8

I'm looking at .NET Core more closely and what I don't seem to find any info on is how do you apply security updates?

If I have all my assemblies with the application, detached from Windows Update, in case of security patches to the components, how would I update them?

When you use the framework that comes with the OS, you only update once, but if you have a bunch of sites, I need to update each of them separately? And I assume it would all need to start from my original source, do an update there and then re-deploy everything, because if I just update the deployments via command line, and I don't do the same with my source, I'll re-deploy the insecure bits again.

romeozor
  • 861
  • 1
  • 11
  • 26

1 Answers1

5

You will always have to do this anyways, as system updates would only affect the runtime, not the packages your app references that are from nuget or other sources.

.NET Cores in 2 flavors

1. Portable Applications

Portable applications are like what you are used from .NET Framework. You install the runtime/SDK and your application only references these core set of but doesn't deploys them with your application.

There it's sufficient to update the runtime. Advantages are smaller deployment packages. Disadvantages are that you require to install the correct version of the runtime on the system before deploying.

2. Self-contained Applications

Self-contained application on the other side do not require an installed runtime and will deploy the necessary system libraries with the application.

The advantages here are, that you can deploy applications and run multiple applications side-by-side which use the libraries they were compiled with without side-effects from framework or runtime updates.

Disadvantage is, bigger size and lack of central update mechanism for fixes and security updates.

But in the end, the issues is still same. Neither of the 2 flavors will solve the problem when one of your non-.NET-Framework dependencies will be upgraded or receive security fixes.

So rebuilding/redeploying your application with the updated set of libraries is still required with both flavors and it was required so with the old .NET Framework.

To upgrade older applications or versions you should utilize a source control system. Use tags for milestone/versions, so you can always check out the tag upgrade it's dependencies and commit + deploy it.

Also .NET Core can be utilized with docker, so deployment should be easy when you use some docker orchestration tool like Rancher.

On top of that, specific libraries (like cryptography) aren't shipped via NuGet/.NET Core Runtime, just their wrappers. Cryptography for example has a native dependency on CryptoAPI on Windows and OpenSSH on Linux/MacOS. When a bug gets fixed in OpenSSH this will be covered by the system update mechanism (i.e. apt-get etc.).

Community
  • 1
  • 1
Tseng
  • 61,549
  • 15
  • 193
  • 205
  • Yes I'm wondering about updates to the framework itself (System.Pancake etc), not packages like Json.Net or EntityFramework. Because as far as I can tell, the full framework comes with the OS, while I need to download the bits for Core, that the "lightweight" deployment references. But who will keep the Core bits updated? I'm certain Windows Update will not. (I'm asking cos I'll need to explain this to IT.) – romeozor Mar 22 '17 at 19:32
  • No, .NET Core isn't updated via Windows Update yet. No idea if there are any plans to do so. You have to keep it updated yourself (or more specific: portable apps => the admin; self-contained apps developer/devops), like with 98% of all other software – Tseng Mar 22 '17 at 19:58
  • If you search for .net core vulnerabilities, you can see that the process of patching these errors can be harder than previously, as with the standard .net framework. This is definitely a disadvantage, especially when a web application is developed, then the developers leave to work on other things. – Frank Hileman Mar 07 '18 at 00:13