Last Week in .NET, December 26th 2020 – Fun-sized Holiday Edition

Here’s just a few things I bookmarked last week in .NET.  No episode this week, just these fun-sized things I found:

🐦A twitter thread from Anson Horton that talks about the genesis of .NET *before* C#.  Yes, *Before*.  What *did* you think BC stood for, anyway? 

🧠10 thought-provoking questions that are guaranteed to make you experience ennui from Polina Marinova Pompliano.  

πŸ’£A second backdoor was found in the Solarwinds update DLL. This one has been dubbed “SUPERNOVA” with the caps denoting… shouting?

Three more days to learn the lyrics to Auld Lang Syne, and four days until we can say goodbye to 2020.

I hope the holidays are good to you and yours, and I’ll see you in 2021.

Last Week in .NET #23 – Solarwinds gets hacked; Microsoft goes on the Attack

In what I can only describe as a β€œlead magnet”, here’s a copy of my weekly .NET newsletter, creatively titled β€œLast Week in .NET”. I’m posting it here in the vain hopes that you’ll sign up for the newsletter or subscribe to the podcast. β™₯

Between the SolarWinds hack, Microsoft releasing a working document detailing the problems with the .NET ecosystem, and a bouncy castle crypto vulnerability, it’s been a busy week. Let’s dive in and see what happened, shall we?

🀼 Immo Landwerth, PM for .NET, writes a document on the eco-system problems in .NET. This document is monumental in it being a candid take on the .NET OSS ecosystem problem; and while it says it softer than I will, it lays the blame for the state of the .NET Ecosystem on Microsoft. Building Trust with your community is the first step to solving any problem (and let’s be clear: Building trust if-you-don’t-already-have-it should always be the first step) and this document does just that. Microsoft is its own worst enemy when it comes to building a sustainable eco-system for .NET. Luckily they’re at least aware of the problem. There’s also a github issue devoted to feedback on The Document and you should chime in if you have passionate thoughts on the subject. I know I do.

⬆ .NET Core updates are coming to… Microsoft update (not Windows Update!). Well, not exactly. Client updates will happen through “Automatic Updates”, server updates will happen via WSUS and Microsoft Update. Somewhere a sysadmin is crying.

🚨 the Bouncy Castle project has a vulnerability in its authentication module which allows attackers to very easily figure out the hashed passwords. The flaw? It checks that the characters exist in the string instead of checking that the characters are at the correct index. Hugops to the Bouncy Castle team.

πŸ‘©β€πŸ’» Not to be outdone by Apple, Microsoft is designing its own ARM Chips for its servers and Surface PCs. No amount of designing your own chips will get Microsoft out of the “We must support all of our software from the beginning of time” problem they’ve created for themselves, and that problem is central to why “just making ARM chips” won’t make things better. Maybe this is the business person in me talking; but perhaps some of these 25 year old applications need to be re-written off of Win32?

πŸ“ CodeMaze walks through using Authentication in ASP.NET Core with Angular. I got excited for a second when I thought they were going to cover authorization, but no. No one covers Authorization. Authorization is like married couple sex. You know people do it, but you never see it and they really don’t talk about how they do it that much.

βœ… You can win $250 US dollars by taking part in the .NET Foundation “State of .NET” survey. Yes, I have jokes, but I’ll put those aside for a second to say: You should take this survey. The .NET Foundation needs to hear what you find important, and they need you to be as direct about it as possible. Also, how can Microsoft possibly figure out which open source project to torpedo next if you don’t tell them what you’re using?

🚨🚨🚨 The Solarwinds DLL used to hijack systems “Solarigate” was catalogued last week by the folks at Microsoft. In case you missed that fun, Nation state-level hackers found the deployment credentials for Solarwinds updates on Github; engineered an update with a malicious payload inside of it, got into a few dozen government agencies networks, used that payload to install backdoors and laterally move into other systems, and all the while kept it secret for 9 months. This post goes deep into an analysis of that DLL. This is what we need more of. Microsoft immediately stepped up, addressed how this happened and now provides an immensely valuable resource on learning more about the inner workings of this attack.

