Ten Things Scott Sauber Does On Every .NET App

May 28, 2026 · 56 min

Episode description

What settings, configurations, and workflows do you use for every .NET app? Carl and Richard talk to Scott Sauber about his list - from organizing folders by feature, to logging, security, and testing. Scott talks about enforcing rules like treating warnings as errors so you won't ignore important warnings, and validation in the build, to make applications more reliable. Each of these items represents some work, but in the end, your application will be higher quality and more reliable. Which ones are you already doing?

Transcript

Speaker 1

How'd you like to listen to .NET Rocks with no ads?

Speaker 2

Easy?

Speaker 1

Become a patron for just five dollars a month you get access to a private RSS feed where all the shows have no ads. Twenty dollars a month will get you that and a special .NET Rocks patron mug. Sign up now at patreon.dotnetrocks.com. Hey, welcome back to .NET Rocks episode two thousand and four. I'm Carl Franklin, and I'm Richard Campbell, and Scott Sauber's here.

We're going to be talking to him in a minute, but you might hear him jump in on the intro here, because that's what we do now, right.

Speaker 2

Yeah, go to be at least for the next twenty or so episode, right, yeah, right, twenty two. I'm a little stressed about actually getting to the current history.

Speaker 1

Well well you know the shows won't have that wonderful intro again. Well we'll do something, but all right, something. I regret to inform everybody that I've got another cold luck at you and the gig tomorrow. Nice, just like last time. Save your voice, brother, Yeah, I'm gonna save it all.

Speaker 2

Right, A I fixed up?

Speaker 1

Or no, you know the best line when I get up on the microphone with the band is thank you for coming tonight. And tonight's show has absolutely no AI and people lose their minds, they roar, I'm sure, all right. So being two thousand and four, let's talk about the top events or the news events, the major news events so that year, unfortunately, we'll start with the Indian Ocean earthquake and tsunami. And we remember that, Yeah, I did. We did a bunch of fundraising for that, that's right.

I remember Julie Lerman kind of spearheaded that she.

Speaker 2

Had friends in Banda Aceh right and needed help. Yeah, so they happened to be there. We're just wrapping up a charitable project when the tsunami and everyone needs a lot of help, and so we all dove in. We did a bunch of eBay auctions for time and resources and things like that and raised a lot of money.

Speaker 1

I think this might was am I wrong? Or is this one of the events that got you to consider doing the your charity?

Speaker 2

Yep, it's one of the catalysts of HTBox was watching what Julie was able to do, like she's such an inspiration mm hm.

Speaker 1

And we're talking about the Humanitarian Toolbox that Richard spearheaded. Okay, the Iraq war and insurgency escalation, so it didn't go well at first.

Speaker 2

No, Saddam is now gone right at that point, and now that comes the whole you broke it, you bought it phase.

Speaker 1

M Yeah, the Abu Ghraib prisoner abuse scandal. That was pretty bad.

Speaker 2

Ye.

Speaker 1

Madrid train bombings I remember this, Yeah, killed one hundred and ninety three people. I don't remember it having that big of a casualty number, but I guess it did. Trains are packed. Yeah, it was a right. Some more bad news. Darfur conflict escalated, big humanitarian crisis in Sudan. In the US, the presidential election of two thousand and four, George W. Bush defeated John Kerry to win a second term.

This September Eleventh Commission Report, which was a detailed report on the 9/11 attacks, the US Patriot Act reauthorization debates, so people were debating over civil liberties versus national security. NSA was big. And I remember interviewing Christian Bayer and he said NSA stands for no security anymore. Same sex marriage got legal in Massachusetts. Yeah, Martha Stewart went to jail. Yeah, and it wasn't even that much.

It was like thirty grand or something something like that. Yeah, but insider trading is insider trading. The controversy over Mel Gibson's The Passion of the Christ boy, Oh Boy. And speaking of other movies, let's go through the top ten. National Treasure, which was a great fun movie. Nicholas Cage, Nicholas Cage. Yeah, Ocean's twelve, a bad Colooney, which was great at all. Think it was still pretty good. Shark Tale, which I never saw.

Speaker 2

But well you're not you don't have the little kids at that point.

Speaker 1

Well that's true, but I kind of still watched these big ones. Troy epic retelling of the Trojan War starring Brad Pitt. Brad Pitt is a gladiator. All the women's loved it. Day The Day after Tomorrow. I don't remember that one, but it was like a change global disaster film. And of course The Passion of the Christ to number five, The Incredibles number four. I did watch that and it was fun, fantastic, It was fun. And you know, my youngest daughter was only two years old, so I was

watching these kind of things. Spider Man two. Okay, how much to say about that? Harry Potter and The Prisoner of Azkaban. This is number two, and the number one grossing movie of two thousand and four is Shrek two. Yay, Shrek It again, Shrek and again and wow, I think Shrek and.

Speaker 2

Is it? Yeah?

Speaker 1

Shark Tale and Shrek were both from DreamWorks. Yeah, and they're both the number one, well in the top ten of that year.

Speaker 2

Awesome. Interesting forget what about Action's Janet Jackson's wardrobe malfunction. Wardrobe malfunction, Yes, at the at the power at Super Bowl. Yeah, we don't even remember the year, but that's what happened.

Speaker 1

The funniest part about that was her interview on Letterman the next day or whatever, and she was like, it just happened. I don't know, so I don't know. You guys got anything. I know, Richard, you've got space and technology. But Scott, do you remember anything about two thousand and four you want to share?

Speaker 3

Ah, Man, I don't know anything off hand. I mean I would have been a junior in high school at the time, but yeah, well that's an event. Yeah, it's almost done with high school all right, tell us about space and tech.

