The U.S. Cybersecurity and Infrastructure Security Agency (CISA) will start providing more hands-on support to open-source software developers as they work to better secure their projects, the agency said. From a report: CISA hosted a two-day, invite-only summit this week with leaders in the open-source software community and other federal officials. During the private event, the agency also ran what's likely the first tabletop exercise to assess how well the government and the open-source community would respond to a cyberattack targeting one of their projects.

During the summit, CISA and a handful of package repositories unveiled new initiatives to help secure open-source projects. CISA is working on a new communication channel where open-source software developers can share threat intelligence and ask the agency for assistance during an incident. The Rust Foundation is developing new public key infrastructure for its repository, which will help ensure that the code developers are uploading isn't malicious and is coming from legitimate users.

npm, which manages the JavaScript programming language, is requiring project maintainers to enroll in multi-factor authentication and is rolling out a tool to generate "software bills of materials," which provide a recipe list of what code and other elements are in a project. Additional repositories -- including the Python Software Foundation, Packagist, Composer and Maven Central -- are pursuing similar projects and also also rolling out tools to help detect and report malware and other security vulnerabilities.

The hype around AI language models has companies scrambling to hire prompt engineers to improve their AI queries and create new products. But new research hints that the AI may be better at prompt engineering than humans, indicating many of these jobs could be short-lived as the technology evolves and automates the role. IEEE Spectrum: Battle and Gollapudi decided to systematically test [PDF] how different prompt engineering strategies impact an LLM's ability to solve grade school math questions. They tested three different open source language models with 60 different prompt combinations each. What they found was a surprising lack of consistency. Even chain-of-thought prompting sometimes helped and other times hurt performance. "The only real trend may be no trend," they write. "What's best for any given model, dataset, and prompting strategy is likely to be specific to the particular combination at hand."

There is an alternative to the trial-and-error style prompt engineering that yielded such inconsistent results: Ask the language model to devise its own optimal prompt. Recently, new tools have been developed to automate this process. Given a few examples and a quantitative success metric, these tools will iteratively find the optimal phrase to feed into the LLM. Battle and his collaborators found that in almost every case, this automatically generated prompt did better than the best prompt found through trial-and-error. And, the process was much faster, a couple of hours rather than several days of searching.

An anonymous reader quotes a report from TechCrunch: Google today is sharing more details about the fees that will accompany its plan to comply with Europe's new Digital Markets Act (DMA), the new regulation aimed at increasing competition across the app store ecosystem. While Google yesterday pointed to ways it already complied with the DMA -- by allowing sideloading of apps, for example -- it hadn't yet shared specifics about the fees that would apply to developers, noting that further details would come out this week. That time is now, as it turns out.

Today, Google shared that there will be two fees that apply to its External offers program, also announced yesterday. This new program allows Play Store developers to lead their users in the EEA outside their app, including to promote offers. With these fees, Google is going the route of Apple, which reduced its App Store commissions in the EU to comply with the DMA but implemented a new Core Technology Fee that required developers to pay 0.50 euros for each first annual install per year over a 1 million threshold for apps distributed outside the App Store. Apple justified the fee by explaining that the services it provides developers extend beyond payment processing and include the work it does to support app creation and discovery, craft APIs, frameworks and tools to support developers' app creation work, fight fraud and more.

Google is taking a similar tactic, saying today that "Google Play's service fee has never been simply a fee for payment processing -- it reflects the value provided by Android and Play and supports our continued investments across Android and Google Play, allowing for the user and developer features that people count on," a blog post states. It says there will now be two fees that accompany External Offers program transactions:

- An initial acquisition fee, which is 10% for in-app purchases or 5% for subscriptions for two years. Google says this fee represents the value that Play provided in facilitating the initial user acquisition through the Play Store.
- An ongoing services fee, which is 17% for in-app purchases or 7% for subscriptions. This reflects the "broader value Play provides users and developers, including ongoing services such as parental controls, security scanning, fraud prevention, and continuous app updates," writes Google.

Of note, a developer can opt out of the ongoing services and corresponding fees, if the user agrees, after two years. Users who initially installed the app believe they'll have services like parental controls, security scanning, fraud prevention and continuous app updates, which is why opting out requires user consent. Although Google allows the developer to terminate this fee, those ongoing services will no longer apply either. Developers, however, will still be responsible for reporting transactions involving those users who are continuing to receive Play Store services.

