Stories with Tag .NET

• Why F#?

  permalink

  Posted: 2025-04-01 12:34:07

  Verbose tl;dr

  F# offers a compelling blend of functional and object-oriented programming, making it suitable for diverse tasks from scripting and data science to full-fledged applications. Its succinct syntax, strong type system, and emphasis on immutability enhance code clarity, maintainability, and correctness. Features like type inference, pattern matching, and computational expressions streamline development, enabling developers to write concise yet powerful code. While benefiting from the .NET ecosystem and interoperability with C#, F#'s distinct functional-first approach fosters a different, often more elegant, way of solving problems. This translates to improved developer productivity and more robust software.

  This blog post, titled "Why F#?", by Ivan Batsov, extols the virtues of the F# programming language, portraying it as a robust and versatile tool suitable for a wide array of development tasks. The author meticulously lays out a comprehensive argument in favor of F#, highlighting its strengths and emphasizing its practical applicability.

  Batsov commences by acknowledging the perceived complexity of adopting a new programming language, recognizing the investment of time and effort required. He then proceeds to dismantle this potential barrier by showcasing the multifaceted benefits of F#. A key argument revolves around F#'s inherent ability to enhance developer productivity. This is attributed to features such as its concise syntax, strong type system, and powerful type inference, which collectively minimize boilerplate code and reduce the likelihood of errors. The result, according to Batsov, is a streamlined development process with faster iteration cycles and higher overall code quality.

  The post further emphasizes the suitability of F# for various programming paradigms. Its functional-first nature encourages immutability and pure functions, leading to more predictable and testable code. However, the language doesn't restrict developers to a purely functional approach. Batsov underscores F#'s seamless integration with object-oriented and imperative paradigms, providing developers with the flexibility to choose the most appropriate approach for each specific task. This hybrid nature allows developers to leverage the strengths of different paradigms while mitigating their respective weaknesses.

  The author dedicates a substantial portion of the post to showcasing F#'s prowess in specific domains. He highlights its suitability for web development, both backend and frontend, using examples like the SAFE stack and Fable. He also emphasizes its strength in data science and machine learning, pointing to the availability of powerful libraries and tools. Furthermore, the post advocates for F#'s effectiveness in scripting, build automation, and even game development, demonstrating its versatility and wide-ranging applicability.

  The robust tooling and active community surrounding F# are also cited as significant advantages. Batsov mentions the excellent IDE support provided by Visual Studio and Ionide, facilitating a smooth and productive development experience. He further points to the vibrant and supportive F# community, readily available to assist newcomers and contribute to the language's ongoing evolution.

  Finally, the post addresses the potential concern of limited job opportunities for F# developers. While acknowledging that F# might not be as widely adopted as some other languages, Batsov argues that its growing popularity and increasing demand in specific niche areas, such as FinTech, present promising career prospects for skilled F# developers. He concludes by reiterating his belief in F#'s potential as a powerful and enjoyable programming language, urging readers to explore its capabilities and consider it for their next project.

  • F#
  • Functional Programming
  • Programming Languages
  • .NET
  • OCaml
  • Type Inference
  • Immutability
  • concurrency
  • Software Development
  • Static Typing

  Summary of Comments ( 91 )
  https://news.ycombinator.com/item?id=43546004

  Verbose tl;dr

  Hacker News users discuss the merits of F#, often comparing it to other functional languages like OCaml, Haskell, and Clojure. Some commenters appreciate F#'s practicality and ease of use, especially within the .NET ecosystem, highlighting its strong typing and tooling. Others find its functional purity less strict than Haskell's, viewing it as both a benefit (pragmatism) and a drawback (potential for less elegant code). The discussion touches on F#'s suitability for specific domains like data science and web development, with some expressing enthusiasm while others note the prevalence of C# in those areas within the .NET world. Several comments lament the comparatively smaller community and ecosystem surrounding F#, despite acknowledging its technical strengths. The overall sentiment appears to be one of respect for F# but also a recognition of its niche status.

