benjaminm's blog - Monday, October 25, 2004

Monday, October 25, 2004

Scott Guthrie on ASP.NET 2.0's development process

Scott Guthrie has written an excellent post about the ASP.NET 2.0 development process and the steps to Beta 2 and a 'go live' license. This is an interesting post on two levels. First, I love learning about how Microsoft builds software (I love the game of shipping of software and finding out ways to improve it). Second, I think ASP.NET is an incredible product and am excited about being able to 'use it anger' (as they say in the UK) soon.

Here are my notes on the key concepts from Scott's post. It's interesting to compare the ASP.NET 2.0 process to Hervey's description of the WSE 2.0 process.

Zero Bug Bounce (ZBB). A point where there are no open bugs for a particular milestone that are older than 48 hours. The point is "to push teams to sustain a high rate of bug fixing over a period of time". The present goals is to avoid pushing any bugs past Beta 2, meaning that there will be a true zero bugs bounce occurring. There is a lot more information on the ZBB concept: Eric Gunnerson provides a definition, Ron from the Visual C++ team talks about the three types of bounce, Larry Osterman a long-term Microosftie talks about it in the context of Zero Defects and it's also part of the Microsoft Solutions Framework (MSF).

Regression Rates. For the managed code parts of ASP.NET the 'regression rate is around 4% -- meaning approximately 1 in 20 fixes introduces a new bug in the product'

Bug Rates. The test team opened 514 bugs last week, and the dev team closed 648 bugs.

Automated Testing. The team has 102,000 test cases(!). Automated FxCop runs are done over the product. There are two levels of check in test suites. There are base-level unit test coverage of the product prior to checkin that have a block level code coverage of around 64% and take several hours to run. More extensive tests are run each night and take around 12 hours to run.

Checkin process. All code is peer-reviewed (even for senior devs).

Security push. After the ZBB returns to zero there is:

'an in-depth multi-week security analysis of the code in the product … The goal at the end is to feel confident that the product is solid and ready to be attacked by thousands of hackers out there while running on the Internet.'

Tell and Ask Mode
In Tell mode any team is allowed to fix whichever bug they wish, but they have to be able to stand up and justify their decision to the 'central division ship room'. This helps slow the rate of checkins, which reduces the chance of regression issues, helping the quality of the code base increase.

Ask mode means that the central division ship room must give permission to make a change. During this mode, the stress testing can continue. The low rate of checkins makes it easier to identify the source of stress-test failures.

Go Live License. Scott mentions that Beta 2 will provide the first 'go live' license. I can't wait for this to happen.

Another thing I think is admirable is that the ASP.NET 2.0 release seems pretty close to what Scott mentioned back in January as Chris Garty clarified off my notes from Scott's presentation. Although they have had to cut and descope some features (See this article from Jonathan Goodyear, fellow RD) the team look like they've done pretty well sticking to schedule.

.NET

posted on Monday, October 25, 2004 8:13:16 PM (GMT Daylight Time, UTC+01:00)

Sunday, October 24, 2004

Joel Spolsky: Indigo won't enable a new class of applications

In an interview with Mary Joe Foley, Joel Spolsky says that Indigo will make building applications easier, but it won't lead to a whole new class of applications.

If you look at the different aspects [of Longhorn], like Indigo, I'm not really even interested. It's just a big communications architecture that makes it easier for programmers to build communications things. But there's no application you can't build right now because you don't have a good communications architecture. It might be harder (without it), but it's not going to enable you to build a whole new class of applications.

I think there is some truth in this statement. As Steve Swartz has said, Indigo is a replacement of the infrastructure and an evolution of the programming model, through simplification and a unification. As Clemens has demonstrated that you can use existing Microsoft technologies (ASMX, MSMQ, Enterprise Services, and Remoting) to do many interesting things today. If you need to build a service oriented application it’s worth starting today and not holding off until Indigo arrives. However, I think Joel underplays the benefits of making the programming model for service oriented applications simpler.

The problem with building service oriented applications today is that it takes talented developers, like Clemens to do them. As Don has mentioned, one of Indigo's goals is to make things so easy that he will have to join MS to survive.

The applications that are developed on Indigo may not be ‘a whole new class of applications’ (though I think it’s highly likely that the killer apps of the future will be based on top of communication technologies), but the fact they are easier to develop them should lead to more of these types of applications being developed. This is in the same way that VB enabled an increased number of COM applications that could have been built with C++. It’s an interesting argument as to whether VB lead to ‘a whole new class of applications’ being developed.

There are several questions that I still have about the impact of Indigo:

Where will the business imperative to build applications that communicate more come from? Is it that there is a demand today but businesses aren’t developing the applications because of the technical cost?
Will the increased ease of development encourage businesses to build applications that they haven’t considered building today?
Will the pool of distributed application developers increase, or will Indigo just be adopted by the developers who are already building distributed applications?
Will the increased simplicity of Indigo mean that the architectural concepts behind service orientation will be more widely used? For example, I’m puzzled as to why MSMQ doesn’t get more love – message queuing is an important architectural design and MSMQ works very well with a very simple programming API – but I don’t see it used as widely as I think it could be.

