[Last Week in .NET #96] – Light Guerilla Warfare

We’ve got a few new releases this week, some light corporate guerilla warfare at Github, and the third kind of lie, Statistics. Let’s get into it.

.NET 7 Preview 7 is out, and this will be the last Preview. The next release will be an “RC”. πŸ†•

.NET 6.0.8 has been released and it fixes CVE-2022-34716 a .NET Information disclosure vulnerability. πŸ†•

.NET 3.1.28 has been released and it fixes this same vulnerability. πŸ†•

Announcing .NET Framework 4.8.1 and the big thing they’re announcing are accessibility updates. If there’s more, it’s not being broadcast very loudly. πŸ†•

Kevin Jones (@vcsjones on twitter) continues his thread on new happenings in System.Security.Cryptography. I tried to punch up that sentence as much as possible, but writing about Cryptography can be as boring as it is important. Luckily Kevin makes it interesting. πŸ”

Microsoft Teams has 7x the Daily Active Users that Slack has. In completely unrelated news, Teams starts up automatically when Windows loads and there is no way on God’s Green Earth that affects the DAU count at all. Ok, so I lied. They are related. β™Š

Powerpoint now offers Dark Mode because we’ve completely lost the plot and do things because we can, and not because of their original meaning. πŸŒƒ

Kevlin Henney writes an article for O’Reilly on ML and Scaling False Peaks. It’s worth your time.πŸ”

Virtual Formatter in ReSharper 2022.2. I’ve read the blog post twice and I really don’t understand what this thing does. πŸ€·β€β™€οΈ

Visual Studio for Mac 17.3 is now available Lots of Goodies here, and I didn’t know the StringSyntaxAttribute was a thing but I think I’m going to use that going forward. 🍬

Nothing like a little light insurrection for a monday morning. Lucas Garron from Github shares a tweet warning that Github is changing their policy on non-essential cookies. Github used to have a policy of not tracking their users (the only used essential cookies) but now they’re making a switch and adding non-essential cookies to the list of cookies they ‘offer’. Frankly I’m surprised that Microsoft’s KPIs allowed them to even make it two years without reversing course, and I hope we see more of these corporate guerilla tactics. Of course for every action there is an equal and opposite reaction, and I’ll just leave that there for you to think about. 😐

The “Multi-Platform” part of MAUI has a giant asterisk, of course, and that is if you want Linux support, it’s gotta be supported by the community. Here’s where the “What’s good for the open-source platform is bad for Microsoft” tussle comes to a head. It’s great for open source to have Linux as a first class citizen, but that’s bad for Microsoft. 🐧

So if you know what %2f means in URL land, you’re gonna want to know about this change in behavior for Kestrel. I seemingly had to deal with this same sort of problem way back in the .NET 4.0 days and unfortunately never got it resolved. πŸ›

#OnDotNETLive talks about a new open source data processing framework for .NET. I love the smell of ETL in the morning. 🍡

Rider 2022.2 includes some new features for C# 11 and this reminds me I really ought to give Rider a try. Even with VS 2022 Resharper is still indispensible (especially vs. that weird AI/Intellisense thing Microsoft is trying out). ✨

Apparently Ready Player One was wrong about the first easter egg proving that if you want to get the right answer on the internet, just post the wrong one. πŸ₯š

And that’s it for what happened Last Week in .NET.

[Last Week in .NET #95] – Azure Honey is Free

We’re coming out of the summer haze slowly but surely, with the impending doom of school and the wonder of Autumn coming towards us here in the Northern Hemisphere.

Something that is near and dear to my heart (as I am currently working on refactoring code to pull out the exceptions as flow control and replace it with something that is a bit… saner is this talk on doing just that in ASP.NET 6. Don’t let the 6 part fool you, these are good examples whose pattern fits older .NET applications as well — but you don’t get a conference talk accepted if you talk about removing Exceptions as Flow Control in .NET Framework 4.8. 🚿

Microsoft has a rationale for disabling 3rd Party UEFI certificates by default and that rationale is indistinguishable from “we don’t want competition.” Don’t get pissy on me, there are lots of other explanations, but even simpler is that Microsoft doesn’t really see the independent PC market as a customer, and their solutions therefore ignore the independent PC market. πŸ‘¨β€πŸ’Ό

A New Linux Downtime podcast has dropped and this one talks about the Windows Subsystem for Linux (WSL) and spends some time saying “Microsoft has changed.” I’ll listen to the episode before I cast judgment, but see my above statement about ‘independent market’.πŸ‘›

