An anonymous reader writes: Undoubtedly in response to this politically motivated sort of claptrap, SQLite has released their own Code of Conduct. From the preamble:

Not everyone has found SQLite's attempt informative or funny (though many did). A developer wrote, for instance, "So is the SQLite CoC thing a joke or not? If it's not a joke, f*ck this. If it is a joke, that's even worse. Your CoC should be taken seriously." A security researcher, chimed in, "This sort of stunt will make actual code of conduct discussions harder. It's not funny, helpful, or wise."

Github engineers are trying to repair the data storage system underpinning the code hosting website, which has been presenting users with a "What!?" error for much of the Sunday. From a report: Depending on where you are, you may have been working on some Sunday evening programming, or getting up to speed with work on a Monday morning, using resources on GitHub.com -- and possibly failing miserably as a result of the outage. From about 4pm US West Coast time on Sunday, the website has been stuttering and spluttering. Specifically, the site is still up and serving pages -- it's just intermittently serving out-of-date files, and ignoring submitted Gists, bug reports, and posts. Sometimes, it appears to be serving a read-only cache or older backup of itself, although some fresh code pushes are coming through onto the site. From the status page, it appears a data storage system died, forcing the platform's engineers to move the dot-com's files over to another box. In the meantime, some older versions of files and repos are being served to visitors and users. "We're continuing to work on migrating a data storage system in order to restore access to GitHub.com," the team said just after 5pm PT, adding in the past few minutes: "We are continuing to repair a data storage system for GitHub.com. You may see inconsistent results during this process."

America's Multi-State Information Sharing & Analysis Center is operated in collaboration with its Department of Homeland Security's Office of Cybersecurity and Communications -- and they've got some bad news. MS-ISAC released an advisory warning government agencies, businesses, and home users of multiple high-risk security issues in PHP that can allow attackers to execute arbitrary code. Furthermore, if the PHP vulnerabilities are not successfully exploited, attackers could still induce a denial-of-service condition rendering the probed servers unusable... The PHP Group has issued fixes in the PHP 7.1.23 and 7.2.11 releases for all the high-risk bugs that could lead to DoS and arbitrary code execution in all vulnerable PHP 7.1 and 7.2 versions before these latest updates.
But meanwhile, Threatpost reported this week that 62% of the world's web sites are still running PHP version 5 -- even though its end of life is December 31st. "The deadlines will not be extended, and it is critical that PHP-based websites are upgraded to ensure that security support is provided," warned a recent CERT notice.

So far Drupal is the only CMS posting an official notice requiring upgrades to PHP 7 (by March, three months after the PHP 5.6's end of life deadline). Threatpost notes that "There has been no such notice from WordPress or Joomla."

An anonymous reader quotes Martin Monperrus, a professor of software at Stockholm's KTH Royal Institute of Technology: Repairnator is a bot. It constantly monitors software bugs discovered during continuous integration of open-source software and tries to fix them automatically. If it succeeds to synthesize a valid patch, Repairnator proposes the patch to the human developers, disguised under a fake human identity. To date, Repairnator has been able to produce 5 patches that were accepted by the human developers and permanently merged in the code base...

It analyzes bugs and produces patches, in the same way as human developers involved in software maintenance activities. This idea of a program repair bot is disruptive, because today humans are responsible for fixing bugs. In others words, we are talking about a bot meant to (partially) replace human developers for tedious tasks.... [F]or a patch to be human-competitive 1) the bot has to synthesize the patch faster than the human developer 2) the patch has to be judged good-enough by the human developer and permanently merged in the code base.... We believe that Repairnator prefigures a certain future of software development, where bots and humans will smoothly collaborate and even cooperate on software artifacts.
Their fake identity was a software engineer named Luc Esape, with a profile picture that "looks like a junior developer, eager to make open-source contributions... humans tend to have a priori biases against machines, and are more tolerant to errors if the contribution comes from a human peer. In the context of program repair, this means that developers may put the bar higher on the quality of the patch, if they know that the patch comes from a bot."

The researchers proudly published the approving comments on their merged patches -- although a conundrum arose when repairnator submitted a patch for Eclipse Ditto, only to be told that "We can only accept pull-requests which come from users who signed the Eclipse Foundation Contributor License Agreement."

