back to article Microsoft forks .NET and WHOMP! Here comes .NET Core app dev stack

Microsoft has revealed more details about .NET Core, "the foundation for all future .NET platforms". In a detailed post, Microsoft’s program manager Immo Landwerth explains why the company is forking .NET in order to make sense of shipping .NET for multiple platforms, including Windows desktop, Windows Store (or “Metro”), …

Silver badge
Pint

Er? Excuse me....

Another problem is how to update .NET libraries if security problems are found.

Another problem is how to update .NET libraries WHEN security problems are found.

There fixed it for you.

I think I might just treat myself to one of these tonight.

12
10
Anonymous Coward

Re: Er? Excuse me....

And fingers crossed the .net update doesn't screw up in Windows update.

3
1

Re: Er? Excuse me....

It won't; at least not for apps using .NET Core - the libraries are deployed with the apps so it's up to the dev to release app updates independent of Windows update. As it says in the article - the version of . NET deployed with the app is independent of the Framework version installed on the machine.

1
2
Anonymous Coward

Re: Er? Excuse me....

So,,, it's now up to the developer to push any security updates?

1
0

Re: Er? Excuse me....

Microsoft tried this approach ten years ago with the GDI+ graphics library... instead of rolling it into the OS or the C++ runtime, they required that developers build it into their installer and deploy it with their application. (Never mind that the name makes it sound like an OS component - GDI without the plus is a core part of the Windows API.) Then someone found a nasty vulnerability in the GDI+ jpeg parser. Microsoft released a patch that updated the GDI+ libraries used by Microsoft applications, but left it to the third party software developers to replace the GDI+ libraries used by other applications. Needless to say, most developers viewed this as Microsoft's problem and didn't ship an update. Microsoft eventually had to release a new patch that attempted to find and update all copies of GDI+ on the system. It didn't work very well, and vulnerable copies kept sneaking back on the system as software was reinstalled.

Another example of how this approach can go terribly, horribly wrong is Java applications that install their own, private, ancient versions of the JRE - and won't work with any other version.

Those who do not remember history are doomed to repeat it... what a mess.

9
0
Silver badge

Re: Er? Excuse me....

Agreed. This seems like MS has taken something that broadly works and have then just utterly fucked it up in order to get some all encompassing development World. Have a look at Java and the aforementioned ancient JRE versions that some apps require. Like a software developer is going to give much of a shit about a security hole in the version of the .Net libraries they shipped? Well, it might well prompt a next version of .Net is only available on the latest codebase, send your upgrade fees here.

4
0

I bet this will go well

It wont end well, we all know this.

BUT to be fair this seems like the least bad way of doing it. They're trying to go cross-platform as much as they can without doing "lowest common denominator" (think not QT, which renders its own crap, and wxWidgets which gives a standard API to native) stuff. This is good.

Take the "universal apps" - yes the name is a lie, but there's logic here. For apps which are simply front-ends this is a pretty good way of doing it, it becomes a bit weird when that program will use some resources (phone compared to desktop) but it's a good attempt.

I'll never use these tools (Linux! (Mint MATE)) but I can see that they're trying, it may not be great but it does seem they deserve credit for the least bad way.

Also regarding security, I would hope that if they find a problem that they release/push (whatever) packages containing JUST the security fix to all versions, that way version n will behave like version n just with the fix.

This means maintaining 4 versions per year which isn't nice but it's not a huge task, especially not if the fixes are trivial.

Just a thought.

2
4
Anonymous Coward

Re: I bet this will go well

BUT to be fair this seems like the least bad way of doing it. They're trying to go cross-platform as much as they can without doing "lowest common denominator" ... stuff. This is good.

Really? I'd call it a pretty damn bad way of doing it, and not at all good.

Each .NET "application" (and some .NET software is a hell of a lot bigger than a simple "application") ships with its own runtime? Oh, that's fucking brilliant. So every app will be hugely bloated with duplicate code everywhere, there will be unending mysterious incompatibilities ("how come this app can parse my new machine.config section, and this other one can't?"), and - as others have noted above - there's no good way of handling security updates and other fixes.

This is the abomination that is SxS, amplified and aggravated by losing even more central control over library versioning.

Microsoft's made multiple stabs at getting shared libraries right, and fucked every single one of them up. Now they're just giving up. That's not an improvement; it's a failure of vision. (And other platforms haven't managed to handle shared libraries much more successfully; it's not like Microsoft had no models to follow.)

0
0

Love poem to Microsoft

Roses are horrible

Violets are crap

Who on Earth would write a

'Windows Store' app?

20
0
Windows

If you have worked with NuGet packages, you will know that dependency issues, also known as DLL Hell, can still be a problem. Package A requires version n of Package B, but package C does not work with version n of Package B.

