If a vulnerability were to be discovered for any versions 3/4/5 and a patch were to be released - where would ServiceStack publish vulnerability information?
If we've been made aware of a vulnerability we'd resolve it in the next release and include it in the Release Notes, e.g. a vulnerability we were notified about was discovered by Microsoft Vulnerability Research team when using object properties in DTOs.
All previous versions of the various Microsoft.ApplicationInsights.* packages on nuget.org have all switched to being deprecated. This feels unusual for a minor release, and it's not acknowledged in the release notes. Is there a reason for this?
e.g. https://www.nuget.org/packages/Microsoft.ApplicationInsights.AspNetCore
To answer my own question for anyone else that might be wondering if they need to upgrade Application Insights packages, the short answer is no. You can keep on using the version you are on with the usual consideration for the patch and minor release notes.
This is a recent move by the Application Insights team to comply with the Azure SDK lifecycle and support policy that states:
or has been superseded by a more recent release. In both cases, the current library is deprecated in favor of a newer library.
The main driver is that support requests are typically resolved by updating to the latest SDK version, so only 'supporting' the latest version ensures we all try that first before teams commit resources to support.
Source: Application Insights GitHub issue.
Our current production version is PC 11.52 patch1 and our company is going to start IE11 roll out soon. We don't have many issues with our current production version so we would like to use it. But 11.52 doesn't support IE11. Because full migration needs lots of work (we have more than 100 projects), we are investigating alternative solutions. We tested 11.52 VuGen with IE11 and it seems that VuGen can record scripts in WinInet mode. Would it be possible to record scripts using WinInet level capture and run them using Sockets? Are there any limitations using WinInet capturing and what pitfalls might this approach bring?
I don't know about PC 11.52 but I can answer regarding LoadRunner 11.52 (VuGen 11.52). It doesn't support IE11 because in IE11 Microsoft added some API which we had to add to LoadRunner in order for it to work. The API was officially added in version 12 but a patch exists for version 11.52. The problem is that the patch is not available for direct download so you will have to open a support case. When you open the case please describe the problem and ask for the patch for defect (77102).
EDIT: If you ask the same question on the official LoadRunner support forum then the support staff will be able to attach the file directly.
I want to use OpenRasta in a Windows Service to accept REST calls and know it can be self-hosted by HttpListenerHost. OWIN seems to be the latest and greatest self-hosted web server. Is there an advantage to using OWIN over HttpListenerHost? In terms of performance, flexibility, etc? Is it even possible to use OpenRasta with OWIN?
Blake, we recently released an Owin middleware package on NuGet you can try out.
Some more details here
http://tech.just-eat.com/2014/10/07/opensourced-openrasta-middleware/
In addition to that I'm working on a vNext version as the IAppBuilder has now changed to IApplicationBuilder so need some tweaks.
Just adding to Thomas' answer, since 2.6 the Owin support started by Just-Eat has been moved to the main repository, and we have packages specifically targeting Katana and Mvc Core. A preview 3 will be released soon, but CI packages are of course available. More details are available at https://github.com/openrasta/openrasta-core
How do I get the source for a specific stable release of ServiceStack from GitHub?
I'm trying to download and build the source for version 3.9.0.0 but I am having two sorts of problems.
1) There are no labels for the main service stack project so I can't figure out at what commit the 3.9.0.0 was built from.
2) Since Service Stack main project depends on ServiceStack.Text I also need to know against what version of ServiceStack.Text the ServiceStack 3.9.0.0 was built against.
If anyone wonders, the reason I ask this is because the later ServiceStack releases are not all backward compatible and a project I recently took over is throwing exceptions down in ServiceStack.Text. And the version of ServiceStack.Text seems important since the versions of ServiceStack and ServiceStack.Text I downloaded collided on build on extension.
The state I am at is that I got source for what seems to be 3.9.4 and I managed to get hold of a NuGet package of ServiceStack.Text with version 3.9.0.0 that I could compile against (no source) and this actually killed off the troubling exception in ServiceStack.Text so that problem seems at least temporarily solved. At the next issue I'll probably be stuck again so I'd really like the source. (It is the point with open source after all, right?)
Best regards, Nick
Although older versions are not supported by ServiceStack, you could go back through the ServiceStack commit logs until you see a message that says INCR to v3.9.x.
One way to quickly browse releases is to look at changes to the Properties/Assembly.cs file which changes when the version is incremented.
As ServiceStack uses components from different sub projects, you will need to do the same for ServiceStack.Text, ServiceStack.OrmLite and ServiceStack.Redis as well.
ServiceStack keeps the same version in-sync with the other components, so the v3.9.4 of ServiceStack uses a v3.9.4 of ServiceStack.Text, etc.
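The lookup described in the answer above, as an added example that is not part of the original thread and not ServiceStack tooling: it searches commit subjects for the `INCR to v…` message, limited to commits touching the version file, and repeats the lookup for each component. The function names and the demo history are constructed for illustration; against real clones you would call `pin_components` with the directory holding them.

```shell
# Added example; function names and the demo repositories are hypothetical.

commit() {  # commit everything with a fixed demo identity
  git add -A && git -c user.name=demo -c user.email=demo@example.invalid \
    -c commit.gpgsign=false commit -q -m "$1"
}

# make_demo_repo DIR: constructed history standing in for a real clone.
make_demo_repo() (
  mkdir -p "$1/Properties" && cd "$1" || exit 1
  git init -q .
  for v in 3.9.3 3.9.4 3.9.40; do
    echo "// version $v" > Properties/Assembly.cs; commit "INCR to v$v"
    echo "fix after $v" >> notes.txt;              commit "bug fix after v$v"
  done
)

# find_version_commit REPO VERSION [FILE]
# Prints the hash of the earliest commit whose subject says "INCR to vVERSION".
# Dots are escaped and the trailing group keeps 3.9.4 from matching 3.9.40.
find_version_commit() (
  re="INCR to v$(printf '%s' "$2" | sed 's/\./\\./g')([^0-9.]|\$)"
  if [ -n "${3:-}" ]; then
    git -C "$1" log --reverse --format='%H %s' -- "$3"
  else
    git -C "$1" log --reverse --format='%H %s'
  fi | grep -E "$re" | head -n 1 | cut -d' ' -f1
)

# pin_components BASE VERSION REPO...: one "name hash" line per component,
# relying on the components sharing the same version number.
pin_components() (
  base=$1; version=$2; shift 2
  for name in "$@"; do
    hash=$(find_version_commit "$base/$name" "$version" Properties/Assembly.cs)
    echo "$name ${hash:-NOT-FOUND}"
  done
)

demo=$(mktemp -d)
make_demo_repo "$demo/ServiceStack"
make_demo_repo "$demo/ServiceStack.Text"
pin_components "$demo" 3.9.4 ServiceStack ServiceStack.Text
```

Each printed hash can be passed to `git checkout` in the matching clone to build that release from source.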
When using 3rd party libraries/components in production projects, are you rigorous about using only released versions of said libraries?
When do you consider using a pre-release or beta version of a library (in dev? in production, under certain circumstances)?
If you come across a bug or shortcoming of the library and you're already committed to using it, do you apply a patch to the library or create a workaround in your code?
I am a big fan of not coding something when someone else has a version that I could not code in a reasonable amount of time or would require me to become an expert on something that wouldn't matter in the long run.
There are several open source components and libraries I have used in our production environment such as Quartz.NET, Log4Net, nLog, SharpFTPLibrary (heavily modified) and more. Quartz.NET was in beta when I first released an application using it into production. It was a very stable beta and I had the source code so I could debug an issue and there were a few. When I encountered a bug or an error I would fix it and post the issue to the bug tracker or author. I feel very comfortable using a beta product if the source is available for me to debug any issues or there is a strong following of developers hammering out any issues.
I've used beta libraries in commercial projects before but mostly during development and when the vendor is likely to release a final version before I finish the product.
For example, I developed a small desktop application using Visual Studio 2005 Beta 2 because I knew that the RTM version would be available before the final release of my app. Also I used a beta version of FirebirdSQL ADO.NET Driver during development of another project.
For bugs I try to post complete bug reports whenever there's a way to reproduce it but most of the time you have to find a workaround to release the application ASAP.
Yes. Unless there's a feature we really need in a beta version.
There's no point using a beta version in dev if you aren't certain you'll use it in production. That just seems like a wasted exercise
I'll use the patch. Why write code for something you've paid for?
> There's no point using a beta version in dev if you aren't certain you'll use it in production. That just seems like a wasted exercise
Good point, I was also considering the scenario of evaluation of the pre-release version in dev, but I supposed that taints the dev -> test/qa -> prod path.
> I'll use the patch. Why write code for something you've paid for?
What if it's not a commercial library, but an open source one? What if the patch to be applied is not from the releasing entity (e.g. your own patch)?
I use:
Infragistics (.NET WinForms controls)
LeadTools (video capture)
Xtreme ToolkitPro (MFC controls)
National Instruments Measurement Studio (computational libraries, plotting, and DAQ)
I've found significant bugs in every one of these, so I try to limit their use as much as possible. Infragistics is pretty good for what it is, and National Instruments is by far the best, although quite limited. I would avoid LeadTools at all cost.