The Military

DARPA Is Worried About How Well Open-Source Code Can Be Trusted (technologyreview.com) 85

An anonymous reader quotes a report from MIT Technology Review: "People are realizing now: wait a minute, literally everything we do is underpinned by Linux," says Dave Aitel, a cybersecurity researcher and former NSA computer security scientist. "This is a core technology to our society. Not understanding kernel security means we can't secure critical infrastructure." Now DARPA, the US military's research arm, wants to understand the collision of code and community that makes these open-source projects work, in order to better understand the risks they face. The goal is to be able to effectively recognize malicious actors and prevent them from disrupting or corrupting crucially important open-source code before it's too late. DARPA's "SocialCyber" program is an 18-month-long, multimillion-dollar project that will combine sociology with recent technological advances in artificial intelligence to map, understand, and protect these massive open-source communities and the code they create. It's different from most previous research because it combines automated analysis of both the code and the social dimensions of open-source software.

Here's how the SocialCyber program works. DARPA has contracted with multiple teams of what it calls "performers," including small, boutique cybersecurity research shops with deep technical chops. One such performer is New York-based Margin Research, which has put together a team of well-respected researchers for the task. Margin Research is focused on the Linux kernel in part because it's so big and critical that succeeding here, at this scale, means you can make it anywhere else. The plan is to analyze both the code and the community in order to visualize and finally understand the whole ecosystem.

Margin's work maps out who is working on what specific parts of open-source projects. For example, Huawei is currently the biggest contributor to the Linux kernel. Another contributor works for Positive Technologies, a Russian cybersecurity firm that -- like Huawei -- has been sanctioned by the US government, says Aitel. Margin has also mapped code written by NSA employees, many of whom participate in different open-source projects. "This subject kills me," says d'Antoine of the quest to better understand the open-source movement, "because, honestly, even the most simple things seem so novel to so many important people. The government is only just realizing that our critical infrastructure is running code that could be literally being written by sanctioned entities. Right now." This kind of research also aims to find underinvestment -- that is, critical software run entirely by one or two volunteers. It's more common than you might think -- so common that one common way software projects currently measure risk is the "bus factor": Does this whole project fall apart if just one person gets hit by a bus?
SocialCyber will also tackle other open-source projects, such as Python, which is "used in a huge number of artificial-intelligence and machine-learning projects," notes the report. "The hope is that greater understanding will make it easier to prevent a future disaster, whether it's caused by malicious activity or not."
Programming

Hundreds of Tech, Business and Nonprofit Leaders Urge States To Boost CS Education 49

theodp writes: In partnership with tech-bankrolled nonprofit Code.org, over 500 of the nation's business, education and nonprofit leaders issued a letter calling for state governments and education leaders to bring more Computer Science to K-12 students across the U.S. The signatories include a who's who of tech leaders, including Bill Gates, Jeff Bezos, Satya Nadella, Steve Ballmer, Tim Cook, Sundar Pichai, and Mark Zuckerberg. A new website -- CEOs for CS -- was launched in conjunction with the campaign. "The United States leads the world in technology, yet only 5% of our high school students study computer science. How is this acceptable?" the CEOs demand to know in their letter addressed "To the Governors and Education Leaders of the United States of America." They add, "Nearly two-thirds of high-skilled immigration is for computer scientists, and every state is an importer of this strategic talent. The USA has over 700,000 open computing jobs but only 80,000 computer science graduates a year. We must educate American students as a matter of national competitiveness."

A press release explains that the announcement "coincides with the culmination of the National Governors Association Chairman's Initiative for K-12 computer science, led by Arkansas Gov. Asa Hutchinson." Hutchinson is a founding Governor of the Code.org-led advocacy group Govs for CS, which launched in anticipation of President Obama's tech-supported but never materialized $4 billion CS for All initiative. Hutchinson was a signatory of an earlier 2016 Code.org organized letter from Governors, business, education, and nonprofit leaders that implored Congress to make CS education for K-12 students a priority.
Bitcoin

Game Developer On 'Why NFTs Are a Nightmare' (pcgamer.com) 89

Game developer Mark Venturelli received a spirited ovation at Brazil's International Games Festival on Friday after he surprised the audience for his "Future of Game Design" talk with a new title: "Why NFTs are a nightmare." PC Gamer reports: Venturelli, who is best known for the game Chroma Squad, didn't just push back against those talks by calling NFTs a nightmare: He argued in detail that they're bad for gaming and run directly counter to his vision for the future of game design. In a follow-up interview with PC Gamer, Venturelli said the event's blockchain sponsors needed "to buy their relevance, because they're not relevant." [...] NFT projects in particular quickly became savvy enough to use phrases like "environment-friendly technology" in their press releases, but none of them grapple with the deeper criticisms of their ideas. That's what Venturelli zeroed in on in his talk and in our follow-up interview. There's the uncanny resemblance between these profit-driven grifts and pyramid schemes, but there's also the philosophical concern that things like cryptocurrency represent a libertarian ideal founded in paranoia about institutions, and about other human beings. That, Venturelli says, is in part why they're so inefficient in the first place.

