I am (g)root
NuGet can run arbitrary code on your system; Parler's woes get worse (yay!); and Khalid A. shares inspirational quotes from artists that apply to programming. Oh yeah, Microsoft releases new .NET Core updates that fix a major CVE.
This is Last Week in .NET for the week that ended... well.. last week (January 16th, 2020). It was a rocky week last week; and more of the same expected this week for the Washington DC area, and with an inauguration and Martin Luther King day as our backdrop, let's dive into what happened last week in the world of .NET.
Releases
.NET 5.0.2 has been released. This release fixes CVE-2021-1723 | ASP.NET Core Denial of Service Vulnerability attack. If you run .NET Core on Kestrel, you're vulnerable to this attack, so update immediately. There are several bug fixes for ASP.NET Core, the .NET runtime, and Entity Framework Core 5 included as well.
In the same vein, .NET Core 3.1.11 has been released with the same CVE-2021-1723 fix, as well as some backported fixes from .NET 5.0.2 and other fixes specific to .NET Core 3.1.
Not to be left out, .NET Core 2.1.24 has also been released and at this point you can probably guess what I'm going to say: They fixed the aforementioned CVE vulnerability, as well as several backported bug fixes and bug fixes specific to .NET Core 2.1.
After that time, .NET Core 2.1 patch updates will no longer be provided. We recommend that you move any .NET Core 2.1 applications and environments to .NET Core 3.1 in first half of 2021. It'll be an easy upgrade in most cases.
Parenthetically, of course, I hope your upgrades go better than mine usually do. I seem to hit every upgrade problem that could exist.
Windows 10 version 20H2 Build 19042.746 has been released to the beta channels and these are chock full of security fixes that probably don't matter to you and me, but matter greatly to enterprises.
IdentityServer 5 has been released. This is the first major release under the new company's banner, and here's to many more.
You can now write C# for embedded systems using NanoFramework. THIS IS INCREDIBLE. I used C when writing the firmware for Jewelbots (because let's be honest there were no alternatives), and I'm excited to see that .NET is now a viable option. Part of me wants to take a few weeks and rewrite the firmware in NanoFramework, just to see if it's possible, but the other part of me knows it'll have to take a backseat to my TDD courses and classes. I will add it to the list, however.
Other .NET News
The EF Core team releases a video discussing what's coming in EF Core 6. They used the survey to help guide their thoughts for EF Core 6; and while I have a personal disdain for survey-driven-development, I understand why they'd want to do it. There's also a GitHub issue related to EF Core 6 in case watching videos to get information is not your jam.
There's a cheatsheet showing how to use C# 9 features from the team at Okta. Real world use cases for these features are a nice thing to show off, and I'm here for it. Special thanks to Heather Downing (@quorralyne on Twitter: https://twitter.com/quorralyne) for the link.
Mobilize.NET can convert your VB and VB.NET Apps to .NET Core. This seems like a neat little utility, and while there's a company behind it, if you have a VB or VB.NET application, this may be your ticket to making the migration to .NET Core (and .NET 5). Check it out and let me know how it performs for you. (Special thanks to Dee Dee Walsh (@ddskier on Twitter) for the link.)
Mana Pichova shares networking improvements made in .NET 5. This is a great read but is definitely on the heavier side. If networking is your jam, give this post a read.
Jimmy Bogard talks about ActivitySource and Listener in .NET 5. These classes are replacements for DiagnosticSource and Listener, so if you use either of those, give this post a read.
ZeroSharp - a way to compile C# to native code, has hit 1000 stars on GitHub. This is a wonderful milestone, and while GitHub stars don't pay the bills, it's nice to see a .NET library hit wide usage.
The analysis of the SolarWinds Hack digs deeper, this time into replacing MSBuild. SUNSPOT was another malware vector in the SolarWinds hack, and this article goes deep into how it was used to replace MSBuild. This thing gets scarier and scarier.
