Software

Lessons From Six Software Rewrite Stories (medium.com) 118

A new take on the age-old question: Should you rewrite your application from scratch, or is that "the single worst strategic mistake that any software company can make"? Turns out there are more than two options for dealing with a mature codebase. Herb Caudill: Almost two decades ago, Joel Spolsky excoriated Netscape for rewriting their codebase in his landmark essay Things You Should Never Do. He concluded that a functioning application should never, ever be rewritten from the ground up. His argument turned on two points: The crufty-looking parts of the application's codebase often embed hard-earned knowledge about corner cases and weird bugs. A rewrite is a lengthy undertaking that keeps you from improving on your existing product, during which time the competition is gaining on you.

For many, Joel's conclusion became an article of faith; I know it had a big effect on my thinking at the time. In the following years, I read a few contrarian takes arguing that, under certain circumstances, it made a lot of sense to rewrite from scratch. For example: Sometimes the legacy codebase really is messed up beyond repair, such that even simple changes require a cascade of changes to other parts of the code. The original technology choices might be preventing you from making necessary improvements. Or, the original technology might be obsolete, making it hard (or expensive) to recruit quality developers.

The correct answer, of course, is that it depends a lot on the circumstances. Yes, sometimes it makes more sense to gradually refactor your legacy code. And yes, sometimes it makes sense to throw it all out and start over. But those aren't the only choices. Let's take a quick look at six stories, and see what lessons we can draw.

Programming

Slashdot Asks: What Are Some Programming Books You Wish You Had Read Earlier? 137

A blog post from developer turned writer Marty Jacobs caught my attention earlier this morning. In the post, Jacobs has listed some of the programming books he says he wishes he had discovered and read much sooner. He writes, "There are so many programming books out there, sometimes it's hard to know what books are best. Programming itself is so broad and there are so many concepts to learn." You can check out his list here. I was curious what books you would include if you were to make a similar list?
Programming

Experts Find Serious Problems With Switzerland's Online Voting System (vice.com) 63

An anonymous reader quotes a report from Motherboard: Switzerland made headlines this month for the transparency of its internet voting system when it launched a public penetration test and bug bounty program to test the resiliency of the system to attack. But after source code for the software and technical documentation describing its architecture were leaked online last week, critics are already expressing concern about the system's design and about the transparency around the public test. Cryptography experts who spent just a few hours examining the leaked code say the system is a poorly constructed and convoluted maze that makes it difficult to follow what's going on and effectively evaluate whether the cryptography and other security measures deployed in the system are done properly.

"Most of the system is split across hundreds of different files, each configured at various levels," Sarah Jamie Lewis, a former security engineer for Amazon as well as a former computer scientist for England's GCHQ intelligence agency, told Motherboard. "I'm used to dealing with Java code that runs across different packages and different teams, and this code somewhat defeats even my understanding." She said the system uses cryptographic solutions that are fairly new to the field and that have to be implemented in very specific ways to make the system auditable, but the design the programmers chose thwarts this. "It is simply not the standard we would expect," she told Motherboard. [...] It isn't just outside attackers that are a concern; the system raises the possibility for an insider to intentionally misconfigure the system to make it easier to manipulate, while maintaining plausible deniability that the misconfiguration was unintentional.
"Someone could wire the thing in the wrong place and suddenly the system is compromised," said Lewis, who is currently executive director of the Open Privacy Research Society, a Canadian nonprofit that develops secure and privacy-enhancing software for marginalized communities. "And when you're talking about code that is supposed to be protecting a national election, that is not a statement someone should be able to make." "You expect secure code to be defensively written that would prevent the implementers of the code from wiring it up incorrectly," Lewis told Motherboard. But instead of building a system that doesn't allow for this, the programmers simply added a comment to their source code telling anyone who compiles and implements it to take care to configure it properly, she said.

