PackageDownloadAndReference should not be used with packages updated regularly - by sourcebuild or otherwise #122565
Description
I introduced PackageDownloadAndReference in df76a01 as a way to represent references to packages which we couldn't update due to external deployment by VS / MSBuild / SDK.
Since then, it looks like changes have been made to these that make some of these regularly updated. Being able to take regular updates is a good thing - since it means that there really should no longer be a need for pinning to the old version. If that need truly went away, then we can stop using PackageDownloadAndReference and just use PackageReference with IncludeAssets="Compile". To do so though, we need to ensure that the matching version of that package is made available at the time the project needs to run.
If the exact match cannot be guaranteed then it may be better to go back to a fixed version that doesn't update regularly. We don't want to introduce redistribution just to be on a newer package version than the SDK. We don't want to introduce a mismatch where we reference a higher version than what we run on either.
flowchart TD
Q1{Does the project<br />redistribute the reference?}
Q1 -->|Yes| A[Use `PackageReference`<br />and ensure the version is<br />regularly updated.]
Q1 -->|No| Q2{Can the project ensure<br />it will always reference the<br />exact version it runs<br />against?}
Q2 -->|Yes| B[Use `PackageReference<br />IncludeAssets="Compile"`<br />and keep the version in<br />sync with the runtime<br />version.]
Q2 -->|No| C[Use<br />`PackageDownloadAndReference`<br />against a fixed version<br />lower than the runtime<br />version.]
✔️ DO represented any version used with PackageDownloadAndReference in SBRP.
❌ DO NOT use PackageDownloadAndReference with version that updates regularly.