  The Hacker News post "Why F#?" with the ID 43546004 has several comments discussing the merits and drawbacks of F#, often in comparison to other functional languages like OCaml and Haskell, and also in relation to C#.

  Several commenters appreciate F#'s pragmatism and its smooth interoperability with the .NET ecosystem. One commenter highlights this by pointing out how easy it is to leverage existing C# libraries and infrastructure while still enjoying the benefits of F#'s functional paradigm. This sentiment is echoed by others who see F# as a practical choice for real-world projects where integration with existing .NET codebases is essential.

  The discussion also touches upon the learning curve associated with F#. Some find its syntax relatively easy to grasp, especially for those coming from a C# background. However, others point out the conceptual leap required to fully embrace functional programming concepts, suggesting that this can be a hurdle for some developers. The algebraic data types and pattern matching features of F# are mentioned as powerful tools, but potentially challenging for newcomers to the functional world.

  OCaml is frequently brought up as a comparison point, with some commenters viewing F# as a more practical, industry-focused alternative to OCaml's more academic roots. The stronger typing system of OCaml is mentioned as a potential advantage, while F#'s close ties to the .NET ecosystem are seen as a significant plus for many developers.

  Performance is another topic of discussion. One commenter mentions F#'s competitive performance, particularly when leveraging its ability to interoperate with optimized C# libraries. Another emphasizes the benefits of immutability for simplifying reasoning about code and potentially enhancing performance in concurrent scenarios.

  Finally, the relatively small community around F# is mentioned as both a potential downside (fewer readily available resources) and an upside (a tighter-knit and more supportive community).

  In summary, the comments generally paint a positive picture of F#, emphasizing its practicality, interoperability with .NET, and reasonable learning curve. While acknowledging the existence of a smaller community and the initial challenges of adopting functional programming principles, the commenters generally see F# as a powerful and viable option for a variety of development tasks, particularly within the .NET ecosystem.

• Span<T>.SequenceEquals is faster than memcmp

  permalink

  Posted: 2025-03-30 14:53:33

  Verbose tl;dr

  .NET 7's Span<T>.SequenceEqual, when comparing byte spans, outperforms memcmp in many scenarios, particularly with smaller inputs. This surprising result stems from SequenceEqual's optimized implementation that leverages vectorization (SIMD instructions) and other platform-specific enhancements. While memcmp is generally fast, it can be less efficient on certain architectures or with smaller data sizes. Therefore, when working with byte spans in .NET 7 and later, SequenceEqual is often the preferred choice for performance, offering a simpler and potentially faster approach to byte comparison.

  Richard Cock's blog post, "Span.SequenceEquals is faster than memcmp," explores a surprising performance discovery in .NET. The author initially sought a faster way to compare byte arrays, assuming the tried-and-true memcmp function from the C standard library would be the most performant option. This assumption stemmed from memcmp's likely optimized implementation at the assembly level, potentially leveraging specialized CPU instructions like SIMD.

  Cock's investigation began by benchmarking memcmp against several .NET-based comparison methods. Unexpectedly, the .NET's Span<T>.SequenceEquals method, designed for generic sequence comparison, consistently outperformed memcmp, even when comparing byte arrays. This result was surprising because Span<T>.SequenceEquals, being a generic method, might be expected to carry some overhead compared to a specialized function like memcmp designed solely for byte comparison.

  The blog post then delves into the reasons behind this performance disparity. Through detailed profiling and analyzing the generated assembly code, Cock discovered that the RyuJIT compiler, .NET's Just-In-Time compiler, applies significant optimizations to Span<T>.SequenceEquals when used with byte arrays. These optimizations include vectorization using SIMD instructions, effectively processing multiple bytes simultaneously. Furthermore, RyuJIT also eliminates bounds checks within the loop, further reducing overhead. The combined effect of these optimizations allows Span<T>.SequenceEquals to achieve a significant performance advantage over the unoptimized memcmp calls made through P/Invoke.