Epic Games, in a blog post: We recently announced that Apple approved our Epic Games Sweden AB developer account. We intended to use that account to bring the Epic Games Store and Fortnite to iOS devices in Europe thanks to the Digital Markets Act (DMA). To our surprise, Apple has terminated that account and now we cannot develop the Epic Games Store for iOS. This is a serious violation of the DMA and shows Apple has no intention of allowing true competition on iOS devices.

The DMA requires Apple to allow third-party app stores, like the Epic Games Store. Article 6(4) of the DMA says: "The gatekeeper shall allow and technically enable the installation and effective use of third-party software applications or software application stores using, or interoperating with, its operating system and allow those software applications or software application stores to be accessed by means other than the relevant core platform services of that gatekeeper."

In terminating Epic's developer account, Apple is taking out one of the largest potential competitors to the Apple App Store. They are undermining our ability to be a viable competitor and they are showing other developers what happens when you try to compete with Apple or are critical of their unfair practices. If Apple maintains its power to kick a third party marketplace off iOS at its sole discretion, no reasonable developer would be willing to utilize a third party app store, because they could be permanently separated from their audience at any time. Apple said one of the reasons it terminated Epic's developer account only a few weeks after approving it was because the Fortnite-maker publicly criticized its proposed DMA compliance plan, Epic said.

Wayne Williams reports via TechRadar: Qualcomm has unveiled its AI Hub, an all-inclusive library of pre-optimized AI models ready for use on devices running on Snapdragon and Qualcomm platforms. These models support a wide range of applications including natural language processing, computer vision, and anomaly detection, and are designed to deliver high performance with minimal power consumption, a critical factor for mobile and edge devices. The AI Hub library currently includes more than 75 popular AI and generative AI models including Whisper, ControlNet, Stable Diffusion, and Baichuan 7B. All models are bundled in various runtimes and are optimized to leverage the Qualcomm AI Engine's hardware acceleration across all cores (NPU, CPU, and GPU). According to Qualcomm, they'll deliver four times faster inferencing times.

The AI Hub also handles model translation from the source framework to popular runtimes automatically. It works directly with the Qualcomm AI Engine direct SDK and applies hardware-aware optimizations. Developers can search for models based on their needs, download them, and integrate them into their applications, saving time and resources. The AI Hub also provides tools and resources for developers to customize these models, and they can fine-tune them using the Qualcomm Neural Processing SDK and the AI Model Efficiency Toolkit, both available on the platform.

Long-time Slashdot reader theodp writes: CACM [Communications of the ACM] Is Now Open Access," proclaims the Association for Computing Machinery (ACM) in its tear-down-this-CACM-paywall announcement. "More than six decades of CACM's renowned research articles, seminal papers, technical reports, commentaries, real-world practice, and news articles are now open to everyone, regardless of whether they are members of ACM or subscribe to the ACM Digital Library."

Ironically, clicking on Google search results for older CACM articles on Aaron Swartz currently returns page-not-found error messages and the CACM's own search can't find Aaron Swarz either, so perhaps there's some work that remains to be done with the transition to CACM's new website. ACM plans to open its entire archive of over 600,000 articles when its five-year transition to full Open Access is complete (January 2026 target date).
"They are right..." the site's editor-in-chief told Slashdot. "We need to get Google to reindex the new site ASAP."

Rust's official survey team released results from their 8th annual survey "focused on gathering insights and feedback from Rust users". In terms of operating systems used by Rustaceans, the situation is very similar to the results from 2022, with Linux being the most popular choice of Rust users [69.7%], followed by macOS [33.5%] and Windows [31.9%], which have a very similar share of usage. Rust programmers target a diverse set of platforms with their Rust programs, even though the most popular target by far is still a Linux machine [85.4%]. We can see a slight uptick in users targeting WebAssembly [27.1%], embedded and mobile platforms, which speaks to the versatility of Rust.

