My favorite sentence from a "That's interesting" perspective is: "Buffalo buffalo Buffalo buffalo buffalo buffalo Buffalo buffalo". With the flurry of patches for one CVE, I can only imagine someone at Microsoft is saying "Patch patch Patch patch patch patch Patch patch", to the same effect.

.NET Core 3.1.7 has been released

Release Notes

The big news here is that another major CVE has been patched, this time against ASP.NET Core. CVE-2020-1597 is a Denial of Service vulnerability that targets how ASP.NET handles unauthenticated web requests.

In typical CVE fashion there isn't a released proof of concept, so while it's unknown if there are any exploits in the wild, you should upgrade and patch your ASP.NET Core installations immediately.

Also released in .NET Core 3.1.7 is a change to how .NET Core applications are built: ASP.NET Core applications no longer generate a dylib on Mac; rather, they generate a DLL. This is due to the new notarization requirements starting in macOS Catalina.

If you're running an Ubuntu image based on version 19.10, be advised that it has now fallen out of support for .NET Core. It's a brave new world, folks, where Microsoft takes a hatchet to OSes older than a year. Keep in mind Windows 7 just fell out of support, so you know what side their bread is buttered on.

Also included is a new .NET Core SDK update: 3.1.107

.NET Core 2.1.21 has been released

This release also fixes the CVE for .NET Core 2.1, which is Microsoft's LTS supported version of .NET Core 2.

Visual Studio 16.7.1 has been released

Besides some IDE bug fixes, the big news here is that this is also listed as a product to update under CVE-2020-1597.

Visual Studio 2017 15.9.26 has been released

The same goes for this release: it is also listed under CVE-2020-1597.

https://docs.microsoft.com/en-us/visualstudio/releasenotes/vs2017-relnotes

Also, if anyone is wondering whether your release cycle is complicated, the Visual Studio team is supporting no less than three different versions of VS 2019 version 16.x in production: 16.0.17, 16.4.12, and 16.7.1.

Please reach out to someone at the Visual Studio team and ask them if they're feeling ok.

An overview of Statiq with Dave Glick

Cecil Phillip sat down with David Glick to talk about Statiq, a static site generation framework for .NET Core. I'm just getting into Statiq (I want to use it to host the web version of these newsletters and make the generation process less... manual) and this is a great video to watch if you want to learn about Statiq.

https://www.youtube.com/watch?v=43oQTRZqK9g

JetBrains announces release 2020.02 for JetBrains ReSharper

The 2020.2 versions of JetBrains .NET tools and extensions are here

https://www.jetbrains.com/resharper/whatsnew

https://www.jetbrains.com/rider/whatsnew

and licensing changes:

https://blog.jetbrains.com/dotnet/2020/07/15/licensing-update-net-tools/


There's another shoe to drop here somewhere, and I don't know what it is. I'm looking for it though, and when I find it I'll let you know. Between "Let's make things easy for our customers" and "licensing changes that increase revenue", I hope this action is at the center of that Venn diagram.

NoVA Code Camp


NoVA does not stand for that fictional paramilitary unit in Short Circuit, although more's the pity. It stands for "Northern Virginia", which by all rights and politics should be its own state. Anyway, normally they have an in-person code camp, and that's not conducive due to the Virus That Shall Not Be Named, so here we have a virtual code camp. If you've got a talk you're working on, or you just want to hear some great talks, you should sign up for this event. It's free. I'm pitching a talk on Event Driven Systems, and I hope it's accepted (if the NoVA CodeCamp staff happen to read this, lemme know where to send the bribe).

https://sessionize.com/northern-va-codecamp-fall-2020/

Microsoft ranks #3 on OSS contributions:

https://twitter.com/gortok/status/1293566607986491394?s=20

I will give Microsoft credit here: 10 years ago they were nobody in the world of Open Source software. Literally not even on the radar.

That said, I've got some problems with this ranking. You know the guy on YouTube that sits in the forest and builds a house from first principles? It's pretty neat. Anyway, Microsoft is that guy, GitHub is YouTube, and we're the people who can watch but can't really force him to build a castle from first principles. Although there's a YouTube channel for that too. Anyway, we're spectators. Microsoft pays the salaries of the .NET maintainers (all of whom are Microsoft employees), and the .NET Foundation's Executive Director (and Treasurer) are Microsoft employees. This isn't altruistic code contribution to OSS, this is "Watch us build our product on GitHub and give us a cookie for doing that". You don't get a cookie for that. At least not a chocolate chip one. You can have an oatmeal raisin cookie for that.

Microsoft is the benevolent dictator for .NET, at a time when benevolent dictatorship for Open Source is on its way out. 

Microsoft releases site that touts its OSS


I guess they're just displaying their own set of cookies at this point?

Twitter Mentions