Should package metadata element names be case-insensitive?

[joelverhagen]

Consider the case of the hand-edited .nuspec file (because no one ever does that, right?) where someone mistypes the metadata name and provides and incorrect case. Should this be supported officially?

Example. The BlogML.Core 1,0.0 package on nuget.org has <ProjectUrl> in the .nuspec instead of <projectUrl> which is the official element name.

XML is case sensitive right? Well, yes, but the majority of cases in the official NuGet experiences accept this funky metadata element without blinking an eye:

1st Party

• ✔️ nuget.org: link
• ✔️ V2 non-hijacked: link
• ✔️ V2 hijacked: link
  • This is the thing ready by VS package manager UI on the V2 feed URL
• ❌ Package metadata resource, a.k.a. registration: link
  • This is the thing read by VS package manager UI on the V3 feed URL
  • Note this will likely change with my Catalog2Registration rebuild due to Newtonsoft.Json#815
• ✔️ Search: link
• ✔️ Package manager UI on local feed
  • 

3rd Party

• ❌ NuGet Package Explorer UI
• ❌ NuGet Package Explorer > Edit > Edit Metadata Source (???)

This is a good idea right?

My vote is NO, no, No, nO! We should not support this officially.

In fact I think we should explicitly state it is not supported and any implementation that treats metadata names as case-insensitive strings is doing so at it's own peril. For example, what's the defined behavior when there are two metadata fields with the same name but different case (e.g. <id> and <ID>). Life's too short!

Fortunately, nuget.org rejects packages with multiple ID and version casings defined so I think we're out of scary land -- just living in crazy land. NBD.

Okay, who's guilty of this cardinal sin?

No shame, we all hack around with .nupkgs. But the ones I've found on nuget.org are:

• StaticProxy.Fody 1.0.146-GenericMethods has "Summary" not "summary".
  • https://api.nuget.org/v3/catalog0/data/2019.10.02.07.14.49/staticproxy.fody.1.0.146-genericmethods.json
• Boolli 1.0.0 has "licenseurl" not "licenseUrl".
  • https://api.nuget.org/v3/catalog0/data/2019.01.02.03.56.37/boolli.1.0.0.json
• BlogML.Core 1.0.0 has "ProjectUrl" not "projectUrl".
  • https://api.nuget.org/v3/catalog0/data/2019.01.02.13.49.28/blogml.core.1.0.0.json
• Confuser.MSBuild 2.0.0-alpha-0191 has "iconURL" not "iconUrl".
  • https://api.nuget.org/v3/catalog0/data/2019.04.18.10.29.30/confuser.msbuild.2.0.0-alpha-0191.json
• SmartSeeder 0.0.1, 1.0.0-rc1-beta, 1.0.0-rc1-preview have "Language" not "language".
  • https://api.nuget.org/v3/catalog0/data/2018.12.19.07.07.41/smartseeder.0.0.1.json
  • https://api.nuget.org/v3/catalog0/data/2018.12.19.07.07.41/smartseeder.1.0.0-rc1-beta.json
  • https://api.nuget.org/v3/catalog0/data/2018.12.19.07.07.31/smartseeder.1.0.0-rc1-preview.json

🍻

[xavierdecoster]

My vote is NO, no, No, nO! We should not support this officially.

🥇

[nkolev92]

@joelverhagen

Do you have a list of all the packages with bad metadata?

[joelverhagen]

See the end of the issue. There is a list of package IDs, versions, and specific metadata properties that are bad.

[nkolev92]

@joelverhagen

I should've asked a better question.

Are those packages samples or all packages?

[joelverhagen]

All, at the time of filing the issue.

[nkolev92]

I think it makes sense to say that package metadata is case sensitive.