[Last Week in .NET #60]- Sourcing Your Packages

📣.NET Core 3.1.19 has been released Big news here is that Alpine 3.14 and Debian 11 “bullseye” are now supported. If you ever want to containerize your .NET applications, you’ll want to use Alpine if image size is a factor. Very small images. Very nice.

Something else that came across my radar while purusing these release notes is that “Arcade” is a thing. And it has nothing to do with gaming. Or adult stores (sorry, not sorry). Apparently it’s common build tooling for .NET Foundation projects. Now this project has probably been around with this name for years, but this is the first I’m seeing news about it.

📣.NET 5.0.10 has been released and it contains support for these docker images as well. It also has a few bug fixes in it. And in what is a break with tradition, no security fixes either.

📣Announcing .NET 6 Release Candidate 1. This is a “Go Live” release, meaning it’s supported for production workloads. There are lots of goodies in here, from JITing improvements in the form of PGO and crossgen2, to Source Builds, to W^X, to HTTP/3 (why are we skipping HTTP/2? Hit reply and let me know), and more. This isn’t ‘user facing’, but it will make your applications more secure and faster.

✅ The .NET Foundation elections are underway and they look a lot less diverse than I was hoping. I don’t run because we don’t need the opinion of yet another white dude; and also because it would be foolish to elect me as my entire platform would be to grow an ecosystem that competes with Microsoft’s first-party offerings and get OSS people paid, and that would be seem to be at odds with the purpose of the .NET Foundation.

5️⃣Nick Chapsas: 5 open source .NET projects that deserve more attention. The five? NBomber, CSharpRepl, Verify, FluentDocker, Cupboard. If you want to know what these do, watch the video.

📉Stack Overflow shows large drop in memory usage and increase in performance by upgrading from .NET 4.6.2 to .NET 5.0. Yaaas. Oh, and I’m sorry Webforms folks, you’re stuck on .NET 4.8.

🛠 Make Microsoft Edge Dev Tools Your Own I will say, for the record, I am not a fan of the consolidation of browsers around Chrome’s rendering engine. That said, however, Edge sucks a lot less since they moved to a version of Chromium. Anyway, this blog post tells you how to customize Edge Dev Tools; which for historical reasons I’ve never touched. I’ve been too scarred by Internet Explorer. I guess I’ll have to give this a try now.

🤖 Microsoft to let users completely remove account passwords and go passwordless We are about 10 years away from implanting security keys into our bodies. I’m not here for that.

🛑Use Azure Portal to create private link for managing Azure resources to which I am wondering: this didn’t already exist? Most of my experience is in AWS, and admittedly they’ve spoiled me; but I feel like this was in AWS years ago.

🗺Introducing Package Source Mapping. The big news here is that you can specify where packages should be pulled from — individually. No more “Try these in descending order, if you find it here, get it, if you don’t, try this one, and so on, and so on”. The stated reason is to avoid supply chain attacks; which would have been a stop-gap for the Solarwinds supply chain attack, but if I remember correctly they did patch an internal DLL anyway, sooo.

🙈TravisCI exposes environment variables to everyone; half-asses their security response. If you use Travis CI (unlikely but possible), find another CI Vendor. Today.

And that’s it for what happened Last Week in .NET. For once Microsoft was not the main character for the security-fuck-up-of-the-week.

Leave a Reply