Description
Is your feature request related to a problem? Please describe.
NuGet has a feature called "Repeatable Builds", which is really a lock file that lists every package version and package hash used. When restoring on a different machine, it's possible to use "locked mode" which will fail the restore if the package graph is different, and this has been a way to mitigate "package confusion" or "package substitution" attacks since before that became widely publicized in 2021.
Some customers using this feature are confused why NuGet is failing when the same project is restored on Linux vs Windows:
Its root cause is when the .NET SDK adds the win7-x64 or win7-x86 RID, but on Windows only:
Describe the solution you'd like
While this can be mitigated by customers adding <RuntimeIdentifier>win7-x86<RuntimeIdentifier> in their own project fie, it would be great if the SDK was consistent across platforms. I assume that the $([MSBuild]::IsOSPlatform(Windows)) condition is added for some legacy compat reason, but I really can't guess why or what benefit it brings. Would it be "harmful" if the SDK either stopped adding this RID on Windows, or alternatively added it on Windows when all the other conditions (TFI==.NETFramework, etc) are true?
I'm not sure under what other scenarios the SDK adds specific RIDs, or PackageReferences, but I think the implicit PackageReferences have mostly gone away since PackageDownload was added.
If RIDs and PackageReferences can't be consistent by default across platforms, then guidance or recommendations on how to make the SDK more "determinstic" that that NuGet's lock files can be used would be appreciated. While I could document "specify you own RIDs" as something that "worked for me", I don't know if this would introduce different problems.