"Computationally, like in real life, if you don't trust the people that you're working with, you have to spend a lot more energy to achieve the same things," he says. "If I'm living with you in the same house and we don't trust each other, I have to, every time before I leave my house, hide my valuables. I have to make inventory of the things that I own, and maybe put cameras or locks inside of things. When I come back home I need to check everything and see if you messed with any of my stuff, and make sure that you don't get into my room when I'm sleeping and all that shit. It's so much energy that I have to use just to exist in a room with you, because I don't trust you. That, I feel, is a very good metaphor about how computationally blockchain works, and what is the underlying philosophical idea behind it, which is, 'We want a world without any sort of centralized authority because we cannot trust any of them ever.' And that is the opposite of what we want as a society, in my opinion." [...]

Investors see potential value in South America right now due to exploitable political and economic instabilities, which for Venturelli means that presenting his counterargument is more important than ever. "If we don't take up some spaces, and we let these kinds of people take these spaces, suddenly they're dictating what's the future, suddenly they're taking the investments so that they are building our next big projects," he said. "That's when it starts to get really dangerous, because it can jeopardize our future as an industry, in my opinion. Because I don't feel like these things have long legs. I feel like they might be successful in the short term, but they are going to fall on the long term for sure." [He went on to say:] "Right now we are living in a crisis of trust in Western society -- trust in each other, in institutions, and even in our future together is in decline," Venturelli says. "We should be building systems that help connect people and build trust, build sustainable solutions, and build infinitely scalable human solutions. We should not be shifting away from culture, entertainment, and storytelling towards economic activity. We should not just be eliminating the final hiding places that we have to run away from the oppression of capitalist society."
You can watch Venturelli's The Future of Game Design talk on YouTube. An English version of the slides accompanying it is available here.
Security

PyPI Is Rolling Out 2FA For Critical Projects, Giving Away 4,000 Security Keys (zdnet.com) 19

PyPI or the Python Package Index is giving away 4,000 Google Titan security keys as part of its move to mandatory two-factor authentication (2FA) for critical projects built in the Python programming language. ZDNet reports: PyPI, which is managed by the Python Software Foundation, is the main repository where Python developers can get third-party developed open-source packages for their projects. [...] One way developers can protect themselves from stolen credentials is by using two-factor authentication and the PSF is now making it mandatory for developers behind "critical projects" to use 2FA in coming months. PyPI hasn't declared a specific date for the requirement. "We've begun rolling out a 2FA requirement: soon, maintainers of critical projects must have 2FA enabled to publish, update, or modify them," the PSF said on its PyPI Twitter account.

As part of the security drive, it is giving away 4,000 Google Titan hardware security keys to project maintainers gifted by Google's open source security team. "In order to improve the general security of the Python ecosystem, PyPI has begun implementing a two-factor authentication (2FA) requirement for critical projects. This requirement will go into effect in the coming months," PSF said in a statement. "To ensure that maintainers of critical projects have the ability to implement strong 2FA with security keys, the Google Open Source Security Team, a sponsor of the Python Software Foundation, has provided a limited number of security keys to distribute to critical project maintainers."

PSF says it deems any project in the top 1% of downloads over the prior six months as critical. Presently, there are more than 350,000 projects on PyPI, meaning that more than 3,500 projects are rated as critical. PyPI calculates this on a daily basis so the Titan giveaway should go a long way to cover a chunk of key maintainers but not all of them. In the name of transparency, PyPI is also publishing 2FA account metrics here. There are currently 28,336 users with 2FA enabled, with nearly 27,000 of them using a 2FA app like Microsoft Authenticator. There are over 3,800 projects rated as "critical" and 8,241 PyPI users in this group. The critical group is also likely to grow since projects that have been designated as critical remain so indefinitely while new projects are added to mandatory 2FA over time. The 2FA rule applies to both project maintainers and owners.

Programming

Meet Bun, a Speedy New JavaScript Runtime (bun.sh) 121

Bun is "a modern JavaScript runtime like Node or Deno," according to its newly-launched web site, "built from scratch to focus on three main things."

- Start fast (it has the edge in mind).
- New levels of performance (extending JavaScriptCore, the engine).
- Being a great and complete tool (bundler, transpiler, package manager).

Bun is designed as a drop-in replacement for your current JavaScript & TypeScript apps or scripts — on your local computer, server or on the edge. Bun natively implements hundreds of Node.js and Web APIs, including ~90% of Node-API functions (native modules), fs, path, Buffer and more. [And Bun also implements Node.js' module resolution algorithm, so you can use npm packages in bun.js]

The goal of Bun is to run most of the world's JavaScript outside of browsers, bringing performance and complexity enhancements to your future infrastructure, as well as developer productivity through better, simpler tooling.... Why is Bun fast? An enormous amount of time spent profiling, benchmarking and optimizing things. The answer is different for every part of Bun, but one general theme: [it's written in Zig.] Zig's low-level control over memory and lack of hidden control flow makes it much simpler to write fast software.

