Our development team is starting to run into vertical dependency issues. I’ve been on teams that used Ivy to deal with this, but NuGet seems to be a far superior solution for Visual Studio 2010 / C#.
What scares me about NuGet is it makes it so easy to publish to the global feed. If this happens accidentally, at best, I am going to get fired. At worst . . .
I am hoping someone can vet the following plan and tell me if I’m opening myself up to a disaster. Also, any advice to improve the workflow would be appreciated.
- I am under the assumption that if I never use the “push” command, and/or I never enter an API Key, NuGet cannot publish to the public repository. Is this true?
- I will install a Package feed on our private intranet, where the package feed is created as described here: http://haacked.com/archive/2011/03/31/hosting-simple-nuget-package-feed.aspx
- I will alter our CruiseControl/TeamCity builds to generate a new .nupkg file on every build, and push them to the ~packages directory.
- Team members will be forced to install the NuGet plugin, and point it towards the private repository.
If you don’t enter an API key you are 100% safe. You can type push all day long and it won’t do a thing.
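
An added example, not part of the original question or answer: a small audit that reads a NuGet.config and reports any package source or stored API key that points outside the intranet, which is the condition the answer above depends on. It assumes the standard `packageSources` and `apikeys` sections of NuGet.config; the host names, feed names and key value in the sample are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Hypothetical intranet hosts that are allowed to serve or receive packages.
ALLOWED_HOSTS = {"nuget.corp.example", "buildserver"}

# Constructed sample of a developer's NuGet.config (for example the per-user
# file under %AppData%\NuGet): two intranet feeds, the public feed, and a
# leftover API key stored for the public gallery.
SAMPLE_CONFIG = r"""<configuration>
  <packageSources>
    <add key="Internal" value="http://nuget.corp.example/nuget" />
    <add key="Share" value="\\buildserver\packages" />
    <add key="Official" value="https://www.nuget.org/api/v2/" />
  </packageSources>
  <apikeys>
    <add key="https://www.nuget.org" value="constructed-placeholder-not-a-real-key" />
  </apikeys>
</configuration>"""


def source_host(value):
    """Return the host of a feed URL or UNC share, or None for a local path."""
    if value.startswith("\\\\"):                 # UNC share: \\host\share
        return value[2:].split("\\", 1)[0].lower()
    if "://" not in value:                       # plain directory feed
        return None
    return (urlparse(value).hostname or "").lower()


def audit(config_xml, allowed_hosts=ALLOWED_HOSTS):
    """List (kind, name, host) for every entry that leaves the intranet."""
    root = ET.fromstring(config_xml)
    findings = []
    for kind, path, attr in (("external-source", "./packageSources/add", "value"),
                             ("stored-api-key", "./apikeys/add", "key")):
        for entry in root.findall(path):
            host = source_host(entry.get(attr, ""))
            if host is not None and host not in allowed_hosts:
                findings.append((kind, entry.get("key"), host))
    return findings


if __name__ == "__main__":
    for kind, name, host in audit(SAMPLE_CONFIG):
        print(f"{kind}: {name} -> {host}")
```

Run on build agents and developer machines, an empty result means no API key is stored for an outside feed and every configured source is internal.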