The online voting system was developed by Swiss Post, the country's national postal service, and the Barcelona-based company Scytl. "Scytl claims the system uses end-to-end encryption that only the Swiss Electoral Board would be able to decrypt," reports Motherboard. "But there are reasons to be concerned about such claims."
Piracy

Oracle Claims a Fighter of Pirated Apps is a Front For Ad Fraud (adage.com) 28

A company that claims to combat app piracy is a pirate itself, according to a report Oracle released this week. From a report: Oracle claims the company, Tapcore, has been perpetrating a massive ad fraud on Android devices by infecting apps with software that rings up fake ad impressions and drains people's data. Based in The Netherlands, Tapcore works with developers to identify when apps are pirated and then enables developers to make money from those bootleg copies by serving ads. Oracle says that Tapcore's anti-piracy code was a Trojan horse that was generating fake mobile websites to trick ad serving platforms into paying them for non-existent ad inventory.

"The code is delivering a steady stream of invisible video ads and spoofing domains," Dan Fichter, VP of software development at Oracle Data Cloud, tells Ad Age. "On all those impressions it looked like the advertiser was running ads on legitimate mobile websites. Not only were they not on a website, they were on an invisible web browser." On its website, Tapcore says it works with more than 3,000 apps, serving 150 million ad impressions a day. The apps whose pirated versions it has worked with include titles like "Perfect 365," "Draw Clash of Clans," "Vertex" and "Solitaire: Season 4," according to Oracle's report.

Google

Google Is Expected To Reveal Game Streaming Service At GDC In March (extremetech.com) 59

Google has sent out invites to this year's Game Developers Conference (GDC) press event, where the company is expected to unveil a new game streaming product. ExtremeTech reports: There have been rumors about a Google game stream product or service for several years. Initially, leaks pointed to a hardware platform called Yeti that would stream games to a connected display. In late 2018, Google rolled out a game streaming test called Project Stream. To publicize the demo, it worked with Ubisoft to give everyone free access to the new Assassin's Creed Odyssey. Google wrapped up Project Stream in early 2019, offering players a free copy of Assassin's Creed Odyssey as thanks. Of course, you'd need a real gaming PC to run that version.

Google's GDC event will take place on March 19th at 10 AM Pacific. All we know for sure is that Google is there to talk about a gaming project. It just seems extremely likely that it will be a new phase for Project Stream. It might remain browser-only, but Google does have a giant network of TVs out there with Chromecast streaming dongles plugged in. If it could leverage those to stream games, it could instantly have as many eyeballs as Sony or Microsoft.

Desktops (Apple)

Apple To Target Combining iPhone, iPad and Mac Apps by 2021: Report (bloomberg.com) 124

Mark Gurman, reporting for Bloomberg: Apple wants to make it easier for software coders to create tools, games and other applications for its main devices in one fell swoop -- an overhaul designed to encourage app development and, ultimately, boost revenue. The ultimate goal of the multistep initiative, code-named "Marzipan," is by 2021 to help developers build an app once and have it work on the iPhone, iPad and Mac computers, said people familiar with the effort. That should spur the creation of new software, increasing the utility of the company's gadgets.

Later this year, Apple plans to let developers port their iPad apps to Mac computers via a new software development kit that the company will release as early as June at its annual developer conference. Developers will still need to submit separate versions of the app to Apple's iOS and Mac App Stores, but the new kit will mean they don't have to write the underlying software code twice, said the people familiar with the plan. In 2020, Apple plans to expand the kit so iPhone applications can be converted into Mac apps in the same way.
Further reading: Tim Cook, in April 2018: Users Don't Want iOS To Merge With MacOS.
Privacy