An infographic on the site claims its server-side rendering of React is more than three times faster than Node or Deno. And Bun.js can even automatically load environment variables from .env files, according to the site. No more require("dotenv").load()
Hackaday describes it as "a performant all-in-one approach," including "bundling, transpiling, module resolution, and a fantastic foreign-function interface." Many JavaScript projects have a bundling and transpiling step that takes the source and packages it together in a more standard format. TypeScript needs to be packaged into JavaScript, and modules need to be resolved. Bun bakes all this in. TypeScript and JSX "just work." This dramatically simplifies many projects as much of the build infrastructure is part of Bun itself, lowering cognitive load when trying to understand a project... Some web-specific APIs, such as fetch and WebSockets, are also built-in.
"What's even wilder is that Bun is written by one person, Jared Sumner," the article points out — adding that all the code is available on GitHub under the MIT License ("excluding dependencies which have various licenses.")
Databases

Baserow Challenges Airtable With an Open Source No-Code Database Platform (techcrunch.com) 19

An anonymous reader quotes a report from TechCrunch: The burgeoning low-code and no-code movement is showing little sign of waning, with numerous startups continuing to raise sizable sums to help the less-technical workforce develop and deploy software with ease. Arguably one of the most notable examples of this trend is Airtable, a 10-year-old business that recently attained a whopping $11 billion valuation for a no-code platform used by firms such as Netflix and Shopify to create relational databases. In tandem, we're also seeing a rise in "open source alternatives" to some of the big-name technology incumbents, from Google's backend-as-a-service platform Firebase to open source scheduling infrastructure that seeks to supplant the mighty Calendly. A young Dutch company called Baserow sits at the intersection of both these trends, pitching itself as an open source Airtable alternative that helps people build databases with minimal technical prowess. Today, Baserow announced that it has raised $5.2 million in seed funding to launch a suite of new premium and enterprise products in the coming months, transforming the platform from its current database-focused foundation into a "complete, open source no-code toolchain," co-founder and CEO Bram Wiepjes told TechCrunch.

So what, exactly, does Baserow do in its current guise? Well, anyone with even the most rudimentary spreadsheet skills can use Baserow for use-cases spanning content marketing, such as managing brand assets collaboratively across teams; managing and organizing events; helping HR teams or startups manage and track applicants for a new role; and countless more, which Baserow provides pre-built templates for. [...] Baserow's open source credentials are arguably its core selling point, with the promise of greater extensibility and customizations (users can create their own plug-ins to enhance its functionality, similar to how WordPress works) -- this is a particularly alluring proposition for businesses with very specific or niche use cases that aren't well supported from an off-the-shelf SaaS solution. On top of that, some sectors require full control of their data and technology stack for security or compliance purposes. This is where open source really comes into its own, given that businesses can host the product themselves and circumvent vendor lock-in.

With a fresh 5 million euros in the bank, Baserow is planning to double down on its commercial efforts, starting with a premium incarnation that's officially launching out of an early access program later this month. This offering will be available as a SaaS and self-hosted product and will include various features such as the ability to export in different formats; user management tools for admin; Kanban view; and more. An additional "advanced" product will also be made available purely for SaaS customers and will include a higher data storage limit and service level agreements (SLAs). Although Baserow has operated under the radar somewhat since its official foundation in Amsterdam last year, it claims to have 10,000 active users, 100 sponsors who donate to the project via GitHub and 800 users already on the waiting list for its premium version. Later this year, Baserow plans to introduce a paid enterprise version for self-hosting customers, with support for specific requirements such as audit logs, single sign-on (SSO), role-based access control and more.

Programming

Vim 9.0 Released (vim.org) 81

After many years of gradual improvement Vim now takes a big step with a major release. Besides many small additions the spotlight is on a new incarnation of the Vim script language: Vim9 script. Why Vim9 script: A new script language, what is that needed for? Vim script has been growing over time, while preserving backwards compatibility. That means bad choices from the past often can't be changed and compatibility with Vi restricts possible solutions. Execution is quite slow, each line is parsed every time it is executed.

The main goal of Vim9 script is to drastically improve performance. This is accomplished by compiling commands into instructions that can be efficiently executed. An increase in execution speed of 10 to 100 times can be expected. A secondary goal is to avoid Vim-specific constructs and get closer to commonly used programming languages, such as JavaScript, TypeScript and Java.

The performance improvements can only be achieved by not being 100% backwards compatible. For example, making function arguments available by creating an "a:" dictionary involves quite a lot of overhead. In a Vim9 function this dictionary is not available. Other differences are more subtle, such as how errors are handled. For those with a large collection of legacy scripts: Not to worry! They will keep working as before. There are no plans to drop support for legacy script. No drama like with the deprecation of Python 2.