Speaker 2

Well, we're in the midst of the Columbia accident investigation. Columbia was lost in two thousand and three, so there's no Shuttle flying that year while the investigation's ongoing, and that means no additional building of the International Space Station either. So the Russians are supporting the space station with Progress and Soyuz flights to bring crews down. But there's

plenty of other things going on at the time. The Stardust mission in January actually reaches Comet 81P/Wild and collects dust from a comet, which was its mission to return to the Earth, which is cool. Also in January, the Spirit rover lands at the Gusev crater. Month later, the Opportunity rover at Meridiani Planum. So those rovers were designed to operate for ninety days. Yeah, and one lasted nine years and the other lasted fourteen.

So for a variety of reasons, mostly to do with they got really good at understanding how the very thin atmosphere can actually kick up enough wind to blow the dust off the solar panels, and so they're able to keep clearing the solar panels off and keep the machines running. They lose Spirit first, because it'll get stuck in sand at the wrong angle and ultimately will run out of power.

The issue here for them primarily is to make sure they charged with the batteries enough to last overnight, because it gets very cold at night and equipment will freeze, and so you need to charge the batteries off solar panels to generate enough heat to be operational the next day, and so your positioning before nightfall is super important.

Speaker 1

I remember doing a bit with Professor Schmackel on Mondays, which also started in two thousand and four. By the way, goodness forgot I left that one off the cultural list, Yeah, such as it is counter cultural, but yeah, I do remember that that happened.

Speaker 2

That was a big deal. Yeah. Also in two thousand and four, in June, the first flight of SpaceShipOne. This was Burt Rutan's technology trying to capture the Ansari prize. It's a suborbital flight, but it does get above the Kármán line, and so Mike Melvill becomes the first civilian astronaut ever. In order to win the Ansari prize, we'll have to do it again, which he will in September and so demonstrate that a reusable spacecraft. I mean, it's funny to think about, but in two thousand and

four was an incredible breakthrough. Yeah.

Speaker 1

Wasn't the Shuttle supposed to be a reusable spacecraft? Is that what you're laughing about?

Speaker 2

Yes, it's also government not civilian. Yeah, And that was the whole point. Was privately funded, and that private funding was mostly Paul Allen. In July, the Cassini spacecraft, this bus size spacecraft flying to Saturn, reaches Saturn and gets into orbit around Saturn, the first thing to ever go into orbit around Saturn. And by December we'll release the Huygens probe onto Titan, the first time we'll ever soft land and the only time so far was soft landed anything on Titan.

Speaker 1

And Cassini also the name given by I think it was Scott Guthrie and team to the.

Speaker 2

Web server and visual studio. Okay, Cassini, there was a few of them. Messenger is the first spacecraft to go into orbit around Mercury. It launches in August of two thousand and four. It won't actually get into orbit around

Mercury till twenty eleven seven years. It'll take longer than it takes Cassini to get to Jupiter because it needs to slow down so much to actually be able to be captured by Mercury that it'll do a flyby of Earth, two fly bys of Venus, and three flybys of Mercury to slow itself down enough to finally be captured by Mercury twenty eleven, and it'll do a complete map of Mercury and a bunch of further cool mission.

Speaker 1

See scientists, real folks, it's tricky laws of physics. Yeah, not just a good idea.

Speaker 2

And as you get closer to the Sun, it accelerates you a lot, so scrubbing speed is hard. Finally, in December, Voyager 1, launched in seventy seven or seventy nine, reaches the termination shock. That's the point at which the solar wind being pressed out from our star is pushed back by the interstellar wind, and so he crosses through that and we get new information from it. So that's all we get from space. Let's talk a little bit on the compute side, because I find I feel like

two thousand and four is more important year than you realize. Okay, I would argue that this is the year that we recover from the dot com boom, Right, So, I mean the dot com boom it sort of ended in two thousand and one, and all the money it sort of disappeared.

It's not like the web or anything went away. But I would argue that the harbinger event was Google's IPO, So they you know, had been born during the dot com boom, but they were in one of the companies that did not fail became the fundamental search tool of all time arguably still is today, and they were essentially forced to IPO they had too many shareholders and the SEC required it, so that they went somewhat reluctantly, but

the response by the market was very positive. It's sort of the first good news about the web post dot com. This is also the year that O'Reilly starts their Web two point zero conference where they talk about the focus on user contributed content things like wikis and blogs and ultimately social media, so how that comes from that. And speaking of social media, this is the year that a young Harvard student named Mark Zuckerberg starts a website called

the Facebook. The Facebook. Oh, and also speaking of Google, on April first, they launch Gmail and everybody thinks it's a joke. Yeah, yeah, why I remember you had to thinking you had to be invited to that program. Yeah, that's right. It was the longest beta ever and just kept going and going and going. That turned out for them. On the Intel side, Intel finally delivers the EM64T on a Xeon. This is based on Dave Cutler's Windows on Windows mindset of like can we make

sixty four bit process? It'll run thirty two bit properly. It actually makes sixty four come true because it has become the Itanic and so the Xeon Nocona is sort of the first towards that Cutler had actually worked with AMD first. So AMD had solved this problem and now Intel was playing catch up. One would argue this is the point where Intel really fell behind. Two thousand and four, the year of XP SP2. Oh boy, what a year that was. Yeah, one would argue the

setup for the debacle that becomes Vista. You know, The argument here is that it was a breaking change to Windows XP, so it should have been XP version two. But in back in those days, you charged for a new version of an operating system, and Microsoft wanted everybody to install SP2, So making it a service pack was the right thing to do from a let's get this security out into the world perspective, but with lots

of long term consequences from that yep. Two thousand and four is the year of the final version of FoxPro, Visual FoxPro 9, which had been booted out of Visual Studio as of Visual Studio .NET in two thousand and two. It's now living on its own, and this is the final version they will ship. Beth Massi wasn't happy, No, none of the They can't really blame him, it's fair now. Two thousand and four is the year that Miguel de Icaza ships the first