πŸ“ Lesley Carhart writes up her own thoughts on the SolarWinds attack. No snark here, Lesley is one of the smartest infosec people I know, and her commentary is always helpful in these trying times (gestures broadly).

πŸŽ₯ Remember when movie tie-ins were terrible video games? Now it’s using the movie to tech people how to code, and we’re all the better for it. Space Jam: a New Legacy is coming out, and why not use it to teach people how to code?

πŸ“ Xamgirl shows you how to implement Multi-binding in Xamarin forms blog posts on Xamarin are the programmer’s equivalent of a gym membership. I read them, and I really want to pick up Xamarin forms; but then I have Ionic sitting right there and I just don’t do it. I can just read the blog posts and learn Xamarin vicariously through that; right?

πŸ“ Telerik reminds you of 10 things you probably didn’t know about Blazor Not covered on the list is that Blazor is the programming language for stoners; and it represents an underground attempt to make Mary Jane mainstream. Sign. I can’t do it. I can’t write satire about QAnon without it sounding completely nuts and completely plausible that someone thinks that all at the same time.

πŸ“ So there’s a blog post by David Pine that shows you how to make localization using machine generated translations using Azure Well that’s pretty flipping neat.

🀼 The team working on System.Text.Json details what’s next. Given that Newtonsoft.Json is functionally stable and doesn’t seem to be getting many more updates, it doesn’t make a whole lot of sense for teams looking for new Json serialization to use Newtonsoft.Json, and so we may as well embrace what Microsoft has created here.

🐦 David fowler shares his progress on improving Http.sys for teams migrating from .NET Framework to .NET core, and given the age of the code in question; this PR serves as a really good way to see how to make performance improvements to code that’s almost 20 years old.

πŸŽ™ Dotnet Rocks interviews Laura Laban, CEO of InfiniteFlight on her product InfiniteFlight, which is a .NET and C# mobile flight simulator. Yes, a mobile flight sim written in C# and using .NET. That alone is amazing.

🐦 Nick Craver, Architecture Lead at Stack Overflow, deep dives into a mysterious bug the Stack Overflow team was running into and they found what was causing it it. Stack Overflow runs on .NET 5; and this twitter thread is about as close as you can come to “being along for the ride”. Well worth your time to read.

πŸ’Έ Microsoft Changes its certification programs and makes them free, but you have to renew them yearly This isn’t so bad, especially given the rate of change these days. One reason why a “Last Week in .NET” wouldn’t have worked before .NET core is that… well… release cycles were counted in years, not weeks.

πŸŽ₯ Channel 9 deep dives into what is MSAL + Microsoft.Identity.Web to which I have the same question, and a follow up if you will: how is this different from IdentityServer?

And that’s what happened last week in .NET. We’re going to be feeling the effects of the Solarwind attack for years. The sheer patience involved in the attack coupled with the way that systems were compromised and how lateral movement occurred means that it could be quite a while before we know the full extent of the damage. And on that happy note, I’ll see you next week; maybe. Depends on what sort of news comes out this week in the world of .NET. It being close to Christmas, probably not a whole lot.

Last Week in .NET #22 – Microsoft Parrots Google

In what I can only describe as a “lead magnet” for my newsletter, I’ve included this week’s newsletter as a blog post so you can see what you’re in for if you sign up. You could, of course, watch this space for new issues; but there’s no guarantee I’ll remember to put them here, and then where would you be? (exactly where you are right now, which is why I should probably just hire professional marketing copywriters).

This is Last Week in .NET for the week ending 12 December, 2020.

πŸ“’ .NET 5.0.1 has been released. Lots of Bug Fixes and Performance improvements in this one; with an focus on EFCore. If you use EF Core, take note.

🚨 There’s a Remote Code Execution Vulnerability in MS Teams that was apparently patched in October 2020. This github repository includes commentary and videos on the RCE itself.

