Programming

JetBrains Announces 'Fleet' IDE to Compete with Microsoft's Visual Studio Code (jetbrains.com) 98

On Monday JetBrains (creators of the Kotlin programming language and makers of the integrated development environment IntelliJ IDEA) made an announcement: a preview for a lightweight new multi-language IDE called Fleet using IntelliJ's code-processing engine with a distributed IDE architecture and a reimagined UI.

By Friday they'd received an "overwhelming" number of requests, and announced the preview program had stopped accepting new requests. ("To subscribe for updates and the public preview announcement at jetbrains.com/fleet or follow @JetBrains_Fleet on Twitter.")

They'd received 80,000 requests in just the first 30 hours, reports Visual Studio magazine: Although JetBrains didn't even mention VS Code in its Nov. 28 announcement, many media pundits immediately characterized it along the lines of an "answer to Visual Studio Code," a "response to Visual Studio Code," a "competitor to Visual Studio Code" and so on...

"When you first launch Fleet, it starts up as a full-fledged editor that provides syntax highlighting, simple code completion, and all the things you'd expect from an editor," JetBrains said. "But wait, there's more! Fleet is also a fully functional IDE bringing smart completion, refactorings, navigation, debugging, and everything else that you're used to having in an IDE — all with a single button click."

"It starts up in an instant so you can begin working immediately..." boasts the Fleet web page, adding that Fleet "is designed to automatically detect your project configuration from the source code, maximizing the value you get from its smart code-processing engine while minimizing the need to configure the project in the IDE." And it also offers "project and context aware code completion, navigation to definitions and usages, on-the-fly code quality checks, and quick-fixes..."

Fleet also offers a collaborative environment allowing developers to work together — not just sharing the editor, but also terminals and debugging sessions. (There's even a diff view for reviewing changes.) "Others can connect to a collaboration session you initiate on your machine, or everyone can connect to a shared remote dev environment," explains Fleet's web page. "It supports a number of remote work scenarios and can be run locally on the developer's computer, in the cloud, or on a remote server," reports SD Times. (And Fleet's home page says soon it will even run in Docker containers configured with an appropriate environment for your project.)

SD Times adds that Fleet "currently supports Java, Kotlin, Go, Python, Rust, and JavaScript. The company plans to extend support to cover PHP, C++, C#, and HTML, which are the remaining languages that have IntelliJ IDEs." It's multi-platform — running on Linux, MacOS, or Windows — and Fleet's web page promises "a familiar and consistent user experience" offering one IDE for the many different technologies you might end up using.

And yes, there's a dark theme.
IT

Stripe is On a Hiring Spree. But It's Also Rescinding Job Offers and Angering Engineers. (protocol.com) 102

The prevailing narrative about tech workers assumes that they have more power than ever before. This even has a term -- the Great Resignation. But at the booming, much-revered payments company Stripe, some applicants have found themselves accepting job offers only to learn they have been rescinded without warning. From a report: Protocol spoke with two Stripe candidates who received either verbal or written offers from the company and then had those offers revoked because of "shifting business priorities." (We reviewed their communications with Stripe recruiters, including the offer letter, to confirm the candidates' stories). Protocol also spoke with a former Stripe recruiter who described the company as embracing a "hire and fire" mentality and constantly shifting priorities and reorganizing staff. All three of these sources were granted anonymity for fear of repercussions by their current and potential future employers. Protocol also reviewed multiple online complaints detailing similar rescinded offers; the most prominent of these complaints was posted on Hacker News and received a rousing defense of Stripe from Coinbase CEO Brian Armstrong.

"We want everyone who interacts with Stripe during a recruiting process to be treated professionally and with respect. We value feedback and are always looking for ways to improve our recruiting experience," a Stripe spokesperson wrote to Protocol. Stripe, which has the highest valuation of any private, venture-backed tech company in the U.S., has grown so rapidly over the last few years that many engineers and other tech workers see it as one of the most desirable, successful places to work. The former recruiter interviewed by Protocol said that she chose the job over offers at Google and two other tech companies, in part because of the extremely positive and enthusiastic way the company was sold to her and because of Stripe's reputation in the industry.