Matt Warren has a talk up from NDC London 2022 about performance in the .NET Runtime. If you’re like me you watch this sort of stuff with pure fascination. ⏩

There’s a blog post out from Sadukie about Free Azure Services This “free” is not to be confused with a Van parked on your street with the words “Free Candy” spray-painted on the side. 🍬

XUnit v2.4.2 is released Go little rock star. 🌟

So it looks like someone is forking repositories on Github, adding malware, publishing those repositories on NPM, and hoping people download them. In other cases they’re hijacking accounts with commit rights and using those to push malware. Be careful out there folks. πŸ“›

In the “holy shit that’s cool how do I ever get Windows Terminal to be the default”, it looks like you can set WSL2 as your default shell in Windows Terminal. Ok, now can someone make a Winget package that just does all this for me? I’m getting too old to want to spend time customizing my terminal, sorry. πŸ§“

Winget package manager 1.3 is out I’m still salty about the AppGet Debacle though. πŸ“¦

If “Microsoft first” is your rallying cry when developing in .NET, here’s a blog post that tells you the best Microsoft technologies to use in your stack. If “Microsoft first” is not your rallying cry, we should be friends. 🀝

A visual aid to understanding why Queueing theory is a thing with cheeseburgers. If your WIP limit is the same size as your teamsize, you will run into this problem. Try halving it and see if that doesn’t get stuff out of WIP faster. πŸ”

Force HTTPs in your ASP.NET Core applications. I won’t even talk to my wife over HTTP. (If you’re reading this, honey, I love you and this is a joke, please don’t kill me). 🍯

And that’s all I found last week in .NET. If you’ve got something to share, hit me up on twitter @gortok, or via email at george at george stocker dot com all one word lowercase and no I am not using voice to text to do this newsletter

[Last Week in .NET #94] – The Summer of .NET

@foone on twitter takes you de-compiling Skifree in an epic twitter thread. If you’re bored at work (or work is just boring) give this a read, it’s worth it. β›·

Pluralsight Flow’s tries to quantify producitvity. Since we all know that’s a fool’s errand, there’s a twitter thread on what to use instead. 🌊

The 780th Military Intelligence Brigade (Cyber) links to a Microsoft Research paper about BlackCat. The research paper is actually interesting and linkable on its own but I’m not above making fun of the fact that in 2022, we still refer to the Internet as “Cyber”, and that there’s an Army Unit out there that are literally known as Cyber Warriors non-ironically. πŸ€–

Microsoft promises to be all-in on ARM Development. Contrary to their promises of UWP, WPF, XNA, and Linq2SQL, they’re going to keep it this time. And in all seriousness, ARM isn’t going away; and it’s the future, so I do believe they’re going to keep this promise. Still, if I’m wrong, [we can always reference this blog post about ARM Development on Windows](https://devblogs.microsoft.com/visualstudio/arm64-visual-studio/ as evidence. πŸ’ͺ

I get flak at times for being persistent in holding Microsoft to account. “If you don’t have something positive to say, don’t say anything at all” and all that. But, the lack of forthright discussion about Microsoft’s flaws is what got us into the mess where Azure’s Security team talks less than a cop under criminal investigation. If you think I’m being facetious, just remember that we still don’t have a full accounting of the ChaosDB incident, and the little they have said leaves a lot to be desired in the disclosure space. What concerns me is that this week’s newsletter is going to have more words in it than their supposed accounting of this incident.

What would solve this?

  • A deep dive into the technical part of how this was allowed to happen in the first place.
  • The extent of their security and logging practices that leaves them confident that this vulnerability didn’t go further than they say it did
  • Hiring someone who speaks like a frigging human when they write and doesn’t sound like they went to Harvard Law School, graduated with honors and then was accepted into the Washington State Bar, where they practiced and honed their craft of saying absolutely nothing that may have a detrimental effect on their legal liability or accidentally sound like they care about their customers.

Put simply, it appears to the outsiders that Microsoft’s Legal department has to OK all their communications, and their legal department airs on the side of extreme caution, to the point that it makes Microsoft seem less trustworthy because you know you’re not getting the full story.

