August 22, 2020 - Why we can't have nice things

Microsoft waits 2 years to patch an exploit in the wild, and other news from last week.

.NET 5 RC1 is coming soon
Ok so technically this isn't "released" yet but David Fowler of the .NET team shared this photo in a tweet that shows two interesting tidbits, .NET 5 preview 7 is the last preview (AKA 'alpha') release and .NET 5 (Version 5.0.100) RC1 is coming soon. The other interesting tidbit is the 'master' branch (poor naming choice) is .NET 6.0.x, and at least as of this moment .NET 6 is slated for November 2021.

Microsoft Ignite is September 22-24th, 2020, and is Free.
DevIntersection is hosting a 2-day series of workshops on .NET:!/ is hosting a virtual 2-day series of workshop for the corporate friendly price of $199 on October 26th and October 27th 2020. Speakers include some pretty big names in the .NET space, including the Gu (sigh. Fine, "Scott Guthrie"), Kimberly Tripp, , Carl Franklin, Michelle Bustamente, and Scott Hunter.

Each workshop is $199 and for that you also get access to the free keynotes. I signed up for the keynotes, and understand that if you do, you can be entered to win an XBox or a free workshop

Microsoft's Ignite conference is September 22-24, 2020, and is free. The subtitle of the conference is "Empowering the technical community to help customers innovate and rebuild in a changing world" which roughly translates to "Build new &$@#, get paid". Registration opens September 3rd, 2020.

Looks like CSharpForMarkup is staying in Xamarin Forms 5
do you ever see those fight videos on youtube that start just a few seconds too late so you don't know what caused it and you're left reading the comments to figure out what the hell is going on? This is like that, but on Github.

Anyway, turns out after the team was going to take out CSharpFormarkup support out of Xamarin Forms 5 and move it to .NET 6 (MAUI), the loud voices on Github convinced them to keep it in.

C# for Markup allows a programmer to write C# markup instead of XAML for Xamarin forms. Looks neat. Incidentally, it was the author of C#ForMarkup that let me know about this on twitter.

EFCore updates -- Many to Many is in the daily builds
You know an ORM is nascent when Many-to-Many support is just landing. I remember when EFCore was billed as a lightweight alternative to EF6. There's no doubt that Entity Framework 6 was plagued by three different ways to do the same thing with teams ending up mixing and matching and driving each other crazy. The hope is the EFCore team keeps their eye on the ball and keeps a unified focus on what the API should look like for EFCore. Given that Microsoft's bread is buttered by large enterprises that hate change, I'm not holding my breath, however.

Emotions we have but don't can't explain
Scott Hanselman releases a video explaining the .NET Ecosystem
If you're new to .NET (or even if you aren't) this video by Scott Hanselman explains the .NET ecosystem in all its 20 year sprawling majesty in a youtube video.

Tempted to make a TikTok. Let's GO!*.

The .NET Team releases a deep dive into how .NET is built and released
This is a follow-up to the public twitter statement that .NET daily builds aren't available when there are undisclosed security fixes; the .NET went through their entire build process. On a personal note, I made it through after a two-drink minimum. It also brings to sharp relief that .NET will always have Microsoft as its benevolent dictator for life.

Maoni Stephens releases a 3 part series on the .NET GC on Youtube
Maoni Stephens shares how the GC works in three parts. I love these sorts of videos. I had to learn about the GC from Jeffrey Richter's "CLR via C#" book (back when there was only 1 edition), and now we can learn this stuff on Youtube. There's a little bit of jealousy, but mostly I'm grateful for people who take the time to share this stuff.

Mads Torgerson addresses the viral "stuff I wish C# had but doesn't" tweet
Mads went to twitter to address the tweet that made it on the Orange Site that detailed some changes the author wishes C# had. Mads wrote:

 This is a great list of useful features missing from C#. They aren't fundamental flaws and could all be addressed; many are already on the radar for future versions. E.g. primary constructors are planned for C# 10.0, and could then be a building block for object expressions.

I'm not really one to ask about all these new features because I'd be perfectly happy with C# 5. Some of the newer features are rather nice; but I don't think fundamental tinkering with the syntax of a language is a great way to maintain language cohesiveness. Call me old fashioned.

Rick Brewster opines on what neat things you could do if we could get rid of the .Count property for certain collections:
Did you know the ASP.NET community team holds a weekly Standup?
I'm not sure it's actually a standup but naming is hard. Anyway, you can check it weekly, here.

Proposal to allow Wildcard using statements
If you've used Python or TypeScript, you've seen this sort of approach when importing modules from a third-party library. Dave mentions it as a way to handle the fact that some types of utility methods (like extension methods) should really be at the top level, even though organizationally, Visual Studio loves it when your namespaces reflect your folder structure, and penalizes you with red squigglies when you don't. It's an interesting proposal, and I'm going to keep an eye on it.

