Keynote: CTRL+SHIFT+(BUILD) PAUSE#

Speaker: Laila Bougria
YouTube link: https://www.youtube.com/watch?v=6UGgP8l7TA4

One big take-away mentioned in the Keynote by Laila Bougria, is that our “coding muscle” needs to be used to keep it sharp. In the AI/copilot world we currently live in, perhaps it doesn’t get the practice it needs. Maybe AI-free Friday should be a thing?

Thinking Functionally with C##

Speaker: Simon Painter
YouTube link: https://www.youtube.com/watch?v=NYPyI3IAO24

.NET supply chain: Protecting against hidden threats#

Speaker: Tom van den Berg
YouTube link: https://www.youtube.com/watch?v=eifBCQB71l8

Talked about the Cyber resilience act (EU), and tooling for supply chain security:

.NET tooling examples:

• dotnet list package (for listing packages and their versions per project)
• dotnet list package --include-transitive (for listing all packages including transitive dependencies)
• dotnet nuget why SolutionFile.sln Package.Name (to find out why a package is referenced in a project)
• <NugetAudit> - a MSBuild target that can be added to projects to check for vulnerabilities during build time
• <NugetAuditMode>All<NugetAuditMode> - Builds on <NugetAudit> to scan the whole dependency tree for vulnerabilities
• <RestorePackagesWithLockFile>true</RestorePackagesWithLockFile> - enables package lock files to enforce deterministic and repeatable package restores of all dependencies (including transitive dependencies)
• Nuget signatureValidationMode to enforce package signature validation (https://learn.microsoft.com/en-us/nuget/consume-packages/installing-signed-packages)

Vulneravility scanning and license monitoring:

A tool worth having a look at: https://trivy.dev

For instance, it can be used to scan for licenses (e.g.: GPL):

trivy fs --scanner license

Other useful tools mentioned:

• Best practices for reproducible builds: https://github.com/dotnet/reproducible-builds
• Google SLSA framework: https://cloud.google.com/blog/products/application-development/google-introduces-slsa-framework

Tales from the trenches: Building a distributed system with Aspire and Dapr#

Speaker: Nico Vermeir
YouTube link: https://www.youtube.com/watch?v=AdCC9g4qU5g

Talks about some of the advantages of Aspire (e.g. can restart only one project/component rather than the whole solution) and Dapr with Aspire (not having to write yaml for configuring Dapr).

10 Things I Do On Every .NET App#

Speaker: Scott Sauber (https://scottsauber.com)
YouTube link: https://www.youtube.com/watch?v=SvcRvolP2NE

Quickly summed up:

• Sort/arrange files by features rather than type (by type is a bit SOAP…)
• Treat warnings as errors
• Use structured logging
• Separate logs/metrics/audits
• Fallback policy in case you forget [Authorize] on your controller
• Remove server header (e.g. Kestrel) in WebHost.UseKestrel()
• Modern .sln files in XML (.net9)
• Trunk based development rather than gitflow (build once - deploy many times)
• ServiceProviderOptions => config.ValidateOnBuild = true - to ensure scoping is done right
• Feature toggles to keep features disabled in prod
• Central package management for the solution

<!-- In Directory.Packages.props 👇 -->
<Project>
  <PropertyGroup>
    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
 </PropertyGroup>
 <ItemGroup>
   <PackageVersion Include="xunit" Version="2.6.6" />
 </ItemGroup>
</Project>

<!-- In consuming cproj's 👇 -->
<ItemGroup>
  <PackageReference Include="xunit" />
</ItemGroup>

Let’s Fight a Dragon with Godot#

Speaker Kristian Hiim
YouTube link: https://www.youtube.com/watch?v=1rSZlViwiwU

A fun, gamified talk about how to get started with game development using the Godot engine.