Winning Marathons Before Getting New Shoes

I am a big fan of the Rands Leadership Slack, and I learn something multiple times per day. Today, of course, is no different. Because of the Chatham house Rules, I can’t link to exactly what was said, but I’ll share it with you here.

The conversation itself was around “building trust”. If you build software, you’ve inevitably heard this phrase uttered:

“We need to build trust with <stakeholders> that we <can deliver valuable software> in <timeframe stakeholders wanted it>”.

I’ve heard that (or a variation on the theme) more often than I can count.

Inevitably that comes up when the team wants to focus on ‘Paying down technical debt’, as it did in this conversation today. As developers, we know that technical debt is basically never going to get addressed, and if it does it won’t get addressed in the timeframe to actually be useful to us, and so incurring technical debt may as well be like incurring national debt: We’re never gonna pay it off, so we may as well ignore it.

Anyways, the whole reason I brought this up was a singular quote from this conversation that cleverly encapsulates the problem with the dynamic between ‘building trust by delivering what we want when we want it’ and ‘paying down technical debt’:

“We need you to start winning marathons before we buy you new shoes.”

πŸ’‹πŸ‘Œ

[Last Week in .NET #89] – CVE Inflation

A few CVEs patched, a book written on Regex. It’s an eventful week, let’s dive in.

.NET 7.0.0 Preview 4 is out. Looks like bug fixes here, nothing major. πŸ›


.NET 6.0.5 has been released which fixes three CVEs (all denial of service) and quite a few bugfixes. 🚨


.NET 5.0.17 has been released and it fixes those same three CVEs. 🚨


.NET Core 3.1.25 has been released and you guessed it, it fixes those same three CVEs. 🚨


That’s it on the release side, here’s what else happened Last Week in .NET:

Khalid Abuhakmeh shares a tip on how to use the Convert class to convert a number into its binary representation. After working in embedded C this is one of those things that I’ll never take for granted again. πŸ—


Microsoft launches [paid] cybersecurity services to help clients fight off ransomware and other attacks.

  1. Build an insecure OS.
  2. Charge people to make it more secure.
  3. Profit.

Even if this is all above board, it sure looks twisted. 🟑


Speaking of security vulnerabilities, CVE-2022-1388 is an F5 (network equipment) vulnerability, particularly against their REST APIs. Yes, some network devices support REST API access to the control plane. It’s a wild world that I used to work in, and not without its share of problems. 🚨


WSL now supports USB devices. Ouch. Microsoft makes a better linux than linux makes. πŸ‘‰πŸ‘ˆ


Microsoft has a knowledgebase of styles of architecture for Azure. This is nice. More, please. 😊


Shiny.NET 2.5.1 is out. What’s Shiny.NET you ask? I really have no idea. The twitter account description says,

“Make all your apps shiny with http://Shiny.NET -github.com/shinyorg/ – please don’t @ for support – go to github!”,

and the Github description says,

“We make shiny nuget packages for Xamarin, Windows, & All Things .NET”. Again, no idea.

If I go into the ‘shiny’ repository, it says,

“Shiny is a cross platform framework designed for Xamarin & UWP to make working with device services and background processes easy, testable, and consistent while bringing things like dependency injection & logging in a structured way to your code!”

…and that took long enough that I need a nap. πŸ€·β€β™€οΈ


I’ve touted Polly quite a few times here and elsewhere, and the .NET on AWS folks release a blog post series about it. With modern software, polly is a requirement. 🍾


Visual Studio 2022 17.2 is available and it includes support for C# 11’s “raw string literals”, and they’re making the Razor editor better (thank heavens!). There are a lot more goodies in the release, so give it a look-see.


And the team that works on Visual Studio 2022 version 17.3 Preview 1 also released their latest update last week. Lots of little fixes here, and if you like Preview bits, have at it. 🍾


Using the new .NET threading API sped up a benchmark by 4x. That’s… a lot. I always thought .NET [Framework] was pretty fast, but to learn how much faster .NET [Core] is astonishes me. πŸš„


Redefining the term 10x Developer The real 10x developers are the compilers we met along the way. πŸ‘‹


A shockingly deep dive on Regex Improvements in .NET 7 It’s a 30 minute read from this point, and worth every minute. πŸ“š


And that’s it for what happened Last Week in .NET. If you find something you think I’ll like, email me at george at georgestocker dot com or send me a tweet @ gortok on twitter.