version of Mono. He'd announced it in two thousand and one at another O'Reilly conference that he thought it was a good idea and effectively destroyed his career because all the Microsoft people are like, are you that Linux guy? And all the Linux people are like, don't you work with Microsoft technology? So he couldn't win. It's hard to be Miguel, But yeah, that's the first time Mono comes out. Another

important open source product Ruby on Rails. In July, David Heinemeier Hansson, DHH, who is a very controversial figure today, certainly guy behind Basecamp. Takes an old language from the nineties Ruby that nobody cared all that much about, combines it with a scaffolding he calls Rails and makes a phenomenal an old web tool, and again we talk about the rebirth of the web, reinterest in the web. Ruby on Rails became this incredible prototyping tool for building

websites fast. Yeah. People thought of it as like visual basic for the web. Yeah really, and you know, build it up, tear it down, just give data off you go. It was amazing. And I'm gonna mention two games only because I think they're profoundly important in gaming even today. This is the year that World of Warcraft launches under Blizzard, so that massive multiplayer game. It's still ongoing today. Wow and Wow from Valve Half Life two, and that's all I got.

Speaker 3

All right, I got I got one from two thousand and four tech related me. Firefox got released.

Speaker 2

So yeah, they they came out. It was no longer Phoenix, right as the first version was called Phoenix. Then they found oh you can't call it Phoenix, so they rebranded as Firefox. In two thousand and four.

Speaker 3

Yeah, and I don't think Firebug wasn't out at the time, but I did credit Firefox for like the developer tools that we have today in inspiring that with Firebug.

Speaker 1

So what about Firebase. Was that part of that whole thing or is that a separate thing part of the suite as well?

Speaker 2

All right, you're right. It does tie you into my larger message of this is the web rehabilitating because what the Mozilla Foundation was doing was building real dev tools for web devs. You weren't just hacking away like your ability to work in Firefox. I was not necessarily a Firefox fan, but if you had to build a web page and you weren't using Firefox, you were just torturing yourself like they figured out all F12 before everybody else. Yep, yeah,

like that's where that came from. Good enough that everybody copied it. All right, are we ready for better? No framework, Let's do the thing with the stuff, roll the music?

Speaker 3

All right, man?

Speaker 2

What do you got? All right?

Speaker 1

Well, although he didn't write it, our friend Simon Kropp brought this to my attention.

Speaker 2

I'm shocked Shock has done. This is cool.

Speaker 1

This is a Windows Defender performance tool interesting. It's a .NET application that monitors Windows Defender ETW events and visualizes scan durations in real time using a stacked bar chart. It can also visualize snapshots recorded offline with the PowerShell cmdlet and so listens to the Anti Malware Engine stream scan request tasks, stop ETW events, displays the scan durations per process, in a stacked bar chart. This is

all real time. You can drag and drop files or folders onto the window to trigger an immediate scan of the dropped items and export to CSV when more than one snapshot is dragged to the window. It's all I know. It looks really cool. It's MIT licensed, and you know that.

Speaker 2

I think.

Speaker 1

There's an urgency about knowing what threats are out there as soon as possible, because by the time you see it, you're vulnerable.

Speaker 2

I'd also argue that people blame Defender for performance problems all the time, and this is a tool that surfaces this is what Defender's actually doing. Yep.

Speaker 1

So it's very very cool. And Defender should always be on. If you ask me, that's you have to fight to turn it off.

Speaker 2

Yeah, right, And it's on by default mostly you know, the average mortal has it on, doesn't even know it doesn't even know, right, I think for us in dev, because we torture our machines, so you're often looking for like what's eating up all the resources? And let's be clear, you dump, especially new executables that you have generated that are unsigned. You trigger a defender when you do that, and sometimes those things can really hit a lot of cycles.

Speaker 1

Yeah, so hats off to Alexander Eulatin for putting this out there.

Speaker 2

Go get it. I'm gonna awesome. So who's talking to us today? Richard grad to comment off a show two thousand?

Speaker 3

Wow.

Speaker 2

Yeah, we published two thousand episodes. When do you know what a great show? And Aaron Old said, this podcast has been my longest continually listened to podcasts. The information that you have shared has been instrumental to my twenty five plus year career in .NET. I remember the first time that one of my comments was read on the air. I was driving to work and I had to pull off on the road in the parking lot and listen to Richard read my comment. I was so excited.

I do hope you guys continue to do the good work. Yeah, well, there you go Aaron, I read another one, so don't crash. Yeah right, it's gonna be fine, it's gonna be fun. Everything's okay. Yeah, and thanks so much for sticking with us, because we've been we're still doing this thing somehow Sometimes I wonder how all right? Yeah, two thousand shows in so thank you so much for your comment. And a copy of Music to Code By is on its way to you.

And if you'd like a copy of Music to Code By, write a comment on the website at dotnetrocks.com or on the Facebooks. We publish every show there. And if you comment there and I read it on the show, we'll send you a copy of Music to Code By.

Speaker 1

Go to musictocodeby.net if you want to just go get it. Okay, nice, go get it.

Speaker 2

Good link.

Speaker 1

So let's introduce Scott. You heard from him before just recently a couple of things. Scott Sauber is the director of Engineering at Lean Techniques, a consultancy of about one hundred and seventy people based in the Midwest. Besides advising clients and delivering solutions for them, he enjoys helping teams realize their potential through technical practices and working more effectively together. He's a Microsoft MVP, a Redgate Community Ambassador, international speaker,

Dometrain author. He co-organizes the Iowa .NET User Group and co-organizes the Iowa Code Camp. You can find him pretty much anywhere online at scottsauber. Welcome Scott.

Speaker 3

Yeah, thanks for having me, guys, first time, right it is. It is my first time. So excited to be here.

Speaker 2

Awesome. We've seen each other at the conferences for many, many years, so sorry about that. Shouldn't have been this long, But I think this talk you've got is really cool, Like it's such a good idea to just sort of have a I guess you call it a checklist of things you're going to do in a .NET app.

