Epic: Improve package validation

[rrelyea]

dotnet/extensions#2744 details a break that occurred when dotnet core 3.1.0 shipped yesterday. Some packages had added embedded icons...but had two entries.

This item covers a new validation rule - "catch the duplicate zip item' problem. (note, pay attention to encoding too... "foo bar" and "foo%20bar" as item names get extracted to the same file. How should we treat that?

It also needs several places to run... sketch of plan is below:

They use some components of the dotnet pack codepath, but avoided a validation that our pack code already does.

As part of our PackageQuality epic that is coming up soon on our backlog, we have plans to:

• have a set of concrete guidelines for package quality.
• increase validations at dotnet pack time
• add a new entry point to CLI to allow people who custom pack packages to get most of our validation rules run - nuget verify -all foo.nupkg
• do more validations on the server when nuget.org gets packages submitted
• nuget.org and vs package manager UI would show a grade (or similar) to show how great (or not) a package is.

[aortiz-msft]

Ideas to incorporate:
https://github.com/dotnet/arcade/blob/f50767f96246063f33a6565d318f3adf9058bace/eng/common/post-build/nuget-validation.ps1

Doc for the script is here:
https://github.com/NuGet/NuGetGallery/tree/master/src/VerifyMicrosoftPackage

[Pilchie]

ASP.NET had previously built a validation system as well. It implemented a set of rules you can see here.

Some of these are .NET Core specific, some are Microsoft specific, but there have been a bunch of issues here.

Additionally, with package reservation and signing requirements, it would be extremely valuable to have a server that we can push to that validates everything that nuget.org does at publish time.