.NET 2.0 The Silence is Deafening

[joshcombs]

Brad keep up the great work! I have had nothing but great experiences with your company and hope to do so well into the future.

[bootNumlock]

sorry if i have offended, my comments really should be kept more to myself... often times, when i call people out... it is to give some perspective and levity to the situation.

Mascon... sometimes things get tough and i am sorry if i only made them worse.

BTW -- Ballyhoo... the Bears would definitely win [unless bad rex really screwed up and the defense couldn't bail him out ]

[Brangwyn]

Personally I'm still in no hurry for .NET2 only just put it on my own servers recently, as with .NET1 it's still not exactly security friendly in a shared environment, so I'd rather it was done right and take time then be hurried and we find out anyone who requests write permissions under .NET has full access to everyones folders (which trust me can easily happen if it's not done right) .. I'd also like to see it implemented with medium-trust rather than full-trust too.

[PeterD]

Quote:

Originally Posted by Brangwyn

.NET2 only just put it on my own servers recently

So when are you going to offer a reseller plan!

[Brangwyn]

I have for several years actually Peter

[hex]

ROTFLMAO

thats good stuff...

[desirea]

We're closing in on the end of the month. Are there any updates on this issue?
I can't really justify this to myself anymore.

[TNV]

Still not ready, I am still not 100% on .net security I have seen way to many issues and ways to hack just about anything with it and will cause security issues on the local server.

Sorry but I can't justify putting 1000's of customers at risk for something as shooty as .net 2.0 still is. So if you find your self wanting .net 2.0 that bad to move to a .net 2.0 server I wish you luck with .net 2.0 if not 100% configured right and watched your site is bound to get hacked it's along with the server it's on.

We may do a .net 2.0 cluster like the cf off spring from the cluster, it would be a high risk setup and only sites running .net 2.0 code would be allowed. This is something we could rather easy and might be a lot better in the long run. This way everyone on the same box has the same risk for the same reason. But I still hate the idea of any one getting hacked because of it. Grrr..


MS sucks thats my 2 cents..

[logic404]

Brad, if you did that could we (and how easily) move existing customers over to the new cluster?

My biggest (e.g - pays my Vortech bill every year!) customer has been hasseling me for months now on when this is coming and I keep telling them "soon".

[Brangwyn]

If you run .NET in medium trust you considerably reduce the risk of anything bad happening, if you can also isolate domains into their own appPool you'll further reduce the risks if you run each app pool under a unique IIS user.

flip-side is though some aps don't run well or at all under medium trust, but AFIC that's the apps fault.

.NET trust levels work something like this

Full trust - your code can do anything that the account running it can do.
High trust - same as above except your code cannot call into unmanaged code. i.e. Win32 APIs, COM interop.
Medium trust - same as above except your code cannot see any part of the file system except its application directory.
Low trust - same as above except your code cannot make any out-of-process calls. i.e. calls to a database, network, etc.
Minimal trust - code is restricted from anything but the most trival processing.

[bootNumlock]

couldn't brangwyn be brought in as a consultant on this to speed the process? It appears he has a pretty solid knowledge base on this stuff and has been around since the dawn of time (not saying your old B, but you have been around longer than me and are about a million times sharper when it comes to this stuff.)

does this sound like a possibility?

i have huge issue with denying this feature for so long by hiding behind PSOFT first and now security... i can understand the PSOFT thing... but PSOFT should have been secondary to the security issue.

security should not have been a response to, 'so where are we on this project?'

just my .02

[desirea]

So basically what you're saying Brad is that you aren't going to put .Net 2.0 on these servers.... that's what I'm getting right now.

[TNV]

Even brangwyn has recommend not seeing .net 2.0 on these servers and I don't blame him.

As for the appPool's thats not going to happen on our level there is no way we could run and app pool for every sites on a .net server that would not be cost efficient for us as it's going to just kill the server.

What I am saying is there is no way to run it in it's current state in our setup, some due to psoft some due to the way .net would need to be run. If we did a branch off the cluster then we could do it easier like CF is done. This would make more senese but does make more work for the reseller and our self but could be less work if box is getting hacked due to shady .net code.

I have not ruled anything out, in any case I still need to wait until H-Sphere is ready to be upgreaded before we can even work towards this.

[PeterD]

Quote:

Originally Posted by admin

If we did a branch off the cluster then we could do it easier like CF is done.

If security and resource usage really are such big issues, I'd favour a CF-type cluster and would gladly create some new plans for .NET 2. Although it'd also be great to see such a cluster still support PHP and classic ASP too. How about a poll Brad?

[desirea]

Well .net 2.0 current state isn't going to be changed significantly since MS has released v. 3.0. so unless you are willing to change or adapt, you're not going to put .Net 2.0 on your servers. (psoft aside)