I really cannot understand this decision because it is a major breaking change not even emphasyzed enough in the release notes.
It will cause all sort of compile time issues all around and there’s no simple workaround (none that I’m aware of) that can mitigate the problem.
About the proposed workaround:
Delay Updating: this might not be an option, especially if new versions of the drivers fix critical bugs.
Manual Update: forking libraries (how many?), updating drivers, republish to internal nuget feeds “can be ok”, but will increase the workload on teams that actually deliver products; moreover:
How many custom-compiled versions of the same packages we’ll see being published in nuget?
What about “closed source” code that depends on MongoDB? are we forced to pay for packages just to update to the latest version of the driver?
Microsoft itself admits Strong Naming is a thing of the past, quoting from:
Strong-names are left over from previous eras of .NET where sandboxing needed to differentiate between code that was trusted, versus code that was untrusted. However in recent years, sandboxing via AppDomains, especially to isolate ASP.NET web applications, is no longer guaranteed and is not recommended.
And you also recognize that it has no benefits at all for .NET Core and .Net 5+… It might have some “benefits” only for legacy code that still runs in .Net 4.x and only for very rare (and outdated imo) situations.
I’d really like to know the actual reasons that lead you guys to break the driver contract after 9 years of publishing an unsigned package.
Why signing it now that it has no actual benefit for the current and future .Net echosystem ?