Speaker 3

Yeah, totally, and uh yeah, just fair warning. This might be a little bit of a dense show of just random fire of different tips, but hopefully people will be able to walk away with something that they can literally take and apply immediately after the show.

Speaker 2

So it's called nutritional value.

Speaker 1

Unlike what we just did for the last twenty minutes.

Speaker 3

Dark here comes to Broccoli, right, Yeah, well where do we start?

Speaker 2

All right? All right?

Speaker 3

You go, Yeah, so probably one of the first things I talked about, and I know you guys have had people on the show talking about this topic is around feature folders. So I'm a big fan of organizing my code around feature folders as opposed to the traditional kind of way. So to kind of talk through that, a lot of people are familiar with, like you know, you might have like a data project or like you know, repository services, and like those all kind of live in

different folders. You know, if you're doing MVC and rendering that on the server, you got like your views folder, your controllers folder, models folder.

Speaker 2

And just the way you don't look for anything exactly right.

Speaker 3

Yeah, So anytime you need to add a feature, you got to go touch upwards of you know, five ten folders just to add a feature. And if you want to delete a feature, now you got to go find it everywhere too, and it's just kind of scattered. So feature folders kind of flips that on its head, and rather than organizing by like type of things, rather than having like a models folder, controllers folder, you organize by feature.

So let's say you've got my profile feature for instance, anything to do with that feature goes in a folder called my profile, so it's all kind of co located together. It's very easy to see at a glance what your features are, and so we want that code by feature.

Speaker 1

Yep, it makes sense really. I mean it's kind of like we do that with projects, right. We have projects that are based you know, components or DLLs or whatever, they are based on what they do, and just take it another step inside those projects organizing feature folders.

Speaker 2

Yeah.

Speaker 3

Great, So I kind of use the analogy if in case somebody still thinks that this is like heresy, I challenge people think about, Oh.

Speaker 2

It's it's heresy, but it's good heresy.

Speaker 3

Yeah, exactly. If you think about like your house or your apartment or wherever you live, think about where you keep the soap in your house, Like do you have a closet full of all the different soap like hand soap, shampoo, body soap, dishwasher soap. Yeah, probably not. You probably keep that soap close to where it's used, Like you keep the hand soap by the sink, the shampoo in the shower,

and so you use it where it's most used. You don't just have a soap closet you go reach into to go grab the soap.

Speaker 2

So God, I love the idea of a soap closet, the.

Speaker 1

First time I heard about feature folders, I was just like, duh, why didn't I do that? You know, it's it's just makes your life easier.

Speaker 2

Any any gotcha's what do you have to do to make feature folders work?

Speaker 3

Well, honestly, not a whole lot. I mean, if you're doing like server rendered MVC or Razor Pages, is just a slight change you need to do to have it go look in that folder. But it's usually one liner to add that. I've got a blog post on how to do that, so we could drop that in the show notes in case people are interested. But otherwise, if you're just building an API, it should just work.

Speaker 2

Yep.

Speaker 3

So there's nothing magic about a controllers folder, for instance, as long as you are you know, there's a few different ways that can discover it. Whether you know it has the ApiController attribute or the suffix of the class is Controller, it'll find it that way. So there's really nothing magical about these folders for the most part, other than in like server rendered MVC.

Speaker 1

So how many folders deep like you do you have like my profile and under that controllers or do you just have the if you have one or two controller files, you just put them right there.

Speaker 3

Yeah, that's that's a good question. Usually I'll I won't start with nesting more folders underneath that until I find i, you know, starting to get tons of files in there and things like that. Yeah, it just kind of depends. But a lot of times I'll just kind of put things in there, and usually it's not more than you know, four to six files or so. So I find that usually pretty easy to manage.

Speaker 2

Very good, cool, good stuff.

Speaker 3

That's number two, all right, moving on to number two. So this is treat warnings as errors.

Speaker 2

Look at your believer.

Speaker 3

You being consultant, you get dropped into different projects all the time, and it's always not the best experience when you pull down a project for the first time you build it and there's like hundreds or even thousands of warnings of compiler warnings that you know, you're like, okay, which ones of these are valid? Which ones are not? I don't know what to do, And so I like treating warnings as errors. And so basically warnings don't exist

in my world. It should either be something that I fix or something like I explicitly ignore because for whatever reason that warning is invalid.

Speaker 2

It's not necessary. Yeah, I mean and to your point there, it's more about don't be blind to the warnings that are actually important. So when you leave all those warnings on, you ignore them all correct, Yeah, because.

Speaker 3

A lot of times you're getting those warnings and there's something that's going to happen, might not be right away.

Speaker 2

Yeah, like there deprecation warning.

Speaker 3

Yeah, that you should be making the change to actually, you know, go go fix whatever the thing is.

Speaker 2

So yeah, often those warnings suddenly become real errors when you move up a version of the framework because there were a deprecation warning has been going on for like three versions that you've been ignoring you and would have been easy to fix yep at some point.

Speaker 3

And that's as simple in case people are wondering, that's as simple as going in your csproj and there's a TreatWarningsAsErrors flag and you just flip that to true in the XML.

Speaker 2

So that's very good.

Speaker 3

As simple as that.

Speaker 2

Awesome cool.

