[master] NuGet Feed Update

[dotnet-bot]

NuGet Feed Update

This pull request updates the usage of NuGet.org in cases where it is used in conjunction with other feeds.

Is this PR required?

Generally yes. If the target branch is no longer in use and will not need to be built in the future, please close this PR.

This PR is broken build, what do I do?

If packages are missing, please tag 'dotnet/dnceng' or 'mmitche' on this PR and note the missing packages.
If there are other unexpected failures, please contact 'dotnet/dnceng'.

[benvillalobos]

Looks good. I expect to see a failed pipeline build after this merges because of the dotnet-core feed. It doesn't end in: dev.azure.com or visualstudio.com per https://docs.opensource.microsoft.com/tools/nuget_security_analysis.html

[Forgind]

@mmitche, Maybe I'm confused, but I thought we were supposed to unify onto one feed rather than just not using public ones; is that wrong?

[benvillalobos]

@Forgind here's how the pass/fail logic works:

Roughly this translates to pass/fail logic of:

If the packageSources object is empty or does not exist -> Pass
If there is no statement present -> Fail
If one feed per file -> Pass
If multiple feeds per file (see Note below):
If all internal feeds -> Pass
If a mix of internal and external -> Fail
External feeds are considered to be those that do not end with a feed domain of:

dev.azure.com
visualstudio.com

[mmitche]

@benvillalobos We should try to get rid of the dotnet-core feed too. We can migrate necessary packages off of it.

[benvillalobos]

@mmitche we're attempting to do that here: #6141 and have an experimental pipeline build running with that change here: https://dev.azure.com/devdiv/DevDiv/_build?definitionId=9434