Also, any time a company releases a blog post with the word “update” in it, the news is bad. βš–

David Fowler takes you through Microsoft Orleans; a project that seeks to make Distributed Computing look like Monolithic Computing. I love this dive, even if I’m on the fence about Orleans itself]. 🎷

Microsoft’s Windows Diagnostic Tool had a Vulnerability and a patch released for it, under the CVE categorization of CVE-2022-30190. 🩺

Barry Dorrans (he’s the Beans Guy) reminds you there are sometimes non-apparent reasons to update your .NET SDK, like a nuget publishing vulnerability being patched. πŸ†•

Scott Holden takes you through running .NET 7 ASP.NET Core Minimal APIs with top-level statements in a scratch container, with AOT enabled. It’s a beautiful thing, even if we’re still hoping for our killer app. πŸŒ‡

Microsoft Security Research Center’s Barry Dorrans (Again, he’s the beans guy) reminds us that it’s up to the Product Groups to do their jobs, and it’s not MSRC’s fault if the product groups don’t do their jobs (also, see above). πŸ™ˆ

Ory puts the “security” in enterprise cloud security, and apparently it’s easy to use. I raise awareness for this; not because I think Ory solves that problem (I honestly don’t know), but because until we get more eyeballs on these things, we won’t know what actually solves the problem. The problem? Enterprise Identity is still a mess. An unmitigated mess. πŸ”’

Incidentally, I stopped writing Last Week in .NET in part because I needed time to calm down about the issue of Microsoft once again retreating into closed source territory with .NET. You see, once you proclaim to the world that you love open source, you’re going to have a bad time any time you go against the open source world’s interpretation of that statement. Microsoft could have meant “We love to use Open Source, and we love that people think we’re in love with making our stuff open source”, and that is indistinguishable from their current actions.

For developer tooling, being Open Source is critical to having acceptance. Every single step that Microsoft takes in the other direction is a step that harms the already fragile .NET ecosystem.

As an aside, I had my suspicions about why Miguel De Icaza left Microsoft, and this tweet all but confirmed his reasons for leaving: Microsoft is reneging on its open source promises with the Debugger Licensing issues, Hot Reload, and now this.

Because words are free, I also gave my two cents on reasons for these issues at Microsoft in twitter thread form. πŸ€‘

Microsoft Terminal is now integrated with Visual Studio, increasing the number of shells that you can access in Visual Studio to 6. You’d think at some point they’d consolidate, but I’m guessing there are 6 different teams who would be very upset if that happened.

There’s the Package Manager Console, the Visual Studios Tools Command Prompt, the Command Window, the Developer Powershell Window, the Developer Command Prompt, and now the Terminal. There’s also the Immediate Window that is terminal-like. 6️⃣

In .NET 7, error messages are getting better. More of this please. βœ…

Cloudflare owns a wall full of LavaLamps that they use to generate randomness. The Computer industry holds up the lava lamp industry. πŸͺ”

SQL Server Management Studio 18.12.1 has been released Honestly SQL Server Management Studio should have been folded into Visual Studio a long time ago. Let’s just go ahead and do that and not pretend they’re different SKUs. πŸ‘¬

Rick Sthrahl takes you through how to render ASP.NET Core Razor Views to string. 🧡

There’s an ACL visualizer for Active Directory that looks pretty interesting. I’m not in this part of Windows, but if you are, give it a try and let me know how you like it? πŸ’β€β™€οΈ

.NET Conf “Focus on MAUI” is August 9th. 🌴

Finding some middle-ground between Old School .NET Framework apps and Self Contained Deployments. I hope this gets legs. 🦡🦡

Dave Glick wrote a piece for Twilio on Razor Templating. If you know Dave Glick you know it’s good, and if you don’t know Dave Glick you should read it anyway. He’s also the guy behind Wyam. πŸ‘

Speaking of Microsoft breaking promises, OneNote’s web version is getting updates, but not their UWP version. Update it or Sunset it… Or Merge it?πŸ€·β€β™€οΈ

Switching Git Branches in Visual Studio is getting faster, which is welcome (although being the old that I am I’ll probably always stick to the git-bash command line because you really can’t get faster on Windows than a linux based shell. Don’t believe me? Try to delete your bin and obj folders in Explorer or using cmd.exe vs an rm -rf in git bash). 🌲

No, C# is not dying, but no language lives forever. Perl would like a word. 😐

And that’s mostly it for what happened since the last time I published Last Week in .NET. I am rethinking whether to continue this newsletter, if I’m being honest. There are plenty of .NET link dropping newsletters, and while I like to think I’m offering something different, if it’s not what people want then I should spend my time doing something else. How can I prove this is what people want? More newsletter subscribers. So use the share URL at the bottom, and let your .NET Team know on slack that this is around. If they like it and I get subscribers, that’s a sign I should keep doing it.

The Green Boxes of Burnout

I was doomscrolling through twitter when I noticed Github was trending. While checking out why it was trending I noticed this tweet:

And, nothing against Eddie, but my entire being cringed at that image. It shows (on an otherwise entirely shades of green image) 5 days out 77 days as time where Eddie didn’t make a single ‘contribution’ on Github. No commits, not wiki edits, no issues, nothing. For 5 days, out of 77, and he claimed this is the time needed to recharge and come back stronger.