We cannot of course forget the favourite topic of many programmers: which IDE (developer environment) do they use. Visual Studio Code still seems to be the most popular option [61.7%], with RustRover (which was released last year) also gaining some traction [16.4%].
The site ITPro spoke to James Governor, co-founder of the developer-focused analyst firm RedMonk, who said Rust's usage is "steadily increasing", pointing to its adoption among hyperscalers and cloud companies and in new infrastructure projects. "Rust is not crossing over yet as a general-purpose programming language, as Python did when it overtook Java, but it's seeing steady growth in adoption, which we expect to continue. It seems like a sustainable success story at this point."

But InfoWorld writes that "while the use of Rust language by professional programmers continues to grow, Rust users expressed concerns about the language becoming too complex and the low level of Rust usage in the tech industry." Among the 9,374 respondents who shared their main worries for the future of Rust, 43% were most concerned about Rust becoming too complex, a five percentage point increase from 2022; 42% were most concerned about low usage of Rust in the tech industry; and 32% were most concerned about Rust developers and maintainers not being properly supported, a six percentage point increase from 2022. Further, the percentage of respondents who were not at all concerned about the future of Rust fell, from 30% in 2022 to 18% in 2023.

An anonymous reader quotes a report from TechCrunch: A technology company that routes millions of SMS text messages across the world has secured an exposed database that was spilling one-time security codes that may have granted users' access to their Facebook, Google and TikTok accounts. The Asian technology and internet company YX International manufactures cellular networking equipment and provides SMS text message routing services. SMS routing helps to get time-critical text messages to their proper destination across various regional cell networks and providers, such as a user receiving an SMS security code or link for logging in to online services. YX International claims to send 5 million SMS text messages daily. But the technology company left one of its internal databases exposed to the internet without a password, allowing anyone to access the sensitive data inside using only a web browser, just with knowledge of the database's public IP address.

Anurag Sen, a good-faith security researcher and expert in discovering sensitive but inadvertently exposed datasets leaking to the internet, found the database. Sen said it was not apparent who the database belonged to, nor who to report the leak to, so Sen shared details of the exposed database with TechCrunch to help identify its owner and report the security lapse. Sen told TechCrunch that the exposed database included the contents of text messages sent to users, including one-time passcodes and password reset links for some of the world's largest tech and online companies, including Facebook and WhatsApp, Google, TikTok, and others. The database had monthly logs dating back to July 2023 and was growing in size by the minute. In the exposed database, TechCrunch found sets of internal email addresses and corresponding passwords associated with YX International, and alerted the company to the spilling database. The database went offline a short time later.

Stack Overflow has launched an API that will require all AI models trained on its coding question-and-answer content to attribute sources linking back to its posts. And it will cost money to use the site's content. From a report: "All products based on models that consume public Stack Overflow data are required to provide attribution back to the highest relevance posts that influenced the summary given by the model," it confirmed in a statement. The Overflow API is designed to act as a knowledge database to help developers build more accurate and helpful code-generation models. Google announced it was using the service to access relevant information from Stack Overflow via the API and integrate the data with its latest Gemini models, and for its cloud storage console.

Apple is reversing its previous decision to remove support for Home Screen web apps in iOS 17.4 for EU users. Apple's statement: Previously, Apple announced plans to remove the Home Screen web apps capability in the EU as part of our efforts to comply with the DMA. The need to remove the capability was informed by the complex security and privacy concerns associated with web apps to support alternative browser engines that would require building a new integration architecture that does not currently exist in iOS.

We have received requests to continue to offer support for Home Screen web apps in iOS, therefore we will continue to offer the existing Home Screen web apps capability in the EU. This support means Home Screen web apps continue to be built directly on WebKit and its security architecture, and align with the security and privacy model for native apps on iOS.

Developers and users who may have been impacted by the removal of Home Screen web apps in the beta release of iOS in the EU can expect the return of the existing functionality for Home Screen web apps with the availability of iOS 17.4 in early March.

Angie Byron, a long-time member of the Drupal community, offers guidance on avoiding common mistakes and general good-practices for those new to contributing to open-source projects: [...] You might not know it yet, but as a newcomer to an open source project, you have this AMAZING superpower: you are often-times the only one in that whole project capable of reading the documentation through new eyes. Because I can guarantee, the people who wrote that documentation are not new. :-)

So take time to read the docs and file issues (or better yet, pull requests) for anything that was unclear. This lets you get a "feel" for contributing in a project/community without needing to go way down the deep end of learning coding standards and unit tests and commit signing and whatever other bananas things they're about to make you do. :) Also, people are more likely to take time to help you, if you've helped them first!