  Specifically, the author discovered that while their P/Invoke call to memcmp was not being inlined by the JIT compiler, the call to SequenceEquals was being inlined and heavily optimized. This inlining avoided the function call overhead and allowed the JIT to leverage the context of the comparison within the calling method, further improving performance.

  The post concludes by highlighting the power of .NET's runtime optimizations. The fact that a generic method like Span<T>.SequenceEquals can outperform a specialized C function speaks to the effectiveness of RyuJIT's optimizations. It encourages developers to consider and explore .NET's built-in functionalities before resorting to external libraries or P/Invoke, as the runtime can often provide surprisingly efficient implementations. The author further suggests that this performance difference underscores the importance of profiling and benchmarking to identify unexpected performance bottlenecks and discover optimal solutions within the .NET ecosystem.

  • C#
  • .NET
  • Span<T>
  • performance
  • memcmp
  • Memory Comparison
  • optimization
  • benchmarking
  • data structures
  • algorithms

  Summary of Comments ( 27 )
  https://news.ycombinator.com/item?id=43524665

  Verbose tl;dr

  Hacker News users discuss the surprising performance advantage of Span<T>.SequenceEquals over memcmp for comparing byte arrays, especially when dealing with shorter arrays. Several commenters speculate that the JIT compiler is able to optimize SequenceEquals more effectively, potentially by eliminating bounds checks or leveraging SIMD instructions. The overhead of calling memcmp, a native function, is also mentioned as a possible factor. Some skepticism is expressed, with users questioning the benchmarking methodology and suggesting that the results might not generalize to all scenarios. One commenter suggests using a platform intrinsic instead of memcmp when the length is not known at compile time. Another commenter highlights the benefits of writing clear code and letting the JIT compiler handle optimization.

  The Hacker News post "Span.SequenceEquals is faster than memcmp" sparked a discussion with several insightful comments. Many commenters focused on the nuances of performance comparisons and the specific scenarios where SequenceEquals might outperform memcmp.

  One commenter pointed out the importance of considering data alignment when comparing these methods. They highlighted that memcmp benefits significantly from aligned data, while SequenceEquals might not experience the same advantage. This difference in behavior, they argued, could explain some of the performance discrepancies observed in the original article. The commenter went on to speculate that the benchmark might have involved unaligned data, favoring SequenceEquals. They suggested repeating the benchmark with aligned data for a fairer comparison.

  Another commenter delved into the implementation details of SequenceEquals. They explained how the method likely leverages vectorized instructions, leading to performance gains. They also emphasized that the specific hardware and runtime environment play a crucial role in determining which method is faster. This comment reinforced the idea that performance optimization is context-dependent and requires careful consideration of various factors.

  Adding to the discussion about alignment, one user suggested that the choice between SequenceEquals and memcmp could depend on the expected data patterns. For frequently unaligned data, SequenceEquals might be the better option. Conversely, if data alignment is guaranteed or highly probable, memcmp could be preferred. This practical advice provided a useful guideline for developers facing similar optimization challenges.

  The potential overhead of range checks in SequenceEquals was also brought up. One comment suggested that these checks, while important for safety, might introduce some performance cost. However, they acknowledged that modern compilers are often capable of eliminating redundant checks, mitigating this potential issue.

  Finally, a commenter emphasized the importance of accurate benchmarking methodology. They suggested using established benchmarking libraries to ensure reliable and repeatable results. This comment highlighted the importance of rigorous testing when comparing performance.

  Overall, the comments provide a valuable extension to the original article. They offer insights into the complexities of performance optimization, emphasizing the importance of data alignment, hardware specifics, and accurate benchmarking. The discussion moves beyond a simple comparison of two methods and explores the nuances of their behavior in different scenarios.