Thoughts? Comments?

.NET | Indigo | Web Services

posted on Sunday, October 24, 2004 10:38:24 PM (GMT Daylight Time, UTC+01:00)

Tuesday, October 19, 2004

How to send attachments with Web Services today

Recently someone asked me what is the best way of sending a file to a webservice, given that we know that MTOM is the way forward and Soap with Attachments (SwA) and WS-Attachments/DIME are now deprecated. I agree with many others that using base64 encoding to send the attachment within the SOAP message is the best approach (until we get MTOM).

Background
For those who haven’t followed the attachment saga (Omri has a good overview or the whole sorry story), the basic problems with the previous ways of sending attachments was that they were slow to process and more importantly, placed the attachments outside of the envelope, making it hard to compose attachments with the SOAP processing model and WS-Security specifications. MTOM solves this by defining the rules that allow the content to be sent outside the message as binary (rather than base64) data, but using ‘includes’ to allow that content to be treated as part of the SOAP envelope XML Infoset.

(As an aside, does anyone else find it funny that even though SOAP was based on the analogy of an envelope, the original spec didn’t define where to put the address (hence WS-Addressing) and the three initial attempts at attachments didn’t think to put the attachments inside the envelope? But, I digress.)

MTOM to the rescue (soon)
The future looks bright since WSE 3.0 and Indigo will support MTOM but what’s the best approach today?

One way is to use WSE 2.0’s support for WS-Attachments/DIME, another is to look at SwA (though as Matt Powell points out, SwA was only ever a W3C Note and even that has expired). Since Microsoft doesn’t have any product support for SwA you would have to write your own, or contact a group who have already developed a .NET SwA solution.

Base64 encoding: a good solution for today
Another approach that will work today is to stick with base64 encoded text rather than using SwA or DIME. There are several benefits to using this approach. Martin Gudgin says the schema definition for ‘[an] element definition will work with both XML 1.0 based SOAP services and those that support MTOM as a serialization format.’ Simon Fell agrees that base64 encoding will make it easier to change in future. Matt Powell summarises it well in his great MSDN Article on Web Services, Opaque Data and the Attachments problem when he says:

Base 64 encoding is probably the best way to pass opaque data if transport size efficiency is not your first concern. It will work seamlessly with higher-level WS-* protocols and is smaller than a standard XML encoding.

So the only disadvantage is that the content is base64 encoded which means that it is larger (by about 4/3). Though, as Marc Hadley mentions, you’d have to Base64 encode an attachment even with MTOM if you wanted to sign it.

Simple implementation
Another benefit is that base64 encoding is simple to implement. Here’s an example ASMX endpoint that accepts one way messages containing a file. As you can see the file is defined as a Byte array:

[WebMethod]
[SoapDocumentMethod(OneWay=true)]
public void SaveFile(Byte[] file)
{
// Write the Byte array out using a FileStream
}

The message then looks like this on the wire. As can be seen the content is all inside the envelope, making it easy to use WSE and WS-Security to sign and encrypt the attachment if required.

<xml version="1.0" encoding="utf-8" ?>
   <soap:Envelope
      xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns:xsd="http://www.w3.org/2001/XMLSchema">
     <soap:Body>
         <SaveFile xmlns="urn:benjaminm.net:sendbinary">
            <file>R0l…slyvLIbabN mzMbAtjJsyfPgAA7file>
         </SaveFile>
      </soap:Body>
</soap:Envelope>

.NET | Indigo | Web Services

posted on Tuesday, October 19, 2004 11:12:23 PM (GMT Daylight Time, UTC+01:00)

Sunday, October 03, 2004

Adopting Indigo

Stu Charlton writes about ‘Microsoft, Service and Patents’ concluding that:

Even if Indigo is the all singing, all dancing thing that Microsoft hopes it will be, it doesn't mean people will adopt it en masse and quickly. Firstly, it's a Windows-only technology. That's a big limit to start with. Second, it's very new and rich. There's a learning curve. Third, other vendors are not sitting still. They can and will compete.

His first point, that Indigo may not be adopted because it’s a Windows-only technology, misses the difference between a programming model and the messages that it creates/consumes. Indigo is a programming model that can send messages, which are based on the WS-* specifications, to any other endpoint that can understand these messages. Yes, you have to use Windows to program with the Indigo programming model, but given that many other vendors were involved in creating these specifications and participating in feedback and interop workshops (more info here), it is likely that many Indigo applications will be built to interoperate with applications hosted in non-Windows environments.