If your software is for everyone, it’s for no one

The first thing you can do when building software is defining who the software is for and why they’re using the software.

And please don’t say “My software is for everyone.” It’s not. I mean, you can make that an explicit goal, and suffer the consequences of that approach, but for the sake of your livelihood, please don’t. I actually can’t think of a single piece of software I’ve ever used that it’s for everyone. Don’t believe me? Even as broad as Operating Systems can’t be for everyone. As a case-in-point; iOS 13+ requires some sort of passcode to access the device. It’s important to note that even 5 years ago, passcodes weren’t ‘required’. There are entire generations of people who have never had a passcode, and at their age these days, are probably too advanced to remember what their passcode is. This happened to a friend of mine just last week. Their mother had been given an iPhone and had to set a passcode, and subsequently forgot that passcode. Their only option was to have the phone reset, losing everything on it.

It’s very clear that even for something as ubiquitous as a smartphone, it’s not for everyone, and we do a disservice to our users when we think it is.

Choosing who you are serving with your software allows you to set the appropriate expectations for what it will and won’t do, and allows you and your team to focus on making it the best possible experience for the people you’re trying to serve. Making software that tries to serve everyone makes software that is just frustrating enough for anyone, and is truly exceptional for no one.

Context-Sensitive Practices

I think quite a bit about “Best Practices”. Partly it’s me reacting to the aversion I have for that phrase, best practices, and partly it’s me trying to figure out a better way to say what we mean when we say “Best practices”.

What are we trying to convey when we say “Best Practices” anyway?

At least part of the time (though I suspect more of the time than we care to admit) we use that phrase as a way to shut down dissension or as an ‘appeal to authority’. I don’t think it’s done maliciously; but there is an element of ourselves that gets tied to a course of action, and even if it may objectively be wrong for our context, the ego is the ego, and the appeal to authority, well… feels good. It almost feels righteous.

Another part of the time it’s as a protection in case something goes wrong. If we’re doing it, and other people do it, it can’t be wrong, right? We can’t be held responsible for doing what is considered a ‘best practice’.

And for some situations, a context free ‘best practice’, may actually be a best practice and we use the term because the stars happen to line up and it’s an actual best practice.

I think this is far less common in practice than we judge it to be.

Too much of what we do when we build software is context-sensitive, that is, the particular circumstances and facts surrounding the why and the what are as important (if not more so) than the “typical” means we employ to build software.

Or put another way, we have far fewer immutable laws when building software than when engineers are designing and building roads or bridges. Gravity or inertia will not suddenly change on the bridge engineers, but our circumstances — our context can change on a dime.

I don’t know how far this thought extends, but I like to think that when I’m designing software, the context I’m designing on is front and center. It is the most important part, because it’ll define the rules by which we operate. So instead of using best practices, I use context-sensitive practices. Maybe that’ll keep my hubris at bay?

Feedback on “Soul > Features”

I’ve gotten some feedback on the whole idea that software should have a soul, and I’d like to share it with you.

Daily Email List reader Chris (shared with permission) said:

I’ve always seen it as “relational” … the software has to make a connection to the users either with its other sets of users (or the developer …. it depends). It has to evolve and feel like it to its users…. in my mind, you as the developer care enough (about the relationship) to improve it. But it also takes time either in the beginning (or later but probably earlier) to properly build an experience for the user (e.g. UX) that they just feel less friction. It just feels “right” – like you said about the Notes app (which I know nothing about … not a Mac guy) vs any sort of writing app. MS Word simply sucksΒ at offering a zillion features but making the usability of them such a horrific pain (especially that well-hated “ribbon” concept).Β 

Chris, from the Email List

I had MS Word in mind when I was writing the email; along with lots of other pieces of software. And Chris’s feedback introduces an interesting thought: at some point, features actively harm the soul (if one is present to begin with). When Microsoft Word came out; it felt like a joke against Wordperfect (which absolutely had a soul), and then after a little bit, it became the best thing around, but then it lost its purpose and became a box filled with every feature you can imagine, and started piling UI on top of UI, until now it’s Frankenstein’s monster from a UX perspective. Chris is spot on.