Jacob Kaplan-Moss, one of the lead developers of Django, writes in a long post that he says has come from a place of frustration: [...] Instead, every time a maintainer finds a way to get paid, people show up to criticize and complain. Non-OSI licenses "don"t count" as open source. Someone employed by Microsoft is "beholden to corporate interests" and not to be trusted. Patreon is "asking for handouts." Raising money through GitHub sponsors is "supporting Microsoft's rent-seeking." VC funding means we're being set up for a "rug pull" or "enshitification." Open Core is "bait and switch."

None of this is hypothetical; each of these examples are actual things I've seen said about maintainers who take money for their work. One maintainer even told me he got criticized for selling t-shirts! Look. There are absolutely problems with every tactic we have to support maintainers. It's true that VC investment comes with strings attached that often lead to problems down the line. It sucks that Patreon or GitHub (and Stripe) take a cut of sponsor money. The additional restrictions imposed by PolyForm or the BSL really do go against the Freedom 0 ideal. I myself am often frustrated by discovering that some key feature I want out of an open core tool is only available to paid licensees.

But you can criticize these systems while still supporting and celebrating the maintainers! Yell at A16Z all you like, I don't care. (Neither do they.) But yelling at a maintainer because they took money from a VC is directing that anger in the wrong direction. The structural and societal problems that make all these different funding models problematic aren't the fault of the people trying to make a living doing open source. It's like yelling at someone for shopping at Dollar General when it's the only store they have access to. Dollar General's predatory business model absolutely sucks, as do the governmental policies that lead to food deserts, but none of that is on the shoulders of the person who needs milk and doesn't have alternatives.

Tontoman shares a report: The White House Office of the National Cyber Director (ONCD) urged tech companies to switch to memory-safe programming languages, such as Rust, to improve software security by reducing the number of memory safety vulnerabilities. Such vulnerabilities are coding errors or weaknesses within software that can lead to memory management issues when memory can be accessed, written, allocated, or deallocated. They occur when software accesses memory in unintended or unsafe ways, resulting in various security risks and issues like buffer overflow, use after free, use of uninitialized memory, and double free that attackers can exploit.

Successful exploitation carries severe risks, potentially enabling threat actors to gain unauthorized access to data or execute malicious code with the privileges of the system owner. "For over 35 years, this same class of vulnerability has vexed the digital ecosystem. The challenge of eliminating entire classes of software vulnerabilities is an urgent and complex problem. Looking forward, new approaches must be taken to mitigate this risk," ONCD's report says. "The highest leverage method to reduce memory safety vulnerabilities is to secure one of the building blocks of cyberspace: the programming language. Using memory safe programming languages can eliminate most memory safety errors."

Apple could soon face an investigation over its decision to discontinue iPhone web apps in the European Union, according to a report from the Financial Times. The Verge: The European Commission has reportedly sent Apple and app developers requests for more information to assist in its evaluation. "We are indeed looking at the compliance packages of all gatekeepers, including Apple," the European Commission said in a statement to the Financial Times. "In that context, we're in particular looking into the issue of progressive web apps, and can confirm sending the requests for information to Apple and to app developers, who can provide useful information for our assessment."

theodp writes: Asked at the recent World Government Summit in Dubai what people should focus on when it comes to education, what should they learn, and how they should educate their kids and their societies, Nvidia CEO Jensen Huang made a counterintuitive break from tech CEOs advising youngsters to learn how to code. Huang argued that, even at this early stage of the AI revolution, programming is no longer a vital skill. With coding taken care of by AI, Huang suggested humans can instead focus on more valuable expertise like biology, education, manufacturing, or farming

From the video: "You probably recall over the course of the last 10 years, 15 years, almost everybody who sits on a stage like this would tell you it is vital that your children learn computer science, everybody should learn how to program, and in fact it's almost exactly the opposite. It is our job to create computing technology such that nobody has to program and that the programming language, it's human, everybody in the world is now a programmer. This is the miracle, this is the miracle of artificial intelligence. For the very first time, we have closed the gap, the technology divide has been completely closed and it's the reason why so many people can engage artificial intelligence. It is the reason why every single government, every single industrial conference, every single company is talking about artificial intelligence today. Because for the very first time you can imagine everybody in your company being a technologist.