Open Source

Addressing 'Bus Factor', PHP Gets a Foundation (thenewstack.io) 69

How many members of your team are so irreplaceable that if they were hit by a bus, your project would grind to a halt?

For PHP, that number is: two. (According to a post by PHP contributor Joe Watkins earlier this year that's now being cited in Mike Melanson's "This Week in Programming" column.) "Maybe as few as two people would have to wake up this morning and decide they want to do something different with their lives in order for the PHP project to lack the expertise and resources to move it forward in its current form, and at current pace," Watkins wrote at the time, naming Dmitry Stogov and Nikita Popov as those two. Well, last week, Nikita Popov was thankfully not hit by a bus, but he did decide to move on from his role with PHP to instead focus his activities on LLVM.

Also thankfully, Watkins' article earlier this year opened some eyes to the situation at hand and, as he writes in a follow-up article this week, JetBrains (Popov's employer) reached out to him at the time regarding starting a PHP Foundation. This week, with Popov's departure, the PHP Foundation was officially launched with the goal of funding part/full-time developers to work on the PHP core in 2022. At launch, the PHP Foundation will count 10 companies — Automattic, Laravel, Acquia, Zend, Private Packagist, Symfony, Craft CMS, Tideways, PrestaShop, and JetBrains — among its backers, with an expectation to raise $300,000 per year, and with JetBrains contributing $100,000 annually. Alongside that, the foundation is being launched using foundation-as-a-service provider Open Collective, and just under 700 contributors have already raised more than $40,000 for the foundation.

One of the key benefits to creating a foundation, rather than sticking with the status quo, goes beyond increasing the bus factor — it diversifies the influences on PHP. Watkins points out that, for much of the history of PHP, Zend, the employer of Dmitry Stogov, has been a primary financial backer, and as such has had some amount of influence on the language's direction. Similarly, JetBrains had increased influence during its time employing Popov on PHP."To say they have not influenced the direction of the language as a whole would just not be true...." While Watkins says that everything has been above board and gone through standard processes to ensure so, influence is nonetheless indisputable, and that "The Foundation represents a new way to push the language forward..."

The current RFC process, JetBrains writes, "will not change, and language decisions will always be left to the PHP Internals community."

And in addition, Watkins adds, "It provides us the mechanism by which to raise the bus factor, so that we never face the problems we face today, and have faced in the past."
Programming

Rust's Moderation Team Resigns to Protest 'Unaccountable' Core Team (thenewstack.io) 265

On Monday morning the moderation team for the Rust programming language "resigned effective immediately," reports The New Stack: The resignation was tendered via a pull request on GitHub, wherein team member Andrew Gallant wrote that the team resigned "in protest of the Core Team placing themselves unaccountable to anyone but themselves."

According to the page describing Rust governance, the moderation team's purpose is to do just that — to help "uphold the code of conduct and community standards" — and according to the resignation letter, they are unable to do so, with the Core Team seemingly being outside of those bounds. "As a result of such structural unaccountability, we have been unable to enforce the Rust Code of Conduct to the standards the community expects of us and to the standards we hold ourselves to," Gallant continues, before making four specific recommendations to the Rust community as to how to move forward.

First, Gallant writes that the Rust community should "come to a consensus on a process for oversight over the Core Team," which he says is currently "answerable only to themselves." Next, the outgoing team recommends that the "replacement for the Mod Team be made by Rust Team Members not on the Core Team," and that this future team "with advice from Rust Team Members, proactively decide how best to handle and discover unhealthy conflict among Rust Team Members," with "professional mediation" also suggested. The final point, which they say is unrelated, is that the next team should "take special care to keep the team of a healthy size and diversity, to the extent possible," something they failed to do themselves. To that point, the outgoing team is just three members, Andre Bogus, Andrew Gallant, and Matthieu M...

The former team concludes their resignation letter, writing that "we have avoided airing specific grievances beyond unaccountability" because they are choosing "to maintain discretion and confidentiality" and that the Rust community and their replacements "exercise extreme skepticism of any statements by the Core Team (or members thereof) claiming to illuminate the situation."

"Our relationship with Core has been deteriorating for months," they add in a thread on Reddit (where the subReddit's moderators have since locked out comments "in light of the volatile nature of this thread.")

