Python

How Spam Flooded the Official Python Software Package Repository PyPI (bleepingcomputer.com) 41

"The official Python software package repository, PyPI, is getting flooded with spam packages..." Bleeping Computer reported Thursday.

"Each of these packages is posted by a unique pseudonymous maintainer account, making it challenging for PyPI to remove the packages and spam accounts all at once..." PyPI is being flooded with spam packages named after popular movies in a style commonly associated with torrent or "warez" sites that provide pirated downloads: watch-(movie-name)-2021-full-online-movie-free-hd-... Although some of these packages are a few weeks old, BleepingComputer observed that spammers are continuing to add newer packages to PyPI... The web page for these bogus packages contains spam keywords and links to movie streaming sites, albeit of questionable legitimacy and legality...

In February of this year, PyPI had been flooded with bogus "Discord", "Google", and "Roblox" keygens in a massive spam attack, as reported by ZDNet. At the time, Ewa Jodlowska, Executive Director of the Python Software Foundation, had told ZDNet that the PyPI admins were working on addressing the spam attack; however, by the nature of pypi.org, anyone could publish to the repository, and such occurrences were common.

Other than containing spam keywords and links to quasi-video streaming sites, these packages contain files with functional code and author information lifted from legitimate PyPI packages... As previously reported by BleepingComputer, malicious actors have combined code from legitimate packages with otherwise bogus or malicious packages to mask their footsteps, and make the detection of these packages a tad more challenging...

In recent months, the attacks on open-source ecosystems like npm, RubyGems, and PyPI have escalated. Threat actors have been caught flooding software repositories with malware, malicious dependency confusion copycats, or simply vigilante packages to spread their message. As such, securing these repositories has turned into a whack-a-mole race between threat actors and repository maintainers.

Programming

Computer Coding Could Count For Foreign Language Credit Under Bill (mercurynews.com) 144

An anonymous reader quotes a report from The Mercury News: Instead of learning a foreign language, Michigan students could take computer coding classes to replace the high school graduation requirement, under a bill that passed the state House Tuesday. Currently, the Michigan Merit Curriculum, which dictates the state's academic standards for graduation, requires students to take two world language credits to receive a high school diploma. Before the bill passed a vote, bill sponsor Rep. Greg VanWoerkom spoke about the value of coding in Michigan's prominent auto and tech industries, as well as it being a good alternative for those kids who struggle with traditional language classes.

"Besides being a hard skill that employers actually want, coding helps build soft skills. Coding promotes the use of logic, reasoning, problem solving and creativity," the Norton Shores Republican said. "Any professional coder will tell you that to be fluent in coding takes years of practice and a deep understanding of the language." In opposition to the bill, Rep. Padma Kuppa said that though she understands the importance of adding more technology education to curriculums, having had a career as a mechanical engineer, coding is not a foreign language. Students need both computer and tech skills and foreign language skills. "As technology helps the world become more interconnected, our ability to understand and work with others on technical projects around the globe is not only related to the ability to code, but to understand one another," the Troy Democrat said.

Python

Microsoft Funds a Team with Guido van Rossum to Double the Speed of Python (zdnet.com) 153

ZDNet reports: Guido van Rossum, who created popular programming language Python 30 years ago, has outlined his ambitions to make it twice as fast — addressing a key weakness of Python compared to faster languages like C++.

Speed in Core Python (CPython) is one of the reasons why other implementations have emerged, such as Pyston.... In a contribution to the U.S. PyCon Language Summit this week, van Rossum posted a document on Microsoft-owned GitHub, first spotted by The Register, detailing some of his ambitions to make Python a faster language, promising to double its speed in Python 3.11 — one of three Python branches that will emerge next year in a pre-alpha release... van Rossum was "given freedom to pick a project" at Microsoft and adds that he "chose to go back to my roots".

"This is Microsoft's way of giving back to Python," writes van Rossum... According to van Rossum, Microsoft has funded a small Python team to "take charge of performance improvements" in the interpreted language...

He says that the main beneficiaries of upcoming changes to Python will be those running "CPU-intensive pure Python code" and users of websites with built-in Python.

The Register notes that the faster CPython project "has a GitHub repository which includes a fork of CPython as well as an issue tracker for ideas and tools for analysing performance."

"According to Van Rossum, there will be 'no long-lived forks/branches, no surprise 6,000 line pull requests,' and everything will be open source."

United States

Apple Confronts Critics in Letter To Congress (axios.com) 41

Apple is swatting down criticisms about how it runs its App Store, arguing its policies are just like those of its peers, in a new letter to senators today. From a report: Apple is making similar arguments to Congress to the ones in its defense in the Epic Games lawsuit -- namely, that it has the right to run its marketplace as it sees fit, and that companies and consumers that don't like it have alternatives. The letter, addressed to the members of the Senate Judiciary subcommittee that held a contentious hearing on app stores last month, contends that Spotify, Tile and Match Group misstated Apple's policies and are actually examples of companies that have been successful on iOS.

"Rather than demonstrating a problem with competition, these witnesses -- representing companies that have thrived in Apple's ecosystem -- showcased how Apple and the iOS ecosystem foster competition," wrote Apple chief compliance officer Kyle Andeer in the letter to Congress. At points, Apple appears to overstate its case. In one part, it writes that Spotify is wrong to suggest that developers can't communicate with customers about alternate purchase options, saying "Apple simply says that developers cannot redirect customers who are in the App Store to leave the App Store and go elsewhere." However, this restriction doesn't just apply in the App Store, but anywhere within an iOS app.

Apple

Apple Gave Zoom Access To Special API to Use iPad Camera During Split View Multitasking (macrumors.com) 85

AmiMoJo writes: Zoom, a hallmark platform used by millions during the global health crisis, has been given access to a special iPadOS API that allows the app to use the iPad camera while the app is in use in Split View multitasking mode. This case of special treatment was first brought to attention by app developer Jeremy Provost, who, in a blog post, explains that Zoom uses a special API that allows the app to continue using and accessing the iPad camera while the app is being used in Split View mode. Zoom can do this thanks to an "entitlement," which grants developers the ability to execute a particular capability with an API. As Provost notes, Apple publicly documents the ability for developers to apply for several different entitlements, such as ones related to CarPlay, HomeKit, and more. However, the special API that Zoom has been given is not offered to other developers by Apple, nor is its existence acknowledged by the company itself. On the Zoom Developer Forum, a staff member for the video conferencing platform had confirmed earlier in February that Zoom has access to the "com.apple.developer.avfoundation.multitasking-camera-access," or iPad Camera Multitasking entitlement. Further reading: Apple Offered Special App Store API Access To Hulu and Other Developers.

Programming

IBM's CodeNet Dataset Can Teach AI To Translate Computer Languages (engadget.com) 40

IBM announced during its Think 2021 conference on Monday that its researchers have crafted a Rosetta Stone for programming code. Engadget reports: In effect, we've taught computers how to speak human, so why not also teach computers to speak more computer? That's what IBM's Project CodeNet seeks to accomplish. "We need our ImageNet, which can snowball the innovation and can unleash this innovation in algorithms," [Ruchir Puri, IBM Fellow and Chief Scientist at IBM Research, said during his Think 2021 presentation]. CodeNet is essentially the ImageNet of computers. It's an expansive dataset designed to teach AI/ML systems how to translate code and consists of some 14 million snippets and 500 million lines spread across more than 55 legacy and active languages -- from COBOL and FORTRAN to Java, C++, and Python.

"Since the data set itself contains 50 different languages, it can actually enable algorithms for many pairwise combinations," Puri explained. "Having said that, there has been work done in human language areas, like neural machine translation which, rather than doing pairwise, actually becomes more language-independent and can derive an intermediate abstraction through which it translates into many different languages." In short, the dataset is constructed in a manner that enables bidirectional translation. That is, you can take some legacy COBOL code -- which, terrifyingly, still constitutes a significant amount of this country's banking and federal government infrastructure -- and translate it into Java as easily as you could take a snippet of Java and regress it back into COBOL.

CodeNet can be used for functions like code search and clone detection, in addition to its intended translational duties and serving as a benchmark dataset. Also, each sample is labeled with its CPU run time and memory footprint, allowing researchers to run regression studies and potentially develop automated code correction systems. Project CodeNet consists of more than 14 million code samples along with 4000-plus coding problems collected and curated from decades of programming challenges and competitions across the globe. "The way the data set actually came about," Puri said, "there are many kinds of programming competitions and all kinds of problems -- some of them more businesslike, some of them more academic. These are the languages that have been used over the last decade and a half in many of these competitions with 1000s of students or competitors submitting solutions." Additionally, users can run individual code samples "to extract metadata and verify outputs from generative AI models for correctness," according to an IBM press release. "This will enable researchers to program intent equivalence when translating one programming language into another." [...] IBM intends to release the CodeNet data to the public domain, allowing researchers worldwide equal and free access.

Social Networks

Game Developers Break Silence Around Salaries (axios.com) 89

Developers are sharing their salaries on Twitter under the hashtag #GameDevPaidMe to encourage pay transparency in their industry. Axios reports: The hashtag started circulating last year, but has returned periodically as developers fight for better working conditions. Salary sharing is a way to equalize the field. By removing the secrecy, as well as the stigma, around discussing pay, workers have more power to advocate for themselves when negotiating salaries and raises. In 2020, Blizzard employees shared their salaries anonymously via a spreadsheet to compare compensation. The pay gap between people at the top, and workers on the ground is measurable in hundreds of thousands of dollars -- even when those CEOs take pay cuts.

What they're saying:
A lead designer on "Hearthstone" working for Blizzard Entertainment: "I started getting paid fairly once I started asking questions. I only started asking questions once I better understood what I was worth. Understanding what you're worth can be a difficult question, but this helps."

A lead designer at Blackbird Interactive: "Every single person who plays games should take a good look at #GameDevPaidMe and get a sense for what the people who make your art actually make."

A senior game designer at Reflector Entertainment: "Don't wait for your employer to give you the raise you deserve, be open to talking to other companies even if you feel you are at a 'great' spot."

Apple

Apple Offered Special App Store API Access To Hulu and Other Developers (macrumors.com) 12

App Store Vice President Matt Fischer is on the stand answering questions from Apple and Epic lawyers, and one of the emails shared as evidence confirms that Apple has established special deals with major app developers like Hulu. From a report: In 2018, a tweet from developer David Barnard commented about App Store subscriptions being automatically cancelled through the StoreKit API, questioning why there hadn't been more offers to swap billing away from the App Store. Matt Fischer asked Cindy Lin about it, and she explained that Hulu is a developer with special access to a subscription cancel/refund API. Hulu is part of the set of whitelisted developers with access to subscription cancel/refund API. Back in 2015 they were using this to support instant upgrade using a 2 family setup, before we had subscription upgrade/downgrade capabilities built in. Apple does not further detail who other developers with special access might have been in the correspondence, but these are not features that all developers have access to. Apple has long said that the App Store provides a "level playing field" that treats all apps in the App Store the same with one set of rules for everybody and no special deals or special terms, but it's clear that some apps are indeed provided with special privileges.

Games

Witcher Game Developer Quits Company Over Bullying Claims (bloomberg.com) 62

An anonymous reader quotes a report from Bloomberg: The director of Witcher 3, the most successful video game by Polish publisher CD Projekt SA, resigned after he was accused of bullying colleagues, sending its shares to their steepest decline since March. CD Projekt conducted a months-long investigation into the allegations against Konrad Tomaszkiewicz, according to an email to staff reviewed by Bloomberg. In the message, Tomaszkiewicz wrote that a commission had investigated the allegations and found him not guilty. "Nonetheless, a lot of people are feeling fear, stress or discomfort when working with me," he wrote. He apologized to staff "for all the bad blood I have caused."

Tomaszkiewicz's work on Witcher 3 inspired the creation of a popular Netflix series, both based on novels by the author Andrzej Sapkowski, and at one point turned CD Projekt into Poland's most valuable company. [...] Tomaszkiewicz was expected to play a significant role in the company's next game in the Witcher series. When reached for comment, Tomaszkiewicz confirmed his departure and said he was "sad, a bit disappointed and resigned." A representative for CD Projekt declined to comment. In the email to employees, Tomaszkiewicz said the decision was agreed upon with the company's board. "I am going to continue working on myself," he wrote. "Changing behavior is a long and arduous process, but I'm not giving up, and I hope to change."

Programming

Survey Confirms Popularity of JavaScript, Python, C/C++, While C# Overtakes PHP (zdnet.com) 68

Analyst firm SlashData surveyed over 19,000 respondents from 155 countries for its "State of the Developer Nation" survey — and now estimates that there's 24.3 million active developers worldwide.

TechRadar reports: The report pegs JavaScript as the most popular language that, together with variants including TypeScript and CoffeeScript, is used by almost 14 million developers around the world. Based on SlashData's observations over the past several years, more than 4.5 million JavaScript developers have joined the ranks between Q4 2017 and Q1 2021. This is the highest growth in terms of absolute numbers across all programming languages...

Next up is Python with just over 10 million users, followed by Java with 9.4 million, and C/C++ with 7.3 million. The report notes that Python added 1.6 million new developers in the past year, recording a growth rate of 20%.

From ZDNet: SlashData estimates the next three largest developer communities are using C/C++ (7.3 million), Microsoft's C# (6.5 million), and PHP (6.3 million). Other large groups of developers are fans of Kotlin, Swift, Go, Ruby, Objective C, Rust and Lua...

SlashData, however, notes that Rust and Lua were the two fastest growing programming language communities in the past 12 months, albeit from a lower base than Python.

And Visual Studio magazine couldn't resist emphasizing that C# "has ticked up a notch in popularity, overtaking PHP for No. 5 on that ranking..." "C# lost three places in the rankings of language communities between Q3 2019 and Q3 2020, but it regained its lead over PHP in the past six months after adding half a million developers," the report states... "C# is traditionally popular within the desktop developer community, but it's also the most broadly used language among AR/VR and game developers, largely due to the widespread adoption of the Unity game engine in these areas..."

It was a different story one year ago, when the 18th edition of the report said: "C# lost about 1M developers during 2019... [I]t seems to be losing its edge in desktop development — possibly due to the emergence of cross-platform tools based on web technologies."

The language might see more desktop development inroads as new initiatives from Microsoft such as Blazor Desktop (one of those "cross-platform tools based on web technologies") and .NET MAUI provide a wide array of desktop approaches.

Google

Bytecode Alliance Expands as Microsoft, Google, Intel Promote Fast, Secure Development with WebAssembly (mozilla.org) 54

There was a big announcement this week from Mozilla. They've joined Fastly, Intel, and Microsoft "in announcing the incorporation and expansion of the Bytecode Alliance, a cross-industry partnership to advance a vision for fast, secure, and simplified software development based on WebAssembly." Building software today means grappling with a set of vexing trade-offs. If you want to build something big, it's not realistic to build each component from scratch. But relying on a complex supply chain of components from other parties allows a defect anywhere in that chain to compromise the security and stability of the entire program.

Tools like containers can provide some degree of isolation, but they add substantial overhead and are impractical to use at per-supplier granularity. And all of these dynamics entrench the advantages of big companies with the resources to carefully manage and audit their supply chains.

Mozilla helped create WebAssembly to allow the Web to grow beyond JavaScript and run more kinds of software at faster speeds. But as it matured, it became clear that WebAssembly's technical properties — particularly memory isolation — also had the potential to transform software development beyond the browser by resolving the tension described above. Several other organizations shared this view, and we came together to launch the Bytecode Alliance as an informal industry partnership in late 2019. As part of this launch, we articulated our shared vision and called for others to join us in bringing it to life... [W]e asked prospective members to be patient and, in parallel with ongoing technical efforts, worked to incorporate the Alliance as a formal 501(c)(6) organization. That process is now complete, and we're thrilled to welcome Arm, DFINITY Foundation, Embark Studios, Google, Shopify, and University of California at San Diego as official members of the Bytecode Alliance.

We have a real opportunity to change how software is built, and in doing so, enable small teams to build big things that are both secure and fast.

Achieving the elusive trifecta — easy composition, defect isolation, and high performance — requires both the right technology and a coordinated effort across the ecosystem to deploy it in the right way. Mozilla believes that WebAssembly has the right technical ingredients to build a better, more secure Internet, and that the Bytecode Alliance has the vision and momentum to make it happen.

Programming

Rust Programming Language: We Want To Take It Into the Mainstream, Says Facebook (zdnet.com) 74

Facebook has joined the Rust Foundation, the organization driving the Rust programming language, alongside Amazon Web Services, Google, Huawei, Microsoft, and Mozilla. From a report: Facebook is the latest tech giant to ramp up its adoption of Rust, a language initially developed by Mozilla that's become popular for systems programming because of its memory safety guarantees compared to fast languages C and C++. Rust is appealing for writing components like drivers and compilers.

The Rust Foundation was established in February with initial backing from Amazon Web Services, Google, Huawei, Microsoft, and Mozilla. Microsoft is exploring Rust for some components of Windows and Azure while Google is using Rust to build new parts of the Android operating system and supporting an effort to bring Rust to the Linux kernel. Facebook's engineering team has now detailed its use of Rust beginning in 2016, a year after Rust reached its 1.0 milestone. "For developers, Rust offers the performance of older languages like C++ with a heavier focus on code safety. Today, there are hundreds of developers at Facebook writing millions of lines of Rust code," Facebook's software engineering team said.

Google

JavaScript Developers Left in the Dark After DroidScript Software Shut Down by Google Over Ad Fraud Allegations (theregister.com) 40

On the last day of March, DroidScript, a popular Android app for writing JavaScript code, had its Google advertising account suspended and a week later was removed from the Google Play Store for alleged ad fraud. From a report: David Hurren, founder of the non-profit DroidScript.org and of SoftCogs Ltd, a UK-based software firm, is baffled by the charge and asked Google to explain how it came to that conclusion and to reconsider its suspension of DroidScript. But his appeals have been answered by form letters and now the app, used by more than 100,000 developers, including students, teachers and professionals, is losing premium subscribers as well as ad revenue with no further explanation from Google.

The app had only a single banner, "reluctantly added to cover our development and hosting costs," Hurren explained in a DroidScript forum post about the crisis. Denied access to ad revenue and details about the supposed infraction, Hurren set about creating a new version without the AdMob banner ad shortly after the AdMob account suspension, knowing this might also prevent DroidScript users from implementing AdMob in their own apps. But Google, on April 7, suspended the app on Google Play, preventing any new version from being released. Hurren said that means the app loses all the user ratings, download statistics, and premium subscribers accrued over the past seven years.

Programming

Microsoft Previews 'Rust for Windows' (microsoft.com) 70

From Mike Melanson's "This Week in Programming" column: "The Rustening at Microsoft has begun," tweeted Microsoft distinguished engineer Miguel de Icaza.

What de Icaza is referring to is a newly-offered course by Microsoft on taking the first steps with Rust, which much of the Twitterverse of Rust devotees sees as a sign that the company is further increasing its favor for their crab-themed language of choice. Of course, this isn't the first we've heard of Microsoft looking to Rust to handle the 70% of Microsoft vulnerabilities that it says come from using the memory-unsafe C++ programming language in its software. A few years back now, Microsoft launched Project Verona, a research programming language that takes a bite from Rust in the realm of ownership and is said to be inspired by Rust, among others.

More recently, however, Microsoft announced the preview of Rust for Windows, which "lets you use any Windows API (past, present, and future) directly and seamlessly via the windows crate (crate is Rust's term for a binary or a library, and/or the source code that builds into one)." With Rust for Windows, developers can now not only use Rust on Windows, they can also write apps for Windows using Rust...

According to the project description, the Windows crate "lets you call any Windows API past, present, and future using code generated on the fly directly from the metadata describing the API and right into your Rust package where you can call them as if they were just another Rust module" and that, along with the introduction of a course for learning Rust, is precisely what has all those Rust devotees so excited.

InfoWorld has more information...

Social Networks

'Not Even Student Work': MyPillow CEO's Social Media Site Botches Rollout (salon.com) 191

"Salon reports amateur-hour mistakes in the attempted rollout of FRANK, a social media site envisioned by Mike Lindell of MyPillow," writes Slashdot reader Tom239. "A Drupal expert described the code as 'not even student work.'" From the report: Speaking to Salon on Thursday afternoon about Lindell's site, one "Acquia Certified Drupal Grand Master," who oversees a technology firm that employs numerous other "grandmasters," said that Lindell's site was set up for failure from its inception, noting that its developers -- whom Lindell compared to Navy SEALs -- had failed to carry out basic "Drupal 101" tasks. One coder who spoke to Salon in great detail explained the potential shortcomings of the pillow maven's program code and the patchy work done by his developer team. "Drupal can power highly powerful websites, sites with lots of traffic," the expert said, adding that it isn't the right software to build a social media site with, since it's not designed to handle a large amount of user-generated content. "Lindell's website was basically trying to make soup from scratch for everybody," said the expert, who claimed more than 25 years of experience in the IT field.

"In my professional opinion, it will be extremely unlikely, if not impossible, for Lindell to accomplish his vision with Drupal and his own servers," the expert told Salon. "Despite how much I love it, Drupal simply isn't the right tool for the number of users with the features that he wants to provide. It would take a massive effort of 12 to 18 months to build out the needed hosting setup and application architecture, and this would come with an enormous degree of risk. The idea that he could do this in just a couple of months is patently absurd, and I think the results speak for themselves."

"When I was looking at the code, in the browser, they basically launched the site while it was still in development mode," one expert told Salon, citing the fact that developers had failed to check a box to aggregate files on the platform as the first red flag he ran across. "Their files were not aggregated, and by the way, that's a check box in Drupal -- you literally check a box and click save. My jaw dropped when I saw that. I was like, 'They did not try to launch this thing without aggregation turned on!'" The second major red flag another Drupal expert found was that Lindell's site was spitting out coded error messages to users, which leaves the platform vulnerable to attacks. "This is a shit show," the expert said, calling this an "obvious" issue that coders learn how to prevent in "Drupal 101."

Elsewhere it was reported that Lindell's supposed free-speech haven will not allow swearing, pornography, or the use of 'god's name in vain'.

Education

Tech Giants Support Code.org's Amazon-Bankrolled Java-Based AP CS Curriculum 39

theodp writes: Code.org on Wednesday announced that dozens of industry, education, and state leaders are supporting a new Code.org AP CS A Java-focused curriculum for high school students, which will be available at no charge to all schools starting in the 2022-23 school year. "We are proud to have the following companies on our Industry Advisory Panel: Adobe, Amazon, Atlassian, Disney, Epic Games, Goldman Sachs, Google, IBM, Instagram, Microsoft, Riot Games, Roblox, Snapchat, Spotify, Tesla, Unity, Vista Equity," Code.org tweeted. "A big thank you to the following colleges and universities on our Education Advisory Panel: @BowieState @UBuffalo @CarnegieMellon @Harvard @montgomerycoll @NCWIT @thisisUIC @Illinois_Alma @unlv @UNOmaha @SpelmanCollege @UT_Dallas @UW @westminsterpa." In an accompanying Medium post, Code.org explained: "This work is all made possible through a generous [$15 million] gift from Amazon Future Engineer."

Despite having the support of some of the world's richest corporations and individuals whose goals the nonprofit helps advance, recently-released SBA records show that Code.org applied for and was approved for its second forgivable Federal Paycheck Protection Program loan in the amount of $1.9 million dollars on March 25, a month after Amazon and Code.org issued a joint press release announcing their $15 million plan to work on a new AP CS A curriculum and other initiatives. Amazon certainly has ambitious plans for influencing K-12 CS education. Last week, the company announced a 2021 goal to "reach 1.6 million underrepresented students globally through Amazon Future Engineer with real world-inspired virtual and hands-on computer science project learning." And an Amazon Future Engineer job listing for a U.S. Country Senior Manager notes the job will require working "with national and local educational non-profits and governmental entities such as BootUp, Project STEM, Code.org, and the US and State Departments of Education," as well as positioning Amazon "as subject matter experts on US computer science education, as well as the local education systems of our headquarter regions."

Programming

How Often Do People Actually Copy and Paste From Stack Overflow? (stackoverflow.blog) 124

Stack Overflow blog: They say there's a kernel of truth behind every joke. In the case of our recent April Fools gag, it might be more like an entire cob, perhaps a bushel of truth. We wanted to embrace a classic Stack Overflow meme and tweak one of our core principles. Our company was inspired by the founders' frustration with websites that kept answers to coding questions behind paywalls. What would the world look like if we suddenly decided to monetize the act of copying code from Stack Overflow? OK, joke's over; hope everyone had a good laugh and no one got too freaked out. But wait, there's more. Once we set up a system to react every time someone typed Command+C, we realized there was also an opportunity to learn about how people use our site. We were able to catalog every copy command made on Stack Overflow over the course of two weeks, and here's what we found.

One out of every four users who visits a Stack Overflow question copies something within five minutes of hitting the page. That adds up to 40,623,987 copies across 7,305,042 posts and comments between March 26th and April 9th. People copy from answers about ten times as often as they do from questions and about 35 times as often as they do from comments. People copy from code blocks more than ten times as often as they do from the surrounding text, and surprisingly, we see more copies being made on questions without accepted answers than we do on questions which are accepted. So, if you've ever felt bad about copying code from our site instead of writing it from scratch, forgive yourself!

Programming

Student's First Academic Paper Solves Decades-Old Quantum Computing Problem (abc.net.au) 96

"Sydney university student Pablo Bonilla, 21, had his first academic paper published overnight and it might just change the shape of computing forever," writes Australia's national public broadcaster ABC: As a second-year physics student at the University of Sydney, Mr Bonilla was given some coding exercises as extra homework and what he returned with has helped to solve one of the most common problems in quantum computing. His code piqued the interest of researchers at Yale and Duke in the United States and the multi-billion-dollar tech giant Amazon plans to use it in the quantum computer it is trying to build for its cloud platform Amazon Web Services....

Assistant professor Shruti Puri of Yale's quantum research program said the new code solved a problem that had persisted for 20 years. "What amazes me about this new code is its sheer elegance," she said. "Its remarkable error-correcting properties are coming from a simple modification to a code that has been studied extensively for almost two decades...."

Co-author of the paper, the University of Sydney's Ben Brown, said the brilliance of Pablo Bonilla's code was in its simplicity... "We just made the smallest of changes to a chip that everybody is building, and all of a sudden it started doing a lot better. It's quite amazing to me that nobody spotted it in the 20-or-so years that people have been working on that model."

Programming

Linus Torvalds Says Rust Closer for Linux Kernel Development, Calls C++ 'A Crap Language' (itwire.com) 270

Google's Android team supports Rust for developing the Android operating system. Now they're also helping evaluate Rust for Linux kernel development. Their hopes, among other things, are that "New code written in Rust has a reduced risk of memory safety bugs, data races and logic bugs overall," that there will be "abstractions that are easier to reason about," and that "More people get involved overall in developing the kernel, thanks to the usage of a modern language."

Linus Torvalds responded in a new interview with IT Wire (shared by Slashdot reader juul_advocate): The first patches for Rust support in the Linux kernel have been posted and the man behind the kernel says the fact that these are being discussed is much more important than a long post by Google about the language. Linus Torvalds told iTWire in response to queries that Rust support was "not there yet", adding that things were "getting to the point where maybe it might be mergeable for 5.14 or something like that..." Torvalds said that it was still early days for Rust support, "but at least it's in a 'this kind of works, there's an example, we can build on it'."

Asked about a suggestion by a commenter on the Linux Weekly News website, who said, during a discussion on the Google post, "The solution here is simple: just use C++ instead of Rust", Torvalds could not restrain himself from chortling. "LOL," was his response. "C++ solves _none_ of the C issues, and only makes things worse. It really is a crap language.

"For people who don't like C, go to a language that actually offers you something worthwhile. Like languages with memory safety and [which] can avoid some of the dangers of C, or languages that have internal GC [garbage collection] support and make memory management easier. C++ solves all the wrong problems, and anybody who says 'rewrite the kernel in C++' is too ignorant to even know that."

He said that when one spoke of the dangers of C, one was also speaking about part of what made C so powerful, "and allows you to implement all those low-level things efficiently".

Torvalds added that, while garbage collection is "a very good thing in most other situations," it's "generally not necessarily something you can do in a low-level system programming."
PHP

Git.PHP.net Not Compromised in Supply Chain Attack, but User Database Leak Possible (inside.com) 18

Inside.com's developer newsletter reports: The PHP team no longer believes the git.php.net server was compromised in a recent attack, which prompted PHP to move servers to GitHub and caused the team to temporarily put releases on hold until mid-April...

In an update offering further insight into the root cause of the late March attack, the team says because it's possible the master.php.net user database was exposed, master.php.net has been moved to main.php.net. The team also reset php.net passwords, and you can visit https://main.php.net/forgot.php to set a new password. In addition, git.php.net and svn.php.net are both read-only now.

Two malicious commits were pushed to the php-src repo from PHP founder Rasmus Lerdorf and PHP core developer Nikita Popov, Popov announced March 28. After an investigation, the PHP team reassured users these malicious commits never reached end-users. However, the team decided to move to GitHub after determining maintaining its own git infrastructure is "an unnecessary security risk."

"In 2019, the PHP team temporarily shut down its Git server after discovering that an attacker had maliciously replaced the official PHP Extension and Application Repository with a malicious one," reports CPO magazine. But this newer supply chain attack "targeted any server that uses PHP ZLib compression when sending data. Most servers use this functionality on almost all content except images and archives that are already size optimized." The supply chain attack would have turned PHP into a remote web shell through which the attackers could execute any command without authentication. This is because the malicious attackers would have the same privileges as the web server running PHP. The backdoor is triggered at the start of a request by checking if the request contains the word "zerodium." If this condition was met, PHP executes the code in the "User-Agentt" request header. The header closely resembles the PHP "User-Agent" request for checking for browser properties.

The rest of the request would thus be treated as a command that could be executed on a PHP server using the server's privileges. This would allow the hackers to run any arbitrary command without the need for further privileges...

PHP powers 80% of all websites. Thus, a successful supply chain attack exploiting the language could prove catastrophic.
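As an added illustration of the trigger described above (this is example code written for this digest, not anything from the PHP project or the cited reports), here is a small detector that flags HTTP requests carrying the non-standard "User-Agentt" header, and separately those whose header value contains the "zerodium" trigger word. The sample requests are constructed; the function names are my own.

```python
"""Added example: flag requests matching the php-src backdoor trigger
described in the CPO magazine report (a "User-Agentt" header whose value
contains "zerodium"). Sample traffic below is constructed."""

from typing import Dict, List

TRIGGER = "zerodium"
SUSPECT_HEADER = "user-agentt"  # doubled "t": not a standard HTTP header


def parse_headers(raw_request: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP/1.1 request into a dict keyed
    by lower-cased header name (header names are case-insensitive)."""
    headers: Dict[str, str] = {}
    for line in raw_request.split("\r\n")[1:]:  # skip the request line
        if line == "":                          # blank line ends headers
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def classify_request(raw_request: str) -> str:
    """Return 'trigger', 'suspicious' or 'clean' for one raw request."""
    headers = parse_headers(raw_request)
    if SUSPECT_HEADER not in headers:
        return "clean"
    # Any "User-Agentt" header is worth logging; the report says the
    # backdoor only fires when the value contains the trigger word.
    if TRIGGER in headers[SUSPECT_HEADER].lower():
        return "trigger"
    return "suspicious"


def scan(requests: List[str]) -> Dict[str, int]:
    """Count requests per class across a batch, e.g. from a capture."""
    counts = {"clean": 0, "suspicious": 0, "trigger": 0}
    for req in requests:
        counts[classify_request(req)] += 1
    return counts


# Constructed samples: a normal request, one with the odd header but no
# trigger word, and one matching the described trigger (payload redacted).
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agentt: curl/7.0\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agentt: zerodium (redacted)\r\n\r\n",
]

if __name__ == "__main__":
    print(scan(SAMPLE_REQUESTS))
```

In practice the same check can be applied to web server access logs or a WAF rule; the point is that the trigger header name is one no legitimate client sends.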
