AI

Lawsuit Accusing Copilot of Abusing Open-Source Code Challenged by GitHub, Microsoft, OpenAI (reuters.com) 60

GitHub, Microsoft, and OpenAI "told a San Francisco federal court that a proposed class-action lawsuit for improperly monetizing open-source code to train their AI systems cannot be sustained," reports Reuters: The companies said in Thursday court filings that the complaint, filed by a group of anonymous copyright owners, did not outline their allegations specifically enough and that GitHub's Copilot system, which suggests lines of code for programmers, made fair use of the source code. A spokesperson for GitHub, an online platform for housing code, said Friday that the company has "been committed to innovating responsibly with Copilot from the start" and that its motion is "a testament to our belief in the work we've done to achieve that...."

Microsoft and OpenAI said Thursday that the plaintiffs lacked standing to bring the case because they failed to argue they suffered specific injuries from the companies' actions. The companies also said the lawsuit did not identify particular copyrighted works they misused or contracts that they breached.

Microsoft also said in its filing that the copyright allegations would "run headlong into the doctrine of fair use," which allows the unlicensed use of copyrighted works in some situations. The companies both cited a 2021 U.S. Supreme Court decision that Google's use of Oracle source code to build its Android operating system was transformative fair use.

Slashdot reader guest reader shares this excerpt from the plaintiffs' complaint: GitHub and OpenAI have offered shifting accounts of the source and amount of the code or other data used to train and operate Copilot. They have also offered shifting justifications for why a commercial AI product like Copilot should be exempt from these license requirements, often citing "fair use."

It is not fair, permitted, or justified. On the contrary, Copilot's goal is to replace a huge swath of open source by taking it and keeping it inside a GitHub-controlled paywall. It violates the licenses that open-source programmers chose and monetizes their code despite GitHub's pledge never to do so.

Programming

Extensions are Easily Impersonated in Microsoft's VSCode Marketplace, Researchers Say (infoworld.com) 28

74.48% of developers use Microsoft's Visual Studio Code, according to one survey conducted by StackOverflow. And besides GitHub Copilot, there are over 40,000 other extensions in the VSCode Marketplace.

Unfortunately, InfoWorld reports, "Researchers at Aqua Nautilus say they have found that attackers could easily impersonate popular extensions and trick unknowing developers into downloading them." It can be challenging to distinguish between malicious and benign extensions, and the lack of sandbox capabilities means that extensions could install ransomware, wipers, and other malicious code, Aqua security researcher Ilay Goldman wrote in a January 6 blog post. ["In fact, it can access and even alter all the code that you have locally and even use your SSH key to change the code in all your organization's repositories."] VS Code extensions, which provide capabilities ranging from Python language support to JSON file editing, can be downloaded from Microsoft's Visual Studio Code Marketplace.

Aqua Nautilus uploaded an extension masquerading as the Prettier code formatter and saw more than 1,000 installs in less than 48 hours, from around the world. The spoof extension has been removed.

Goldman noted that the Visual Studio Code Marketplace runs a virus scan for each new extension and subsequent updates, and removes malicious extensions when it finds them. Users can report suspicious-looking extensions via a Report Abuse link.

"While the media is full of stories about malicious packages that have been uploaded to popular package managers such as NPM and PyPI, there is very little information about malicious VSCode extension," the blog post notes. Yet it points out that a blue checkmark on a VSCode extension "merely means that whoever the publisher is has proven the ownership of a domain. That means any domain."

And even Microsoft acknowledged to InfoWorld that social engineering techniques have been used to persuade victims to download malicious extensions — though they point out that Microsoft confirms that each extension has a Marketplace certificate and verifiable signature before being installed. "To help make informed decisions, we recommend consumers review information, such as domain verification, ratings and feedback to prevent unwanted downloads."
Programming

Rust Safety Is Not Superior To C++, Bjarne Stroustrup Says (open-std.org) 220

guest reader writes: The Open Standards site contains a new paper from Bjarne Stroustrup titled A call to action: Think seriously about "safety"; then do something sensible about it.

Bjarne reacts to an NSA report about Software Memory Safety since the report excludes C and C++ as unsafe. Bjarne does not consider any of the report's choices for "safe" languages as superior to C++ for the range of uses he cares about.