There's just one more official update. Thursday former Rust moderation team member Andrew Gallant tweeted the URL to a new post which has now appeared on the "Inside Rust blog" — titled "In response to the moderation team resignation." The post reads: As top-level team leads, project directors to the Foundation, and core team members, we are actively collaborating to establish next steps after the statement from the Rust moderation team. While we are having ongoing conversations to share perspectives on the situation, we'd like to collectively state that we are all committed to the continuity and long term health of the project.

Updates on next steps will be shared with the project and wider community over the next few weeks. In the meantime, we are grateful to the interim moderators who have stepped up to provide moderation continuity to the project.

Programming

GitHub Fixes a Private-Package-Names Leak and Serious Authorization Bug (bleepingcomputer.com) 21

In 2020 Microsoft's GitHub acquired NPM (makers of the default package manager for Node.js). The company's web page boasts that npm "is a critical part of the JavaScript community and helps support one of the largest developer ecosystems in the world."

But now BleepingComputer reports on two security flaws found (and remediated) in its software registry. Names of private npm packages on npmjs.com's 'replica' server (consumed by third-party services) were leaked — but in addition, a second flaw could've allowed attackers "to publish new versions of any existing npm package that they do not own or have rights to, due to improper authorization checks."

In a blog post this week GitHub's chief security officer explained the details: During maintenance on the database that powers the public npm replica at replicate.npmjs.com, records were created that could expose the names of private packages. This briefly allowed consumers of replicate.npmjs.com to potentially identify the names of private packages due to records published in the public changes feed. No other information, including the content of these private packages, was accessible at any time. Package names in the format of @owner/package for private packages created prior to October 20 were exposed between October 21 13:12:10Z UTC and October 29 15:51:00Z UTC. Upon discovery of the issue, we immediately began work on implementing a fix and determining the scope of the exposure. On October 29, all records containing private package names were removed from the replication database. While these records were removed from the replicate.npmjs.com service on this date, the data on this service is consumed by third-parties who may have replicated the data elsewhere. To prevent this issue from occuring again, we have made changes to how we provision this public replication database to ensure records containing private package names are not generated during this process.

Second, on November 2 we received a report to our security bug bounty program of a vulnerability that would allow an attacker to publish new versions of any npm package using an account without proper authorization. We quickly validated the report, began our incident response processes, and patched the vulnerability within six hours of receiving the report.

We determined that this vulnerability was due to inconsistent authorization checks and validation of data across several microservices that handle requests to the npm registry. In this architecture, the authorization service was properly validating user authorization to packages based on data passed in request URL paths. However, the service that performs underlying updates to the registry data determined which package to publish based on the contents of the uploaded package file. This discrepancy provided an avenue by which requests to publish new versions of a package would be authorized for one package but would actually be performed for a different, and potentially unauthorized, package. We mitigated this issue by ensuring consistency across both the publishing service and authorization service to ensure that the same package is being used for both authorization and publishing.

This vulnerability existed in the npm registry beyond the timeframe for which we have telemetry to determine whether it has ever been exploited maliciously. However, we can say with high confidence that this vulnerability has not been exploited maliciously during the timeframe for which we have available telemetry, which goes back to September 2020.

BleepingComputer adds: Both announcements come not too long after popular npm libraries, 'ua-parser-js,' 'coa,' and 'rc' were hijacked in a series of attacks aimed at infecting open source software consumers with trojans and crypto-miners. These attacks were attributed to the compromise of npm accounts [1, 2] belonging to the maintainers behind these libraries.

None of the maintainers of these popular libraries had two-factor authentication (2FA) enabled on their accounts, according to GitHub. Attackers who can manage to hijack npm accounts of maintainers can trivially publish new versions of these legitimate packages, after contaminating them with malware. As such, to minimize the possibility of such compromises from recurring in near future, GitHub will start requiring npm maintainers to enable 2FA, sometime in the first quarter of 2022.

Programming

GitHub's Annual Developer Survey Finds Remote Developers Aren't Returning to the Office (zdnet.com) 28

GitHub's annual report on its user community "combined telemetry data from over four million repositories with direct survey from over 12,000 developers to identify current trends among software development companies and open-source projects," reports InfoQ.