Databases

SQLite or PostgreSQL? It's Complicated! (twilio.com) 101

Miguel Grinberg, a Principal Software Engineer for Technical Content at Twilio, writes in a blog post: We take blogging very seriously at Twilio. To help us understand what content works well and what doesn't on our blog, we have a dashboard that combines the metadata that we maintain for each article such as author, team, product, publication date, etc., with traffic information from Google Analytics. Users can interactively request charts and tables while filtering and grouping the data in many different ways. I chose SQLite for the database that supports this dashboard, which in early 2021 when I built this system, seemed like a perfect choice for what I thought would be a small, niche application that my teammates and I can use to improve our blogging. But almost a year and a half later, this application tracks daily traffic for close to 8000 articles across the Twilio and SendGrid blogs, with about 6.5 million individual daily traffic records, and with a user base that grew to over 200 employees.

At some point I realized that some queries were taking a few seconds to produce results, so I started to wonder if a more robust database such as PostgreSQL would provide better performance. Having publicly professed my dislike of performance benchmarks, I resisted the urge to look up any comparisons online, and instead embarked on a series of experiments to accurately measure the performance of these two databases for the specific use cases of this application. What follows is a detailed account of my effort, the results of my testing (including a surprising twist!), and my analysis and final decision, which ended up being more involved than I expected. [...] If you are going to take one thing away from this article, I hope it is that the only benchmarks that are valuable are those that run on your own platform, with your own stack, with your own data, and with your own software. And even then, you may need to add custom optimizations to get the best performance.

Programming

The Really Important Job Interview Questions Engineers Should Ask (But Don't) (posthog.com) 185

James Hawkins: Since we started PostHog, our team has interviewed 725 people. What's one thing I've taken from this? It's normal for candidates not to ask harder questions about our company, so they usually miss out on a chance to (i) de-risk our company's performance and (ii) to increase the chances they'll like working here.

Does the company have product-market fit? This is the single most important thing a company can do to survive and grow.
"Do you ever question if you have product-market fit?"
"When did you reach product-market fit? How did you know?"
"What do you need to do to get to product-market fit?"
"What's your revenue? What was it a year ago?"
"How many daily active users do you have?"

It's ok if these answers show you the founder doesn't have product market fit. In this case, figure out if they will get to a yes. Unless you want to join a sinking ship, of course! Early stage founders are (or should be) super-mega-extra-desperately keen to have product-market fit -- it's all that really matters. The ones that will succeed are those that are honest about this (or those that have it already) and are prioritizing it. Many will think or say (intentionally or through self-delusion) that they have it when they don't. Low user or revenue numbers and vague answers to the example questions above are a sign that it isn't there. Product-market fit is very obvious.

Google

Google To Pay $90 Million To Settle Legal Fight With App Developers (reuters.com) 12

Google has agreed to pay $90 million to settle a legal fight with app developers over the money they earned creating apps for Android smartphones and for enticing users to make in-app purchases. Reuters reports: The app developers, in a lawsuit filed in federal court in San Francisco, had accused Google of using agreements with smartphone makers, technical barriers and revenue sharing agreements to effectively close the app ecosystem and shunt most payments through its Google Play billing system with a default service fee of 30%.

As part of the proposed settlement, Google said in a blog post it would put $90 million in a fund to support app developers who made $2 million or less in annual revenue from 2016-2021. "A vast majority of U.S. developers who earned revenue through Google Play will be eligible to receive money from this fund, if they choose," Google said in the blog post. Google said it would also charge developers a 15% commission on their first million in revenue from the Google Play Store each year. It started doing this in 2021.
"There were likely 48,000 app developers eligible to apply for the $90 million fund, and the minimum payout is $250," notes Reuters.
Facebook

Meta Sparks Anger By Charging For VR Apps (arstechnica.com) 32

An anonymous reader quotes a report from the Financial Times: Meta is facing a growing backlash for the charges imposed on apps created for its virtual reality headsets, as developers complain about the commercial terms set around futuristic devices that the company hopes will help create a multibillion-dollar consumer market. [...] But several developers told the Financial Times of their frustration that Meta, which is seen as having an early lead in a nascent market, has insisted on a charging model for its VR app store similar to what exists today on smartphones. This is despite Meta chief Mark Zuckerberg being strongly critical in the past of charging policies on existing mobile app stores.