System.Text.Json getting more love for .NET 5.
After Microsoft bought out Newtonsoft and its author, it immediately set to replacing NewtonSoft.Json with it's own System.Text.Json (incidentally, I'm not clear as to whether James Newton-King worked on System.Text.Json), and for .NET 5 it appears System.Text.Json is getting some much needed additions. It even has its own Kanban board.

David Fowler of the .NET team shows off more Top-level statements
I'm torn on top-level statements. One of my favorite parts of Perl was the ease at which I could create a one-liner or a single file program, and from a nostalgia perspective I'm happy C# is getting that, but on the other hand, it's this "there's ten billion ways to do the same thing" that ends up plaguing all programming language environments and making it hard for new people to figure out what the hell is going on. Yea, "You're only new once", but it's an eternal september out here, folks.

What's coming with Blazor in .NET 5?
The .NET Team showed off blazor improvements during their .NET community standup, I missed this when it happened, but I absolutely refuse to rename this the "Last two weeks in .NET" newsletter.

Some of the touted improvements:

  • CSS Isolation
  • Lazy-loading
  • Auto refresh with dotnet watch
Blog post on C# 9 records has been released
C# 9 makes it easier to declare immutable data structures with the advent of Records.

Todo: Fix vulnerability
Microsoft patched CVE-2020-1464 on August 11 during their normal Patch Tuesday release. This CVE dealt with how Windows validates digital signatures for programs. Developers among us call this 'code signing', and it allows for a company to have their software blessed as being 'from them' and just as importantly verify that nobody mucked with the executable itself. One of the more frightening parts of the internet is that before code signing (and even after it), we just blindly trust software we downlaod, and that was fine when it didn't underpin our way of life, but this being 2020, software is everywhere, used for everything.

This CVE exploited that process to effectively spoof the origin of a piece of software, or more nefariously, be able to modify an executable without triggering a warning upon install.

All of this is normal so far, as far as CVEs go. They happen, and they get patched. What makes this remarkable is that Microsoft waited two years to patch this CVE, even though there was evidence it was being exploited in the wild and that researchers told Microsoft of this fact repeatedly.

In case that isn't enough to raise the hairs on the back of your neck, one of the people who knew it was being exploited, Bernardo Quintero, released a blog post detailing how it was being exploited -- after all, his company, VirusTotal, detects malware as a service. As Brian Krebs quotes in his post:

 “In short, an attacker can append a malicious JAR to a MSI file signed by a trusted software developer (like Microsoft Corporation, Google Inc. or any other well-known developer), and the resulting file can be renamed with the .jar extension and will have a valid signature according Microsoft Windows,” Quintero wrote. [...] “Microsoft has decided that it will not be fixing this issue in the current versions of Windows and agreed we are able to blog about this case and our findings publicly,” his blog post concluded.

The exploit is called Glueball (Developers, take note, security researchers are better at naming than we are).

But the over all part of this that burns my backside is that Microsoft knew and publicly did nothing about the exploit for two years. In fact, when asked the very question of "Why the hell didn't you do something for two years?" The representative from Microsoft answered (with temerity, I'm sure) "Windows user who have applied the latest security updates are protected from this attack".

 “A security update was released in August,” Microsoft said in a written statement sent to KrebsOnSecurity. “Customers who apply the update, or have automatic updates enabled, will be protected. We continue to encourage customers to turn on automatic updates to help ensure they are protected.”

I'm opining here, but I can't believe Microsoft would let such a risky exploit go for two years unless they were forced to. I wouldn't be surprised if a nation-state actor was using that exploit and politely asked Microsoft not to patch it.

Yes, that's an opinion, but that is slightly more plausible than Microsoft saying "No big deal, let's wait two years to fix an already exploited security Vulnerability.

We've seen Microsoft jump into action immediately on Zero-days; but this behavior from Mirosoft is just too weird to ignore.

C# 9 Natively Sized Integers
For the subset of programmers that code that needs to worry about such a thing (if you have no idea what this is, then you're not one of them), then this is good news, and one less reason to have to dive into Interop.

Raymond Chen talks about why you can't just hack off the GUID and use part of it for uniqueness
The .NET team is busy adding nullable annotations to the BCL
Ok, this took some reading and I'm still not sure I fully undestand what's going on, but my simple response is starting in C# 8.0, you have the ability to tell the compiler that a certain reference is 'nullable', that is that it can be assigned null; through the ? operator: string? myVar = null;. This tells other programmers that yes, a string can have a null value; (Yes, No, FileNotFound, anyone?); and helps to clearly express the situations where null is a good idea, and the situations where it's bad. Billion dollar mistake bad.

To lighten our loads, the .NET team has taken to adding these nullable annotations to the .NET BCL. Presumably this will help static analysis tools not be such unsympathizing assholes all the time. Presumably.

© 2020 Double Your Productivity