Skip to content

Update to use IceRPC 0.5.0, .NET 10, and Debian 13#15

Merged
pepone merged 2 commits intoicerpc:mainfrom
pepone:0.5
Dec 2, 2025
Merged

Update to use IceRPC 0.5.0, .NET 10, and Debian 13#15
pepone merged 2 commits intoicerpc:mainfrom
pepone:0.5

Conversation

@pepone
Copy link
Member

@pepone pepone commented Dec 2, 2025

No description provided.

Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR upgrades the Hello IceRPC server to use IceRPC 0.5.0, .NET 10, and Debian 13. The changes modernize the entire stack including the project configuration, Docker base image, runtime dependencies, and documentation references.

  • Upgrades project from .NET 8.0 to .NET 10.0 with C# 14 language features
  • Updates all IceRPC package dependencies from 0.3.* to 0.5.*
  • Migrates Docker base image from Ubuntu 22.04 to Debian 13

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File Description
src/Hello/Hello.csproj Updates target framework to net10.0, adds C# 14 language version, bumps project version to 0.2.0, and upgrades IceRPC packages to 0.5.* and Microsoft.Extensions.Logging packages to 10.0.*
README.md Updates example client URLs to reference IceRPC 0.5.x branch instead of 0.3.x
Dockerfile Migrates from Ubuntu 22.04 to Debian 13, installs .NET 10 SDK and runtime, updates build output path to net10.0, and consolidates MsQuic installation into final stage

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment on lines +9 to 10
&& wget https://packages.microsoft.com/config/debian/13/packages-microsoft-prod.deb -O packages-microsoft-prod.deb \
&& dpkg -i packages-microsoft-prod.deb \
Copy link

Copilot AI Dec 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The Dockerfile downloads and installs packages-microsoft-prod.deb with wget and then dpkg -i without any signature or checksum verification. If the download is tampered (e.g., via DNS/cert compromise or supply-chain attack), a malicious .deb can execute maintainer scripts during dpkg -i, compromising the image and persisting backdoored repositories. Verify integrity before installation (e.g., pin and check a published SHA256 checksum or verify a detached GPG signature), or install the repo using a pinned signed-by GPG key and a verified source, for example:

RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates gnupg \
 && wget -O /usr/share/keyrings/microsoft.gpg https://packages.microsoft.com/keys/microsoft.asc \
 && echo "deb [arch=amd64 signed-by=/usr/share/keyrings/microsoft.gpg] https://packages.microsoft.com/debian/13/prod bookworm main" \
    > /etc/apt/sources.list.d/microsoft-prod.list

Then run apt-get update and install dotnet-sdk-10.0 from the signed repo.

Copilot uses AI. Check for mistakes.
@pepone pepone merged commit 650c337 into icerpc:main Dec 2, 2025
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants

Comments