From Bjarne's response: I have worked for decades to make it possible to write better, safer, and more efficient C++. In particular, the work on the C++ Core Guidelines specifically aims at delivering statically guaranteed type-safe and resource-safe C++ for people who need that without disrupting code bases that can manage without such strong guarantees or introducing additional tool chains. For example, the Microsoft Visual Studio analyzer and its memory-safety profile deliver much of the CG support today and any good static analyzer (e.g., Clang tidy, that has some CG support) could be made to completely deliver those guarantees at a fraction of the cost of a change to a variety of novel "safe" languages.
Bjarne also complains that in the NSA's document, "'safe' is limited to memory safety, leaving out on the order of a dozen other ways that a language could (and will) be used to violate some form of safety and security." There is not just one definition of "safety", and we can achieve a variety of kinds of safety through a combination of programming styles, support libraries, and enforcement through static analysis.... I envision compiler options and code annotations for requesting rules to be enforced. The most obvious would be to request guaranteed full type-and-resource safety.
Bjarne notes that if you work in application domains which prioritize performance over type safety, you could "apply the safety guarantees only where required and use your favorite tuning techniques where needed." Partial adoption of some of the rules (e.g., rules for range checking and initialization) is likely to be important. Gradual adoption of safety rules and adoption of differing safety rules will be important. If for no other reason than the billions of lines of C++ code will not magically disappear, and even "safe" code (in any language) will have to call traditional C or C++ code or be called by traditional code that does not offer specific safety guarantees.

Ignoring the safety issues would hurt large sections of the C++ community and undermine much of the other work we are doing to improve C++.

The article also contains the following references for consideration:
- Design Alternatives for Type-and-Resource Safe C++.
- Type-and-resource safety in modern C++.
- A brief introduction to C++'s model for type- and resource-safety.
- C++ Core Guidelines, safety profiles.
Oracle

Six Years Later, HPE and Oracle Quietly Shut Door On Solaris Lawsuit (theregister.com) 10

HPE and Oracle have settled their long-running legal case over alleged copyright infringement regarding Solaris software updates for HPE customers, but it looks like the nature of the settlement is going to remain under wraps. The Register reports: The pair this week informed [PDF] the judge overseeing the case that they'd reached a mutual settlement and asked for the case to be dismissed "with prejudice" -- ie, permanently. The settlement agreement is confidential, and its terms won't be made public. The case goes back to at least 2016, when Oracle filed a lawsuit against HPE over the rights to support the Solaris operating system. HPE and a third company, software support outfit Terix, were accused of offering Solaris support for customers while the latter was not an authorized Oracle partner.

Big Red's complaint claimed HPE had falsely represented to customers that it and Terix could lawfully provide Solaris Updates and other support services at a lower cost than Oracle, and that the two had worked together to provide customers with access to such updates. The suit against HPE was thrown out of court in 2019, but revived in 2021 when a judge denied HPE's motion for a summary judgement in the case. Terix settled its case in 2015 for roughly $58 million. Last year, the case went to court and in June a jury found HPE guilty of providing customers with Solaris software updates without Oracle's permission, awarding the latter $30 million for copyright infringement.

But that wasn't the end of the matter, because HPE was back a couple of months later to appeal the verdict, claiming the complaint by Oracle that it had directly infringed copyrights with regard to Solaris were not backed by sufficient evidence. This hinged on HPE claiming that Oracle had failed to prove that any of the patches and updates in question were actually protected by copyright, but also that Oracle could not prove HPE had any control over Terix in its purported infringement activities. Oracle for its part filed a motion asking the court for a permanent injunction against HPE to prevent it copying or distributing the Solaris software, firmware or support materials, except as allowed by Oracle. Now it appears that the two companies have come to some mutually acceptable out-of-court arrangement, as often happens in acrimonious and long-running legal disputes.

Technology

Game Devs Remain Skeptical About Metaverse and Blockchain Projects (venturebeat.com) 38

Game developers are more skeptical of metaverse and blockchain projects, according to a new survey by the Game Developers Conference. From a report: "So much happened during 2022 for ups and downs, and I know crypto had a lot of issues mid year as well," said Alissa McAloon, publisher of Gamedeveloper.com, in an interview with GamesBeat. She noted it's not surprising to see the hype die down. In that respect, the skeptical view of the metaverse and blockchain is not so different from the view of virtual reality, after skepticism set in after a few years of hype. "A lot of developing technologies have ebbs and flows and then we see where things settle after the fact. VR is a good indicator of that," McAloon said.