Jason Karns on twitter also said:

A key aspect that always bothers me when missing: consistency with its environment. Mac apps need to behave like Mac apps. (System shortcuts, text controls, etc) same with websites (which is one reason I hate most SPAs) they have features but they’re posing and have no soul

@jasonkarns, Twitter

And that brings up my dislike of SPAs, but before Jason mentioned them in this context, I hadn’t realized my dislike was directly attached to the fact that SPAs completely disrupt and eschew the power of the web for some semblance of a ‘rich’ experience. SPAs are a thing that acts contrary to itself.

Everyone, everything, even software, has a purpose. Once you get away from that purpose and into the blind alley of adding features to capture market share, or because someone said they wanted it, then you run the very real risk of your software becoming a thing contrary to itself — and just like in humans, that damages its soul.

Soul > Features

I’m still stuck on the “Software needs a soul” thought. I’ll probably write about it more in depth at another time, but for today, for right now, I want to share one implication of that thought.

If having a soul is what makes us us, then it’s not the physical features of a human being that make us human, it’s the soul.

For software, features are necessary — maybe less necessary than we think they are; but they aren’t sufficient.

How many times have you seen the ‘feature checklist’? Where the software lists all of its features, as if that makes up for its lack of purpose. Lack of… soul? I have a working theory that if the software we build had a soul, we wouldn’t need to put so many features into it.

As I said, I can’t shake this thought, and I’ll spend some more time on it later, but today I’ll leave you with that one thought: If we were to cut features and focus on giving the software we work on a purpose for its users, and hone the software to excel at that purpose, would we build better or worse software than we do right now?

Software with a soul


I have never said or heard β€” except colloquially, that someone is described as a human with a soul.

It goes without saying, right? Humans have souls. Now we have said there are humans without souls, but that is very much the exception.

Intrinsically, we know two things:

  1. Humans are more than the sum of our parts.
  2. The ineffable quality that is a soul defines who a person is.

I’ve been stuck in a train of thought for a while now on the quality of the software we use and build. Why is software β€” on the whole β€” worse than it should be? What makes ”good” software? why does any of this matter?

I’m not sure about the rest but I can answer the last question.

Software quality matters because software is meant to make our lives better. I don’t mean code quality, or process quality, or delivery quality. The closest defined term for what I mean is the User Experience. But it’s more than what we traditionally consider. It starts with how software makes us feel. It ends with whether that software has truly made our lives better. But it’s more than that. At least in part it’s whether that software feels human.

Whether that software has a soul. I can list lots of software that feels souless. But the software that truly makes me feel good is software that I could swear has a soul.

One example, because it’s not an easy thing to define. WordPress is a well written piece of software, but I am typing this up on an iPhone in a mobile web browser and it’s clear no one ever anticipated someone typing on an iPhone. All of the affordances the iPhone is renown for β€” autocorrect, auto-capitalization, response speed, enter doing the right thing, the screen acting correctly are gone or severely hobbled.

And yet, if I were to type the same words into the Notes App, it would have been a butter smooth experience. It would have not felt frustrating, to say the least.

WordPress is a collection of features ostensibly geared to helping you write, but the Notes App really helps you write.

Between the two, I would describe the Notes App as having a soul. I wouldn’t say the same about WordPress.

Software should have a soul. I can’t get that thought out of my head.

[Last Week in .NET #88] – PowerShell Pariah

Starting out this week a little differently, Sarah Dresner, @sarah_edo on twitter comments on the Batman movies, and it’s shockingly relevant to software we create:

When they make Batman movies, they say “ah yes, this has all the ingredients of a good movie” The trouble is, you don’t eat ingredients, you eat a meal. (Source)

She has an entire thread just on the problem with (primarily) DC movies, but it’s definitely relevant to our work, and it reminds me of our approach to business applications (and a bit broader; large companies that rhyme with smike-ro-croft approach to building software). We build software with features, (ingredients) but we generally forget the soul of software; that part of it that makes it relatable to the user. Features are not a soul, though a feature can be implemented with a soul. Software that we love and software we merely tolerate (at best) are separated by whether or not it has a soul. πŸ‘»