Proposed Bill Would Force Arizonians To Pay $250 To Have Their DNA Added To a Database (gizmodo.com) 357

technology_dude writes: One by one, thresholds are being crossed where the collection and storage of personal data is accepted as routine. Being recorded by cameras at business locations, in public transportation, in schools, churches, and every other place imaginable. Recent headlines include "Singapore Airlines having cameras built into the seat back of personal entertainment systems," and "Arizona considering a bill to force some public workers to give up DNA samples (and even pay for it)." It seems to be a daily occurrence where we have crossed another line in how far we will go to accept massive surveillance as normal. Do we even have a line in the sand that we would defend? Do we even see anything wrong with it? Absolute power corrupts absolutely and we continue to give knowledge of our personal lives (power) to others. If we continue down the same path, I suppose we deserve what we get? I want to shout "Stop the train, I want off!" but I fear my plea would be ignored. So who out there is more optimistic than I and can recommend some reading that will give me hope? Bill 1475 was introduced by Republican State Senator David Livingston and would require teachers, police officers, child day care workers, and many others to submit their DNA samples along with fingerprints to be stored in a database maintained by the Department of Public Safety. "While the database would be prohibited from storing criminal or medical records alongside the DNA samples, it would require the samples be accompanied by the person's name, Social Security number, date of birth and last known address," reports Gizmodo. "The living will be required to pay [a $250 processing fee] for this invasion of their privacy, but any dead body that comes through a county medical examiner's office would also be fair game to be entered into the database."
Programming

Programming Interview Questions Are Too Hard and Too Short (triplebyte.com) 463

Programming interview questions can feel unnecessarily difficult. Sometimes they actually are, a new study has found. And this isn't just because they make interviews excessively stressful. The study shows that harder programming questions actually do a worse job of predicting final outcomes than easier ones. From the study: Programming under time pressure is difficult. This is especially true during interviews. A coding exercise that would seem simple under normal circumstances somehow becomes a formidable challenge under the bright lights of an interview room. Stress hormones cloud your thinking during interviews (even though, sadly, neither fight nor flight is an effective response to a menacing programming problem). And it can almost feel like the questions are designed to be perversely difficult. I actually think this is more than just a feeling.

Interview questions are designed to be hard. Because the cost of hiring a bad engineer is so much higher than the cost of rejecting a good engineer, companies are incentivized to set a high bar. And for most companies that means asking hard questions. Intuitively this makes sense because harder questions seem like they should result in a more rigorous screening process. But intuition turns out to be a poor guide here. Our data shows that harder questions are actually less predictive than relatively easy ones.
Further reading: Programmers Are Confessing Their Coding Sins To Protest a Broken Job Interview Process.
AI

Deep Learning May Need a New Programming Language That's More Flexible Than Python, Facebook's Chief AI Scientist Says (venturebeat.com) 263

Deep learning may need a new programming language that's more flexible and easier to work with than Python, Facebook AI Research director Yann LeCun said today. From an interview: It's not yet clear if such a language is necessary, but the possibility runs against very entrenched desires from researchers and engineers, he said. LeCun has worked with neural networks since the 1980s. "There are several projects at Google, Facebook, and other places to kind of design such a compiled language that can be efficient for deep learning, but it's not clear at all that the community will follow, because people just want to use Python," LeCun said in a phone call with VentureBeat. "The question now is, is that a valid approach?" Further reading: Facebook joins Amazon and Google in AI chip race.
Software

US Labor Organization AFL-CIO Urges Game Developers To Unionize In Open Letter (gamasutra.com) 158

An anonymous reader quotes a report from Gamasutra: In the wake of Activision Blizzard's massive layoff wave, a move that was announced in the same call as the company's record quarter, the union federation AFL-CIO has published an open letter to game developers urging members of the industry to organize. The AFL-CIO itself is the largest labor organization in the United States and counts 55 individual unions (and more than 12.5 million workers) among its affiliates. The letter, readable in full on Kotaku, calls out many of the issues that have prompted conversations about unionization in just recent years like excessive crunch, toxic work conditions, inadequate pay, and job instability. The industry, points out AFL-CIO's secretary-treasurer Liz Shuler, boasted sales 3.6 times greater than those of the film industry in 2018, yet much of that financial success isn't felt by the developers working on the games that generate those billions. "Executives are always quick to brag about your work. It's the talk of every industry corner office and boardroom. They pay tribute to the games that capture our imaginations and seem to defy economic gravity. They talk up the latest innovations in virtual reality and celebrate record-smashing releases, as your creations reach unparalleled new heights," says Shuler.