πŸŽ₯ Microsoft’s ASP.NET Community standup covers “Material Design with Blazor”, which continues the tradition of tech parroting tech. Alternate Runtime that compiles to JavaScript? Check. Design library that mimics a flat design? Check. All we’re missing is a realization that in 5 years, Material design made design worse, not better, as we all relegate flat design to the dustbin of bad decisions, where it belongs.

πŸŽ₯ Did you know Microsoft has its own TV station devoted to .NET? The Zoomers are probably asking “What’s a TV Station?” but for the rest of us, .NET live is effectively a TV station devoted to… .NET. This is precisely as exciting as it sounds, and that excitement you feel is why you subscribe to my newsletter.

🐦 Scott Hanselmen reminds us, If you’re using .NET Core, you can generate a .gitignore file in one command dotnet new gitignore will generate a .gitignore file that is already set up for working in .NET. This is a pretty neat development and I’m here for it.

🎌 Jetbrains tells you how to make the most of init-only properties and records with Resharper 2020.3 and C#9. ReSharper remains one of the fastest ways to improve your productivity in Visual Studio. Even with VS 2019, which has come a long way in refactorings, ReSharper still beats Visual Studio’s out of the box developer experience, hands down.

πŸ‘©β€πŸ’» There are cryptography improvements in .NET 5 for the 5 of you that care about this, you probably already know about it. So really the only thing I can say is “Don’t roll your own crypto” and “don’t trust some random blog post on Crypto”, and let’s all ignore for the second that this blog post filled the latter. In all seriousness though: If your code even comes within 50 feet of dealing with Cryptography, hire an “InfoSec” centered developer that knows what they’re doing.

⏩ If you use blazor, there’s a library that claims to have somewhere between “0-1000x faster API responses on server side with Fusion’s caching and automatic dependency tracking abstractions.”. Yes, 0-1000x. That’s quite the range. This is one of those situations where I’m thinking “Ok, this could be bullshit”, or “I’d love to interview the developer of this to get a better understanding of what’s going on”, so if you run the Stl.Fusion project, or you know who does, make me an introduction?

🀼 Github Universe took place last week and there are lots of on-demand sessions available for your perusal. Oh, and drop ICE as a contract, please. Best, Me.

🎁 CSLA 5.4.0 for .NET 5 has been released No I don’t know what this does either; but according to the project page it’s a way to “build a reusable, maintainable object-oriented business layer for your app. This framework reduces the cost of building and maintaining applications.”

🎁 Infer# for .NET has been released this library does ‘interprocedural memory safety analysis for C#’, and if you know what that means you probably know whether this is good for you or not. It’s a .NET version of the “Infer” Static Analyzer; and I have no clue how it differs from FxCop or other Static analysis tools for .NET. If you do, let me know on twitter @gortok.

πŸ“ There’s a new site out that let’s you know what blogs to follow, no matter your tech stack Now Rust Developers have yet another way to remind you that they use Rust. This site was built by @monicalent, and is pretty fricking awesome. H/t to Stephanie Morillo for the link.

πŸ“ Claire Novotny shows you how to create Nuget packages that can use Source Link Source Link seems to be “Source symbols” for the 21st century. Instead of an esoteric way of downloading symbols (and the nightmare that ensued), you can now point your nuget packages to your public source repository, allowing developers to browse your source code without using that Godawful Visual Studio dialog to do so.

🎁 Microsoft Edge 89 has been released to the developer channel and I promise not to make any ‘edge’ jokes. I’m coming so close to doing it but I won’t do it. It’s really hard not to though.

🎁 Try-Convert 0.7.160902 Preview has been released this project “tries” to convert .NET Framework projects to .NET Core. This is also a Microsoft based project that for once has no support from Microsoft whatsoever. I consider this an especially good omen.