ZDNet notes the data shows that remote developers "aren't planning to go back to the office." Before the pandemic, only 41% of developers worked at an office either full-time or part-time, but of the 12,000 surveyed in GitHub's 2021 State of the Octoverse report, just 10.7% expect to go back to the office after the pandemic ends... Pre-pandemic, 28.1% of developers had hybrid arrangements but after the pandemic, 47.8% expect some hybrid arrangements. Before the pandemic, 26.5% worked in places where all workers were remote. Now, 38.8% expect to be fully remote.
ZDNet also highlighted some other general statistics: GitHub says it now has 73 million developer users and that it gained 16 million new users in 2021. Users created 61 million new repositories and there were 170 million pull requests that got merged into projects... One of the biggest projects on GitHub is the container software Docker, which has a whopping 632,000 contributors from 215 countries and consists of 49,593 packages.
That's more than a magnitude larger than the estimated number of Linux contributors — and implies that for every 117 developers now on GitHub, there was one who contributed to Docker.

Meanwhile, 2021's most popular language rankings for GitHub are the same as 2020, with one exception: Shell has risen one position to become the 8th most popular language, edging out C (which now ranks as the 9th most popular language).

And InfoQ summarized some other interesting statistics from GitHub's report:
  • Good, reliable, and up-to-date documentation can boost productivity by 50%.
  • Documentation is often under-invested.
  • The number of pull requests merged within the workday goes down by 17% with each additional reviewer.

Google

Pentagon Asks Amazon, Google, Microsoft and Oracle for Bids on New Cloud Contracts (theguardian.com) 14

The U.S. General Services Administration said Friday that the Defense Department has solicited bids from Amazon, Google, Microsoft and Oracle for cloud contracts. From a report: The outreach comes after the Pentagon set aside a highly contested $10 billion contract that Microsoft had won and Amazon had challenged. The value of the new contracts is not known, but the Defense Department estimates it could run into the multiple billions of dollars. The new effort, known as Joint Warfighting Cloud Capability, or JWCC, appears like it will bolster the top global cloud infrastructure providers, Amazon and Microsoft, although it could also provide more credibility to two smaller entities.

"The Government anticipates awarding two IDIQ contracts -- one to Amazon Web Services (AWS) and one to Microsoft Corporation (Microsoft) -- but intends to award to all Cloud Service Providers (CSPs) that demonstrate the capability to meet DoD's requirements," the GSA said in its announcement. An indefinite delivery, indefinite quantity, or IDIQ, contract includes an indefinite amount of services for a specific period of time.

Java

Tea and Coffee May Be Linked To Lower Risk of Stroke and Dementia, Study Finds (theguardian.com) 62

Drinking coffee or tea may be linked with a lower risk of stroke and dementia, according to the largest study of its kind. The Guardian reports: Strokes cause 10% of deaths globally, while dementia is one of the world's biggest health challenges -- 130 million are expected to be living with it by 2050. In the research, 365,000 people aged between 50 and 74 were followed for more than a decade. At the start the participants, who were involved in the UK Biobank study, self-reported how much coffee and tea they drank. Over the research period, 5,079 of them developed dementia and 10,053 went on to have at least one stroke.

Researchers found that people who drank two to three cups of coffee or three to five cups of tea a day, or a combination of four to six cups of coffee and tea, had the lowest risk of stroke or dementia. Those who drank two to three cups of coffee and two to three cups of tea daily had a 32% lower risk of stroke. These people had a 28% lower risk of dementia compared with those who did not drink tea or coffee. The research, by Yuan Zhang and colleagues from Tianjin Medical University, China, suggests drinking coffee alone or in combination with tea is also linked with lower risk of post-stroke dementia.
"[W]hat generally happened is that the risk of stroke or dementia was lower in people who drank reasonably small amounts of coffee or tea compared to those who drank none at all, but that after a certain level of consumption, the risk started to increase again until it became higher than the risk to people who drank none," said professor Kevin McConway, an emeritus professor of applied statistics at the Open University who was not involved in the study.

"Once the coffee consumption got up to seven or eight cups a day, the stroke risk was greater than for people who drank no coffee, and quite a lot higher than for those who drank two or three cups a day."