Speaker 3

So the third one is authorization using something called fallback policy in ASP.NET Core. So let's talk about why the why first before we get into the what it is. So the problem is, by default, ASP.NET Core security is opt in, meaning if you're doing controller, you got to add an Authorize attribute and have to remember to do that, or in minimal APIs you have to remember to say like RequireAuthorization on a minimal API, and if you forget, now that API is exposed to the whole world, which

is obviously not great. And so instead what I want is secure by default. So with something called the fallback policy in ASP.NET Core. The idea there is, if you haven't specified anything else, you apply this fallback policy. So you can set the fallback policy to say, hey, require an authenticated user, and so at least you have to be logged in to hit that API or or whatever the case is. Or you know, if you are building like Razor Pages or Blazor app, you have to

be logged in to hit that page. Now, you can still opt out, so you can add like an AllowAnonymous attribute on a controller, endpoint, or whatever the case is, and that will take precedence over the fallback policy. The fallback policy is basically like, hey, if you didn't add anything else, this is what security policy is going to run. So by default you're secure and you can always add more security saying hey, you have to be an admin to hit this endpoint or whatever the case.

Speaker 2

Is if you have no fallback policy, is it fallback then no security?

Speaker 3

Correct?

Speaker 2

Yes? Yi?

Speaker 3

So that's that's the default in ASP.NET Core because it doesn't know what you want to do, and so this kind of flips that on its head. And it's really just like a one liner. When you're setting up authorization, you can just say, hey, set the fallback policy to require authenticated user, right?

Speaker 2

Good? Yeah, that's a good default.

Speaker 3

Yep, all right. Next one logging best practices. So, uh, just see a lot of people who uh spray logs and don't really know what what it is that they're doing, or you know, they go to the hitting exception and suddenly they don't have all the information that they need. And I'm not going to get into like OpenTelemetry and things like that because it's like its own show and whatnot. More so, just I use a package called Serilog. It's really popular.

Speaker 2

Great the donet I.

Speaker 1

Use it too, ye, And you'll serialize your objects and put them in the log messages.

Speaker 3

Yep, yep for sure. And yeah, so I'll do like the structured logging you're talking about, and so you can like query off those things. So like basically you can write essentially SQL like queries saying like, hey, grab me all the logs from this user, and you don't have to like search through strings and things like that.

Speaker 2

Yeah. Right, it's really good game changer.

Speaker 3

Yep, and Serilog's got a good feature, and pretty much every logging framework out there has this feature too, of you can add certain properties to every single log. So for instance, you might want the user.

Speaker 2

ID yep, yeah, you want the user yes.

Speaker 3

Or like what endpoint are they trying to hit? Or you know what version of the app is deployed. Is also another thing that's useful because let's say you fix something and ship it out. You can say like, okay, do I have any exceptions from this latest version I just deployed out?

Speaker 1

And so I typically use a class that I write around Serilog that had that takes a dictionary of strings as parameters, so a string string dictionary.

Speaker 2

Right. So right there in.

Speaker 1

The you know, in the catch, you add the parameters that you want to put in there, which might include the objects or you know.

Speaker 2

The things that you were for. First of all, the thing that you were.

Speaker 1

Calling is in there, but you know, all the detail that one would need to make intent intentional queries yep, yeah.

Speaker 3

And Serilog, so yeah, Serilog's, yeah, LogContext you can slap uh slap those things together too, so on every log statement you don't. You kind of just get those things for free, which is pretty nice. So so yeah, that's some logging best practices. But I kind of want to transition into like this concept of logs. Sometimes I hear like, let's say we're doing some refinement or something and talking like, oh, yeah, we should log that piece of information, And I think there's a subtle

difference between like logging versus metrics versus audits. And again I'm not going to get into OpenTelemetry stuff, but technically Serilog does not guarantee delivery, meaning a lot of that a lot of times depending on what they call sinks, which is kind of like your end destination, like are you sending this to Azure or where wherever you're sending it to. They don't guarantee delivery, so like they might depending on your settings, they might buffer those

messages in memory. So what happens if the app suddenly crashes when all that stuff was in memory? Now all of those logs are gone. Yeah, and did not actually get flushed out, and so there's no guarantee of delivery, which is fine if you're using logs as they're meant to be used, which is like more of a developer tool, But if you're using it for like a replacement for like an audit tracking or audit logs, that's the problem.

Speaker 2

And right, so it's almost it a log everything except you accept the stuff you needed to understand what happened. Yeah.

Speaker 1

So with the logging system, though, can't you set up multiple sinks? Like you could have it write locally to a file so so it's there, and then on top of that you would have you know, some process to get it to another place that might you know, need to use Polly or something. Yep, make sure it goes.

Speaker 3

Yeah, I just see some people like let's say you have a user management system and you want to log hey, who added who adds a user, changed the role or whatever the case is. Technically Serilog's not going to guarantee that you get it to the place you set it to, so like instead you should just use a good old-fashioned audit table or something like that that has more guarantees around those things.

And I've been in the healthcare industry at various points, and like they have some laws around like HIPAA that you have to keep data around for sure seven years, and so it's really not good if you don't keep that data around for seven years. And that's another problem with logging if you use audits as logs is your logging system might only keep things around for like thirty days or a year or something like that. So that's like another thing you got to kind of consider, the data store that you're using there.

Speaker 2

Yeah, it's usually a circular store and it has it's limited by space or time whatever that may be. Is also where you should call your friendly sysadmin, who is also responsible for how long that stuff should be stored. So even if you are in a thirty day rotation, we take a snap of it periodically so that we have another copy somewhere. Like, yep, they have conversations. You're not the only one of this problem. Yep.

Speaker 1

This seems like a good place to take a break and we'll be right back after these very important messages don't go away.

Hey Carl here, you probably know Text Control is a powerful library for document editing and PDF generation, but did you know they're also a strong supporter of the developer community? It's part of their mission to build and support a strong developer community by being present, listening to users, and sharing knowledge at conferences across Europe and the United States. So if you're heading to a conference soon, check if Text Control will be there and stop by to say hi. You can find their full conference calendar at dubdubdub dot textcontrol dot com and make sure you thank them for supporting dot NetRocks.

Speaker 2

And we're back. It's dot net Rocks.

Speaker 1

I'm Carl Franklin, that's Richard Campbell eight and we're talking to Scott Sauber with his ten things that he does in every dot net project.

