Moq adds nagware; Where’s the .NET Foundation in all this?

Moq is a mocking library for .NET unit testing (cue the TDD folks reminding us mocks are unnecessary), and it is by far the most widely used mocking library in .NET (475 million downloads vs 87 million for the next largest, NSubstitute). Yesterday, its author released version 4.20.1, which added nagware and a backdoor to Moq, in a bid to drive up paid usage of Moq through ‘Sponsorships’.

This had the predictable result of enraging folks that use Moq, and the change was subsequently removed in version 4.20.2 (released a few hours ago as of this writing), ostensibly because it broke macOS restore. The author of Moq wants discussion on the topic of sponsorship under GitHub issue #1374.

I’ll get the tactical analysis out of the way first by way of these three points:

  1. This was (unintentionally) a backdoor for supply-chain attacks. The project linked to an obfuscated DLL that provided two functions: a) retrieving its settings from a third-party server, and b) spawning a git process and sending hashed git email addresses to that same server.
  2. This is also nagware. A message popped up in the build window if the person wasn’t a supporter (determined by checking hashed email addresses found locally against what’s on the server), to tell them to sponsor the project.
  3. This action by the maintainer is a cry for help. They have 475 million downloads, and their work on Moq can’t support them financially. This is a cruel and unjust world where giving away software that supports Fortune 50 companies would result in poverty if they didn’t keep their full-time job. They get to choose between maintaining Moq, or seeing their family.

For the security-minded among us, there are any number of ways for this to be exploited, from DNS-based attacks, to code vulnerabilities in the DLL itself, to simply waiting for that domain to expire and taking it over, to any number of attacks that an enterprising malware author would find. This is a textbook opening for a supply-chain attack.
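The first question a team should be asking after reading the above is whether the affected release is already pinned somewhere in their build. The following audit script is an added example of mine, not code from this post or from the Moq project: it walks a source tree, parses every `.csproj`/`.fsproj`/`.vbproj` and `Directory.Packages.props` it finds, and reports Moq references that pin 4.20.1 (the version this post names) or use a floating version that a restore could silently resolve to it. The sample project files it creates are constructed for the demo.

```python
"""Audit .NET project files for the Moq release described above.

Added example, not from the post or the Moq project. Reports every Moq
reference as 'affected' (the version the post names), 'floating' (a
wildcard or NuGet range, which only a restore can resolve) or 'ok'.
"""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Version the post names as carrying the nag/telemetry dependency.
AFFECTED_VERSIONS = {"4.20.1"}
PACKAGE = "Moq"
PROJECT_FILES = re.compile(r"(\.csproj|\.fsproj|\.vbproj|Directory\.Packages\.props)$")


def classify(version):
    """Return 'affected', 'floating', or 'ok' for one Version value."""
    if not version or "*" in version or version.startswith(("[", "(")):
        # Wildcards and range syntax are resolved at restore time; the
        # project file alone cannot tell you which build you will get.
        return "floating"
    return "affected" if version in AFFECTED_VERSIONS else "ok"


def package_refs(path):
    """Yield (package, version) from PackageReference / PackageVersion items."""
    for elem in ET.parse(path).iter():
        tag = elem.tag.rsplit("}", 1)[-1]  # tolerate xmlns on old-style csproj
        if tag not in ("PackageReference", "PackageVersion"):
            continue
        name = elem.get("Include") or elem.get("Update")
        version = elem.get("Version")
        if version is None:  # <Version> child element form
            for child in elem:
                if child.tag.rsplit("}", 1)[-1] == "Version" and child.text:
                    version = child.text.strip()
        if name:
            yield name, version


def audit(root):
    """Walk root; return [(relative file, version, status)] for Moq refs."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not PROJECT_FILES.search(name):
                continue
            path = os.path.join(dirpath, name)
            for pkg, version in package_refs(path):
                if pkg.lower() == PACKAGE.lower():
                    rel = os.path.relpath(path, root).replace(os.sep, "/")
                    findings.append((rel, version, classify(version)))
    return sorted(findings)


# Constructed sample tree: one pinned to the named release, one older
# pin, and a central-package-management file with a floating version.
SAMPLE_FILES = {
    "tests/Unit.csproj": '<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>'
    '<PackageReference Include="Moq" Version="4.20.1" /></ItemGroup></Project>',
    "tests/Old.csproj": '<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>'
    '<PackageReference Include="Moq"><Version>4.18.4</Version></PackageReference>'
    "</ItemGroup></Project>",
    "Directory.Packages.props": "<Project><ItemGroup>"
    '<PackageVersion Include="Moq" Version="4.*" /></ItemGroup></Project>',
}


def demo():
    """Write the constructed samples to a temp dir and audit them."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE_FILES.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return audit(root)


if __name__ == "__main__":
    for rel, version, status in demo():
        print(f"{status:9} {rel}: Moq {version}")
```

Point `audit()` at a real checkout to use it; a 'floating' result means you must inspect the restore output (or a lock file) rather than the project file to know which Moq build you actually get.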

There’s also a betrayal of the social contract involved with OSS software: You don’t rely on closed-source software as a necessary part of ensuring your software does what it says it does, and you don’t surprise the folks that depend on your work.

This is also one of those character-building opportunities for the author and an object lesson to everyone else in the .NET OSS community on what not to do. But more so an object lesson for us that .NET open source is not sustainable. Popular projects become force multipliers for Fortune 50 companies that would otherwise have to spend hundreds of thousands of dollars in salaries recreating the functionality, or spending tens of thousands of dollars on licenses to buy software that does what OSS provides for free.

I won’t spend too much more time on the tactical part because there’s a much more interesting strategic problem sitting here waiting to be dined on: The .NET Foundation and .NET Open Source Software.

I wrote a while back about the .NET Foundation’s fundamental problem, and if the Discussions tab is any indication, the .NET Foundation as a community is dead. 4 discussions in 2022, and 4 in 2023 is not a healthy community. Also, all but one committee stopped meeting (wg-projects, wg-maintainers, wg-marketing, wg-membership, wg-corporate-relations, wg-education have all stopped meeting/posting their minutes/updating agendas) — the wg-outreach team is the only committee to have met recently.

Update: Glenn Watson, .NET Foundation Board Member, had the following response to the above:


Committees are meeting regularly. The thing is I went hunting for meeting details. If I wasn’t getting invites by the foundation I wouldn’t know the times and where and how to join. Something I need to fix. Also we hire a company at the moment to take notes and minutes and I need to discover where that is going. I will get back to you on this one too.

With that update down, back to the original post:

Ok, great, George, so an OSS project is feeling the pressure of producing software for free, and the .NET Foundation has about as much activity as your blog, how does this all connect? Allow me to quote from the .NET Foundation’s own front page:

The .NET Foundation is an independent, non-profit organization established to support an innovative, commercially friendly, open-source ecosystem around the .NET platform.

It appears the problem of supporting an innovative, commercially friendly, open-source ecosystem around the .NET platform is right up their alley. Literally. Now, I have my concerns with the way they wrote commercially friendly, and there’s been no clarification since that blog post of their intentions, so at this point that part is an open question: Who does the .NET Foundation want software to be made commercially friendly for? Is it for maintainers? Is it for Microsoft? Is it for other large companies? Who is the beneficiary of the .NET Foundation’s work? Who does it serve?

The .NET Foundation should be all over the open-source commercial viability problem. We should see leadership from them not only on this Moq issue, but on the state of open-source in .NET. Maintainers aren’t business folks, and they don’t know how to turn something that has 475 million downloads into a viable business, and yet every enterprise that uses .NET more than likely uses Moq. Heck, even the streaming music industry pays better than .NET Open source. If the foundation is foundering, and looking for problems to solve, the viability of open-source is right up there, waiting to be tackled.

The .NET Foundation should be that interest group for open source, enacting policies and frameworks to help OSS maintainers get paid, to build the foundation for what it means to be sustainable for open source. There’s no question: open source software has to change, and money has to come into the equation. In one possible future, projects join the .NET Foundation, and their maintainers are paid by the .NET Foundation, while corporate members pay thousands to tens of thousands in dues every year in return for support and commercial licenses to use .NET Foundation projects. Dual licenses, and an interest group sitting in between that handles the payment backbone of OSS, is a possible path forward, but it’s going to take someone like Microsoft leading the way. Do they have that leadership potential in them? Only time will tell. For our part, we should continue to remind the .NET Foundation as to why they exist, and use our soapboxes to get them to take action on this pressing issue. We won’t have open-source viability until we fix the sustainability issue.

Think ‘experiment’ instead of ‘project’

I ranted a little bit yesterday on killing the word ‘project’, and I was asked, “well, what should we use instead?”

Great question, I would love to tell you.

Projects give off an aura of “beginning, middle, and end”. At some point, this thing will be done. And that’s not true in software. There may be a point where we don’t use it any more (we ‘kill’ it), or it may fail at its purpose, but as long as we’re using it, it’s not done. It’s going to need security updates, framework updates, and at the very least bug fixes.

And so calling software a “project” is a bit like having a kid and calling it an accessory to your lifestyle.

Instead, software that isn’t meant to be a ‘product’ (that is, have the understanding going into it that there will be long term support and a budget) should be called an experiment. Because it is.

We’re not naive enough to believe this IT Modernization project (see, I just did it!) will succeed because we spent millions of dollars and tens of thousands of person-hours on it. It’s an experiment. It’s an experiment because Sue in Accounting, who has been here for the last 25 years, basically runs your entire payroll infrastructure even though her title is “Sue in Accounting”. Your modernization project will fail if Sue in Accounting isn’t happy, regardless of how you dress up the project. So it’s not a project; it does not have a beginning, middle, or end. It has a beginning, Oh-god-I-hope-we-win-Sue-over, and then support. And if you don’t win Sue in Accounting over, you’re going to have a bad day.

So call it an experiment, and don’t let anyone lie to you about the real nature of software: it only succeeds if we successfully sell it to the people who are going to use it.

This post originally appeared in my daily email list on January 13, 2023. I publish emails daily, and put them here when I remember to. If you want to stay up to date, join my mailing list. Details below.

Can we kill the word ‘project’ please?

One of the things I do in the realm of strategic architecture is help companies migrate their legacy systems. This can be referred to as ‘modernization’, and generally it means rewriting the application in a new stack that may get developers psyched to go to work again.

The current fad is to move .NET Framework to .NET Core/6+, and to migrate away from MVC/Webforms to a JavaScript SPA based front end. Now, there are several questionable decisions here; but I’m not going to focus on those (like that you should only use a SPA if your application needs to be a SPA. Most don’t. Especially, especially Line of Business applications). The questionable decision I want to focus on is the idea that this is a project.

As I said, these are typically termed as ‘projects’, which is detrimental to everyone involved; from the executive who got approval for this to the developers who will spend the next few years of their life on this ultimately doomed project.

There’s lots to say on this topic; but I want to focus on two parts:

1. Software is a project only if it never needs upkeep. That’s never true. Projects have a beginning, middle, and end. Software never ends. As long as that software exists, you must either pay to keep it running or you must pay to kill it. If you simply leave it alone and do nothing to invest in it strategically (or hell, tactically) the cost will be more expensive than you can ever imagine. For instance: you build a home-grown search application, and that sees use. Well, as that system sees more use (and it’s in ‘maintenance mode’ because we did it, we shipped the project!) the design of that system is stressed; or an unforeseen bug comes to the surface. It doesn’t matter. Eventually that system’s usage will exceed its design, and years of neglect or leaving it in maintenance mode will come back to bite you.

As long as a system has users it is a living organism that needs to be fed, watered, and cared for, as often as you would your own pets.

2. You can both reduce the impact of a ‘modernization’ effort and keep the longevity of your working system going while you have time to rebuild it by instituting an event-driven architecture. In short, introduce events and queues into your present working system; let the system work as normal with those new primitives added in, and have your new system also act on those primitives; whether it’s storing the data from it or introducing new processing or replacing existing processing the old system does. The goal of a modernization shouldn’t be to turn the old system off, it should be that neglecting the old system no longer results in problems for your users.

Until next time,

George

This post originally appeared on my mailing list, if you want to get my emails as they’re sent, you’ll want to sign up for my mailing list below.

[Last Week in .NET #106] – A penny for your tweetise

I would like .NET Development (Desktop, API, and Web) to be as easy as it is to launch a web application with Django or Rails. I would love for a productive .NET ecosystem that rewards non-Microsoft based products. We get to dive into a little bit of why those things are impossible right now, let’s get to it.

Did you know there’s a roadmap for WPF? They cover Winforms too, in a “The decor says 90s but we can’t bear tearing down the house” sort of way. 🗺


How to build a cloud native application with AWS and .NET is one of the talks at JetBrains’ .NET Days Online on October 26th, 2022. I appreciate the realization that, with the market share disparity between AWS and Azure, they’re not trying to make Fetch happen here. 🐕


Announcing Windows 11 Insider Preview Build 25227 This preview build includes changes to the Widgets location as Microsoft’s Windows product team tries to find the least terrible location for something that there is mixed data, at best, that people actually use. 🗺


Microsoft blames security researcher for publicizing data breach, says it’s overstated and refuses to answer questions about the breadth of the breach in its support tickets I appreciate Corey Quinn’s take on this, and overall it’s embarrassing to see this sort of response from Microsoft and most certainly an unforced error on their part. If you leave an API endpoint open and people take the data, you’re the problem, not anyone else. 🐑 🐟


Cory Doctorow writes a treatise (or a tweetise, or a twitter thread if you’re boring) on the problems with Tech today. Shorter Doctorow: It no longer seeks to make our lives better; it has the same problems as American Capitalism: Scale and eyeballs over function and humanity. 💸


The Azure DevOps podcast talks about the Windows SDK. I don’t think this podcast was originally named the Team Foundation Server podcast; but I’m willing to be wrong. Interestingly this does not look like a Microsoft property; I’m somewhat surprised the podcast host hasn’t been hit with a trademark infringement cease and desist letter. 🪟


Hillel Wayne shares the most controversial opinion he holds regarding software quality: Get a Good Night’s Sleep. At the tender age of 40 I spent all weekend volunteering from before dawn to dusk both days and am absolutely dragging even two days later. Sleep is super important (no shit, right?) 😴


As you read this, .NET Days Online is tomorrow. Better that than .NET Daze Online, amirite? Ok, that was a terrible joke. They can’t all be winners. 🎈


And that’s it for what happened Last Week in .NET.

[Last Week in .NET #105] – A tale of two CVEs

Releases, CVEs, and a look into The Last Of Us’s Breathing System as a programming marvel. Let’s get into it.

.NET Core 3.1.30, .NET 6.0.10 and .NET 7 RC 2 are out. On the .NET 3.1 and .NET 6 side, they’re patching a privilege escalation CVE (CVE-2022-41032); interestingly enough, this also affects NuGet. As security releases too often are, this one is mum on the details, because there’s no way that showing users how vulnerabilities work is a good thing. It’s best if that’s kept to as few eyes as possible, because if people were to be educated, what would happen? Chaos. They also list a CVE fix for .NET 7 RC 2, but they don’t list the same CVE, even though they copied and pasted the text from one release announcement to the other. Apparently the CVE fixed in .NET 7 RC 2 is CVE-2022-38013 (though again, I wonder if that isn’t a transposition error). 🏴


The Breathing System in The Last of Us shows off how programming is (as Jeff Atwood put it) getting millions of tiny details right. You never think of breathing as being complicated; after all, you’re doing it right now. But try to program it, and suddenly a whole bunch of little details have to be figured out. This is a great thread showing the wonder of modern game programming. Don’t forget part 2. ✌


Marten and Friends Hopefully Big Future So Marten is a document DB built on top of PostgreSQL, and Jasper (now rebranded as Wolverine) is a message bus for .NET. Long story short: they’re working on commercializing and improving the story behind .NET CQRS/Event Sourcing/Distributed Frameworks, and I’m here for it. On the one side you have the extremely buttoned-up and corporate Orleans or Dapr, and on the other hand you have the people who make this a non-monolithic ecosystem. 🚧


With the new .NET 7 RC 2 release there were updates to ASP.NET Core including caching improvements and authentication diagnostics with Blazor and WebAssembly. 🆕


Terminal.Gui made the front page of the Orange Site, and it’s nice to see C# get some love. Special thanks to @ckindel for the mention. 👏


And finally, Jeremy Sinclair has a twitter thread on source-generated Regex improvements (that’s a lot to type) in .NET 7 that is worth your time to read. Do you want to make Regexes fast? Now you only have two problems. (Also, it’s pronounced regex, not regex). 🤷‍♀️


And that’s it for what I found last week in .NET. If you like internet shout-outs or sharing your favorite .NET (or let’s be real, Microsoft) content, send it my way @gortok on twitter, or if you’re getting this through email, hit reply. See you next week.

[Last Week in .NET #104] – Roast Beef CVEs

Roasts, Beefs, and CVEs. Let’s get into it.

Microsoft discontinued its iOS keyboard SwiftKey I would trade you a Microsoft Outlook and 4 Microsoft Teams for SwiftKey coming back. Microsoft needs a product arm of the company that isn’t affected by the whole 1990s-era synergy play that infects every action they take. Every time someone claims that Microsoft is a product company, in between fits of laughter I just want to point at things like this. To be fair, Microsoft is a product company, insofar as it sells things that CIOs want. The only reason the games division at Microsoft is largely unaffected by this is that they haven’t figured out how to get the games folks in their synergy plays. 🎹


Preview channel release notes for the Windows App SDK (Version 1.2 Preview 2 (1.2.0-preview2) is available) I go back and forth between letting the subject write the title and choosing my own, and because I need something to smile at, I let the subject write the headline. The big news here is that Microsoft is dumping VS 2019 faster than they dumped customer feedback. It’s 2022 and if you aren’t on VS 2022, you’re screwed. 🔩


For Delightful Code Reviews, say Nice Things Who’s a good code review? Who is it? I would say to say “kind” things, not “nice” things, but I’ve never been accused of being nice. 🐶


What we can learn from the sad tale of Java.util.date A little bit of programmer wisdom and schadenfreude all rolled into a single blog post. 🎻


A list of phrases you may not utter in New Zealand’s parliament Take notes, there are some good ones here. Like “energy of a tired snail returning home from a funeral”. 💀


What the Hacker News Crowd wants Stack Overflow’s Architecture to look like vs what it actually looks like I am glad they called out the problems with having an in-process Job scheduler. And this may look different if you have lots of data-ingestion sources; but they don’t, and overall, it’s a picture of sanity. 🧱


Rachel Appel’s Annotated .NET Monthly for October is out It includes some sponsored content by Jetbrains (The company Rachel works for) which is to be expected. Still a good read. 📚


Hundreds of Microsoft SQL Server Systems backdoored with new malware It’s called Maggie and it uses extended stored procedure DLLs to do its magic. Of course you wouldn’t have this enabled, because your IT organization is forward thinking and doesn’t leave decades-old technology open, right? Right? ☎️


The NSA, CISA, and the FBI have published a joint advisory on Thursday with a list of the top 20 vulnerabilities exploited by Chinese state-sponsored threat groups. Not to be left out, Microsoft owns 4 of the top 19 spots, with Exchange making up all of the Microsoft CVEs. Please don’t run Exchange on-premises at this point. Embrace Azure, embrace blaming Azure. 🌨


Making laminated puff pastry is an example of chaotic behavior in a dynamic system I am here for chaotic good croissants. (h/t to Deb Chachra on Twitter) 🥐


A once hopeful soul shares his thoughts on System.Text.Json vs Newtonsoft.Json You know me, and you know if I have beefs, I’m going to share them. This is a beef. Microsoft knew they wanted to have built-in JSON support. They had a library that ostensibly had the widest support for anything .NET, ever. We’re talking a library being used in the PS4, and they didn’t port it over as is. Not the API, not buying out the library, nothing. “Oh well we have different design constraints” horseshit. No you don’t, you have a problem with taking the time to implement an API being used everywhere. This is as close to a de facto standard as we get, and you have NIH syndrome. If you wanted to make it the standard, you could have. But you chose not to. Even if the internals were different, the public API is what gets people from point A to point B, and I haven’t yet seen a good example of why Newtonsoft.Json’s public API couldn’t have been used. 🐄


Helix: A neovim inspired editor, written in Rust Because if someone’s using Rust they’re gonna tell you about it. 🤘


And that’s it for what happened Last Week in .NET. Reach out to me @gortok if you have something cool to share.

[Last Week in .NET #103] – .NET OS/12 Warp Speed

Yes, this is a day late. Luckily it’s free? (in all seriousness I beg your indulgence as our bathroom remodel is coming to its frenetic end).

TypeScript 4.9 beta is out. Yes it has new keywords and yes it has breaking changes. Those two things are pretty reliable in TypeScript land. I think the JavaScript disruption for disruption’s sake is a contagious virus. Of course, love is a virus, so maybe that’s not a bad thing? 🦟


[Microsoft Commerce’s .NET 6 Migration Journey](https://devblogs.microsoft.com/dotnet/microsoft-commerce-dotnet-6-journey/) This is a wonderful in-depth look at Microsoft’s move from .NET Framework to, ultimately, .NET 6. The TL;DR? Faster, less expensive (in terms of CPU, threads, memory) and, yeah, Linux comes out on top. One paragraph that bears repeating is on the “Windows Assumptions” their teams held previously:

As we moved services to .NET Core and then into Linux, we quickly found it important to remind teams that .NET Core and beyond does not mean that everything will “Work in Linux” out of the box. “Windows Assumptions” in your code can sneak in – or in your build, tooling, monitoring, troubleshooting, or other processes.

What are “Windows Assumptions”? These can be as simple as assumptions around folder slash direction (if not using Path.Combine), more complex such as relying on COM components, or even using an API which is only available on Windows. It also might be build process limitations, or tools that you use with your service that aren’t available. In all cases work is needed to identify these and replace these with platform-agnostic code where available. Testing your service end to end on multiple platforms early is key! 🥇


A video of an engineering team hearing the outlandish promises sales is making to customers for the first time. It’s funny because it’s true, and if you haven’t ever been in this situation as a developer, I envy you. 🌠


Use .NET from any JavaScript app in .NET 7 Look. I get it. JavaScript is cool. You want to be cool and say you use JavaScript too but in reality it’s just .NET with JavaScript imports. I beg you to reconsider. Remember UpdatePanels? This is like that, only less cool. (h/t to @ddskier). 🥵


A little bit of history in how “Protect Mode” got into Windows And ultimately why I’m not typing this from Microsoft’s OS/12 Warp Corporate Edition. 📔


Windows Fonts are what the Chrome is Made of and I couldn’t have been more confusing with that title if I tried; but read it, and I promise you’ll be rewarded. 🏆


And that’s it for what I found last week in .NET. If you find anything interesting, send it my way @gortok on twitter, or via email at george at georgestocker.com

[Last Week in .NET #102] – MAUIing Figma

Lies Developers tell themselves include, “I can get this done in a week, including testing”. Ouch. 🙈


Dev from Twitter remarks unironically that one of the perks of working at Twitter is being able to turn off Ads. @Carnage4Life notes that that exact mindset is why Microsoft continually fails at Products. Dev deletes tweet. 🙊


Javiar is working on integrating .NET MAUI with Figma This looks neat. 🧠


Do you want to build apps for Microsoft Teams? Garry teaches you how. 👯‍♂️


Microsoft is looking for a Junior PM but they refuse to use the word Junior. Why?🐣


Maarten Balliauw writes about how to create an ASP.NET Core Rate Limiting Middleware in .NET 7 I have a similar approach: make all of your web service resources singletons. (I may have done this with a spell-checker when I was a junior developer, with disastrous effects). 💥


And that’s all I found last week in .NET. I did get to go camping and avoid civilization for a few days, so I’ll chalk the lightness up to that.

[Last Week in .NET #101] – Remodeling dotnet

I don’t know if I told you this, but Khalid Abuhakmeh is on a mission to change the name from .NET to dotnet.

I get it. I do. .NET is hard to search for, people end up typing .net or dot net or dotnet anyway, so why not just make the name what the people type?

I can see their point of view. It’s not like the .NET name means anything anyway, I mean, heck, even Microsoft couldn’t explain it.

But ultimately, rebranding efforts are hard enough with a company good at (what amounts to) consumer marketing. And that’s an area of growth for Microsoft.

With that aside, let’s get into what happened Last Week in .NET.

There was a flurry of releases last week (speaking of, what do you call multiple releases? Is it a flurry?) with .NET 7.0 RC 1, [.NET 6.0.9](https://github.com/dotnet/core/blob/main/release-notes/6.0/6.0.9/6.0.9.md) and .NET 3.1.29 all getting version bumps. All of these releases address a CVE in the model binder under the CVE number CVE-2022-38013.

I give it about 2 years until Microsoft dumps version numbers entirely and moves to CalVer. This is simply an unsustainable pace of version numbers. 📅


Because we all need a little fun in our life; a joke design ended up making the N-Gage what it was. Also, if you’re of the demographic that doesn’t know the G-word in that article, I recommend… No, I strongly recommend… No, let me try again: DO NOT GOOGLE THAT WORD. There. I warned you. 🐐


The current work in progress to get Linux (?) controls working on MAUI. I want to believe. 🛸


The .NET foundation is removing its $100 membership fee. I’d rather they keep the $100 membership fee and act like an independent open source foundation instead of a mouthpiece for whatever antics Microsoft is up to in the .NET space. It’s not even subtle at this point. 💸


Entity Framework 7 RC 1 is out, and I’m glad they dropped the ‘core’ moniker because this isn’t just the essentials any more, this rivals the size of EF 6. 👣


Custom Dev Container Features for when you want to install development needs via Docker for VS Code. 🚢


Uber was hacked in part because the attacker told them he was hacking them and they thought it was a joke. I can’t add a punchline to that. 🙊


.NET 7 static AOT Initialization being demonstrated in drawing a circle, with … no code to compute the circle. I agree with Miguel on this one, that’s… impressive. 🤯


Geoff Huntley explains why it’s legally problematic to use VS code. I’m not saying I agree with the viewpoint, but I agree we need to look at these things more critically. 🤨


Sorry for the lateness on this one, I’m currently going through a surprise Bathroom Remodel.