The study has been published in the journal PLOS Medicine.
Education

Tech Billionaires Auctioning Twitter 'Follows' To Advance K-12 CS Education 21

theodp writes: Leading entrepreneurs and luminaries representing a swath of the technology sector are uniting to voice their support for Code.org and Hour of Code in a call for increased computer science access and equitable representation of women and people of color across the industry," Code.org announced Thursday. "For a limited time from November 9 through December 2, a collective of leaders -- including Marc Benioff, Stacy Brown-Philpot, Mark Cuban, Reid Hoffman, Ashton Kutcher, Ellen Pao, Jennifer Tejada, and more -- are offering supporters the unique opportunity to receive an elusive Twitter "follow" from one of them, and at the same time, make a meaningful impact in advancing computer science education, particularly for young women and students from groups underrepresented in computer science." Valued at $2,500-$5,000, the tech billionaires and others' Twitter 'follows' are being auctioned by Charitybuzz.
Education

Microsoft Is Very Determined That Kids Will Learn To Code Using Minecraft 56

theodp writes: On Tuesday, Code.org announced that the new activities for kids in this year's Hour Of Code will include yet another Minecraft-themed tutorial from Code.org Diamond Supporter Microsoft, making it seven years in a row that the best-selling videogame of all time has 'headlined' the Hour of Code during the holiday buying season. Going into the Hour of Code in 2018, Microsoft boasted that 100+ million Minecraft Hour of Code tutorials had already been logged by students.

In this year's Hour of Code: TimeCraft tutorial, kids will "learn basic coding concepts to correct mysterious mishaps throughout history!" An accompanying one-size-fits-all lesson plan for ages 6-18 instructs students to: "Experience a choose-your-own-adventure game, exploring key moments in human achievement. Using your coding superpowers, save the future by solving mysterious mishaps in time." Among other things, the coding challenges have K-12 students travel back in time to save Jazz from a kazoo future, prevent the Great Pyramids from being built as cubes, save the Great Wall of China from destruction by pandas, and wipe the frown off of the Mona Lisa. New this year, Microsoft notes, is that educators can sign up to have a Microsoft Education Expert lead their classroom through an Hour of Code lesson with Minecraft, thanks to the magic of Microsoft Teams Live Events.
Microsoft

Microsoft Makes Visual Studio 2022 and .NET 6 Generally Available (zdnet.com) 36

On November 8, Microsoft made generally available to users worldwide its latest versions of Visual Studio and .NET. Users can download Visual Studio 2022 and .NET 6 starting today. From a report: Visual Studio 2022 is the first release of a 64-bit version of Visual Studio. By making Visual Studio 64-bit, officials said that they expect the release to better use all system resources, especially when working with more complex solutions over longer periods. According to Microsoft, during early VS 2022 testing, customers were able to run the VS IDE for days, even with solutions containing 700 or more projects.

Visual Studio 2022 also includes a number of edits and debug improvements. It also provides Hot Reload, which allows developers to edit their source code while their apps are running in Visual Studio 2022 and from the .NET CLI. , It also has Live Preview capabilities and cross-platform testing on Linux, among other new and improved features. Visual Studio 2022 is available for immediate download. The release notes for Visual Studio 2022 v.17 are here.

Books

New Book Warns CS Mindset and VC Industry are Ignoring Competing Values (computerhistory.org) 116

So apparently three Stanford professors are offering some tough-love to young people in the tech community. Mehran Sahami first worked at Google when it was still a startup (recruited to the company by Sergey Brin). Currently a Stanford CS professor, Sahami explained in 2019 that "I want students who engage in the endeavor of building technology to think more broadly about what are the implications of the things that they're developing — how do they impact other people? I think we'll all be better off."

Now Sahami has teamed up with two more Stanford professors to write a book calling for "a mature reckoning with the realization that the powerful technologies dominating our lives encode within them a set of values that we had no role in choosing and that we often do not even see..."