"And so, this is a tremendous time for all of you to realize that the technology divide has been closed. Or another way to say it, the technology leadership of other countries has now been reset. The countries, the people that understand how to solve a domain problem in digital biology, or in education of young people, or in manufacturing or in farming, those people who understand domain expertise now can utilize technology that is readily available to you. You now have a computer that will do what you tell it to do to help automate your work, to amplify your productivity, to make you more efficient. And so, I think that this is just a tremendous time. The impact of course is great and your imperative to activate and take advantage of the technology is absolutely immediate. And also to realize that to engage AI is a lot easier now than at any time in the history of computing. It is vital that we upskill everyone and the upskilling process, I believe, will be delightful, surprising, to realize that this computer can perform all these things that you're instructing it to do and doing it so easily."

Huang's words come as tech-backed nonprofit Code.org-- which is lobbying to make CS a high school graduation requirement in all 50 states -- hedges its bets by also including AI usage as part of its mission through its new TeachAI initiative (trademark pending). Interestingly, conspicuous by its absence from the Who's Who of tech giants on the advisory committee for the Code.org staffed-and-operated TeachAI is Nvidia (Nvidia is also missing from the list of Code.org donors). So, is it time to revisit the question of Is AI an Excuse for Not Learning To Code?

Julia 1.0 was released in 2018 — after a six-year wait.

And there's now another update. LWN.net gets you up to speed, calling Julia "a general-purpose, open-source programming language with a focus on high-performance scientific computing." Some of Julia's unusual features:

- Lisp-inspired metaprogramming
- The ability to examine compiled representations of code in the REPL or in a "reactive notebook"
- An advanced type and dispatch system
- A sophisticated, built-in package manager.

Version 1.10 brings big increases in speed and developer convenience, especially improvements in code precompilation and loading times. It also features a new parser written in Julia... [I]t is faster, it produces more useful syntax-error messages, and it provides better source-code mapping, which associates locations in compiled code to their corresponding lines in the source. That last improvement also leads to better error messages and makes it possible to write more sophisticated debuggers and linters...

Between the improvements in precompilation and loading times, and the progress in making small binaries, two major and perennial complaints, of beginners and seasoned Julia users alike, have been addressed... StaticCompiler and related WebAssembly tools will make it easier to write web applications in Julia for direct execution in the browser; it is already possible, but may become more convenient over the next few years.
Thanks for sharing the article to long-time Slashdot reader lee1 — who also wrote No Starch Press's Practical Julia: A Hands-On Introduction for Scientific Minds .

lee1 also reminds us that Gnuplot 6.0 was released in December: lee1 writes: This article surveys the new features, including filled contours in 3D, adaptive plotting resolution, watchpoints, clipping of surfaces, pie charts, and new syntax for conditionals.

Stack Overflow's blog reports on a new programming language called Mariposa.

They call it a "toy" programming language, "created as a way to play around with a novel or odd feature, like variable assignment outside of the normal order of execution — more colloquially, time travel." Computer science has long sought to reason about time in electronic systems, thanks to a consistent interest in concurrency and real-time messaging... Mariposa allows you to manipulate the order of execution by assigning an instant to a variable, then setting the context of that instance. Here's a basic example, taken from the Mariposa readme:

x = 1
t = now()
print(x)
at t:
x = 2

According to the normal order of operations, this code should print "1". But because t is assigned to the instance in the second line, any modifications specified within an at t: block are applied immediately, and this code prints "2"...

While Mariposa caught a fair amount of attention recently, it's not the first implementation of time travel in programming. There is a Haskell package appropriately called tardis, which creates two state transformers: one travels forward in time and one backward. As the docs explain, "The most concise way to explain it is this: getPast retrieves the value from the latest sendFuture, while getFuture retrieves the value from the next sendPast." One function's past is another one's future.
The article explores "the history and future of other programming paradigms" applying logic to time, including interval temporal logic systems as well as "modeling, analysis, and verification languages/tools that allow temporal and state modeling without requiring temporal logic understanding."