"Don't confuse marketing with reality -- it's good marketing to pick on Apple. But it doesn't mean Meta won't do the exact same thing," said Seth Siegel, global head of AI and cyber security at Infosys Consulting. "There is no impetus for them to be better." The "Quest Store" for Meta's Quest 2, by far the most popular VR headset on the market, takes a 30 percent cut from digital purchases and charges 15-30 percent on subscriptions, similar to the fees charged by Apple and Android. "Undoubtedly there are services provided -- they build amazing hardware and provide store services," said Daniel Sproll, chief executive of Realities.io, an immersive realities start-up behind the VR game Puzzling Places. "But the problem is that it feels like everybody agreed on this 30 percent and that's what we're stuck with. It doesn't feel like there's any competition. The Chinese companies coming out with headsets are the same. Why would they change it?"

Meta defended its policies, pointing out that unlike iPhone owners, Quest users can install apps outside its official store through SideQuest, a third-party app store, or make use of App Lab, its less restricted, more experimental app store. "We want to foster choice and competition in the VR ecosystem," Meta said. "And it's working -- our efforts have produced a material financial return for developers: as we announced earlier this year, over $1 billion has been spent on games and apps in the Meta Quest Store." Developers welcome these alternatives but say their impact is limited. SideQuest has been downloaded just 396,000 times, versus 19 million for the Oculus app, according to Sensor Tower. App Lab, meanwhile, still takes a 30 percent cut of purchases.
Developers are also frustrated with Meta's shift to a more restrictive approach to allowing apps on its VR app store.

Chris Pruett, Meta's content ecosystem director, said Meta found that lax standards resulted in too many users being frustrated by low-quality content, so the company has opted to play more of a gatekeeper role. But developers said the resulting barriers could lack transparency.

"Getting something on the Quest store is painful," said Lyron Bentovim, chief executive of the Glimpse Group, an immersive experiences group. "It's significantly worse than getting on Apple or Android stores."
Programming

Svelte Origins: a JavaScript Documentary (youtube.com) 48

Svelte Origins: The Documentary tells the story of how Svelte came to be, what makes Svelte different, and how it changes the game as a JavaScript framework. From the description of the documentary, which was recommended by several Slashdot readers: Filmed in locations throughout Europe and the US, it features Svelte's creator Rich Harris and members from the core community who contributed to making Svelte what it is today. Svelte Origins was filmed in late 2021, produced by OfferZen and directed by Dewald Brand, with shoots in the USA, the UK, Ireland, Sweden and Germany.
Programming

Are Today's Programmers Leaving Too Much Code Bloat? (positech.co.uk) 296

Long-time Slashdot reader Artem S. Tashkinov shares a blog post from an indie game programmer who complains "The special upload tool I had to use today was a total of 230MB of client files, and involved 2,700 different files to manage this process." Oh and BTW it gives error messages and right now, it doesn't work. sigh.

I've seen coders do this. I know how this happens. It happens because not only are the coders not doing low-level, efficient code to achieve their goal, they have never even SEEN low level, efficient, well written code. How can we expect them to do anything better when they do not even understand that it is possible...? It's what they learned. They have no idea what high performance or constraint-based development is....

Computers are so fast these days that you should be able to consider them absolute magic. Everything that you could possibly imagine should happen between the 60ths of a second of the refresh rate. And yet, when I click the volume icon on my Microsoft Surface laptop (pretty new), there is a VISIBLE DELAY as the machine gradually builds up a new user interface element, and eventually works out what icons to draw and has them pop-in and they go live. It takes ACTUAL TIME. I suspect a half second, which in CPU time, is like a billion fucking years....

All I'm doing is typing this blog post. Windows has 102 background processes running. My Nvidia graphics card currently has 6 of them, and some of those have sub tasks. To do what? I'm not running a game right now, I'm using about the same feature set from a video card driver as I would have done TWENTY years ago, but 6 processes are required. Microsoft Edge web view has 6 processes too, as does Microsoft Edge too. I don't even use Microsoft Edge. I think I opened an SVG file in it yesterday, and here we are, another 12 useless pieces of code wasting memory, and probably polling the CPU as well.

This is utter, utter madness. It's why nothing seems to work, why everything is slow, why you need a new phone every year, and a new TV to load those bloated streaming apps, that also must be running code this bad. I honestly think it's only going to get worse, because the big dumb, useless tech companies like Facebook, Twitter, Reddit, etc are the worst possible examples of this trend....

There was a golden age of programming, back when you had actual limitations on memory and CPU. Now we just live in an ultra-wasteful pit of inefficiency. It's just sad.

Long-time Slashdot reader Z00L00K left a comment arguing that "All this is because everyone today programs on huge frameworks that have everything including two full size kitchen sinks, one for right handed people and one for left handed." But in another comment Slashdot reader youn blames code generators, cut-and-paste programming, and the need to support multiple platforms.

But youn adds that even with that said, "In the old days, there was a lot more blue screens of death... Sure it still happens but how often do you restart your computer these days." And they also submitted this list arguing "There's a lot more functionality than before."
  • Some software has been around a long time. Even though the /. crowd likes to bash Windows, you got to admit backward compatibility is outstanding
  • A lot of things like security were not taken in consideration
  • It's a different computing environment.... multi tasking, internet, GPUs
  • In the old days, there was one task running all the time. Today, a lot of error handling, soft failures if the app is put to sleep
  • A lot of code is due to software interacting one with another, compatibility with standards
  • Shiny technology like microservices allow scaling, heterogenous integration

So who's right and who's wrong? Leave your own best answers in the comments.