At a virtual event at Silicon Valley's Computer History Museum, the three professors discussed their new book, System Error: Where Big Tech Went Wrong and How We Can Reboot — and thoughtfully and succinctly distilled their basic argument. "The System Error that we're describing is a function of an optimization mindset that is embedded in computer science, and that's embedded in technology," says political scientist Jeremy Weinstein (one of the book's co-authors). "This mindset basically ignores the competing values that need to be 'refereed' as new products are designed. It's also embedded in the structure of the venture capital industry that's driving the growth of Silicon Valley and the growth of these companies, that prioritizes scale before we even understand anything about the impacts of technology in society. And of course it reflects the path that's been paved for these tech companies to market dominance by a government that's largely been in retreat from exercising any oversight."

Sahami thinks our technological landscape should have a protective infrastructure like the one regulating our roads and highways. "It's not a free-for all where the ultimate policy is 'If you were worried about driving safely then don't drive.'" Instead there's lanes and traffic lights and speed bumps — an entire safe-driving infrastructure which arrived through regulation." Or (as their political science professor/co-author Rob Reich tells the site), "Massive system problems should not be framed as choices that can be made by individual consumers."

Sahami also thinks breaking up big tech monopolies would just leaves smaller "less equipped" companies to deal with the same problems — but that positive changes in behavior might instead come from government scrutiny. But Reich also wants to see professional ethics (like the kind that are well-established in biomedical fields). "In the book we point the way forward on a number of different fronts about how to accelerate that..."

And he argues that at colleges, just one computing-ethics class isn't enough. "Ethics must be embedded through the entire curriculum."
Programming

New Study Finds the World's Most Popular Programming Language: JavaScript (zdnet.com) 112

ZDNet reports: JavaScript is now used by more than 16.4 million developers globally, says a survey of more than 19,000 coders — making it the world's most popular programming language "by a wide margin".

SlashData's 21st State of the Developer Nation Report examined global software developer trends across 160 countries during Q3 2021, covering programming languages, tools, APIs, apps and technology segments, as well as attitudes of developers themselves... While not necessarily a surprise in itself — JavaScript has, after all, been the world's most-used language for a number of years now — SlashData found that upwards of 2.5 million developers had joined the JavaScript community in the past six months alone. That's the same as the entire user base of Swift; or, the combined communities of Rust and Ruby.

The data for JavaScript also included language derivatives TypeScript and CoffeeScript.

Python might not be a close second, but its popularity is impressive nonetheless: according to SlashData, the language is now used by some 11.3 million coders, primarily within data science and machine learning, and IoT applications. The brainchild of Guido van Rossum, Python's popularity has exploded in recent years, overtaking that of Java, which is currently used by 9.6m developers. Java remains a go-to for mobile and desktop apps, SlashData's survey found. According to SlashData, Python added 2.3m developers to its community in the past 12 months. "That's a 25% growth rate, one of the highest across all the large programming language communities of more than 7M users," the report noted.

"The rise of data science and machine learning (ML) is a clear factor in Python's popularity. More than 70% of ML developers and data scientists report using Python. For perspective, only 17% use R, the other language often associated with data science."

The survey concluded these are, in order, the 10 most popular programming languages:
  1. JavaScript
  2. Python
  3. Java
  4. C/C++ [Yes, it lumps them together]
  5. PHP
  6. C#
  7. "Visual development tools"
  8. Kotlin
  9. Swift
  10. Go

The report also found that Rust, although coming in at #14, grew faster than any other language in the past 24 months, "nearly tripling in size from just 0.4M developers in Q3 2019 to 1.1M."


Programming

Is Modern Software Development Too Complex? (infoworld.com) 273

"It has never been more difficult to be a software developer than it is today," says Nigel Simpson, a former director of enterprise technology strategy at Walt Disney.

And they're not the only one who thinks so, writes the U.K. Group editor of InfoWorld: "Complexity kills," Lotus Notes creator and Microsoft veteran Ray Ozzie famously wrote in a 2005 internal memo. "It sucks the life out of developers; it makes products difficult to plan, build, and test; it introduces security challenges; and it causes user and administrator frustration."