🌐 Dave A Brock talks about the “Route-To-Code” feature available in ASP.NET MVC Core on .NET 5. One day MVC will figure out what sort of framework it wants to be when it grows up. For my part; I’d be happy with as few files with code in them as possible. That’s all I want out of an MVC framework, to make it dead-ass simple to produce a crud web-app. That’s it. Maybe call it… C# on Rails?

πŸ“ There’s a blogpost from Microsoft detailing what’s new in Windows Forms in .NET 5, and if you think about it, Windows Forms is lucky to be included in .NET 5. Don’t get me wrong, I’m glad it is, but it could have just as easily received the WebForms treatment in .NET 5. It probably would have, too, if Microsoft’s desktop application strategy wasn’t so schizophrenic.

πŸ“ .NET development on Apple’s M1 Silicon is mostly there. With the exception of Docker working (which is a pretty big stumbling block to my own designs on picking up a new Macbook Pro) and some goofiness, it seems to… work, as long as you don’t want Debugger support.

🀼 There’s a working group assigned to address “eco-system growth for .NET” which means that they want to make the open source contributor eco-system for .NET Better. Claire Novotny mentions you too can participate but as of this release time, she hasn’t gotten back to me on how people would participate in this working group, or what type of participation would be most helpful.

πŸ“’ Windows 10 Insider Preview Build 21277 is now available Included is the ability to emulate x64 applications on ARM based Windows devices, like the Surface, lots of new emojis, and fixes you probably wouldn’t care about if they didn’t include new emojis in this release. Napolean Bonaparte once said “Man will fight to the death for a colored bit of cloth” and I think that’s a pretty good summation of our relationship to emojis in 2020.

🐦 Zac Bowden shows a screenshot purportedly to be of the new Microsoft Word UI it’s rounder, less cluttered, and still includes Icons people never use in prime real-estate space.

And lastly,

🎁 ReSharper 2020.3 has been released and it includes profiling analysis of .NET 5 applications and lots of other features that look cool but I can’t tell them apart by name, because naming is hard.

That’s what happened last week in .NET, I’m George Stocker, and when I’m not helping teams migrate to distributed systems (a bad idea for most), I’m working with teams to double their productivity through test driven development. That is much less boring than it sounds, and allows teams to focus on features without getting bogged down in regression bugs. It’s only boring until your boss realizes how much money it saves your company, and then it becomes cool. To learn more about how I can help your team save money and be cool again, reach out at https://www.doubleyourproductivity.io, and I’ll see you next week.

Last Week in .NET #21 – Remembering the women of Γ‰cole Polytechnique

Normally I’d start this out with some of the funnier things that happened; but before I dive into what happened last week, I want to talk about this week. Warning: death and violence follow.

Yesterday was the 31st anniversary of the Γ‰cole Polytechnique massacre. If you’re not familiar with this atrocity, let me quote Deb Chachra’s chilling telling of the event:

On December 6, 1989, in late afternoon a man had walked into the Γ‰cole Polytechnique, the engineering school of the University of Montreal, carrying a hunting rifle, ammunition, and a knife. He entered a mechanical engineering class of about sixty students, separated out the nine women, and told them, “I am fighting feminism.” One of the women, Nathalie Provost, responded, “Look, we are just women studying engineering, not necessarily feminists ready to march on the streets to shout we are against men, just students intent on leading a normal life.” She reports that his response was, “You’re women, you’re going to be engineers. You’re all a bunch of feminists. I hate feminists.”

He then opened fire on the women, killing six of them. Then he went from floor to floor in the building, targeting and shooting women.

Fourteen women were killed that day, twelve of them engineering students, one a nursing student, and one a university employee.

Here are their names: Anne St-Arneault, Geneviève Bergeron, Hélène Colgan, Nathalie Crotea, Barbara Daigneault, Anne-Marie Edward, Maud Haviernick, Barbara Klueznick, Maryse Laganière, Maryse Leclair, Anne-Marie Lemay, Sonia Pelletier, Michèle Richard, and Annie Turcotte. You can hear more about these women here.

