August 15, 2020 - Patch, Patch, Patch!

Microsoft releases updates to all its .NET ecosystem tooling to account for another big CVE; Microsoft humble-brags about OSS.

My favorite sentence from a "That's interesting" perspective is: "Buffalo buffalo Buffalo buffalo buffalo buffalo Buffalo buffalo". With the flurry of patches for one CVE, I can only imagine someone at Microsoft is saying "Patch patch Patch patch patch patch Patch patch", to the same effect.

.NET Core 3.1.7 has been released
The big news here is that another major CVE has been patched, this time against ASP.NET Core: CVE-2020-1597, a Denial of Service vulnerability that targets how ASP.NET handles unauthenticated web requests.

In typical CVE fashion there isn't a released proof of concept; so while it's unknown if there are any exploits in the wild, you should upgrade and patch your ASP.NET Core installations immediately.

Also released in .NET Core 3.1.7 is a change to how .NET Core applications are built: ASP.NET Core applications no longer generate a dylib on Mac; rather, they generate a DLL. This is due to the new notarization requirements starting in macOS Catalina.

If you're running an Ubuntu image based on version 19.10, be advised that it has now fallen out of support for .NET Core. It's a brave new world, folks, where Microsoft takes a hatchet to OSes older than a year. Keep in mind Windows 7 just fell out of support, so you know what side their bread is buttered on.

Also included is a new .NET Core SDK update: 3.1.107

.NET Core 2.1.21 has been released
This release also fixes the CVE for .NET Core 2.1, which is Microsoft's LTS supported version of .NET Core 2.
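A check for the upgrade advice above, as an added example that is not from this newsletter or from Microsoft: it reads `dotnet --list-runtimes` output and compares the highest installed patch in each release line against the fixed versions named here (3.1.7 and 2.1.21). The sample listing, its install paths and the `audit` function name are constructed for illustration.

```python
import re

# Patch level that fixes CVE-2020-1597 in each release line, per this newsletter.
FIXED_PATCH = {(3, 1): 7, (2, 1): 21}

# `dotnet --list-runtimes` prints one line per runtime:
#   <framework name> <version> [<install directory>]
LINE = re.compile(r"^(\S+)\s+(\d+)\.(\d+)\.(\d+)(-\S+)?\s+\[.*\]$")

# Constructed sample output (not captured from a real machine).
SAMPLE = """\
Microsoft.AspNetCore.App 2.1.20 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 3.1.6 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 3.1.7 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 2.1.20 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 2.2.8 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 3.1.7 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
"""

def audit(listing):
    """Return {(framework, 'major.minor'): (highest installed version, verdict)}."""
    # Only the highest patch per release line matters: by default,
    # framework-dependent apps roll forward to it at startup.
    best = {}
    for raw in listing.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip blank or unrecognised lines
        key = (m[1], int(m[2]), int(m[3]))
        # A prerelease (suffix present) ranks below the release of the same patch.
        rank = (int(m[4]), m[5] is None, m[5] or "")
        if key not in best or rank > best[key]:
            best[key] = rank
    report = {}
    for (name, major, minor), (patch, is_release, suffix) in sorted(best.items()):
        fixed = FIXED_PATCH.get((major, minor))
        if fixed is None:
            verdict = "not-covered"  # release line this newsletter does not mention
        elif (patch, is_release) >= (fixed, True):
            verdict = "patched"
        else:
            verdict = "needs-patch"
        report[(name, f"{major}.{minor}")] = (f"{major}.{minor}.{patch}{suffix}", verdict)
    return report

if __name__ == "__main__":
    for (name, line), (version, verdict) in audit(SAMPLE).items():
        print(f"{name:28} {line:4} highest={version:10} {verdict}")
```

Self-contained deployments bundle their own runtime and do not appear in this listing, so they need a rebuild and redeploy against the patched SDK.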

Visual Studio 16.7.1 has been released
Besides some fixed IDE bugs, the big news here is that this is also listed as a product to update under CVE-2020-1597.

Visual Studio 2017 15.9.26 has been released
Also if anyone is wondering whether your release cycle is complicated, the Visual Studio team is supporting no less than three different versions of VS 2019 version 16.x in production. 16.0.17, 16.4.12, and 16.7.1.

Please reach out to someone at the Visual Studio team and ask them if they're feeling ok.

An overview of Statiq with Dave Glick

Cecil Phillip sat down with David Glick to talk about Statiq, a static site generation framework for .NET Core. I'm just getting into Statiq (I want to use it to host the web version of these newsletters and make the generation process less... manual) and this is a great video to watch if you want to learn about Statiq.

JetBrains announces release 2020.02 for JetBrains ReSharper
The 2020.2 versions of JetBrains .NET tools and extensions are here

and licensing changes:

There's another shoe to drop here somewhere, and I don't know what it is. I'm looking for it though, and when I find it I'll let you know. Between "Let's make things easy for our customers" and "licensing changes that increase revenue", I hope this action is at the center of that Venn diagram.


NoVA Code Camp

NoVA does not stand for that fictional paramilitary unit in Short Circuit, although more's the pity. It stands for "Northern Virginia" which by all rights and politics should be its own state. Anyway, normally they have an in-person code camp; and that's not conducive due to the Virus That Shall Not Be Named, so here we have a virtual code camp. If you've got a talk you're working on, or you just want to hear some great talks; you should sign up for this event. It's free. I'm pitching a talk on Event Driven Systems, and I hope it's accepted (if the NoVA CodeCamp staff happen to read this; lemme know where to send the bribe).

Microsoft ranks #3 on OSS contributions:
I will give Microsoft credit here: 10 years ago they were nobody in the world of Open Source software. Literally not even on the radar.

That said, I've got some problems with this ranking. You know the guy on YouTube that sits in the forest and builds a house from first principles? It's pretty neat. Anyway, Microsoft is that guy, GitHub is YouTube, and we're the people who can watch but can't really force him to build a castle from first principles. Although there's a YouTube channel for that too. Anyway, we're spectators. Microsoft pays the salaries of the .NET maintainers (all of whom are Microsoft employees), and the .NET Foundation's Executive Director (and Treasurer) are Microsoft employees. This isn't altruistic code contribution to OSS, this is "Watch us build our product on GitHub and give us a cookie for doing that". You don't get a cookie for that. At least not a chocolate chip one. You can have an oatmeal raisin cookie for that.

Microsoft is the benevolent dictator for .NET, at a time when benevolent dictatorship for Open Source is on its way out. 

Microsoft releases site that touts its OSS

I guess they're just displaying their own set of cookies at this point?



Guidance for developing with Entity Framework in ASP.NET Core Blazor has been released:
If this sort of thing doesn't jazz you, I don't know what to say to you. I mean, using Blazor *is* still experimental, and EF Core is getting there; but if you enjoy being on the bleeding edge, at least now you have some great documentation to help you.

https://docs.microsoft.com/en-us/aspnet/core/blazor/blazor-server-ef-core?view=aspnetcore-3.1


Transcript (To come, powered by Otter.ai)

George Stocker  0:00  
Hi, I'm George Stocker, and this is Last Week in .NET for the week ending 15 August 2020. .NET Core 3.1.7 has been released. The big news here is another CVE has been patched, this time against ASP.NET Core. The CVE is CVE-2020-1597, which is a denial of service vulnerability that targets how ASP.NET handles unauthenticated web requests. In typical CVE fashion, there isn't a released proof of concept. So while it's unknown if there are any exploits in the wild, you should upgrade and patch your ASP.NET Core installations immediately. Also released in .NET Core 3.1.7 is a change to how .NET Core applications are built on macOS. ASP.NET Core applications no longer generate a dylib on Mac. Rather, they generate a DLL. This is due to the new notarization requirements starting in macOS Catalina. If you're running an Ubuntu image based on version 19.10, be advised it has now fallen out of support for .NET Core. It's a brave new world, folks, where Microsoft takes a hatchet to OSes older than a year. Keep in mind Windows 7 just fell out of support, so you know what side their bread is buttered on. Also included in this update is a new .NET Core SDK update to 3.1.107. .NET Core 2.1.21 has been released. This also fixes the issue with CVE-2020-1597 for .NET Core 2.1, which is Microsoft's LTS supported version of .NET Core 2. Also for the CVE, Visual Studio 16.7.1 and 15.9.26 and 16.4.12 have been released, and all of these deal with CVE-2020-1597. I feel like I'm saying that too much. Now the big notice for me here was that the Visual Studio team supports three versions of Visual Studio in production right now. They're supporting 16.0.17, 16.4.12 and 16.7.1. Please reach out to someone at the Visual Studio team and make sure they're okay.
Dave Glick gave us an overview on YouTube of his static website framework called Statiq, with a Q. Cecil Phillip sat down with him on YouTube, and they go over what Statiq is, what it does, and how to use it. It's a good watch and I'm thinking of using it for this newsletter, the website version of this newsletter, and you should give it a look too. JetBrains announces release 2020.02 for JetBrains ReSharper and Rider. The big thing here for them is they announced licensing changes. They say they've simplified the model for licensing. There is another shoe to drop here somewhere, and I don't know what it is. I'm looking for it though, and when I find it, I'll let you know. Between "let's make things easy for our customers" and "licensing changes that increase revenue", I really hope this action is at the center of that Venn diagram. Now for ReSharper, there's a number of changes they've made. The one that I find the most intriguing is they've changed their unit test runner, so that the same process works on Visual Studio for .NET Core and .NET Framework. NoVA Code Camp is going to be on 26 September 2020. This is going to be a virtual event. Now NoVA does not stand for that fictional paramilitary unit in Short Circuit, although more's the pity. It stands for Northern Virginia, which by all rights and politics should be its own state. Anyway, normally it's an in-person code camp, and that's not conducive due to the virus that shall not be named. So we're having a virtual code camp. If you've got a talk you're working on or you just want to hear some great talks, you should sign up for this event. It's free. I'm pitching a talk on event driven systems, and I hope it's accepted. By the way, if you work for the NoVA Code Camp and you happen to hear this, let me know where to send the bribe. Microsoft ranks number three on open source software contributions.
Now, I will give Microsoft credit here: 10 years ago, they were nobody in the world of open source software. They weren't even on the radar. Literally. That said, I do have some problems with this ranking. There's a guy on YouTube that sits in the forest and builds a house from first principles. It's pretty neat to watch. Anyway, Microsoft is that guy and GitHub is YouTube. And we're the people who can watch but can't really force him to build a castle from first principles, although there's probably a YouTube channel for that, too. Anyway, what I'm saying here is we're spectators. Microsoft pays the salaries of the .NET maintainers, all of whom are Microsoft employees. And the .NET Foundation's executive director and treasurer are Microsoft employees. This isn't some altruistic code contribution to the open source software community. This is "watch us build our product on GitHub and give us a cookie for doing that". By the way, they own GitHub. Now you don't get a cookie for that, at least not a chocolate chip one. You can have an oatmeal raisin cookie for that though. Microsoft is the benevolent dictator for .NET, at a time when benevolent dictatorship for open source software is on its way out. They also released a site touting their own OSS software. You can go to this site and see what Microsoft releases under an open source license. I guess at this point, they're just displaying their own cookies. Guidance for developing with Entity Framework in ASP.NET Core has been released. Now if this sort of thing doesn't jazz you, I don't know what to say. I mean, documentation for bleeding edge systems like Blazor and like Entity Framework Core is hard to come by, and Microsoft is doing a really good job here of producing documentation that's useful to those of us that want to use Blazor and Entity Framework Core. Now given that Blazor really is still experimental and Entity Framework Core is getting there,
I don't think there are people that are going to use it in production. But either way, it's really nice that Microsoft is paying attention to the documentation. And that's it for what happened last week in .NET. I'm George Stocker, and I help teams double their productivity through test driven development. If your team wants to go home at 5pm, not worried about late breaking bugs at night that wake you up and upset your customers, reach out at www.doubleyourproductivitity.io.

Transcribed by https://otter.ai

© 2020 Double Your Productivity