Speaking of scarier and scarier, NuGet packages can run arbitrary code on your system, and now I'm going to lie in my bathtub and rock gently, and that fantasy of buying a mountain cabin and living off the grid grows a step closer to reality.
JetBrains is hosting an AMA on January 21st, 2021 on Reddit and you'll now have the opportunity to ask them how it feels to have Microsoft nipping at their heels for 21 years straight.
Khalid Abuhakmeh writes about what he's learned in his time in .NET and there are some good lessons in there. Give it a read.
There's a job opening for a REST API software engineer at Microsoft. The only downside is it appears to be only for Redmond, Washington. In other words, not pandemic friendly.
There's another job opening for Microsoft in the Atlanta area, and this one appears to allow remote. This is for the OXO team, which is not, to my chagrin, pronounced 'the hug and kiss and hug' team.
Headspring is hosting a webinar on January 21st detailing how they migrated an application to .NET Core. This will dive deep into the strategy and tactics behind the migration, and should be a good event to attend if you're thinking of doing the same.
The Azure team details its performance improvements from migrating from .NET Framework to .NET Core 3.1. It's always great to see these sorts of in-depth analyses, and this one is no different.
Are you thinking of moving to Microservices, or event driven Architectures? If so, then you'll want to read about Durable queues from Stephen Cleary. These primitives are necessary for an event-driven architecture, and it's always great to read Stephen's work.
Other News and Sundries
Microsoft is close to running all its own services on Azure. Not running your own services on your own cloud is generally a bad signal to send to the world when you want them to trust your cloud, and kudos to Microsoft for fixing this glaring issue.
The Parler 'hack' is a masterclass in bad ideas having bad outcomes. If you haven't kept up: Parler relied on several external services for security; but when those services were yanked away (due to Parler hosting neo-nazi and insurrectionist content), their code took the absence of such services as a reason to approve whatever action the user was trying to take. It's the equivalent of your house security system letting everyone in if the phone-line goes down. There's so much more to the Parler hack, from the lack of rate-limiting to the ability for people to pull down 60-70TBs of information from Parler's AWS hosted storage, which, to add insult to injury, results in a massive egress bill from AWS to Parler, on top of AWS no longer hosting Parler.
In the Things to make you feel good department (https://khalidabuhakmeh.com/six-famous-artists-quotes-that-apply-to-programming), Khalid Abuhakmeh shares six quotes from artists that apply to programming. We could all use some good news right now.
Scott Hanselman interviews Amanda Silver about an entire division going remote during the pandemic. When we said "The future of work is remote", I'm not sure we were counting on a pandemic being the catalyst.
GitHub fired and then re-hired the person who made an internal team chat that said "Nazis are about" in the Capitol Insurrection. This disgusted me when it happened: A Jewish GitHub employee was fired for warning the company about literal nazis. The head of HR later fell on their sword for this egregious failure of leadership by the company, and it reinforces my question: Where the hell is the adult leadership at GitHub? Between the ICE contract and this, I'm not sure they realize what political sphere their company inhabits.
TechBash 2021 is going to tentatively be in person in the Pennsylvania Poconos. Is it just me or is this a little too soon? I mean, we're recording the highest number of deaths ever from COVID and our vaccination plans are woefully under implemented at best. There is a virtual option, at least, so that's good.
Microsoft's Twitter game is getting better with a gif to show you how to de-clutter your screen. Where has this knowledge been all my life?
There's a phishing attempt at githubverification.com and it looks rather impressive. Be careful out there, folks. Special thanks to Tess Rinearson for the catch.
I'm hosting a webinar titled "Intro to TDD for .NET", and if you've been wondering what TDD is, or at this point why you should care about it, this webinar is for you.
And that's it for what happened last week in .NET. I'm George Stocker, and I help teams double their productivity through Test Driven Development. As always you're a wonderful audience, and I will see you next week. Thanks.