• (Reasonably) secure Azure Pipelines on-prem deployments

  permalink

  Posted: 2025-03-04 16:25:54

  Verbose tl;dr

  This blog post details a method for securely deploying applications to on-premises IIS servers from Azure Pipelines without exposing credentials. The author leverages a self-hosted agent running on the target server, combined with a pre-configured deployment group. Instead of storing sensitive information directly in the pipeline, the approach uses Azure Key Vault to securely store the application pool password. The pipeline then retrieves this password during the deployment process and utilizes it with the powershell task in Azure Pipelines to update the application pool, ensuring credentials are not exposed in plain text within the pipeline or agent's environment. This setup enables automated deployments while mitigating the security risks associated with managing credentials for on-premises deployments.

  This blog post details a method for implementing reasonably secure deployments from Azure Pipelines to on-premises IIS servers, focusing on minimizing the attack surface and adhering to the principle of least privilege. The author outlines a process that avoids storing sensitive credentials like passwords directly within the pipeline definition, leveraging Azure Key Vault for secure secret management and Managed Identities for authentication.

  The core strategy revolves around establishing a dedicated deployment user account on the target IIS server. This account is granted only the necessary permissions to deploy and manage the specific application, adhering to the principle of least privilege. It explicitly does not have administrative privileges. This minimizes the potential damage if the account is compromised.

  The deployment process utilizes a self-hosted agent running on the on-premises server, which is registered with the Azure DevOps project. Critically, the agent itself doesn't hold any secrets. Instead, it leverages a Managed Identity assigned to the Azure DevOps project. This Managed Identity has permissions to access the necessary secrets stored in Azure Key Vault. During the deployment process, the pipeline instructs the agent to retrieve the deployment user's credentials from Key Vault using its Managed Identity. These credentials are then used to authenticate with the IIS server and perform the deployment tasks.

  The actual deployment steps involve using the msdeploy.exe utility. The retrieved credentials are passed securely to msdeploy.exe to authenticate with the target IIS server. The pipeline script then uses msdeploy.exe to sync the application files from the build artifact to the IIS server and configure the application within IIS. The author emphasizes the importance of using the -declareParamFile option with msdeploy.exe to avoid exposing sensitive information in the pipeline logs. This approach stores the sensitive deployment parameters in a separate file that is accessed securely during the deployment process.

  The author also touches on securing the web.config file. They recommend excluding the web.config from the initial deployment and instead using a separate, dedicated step to deploy a transformed web.config file. This transformed configuration file contains environment-specific settings retrieved securely from Azure Key Vault, ensuring sensitive information like connection strings isn't embedded in the application's source code. This approach separates configuration from code and allows for environment-specific configurations without compromising security.

  Finally, the post briefly discusses the option of using deployment groups as an alternative to individual self-hosted agents. However, the core principles of using Managed Identities, Azure Key Vault, and least privilege remain the same regardless of the chosen deployment method. The author advocates for this approach as a more secure and manageable way to handle deployments to on-premises IIS servers compared to traditional methods relying on stored credentials.

  • Azure DevOps
  • Azure Pipelines
  • On-Premises
  • deployment
  • Security
  • IIS
  • Self-Hosted Agents
  • DevOps
  • CI/CD
  • Continuous Integration
  • Continuous Deployment
  • Infrastructure as Code
  • Windows Server
  • .NET

  Summary of Comments ( 32 )
  https://news.ycombinator.com/item?id=43256802

  Verbose tl;dr

  The Hacker News comments generally praise the article for its practical approach to a complex problem (deploying to on-premise IIS from Azure DevOps). Several commenters appreciate the focus on simplicity and avoiding over-engineering, highlighting the use of built-in Azure DevOps features and PowerShell over more complex solutions. One commenter suggests using deployment groups instead of self-hosted agents for better security and manageability. Another emphasizes the importance of robust rollback procedures, which the article acknowledges but doesn't delve into deeply. A few commenters discuss alternative approaches, like using containers or configuration management tools, but acknowledge the validity of the author's simpler method for specific scenarios. Overall, the comments agree that the article provides a useful, real-world example of secure-enough deployments.