Speaker 3

Yeah, stealing something from David Letterman.

Speaker 1

I guess, and I think we're on four or five? Are we on five?

Speaker 2

Or six? Where are we?

Speaker 3

We've gone through five. Now we are on number six. So how about that six to one? Is we? I like to do validation with a library called Fluent Validation, so out of the box, uh you it's kind of I don't know, encouraged to use something called data annotations, which are just like little attributes saying hey, this field's required, and things like that when you're let's say you're taking in a form and you're someone signing up and you know their first name, last name, email, all that kind of stuff is required.

Like data annotations work well for those scenarios, but I find making custom ones when you have more advanced scenarios is a little awkward to make. Like let's say you're taking their birth date and you know they have to be above a certain age to sign up for the website. That's not out of the box and something custom you'd have to make, and that gets a little awkward with data annotations. Yes, they're also hard to unit test. If you want to get really particular, you could argue the single responsibility principle's violated because like you're kind of mixing your model business rules that you have with your validation. Yep.

So instead, I like using Fluent Validation, which allows you to kind of separate your model from your validation, and it basically gives you this fluent-like syntax, so you can say, like, hey, first name should not be empty, and you can write custom rules super easily. They read super nice, and I've even given the rules like literally screenshotted the C# and sent it to a business person said hey, are these rules right, and they're like, yep, that's good.

Speaker 2

It all makes sense and they can read them. Yeah, yes, it makes sense to them, versus that's.

Speaker 3

Important showing them like, you know, attributes and things like that, and it's like, good luck with that. And so Fluent Validation also has a test helper built in too, so you can write automated tests around it super easily. So I really like Fluent Validation for this.

Speaker 1

Was a better no framework a couple of years ago, and yeah I love it.

Speaker 2

Yep, yeah, cool, just a better way think about the problem. Yeah, sure, awesome.

Speaker 3

All right, Numero seven, we're going to talk about just generic coding guidelines. So you can probably make the argument there's like twenty five plus tips in here, but total, but I'm going to kind of bucket all these into generic coding guidelines. So, okay, I try and structure my methods where I put the happy path at the bottom of a method. And part of the reason for that is I don't like having to scan like a new code base, like what what does this method even do?

Speaker 2

Right?

Speaker 3

And let's say it's one hundred lines long and somewhere at lines sixty to seventy is the happy path of what went well? Like everything went right right? This is this is what this method does.

Speaker 1

Don't nest your success states, yes, and then get into something that's tabbed in you know, eight tabs or something exactly. You do your centuries, you return if you need to return, and at the bottom happy path yep.

Speaker 3

Yeah, don't test if it have nested if-elses, do early returns like you said, so you know, if let's say I've got an endpoint. If I'm if the request isn't valid, I'm going to bomb out and return a four hundred. If I'm not authorized, I'm gonna bomb out, returning forbidden, whatever the case is, and then kind of get to my happy path.

Speaker 2

It's just just a legibility thing that it's easier to see the correct path out if you put it at the end.

Speaker 3

Yes, and it forces you into that early return pattern that Carl was talking about, where you kind of bomb out if things aren't aren't good, versus that nested success case like oh I am valid, oh I am authorized? Okay, now let's do the thing.

Speaker 2

Well what about this? What about that? Yeah, fail early and often and only succeed at the.

Speaker 3

End and the kind of way I think about this too is a principle called the indentation proclamation. Now, if you google that, that doesn't exist. I made it up just to honest indentation proclamation.

Speaker 2

Nice.

Speaker 3

But the idea is the more indented your code is usually the harder it is to read. If you have nested if statements, if you have nested loops, all those kinds of things. So I try and avoid.

Speaker 2

Cyclomatic complexity, yep. Not good, yep.

Speaker 3

And then I just have some like generic warning lights and not hard and fast rules. Now I'm about to offend somebody if I haven't already is and these are not like hard stops. Just like when I get over this number, I start to think, hmm, is there a better way to do this? Should I break this out? So classes that get, you know, a few hundred lines long, I start to think, like, hm, could I start breaking this out? Methods over twenty lines, I start thinking, hey, can I break this out?

If people are using regions? I am not a regions fan, and I feel like when somebody uses a region, I feel like Clippy should pop up in their IDE and say, hey, you're trying to use a region? Did you mean to add a new class or method instead, because we already have these code organization tools called classes and methods, and a lot of times I see people use regions when they really should have reached for a new class or method.

Speaker 2

And covering up code. Yeah, so fair.

Speaker 3

I know there's some region fans out there, so I know I offended somebody out there with with that. So sorry in advance opinions defense, yep. And it's also getting into the point. I mean we're kind of talking AI. We briefly talked about AI earlier, but I mean, some of these things are kind of interesting as we started to get into a world of how much does code quality matter? And I'm still in only in the camp of it does, but as agents are writing more and more of our code, I think it's.

Speaker 2

An interesting including more and more of our test Yes.

Speaker 3

I think it's a kind of an interesting question. I know Uncle Bob who wrote the Clean Code Book, who he tweeted out saying that he's actually not looking at the code that he's generating anymore, which I thought was interesting. But he is writing like he has code coverage enforcement he enforces like cyclomatic complexity constraints and those kinds of things, so he has a lot of automation around those things to enforce code quality. So he says, if passes all those things, then I'm not actually looking at what the agent generates. I'm not quite there yet, but I understand how some people are starting to get there.

Speaker 2

I've had a few folks say I never got to one hundred percent code coverage until I had automation to generate tests. Yep, humans won't create one hundred percent code coverage, but you can torment the LLM to do it.

Speaker 3

Oh, yeah, for sure. And honestly that those like writing the test is a good way to keep AI on track because I've had lots of times where uh, you know, it makes a change and it unintentionally broke something, but like it just auto fixes it and I don't have to tell it to fix it. It just detected. Hey, reran the test and this is broken. So yeah, we'll get into tests in a little bit where I'll talk about that too. Okay, cool, so that's number seven. Let's move on to number eight.