McAloon helped figure out the questions for this year's survey to make sure that the report zeroed in on key questions. She said some of the questions were open-ended so that developers could offer more nuanced answers. She said that blockchain technology appeared to be highlighted as having some use, but exactly what that is isn't clear. Developers pointed to Fortnite as likely metaverse winner, though many remain skeptical that there will be a metaverse at all. [...] When asked which company is best positioned to deliver on the promise of the metaverse, Epic Games/Fortnite earned 14% of the vote, the highest of any individual company.

Next was Meta/Horizon Worlds and Microsoft/Minecraft (at 7% each), Roblox (5%) and Google and Apple (3% each), with VRChat and Nvidia also receiving some mentions. However, developers remain wary. Nearly half (45%) of respondents didn't select any companies/ platforms, instead stating that the metaverse concept will never deliver on its promise. This number is up from 33% in 2022, with many of the responses from this year specifically citing the unclear definition of the concept, the lack of substantial interactivity and the high cost of hardware (VR headsets in particular) as barriers towards sustainable metaverse experiences.

Microsoft

Microsoft Starts Testing Tabs In Notepad (thurrott.com) 72

Microsoft has started testing Tabs in Notepad with Windows Insiders on the Dev Channel today. Thurrott reports: The update to the Notepad will start rolling out to all Dev Channel testers today alongside the new Windows 11 preview build 25281, which brings a couple of other changes. Tabs in Notepad was "a top requested feature from the community," the Windows Insider team emphasized today. The app now supports dragging a tab out into a separate window, and a new setting also lets users choose whether files should open in a new tab or a new window by default.

"There are also new keyboard shortcut keys to support managing tabs as well as some improvements to managing unsaved files, like automatically generating the file name/tab title based on content and a refreshed unsaved changes indicator," the Windows Insider team explained. Microsoft is still working to fix issues causing some keyboard shortcuts to not work as expected, and performance will also remain a priority for the team.

Education

Tech-Backed Code.org Bringing BBC Micro:bit To US K-5 Classrooms 21

theodp writes: On Tuesday, the Micro:bit Educational Foundation, a UK-based education non-profit "on a mission to inspire all children to achieve their best digital future," announced a partnership with US-based and tech giant-backed nonprofit Code.org to offer teachers computing resources to complement use of the handheld BBC micro:bit physical computing device as an extension to the Code.org CS Fundamentals curriculum, which is aimed at introducing Computer Science to children in Kindergarten-5th Grade.

"Physical computing is a great way to engage students in computer science, and I'm excited that Code.org is expanding its offerings in this maker education space," said Code.org CEO Hadi Partovi. "We're delighted to partner with micro:bit to provide physical computing extensions to our existing courses." Micro:bit Educational Foundation CEO Gareth Stockdale added, "Growing a diverse pipeline of tech talent who contribute to the creation of better technology in the world begins in the classroom. We are invested in excellence in computer science education for younger students and are excited by the size of the impact we can create together with Code.org to bring the benefits of physical computing to young learners."

Back in 2015, Microsoft -- a Founding Partner of both the Micro:bit Educational Foundation and Code.org -- partnered with the BBC to provide an estimated 1 million free BBC micro:bits to every 11 or 12 year old in the UK. "The chance to influence the lives of a million children does not come often," Microsoft Research wrote in a 2016 paper explaining the efforts to get the micro:bit into the hands of UK schoolchildren and make it part of the CS curriculum. The paper also cited Code.org and the UK's Computing at School (a Micro:bit Educational Foundation partner that was "born at Microsoft Research Cambridge") as "two significant success at the coding level" of "scaling out an initiative to influence an entire country of students, or even globally."
IBM

IBM Shifts Remaining US-Based AIX Dev Jobs To India 77

According to The Register, IBM has shifted the roles of US IBM Systems employees developing AIX over to the Indian office. From the report: Prior to this transition, said to have taken place in the third quarter of 2022, AIX development was split more or less evenly between the US and India, an IBM source told The Register. With the arrival of 2023, the entire group had been moved to India. Roughly 80 US-based AIX developers were affected, our source estimates. We're told they were "redeployed," and given an indeterminate amount of time to find a new position internally, in keeping with practices we reported last week based on claims by other IBM employees.