And are today's programmers leaving too much code bloat?


Programming

Stack Overflow Survey Finds Developers Like Rust, Python, JavaScript and Remote Work (infoworld.com) 97

For Stack Overflow's annual survey, "Over 73,000 developers from 180 countries each spent roughly 15 minutes answering our questions," a blog post announces: The top five languages for professional developers haven't changed: JavaScript is still the most used, and Rust is the most loved for a seventh year. The big surprise came in the most loved web framework category. Showing how fast web technologies change, newcomer Phoenix took the most loved spot from Svelte, itself a new entry last year.... Check out the full results from this year's Developer Survey here.
In fact, 87% of Rust developers said that they want to continue using Rust, notes SD Times' summary of the results: Rust also tied with Python as the most wanted technology in this year's report, with TypeScript and Go following closely behind. The distinction between most loved and most wanted is that most wanted includes only developers who are not currently developing with the language, but have an interest in developing with it.
Slashdot reader logankilpatrick writes, "It should come as no surprise to those following the growth and expansion of the Julia Programming Language ecosystem that in this year's Stack Overflow developer survey, Julia ranked in the top 5 for the most loved languages (above Python — 6th, MatLab — Last, and R — 33rd)."

And the Register shares more highlights: Also notable in the 71,547 responses regarding programming languages was a switch again between Python and SQL. In 2021, Python pushed out SQL to be the third most commonly used language. This year SQL regained third place, just behind second placed HTML/CSS.

And the most hated...

Unsurprisingly, developers still dread that tap on the shoulder from the finance department for a tweak to that bit of code upon which the entire company depends. Visual Basic for Applications and COBOL still lurk within the top three most dreaded technologies.

The operating system rankings were little changed: Windows won out for personal and professional use, although for professional use Linux passed macOS to take second place with 40 percent of responses compared to Apple's 33 percent. Most notable was the growth of Windows Subsystem for Linux, which now accounts for 14 percent of personal use compared with a barely registering 3 percent in 2021.

But SD Times noted what may be the most interesting statistic: Only 15% of developers work on-site full time. Forty-three percent are fully remote and 42% are hybrid. Smaller organizations with 2-19 employees are more likely to be in-person, while large organizations with over 10k employees are more likely to be hybrid, according to the survey.
InfoWorld delves into what this means: "The world has made the decision to go hybrid and remote, I have a lot of confidence given the data I have seen that that is a one-way train that has left the station," Prashanth Chandrasekar, CEO of Stack Overflow told InfoWorld.

Chandrasekar says that flexibility and the tech stack developers get to work with are the most important contributors to overall happiness at work. "Many developers drop out of the hiring process because of the tech stack they will be working with," he said... Organizational culture is also shifting, and cloud-native techniques have taken hold among Stack Overflow survey respondents. Most professional developers (70%) now use some form of CI/CD and 60% have a dedicated devops function....

Lastly, Web3 still has software developers torn, with 32% of respondents favorable, 31% unfavorable, and 26% indifferent. Web3 refers to the emerging idea of a decentralized web where data and content are registered on blockchains, tokenized, or managed and accessed on peer-to-peer distributed networks.

AI

AI-Powered GitHub Copilot Leaves Preview, Now Costs $100 a Year (techcrunch.com) 36

It was June 29th of 2021 that Microsoft-owned GitHub first announced its AI-powered autocompletion tool for programmers — trained on GitHub repositories and other publicly-available source code.

But after a year in "technical preview," GitHub Copilot has reached a new milestone, reports Info-Q: you'll now have to pay to use it after a 60-day trial: The transition to general availability mostly means that Copilot ceases to be available for free. Interested developers will have to pay 10 USD/month or $100 USD/year to use the service, with a 60-day free trial.... According to GitHub, while not frequent, there is definitely a possibility that Copilot outputs code snippets that match those in the training set.
Info-Q also cites GitHub stats showing over 1.2 million developers used Copilot in the last 12 months "with a shocking 40% figure of code written by Copilot in files where it is enabled." That's up from 35% earlier in the year, reports TechCrunch — which has more info on the rollout: It'll be free for students as well as "verified" open source contributors — starting with roughly 60,000 developers selected from the community and students in the GitHub Education program... One new feature coinciding with the general release of Copilot is Copilot Explain, which translates code into natural language descriptions. Described as a research project, the goal is to help novice developers or those working with an unfamiliar codebase.