"My question is this: what have you gotten in return? They get rich. They get notoriety. They get to be crowned visionaries and regarded as pioneers. What do you get? Outrageous hours and inadequate paychecks. Stressful, toxic work conditions that push you to your physical and mental limits. The fear that asking for better means risking your dream job. [...] Change will happen when you gain leverage by joining together in a strong union. And, it will happen when you use your collective voice to bargain for a fair share of the wealth you create every day. No matter where you work, bosses will only offer fair treatment when you stand together and demand it."
PlayStation (Games)

Developers Accuse Sony of 'Playing Favorites' With PS4's Cross-Platform Support (arstechnica.com) 20

After years of fighting the idea, Sony announced last September it is finally bringing "cross-platform gameplay, progression, and commerce" to the PlayStation Network, with Fortnite as the first example. Months later, the company's efforts have yet to gain wide traction and now we may have identified the bottleneck: Sony. Several major third-party developers have accused the company of standing in the way of letting the PS4 versions of their games play nicely with other platforms. ArsTechnica reports: "We just launched Wargroove with crossplay between PC, Switch, and Xbox," Chucklefish CEO Finn "Tiy" Brice wrote on the ResetEra forums. "We made many requests for crossplay (both through our [Sony] account manager and directly with higher-ups) all the way up until release month. We were told in no uncertain terms that it was not going to happen." Brice's comments came days after new Hi-Rez Studios CEO Stew Chisam tweeted at Sony that the studio was "ready to go when you are" for cross-play on Smite, Paladins, and Realm Royale. "It's time to stop playing favorites and tear down the crossplay/progression wall for everyone," he said.

In a follow-up tweet, Chisam explained that Xbox/Switch cross-play has led to a direct improvement in the Paladins online user experience, including reduced wait times, more balanced matchmaking, and fewer "bad" matches overall. Brice's comments in particular come in direct response (and contradiction) to a recent Game Informer interview in which Sony Interactive Entertainment chairman Shawn Layden said that cross-play was open to pretty much any PS4 developer that wants it.

Android

Google Play Store App Rejections Up 55% From Last Year, App Suspensions Up 66% (zdnet.com) 23

In a year-in-review announcement today, Google said Play Store app rejections went up 55% last year after the OS maker tightened up its app review process. From a report: Similarly, stats for app suspensions also went up, by more than 66%, according to Google, which the company credited to its continued investment in "automated protections and human review processes that play critical roles in identifying and enforcing on bad apps." One of the most significant roles in the automated systems cited by Google in identifying malware is the Google Play Protect service, which is currently included by default with the official Play Store app. Google said this service now scans over 50 billion apps per day, and even goes as far as downloading and scanning every Android app it finds on the internet.

[...] Play Store's automated systems are now getting better and better at detecting threats, so much so that Google is now seeing clear patterns. "We find that over 80% of severe policy violations are conducted by repeat offenders and abusive developer networks," Ahn said. "When malicious developers are banned, they often create new accounts or buy developer accounts on the black market in order to come back to Google Play."

Intel

Researchers Use Intel SGX To Put Malware Beyond the Reach of Antivirus Software (arstechnica.com) 63

An anonymous reader shares an excerpt from an Ars Technica report: Researchers have found a way to run malicious code on systems with Intel processors in such a way that the malware can't be analyzed or identified by antivirus software, using the processor's own features to protect the bad code. As well as making malware in general harder to examine, bad actors could use this protection to, for example, write ransomware applications that never disclose their encryption keys in readable memory, making it substantially harder to recover from attacks. The research, performed at Graz University of Technology by Michael Schwarz, Samuel Weiser, and Daniel Gruss (one of the researchers behind last year's Spectre attack), uses a feature that Intel introduced with its Skylake processors called SGX ("Software Guard eXtensions"). SGX enables programs to carve out enclaves where both the code and the data the code works with are protected to ensure their confidentiality (nothing else on the system can spy on them) and integrity (any tampering with the code or data can be detected). The contents of an enclave are transparently encrypted every time they're written to RAM and decrypted upon being read. The processor governs access to the enclave memory: any attempt to access the enclave's memory from code outside the enclave is blocked; the decryption and encryption only occurs for the code within the enclave.