Let’s pump the hustle brakes for a moment.


Source image from original tweet. Mirrored in case the tweet is deleted.

All else being equal, in 77 days, we can roughly expect there to be 23 non-working days (including holidays, on average), so if we just kept to the capitalist maxim of ‘putting in 40’, you should see 18 more grey days than exist on that image.

Even if Eddie followed the Protestant work ethic and worked every day but Sunday, you still should see ~10 grey blocks on that image.

But instead, what we see is that absent a few days (not even consecutive), Eddie went full tilt. I tried visiting his github profile to see if I could match it up, but none of the years of contributions matched the image, and incidentally it’s not relevant to my larger point, which isn’t about Eddie.

It’s about us and about the myths we cling to as reality.

Writing Code isn’t valuable. Writing Lots of code less so.

Github profiles optimize for writing code, not solving problems.

Hustle culture optimizes for being busy over solving problems.

The irony is that to solve problems, we have to step away from the code, and step away from the outward signs that we’re hustling.

Hustle leads to burnout, and to quote Carl Richards: Time off is a prerequisite for good work, not a reward for it.

“What if We Paid for Bugs” Redux

I posted a thought experiment recently asking, What if we paid for bugs? The response was very interesting.

Some of the responses were supportive, others incredulous, and one person posted a link to a Dilbert article on an adjacent topic.

The software we build is the way it is because of our constraints and our motivations for building it. Software has bugs for lots of reasons, but our constraints and motivations are two of those reasons. Heck, bug-free software may not even be desirable; but it’s worth thinking about why we produce software the way we do.

Why do we have regression bugs?
Why do we have late night sev-1 incidents?
Why do we discontinue software people love?
Why do we not fix really easy bugs that our users report that are essentially paper cuts?
Why do we value launching this quarter over next?

The things we do, we value. The things we don’t do, we value not doing them. Two questions to ask that’ll help you understand your team and company:

1. What things do they value (both things they do and things they do not do)?
2. Why do they value those things?

[Last Week in .NET #93] – Performance Enhancing Code

Webforms working on .NET Core, Microsoft drops non-competes, and several teams talk about performance improvements. Let’s get into it.

A fan of WebForms (I can’t believe those words came out of my mouth) ported it to ASP.NET Core. It’s not public, but they’ve done it. πŸ€ͺ

Message and State Versioning in .NET (Using @AkkaDotNet) if you build event-driven applications, you need to worry about contract versioning. The contract here is layout of your messages. I haven’t used Akka, but I’m glad they can help with that. πŸ“š

.NET 6 supports HTTP/3 and .NET 7 will expose QUIC as a first class API I feel like the old man yelling at the cloud when it comes to these HTTP versions. 🌩

.NET MAUI is now ported to .NET 7 The big news here is that they’re no longer on MSBuild, they’re now on dotnet build. 🌴

Performance Improvements in .NET MAUI This is an incredible deepdive into well.. performance improvements made in MAUI. This is one of those blog posts that no matter your background with .NET, you’re going to learn something. πŸƒβ€β™€οΈ

Microsoft to curb use of non-competes, drop NDAs from worker settlements, disclose salary ranges, launch civil rights audit writes Geekwire. These are all wonderful additions, now if they could only take out the tattle-tale ware from their office products. πŸ‘

Exchange Online Journey to .NET Core How the Exchange team ported their .NET Code to .NET Core. Across the board everything got faster, and that tracks with every single story I’ve read about .NET Core. If you move to Core, code will execute more quickly. ⏩

And that’s it for what happened Last Week in .NET.

Go Left to Go Right

There’s an interesting phenomena I just learned the name for, even though I’ve experienced it dozens of times in my career (probably more), called β€œright-half-plane zero”.

Basically, right-half-plane zero is the idea that in order to correct an issue, sometimes you’re required to go the opposite direction first. The author uses a bicycle turning right from a stop, you have to turn ever so slightly to the left first. This can be confusing and nerve wracking, but without going in the wrong direction first, you won’t be able to succeed.

The idea and its implications are fascinating, and I encourage you to read more about it, but for this moment today, what are some situations in software development where executing a half right plane zero makes sense?

Here’s a few I’ve thought of. Hit reply and tell me yours.

  • Refactoring a codebase
  • Implementing TDD
  • Tightening Hockey Skates (not about Software, but something I had to do just this morning)
  • Diagnosing hard to find production issues

What’s after agile?