An additional thirteen people were injured. Nathalie Provost was shot four times, but survived. In the weeks, months, and years that followed, among other responses, Canada implemented stricter gun-control regulations, and began to observe December 6th as a National Day of Remembrance and Action on Violence Against Women. The event remains the worst mass murder in Canadian history.

Our industry has problems with sexism, whether latent or outright. While we hope never to have another atrocity like this one; we should strive for equality and justice in our industry. As a white dude in tech, I’ll do everything I can; and I ask you to do the same. If you’ve never had to fear for your life just because you wanted to be an engineer, then you too need to stand up and help stop the sexism in our industry.

Now, on to what happened last week in the world of .NET.

😁 Christina Warren (@film_girl on twitter) submitted a feature request for Windows Terminal to include a “Stories” feature. It was closed far too quickly, in my option, and we all know how hard it is for Microsoft to design a terminal. This would be a nice way to include video tips about the terminal in the terminal itself. What could go wrong?

πŸ“ If you’re the type of developer that has a need to monitor the Garbage Collector, you should read about the newly updated in .NET 5 GC.GetGCMemoryInfo API from Maoni Stephens. We’re all in the boat where we don’t want to deal with the Garbage Collector until we need to deal with the garbage collector, so read this post, and save it for a rainy day.

πŸ“ Code-Maze continues their blazor series with a post on one-way and two-way binding in blazor applications. I maintain that two-way binding is evil and should be avoided at all costs. Think I’m wrong? Yell at me on Twitter @gortok.

πŸ“ How to Unit Test in Entity Framework Core 5 by Michal Bialecki. My preferred answer is: “Don’t unit test persistence”. Thank you for coming to my TED Talk.

πŸŽ₯ The Visual Studio team livecasted a Remote office Hours talking about the future architectural changes being made to Visual Studio Visual Studio is older than most college seniors these days, and it’s spectacular to see it still alive and kicking. It is probably the best in class IDE I’ve ever used, and probably the nicest product Microsoft has ever developed for a technical audience.

πŸ†• MVVM Toolkit PReview 3 has been released. Deeper dive into this is that Michael, the author of this blog post, deep dives into the API. I’m not quite sure what the MVVM Toolkit is for; it looks like some sort of platform-independent MVVM library. Special thanks to Dee Dee Walsh, @ddskier on twitter for the link.

πŸ‘ There’s an open feature request to get IDE support for Preprocessor symbols. YES. PLEASE. That is far better than the current state of: “What did we name that IFDEF? I don’t know. Guess I’ll just guess and have a timebomb waiting to blow up in my face.”

πŸ”Š Paul Sheriff talks about what’s new in .NET 5 on the Azure DevOps podcast. I checked, and they did start this podcast after TFS was renamed to Azure DevOps. I hope they’re comfortable with change because the name “Azure DevOps” reminds me of 70s disco. It’s cute but it’s gonna get old fast.

πŸ“ Khalid Abuhakmeh talks about Module Initialization in C# 9. If, like me, you have no idea what this is, you can probably skip it. But if your team bandies about “Secure coding” and “Threat Model” as terms of art, you may want to read this post. Basically it gives you a way of loading environment variables or code before your your code gets run.

πŸ§ͺ Microsoft is testing Windows Feature Experiance Pack updates with Windows Insiders. The Windows Feature Experience Pack, so named because Microsoft’s Marketing department has a minimum character limit quota; includes improvements to windows. In this case, an updated Snipping tool, text input panel, and a suggestion feature for the windows shell. According to this article, Microsoft wants to make future improvements to the…. Feature experience (Sorry not sorry) available through this… pack. If you are A Windows Insider, let me know how you like these updates.

πŸ“° Microsoft Teams adds support for answering calls via Apple Carplay, transferring calls between mobile and desktop, and adding call recordings to onedrive. Oh for fucks sake. Instead of someone saying “You know what? Enough is enough. This “Work from anywhere while you’re doing anything is nucking futz and we aren’t going to do it any more. The eight-hour workday is hereby abolished for a four-hour workday that you’ll actually be able to make it through and still get things done. I’ve never seen technology workers productive for an entire 8 hour day; and it’s about time we stop pretending that they will be.