SGX has been promoted as a solution to a range of security concerns when a developer wants to protect code, data, or both, from prying eyes. For example, an SGX enclave running on a cloud platform could be used to run custom proprietary algorithms, such that even the cloud provider cannot determine what the algorithms are doing. On a client computer, the SGX enclave could be used in a similar way to enforce DRM (digital rights management) restrictions; the decryption process and decryption keys that the DRM used could be held within the enclave, making them unreadable to the rest of the system. There are biometric products on the market that use SGX enclaves for processing the biometric data and securely storing it such that it can't be tampered with. SGX has been designed for this particular threat model: the enclave is trusted and contains something sensitive, but everything else (the application, the operating system, and even the hypervisor) is potentially hostile. While there have been attacks on this threat model (for example, improperly written SGX enclaves can be vulnerable to timing attacks or Meltdown-style attacks), it appears to be robust as long as certain best practices are followed.

AI

Ubisoft And Mozilla Announce AI Coding Assistant Clever-Commit (variety.com) 40

Video game publisher Ubisoft is working with Mozilla to develop an AI coding assistant called Clever-Commit, head of Ubisoft La Forge Yves Jacquier announced during DICE Summit 2019 on Tuesday. From a report: Clever-Commit reportedly helps programmers evaluate whether or not a code change will introduce a new bug by learning from past bugs and fixes. The prototype, called Commit-Assistant, was tested using data collected during game development, Ubisoft said, and it's already contributing to some major AAA titles. The publisher is also working on integrating it into other brands. "Working with Mozilla on Clever-Commit allows us to support other programming languages and increase the overall performances of the technology. Using this tech in our games and Firefox will allow developers to be more productive as they can spend more time creating the next feature rather than fixing bugs. Ultimately, this will allow us to create even better experiences for our gamers and increase the frequency of our game updates," said Mathieu Nayrolles, technical architect, data scientist, and member of the Technological Group at Ubisoft Montreal.
IBM

IBM Says Watson AI Services Will Now Work on Any Cloud (reuters.com) 16

IBM announced on Tuesday that some of its Watson AI services will now work on rival cloud computing providers as it seeks to win over customers that want greater flexibility in how they store and analyze data. From a report: The announcement builds on IBM's moves to position its services as compatible with nearly any form of computer infrastructure a customer wants to operate. Other efforts include a pending acquisition of open-source software company Red Hat for $34 billion. With the change, companies will be able to use Watson AI tools such as Watson Assistant, which can help them develop conversational services such as a virtual customer service agent, in mobile apps hosted on Amazon and Microsoft as well as IBM servers.
Google

Google Docs Gets an API For Task Automation (techcrunch.com) 35

An anonymous reader quotes a report from TechCrunch: Google today announced the general availability of a new API for Google Docs that will allow developers to automate many of the tasks that users typically do manually in the company's online office suite. The API has been in developer preview since last April's Google Cloud Next 2018 and is now available to all developers. As Google notes, the REST API was designed to help developers build workflow automation services for their users, build content management services and create documents in bulk. Using the API, developers can also set up processes that manipulate documents after the fact to update them, and the API also features the ability to insert, delete, move, merge and format text, insert inline images and work with lists, among other things.

The canonical use case here is invoicing, where you need to regularly create similar documents with ever-changing order numbers and line items based on information from third-party systems (or maybe even just a Google Sheet). Google also notes that the API's import/export abilities allow you to use Docs for internal content management systems.

Python

Python Developer Survey Shows Data Analysis More Popular Than Web Development (jetbrains.com) 42

Over 20,000 programmers from more than 150 different countries provided answers for the second annual Python Developers Survey (conducted by the Python Software Foundation and JetBrains).