Evidently, the majority of those redeployed found jobs elsewhere at IBM. A lesser number of staff are evidently stuck in "redeployment limbo," with no IBM job identified and no evident prospects at the company. "It also appears that these people in 'redeployment' limbo within IBM are all older, retirement eligible employees," our source said. "The general sense among my peers is that redeployment is being used to nudge older employees out of the company and to do so in a manner that avoids the type of scrutiny that comes with layoffs."

Layoffs generally come with a severance payment and may have reporting requirements. Redeployments -- directing workers to find another internal position, which may require relocating -- can avoid cost and bureaucracy. They also have the potential to encourage workers to depart on their own. We're told that IBM does not disclose redeployment numbers to its employees and does not report how internal jobs were obtained -- through internal search, with the assistance of management -- or were not obtained -- employees left in limbo or who choose to leave rather than wait.
Python

JavaScript, Java, and Python are Most In-Demand Skills, Survey Finds (infoworld.com) 82

InfoWorld reports: JavaScript, Java, and Python skills are most in-demand by recruiters, according to a report published this week by tech hiring platforms CodinGame and CoderPad. But while the supply of those skills exceeds demand, the demand for TypeScript, Swift, Scala, Kotlin, and Go skills all exceed supply.

The State of Tech Hiring in 2023, a CodinGame-CoderPad report published January 10, draws on a survey of 14,000 professionals and offers insights into what 2023 may hold for tech industry recruiters and job seekers. The demand for JavaScript, Java, and Python skills is consistent with previous years, the report notes.

Among development frameworks, Node.js, React, and .NET Core proved to be the best-known and most in-demand.

InfoWorld summarizes some other interesting findings:
  • "59% of developers do not have a university degree in computer science. Nearly one-third consider themselves primarily self-taught."
  • "Developers' main challenges at work include unplanned changes to their schedule, unclear direction, and a lack of technical knowledge by team members."
  • "Most teams are now hybrid between remote and on-site work. Only 15% work onsite 100% of the time."

AI

GitHub Copilot Labs Add Photoshop-Style 'Brushes' for ML-Powered Code Modifying (githubnext.com) 56

"Can editing code feel more tactile, like painting with Photoshop brushes?"

Researchers at GitHub Next asked that question this week — and then supplied the answer. "We added a toolbox of brushes to our Copilot Labs Visual Studio Code extension that can modify your code.... Just select a few lines, choose your brush, and see your code update."

The tool's web page includes interactive before-and-after examples demonstrating:
  • Add Types brush
  • Fix Bugs brush
  • Add Debugging Statements brush
  • Make More Readable brush

And last month Microsoft's principal program manager for browser tools shared an animated GIF showing all the brushes in action.

"In the future, we're interested in adding more useful brushes, as well as letting developers store their own custom brushes," adds this week's announcement. "As we explore enhancing developers' workflows with Machine Learning, we're focused on how to empower developers, instead of automating them. This was one of many explorations we have in the works along those lines."

It's ultimately grafting an incredibly easy interface onto "ML-powered code modification", writes Visual Studio Magazine, noting that "The bug-fixing brush, for example can fix a simple typo, changing a variable name from the incorrect 'low' to the correct 'lo'....

"All of the above brushes and a few others have been added to the Copilot Labs brushes toolbox, which is available for anyone with a GitHub Copilot license, costing $10 per month or $100 per year.... At the time of this writing, the extension has been installed 131,369 times, earning a perfect 5.0 rating from six reviewers."


