[Last Week in .NET #85] – Multi-threaded Boards

I asked the .NET Foundation when they were going to update us on their ED search, the discussions we opened in the wake of the Hot Reload incident, and what their plans are. I want the .NET Foundation to succeed, but quite frankly I’m worried they can’t walk and chew gum at the same time. The Board of Directors (“Directors” being the operative word) have been working on how to remove projects from the .NET Foundation for the past five months, from Rob Prouse:

We are communicating regularly with project maintainers in the Maintainers committee and individually with projects that want to leave GHE or want to leave the Foundation. Those issues are our current priorities.

Rob Prouse, .NET Foundation, Board of Directors

That’s, to put it mildly, not good at all.

I’m not saying the .NET Foundation needs a hard reset, but if you’ve got a Board of Directors focused on a tactical issue like this; and not, you know, directing the .NET Foundation, then why does the .NET Foundation Board even exist? They should call it, “People who volunteer their time to run the day to day operations of the .NET Foundation”, instead of the “.NET Foundation Board of Directors”. Officers run things. Directors plan and ensure the Officers are executing. It’s a complete mismatch of both talent and need; and it means that the foundation (heh) of the Foundation itself isn’t really well defined. This is the sort of problem you solve immediately, not one that persists in a non-profit 7 years after it was founded.

Anyway, that’s enough on that for now. Let’s get into what happened Last Week in .NET.

.NET (Core) 3.1.23 has been released. Like me, you should ignore the fact that they ignored the ‘Core’ on the release. This release has three security patches, and I’m a broken record about this, but I feel the need to reiterate that your deployment model with .NET Core should optimize for getting new patch versions out quickly and easily, which is the exact opposite of .NET Framework. So yea, that’s newer, but by now shouldn’t be new to you. For those of you that recite CVE numbers in your Slack channels, the CVEs patched are CVE-2020-8927 (Remote Code Execution), CVE-2022-24512 (Remote Code Execution), CVE-2022-24464 (Denial of Service). ⬆

In an attempt to make my job easier, there’s a Blog Roundup that covers all three, titled .NET March 2022 Updates – .NET 6.0.3, .NET 5.0.15 and, .NET 3.1.23. Now, I was of the opinion omitting “Core” was an accident, but it shows up as omitted in this blog post title as well. If you’re Microsoft or Microsoft-adjacent (e.g., you know a guy) then could you ask them to fix the case of the missing ‘core’ moniker for .NET (Core) 3.1.23? Thanks. 🛠

.NET 6.0.3 has been released and it’s the same song and dance as before. Three CVEs patched, but no (Core) to omit. 🎉

.NET 5.0.15 has been released and you probably already know what I’m going to say. I’m repeating myself so that teams that are running a specific version can worry about their version, and not that I was being lazy and lumped all the releases together. 🎉
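A patch-level check for the three releases above, as an added example (not from the newsletter or from Microsoft): it parses `dotnet --list-runtimes` output and compares the newest installed patch on each release line against 3.1.23, 5.0.15 and 6.0.3. The sample output is constructed, and the function names are this example's own; it assumes every shared framework on a release line should be at the patched version.

```python
import re

# Patched versions named in the post, keyed by (major, minor) release line.
PATCHED = {(3, 1): (3, 1, 23), (5, 0): (5, 0, 15), (6, 0): (6, 0, 3)}

# One line of `dotnet --list-runtimes`: "<framework> <version> [<install dir>]"
LINE_RE = re.compile(r"^(\S+)\s+(\d+)\.(\d+)\.(\d+)(-\S+)?\s+\[.*\]$")

# Constructed sample output (not captured from a real host).
SAMPLE = """\
Microsoft.AspNetCore.App 3.1.22 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 2.1.30 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 3.1.22 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 3.1.23 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 5.0.14 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 6.0.3 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
"""

def parse_runtimes(text):
    """Yield (framework, (major, minor, patch), is_prerelease) for each valid line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            version = tuple(int(m.group(i)) for i in (2, 3, 4))
            yield m.group(1), version, m.group(5) is not None

def audit(text):
    """Map (framework, 'major.minor') to a status, judged on the newest installed patch.

    Framework-dependent apps roll forward to the newest patch on their release
    line, so an old patch left installed beside a fixed one is not flagged.
    """
    newest = {}
    for name, version, prerelease in parse_runtimes(text):
        key = (name, version[:2])
        rank = (version, not prerelease)  # a prerelease of X.Y.Z ranks below final X.Y.Z
        if key not in newest or rank > newest[key]:
            newest[key] = rank
    report = {}
    for (name, line), rank in newest.items():
        fixed = PATCHED.get(line)
        label = f"{line[0]}.{line[1]}"
        if fixed is None:
            report[(name, label)] = "not covered"  # release line not mentioned in the post
        elif rank >= (fixed, True):
            report[(name, label)] = "patched"
        else:
            report[(name, label)] = "needs update"
    return report

if __name__ == "__main__":
    for (name, line), status in sorted(audit(SAMPLE).items()):
        print(f"{name} {line}: {status}")
```

Feed `audit()` the real output of `dotnet --list-runtimes` on each host. Self-contained deployments bundle their own runtime and never appear in that list, so they have to be rebuilt and redeployed to pick up a patch.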

The Fastest GIF (pronounced JIF) does not exist. This is a fun little story about squeezing out all the framerates you can for a … GIF, and what those limits are. ⚡

Patch your systems, and I’ll see you next week.

[Last Week in .NET #58] – Deep Learning Means Never Having to Say You’re Sorry

👷‍♀️ Working with Nuget Local Packages An up-to-date look at how to publish NuGet packages locally.

🤖🧠 Plan for Deep Learning in .NET The Machine Learning team at Microsoft has published their plan for Deep Learning in .NET; and in case you don’t know the difference between Deep Learning and Machine Learning, I looked it up and the difference is ‘fuckall’. In all seriousness it looks like the difference is that the Deep Learning folks want AI to make its own decisions, instead of using human provided data to make decisions.

⬇Download New Azure Architecture Icons now! These icons look rather spiffy but you know some executive at Microsoft wanted the name ‘Azure’ somewhere on these icons.

1️⃣1️⃣Microsoft announces Windows 11 will release on October 5 for new and existing PCs, and in other news they’ve added about 10 CPUs from the 7XXX series Intel CPUs, AKA “Intel 7th-generation Core” chips. If there wasn’t a pandemic and a world-wide shortage of chips, I wouldn’t be so ticked at Microsoft for requiring a CPU from 2018 or later.

😷 TechBash 2021 has been postponed If you want some semblance of normal: Get vaccinated if you can. Otherwise we’re likely to hear this same tune in 2022 as well.

2️⃣2️⃣There’s a Microsoft Event on September 22nd at 11am ET. I’ll be live tweeting this (@gortok on Twitter).

🚨 US CYBERCOM releases a cybersecurity alert about Atlassian Confluence CVE-2021-26084 and this CVE is bad enough for the US Fricking Government to use Twitter to provide immediate and timely advice. If you use Atlassian Confluence on-prem, you want to patch immediately.

All in all a pretty light week; and with the short week this week it’s expected that next week will also be pretty light.

[Last Week in .NET #56] – Silverlighted Sorting

No releases this week; but lots of interesting tidbits nonetheless. If you read just one article this week, check out “The Myth of the Treasure Fox”. Link below, of course.

💧 Get the Drop on Sorting. Kevlin Henney does a deep dive on the drop-sort, a sorting algorithm that sorts by dropping elements in the collection. This is not as useless as it immediately appears, and Kevlin explains why. It’s engaging and informative.

🥉 In a screenshot that is strangely alluring Maarten shows off what VB looks like in the brave new world of .NET 6, with a pattern based XML Literal. If I were to rate VB on this screenshot alone, I’d give it a 12/10. Having worked in VB, I give it a 4/10. It’s slightly ahead of the readability of JavaScript 5, and slightly behind Python. These ratings are final.

🌟🤺 Chat Wars! How Microsoft tried (and failed) to keep MSN compatibility with AIM. If AIM and MSN were still alive, they’d have graduated college by now and be grumbling about the state of the job market. I mean, they’re unemployed, strictly speaking, with AIM having been retired in 2017, and MSN Messenger having been retired in 2014.

🔑 .NET 5 Support of Azure Functions OpenAPI Extension Yes, now Azure Functions support .NET 5 for OpenAPI Extensions. If you, like me, have no idea what that is, then this blog post isn’t for you! (It’s becoming increasingly clear that these blog-posts with keyword laden titles are there to help hit some sort of internal Microsoft KPI related to pushing Azure). “George, you’re being unfair!”, I can hear you say. If I’m being unfair, then why aren’t these blog post titles telling you the outcomes they can help you achieve, instead of keywords of processes related to their own products?

🔮 No, NVidia Didn’t Fool Everyone with a Computer-Generated CEO In case you missed this, NVidia used a Computer Generated capture of its CEO for a short scene in its presentation, but their initial blog post on the subject made it seem like they used the CG’d CEO throughout. It’s still impressive, but not nearly as impressive as initially made out to be.

🆕 Microsoft revamps Visual Studio JavaScript projects in forthcoming version. Visual Studio will now rely on whatever the ‘system’ has installed for JavaScript frameworks when creating a new JavaScript-ish project in Visual Studio 2022. I assume it will work seamlessly with things like nodeenv and other virtual environments, and if it doesn’t that would be a bit embarrassing, wouldn’t it?

✅ .NET Optional SDK Workloads This came about because I saw the word ‘workload’ in reference to .NET, and had no idea what it meant. It means a way to extend the SDK to do other things than it’s meant to. I can’t figure out if this is a public thing (you too can write extensions for the SDK) or if this is a Microsoft Only addition, or who this is even for.

☠ A Decade Later, .NET Developers Still Fear being ‘Silverlighted’ by Microsoft. Killing Silverlight was the closest thing .NET Developers had to experiencing the Red Wedding. An entire developer stack killed overnight. I don’t claim there’s any sort of ‘guest right’ when it comes to Technology Stacks, but there’s a certain amount of creative destruction taking place that Microsoft was not known for previously. They have several hundred projects to kill to even get close to Google’s bloodthirstiness. There are, of course, differing views, as is the norm on Twitter.

✈ Async code has significantly less overhead using .NET 5 compared to .NET Core 3.1. Screenshots of the benchmarks in the link if you like that sort of thing.

🦊 The myth of the treasure fox in Skyrim. This is why I love Twitter. You learn things you’d otherwise never hear about. I won’t spoil the story for you, but it’s worth your time to read.

💼 Introducing DevOps-Friendly EF Core Migration Bundles. DevOps here means “Deploying your code easily” and has nothing to do with Azure DevOps (either Azure DevOps On-Prem, or Azure DevOps on Azure — and no, I’m never letting Microsoft live that atrocious naming down). Anyway, The EF Core team has made it easier to run database migrations in a CI environment.

🟡 Highlights from Git 2.33. The news here is that git now has a new rewritten and faster merge strategy called merge-ort. To try it out (it’s not the default yet), you can use the command git merge -s ort when merging two branches in git. The -s ort is some sort of a cruel joke, I think. Or at least proof that no one talks their way through commands any more. Can you imagine telling someone with your mouth-words how to do it? “Type g i t space dash s space o r t”.

🚄Performance Improvements in .NET 6. If you like performance blog posts and you tolerate IL, this blog post is for you. As deep a dive as you’ll get on just what performance improvements have been made in .NET 6, and what it looks like under the covers.

⏩Visual Studio 2022 Preview 3 offers a new breakpoint context menu to set advanced breakpoints more easily. If you don’t use advanced breakpoints, they’re quite magical to improving productivity when debugging — like setting a breakpoint after a specific number of times, or setting conditional breakpoints.

👎In the “We can’t help being evil” department, It’s harder to switch default browsers in Windows 11. Besides the tweet, there’s an in-depth article about it on The Verge, and what that means for us. Since 90s clothing has come back in style, I suppose 90s monopoly practices should too?

🙃 You can now have global using static <class>. This is a great idea. I mean, globals are already a time-honored programmer tradition, and of course seeing methods being called that you have to have an IDE to trace is a wonderful idea.

And that’s it for what happened last week in .NET. It was a light week; but as we get closer to November (and .NET 6), we should see more releases.

[Last Week in .NET #49] – Automated Printer CVEs

I swore up and down I would not release a newsletter this week owing to the July 4th holiday (Treason day for the Brits out there), and then Microsoft’s GitHub announced and released GitHub Copilot, and my promise fell apart.

Copilot is an ML trained code snippet generator. What is it trained on, you ask? All the public code on GitHub, GPL’d or otherwise. This has angered the internet lawyers and is generally considered to be a Dick Move™ by everyone else (except those that have read the parable of the Scorpion and the Frog). And since there really isn’t any magic in ML, that’s led to some interesting bugs… like reproducing the inverse-sine function from Quake to include the PG-13 rated comments. Or giving internet randos the API keys that SendGrid users put in their source code on accident, or even reproducing the GPL in its entirety in a source code header file, and none of this includes the mundane but possibly Office Space plot inducing everyday bugs present in Copilot.

It’s almost trite to call these ‘bugs’; these aren’t bugs. These aren’t misunderstandings of product requirements, or bad coding. No, these are Ian Malcolms:

Your scientists engineers were so preoccupied with whether or not they could, they didn’t stop to think if they should. (original source)

AI and ML have given us a new class of software defect: the Ian Malcolm, the defect that exists due to hubris and a lack of foresight into how it could actually be misused. We can thank GitHub for playing the role of movie villain here.

With that out of the way, here’s what else happened last week in .NET.

🚉 In Windows 11 you can now specify which Terminal you want to use and not have to have cmd.exe launch all the time. I don’t want to be cruel; but would anyone willingly choose cmd.exe as their terminal? @ me if you would, and why.

🚅 ZDNet’s Jason Perlow says he’ll bite the bullet and buy a new PC for Windows 11 and it’s important to note that ‘more secure’ here means “less likely to get taken down by ransomware”. Microsoft’s usual track record for security post-boot-up still applies.

👔 Adam Storr has a blog post out titled Test Your .NET HttpClient Based Strongly Typed Clients Like a Boss, and I’m not clear from the title if he means the every day “exploit them” or if there’s a more sinister meaning, like “gaslight them into believing working 60 hours a week means you’re a team player”.

🎭 There was a LinkedIn Breach announced on June 29th, with the field “Inferred Salary” included. Since no one knows what “inferred” means here, we’ll just go with the face-value interpretation that LinkedIn calculates what your salary should be based on your experience and roles and local market and that is exactly why naming is so important in software.

🍞 I got a little flak last week for suggesting that Azure Static Web Apps were mundane but being touted as The Next Great Invention After Sliced Bread, and here’s just another example. Now, I get that if you work at Azure, you should be touting Azure products — but my concern here is that treating something mundane like Static site hosting as revolutionary in your verbiage (awesome, awe inspiring? Really?) is overplaying the marketing angle without understanding that a crucial part of marketing is credibility, and it’s easy to lose it if you overplay your hand.

🖨😲 There’s a new CVE out for Windows dubbed “Printer Nightmare”. CVE-2021-1675 allows an attacker to take over your system through the Windows printer spooler service, and this is reason #2 why I had to release a newsletter this week. Holy forking shortballs Microsoft.

🖨😲 Kevin Beaumont gives us an in-depth report on “Printer Nightmare” including most importantly how to mitigate this zero-day. Also important to note there appear to be 2 CVE classifications for “Printer Nightmare”, the aforementioned -1675, and CVE-2021-34527. 1675 covers Privilege Execution, and 34527 covers Remote Code Execution. Happy Monday.

🖨😲 There’s a POC out for Printer Nightmare that was promptly deleted but still available via caching sites if that’s your thing. I’m not going to look and see whether or not my old Livejournal is cached somewhere, thanks.

🖨😲📊 Interested to know if you’re affected and you like Flowcharts? @StanHacked has you covered.

🖨😲🚉 Interested in seeing if your machine is exploitable for “Printer Nightmare”? Try this PowerShell one-liner (please don’t).

📢 YARP Preview 1.0.0-preview12 has been released and we are promised that this is the last ‘big set of API changes’. I admire their optimism.

📢 The Pull request for finishing out W^X support for .NET is open and the problem with naming it W^X is that I can’t find — either on GitHub in my old releases or on Google any reference to what this means. My memory seems to recall it means Write Xor Execute; which means that a piece of memory is either writable or executable, but not both. I could be way off on this, and I take corrections @Gortok on Twitter and via email at george+lwidn@georgestocker.com.

🚫👴💻 Windows 11 will leave millions of machines behind and Microsoft is struggling to explain why, writes The Verge. I guess “We’re getting hammered by side-channel attacks and ransomware attacks because we have the most popular operating system of all time and we’re sitting on a long legacy of a single-user disconnected operating system vs an internet connected system” is hard to say?

👩‍💻🥌 There is a Fortnite VS Code theme and I have not played First Person Shooters since Battlefield 2 so I don’t really know what the hype is. Fortnite really just looks like Team Fortress 2 meets Starsiege: Tribes Without the Jetpacks, he says, yelling at the kids to get off his lawn.

💉☁ AT&T is moving its 5G Network to Azure for Operators and now I guess the COVID Vaccine will give you Azure interoperability as a side-effect?

👋 Valid Kubernetes YAML that also happens to be AT&T x86_64 assembly code and I need a shower after seeing that. Ew.

☕ Leslie Richardson and Cecil Phillip have a .NET video out on Exception Filters and I promise if you catch System.Exception and don’t filter it, bad things will happen (also please don’t filter on System.Exception, just pick the exception subclass and filter on that. Your maintenance programmer and I will thank you).

📖 dotnet-wtrace Command Line Tool has been released and it captures .NET traces. No, I don’t know anything more than that and Open Source Projects aren’t exactly known for their Marketing.

🔧 The .NET team has a blog post that covers the Object allocation tool in Visual Studio. Think of this tool like dotMemory or ANTS Profiler, just built into Visual Studio.

UWP Projects will not have ongoing support in the new WinAppSDK World, according to a YouTube video by the WinUI team, and the longer discussion that alerted me to this fact is here.

And that’s it for what happened Last Week in .NET. I’m especially interested to see if there’s any legal action around Copilot (ha), and how bad PrintNightmare turns out to be, so if either of those get more press, you’ll hear about it here.