I've encountered this scenario on more than one occasion.

It is usually accompanied by a series of curses and incantations.

6
0
Silver badge

I admit I've never encountered it, but that's because I found NuGet so awful the first time I tried it, I never went back.

0
0
Anonymous Coward

'The .NET Framework and C# language were a hit with developers'

Really? Most of the shops I worked at felt that it was forced upon us before it was ready. A cynical con job due to Microsoft's die-hard envy of Java, or a 'Ribbon' to perpetuate endless upgrade cycles and force developers into retraining, when Visual-Studio was more than adequate for just about anything at the time.

I spent good money switching over to .Net and getting retrained and for what?! Example: Debugging and just-in-time editing (Edit & Continue). This has never worked as was promised IMHO... And now there's a push back from Redmond to HTML / JS. WTF???

I use JS / C# in Unity for game dev (Monodevelop). That's where it works well in my view and much better than C++ in UE4 or Unrealscript in UDK.... What MS could have done was leverage VBA and create a powerful Visual Programming paradigm like Kismet / Blueprints for its own platforms...

10
7
Anonymous Coward

Re: 'The .NET Framework and C# language were a hit with developers'

Interested to read comments from the downvoters...

2
0
Anonymous Coward

Re: 'The .NET Framework and C# language were a hit with developers'

.NET could only have been a hit with Microsoft's hypothetical, idealized "Joe Developer" who has a bunch of free time to learn new stuff and never has to work with any legacy code.

Back when Microsoft first released .NET and started pushing it hard, I was working on a multi-million line project written in C++. Microsoft kept trying to get us to rewrite the whole thing in C# as if it would be a weekend project. WTF? I can tell you definitively that .NET and C# were not a "big hit" with us.

5
0
Silver badge

Re: 'The .NET Framework and C# language were a hit with developers'

I haven't voted either way but, to be honest, I'd much rather be developing in .Net than Java.

2
1
Silver badge

Re: 'The .NET Framework and C# language were a hit with developers'

.NET's not bad for the one large project I've used it on. I'm not thrilled with the tooling (i.e. Visual Studio - but then I am not a fan of IDEs), but the Framework has a decent feature set of basic infrastructure classes, generics, and the like; the managed environment catches a lot of mistakes; the JITting system generally works pretty well; system functionality like AppDomains and GC control is mostly clean; the code-signing mechanism is easy to use.

I wouldn't try to port a lot of legacy code to it, except in an environment where that can be done with minimal changes (like, say, if I had a bunch of CICS COBOL apps I wanted to run under .NET). But for new development I've seen much worse environments.

I still do more work in C than anything else. I like C (which is more than I can say for C++, a language which seems to exceed nearly everyone's ability to write readable, maintainable code). But I like C largely because I generally work with clean, tidy, well-designed C code written by someone who knows the spec (me). If I had to work with a bunch of inferior developers, I'd much rather work in a managed environment that'd catch much of their crap for me, and make refactoring easier.

1
1

Oh really?

The .NET Framework and C# language were a hit with developers,

Let's be honest, it was only ever a "hit" with Microsoft developers who have very few other realistic choices.

9
6

Re: Oh really?

That rare breed of Microsoft developers developing for a platform with such a small user base and little uptake amongst business and consumers? Hmm...

3
2

Re: Oh really?

That rare breed of Microsoft developers developing for a platform with such a small user base and little uptake amongst business and consumers? Hmm...

As per my comment, they have very little choice - good luck going out on a limb by proposing the use of a non-Microsoft language or framework on a Microsoft platform.

The widespread use of something doesn't necessarily equate with it being a "hit", just as death isn't exactly a hit with the living. Some things are just... unavoidable.

2
2

Re: Oh really?

> good luck going out on a limb by proposing the use of a non-Microsoft language or framework on a Microsoft platform.

Really? Because I see quite a lot of php and far more Java than was ever good for anybody.

Even node.js runs on Windows servers, you know.

Honestly, I don't think you have much clue what you're talking about.

0
2

"the foundation for all future .NET platforms".

Or until they change their mind again.

8
0

Re: "the foundation for all future .NET platforms".

Once in 13 years ain't bad.

0
0
Anonymous Coward

Re: "the foundation for all future .NET platforms".

Once in 13 years ain't bad.

Huh? So there's been only a single "change of mind" for the .NET platform in the past 13 years?

You're obviously not a .NET developer...

3
3

Re: "the foundation for all future .NET platforms".

Actually, I am (among other things).

We've had new stuff come and go but the Framework itself has seen no changes of mind in 13 years, until now.

Even this is evolution rather than revolution.