John Papa takes us through the early history of JavaScript and why jQuery saved JavaScript. We look at these technologies with derision today, “Oh, you’re still coding in jQuery? How can you?” but everything that is old and busted was once new and wonderful. ✨


Aaron Stannard asks, “Why does it seem like Microsoft deprecates all of their Azure SDK NuGet packages and replaces them with an entirely new one every 18 months?”. That’s a great question, and the comments on the tweet offer possible explanations, but no one is speaking up in an official capacity. ❓


The people inside Microsoft using Windows Containers are talking about the cool stuff they can do. If you’re one of the five outside of Microsoft using Windows Containers voluntarily, you’ll enjoy this as well. Also, if you’re not a part of Microsoft and you’re using Windows Containers because you want to please drop me an email. It’s george at georgestocker dot com. 5️⃣


dotMorten shows you have to add OAuth to your WinUI application with one line of code using WinUiEx (Windows UI Extensions). πŸ‘


Windows App SDK 1.1 Preview 3 is out and it includes Mica and Background Acrylic; which are two UI styles in Windows 10. πŸ“’


Apparently Windows 11 Cumulative Preview KB5012643 breaks .NET 3.5 (in Windows Server 2022 as well) so watch out. ⌚


Microsoft 3D MovieMaker was released into opensource and the amazing part is that the software was built last. The entire manual and documentation was created first. That’s astonishing. πŸ“š


.NET 5.0 is out of support, so if you haven’t updated to .NET 6, now is the time. Literally. ⏳


This old tweet by Scott Hanselman came up again on what should be included in a Windows Developer Checklist and I maintain that GNU Utils is a requirement. I also want a native Perl Runtime, but you can’t have it all. πŸ”


Jimmy Bogard writes You Probably Don’t Need to Worry about MediatR which itself is a response to this post that says, You probably don’t need MediatR as someone who has never used MediatR, they’re both right.

But what I want to bring up here is this mentality in software where we find these castles we believe in, live in those castles, and then eschew all the other castles we see. We build moats around ours, and see others as inferior. We tie the software we use and create to our identity. We defend it.

I also want to point out that Jimmy does a great job of not doing that in his post. He gives a reasoned rebuttal without it crossing any lines into attacks. βš”


Not an Internet Of Sh*t joke but “This toilet installation is connected to Microsoft Azure IoT Central”. I just can’t with this. πŸ’©


Power Platform Conference in September in Orlando, FL is looking for speakers. Submissions are due by May 16th. 🀼


Jeffrey Snover talks about the time he was demoted and made a corporate pariah for five years for inventing Powershell. There’s an accompanying talk on it. Sometimes I get asked, “why do you hit Microsoft so hard when they do <something I think is wrong>”, and stuff like this is the reason. There’s an inertia present in all businesses towards the present. Not towards innovation or getting better, but for extracting as much from the cash cow as possible. Microsoft is not only not immune to this, but there are many recent examples of this happening (Hot Reload, to name just one). The ‘new Microsoft’ has not gotten away from this inertia, and if we just stay silent, there won’t be any external forces helping them to see they are just relying on inertia. As much as I dump on Powershell, it was revolutionary for Windows administrators, and it deserves more accolades. In the replies another Microsoftie talks about the fact that BitLocker was also one of these anti-inertia projects. 🐚


And that’s it for what happened Last Week in .NET.

[Last Week in .NET #87] – The Windows Development Roadmap Has U-Turns in it

It’s an abbreviated (and rather late) Last Week in .NET this week, due to a convention and a golf fundraiser on Monday. Mea culpa, even though I’m really not sorry having a vacation day.

With that behind us, let’s get into what happened Last Week in .NET.