An anonymous reader submitted this condensed version of their results: 84% of Python users in our survey use Python as their main language...up 5 percentage points from 79% in 2017. But half of all Python users in the survey also use JavaScript, and 47% more say they use HTML/CSS. Reported use of Bash/Shell has also grown from 36% in 2017 to 45% in 2018. [Later 93% of respondents said that their activities included Software testing/Writing automated tests.] Python users who report that they also use Go and SQL have both increased by 2 percentage points, while many other languages (including C/C++, Java, and C#) have decreased their share...

When asked "What do you use Python for?" data analysis has become more popular than Web development, growing from 50% in 2017 to 58% in 2018. Machine learning also grew by 7 percentage points. These types of development are experiencing faster growth than Web development, which has only increased by 2 percentage points when compared to the previous year...

Almost two-thirds of respondents selected Linux as their development environment OS. Most people are using free or open source databases such as PostgreSQL, MySQL, or SQLite... Twenty-something was the prevalent age range among our respondents, with almost a third being in their thirties. [31% more were between the ages of 30 and 39.]

Privacy

Apple Tells App Developers To Disclose Or Remove Screen Recording Code (techcrunch.com) 33

An anonymous reader quotes a report from TechCrunch: Apple is telling app developers to remove or properly disclose their use of analytics code that allows them to record how a user interacts with their iPhone apps -- or face removal from the app store, TechCrunch can confirm. In an email, an Apple spokesperson said: "Protecting user privacy is paramount in the Apple ecosystem. Our App Store Review Guidelines require that apps request explicit user consent and provide a clear visual indication when recording, logging, or otherwise making a record of user activity." "We have notified the developers that are in violation of these strict privacy terms and guidelines, and will take immediate action if necessary," the spokesperson added.

It follows an investigation by TechCrunch that revealed major companies, like Expedia, Hollister and Hotels.com, were using a third-party analytics tool to record every tap and swipe inside the app. We found that none of the apps we tested asked the user for permission, and none of the companies said in their privacy policies that they were recording a user's app activity. Even though sensitive data is supposed to be masked, some data -- like passport numbers and credit card numbers -- was leaking.

Google

Google Play Store Now Open For Progressive Web Apps (medium.com) 49

Maximiliano Firtman: Chrome 72 for Android shipped the long-awaited Trusted Web Activity feature, which means we can now distribute PWAs in the Google Play Store! I played with the feature for a while, digging into the APIs and here you have a summary of what's going on, what to expect and how to use it today. Chrome 72 for Android is now shipping from the Play Store to all users and this version included Trusted Web Activity (TWA), that in a nutshell is a way to open Chrome in standalone mode (without any toolbar or Chrome UI) within the scope of our own native Android package. Let me start by saying that the publishing process is not as straightforward as it should be (such as "enter your URL" in the Play Console and it's done). It's also not a way to use the currently available WebAPK and publish it in the store. It's a Java API that communicates through services with Chrome and seems to be in the early stages, so there is a lot of manual work to do yet today.
Programming

Homebrew 2.0 is Here With Official Support For Linux and Windows (brew.sh) 76

Homebrew, a popular package manager for macOS, has released version 2.0 with official support for Linux and Windows 10 (with Windows Subsystem for Linux). Cross-platform setup scripts just got a whole lot easier. Other highlights:
Homebrew does not run on OS X Mountain Lion (10.8) and below. For 10.4 - 10.6 support, see Tigerbrew. This has allowed us to remove large amounts of legacy code.
Homebrew does not migrate old, pre-1.0.0 installations from the Homebrew/legacy-homebrew (formerly Homebrew/homebrew) repository. This has allowed us to delete legacy code that dealt with migrations from old versions.
Homebrew does not have any formulae with options in Homebrew/homebrew-core. Options will still be supported and encouraged by third-party taps. This change allows us to better focus on delivering binary packages rather than options. Formulae with options had to be built from source, could not be tested on our CI system and provided a disproportionate support burden on our volunteer maintainers.