Apple

App Store Developers Have Earned $320 Billion To Date, Says Apple (techcrunch.com) 43

Apple today shared an update on its subscription businesses and global App Store, noting that the tech company has now paid out a record $320 billion to app developers since 2008 -- a number that reflects the revenue apps have generated, minus Apple's commission. From a report: In addition, the tech giant said it now has more than 900 million paid subscriptions across Apple services, with subscriptions on the App Store driving a "significant" part of that figure. [...] The company noted that more than 650 million visitors from 175 regions worldwide visit the App Store every week and it's still delivering new experiences. Among the highlights was the launch of Apex Legends on mobile earlier this year, and the growing popularity of a new form of social networking with BeReal, Apple's "app of the year."
Software

MSI Intends 'To Continue With Afterburner' Overclocking App Despite Not Paying Its Russian Dev (pcgamer.com) 52

Jacob Ridley writes via PC Gamer: MSI Afterburner is an app used the world over for graphics card monitoring, overclocking, and undervolting. It's become pretty synonymous with general GPU tinkering, yet the app's developer has suggested it might not have long left to live in a forum post earlier this month. MSI disagrees, telling us "we fully intend to continue with MSI Afterburner." MSI Afterburner is developed by Alexey 'Unwinder' Nicolaychuk, a Russian national who has kept the overclocking app functioning over many years. Nicolaychuk is also responsible for the development of RivaTuner Statistics Server, which is part of the foundational software layer powering Afterburner. In a post on the Guru3D forums (via TechPowerUp), Nicolaychuk suggests that Afterburner's development has been "semi-abandoned." "...MSI afterburner project is probably dead," Nicolaychuk says.

"War and politics are the reasons. I didn't mention it in MSI Afterburner development news thread, but the project is semi abandoned by company during quite a long time already. Actually we're approaching the one year mark since the day when MSI stopped performing their obligations under Afterburner license agreement due to 'politic [sic] situation'." Nicolaychuk says development of the app has continued over the past 11 months, but that may also be ending soon. "I tried to continue performing my obligations and worked on the project on my own during the last 11 months, but it resulted in nothing but disappointment; I have a feeling that I'm just beating a dead horse and waste energy on something that is no longer needed by company. "Anyway I'll try to continue supporting it myself while I have some free time, but will probably need to drop it and switch to something else, allowing me to pay my bills."

Development of the RivaTuner Statistics Server -- software that is pivotal to many of the functions of Afterburner -- is materially separate from Afterburner and will continue, Nicolaychuk notes. Nicolaychuk suggests the issue comes down to Russia's invasion of Ukraine, and we've since confirmed with MSI that this is the case. MSI has stated to PC Gamer that the payments were halted due to the ongoing war in Ukraine, saying: "payments had been put on hold due to the RU/UA war and the economic regulations that entailed." [...] On this being the end for Afterburner, MSI disagrees. "We fully intend to continue with MSI Afterburner," MSI tells PC Gamer. "MSI have been working on a solution and expect it to be resolved soon."

Programming

TIOBE Calculates C++, C, and Python Rose the Most in Popularity in 2022 (infoworld.com) 84

"The Tiobe index gauges language popularity using a formula that assesses searches on programming languages in Google, Bing, Yahoo, Wikipedia, and other search engines," writes InfoWorld. And they add that this year the "vaunted" C++ programming language was the index's biggest gainer in 2022.

TIOBE's announcement includes their calculation that C++ rose 4.62% in popularity in 2022: Runners up are C (+3.82%) and Python (+2.78%). Interestingly, C++ surpassed Java to become the number 3 of the TIOBE index in November 2022. The reason for C++'s popularity is its excellent performance while being a high level object-oriented language. Because of this, it is possible to develop fast and vast software systems (over millions of lines of code) in C++ without necessarily ending up in a maintenance nightmare.
So which programming languages are most popular now? For what it's worth, here's TIOBE's latest ranking:


1. Python
2. C
3. C++
4. Java
5. C#
6. Visual Basic
7. JavaScript
8. SQL
9. Assembly Language
10. PHP


InfoWorld adds that "Helping C++ popularity was the publication of new language standards with interesting features, such as C++ 11 and C++ 20."

More from TIOBE: What else happened in 2022? Performance seemed to be important. C++ competitor Rust entered the top 20 again (being at position #26 one year ago), but this time it seems to be for real. Lua, which is known for its easy interfacing with C, jumped from position #30 to #24. F# is another language that made an interesting move: from position #74 to position #33 in one year's time. Promising languages such as Kotlin (from #29 to #25), Julia (from #28 to #29) and Dart (from #37 to #38) still have a long way to go before they reach the top 20. Let's see what happens in 2023.
Encryption

Amazon S3 Will Now Encrypt All New Data With AES-256 By Default 27

Amazon Simple Storage Service (S3) will now automatically encrypt all new objects added on buckets on the server side, using AES-256 by default. BleepingComputer reports: While the server-side encryption system has been available on AWS for over a decade, the tech giant has enabled it by default to bolster security. Administrators will not have to take any actions for the new encryption system to affect their buckets, and Amazon promises it won't have any negative performance impact. Administrators may leave the system to encrypt at the default 256-bit AES or choose one of the alternative methods, namely SSE-C or SSE-KMS.