Windows Dev Docs reminds developers about what they need to know for developing Windows Desktop Applications, and in a completely not-self-aware moment they don’t realize that the sheer need of this document means their strategy is not going to work. It’s slightly better than a flowchart; but gives off the same vibes: If your desktop development strategy, for a stack you own, is this complicated, how can you actually expect people to be able to follow it? How can you expect them to want to develop for your platform? The mind boggles. 🧠


Jeff McJunkin says “Your threat model has to allow for attackers gaining local admin-rights” to which I reply that none of the alternatives are any better for the developers. There are no ‘fully cloud’ based development and integration setups that keeps legal from screaming in latin, while also keeping developers happy enough not to leave your company. Local Admin rights has been a staple of the developer experience for as long as there’s been a Windows Operating System (heh. Does that make the current state of affairs Microsoft’s fault?), and VDI or ‘thin clients’ are terrible for the developer experience. πŸ•΅οΈβ€β™€οΈ


One of the great things about #aspnetcore is that it’s really easy to run different frameworks side-by-side now if only Microsoft would stop eating its young, we might have different web frameworks to run side-by-side. πŸ€·β€β™€οΈ


Microsoft Build is May 24-26, 2022 and Registration is open. There is some irony here that people ‘have to go back to the office’ to have spontaneous collaboration but the conferences are still virtual. πŸ€”


Did you know HTML has the ‘inert’ attribute? If you’re building your site to be ‘accessible’, then you need to know about this element. πŸ’€


Remote Working has Changed the Rules of the Workplace, so Watch Out There’s one part to this that makes me happy: Maybe this will be the straw that kills notifications as a viable means to alert people to what’s going on. πŸ“’


CVE-2022-27774 and CVE-2022-27776 existed in curl release code for 8603 days. I will wait patiently while someone explains to me that open-source means that given enough eyeballs, all bugs are shallow. πŸ›


Template Studio is now supported in Visual Studio 2022. Template studio ‘accelerates the creation of new Apps using a Wizard-based experience’. This looks interesting, but I’ll need to dive into it to see if it’s more than demo-ware. πŸƒβ€β™€οΈ


Hillel Wayne explains the genesis of the Microsoft book, “Mommy, Why is there a Server in the House” and for those of you that missed my 40th Birthday, I’ll happily take a copy of this book. πŸ“š


And that’s all I found last week in .NET. If you’ve got something to share, you can @ me on twitter @gortok, or email me at George at GeorgeStocker dot com. We still do this to defeat the bots, right? Right?

[Last Week in .NET #86] – Spring has Sprung and so have Security breaches

It’s been a while, and I appreciate all the well-wishes I received from you all. Unfortunately my FIL is still in the hospital (he’s been in the hospital for 105 days, which is itself a shocking number), but as they say, the show must go on.

I’ll spend this time catching you (and let’s be real, me too) up on what happened in the world of .NET since we last talked.

πŸ™ˆ Microsoft is caught testing ads in Windows 11 File Explorer and then once chastised, said it was ‘not intended to be published externally’](https://www.theverge.com/2022/3/15/22979251/microsoft-file-explorer-ads-windows-11-testing).

I’m grateful Microsoft didn’t try to lie, but I almost would have preferred a lie over the eventuality that Ads are going to be in my operating system.


πŸ™‹β€β™€οΈ Nadine Dorries, Britain’s Big Tech Slayer asks Microsoft “When are you getting rid of the algorithms?” I don’t know if it’s better or worse that Microsoft’s business decisions have been made by humans to this point. All kidding aside, as an industry we rely on the almighty algorithm as God and it thankfully is backfiring. Sure, it’s easier to rely on a computer than it is to make humans make decisions, but in true Computer Science form we are only, at best, adding another layer of indirection. Or, as the saying about using a regex goes, now you have two problems.


1️⃣Uno Platform v4.2 has been released. This includes .NET 6 Mobile RC1 (what is .NET 6 Mobile? I’ve been gone far too long) and support for Visual Studio 2022 17.2 Preview 4. Apparently it also includes support for using OpenGL to render the UI chrome. This feels important but UI programming has long been a convuluted mess for me to understand. I’m not proud of it but it took me over a decade to understand what the “X Window Server” even did.


πŸ₯šπŸ₯šOkta had a security incident, followed by a mea culpa, followed by a blog post that says, “Secure your .NET 6 Web API [with Okta]“. I could not read the blog post because the author’s cojones were blocking the screen.


πŸ’ΈTim Cochran and Carl Nygard write a rather extensive article on MartinFowler’s website about tech debt. I like the article, though I take issue with branding accidents, mistakes, and inexperience as technical debt.


😎How do we remove the ‘not cool’ label from .NET? Do you want to be cool? or do you want to be successful? Which one really matters?