Modern solution files. So solution files in .NET. If you've ever cracked one of those suckers open, it looks a little I don't even know what the format is. It's like a tabbed format and things like that. So back in the .NET 9 time frame they actually released a modern solution style format. The format is modern, which means it's XML, right, so modern, yes, but I actually like it. So basically it takes your like twenty lines of like GUIDs and things like that that you didn't necessarily read, and it turns it into like three lines just saying hey, I'm referencing this project in the solution, so cleans it up a little bit as well as it prevents some merge conflicts.

Speaker 2

And you're talking about slnx, right?

Speaker 3

Yes, yep, the slnx format. So yeah, it'll change your file format to slnx. And if you want to migrate from an sln file to slnx, it's just a dotnet sln migrate at the command line and boom, you're migrated over.

Speaker 2

Nice. Yeah, I remember that. I'll go find the old blog post about that. It's a good format.

Speaker 3

Yep. So we got modern csproj files a few years back with .NET Core, and now we've got modern solution files.

Speaker 2

So that's cool. Yeah, nice, Yeah, do love the idea of associating modern and XML.

Speaker 3

That's all right. So ninth one is kind of an obscure feature called validate on build and what this means and it's not build as in compiling of your app. It's build as in building of the dependency injection container in ASP.NET Core. So basically make sure that the lifetime of your things that you register match what they should be. So what I mean by that is a singleton can only depend on singletons, otherwise it's not a singleton.

So let's say you've got a singleton that takes in a DbContext, which is a scoped dependency. Now you have this problem where that scoped dependency is trapped in that singleton, and it's what's known as the captive dependency problem, which it might not be a huge deal depending on what your dependency is doing, but like in a DbContext case, it might leave a connection open or leave a leak something, depending on what code that you're doing.

So this validate on build setting basically forces ASP.NET Core to check to make sure that you don't get into that situation. And this will happen by default if your local environment is called development, so you might see this. It basically throws an error, won't even boot your application. But if you don't have your environment set to development, like let's say you change it to dev or local for whatever reason, this won't run. So there's a flag off of Vieus service provider that you just say validate on build true, and now it will always validate.

Speaker 2

So interesting. Yeah, that's good, and so it'll when you have to build, now just generate an error correct yep.

Speaker 3

So when you go to run your application, it will just basically not even boot the application because it's you're in an invalid state. So sometimes this can cause little small errors in production that you can't really explain, like the connection leak problem or something like that.

Speaker 2

So yeah, but you got to Yeah, you go from random random error sometimes the hard ones to hunt down to No, I will not build for you because you have done this thing, yep, and you've got to go. You've got to do a refactor here, architect differently. Don't invoke inside that singleton like you're going to create trouble. Yep. That's right. I appreciate that.

Speaker 3

All right.

Speaker 2

They seem like good defaults, like they should have been on in the first flip in place, right.

Speaker 3

I know, I think. I think part of the problem is like the validate on build setting didn't get added until later in ASP.NET Core, and I think they didn't want to break people even though yeah, they're kind of you know.

Speaker 2

They're running in traffic.

Speaker 3

Potentially broken in production. Yeah, yeah, not realize it.

Speaker 2

So yeah, I know, he's exactly that. Like you've been running a piece of software that randomly crashes and you've probably even covered up the crash, right, you've got a reboot mechanism, things like that, and just not realizing, no, you have an architectural problem that validate on build would have told you. Yep, yeah, all right, good stuff. But yeah, I appreciate that Microsoft doesn't want to break code.

Speaker 3

Yeah for sure, and we've all benefited from that mindset. It's just sometimes the trade off happens where right now they don't change a default that they should have changed.

Speaker 2

A long time ago. Yeah, I mean it also if they do turn it on by default, then it creates a bunch of tech support costs for them they don't want to incur, as well as anger. It's the right choice. Don't move up to this version of dot net because my app now crashes. It's bad, right.

Speaker 1

I think backward compatibility is their number one, I think, and I think that's good. Yeah, so you have to do a couple of things to get you know, working better or you're working better. It's always a wrestling match on this one, right, yeah, one percent. I hope it's spitting all kinds of warnings out, at least that they'll happily ignore along with the other five hundred warnings, unless you have warnings as errors errors, in which case, if you go through the list, it all works all right.

Speaker 2

Sorry, Scott, let's keep going.

Speaker 3

You're good. So number ten, although I think I'm gonna sneak in eleventh here, but uh, Number ten is a feature called central package management. So this has been in dot net since dot net six. But I when I gave this talk at a conference, I asked how many people are using this? And probably ten percent of the room raise their hands. So even though this has been out for a number of years, people still aren't using it.

Speaker 2

It's like four years now that central packages around yep.

Speaker 3

So the kind of the problem it solves is you might have multiple projects in your solution that reference the same package. Like let's say you've got multiple test projects and you're using xUnit or NUnit or whatever the case is. Well, now when you want to upgrade that, you got to kind of touch multiple CS projects to kind of upgrade them all to the same version. Or maybe you have Entity Framework in multiple projects or whatever the case is.

So the idea behind central package management is to centralize that so you have one spot to upgrade your packages, not multiple. So you put a Directory.Packages.props file at the root of your project and you kind of define saying, hey, I want xUnit, I want Entity Framework, here's the version I want. And then in your csproj you just say, hey, the csproj references Entity Framework and you don't have a version in your csproj. And because that's now managed centrally, right, so now you can keep everything in sync. You don't have to worry about like, oh, I'm upgrading to .NET 10, I need to go upgrade all my packages to 10.x in all my different projects. I can just do that centrally in the Directory.Packages.props file.

And this works in Visual Studio, Rider, so there's integrations there too. So any IDE you're using most likely has integrations with it at this point, so yeah, super easy.