Ryan J. Salva, VP of product at GitHub, told TechCrunch via email... "As an example of the impact we've observed, it's worth sharing early results from a study we are conducting. In the experiment, we are asking developers to write an HTTP server — half using Copilot and half without. Preliminary data suggests that developers are not only more likely to complete their task when using Copilot, but they also do it in roughly half the time."

Owing to the complicated nature of AI models, Copilot remains an imperfect system. GitHub said that it's implemented filters to block emails when shown in standard formats, and offensive words, and that it's in the process of building a filter to help detect and suppress code that's repeated from public repositories. But the company acknowledges that Copilot can produce insecure coding patterns, bugs and references to outdated APIs, or idioms reflecting the less-than-perfect code in its training data.

The Verge ponders where this is going — and how we got here: "Just like the rise of compilers and open source, we believe AI-assisted coding will fundamentally change the nature of software development, giving developers a new tool to write code easier and faster so they can be happier in their lives," says GitHub CEO Thomas Dohmke.

Microsoft's $1 billion investment into OpenAI, the research firm now led by former Y Combinator president Sam Altman, led to the creation of GitHub Copilot. It's built on OpenAI Codex, a descendant of OpenAI's flagship GPT-3 language-generating algorithm.

GitHub Copilot has been controversial, though. Just days after its preview launch, there were questions over the legality of Copilot being trained on publicly available code posted to GitHub. Copyright issues aside, one study also found that around 40 percent of Copilot's output contained security vulnerabilities.

Games

Goodbye Zachtronics, Developers of Very Cool Video Games (kotaku.com) 18

An anonymous reader quotes a report from Kotaku: On July 5, Zachtronics will be releasing Last Call BBS, a collection of stylish little puzzle games wrapped up in a retro PC gaming vibe. After 11 years in business (and even longer outside of commercial releases), a time which has seen the studio develop a cult following almost unrivaled in indie gaming, it will be the last new game Zachtronics will ever release. We spoke to founder Zach Barth to find out why.

Named for founder Zach Barth, Zachtronics has spent most of those 11 years specializing in puzzle games (or variations on the theme). And pretty much every single one of them has been great (or at least interesting). [...] The result has been a succession of games that may not have been to everyone's tastes, but for those with whom they resonated, it was their shit. It's not hard seeing why: most of Zachtronics' games involved challenging puzzles, but also a deeply cool and interesting presentation surrounding them, such as the grimy hacker aesthetic of Exapunks, or the Advance Wars-like Mobius Front 83. Given those initial and superficial differences, it can sometimes be hard pinpointing exactly what makes a game so clearly a Zachtronics joint, but like love and art, when you see it you just know it.

So it's sad, but also awesome in its own way, that 2022 will see the end of Zachtronics. Not because their publisher shuttered them, or because their venture capital funding ran out, or because Activision made them work on Call of Duty, or any other number of reasons (bankruptcy! scandal!) game developers usually close their doors. No, Zachtronics is closing because...they want to.
"We're wrapping things up!" Barth tells Kotaku's Luke Plunkett. "Zachtronics will release Last Call BBS next month. We're also working on a long-awaited solitaire collection that we're hoping to have out by the end of the year. After that, the team will disband. We all have different ideas, interests, tolerances for risk, and so on, so we're still figuring out what we want to do next."

"We felt it was time for a change. This might sound weird, but while we got very good at making 'Zachtronics games' over the last twelve years, it was hard for us to make anything else. We were fortunate enough to carve out a special niche, and I'm thankful that we've been able to occupy it and survive in it, but it also kept us locked into doing something we didn't feel like doing forever."

Last Call BBS will be released on July 5 on Steam. You can view the trailer here.
AI

Amazon Launches CodeWhisperer, a GitHub Copilot-like AI Pair Programming Tool (techcrunch.com) 13

At its re:Mars conference, Amazon today announced the launch of CodeWhisperer, an AI pair programming tool similar to GitHub's Copilot that can autocomplete entire functions based on only a comment or a few keystrokes. From a report: The company trained the system, which currently supports Java, JavaScript and Python, on billions of lines of publicly available open-source code and its own codebase, as well as publicly available documentation and code on public forums. It's now available in preview as part of the AWS IDE Toolkit, which means developers can immediately use it right inside their preferred IDEs, including Visual Studio Code, IntelliJ IDEA, PyCharm, WebStorm and Amazon's own AWS Cloud 9. Support for the AWS Lambda Console is also coming soon. Ahead of today's announcement, Vasi Philomin, Amazon's VP in charge of its AI services, stressed that the company didn't simply create this in order to offer a copy of Copilot. He noted that with CodeGuru, its AI code reviewer and performance profiler, and DevOps Guru, its tool for finding operation issues, the company laid the groundwork for today's launch quite a few years ago.
Cloud

Apple Will Now Allow Developers To Transfer Ownership of Apps That Use iCloud (9to5mac.com) 10

"The most impactful change to come out of WWDC had nothing to do with APIs, a new framework or any hardware announcement," writes Jordan Morgan via Daring Fireball. "Instead, it was a change I've been clamoring for the last several years -- and it's one that's incredibly indie friendly. As you've no doubt heard by now, I'm of course talking about iCloud enabled apps now allowing app transfers." 9to5Mac explains how it works: According to Apple, you already could transfer an app when you've sold it to another developer or you would want to move it to another App Store Connect account or organization. You can also transfer the ownership of an app to another developer without removing it from the App Store. The company said: "The app retains its reviews and ratings during and after the transfer, and users continue to have access to future updates. Additionally, when an app is transferred, it maintains its Bundle ID -- it's not possible to update the Bundle ID after a build has been uploaded for the app."