If Ozzie thought things were complicated back then, you can't help but wonder what he would make of the complexity software developers face in the cloud-native era. The shift from building applications in a monolithic architecture hosted on a server you could go and touch, to breaking them down into multiple microservices, packaged up into containers, orchestrated with Kubernetes, and hosted in a distributed cloud environment, marks a clear jump in the level of complexity of our software. Add to that expectations of feature-rich, consumer-grade experiences, which are secure and resilient by design, and never has more been asked of developers. "There is a clear increase in complexity when you move to such a pervasive microservices environment," said Amazon CTO Werner Vogels during the AWS Summit in 2019. "Was it easier in the days when everything was in a monolith? Yes, for some parts definitely."

Or, as his colleague, head of devops product marketing at AWS, Emily Freeman, said in 2021, modern software development is "a study in entropy, and it is not getting any more simple."

On the other hand, complex technologies have never been easier to consume off the shelf, often through a single API — from basic libraries and frameworks, to image recognition capabilities or even whole payments stacks. Simply assemble and build your business logic on top. But is it really that simple?

The article also cites a critical 2020 blog post by RedMonk analyst Stephen O'Grady. "The process of application development is simply too fragmented at this point," O'Grady wrote. "The days of every enterprise architecture being three-tier, every database being relational, and every business application being written in Java and deployed to an application server are over.

"The single most defining characteristic of today's infrastructure is that there is no single defining characteristic. It's diverse to a fault."
Security

Linux Foundation Adds Software Supply Chain Security To LFX (zdnet.com) 12

An anonymous reader quotes a report from ZDNet: LFX supports projects and empowers open source teams by enabling them to write better, more secure code, drive engagement, and grow sustainable software ecosystems," the Linux Foundation says. Now, to address the growing threat of software supply chain attacks, the foundation is upgrading its LFX Security module to deal with these attacks. Jim Zemlin, the Linux Foundation's executive director, announced this new tooling today at the Linux Foundation Membership Summit.

Enhanced and free to use, LFX Security makes it easier for open source projects to secure their code. Specifically, the LFX Security module now includes automatic scanning for secrets-in-code and non-inclusive language, adding to its existing automated vulnerability detection capabilities. Software security firm BluBracket is contributing this functionality to the LFX as part of its mission to make software safer and more secure. This functionality builds on contributions from open source developer security company Snyk, helping make LFX the leading vulnerability detection platform for the open source community. [...] LFX Security will be further scaled out in 2022, helping to solve challenges for hundreds of thousands of critical open source projects under the Open Source Security Foundation. LFX Security is free and available now.

Education

Code.org and Scratch Access Yanked By Chicago Schools Due To Student Privacy Law 76

theodp writes: Chicago Public School (CPS) teachers were 'blindsided' after access to popular classroom software was yanked due to CPS's interpretation of Illinois' Student Online Personal Protection Act (SOPPA), the Chicago Sun-Times reports. Sneha Dey writes, "Among the software products that violate the law, CPS now says, are programs like Code.org, which is widely used in computer science classes, and Adobe applications used for artistic design and newspaper page layouts. That left has many high school newspapers unable to produce their print editions. Also off limits is Scratch, software to create interactive stores, animations and games. CPS had partnered with the Scratch Foundation to hold family coding nights, among other events."

The Blueprint's Karen Buecking has more on how the new student data protection law has upended the computer science curriculum at CPS, noting that CPS teachers received an email from tech-backed Code.org explaining the situation: "We've already signed student data protection agreements with over 150 districts across the state to comply with the new law," said the Code.org representative. "The bad news is CPS's agreement and application process contains onerous requirements unrelated to student privacy that make it prohibitive for organizations like Code.org to agree to CPS's requirements as written."
Oracle

Oracle's JDK 17 - Free Again for Commercial Use (infoq.com) 62

The Oracle JDK "is available free of charge for production use again," reports InfoQ, under a new "Oracle No-Fee Terms and Conditions" license.

The move, announced in mid-September, "reverses a 2018 decision to charge for Oracle JDK production use and does not affect Oracle's OpenJDK distribution," they write, noting that the new license "applies to the recently released version 17 of Oracle JDK and future versions." Donald Smith, Senior Director of Product Management at Oracle, explained the reason for this decision in a recent blog post, writing:

"Providing Oracle OpenJDK builds under the GPL was highly welcomed, but feedback from developers, academia, and enterprises was that they wanted the trusted, rock-solid Oracle JDK under an unambiguously free terms license, too. Oracle appreciates the feedback from the developer ecosystem and are pleased to announce that as of Java 17 we are delivering on exactly that request."