"We were puzzled because a bot cannot physically or morally sign a license agreement and is probably not entitled to do so. Who owns the intellectual property and responsibility of a bot contribution: the robot operator, the bot implementer or the repair algorithm designer?"

An anonymous reader quotes TechCrunch: For the longest time, GitHub was all about storing source code and sharing it either with the rest of the world or your colleagues. Today, the company, which is in the process of being acquired by Microsoft, is taking a step in a different but related direction by launching GitHub Actions. Actions allow developers to not just host code on the platform but also run it. We're not talking about a new cloud to rival AWS here, but instead about something more akin to a very flexible IFTTT for developers who want to automate their development workflows, whether that is sending notifications or building a full continuous integration and delivery pipeline.

This is a big deal for GitHub. Indeed, Sam Lambert, GitHub's head of platform, described it to me as "the biggest shift we've had in the history of GitHub... I see Continuous Integration/Continuous Delivery as one narrow use case of actions. It's so, so much more," Lambert stressed. "And I think it's going to revolutionize DevOps because people are now going to build best in breed deployment workflows for specific applications and frameworks, and those become the de facto standard shared on GitHub... It's going to do everything we did for open source again for the DevOps space and for all those different parts of that workflow ecosystem...."

Over time -- and Lambert seemed to be in favor of this -- GitHub could also allow developers to sell their workflows and Actions through the GitHub marketplace. For now, that's not an option, but it it's definitely that's something the company has been thinking about. Lambert also noted that this could be a way for open source developers who don't want to build an enterprise version of their tools (and the sales force that goes with that) to monetize their efforts.

OpenSourceAllTheWay writes: There are many fantastic open-source tools out there for everything from scanning documents to making interactive music to creating 3D assets for games. Many of these tools have an Achilles heel though -- while the code quality is great and the tool is fully functional, the user interface (UI) and user experience (UX) are typically significantly inferior to what you get in competing commercial tools. In an nutshell, with open source, the code is great, the tool is free, there is no DRM/activation/telemetry bullshit involved in using the tool, but you very often get a weak UI/UX with the tool that -- unfortunately -- ultimately makes the tool far less of a joy to use daily than should be the case. A prime example would be the FOSS 3D tool Blender, which is great technically, but ultimately flops on its face because of a poorly designed UI that is a decade behind commercial 3D software. So here is the question: should open-source developer teams for larger FOSS projects include a professional UI/UX designer who does the UI for the project? There are many FOSS tools that would greatly benefit from a UI re-designed by a professional UI/UX designer.

MongoDB is taking action against cloud giants who are taking its open-source code and offering a hosted commercial version of its database to their users without playing by the open-source rules. The company announced today that it has issued a new software license, the Server Side Public License (SSPL), "that will apply to all new releases of its MongoDB Community Server, as well as all patch fixes for prior versions," reports TechCrunch. From the report: For virtually all regular users who are currently using the community server, nothing changes because the changes to the license don't apply to them. Instead, this is about what MongoDB sees as the misuse of the AGPLv3 license. "MongoDB was previously licensed under the GNU AGPLv3, which meant companies who wanted to run MongoDB as a publicly available service had to open source their software or obtain a commercial license from MongoDB," the company explains. "However, MongoDB's popularity has led some organizations to test the boundaries of the GNU AGPLv3."

So while the SSPL isn't all that different from the GNU GPLv3, with all the usual freedoms to use, modify and redistribute the code (and virtually the same language), the SSPL explicitly states that anybody who wants to offer MongoDB as a service -- or really any other software that uses this license -- needs to either get a commercial license or open source the service to give back the community. "The market is increasingly consuming software as a service, creating an incredible opportunity to foster a new wave of great open source server-side software. Unfortunately, once an open source project becomes interesting, it is too easy for cloud vendors who have not developed the software to capture all of the value but contribute nothing back to the community," said Eliot Horowitz, the CTO and co-founder of MongoDB, in a statement. "We have greatly contributed to -- and benefited from -- open source and we are in a unique position to lead on an issue impacting many organizations. We hope this will help inspire more projects and protect open source innovation."