The first option (SSE-C) gives bucket owners control of the keys, while the second (SSE-KMS) lets Amazon do the key management. However, bucket owners can set different permissions for each KMS key to maintain more granular control over the asset access system. To confirm that the changes have been applied to your buckets, admins can configure CloudTrail to log data events at no extra cost. Then perform a test object upload, and look in the event logs for the "SSEApplied": "Default_SSE_S3" field in the log for the uploaded file. To retroactively encrypt objects already in S3 buckets, follow this official guide.
"This change puts another security best practice into effect automatically -- with no impact on performance and no action required on your side," reads Amazon's announcement.

"S3 buckets that do not use default encryption will now automatically apply SSE-S3 as the default setting. Existing buckets currently using S3 default encryption will not change."
AI

Analyst Mocks the Idea That It's 'The End of Programming' Again (zdnet.com) 97

January's Communications of the ACM includes an essay predicting "the end of programming," in an AI-powered future where "programming will be obsolete."

But IT analyst and ZDNet contributor Joe McKendrick remains skeptical, judging by a new essay sardonically titled "It's the end of programming as we know it — again." Over the past few decades, various movements, paradigms, or technology surges — whatever you want to call them — have roiled the software world, promising either to hand a lot of programming grunt work to end users, or automate more of the process. CASE tools, 4GL, object-oriented programming, service oriented architecture, microservices, cloud services, Platform as a Service, serverless computing, low-code, and no-code all have theoretically taken the onerous burdens out of software development. And, potentially, threaten the job security of developers.

Yet, here we are. Software developers are busier than ever, with demand for skills only increasing.

"I remember when the cloud first started becoming popular and companies were migrating to Office 365, everyone was saying that IT Pros will soon have no job," says Vlad Catrinescu, author at Pluralsight. "Guess what — we're still here and busier than ever."

The question is how developers' job will ultimately evolve. There is the possibility that artificial intelligence, applied to application development and maintenance, may finally make low-level coding a thing of the past.... Catrinescu believes that the emerging generation of automated or low-code development solutions actually "empowers IT professionals and developers to work on more challenging applications. IT departments can focus on enterprise applications and building complicated apps and automations that will add a lot of value to the enterprise."

Even the man predicting "the end of programming" in an AI-powered future also envisions new technology that "potentially opens up computing to almost anyone" (in ACM's video interview). But in ZDNet's article Jared Ficklin, chief creative technologist and co-founder of argodesign, even predicts the possibility of real-time computing.

"You could imagine asking Alexa to make you an app to help organize your kitchen. AI would recognize the features, pick the correct patterns and in real time, over the air deliver an application to your mobile phone or maybe into your wearable mobile computer."
AI

AI-Powered Software Delivery Company Predicts 'The End of Programming' (acm.org) 150

Matt Welsh is the CEO and co-founder of Fixie.ai, an AI-powered software delivery company founded by a team from Google and Apple. "I believe the conventional idea of 'writing a program' is headed for extinction," he opines in January's Communications of the ACM, "and indeed, for all but very specialized applications, most software, as we know it, will be replaced by AI systems that are trained rather than programmed."

His essay is titled "The End of Programming," and predicts a future where "Programming will be obsolete." In situations where one needs a "simple" program (after all, not everything should require a model of hundreds of billions of parameters running on a cluster of GPUs), those programs will, themselves, be generated by an AI rather than coded by hand.... with humans relegated to, at best, a supervisory role.... I am not just talking about things like Github's CoPilot replacing programmers. I am talking about replacing the entire concept of writing programs with training models. In the future, CS students are not going to need to learn such mundane skills as how to add a node to a binary tree or code in C++. That kind of education will be antiquated, like teaching engineering students how to use a slide rule.