Speaker 2

Yeah, another thing you should just be on. Hey, you were talking about more about testing, like, we obviously are keen to use tools, but what do you what's your approach to testing?

Speaker 3

That was gonna be my last thing I was going to talk about was of.

Speaker 2

Course I'm stealing your thunder brother, I, So I apologize.

Speaker 3

So I guess first off, I'll say, like automated tests, you should be doing it at this point.

Speaker 2

Yes, And the tooling is so good now right, Really we're running out of excuses yep.

Speaker 3

And I find most companies I work with now I don't have to convince them of this. But ten years ago that was a different story. Sure, because they've done like research, the DORA DevOps Research Assessment did a bunch of studies and basically one of the things that they proved was when they interviewed a bunch of software teams, like tens of thousands of software teams, that you move faster with tests, long term and with higher quality. So but I think it's even more important in this era of agentic coding. Like I mentioned, it keeps it on the rail, keeps AI on the rails. I've been in projects that are have minimal tests versus ones that have a lot of tests, and AI does a way better job when they have those rails.

So I personally use xUnit for automated tests, but I don't get too caught up in it, like the more important thing is you're writing tests, not that you're using xUnit versus NUnit. Maybe not MSTest. Don't do that one. Just kidding, just have to take a shot at Microsoft. You're not kidding, come on, yeah, uh, but Microsoft themselves actually use xUnit for dot net, the dot net repos and ASP.NET Core repos. You can go see and they're using xUnit.

Little thing people don't know is there's xUnit came out with a V3 package about a year ago, and it's not just a version upgrade. It's actually called xunit.v3. So if you want to get the new latest bits of xUnit, you need to install that package. So I'm not going to get into the why they didn't just bump the version instead create a new package. But a lot of people don't know that that it's a whole separate package. So I just want to call that out.

Speaker 2

Well, it was breaking changes, wasn't it. Fundamentally? That was the issue.

Speaker 3

Yep, it was breaking changes, and it was enough that the main primary maintainer thought it warranted a whole new package name, not just a higher version. So yeah, some people disagree, but right or wrong, that's what That's what the reality is.

Speaker 2

So yeah, but.

Speaker 3

As I'm creating tests, I start to sometimes what people do when they create tests is they have a lot of setup code, so like the arrange step in arrange, act, assert. And so I want to kind of call call back to this idea of Chekhov's gun, which is, uh, Chekhov was a.

Speaker 2

Russian playwright, sick, yeah, metamorphosis.

Speaker 3

He's a Russian playwright who basically said, if a gun is hanging on the wall in the first act, it should fire in a later act of the play. Otherwise it shouldn't be hanging there. So basically, removed should be mentioned. Yes, remove what's not relevant to the story. And now everybody's brains are racking all the shows that they've seen, where like Game of Thrones that didn't actually have a lot of relevance to the story later on, So yes they did.

Speaker 1

Speaking of irrelevant, Metamorphosis was written by Kafka and not Chekhov. Sorry, about that. You're good, I got my Russian authors mixed up.

Speaker 3

And so we can actually apply that same logic of remove what's not relevant to the story to our tests, because lots of times I come into tests and there's like five ten twenty fifty lines of code for the arrange step, and then I go to the next next test and there's five ten twenty fifty lines of the arrange step, but there's like one slight difference and at a glance I can't tell what the difference is.

Speaker 2

Yeah, So instead covering so much code.

Speaker 3

Yeah, and instead I want to like rip that out and have the setup be more centralized in some way. Now, there's lots of different ways to do this. You might have a method do this, or in NUnit you can put it in a setup method, or in xUnit you can put it in the constructor. But a lot of times if I set up the happy path in whatever setup construct that I have, then I'm just tweaking sad paths in my test. And it's super obvious that, like, oh, I'm setting first name to null and then I'm asserting that, hey, I get an error message when first name is null, and it's super easy to see versus you know, five to twenty lines of setup that it's hard to pick out. Oh, it's the null that's different. Right.

So something to think about when you're writing tests is, hey, what's actually relevant to the story and what can I rip out and make it a little bit easier at a glance? What's different about this test versus a different test in this file. So so that's just kind of a concept you can apply. Is that Chekhov's gun concept of remove what's not relevant to the story when it applies comes to your test.

Speaker 1

Good stuff, And if you're using AI to write your tests, then make sure you put that in the system prompt yep, for sure.

Speaker 2

Yeah, AI's applied Chekhov's gun. Yeah.

Speaker 3

AI is really good at following patterns. So if you don't do that from the get go, it will start to just proliferate that through your code base.

Speaker 2

Yeah, it's fair enough.

Speaker 1

This is such good advice, Scott, And it reminds me of the pattern and practices blocks that we used to use.

Speaker 2

Back in the day.

Speaker 1

Back in the day. Yeah, just the right way to do logging and the right way to do database access and all that stuff. And of course those things change and things get irrelevant, but it's really great to hear your your thoughts and they're they're wonderful, So thank you.

Speaker 3

Yeahoris, it's from a lot of pain I've experienced over the years, so trying to distill that pain into sure tips for people to go back and apply immediately back at work.

Speaker 2

Great. Well, thanks again, Scott.

Speaker 1

It's been great talking to you and we'll talk to you next time on dot net rocks. Dot net Rocks is brought to you by Franklin's Net and produced by Pop Studios, a full service audio, video and post production facility located physically in New London, Connecticut, and of course in the cloud online at pwop dot com.

Speaker 4

Visit our website at d O T N E T R O c k S dot com for RSS feeds, downloads, mobile apps, comments, and access to the full archives going back to show number one, recorded in September two.

Speaker 2

Thousand and two. And make sure you check out our sponsors.

Speaker 1

They keep us in business.

Speaker 2

Now go write some code, see you next time. You got a Javans

Speaker 3

And

Transcript source: Provided by creator in RSS feed