of this behavior, the host should have the flag to allow individual apps from opting out. Then the host doesn't set the Environment Variable, and it doesn't pass in --additional-deps. That's how the opt-out should work. If someone set the variable, then this behavior kicks in. Don't set the variable if you don't want this behavior.

[gkhanna79]

@eerhardt PR is updated to only support the feature for portable apps.

[eerhardt]

Just a few minor test comments.