The engineers of the future will, in a few keystrokes, fire up an instance of a four-quintillion-parameter model that already encodes the full extent of human knowledge (and then some), ready to be given any task required of the machine. The bulk of the intellectual work of getting the machine to do what one wants will be about coming up with the right examples, the right training data, and the right ways to evaluate the training process. Suitably powerful models capable of generalizing via few-shot learning will require only a few good examples of the task to be performed. Massive, human-curated datasets will no longer be necessary in most cases, and most people "training" an AI model will not be running gradient descent loops in PyTorch, or anything like it. They will be teaching by example, and the machine will do the rest.

In this new computer science — if we even call it computer science at all — the machines will be so powerful and already know how to do so many things that the field will look like less of an engineering endeavor and more of an educational one; that is, how to best educate the machine, not unlike the science of how to best educate children in school. Unlike (human) children, though, these AI systems will be flying our airplanes, running our power grids, and possibly even governing entire countries. I would argue that the vast majority of Classical CS becomes irrelevant when our focus turns to teaching intelligent machines rather than directly programming them. Programming, in the conventional sense, will in fact be dead....

We are rapidly moving toward a world where the fundamental building blocks of computation are temperamental, mysterious, adaptive agents.... This shift in the underlying definition of computing presents a huge opportunity, and plenty of huge risks. Yet I think it is time to accept that this is a very likely future, and evolve our thinking accordingly, rather than just sit here waiting for the meteor to hit.

"I think the debate right now is primarily around the extent to which these AI models are going to revolutionize the field," Welsh says in a video interview. "It's more a question of degree rather than whether it's going to happen....

"I think we're going to change from a world in which people are primarily writing programs by hand to a world in which we're teaching AI models how to do things that we want them to do... It starts to feel more like a field that focuses on AI education and maybe even AI psychiatry. In order to solve these problems, you can't just assume that people are going to be writing the code by hand."
Programming

MIT's Newest fMRI Study: 'This is Your Brain on Code' (mit.edu) 9

Remember when MIT researchers did fMRI brain scans measuring the blood flow through brains to determine which parts were engaged when programmers evaluated code? MIT now says that a new paper (by many of the same authors) delves even deeper: Whereas the previous study looked at 20 to 30 people to determine which brain systems, on average, are relied upon to comprehend code, the new research looks at the brain activity of individual programmers as they process specific elements of a computer program. Suppose, for instance, that there's a one-line piece of code that involves word manipulation and a separate piece of code that entails a mathematical operation. "Can I go from the activity we see in the brains, the actual brain signals, to try to reverse-engineer and figure out what, specifically, the programmer was looking at?" asks Shashank Srikant, a PhD student in MIT's Computer Science and Artificial Intelligence Laboratory (CSAIL). "This would reveal what information pertaining to programs is uniquely encoded in our brains." To neuroscientists, he notes, a physical property is considered "encoded" if they can infer that property by looking at someone's brain signals.

Take, for instance, a loop — an instruction within a program to repeat a specific operation until the desired result is achieved — or a branch, a different type of programming instruction that can cause the computer to switch from one operation to another. Based on the patterns of brain activity that were observed, the group could tell whether someone was evaluating a piece of code involving a loop or a branch. The researchers could also tell whether the code related to words or mathematical symbols, and whether someone was reading actual code or merely a written description of that code....

The team carried out a second set of experiments, which incorporated machine learning models called neural networks that were specifically trained on computer programs. These models have been successful, in recent years, in helping programmers complete pieces of code. What the group wanted to find out was whether the brain signals seen in their study when participants were examining pieces of code resembled the patterns of activation observed when neural networks analyzed the same piece of code. And the answer they arrived at was a qualified yes. "If you put a piece of code into the neural network, it produces a list of numbers that tells you, in some way, what the program is all about," Srikant says. Brain scans of people studying computer programs similarly produce a list of numbers. When a program is dominated by branching, for example, "you see a distinct pattern of brain activity," he adds, "and you see a similar pattern when the machine learning model tries to understand that same snippet."