Smith explicitly stated that the No-Fee Terms and Conditions license "includes commercial and production use" [although the license does not seem to highlight this fact] and stated that "redistribution is permitted as long as it is not for a fee."

Programming

COBOLing Together Unemployment Insurance Benefits: How Delays in Fiscal Stabilizers Impact Aggregate Consumption (ssrn.com) 116

Abstract of a paper written by Michael Navarrete of University of Maryland: The United States experienced an unprecedented increase in unemployment insurance (UI) claims starting in March 2020, mainly due to layoffs caused by COVID-19. State unemployment insurance systems were inadequately prepared to process these claims. Those states using an antiquated programming language, COBOL, to process UI claims experienced longer delays in benefit disbursement. Using daily card consumption data from Affinity Solutions, I employ a two-way fixed effects estimator to measure the causal impact of COBOL-induced delays in UI benefits on aggregate consumption. The delays caused a 4.4 percentage point relative decline in total card consumption in COBOL states relative to non-COBOL states. Performing a back-of-the-envelope calculation using 2019 data, I find that real GDP declined by $181 billion (in 2012 dollars).
Bug

Indie Dev Finds That Linux Users Generate More, Better Bug Reports (pcgamer.com) 58

An indie developer has found an interesting observation: Though only 5.8% of his game's buyers were playing on Linux, they generated over 38% of the bug reports. Not because the Linux platform was buggier, either. Only 3 of the roughly 400 bug reports submitted by Linux users were platform specific, that is, would only happen on Linux. PC Gamer reports: The developer, posting as Koderski for developer Kodera Software on Reddit, makes indie game [Delta] V: Rings of Saturn -- that's Delta V, or DV, for the non-rocket-science-literate. [...] Koderski says he's sold a little over 12,000 copies of his game, and about 700 of those were bought by Linux players. "I got 1040 bug reports in total, out of which roughly 400 are made by Linux players," says Koderski's post. "That's one report per 11.5 users on average, and one report per 1.75 Linux players. That's right, an average Linux player will get you 650% more bug reports." Koderski's numbers are a limited sample size drawn from one person's experience, but tell a compelling story.

Koderski also says that very few of those bugs were specific to Linux, being clear that "This 5.8% of players found 38% of all the bugs that affected everyone." The bug reports themselves were also pretty high quality, he said, including software and OS versions, logs, and steps for replication. Multiple commenters on the post chalked this up to the kind of people who use Linux: Software professionals, IT employees, and engineers who would already be familiar with official bug reporting processes. It's a strong theory as to why this might be, though the sheer passion that the gaming on Linux community has for anyone who supports their favorite hobby may be another.

Open Source

After Open Source Community Outcry, Microsoft Reverses Controversial .NET Change (theverge.com) 56

"Microsoft is reversing a decision to remove a key feature from its upcoming .NET 6 release, after a public outcry from the open source community," reports the Verge.

"Microsoft angered the .NET open source community earlier this week by removing a key part of Hot Reload in the upcoming release of .NET 6, a feature that allows developers to modify source code while an app is running and immediately see the results." It's a feature many had been looking forward to using in Visual Studio Code and across multiple platforms, until Microsoft made a controversial last-minute decision to lock it to Visual Studio 2022 which is a paid product that's limited to Windows. Sources at Microsoft, speaking on condition of anonymity, told The Verge that the last-minute change was made by Julia Liuson, the head of Microsoft's developer division, and was a business-focused move.

Microsoft has now reversed the change following a backlash, and anger inside the company from many of Microsoft's own employees. "We made a mistake in executing on our decision and took longer than expected to respond back to the community," explains Scott Hunter, director of program management for .NET. Microsoft has now approved the community's pull request to re-enable this feature and it will be available in the final version of the .NET 6 SDK...

This eventful episode came after weeks of unrest in the .NET community over Microsoft's involvement in the .NET Foundation. The foundation was created in 2014 when Microsoft made .NET open source, and it's supposed to be an independent organization that exists to improve open source software development and collaboration for .NET.

Slashdot Top Deals