Ashley Belanger reports via Ars Technica: Canada-based University of Waterloo is racing to remove M&M-branded smart vending machines from campus after outraged students discovered the machines were covertly collecting facial-recognition data without their consent. The scandal started when a student using the alias SquidKid47 posted an image on Reddit showing a campus vending machine error message, "Invenda.Vending.FacialRecognitionApp.exe," displayed after the machine failed to launch a facial recognition application that nobody expected to be part of the process of using a vending machine. "Hey, so why do the stupid M&M machines have facial recognition?" SquidKid47 pondered. The Reddit post sparked an investigation from a fourth-year student named River Stanley, who was writing for a university publication called MathNEWS. [...]

MathNEWS' investigation tracked down responses from companies responsible for smart vending machines on the University of Waterloo's campus. Adaria Vending Services told MathNEWS that "what's most important to understand is that the machines do not take or store any photos or images, and an individual person cannot be identified using the technology in the machines. The technology acts as a motion sensor that detects faces, so the machine knows when to activate the purchasing interface -- never taking or storing images of customers." According to Adaria and Invenda, students shouldn't worry about data privacy because the vending machines are "fully compliant" with the world's toughest data privacy law, the European Union's General Data Protection Regulation (GDPR). "These machines are fully GDPR compliant and are in use in many facilities across North America," Adaria's statement said. "At the University of Waterloo, Adaria manages last mile fulfillment services -- we handle restocking and logistics for the snack vending machines. Adaria does not collect any data about its users and does not have any access to identify users of these M&M vending machines." [...]

But University of Waterloo students like Stanley now question Invenda's "commitment to transparency" in North American markets, especially since the company is seemingly openly violating Canadian privacy law, Stanley told CTV News. On Reddit, while some students joked that SquidKid47's face "crashed" the machine, others asked if "any pre-law students wanna start up a class-action lawsuit?" One commenter summed up students' frustration by typing in all caps, "I HATE THESE MACHINES! I HATE THESE MACHINES! I HATE THESE MACHINES!"

Tech companies are famous for coddling their workers, but after mass layoffs the industry's culture has shifted. Engineers say that getting hired can require days of work on unpaid assignments. From a report: Nearly a dozen engineers, hiring managers, and entrepreneurs who spoke with WIRED describe an environment in which technical job applicants are being put through the wringer. Take-home coding tests used to be rare, deployed only if an employer needed to be further convinced. Now interviewees are regularly given projects described as requiring just two to three hours that instead take days of work.

Live-coding exercises are also more intense, industry insiders say. One job seeker described an experience where an engineering manager said during an interview, "OK, we're going to build a To Do List app right now," a process that might normally take weeks.

Emails reviewed by WIRED showed that in one interview for an engineering role at Netflix, a technical recruiter requested that a job candidate submit a three-page project evaluation within 48 hours -- all before the first round of interviews. A Netflix spokesperson said the process is different for each role and otherwise declined to comment. A similar email at Snap outlined a six-part interview process for a potential engineering candidate, with each part lasting an hour. A company spokesperson says its interview process hasn't changed as a result of labor market changes.

Jennifer Ouellette reports via Ars Technica: Famed naturalist Charles Darwin amassed an impressive personal library over the course of his life, much of which was preserved and cataloged upon his death in 1882. But many other items were lost, including more ephemeral items like unbound volumes, pamphlets, journals, clippings, and so forth, often only vaguely referenced in Darwin's own records. For the last 18 years, the Darwin Online project has painstakingly scoured all manner of archival records to reassemble a complete catalog of Darwin's personal library virtually. The project released its complete 300-page online catalog -- consisting of 7,400 titles across 13,000 volumes, with links to electronic copies of the works -- to mark Darwin's 215th birthday on February 12.

"This unprecedentedly detailed view of Darwin's complete library allows one to appreciate more than ever that he was not an isolated figure working alone but an expert of his time building on the sophisticated science and studies and other knowledge of thousands of people," project leader John van Wyhe of the National University of Singapore said. "Indeed, the size and range of works in the library makes manifest the extraordinary extent of Darwin's research into the work of others."