πŸŽ₯ The .NET team hosts a community standup talking about LLBLGen. I have to be completely transparent here: I forgot LLBLGen existed. After Entity Framework came out, it sort of sucked the oxygen out of the room for ORMs in .NET. Which, I guess, was the point.

πŸŽ₯ Abel Wang, the Principal Cloud Advocate and DevOps lead talks about the history of DevOps at Microsoft. You can tell it’s Microsoft because of the heading: “Microsoft’s Enterprise DevOps Transformation Story”. It details how they went from a waterfall-esque organization to a waterfall organization on github. I’m kidding. They’re agile and they do devops now, and I’ve reached my monthly quota for saying the word “DevOps”.

πŸ’© Garter named Microsoft a “Leader” in the 2020 Magic Quadrant for Cloud DBMS platforms. “Leader” here means “Behind Amazon in Vision and execution, and behind Google and Oricle in vision, but beating them on Execution”. Or, they’re #2 in the space for execution, and #5 in the space for Vision, behind… IBM.

πŸ“ Jaana Dogan talks about things she wished more developers knew about Databases. Please tattoo these items to your architect’s forehead in reverse so he can see them every time he proposes a new architecture in the mirror.

πŸ“ Infoq details the performance improvements made in .NET 5 You’ve probably seen other writeups, but you haven’t seen this one. Short and concise, it’s worth your time.

πŸ“ InfoQ details ASP.NET Core Improvements in .NET 5 Did I say I love the InfoQ concise format?

🐦 Zac Bowden claims that Microsoft is hoping to sign off on an “RTM” build of Windows 10X sometime [this] week. Windows 10X is the OS for hot-shit Developers. I’ll be here all week. Try the veal.

πŸŽ₯ The Xamarin team released a MAUI update. MAUI is the ‘Multi-platform User-Interface’ project meant to unify all of the different UI frameworks into a common framework. The tag line for MAUI is “the next generation of Xamarin.Forms to build Cross-platform mobile and desktop Apps”, and I couldn’t have said that better myself.

πŸ“ Derek Comartin talks about Idempotent Consumers in distributed messaging architectures. One of the most crucial part about developing a messaging or event driven architecture is getting the consumption of messages right. Idempotent messages and enforcing idempotency in your system will make it much easier to reason about problems that will inevitably occur because you chose a distributed messaging architecture.

πŸŽ₯ David Wengier is building a game in .NET and has videos to bring you along for the ride. I missed Episodes 1-57, but I’m going to add this to my binge list.

πŸ› Don’t put the word ‘Android’ in your Xamarin App Namespace Apparently that can lead your application not building and you generally having a very bad day. Thanks to James Montemagno for having that bad day and then blogging about it so we wouldn’t.

πŸ’” Kubernetes is removing Docker from version 1.20. TL;DR: Docker the program has several ‘sensible’ defaults that Kubernetes does not want or need; and while docker containers will continue to work just fine, Docker the program will not work with Kubernetes.

πŸ“ How to use OpenAPI Auto-generated clients in ASP.NET Core Another one for the microservices crowds, but still pretty awesome. The tooling has come a long way since 2016, and at this rate by 2022 Microservices will be a viable development paradigm.

And finally,

πŸ“ There’s a recommended way to run EF Core Migrations in Azure DevOps and this blog post tells you how. Since I neither run Entity Framework Core nor Azure DevOps, I can’t be held responsible if this is considered ‘bad intel’.

And that’s what happened last week. I’m George Stocker, and I help teams double their productivity through test driven development because TDD helps you focus on what you’re doing, and not on the hellscape that is 2020. To find out more about how I can help you and your team, visit www.doubleyourproductivity.io, and I’ll see you next week.