We put more value in agile than we could ever possibly gain from it.

Agile started as a lightweight development methodology to compete with waterfall.

What is it now? It’s everything and everywhere.

I have no data to back this up β€”- only anecdata, but it appears to me as if we place more value in what we want agile to be than what it is.

We want it to be the solution to building software. Is it? Empirically?

The answer is empirically β€œno”, and like any good defense, when an agile project fails, we look for the True Scotsman. β€œNo one who really followed agile would have tracked story points” or some such.

While this is maybe a little bit a comdemnation, our current situation is, at its core, remarkable, that is, worthy of remark.

Software is maybe 60 years old, certainly as a commercial industry younger than that. We are still very much in our infancy in figuring out how to build software reliably. Software runs the world, and any mistake has an outweighted value over the fact that just 60 years ago we would never have bet that self driving cars would be a reality.

We’ve moved pretty quickly for not knowing what the heck we are doing, and I believe there is value in figuring out how to build software better. Is agile it? No. But it’s been an improvement over what came before it.

What’s after agile?

Architecture is Medium

My 3 year old daughter has a hankering, yes, a hankering for the song “Let it Go”. Keep in mind, it’s 2022, and the original Frozen came out in 2012; but to her, every day is “Elsa” day. Every moment in the car, she wants Elsa. She has her sister’s elsa crown, she has multiple pairs of elsa jamas that she wears every night, and she is in love with the elsa bodywash. She even has an elsa palace that when she hits a button, plays, you guessed it, Let It Go. She’s seen Frozen, Frozen 2, Frozen Fever, and she’s read both the Golden Book styled Frozen, as well as the giant illustrated Frozen, and loves to color on the Frozen coloring book she has with the Frozen markers that are just made to not get Frozen colors over anything that shouldn’t be colored.

The interesting thing about each of these is that they all tell a piece (or all) of the Frozen Story (which itself is inspired by Hans Christen Andersen’s The Snow Queen), but each of them are markedly different. More importantly, you can’t tell the same story with the same effects from two different mediums.

We have the same constraint in software, though our medium is the architecture by which we build the software. If I say to you “website”, you automatically jump to a certain architecture. If I further say to you, “marketing website”, you narrow further to a specific type of architecture special suited for that. If I say, “data ingestion heavy”, you automatically start thinking of the right architecture — or medium — to make that happen.

But notice the interplay there, the architecture (medium) fits the purpose for the software (story to be told). And when we run into architectural trouble, it’s often not hard to see that the problem is either we didn’t use the right medium for the story, or we decided to tell an entirely different story using the previous medium.

The story and the medium fit together and go together.

[Last Week in .NET #92] – Minister of CVE Disinformation

Not too much happened last week; but what did happen was rather alarming. Nothing like a Zero-day RCE in Microsoft Office to get your blood pumping. Let’s get to it.

Zero-day vuln in Microsoft Office: ‘Follina’ will work even when macros are disabled This is a wild vulnerability that basically allows code execution even in a situation where you’ve explicitly set up Office to not allow code execution. Microsoft’s response to this has been wishy-washy, by closing the initial report, and then saying, Yea, “msdt executing with macros disabled is an issue” and then opening CVE-2022-30190 for it. This is not a rousing endorsement of when their PR and security practices collide. Oh, and in the intervening time there was an unofficial patch released if you are the daring sort.

Also shockingly, the zero-day was mentioned in a 2020 thesis. 🀯

Microsoft is on the cusp releasing ‘classifiers’ that will scan computers for messages that fit into one of several categories: “Leavers”, “Corporate Sabotage”, “Money Laundering”, “Gifts & Entertainment”, and more. Rightfully people bring up the false positive rate. I mean, who wouldn’t accept a $50,000 bribe from me so I can get the new Elder Scrolls before it’s released? πŸ™€

Code Signing is moving to a hardware key that will absolutely make it harder to sign certificates. If you can do your job, the security isn’t strong enough. πŸ“΅

Amazon SNS for the .NET Developer, Getting Started Quick and Easy Everybody and everything claims to be quick and easy, just once I want someone to lean in to long and hard. Like Python the Hard Way (which by the way is a lie). πŸŽ‚

Cory Doctorow talks about Apple’s sabotage of “Right to Repair” in a guargantuan twitter thread. In a time of rising inflation, we can ill afford the costs associated with a monopolized repair system. πŸ› 

And lastly, Gen Z is smarter than all of us: Quit Early and Quit Often. If you want employees to be loyal, offer them contracts. Contracts. With Severance. Yea, I said it.