His second point is that Indigo is a new programming model. This is true, but viewed another way it is just the combined next version of the existing distributed technology stacks at Microsoft (DCOM, Enterprise Services, MSMQ, Remoting, ASP.NET Web Services, WSE). Many of the Indigo team were involved in building these existing products. So it is new, but it is based on a strong foundation of experience developing other distributed technology stacks. As Steve Swartz comments:

it's important to think about Indigo not as a big change or something new and completely different, but rather as a replacement of infrastructure which you only have to look at if you're the kind of person who likes it, but an evolution of the programming model, a simplification and a unification. [Emphasis mine]

In terms of the learning curve, there’s no doubt that any programming model designed to support distributed computing will be complex. Having said that though, it's interesting to note how much time the Indigo team have devoted to refining the usability of the API to ensure the minimal learning curve for developers. If you compare what was announced at the PDC with what was shown on the Indigo .NET Show for instance you can see that they've been trying to simplify and refine the model and reduce the number of concepts a developer needs to know in order to be productive. In fact one of the reasons I’m so excited about Indigo is this focus on designing the programming model with developer usability as a goal. As Steve Swartz, the Program Manager responsible for the Indigo programming model, describes his role:

My job is to figure out how to make the whole thing approachable without having to know anything about the [WS-*] specs … One of my design goals is to make a programmer familiar with any one of those products [DCOM, Enterprise Services, MSMQ, Remoting, ASMX, WSE] look at Indigo and say ah, that's the next step in my product, mine was the winner. So I'd like a .NET remoting guy to be able to walk up here and say ah, this looks very familiar. Similarly with the Enterprise Services and ASP.NET people … What we're trying to do is to bring all those useful things together in one model.

Finally, in terms of the other vendors not standing still and competing - this is excellent. I would love to see other vendors try and offer a more usable and flexible API to develop WS-* compliant applications – this can only be a good thing for distributed application developers.

Indigo | Web Services

posted on Sunday, October 03, 2004 6:34:28 PM (GMT Daylight Time, UTC+01:00)

Thursday, September 30, 2004

Foamhenge and Australian 'Big' things

Craig Andera discovers Foamhenge, 'a full-scale replica of Stonehenge, only made out of foam' while driving around rural Virginia. Go and check out his photos.

I also find manufactured tourism hilarious. Australia has an abundance of 'big' things: Pineaple, Lobster, Potato (which looks a lot like a poo), Orange and Rocking Horse, just to name a few. I've always dreamt that when I retired I'd drive around Australia visiting them. Imagine my surprise then to find this guy who's already started cataloguing them all:

These truly awesome testaments to things Australian are sometimes unforgettable and inspiring, sometimes tacky and tasteless, often both.

Quality work. Here's my own photo of the Big Merino, which I read may soon be moved by helicopter closer to the highway:

posted on Thursday, September 30, 2004 4:24:39 PM (GMT Daylight Time, UTC+01:00)

Wednesday, September 29, 2004

IUnknown features in the WS-Transfer specification

I was suprised to see COM's IUknown interface makes an appearance in the WS-Transfer specification. If you look at the second example the WS-Addressing MessageID is 00000000-0000-0000-C000-000000000046 the GUID for IUknown.

Web Services

posted on Wednesday, September 29, 2004 8:39:26 PM (GMT Daylight Time, UTC+01:00)

Tuesday, September 21, 2004

Free Developer Security Day with Steve Balmer Keynote

As David Gristwood and Mike Shaw note, on October 4 in London there’s a free Microsoft Technical Briefing Day with sessions on IT security with Steve Ballmer presenting a keynote at the end of the day. Rafal Lukawiecki, a security guru and one of the top-rated speakers from TechEd Amsterdam, will be presenting on Threat Modelling as well as XP SP 2. There’s also a session that I’m particularly interested in on practical lessons learnt with WSE 2.0 on the UK Government Gateway project:

In February this year, a new release of the Government Gateway went live using WSE2.0 to deliver WS-Security, WS-Trust and WS-Policy for UK cross-government authentication and authorisation. With over 4 million users, the Gateway's authentication and messaging facilities provide the backbone of the e-government agenda - and also one of the biggest WS-* implementations to date, coded in just 8 weeks. Find out the good, bad (and ugly) of using WS-Security - hot tips on what makes for good design, and what pitfalls to avoid.

You can register for the event here.

.NET | UK .NET Community | Web Services

posted on Tuesday, September 21, 2004 7:45:52 PM (GMT Daylight Time, UTC+01:00)

Thursday, September 16, 2004

Refactoring-lite with Regular Expressions in VB.NET

I’ve been head-down coding for several weeks (not quite to the ‘having other people feed me’ stage, but close). I’m currently working on a VB.NET 2003 API for a large product and am missing refactoring tools. To make up for it, I’ve been improving my regular expression skills and using Visual Studio's Search and Replace dialogue. The VSEditor blog has a lot of good content on this feature (including a three part series). The search and replace dialogues (both regular and the ‘in files’ versions) have a nice drop-down that displays the regular expression characters along with a description of what they do.

It’s a poor replacement for decent automated refactoring tools but it has made my life considerably easier over the last few weeks.

.NET

posted on Thursday, September 16, 2004 10:41:28 PM (GMT Daylight Time, UTC+01:00)