The news here is that it's easier for developers to transfer the ownership of apps that use iCloud. Apple said that if your app uses any of the following, it will be transferred to the transfer recipient after they accept the app transfer: iCloud to store user data; iCloud containers; and KVS identifiers are associated with the app.

The company said: "If multiple apps on your account share a CloudKit container, the transfer of one app will disable the other apps' ability to read or store data using the transferred CloudKit container. Additionally, the transferor will no longer have access to user data for the transferred app via the iCloud dashboard. Any app updates will disable the app's ability to read or store data using the transferred CloudKit container. If your app uses iCloud Key-Value Storage (KVS), the full KVS value will be embedded in any new provisioning profiles you create for the transferred app. Update your entitlements plist with the full KVS value in your provisioning profile."
You can learn more about the news via this Apple Developer page.
Programming

Researchers Claim Travis CI API Leaks 'Tens of Thousands' of User Tokens (arstechnica.com) 7

Ars Technica describes Travis CI as "a service that helps open source developers write and test software." They also wrote Monday that it's "leaking thousands of authentication tokens and other security-sensitive secrets.

"Many of these leaks allow hackers to access the private accounts of developers on GitHub, Docker, AWS, and other code repositories, security experts said in a new report." The availability of the third-party developer credentials from Travis CI has been an ongoing problem since at least 2015. At that time, security vulnerability service HackerOne reported that a GitHub account it used had been compromised when the service exposed an access token for one of the HackerOne developers. A similar leak presented itself again in 2019 and again last year.

The tokens give anyone with access to them the ability to read or modify the code stored in repositories that distribute an untold number of ongoing software applications and code libraries. The ability to gain unauthorized access to such projects opens the possibility of supply chain attacks, in which threat actors tamper with malware before it's distributed to users. The attackers can leverage their ability to tamper with the app to target huge numbers of projects that rely on the app in production servers.

Despite this being a known security concern, the leaks have continued, researchers in the Nautilus team at the Aqua Security firm are reporting. A series of two batches of data the researchers accessed using the Travis CI programming interface yielded 4.28 million and 770 million logs from 2013 through May 2022. After sampling a small percentage of the data, the researchers found what they believe are 73,000 tokens, secrets, and various credentials.

"These access keys and credentials are linked to popular cloud service providers, including GitHub, AWS, and Docker Hub," Aqua Security said. "Attackers can use this sensitive data to initiate massive cyberattacks and to move laterally in the cloud. Anyone who has ever used Travis CI is potentially exposed, so we recommend rotating your keys immediately."

China

Leaked Audio From 80 Internal TikTok Meetings Shows That US User Data Has Been Repeatedly Accessed From China 54

Speaking of TikTok moving US users' data to Oracle, a new report says that ByteDance staff in China accessed US TikTok users' data between September 2021 and January 2022. From the report: For years, TikTok has responded to data privacy concerns by promising that information gathered about users in the United States is stored in the United States, rather than China, where ByteDance, the video platform's parent company, is located. But according to leaked audio from more than 80 internal TikTok meetings, China-based employees of ByteDance have repeatedly accessed nonpublic data about US TikTok users -- exactly the type of behavior that inspired former president Donald Trump to threaten to ban the app in the United States.

The recordings, which were reviewed by BuzzFeed News, contain 14 statements from nine different TikTok employees indicating that engineers in China had access to US data between September 2021 and January 2022, at the very least. Despite a TikTok executive's sworn testimony in an October 2021 Senate hearing that a "world-renowned, US-based security team" decides who gets access to this data, nine statements by eight different employees describe situations where US employees had to turn to their colleagues in China to determine how US user data was flowing. US staff did not have permission or knowledge of how to access the data on their own, according to the tapes.

"Everything is seen in China," said a member of TikTok's Trust and Safety department in a September 2021 meeting. In another September meeting, a director referred to one Beijing-based engineer as a "Master Admin" who "has access to everything." (While many employees introduced themselves by name and title in the recordings, BuzzFeed News is not naming anyone to protect their privacy.) The recordings range from small-group meetings with company leaders and consultants to policy all-hands presentations and are corroborated by screenshots and other documents, providing a vast amount of evidence to corroborate prior reports of China-based employees accessing US user data.