  The Hacker News post titled "(Reasonably) secure Azure Pipelines on-prem deployments" discussing the linked blog post about secure deployments to IIS using Azure DevOps has generated a small but focused discussion thread. Several commenters engage with the specific technical details and offer alternative approaches or raise potential concerns.

  One commenter points out a potential vulnerability if the deployment agent's machine account, which has write access to the web application directory, is compromised. They suggest an alternative where the build agent packages the application, and a separate deployment process, running under a more restricted account, handles the extraction and deployment to IIS. This separation of duties limits the potential damage from a compromised build agent.

  Another commenter discusses the complexity and challenges associated with using tools like Ansible for deployments, particularly in Windows environments. They acknowledge the benefits of such tools but highlight the effort required to learn and maintain them, contrasting it with the relative simplicity of the approach presented in the blog post. This commenter suggests that while more sophisticated tools exist, the author's method might be a pragmatic solution for those prioritizing simplicity and ease of implementation.

  A third commenter questions the security of storing deployment credentials within Azure DevOps, even if encrypted. They propose using a dedicated secrets management solution like Azure Key Vault for storing sensitive information and retrieving it during the deployment process. This approach enhances security by decoupling the secrets from the deployment pipeline itself.

  The overall sentiment in the comments is one of cautious appreciation for the author's approach. Commenters acknowledge the practicality of the solution while also highlighting potential security concerns and suggesting alternative, more secure, albeit potentially more complex, methods. The discussion revolves around the trade-off between simplicity and security in real-world deployment scenarios. No one outright criticizes the author's method but instead offer constructive feedback and alternative perspectives for achieving secure deployments.

• Why Tracebit is written in C#

  permalink

  Posted: 2025-01-31 23:22:55

  Verbose tl;dr

  Tracebit, a system monitoring tool, is built with C# primarily due to its performance characteristics, especially with regards to garbage collection. While other languages like Go and Rust offer memory management advantages, C#'s generational garbage collector and allocation patterns align well with Tracebit's workload, which involves short-lived objects. This allows for efficient memory management without the complexities of manual control. Additionally, the mature .NET ecosystem, cross-platform compatibility offered by .NET, and the team's existing C# expertise contributed to the decision. Ultimately, C# provided a balance of performance, productivity, and platform support suitable for Tracebit's needs.

  The blog post "Why Tracebit is Written in C#" by Dominik Reichl, the creator of Tracebit, meticulously details the rationale behind choosing C# as the primary programming language for developing the Tracebit system, a client-server application designed for efficient remote desktop control and monitoring, particularly targeting embedded devices.

  Reichl begins by acknowledging that selecting a programming language for a project of this magnitude is a multifaceted decision influenced by various factors beyond just technical capabilities. He then proceeds to systematically justify his choice of C# by evaluating it against several key criteria pertinent to Tracebit's specific requirements.

  Performance is paramount for remote desktop software, and while C# might not be the absolute pinnacle of performance compared to languages like C or C++, Reichl argues that C#'s performance is more than adequate for Tracebit's needs, especially considering the optimizations offered by the .NET runtime environment. He emphasizes the negligible performance difference in the context of the overall system latency, dominated by network communication rather than raw processing power.

  Cross-platform compatibility is another crucial factor, enabling Tracebit to run on various operating systems. Reichl highlights .NET's increasing cross-platform capabilities, facilitated by .NET Core (later renamed .NET), as a significant advantage, although he acknowledges some limitations and platform-specific nuances that require careful consideration. The desire to support both Windows and Linux is explicitly stated as a motivating factor for adopting C#.

  Developer productivity is a critical aspect, especially for a solo developer. Reichl asserts that C#'s clear syntax, robust tooling within the .NET ecosystem, and extensive libraries significantly boost developer productivity. This increased efficiency allows for quicker iteration and feature implementation, contributing to faster development cycles. He specifically mentions features like memory management and type safety as productivity enhancers.

