I asked the .NET Foundation when they were going to update us on their ED search, the discussions we opened in the wake of the Hot Reload incident, and what their plans are. I want the .NET Foundation to succeed, but quite frankly I’m worried they can’t walk and chew gum at the same time. The Board of Directors (“Directors” being the operative word), have been working on how to remove projects from the .NET Foundation for the past five months, from Rob Prouse:
We are communicating regularly with project maintainers in the Maintainers committee and individually with projects that want to leave GHE or want to leave the Foundation. Those issues are our current priorities.Rob Prouse, .NET Foundation, Board of Directors
That’s, to put it mildly, not good at all.
I’m not saying the .NET Foundation needs a hard reset, but if you’ve got a Board of Directors focused on a tactical issue like this; and not, you know, directing the .NET Foundation, then why does the .NET Foundation Board even exist? They should call it, “People who volunteer their time to run the day to day operations of the .NET Foundation”, instead of the “.NET Foundation Board of Directors”. Officers run things. Directors plan and ensure the Officers are executing. It’s a complete mismatch of both talent and need; and it means that the foundation (heh) of the Foundation itself isn’t really well defined. This is the sort of problem you solve immediately, not one that persists in a non-profit 7 years after it was founded.
Anyway, that’s enough on that for now. Let’s get into what happened Last Week in .NET.
.NET (Core) 3.1.23 has been released. Like me, you should ignore the fact that they ignored the ‘Core’ on the release. This release has three security patches, and I’m a broken record about this, but I feel the need to reiterate that your deployment model with .NET Core should optimize for getting new patch versions out quickly and easily, which is the exact opposite of .NET Framework. So yea, that’s newer, but by now shouldn’t be new to you. For those of you that recite CVE numbers in your slack channels, the CVEs patched are CVE-2020-8927 (Remote Code Execution), CVE-2022-24512 (Remote Code Execution), CVE-2022-24464 (Denial of Service). ⬆
In an attempt to make my job easier, there’s a Blog Roundup that covers all three, titled .NET March 2022 Updates – .NET 6.0.3, .NET 5.0.15 and, .NET 3.1.23. Now, I was of the opinion omitting “Core” was an accident, but it shows up as omitted in this blog post title as well. If you’re Microsoft or Microsoft-adjacent (e.g., you know a guy) then could you ask them to fix the case of the missing ‘core’ moniker for .NET (Core) 3.1.23? Thanks. 🛠
.NET 6.0.3 has been released and it’s the same song and dance as before. Three CVEs patched, but no (Core) to omit. 🎉
.NET 5.0.15 has been released and you probably already know what I’m going to say. I’m repeating myself so that teams that are running a specific version can worry about their version, and not that I was being lazy and lumped all the releases together. 🎉
The Fastest GIF (pronounced JIF) does not exist. This is a fun little story about squeezing out all the framerates you can for a … GIF, and what those limits are. ⚡
Patch your systems, and I’ll see you next week.