πŸ‘The null parameter checking feature x!! has been removed from C# 11. I’ve been banging the drum against syntax explosion for years and while I have no doubt that I’ve had no effect at all on anyone about this, I’m still happy to put a point up on the “please stop” board. C# is a wonderful language, but the more baggage you add to it, the harder it becomes to maintain, and someone has to go through the years of legacy code and remember the ‘old ways’ (that were considered ‘new’ as of 2018). You know what happens when you just add syntax on a whim? Perl happens.


πŸ“ƒMatt Zorich says you should use Azure AD Password Protection on-prem if you are licensed for it. Azure AD Password protection sets up global lists of ‘bad passwords’ to keep people from using them. They’ve got the money, why not just buy LastPass and integrate it into the OS? Why this half-step?


β€ΌSecurity Alert: Attack Campaign involving stolen OAuth user tokens issued to two third-party integrators. On April 12th, Github Security uncovered that attackers were using OAuth app tokens to download data from their customers. It appears that either Heroku or Travis-CI (Or both) had a breach, and the attacker used the OAuth Tokens to get into the github repositories. Heroku’s take on this incident is linked previously, but Travis-CI has been mum on this topic as far as I can tell.

Security breaches are bad. Not saying anything when another comnpany accuses you of having a security breach is worse. You understand how it’s worse, right TravisCI?


πŸ“ΉMalwareTech takes you through how to reverse engineer an RPC vulnerability in windows (specifically CVE-2022-26809 This is a must watch video.


πŸ“Mysteries of the Registry I preferred the old days of file based configurations, since File-based backups are as old as computers themselves. But despite that, the registry is still an interesting thing to read about.


πŸ—„Speaking of which, you can download File Manager from Windows 3.1 for Windows 11. This is about where we peaked, if I’m being honest.


🏠New Security Features for Windows 11 will help protect hybrid work, I too also know a cheaper and easier way to protect hybrid work: Don’t go into an office. Work Remote 100% of the time. If your house gets broken into you have more pressing issues.


🀡Kenney Myers releases a demo-app built in .NET 6 and using Server-side blazor. The Jury is still out on blazor. It’s adoption rate is dismally low. Why aren’t you using blazor? Hit reply and let me know.


🌭The Software Development industry is a sausage fest. 91.67% (The .67% is just adding insult to injury) of the industry identifies as a dude. Not coincidentally, diverse eco-systems have better survival rates than non-diverse ecosystems.


πŸ’ͺAzure Virtual Machines support ARM. No snark, just cool.


πŸͺWill DockerTools ever support .NET Hot Reload? If you give a mouse a cookie, they’re gonna want a glass of milk.


πŸŽ‰Windows App SDK 1.1 Preview is out Also turns out in the intervening time they also released 1.1 Preview 2.


πŸ’€.NET 5 End of Life is May 8th, 2022 followed by .NET Core 3.1 on December 3rd, and tomorrow.. Yes, tomorrow, .NET 4.5.2 through 4.6.1 are End of Life’d.

I wish they’d just go ahead and EOL everything before .NET 4.7.2 — that’s when the “.NET Standard 2.0” is more or less guaranteed to work with .NET Framework.

πŸ₯ŠMiguel de Icaza brings up an old beef with .NET bindings and Unity It’s a tale as old as tech: Platform A writes hooks into Platform B. Platform B gets upset, fearing a bridge is being built over its moat, and kills the hooks. Who loses? We do. We all do.


πŸŽ‰NET 7.0 Preview 3 has been released. As usual he EF Core team operates at a frentic pace.


πŸŽ‰.NET 6.0.4 has been released with “non security fixes and performance improvements”, and you can click through to learn more depending on what you use.


πŸŽ‰ And .NET 5.0.16 is out also with those same sorts of non-security updates and performance improvements. Interestingly Microsoft is making .NET Core updates available via Microsoft Update on an opt-in basis. Does Microsoft Update support Linux Server OSes? Probably not.


πŸŽ‰ Finally, .NET 3.1.24 was released, along with the others, with the same sort of updates. I’m gonna go ahead and say it, if you’re still using .NET Core 3.1, it’s way past time to adopt .NET 6. Way past time.

And that’s what’s happened since the last time you and I talked about .NET. I hope you are well, and I’ll see you next week.