  Familiarity with the language is also a crucial factor. Reichl admits his extensive experience with C# and the .NET platform played a significant role in the decision. This existing proficiency reduces development time and lowers the learning curve, allowing him to focus on core functionalities rather than grappling with a new language.

  Finally, the blog post touches upon the licensing aspect. Reichl explains that C# and .NET's open-source nature and permissive licensing align well with Tracebit's goals. This open-source approach fosters community involvement and ensures flexibility in deployment and distribution.

  In conclusion, the blog post presents a reasoned and comprehensive explanation for the selection of C# as the foundation of Tracebit. Reichl's arguments emphasize the balance between performance, cross-platform compatibility, developer productivity, familiarity, and licensing considerations, ultimately leading to the conclusion that C# offers the optimal blend of features to meet the specific demands of the Tracebit project.

  • C#
  • Tracebit
  • programming language
  • performance
  • .NET
  • Software Development
  • Cross-Platform
  • Windows Development
  • Backend Development
  • Microservices

  Summary of Comments ( 211 )
  https://news.ycombinator.com/item?id=42893622

  Verbose tl;dr

  Hacker News users discussed the surprising choice of C# for Tracebit, a performance-sensitive tracing tool. Several commenters questioned the rationale, citing potential performance drawbacks compared to C/C++. The author defended the choice, highlighting C#'s developer productivity, rich ecosystem (especially concerning UI development), and the performance benefits of using native libraries for the performance-critical parts. Some users agreed, pointing out the maturity of the .NET ecosystem and the relative ease of finding C# developers. Others remained skeptical, emphasizing the overhead of the .NET runtime and garbage collection. The discussion also touched upon cross-platform compatibility, with commenters acknowledging .NET's improvements in this area but still noting some limitations, particularly regarding native dependencies. A few users shared their positive experiences with C# in performance-sensitive contexts, further fueling the debate.

  The Hacker News post "Why Tracebit is written in C#" (https://news.ycombinator.com/item?id=42893622) has generated several comments discussing the author's choice of C# for their performance-sensitive tracing tool.

  Several commenters express surprise at the choice of C# for a performance-critical application, traditionally associated with languages like C/C++. One commenter questions why not Rust, Go, or C++ were considered, given their reputation for speed and efficiency. This sentiment is echoed by another who specifically mentions the garbage collection overhead as a potential performance bottleneck in a tracing tool.

  However, many commenters offer counterpoints, highlighting the strengths of C# and the .NET ecosystem. One points out that the .NET runtime is highly optimized and the garbage collector is sophisticated enough to minimize performance impact in many cases. Another commenter emphasizes the rich libraries and tooling available in .NET, which can significantly speed up development and potentially outweigh any performance disadvantages compared to lower-level languages. The maturity and stability of the .NET platform are also mentioned as factors contributing to developer productivity and application reliability.

  The discussion delves into specific performance aspects, with one commenter suggesting that C#'s allocation patterns might be advantageous in certain scenarios. Another highlights the performance benefits of using Span<T> and Memory<T> in modern C#, suggesting these features address some of the historical concerns about C#'s performance in managing memory. The availability of native interop is also brought up as a way to incorporate performance-critical components written in other languages if necessary.

  Some comments focus on the broader context of language choices. One argues that choosing the language that allows the fastest development and iteration is often the most pragmatic approach, even if it involves some performance trade-offs. Another commenter suggests that premature optimization is a common pitfall and that C#'s productivity benefits might outweigh any perceived performance disadvantages.

  Finally, several commenters share their own positive experiences with using C# for performance-sensitive applications, providing anecdotal evidence that the language is capable of delivering good performance in practice. One commenter specifically mentions using C# for a high-throughput trading system, demonstrating the language's capability in a demanding environment.

  Overall, the comments section reflects a nuanced discussion about the trade-offs between performance and developer productivity. While acknowledging the traditional association of C/C++ with high performance, commenters highlight the strengths of C# and the .NET ecosystem, suggesting that it can be a viable option for performance-sensitive applications, particularly when developer productivity and time-to-market are important considerations.