0
0

Security disaster in the making

As Steve Davies mentioned, there will be security vulnerabilities found in the .NET libraries; it's a question of when, not if. The real problem is what to do about them, now that the libraries are bundled with apps.

On the one hand, they could let developers release new versions of their apps every time the libraries are updated. Realistically, most of them won't bother, which creates a large attack vector. I'm sure VXers will find a way to take advantage of it, such as convincing users to install vulnerable apps which can be exploited. (E.g., "you need XX video player to watch this clip of [celebrity]".) Will antivirus programs have to start flagging anything with outdated libraries as potentially harmful? This way lies madness.

The alternative is to push security patches through Windows Update. Except this is supposed to be cross-platform, so you don't necessarily have Windows Update. Maybe solvable with an updater service, but now that also has to be bundled with apps as well, and could lead to issues with multiple instances and version incompatibility if you install several .NET apps. Even with that solved, pushing updates could break signed apps.

Anyone have better ideas on how to not have this turn into a nightmare?

3
0
Silver badge

Re: Security disaster in the making

I guess the .net libraries could be deployed via the Mac App store and the linux distro repositories. That would work the same way as Windows Update.

0
0
Anonymous Coward

Re: Security disaster in the making

Anyone have better ideas on how to not have this turn into a nightmare?

Avoid using it. .NET is only good for the enterprise, and that's only if you've already committed to it - like I have.

This is why MS kill frameworks before their natural end of life - because if they kept them going this sort of crap happens.

1
2

When I see a program uses the .net runtime my heart sinks.

I know from experience it'll be slow and buggy.

5
5

Re: When I see a program uses the .net runtime my heart sinks.

Badly written programs will be slow and buggy. .net doesn't cause this; the problem is in the chair not the run time.

When I see an open source program my heart sinks: more abandon-ware and needless forks. We can all make random faulty generalisations...

10
0
Anonymous Coward

Re: When I see a program uses the .net runtime my heart sinks.

Badly written programs will be slow and buggy. .net doesn't cause this

Yes it does. Microsoft have bent over backwards making a dev environment that spoon feeds its users. This is fine for the corporate world where there are low skilled developers, a few internal users and the target environment is well defined and in house creating a simple run of the mill crud app. .NET is excellent for this type of work.

Anything beyond this, in my experience (yes, I speak from personal experience - I've been with .NET for a decade) it starts becoming complicated due to having to hack around the short-sighted "one size fits all" design of the framework.

So with this in mind, you do get a lot more inept developers with .NET (I'm not saying all of them are - just the majority, and more than other platforms) and it is .NET's fault. It isn't a generalisation, it's an observation.

0
8
Silver badge
Paris Hilton

Is it broken?

Does it really need fixing? Paris wants to know.

0
0
Anonymous Coward

Another Train Wreck... Stupid Devs this SH!T is worse than COBOL!

How long does the bully get to rule the whole damn playground and kick you out of the sandbox, take your marbles, eat your lunch and kiss your girl friend?

If you write apps and need them to run on Windows you had better start looking at Docker. If you write apps and have not had your head buried in your ass for the last 5 years you had better make code that can be presentable on Android tablets and Apple Tablets. Is that clear? You cannot keep writing software for JUST windows, even in the enterprise we have the whole board of directors with Apple products and all the C level execs are also Apple fans. The rest of the minions get the cheap Android devices for tablets.

Is that clear? At the end of 2015 there is said to be 1 billion Android users that could buy your app, use your app or hire you to develop apps for the Android platform.

The platform wars are over. Microsoft technology is legacy, i.e. think COBOL. If Microsoft has NO way to keep your runtime or your compiler working for the next 20 years you MUST re-write your app so that you are not in a pickle telling your clients or users to run Windows XPx86/XPx64/Vistax86/Vistax65/Win7x86/Win7x64/Win8x86/Win8x64/Win8.1x86/Win8.1x64 and server OSes on a dedicated machine in the corner cubicle.

1
8

Re: Another Train Wreck... Stupid Devs this SH!T is worse than COBOL!

COBOL is legacy now?

1
0

Re: Another Train Wreck... Stupid Devs this SH!T is worse than COBOL!

aw look, somebody who can write a whole page of HTML5

1
0
Anonymous Coward

Re: Another Train Wreck... Stupid Devs this SH!T is worse than COBOL!

You mean 1 Billion android users that expect to use your app for free?

0
0
Gold badge

Ahh static libraries

What a solution -- they're going back from dynamic libraries to effectively having static libraries. (Well, "effectively" because I'm not sure if it's all linked in or if the .exe and libs are just shipped in a directory together.)

0
0

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Forums

Biting the hand that feeds IT © 1998–2018