Last Week in .NET

Microsoft Shares your Info with Canonical if you use Ubuntu; .NET Turns 19; and three CVEs get patched in the .NET World.

Show Notes

🎂 .NET Turned 19 on February 13th. Awwww. and I learned about it from AWS. Nice Shade.

🚨🚨🚨 Microsoft releases a whitepaper on mitigating risk when using Private package feeds This dovetails with the security researcher who wrote about how they hijack'd namespaces for private feeds; and Microsoft releases a whitepaper on this issue and how to mitigate this. This is up top because it's crucially important for teams that use private Nuget feeds. Thanks to Barry "I love Beans" Dorrans for sharing this on Twitter.

If you use Azure Artifacts to store your private packages, Microsoft has done you a solid and fixed that behavior as well.

Releases
🚨🚨🚨 Several CVEs have been fixed with new .NET Core updates, including CVE-2021-1721 (Denial of Service) and CVE-2021-24112 (Remote Code Execution).

🍾 Visual Studio 16.8.5 has been released with the two above CVEs fixed and antoher CVE, specifically CVE-2021-1639, which is a TypeScript Language Service Remote Code Execution Vulnerability. There are also a few bug fixes in this release as well.

🍾 Visual Studio Code v1.53 has been released. You can now wrap tabs instead of horizontally scrolling when you have a lot of tabs open. I feel seen.

🎂 Cake v1.0.0 has been released. It's been 112 releases to 1.0, and congrats to Cake for getting there. For those of you just hearing about Cake, it's a C# build engine in the style of Make, from where it gets its name.

🚨 .NET 5.0.3 has been released this fixes the aforementioned CVEs and bug fixes for ASP.NET Core, Entity Framework Core, the runtime, and even Winforms.

🚨 .NET Core 3.1.12 has been released with the same CVE fixes but far fewer bug fixes for the Runtime, the CoreCLR, Winforms, and ASP.NET Core.

🚨 .NET Core 2.1.25 has been released and you get the aforementioned CVE fixes but only one lone fix for ASP.NET Core.

🍾 C#/WinRT Nuget Package has been updated to 1.1.2-prerelease.210208.6 So if you want to target WinRT, check it out.

🍾 Entity Framework Core 6.0 preview 1 is coming soon and the team is currently working on compiled models, Temporal tables and investigating GraphQL. They never sleep. They can't.

🍾 Microsoft releases Windows UI Library 3 preview 4 which has a few feaures but even more bug fixes.

.NET Events
🎥 Scott Hunter, Director of Program Management for .NET, is giving a talk on the state of .NET 5 and what's coming in .NET 6. It's an MS Teams event but let's not hold that against Scott. .NET 6 has big shoes to fill: It's the first LTS release under the ".NET" moniker; and it's when MAUI is due. Special thanks to Ginny Caughey (@gcaughey on Twitter) for the link.

📆 The Event List for .NET Conf Focus on Windows has been released. Github actions, Native App development in .NET 6, Azure SignalR and Desktop apps, and running WPF/Windows forms on Arm devices all make an appearance. .NET Conf "Focus on Windows" is February 25, 2021, so sign up today.

.NET News
💍 There's a proposal to allow Emojis in C# and I was about to 😂 but that's apparently not cool any more so I'll 😭 instead.

🏫 Tess Ferrandez updates her .NET debugging deep dive Tess set up a lab to allow you to practice how to debug .NET application using tools like windbg and procdump. This is an insanely informative and clearly written set of labs on how to master runtime debugging for .NET.

📝 Do you write ASP.NET Core Middleware? Steve Collins breaks down the potential pitfalls when using dependencies and writing ASP.NET Core Middleware. This is one of those 'have it in your back pocket' blog posts for the next time you have to write middleware.

🚢 System.Speech has been shipped as part of the Windows Compatibility Pack for .NET Core. Still no cross-platform speech; but at least it's something.

🧙‍♂️ David Fowler talks about .NET APIs you probably didn't know existed, including StringBuilder.GetChunks which is not, I repeat, not, about cleaning up after a party.

📝 Jeremy Miller talks about Event Sourcing with Marten. This is relevant to the microservices and SOA Crowd.

📝 Speaking of the Microservices Crowd, Matt Ellis, Principal Software Engineer for the Azure SDK, talks about how you can create a custom event hubs event processor in .NET. This looks super confusing and I'm either too dumb to get what's going on or the people who wrote it are too smart.

📝 Andrew Lock talks about how to use source generators to find all routable components in a Blazor WebAssembly App and I've now exhausted all of the vocabulary I know about Blazor.

📝 Eric Sink laments that more languages aren't supported on the CLR. Me too, Eric. Me too. I want Perl for .NET. I know I will never get it, but I want it.

Don't write async validators in ASP.NET Core. The Pipeline validators run on is synchronous so you'll run into problems. That's an important safety tip. Thanks Jeremy.

📝 Richard Lander talks about how to stay safe with .NET Containers We don't have near enough the tooling to handle the dependency chains our applications run on; and that does present a problem when a few major companies are effectively responsible for the security of the entire internet. With that statement, I don't know if things have gotten better or worse.

Microsoft News
👎IF you use Azure and you start up an Ubuntu instance, Microsoft shares your contact information with Canonical, the publishers of Ubuntu. This is a hard pass for me. Don't do this sh*t, Microsoft.

☠ Microsoft is removing Edge legacy in April from Windows 10](https://www.kunal-chowdhury.com/2021/02/ms-edge-chromium-update.html) Let's pour one out for browser competition.

General Interest
Skeletons in the IT Closet: Seven Common Microsoft Active Directory Misconfigurations that Adversaries Abuse This is more for the system adminstrator crowd but given that roles are getting blurred more and more, I thought I'd share.

🚩 There's a new RFC out that for Structured Header fields in HTTPS this is only about 25 years too late, but better late then never.

👶 The Rust Foundation is born Given that it's Rust, I had to tell you about it. Microsoft has also joined the Rust foundation, which means you'll be hearing about Rust more from me. Sorry?

🤯 Solarwinds, the hack that keeps on giving is going to get worse before it gets better If you work in enterprise security, I won't judge you for picking up drinking. This is a mess.

Jobs
💰 Microsoft is hiring a Principal Program Manager to help their business units develop open source best practices. This is an opportunity to help Microsoft better learn how to interact with Open Source Software, with all the challenges that entails.

And that's it for what happened last week in .NET. Patch your systems, and be prepared for the Solarwinds hack to get a lot worse.

P.S., I'm running a webinar on March 5th, 2021 going over how Test Driven Development (yes, that Test Driven Development) can help you and your .NET team make decisions. Sign up here if you're interested.

What is Last Week in .NET?

A podcast that details the happenings around the .NET ecosystem, generally a week at a time. I can neither confirm nor deny that there will be attempts at humor involved.

For any confusion caused to fishermen thinking they've gotten a new podcast devoted to the tools of fishing, I am sorry. This is about the technology stack. Naming is hard.