But where will it all lead? They don't yet know what these recently-gleaned insights can tell us about how people carry out more elaborate plans in the real world.... Creating models of code composition, says O'Reilly, a principal research scientist at CSAIL, "is beyond our grasp at the moment." Lipkin, a BCS PhD student, considers this the next logical step — figuring out how to "combine simple operations to build complex programs and use those strategies to effectively address general reasoning tasks." He further believes that some of the progress toward that goal achieved by the team so far owes to its interdisciplinary makeup. "We were able to draw from individual experiences with program analysis and neural signal processing, as well as combined work on machine learning and natural language processing," Lipkin says. "These types of collaborations are becoming increasingly common as neuro- and computer scientists join forces on the quest towards understanding and building general intelligence."
Stats

Systemd's Growth Over 2022 (phoronix.com) 236

Phoronix checks systemd's Git activity in 2022 (and compares it to previous years): If measuring an open-source project's progress by the commit activity per year, while not the most practical indicator, systemd had a very good year. In 2022 there were 6,271 commits which is under 2021's all-time-high of 6,787 commits. But this year's activity count effectively ties 2018 for second place with the most commits in a given calendar year.

This year saw 201k lines of new code added to systemd and 110k lines removed, or just under one hundred thousand lines added in total to systemd in 2022....

Systemd continues to grow and is closing out 2022 at around 1,715,111 lines within its Git repository.

Also interesting: "[W]hen it comes to the most commits overall to systemd over its history, Lennart Poettering easily wins the race and there is no competition. As a reminder, this year Lennart joined Microsoft as one of the surprises for 2022."
Programming

Code-Generating AI Can Introduce Security Vulnerabilities, Study Finds (techcrunch.com) 37

An anonymous reader quotes a report from TechCrunch: A recent study finds that software engineers who use code-generating AI systems are more likely to cause security vulnerabilities in the apps they develop. The paper, co-authored by a team of researchers affiliated with Stanford, highlights the potential pitfalls of code-generating systems as vendors like GitHub start marketing them in earnest. The Stanford study looked specifically at Codex, the AI code-generating system developed by San Francisco-based research lab OpenAI. (Codex powers Copilot.) The researchers recruited 47 developers -- ranging from undergraduate students to industry professionals with decades of programming experience -- to use Codex to complete security-related problems across programming languages including Python, JavaScript and C.

Codex was trained on billions of lines of public code to suggest additional lines of code and functions given the context of existing code. The system surfaces a programming approach or solution in response to a description of what a developer wants to accomplish (e.g. "Say hello world"), drawing on both its knowledge base and the current context. According to the researchers, the study participants who had access to Codex were more likely to write incorrect and "insecure" (in the cybersecurity sense) solutions to programming problems compared to a control group. Even more concerningly, they were more likely to say that their insecure answers were secure compared to the people in the control.

Megha Srivastava, a postgraduate student at Stanford and the second co-author on the study, stressed that the findings aren't a complete condemnation of Codex and other code-generating systems. The study participants didn't have security expertise that might've enabled them to better spot code vulnerabilities, for one. That aside, Srivastava believes that code-generating systems are reliably helpful for tasks that aren't high risk, like exploratory research code, and could with fine-tuning improve in their coding suggestions. "Companies that develop their own [systems], perhaps further trained on their in-house source code, may be better off as the model may be encouraged to generate outputs more in-line with their coding and security practices," Srivastava said.
The co-authors suggest vendors use a mechanism to "refine" users' prompts to be more secure -- "akin to a supervisor looking over and revising rough drafts of code," reports TechCrunch. "They also suggest that developers of cryptography libraries ensure their default settings are secure, as code-generating systems tend to stick to default values that aren't always free of exploits."
Programming

Archer Maclean, Commodore 64 Developer, Dies At 60 (gamedeveloper.com) 22

Game developer Archer Maclean recently passed away at the age of 60. Maclean was a longtime programmer and designer best known for Dropzone on the Atari 8-bit and Commodore 64. Game Developer reports: Born January 28, 1962, Maclean's first game was the aforementioned Dropzone. Following the success of that title, he would go on to do design and graphics for 1986's International Karate (and its 1987 sequel, International Karate+), and several snooker simulation games, including Archer Maclean Presents Pool Paradise. Several of these titles were developed at Awesome Studios, a subsidiary of the now defunct Ignition Entertainment. Maclean co-founded Awesome in 2002, and later left the developer in 2005. He went on to found Awesome Play, creators of the 2009 Nintendo Wii title Speedzone (or Wheelspin in Europe). Though Speedzone marked the end of his time as a game developer, Maclean also wrote columns for Retro Gamer Magazine.
