Excluded Files Mistakenly Uploaded Anyway

Apr 4, 2011 at 3:07 PM

Hi Everyone,

I just checked in my solution for the first time to TFS but it included all of my strong-name key files, even though I explicitly excluded them from source control:

File > Source Control > Exclude [MyFile].snk from Source Control

This menu option is still checked for all of the files that I had excluded, and in Solution Explorer they appear with a red icon indicating their exclusion status; however, they are in source control and I can browse to them in the online viewer on CodePlex (so I assume they can be downloaded as well).

What have I done wrong?

BTW, this all sounds very familiar - I think I've been here before with another project in the past, but my search didn't yield any results.

Thanks,
Dave

P.S. Can somebody at CodePlex permanently delete these .snk files in source control for me?  I'll regenerate new ones if not.

Apr 5, 2011 at 11:24 PM

You can submit a support request for this using our Contact Us form and we'll get it permanently deleted for you.

Mar 18, 2012 at 7:10 AM

  1. Create a new project on CodePlex.
  2. Open Team Explorer in Visual Studio 2010.
  3. Connect to TFS server.
  4. Connect to the team project created in step #1.
  5. Open Source Control Explorer for the project.
  6. Select the root project node, right-mouse click and select Get Latest Version.
  7. Set the working directory when prompted.
  8. File > New > Project...
  9. Choose Visual C# > Windows > Class Library.
     a. Save the solution and project to the working folder, if prompted.
  10. Open the Properties window for ClassLibrary1.
  11. Select the Signing tab.
  12. Check "Sign the assembly".
  13. Select <New...> from the drop-down list.
  14. Uncheck "Protect my key file with a password".
  15. Enter the name, "Test.snk" and press OK.
  16. Save all changes.
     a. Save the solution and project to the working folder, if prompted.
  17. Open Solution Explorer.
  18. Right-mouse click the solution and select "Add Solution to Source Control...".  The solution is added with pending changes.
  19. Select the Test.snk file in Solution Explorer.
  20. Go to File > Source Control and select "Exclude Test.snk from Source Control".
  21. Confirm that the Test.snk file shows a red dot next to its icon in Solution Explorer.
  22. Open the Pending Changes window.
  23. Right-mouse click the ClassLibrary1.csproj.vspscc file and select View.
  24. Confirm that the following lines exist:
     "NUMBER_OF_EXCLUDED_FILES" = "1"
     "EXCLUDED_FILE0" = "Test.snk"
  25. Check in all changes.
  26. Close Visual Studio.
  27. Open Visual Studio and load the solution.
  28. Notice that Test.snk is still excluded according to Visual Studio.
  29. Browse to the Source Code tab for your project on the CodePlex website.
  30. Download the changeset that you just created.
  31. Open the .zip file and notice that Test.snk exists.  It was not excluded from source control.

The pending change was not cancelled automatically.  That's fine, you say.  You could have decided to manually undo the pending change for the .snk file because you didn't trust VS to do it for you based on your explicit exclusion.  Well that's the correct decision because although VS should exclude your file, it doesn't.  Manually undoing the change is the only way to exclude the .snk file from the initial check-in and the zipped source code, even after you've told VS to exclude it.  But now that VS knows that the file is excluded everything is secure, right?

Wrong.  Now imagine that years later your project has grown to have many, many files.  And over the course of years you've branched, merged, moved, etc.  Regular project management stuff.  At some point you realize that you've been a fool.  Nobody has told you that your secure key files have actually been uploaded to CodePlex at some point without your knowledge.  The keys may have even been there for YEARS.  You look in Visual Studio and it shows that your key files are "Excluded".  That's right, they are excluded, but somehow got uploaded anyway in multiple projects.

I've been extremely careful to ensure that new check-ins for branches and moves always have the .snk files excluded, but perhaps it's my fault anyway.  Perhaps in the shuffle of trying to remember all of the several files that needed to be excluded and reorganizing the hundreds of files that I was branching or moving at different times, I simply let the .snk files pass through without manually undoing their pending changes.

In other words, I've never forgotten to actually mark them as excluded, as is evident by the status in Visual Studio, but I had just forgotten to actually exclude them.  Essentially, I excluded them yet included them.  I guess I should've been more careful to prevent my explicitly excluded files, which VS acknowledges as excluded, from being included.

I've spent time documenting the process for teammates to request keys and instructing users to disable signing on my projects because they don't have access to my secure keys, though now I realize that they actually do have access to them.

It's embarrassing for me.  Not sure whether it's embarrassing for MS though.  Maybe I just don't understand the purpose of this "Exclude" feature.  Am I trying to abuse it somehow?  What is it supposed to do?

I understand that this isn't a major issue for an open source project.  But it concerns me greatly because it violates my trust and the security of my projects when I see that VS marks my key files as excluded yet for years people have been downloading them without my knowledge, and I've been making foolish statements to the public about how the keys aren't available for download - according to my initial tests and the status in VS.  I also seem to recall having a related discussion a few years ago about exclusion not working as expected, but I don't remember if it was on CodePlex or the TFS forum.

Thanks,
Dave
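
Added example, not part of the original posts: a Python check that reads the EXCLUDED_FILE entries shown in step 24 from every .vspscc file in a downloaded changeset .zip (step 30) and reports any that are present in the archive anyway. It assumes excluded paths are relative to the folder holding the .vspscc file and that the file is ASCII/UTF-8 text; the function names and the sample archive are constructed for illustration.

```python
import io
import posixpath
import re
import zipfile

# Matches lines such as:  "EXCLUDED_FILE0" = "Test.snk"
EXCLUDED_RE = re.compile(r'^\s*"EXCLUDED_FILE(\d+)"\s*=\s*"([^"]*)"\s*$', re.M)


def excluded_files(vspscc_text):
    """Return the paths a .vspscc file lists as excluded, in index order."""
    entries = sorted((int(i), p) for i, p in EXCLUDED_RE.findall(vspscc_text))
    return [p.replace("\\", "/") for _, p in entries]


def leaked_exclusions(zip_bytes):
    """Return archive paths that a .vspscc in the same archive marks as excluded."""
    leaked = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = {n.lower(): n for n in zf.namelist()}
        for name in zf.namelist():
            if not name.lower().endswith(".vspscc"):
                continue
            # Assumption: excluded paths are relative to the .vspscc's folder.
            project_dir = posixpath.dirname(name)
            text = zf.read(name).decode("utf-8-sig", errors="replace")
            for rel in excluded_files(text):
                candidate = posixpath.normpath(posixpath.join(project_dir, rel))
                if candidate.lower() in names:
                    leaked.append(names[candidate.lower()])
    return sorted(set(leaked))


def build_sample_changeset(include_key):
    """Constructed sample: a changeset .zip like the one downloaded in step 30."""
    vspscc = '"NUMBER_OF_EXCLUDED_FILES" = "1"\n"EXCLUDED_FILE0" = "Test.snk"\n'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ClassLibrary1/ClassLibrary1.csproj", "<Project />")
        zf.writestr("ClassLibrary1/ClassLibrary1.csproj.vspscc", vspscc)
        if include_key:
            zf.writestr("ClassLibrary1/Test.snk", b"constructed placeholder, not a key")
    return buf.getvalue()


if __name__ == "__main__":
    for path in leaked_exclusions(build_sample_changeset(include_key=True)):
        print("excluded in .vspscc but present in changeset:", path)
```

Run against each downloaded changeset, a non-empty result means a file marked as excluded was checked in regardless, and the key it contains should be treated as exposed.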