At the company's first developer conference, Magic Leap announced they are opening orders of the Magic Leap One Creator's Edition headset to the 48 contiguous states of the USA. If you're in Hawaii or Alaska, no dice. TechCrunch reports: Previously, you had to be in Chicago, LA, Miami, NYC, San Francisco or Seattle in order to get your hands on it. Also, if you had previously ordered the headset in one of those cities, someone would come to you, drop it off and get you set up personally. That service is expanding to 50 cities, but you also don't need to have someone set it up for you in order to buy one now. It's worth reiterating that this thing costs $2,295. The company is doing a financing plan with Affirm so that interested buyers can spread the cost of the device over 24 months.

An anonymous reader quotes a report from The Verge: For months, Google has been trying to stay out of the way of the growing tech backlash, but yesterday, the dam finally broke with news of a bug in the rarely used Google+ network that exposed private information for as many as 500,000 users. Google found and fixed the bug back in March, around the same time the Cambridge Analytica story was heating up in earnest. [...] The vulnerability itself seems to have been relatively small in scope. The heart of the problem was a specific developer API that could be used to see non-public information. But crucially, there's no evidence that it actually was used to see private data, and given the thin user base, it's not clear how much non-public data there really was to see. The API was theoretically accessible to anyone who asked, but only 432 people actually applied for access (again, it's Google+), so it's plausible that none of them ever thought of using it this way.

The bigger problem for Google isn't the crime, but the cover-up. The vulnerability was fixed in March, but Google didn't come clean until seven months later when The Wall Street Journal got hold of some of the memos discussing the bug. [...] Part of the disconnect comes from the fact that, legally, Google is in the clear. There are lots of laws about reporting breaches -- primarily the GDPR but also a string of state-level bills -- but by that standard, what happened to Google+ wasn't technically a breach. Those laws are concerned with unauthorized access to user information, codifying the basic idea that if someone steals your credit card or phone number, you have a right to know about it. But Google just found that data was available to developers, not that any data was actually taken. With no clear data stolen, Google had no legal reporting requirements. As far as the lawyers were concerned, it wasn't a breach, and quietly fixing the problem was good enough.

The Internet Archive has launched a free, browser-based Commodore 64 Emulator with over 10,500 programs that are "working and tested for at least booting properly." Interestingly, the emulator comes just before the launch of Commodore's own C64 Mini. "It's based off the VICE emulator version 3.2, which is a triumph of engineering," adds HardOCP.

Economist Paul Romer, a co-winner of the 2018 Nobel Prize in economics, uses the programming language Python for his research, according to Quartz. Romer reportedly tried using Wolfram Mathematica to make his work transparent, but it didn't work so he converted to a Jupyter notebook instead. From the report: Romer believes in making research transparent. He argues that openness and clarity about methodology is important for scientific research to gain trust. As Romer explained in an April 2018 blog post, in an effort to make his own work transparent, he tried to use Mathematica to share one of his studies in a way that anyone could explore every detail of his data and methods. It didn't work. He says that Mathematica's owner, Wolfram Research, made it too difficult to share his work in a way that didn't require other people to use the proprietary software, too. Readers also could not see all of the code he used for his equations.

Instead of using Mathematica, Romer discovered that he could use a Jupyter notebook for sharing his research. Jupyter notebooks are web applications that allow programmers and researchers to share documents that include code, charts, equations, and data. Jupyter notebooks allow for code written in dozens of programming languages. For his research, Romer used Python -- the most popular language for data science and statistics. Importantly, unlike notebooks made from Mathematica, Jupyter notebooks are open source, which means that anyone can look at all of the code that created them. This allows for truly transparent research. In a compelling story for The Atlantic, James Somers argued that Jupyter notebooks may replace the traditional research paper typically shared as a PDF.

Four years after Microsoft acquired Minecraft developer Mojang, the company has decided to open source some of Minecraft's Java code. According to Kotaku, Microsoft and Mojang released two parts of Minecraft's Java code in library form, so that "anyone can pick them up and use them in their own game," says Lead Engineer Nathan Adams. From the report: For now, there's just the two libraries: "Brigadier," a "command parser and dispatcher"; and "DataFixerUpper," designed for "incremental building, merging and optimization of data transformations ... [to convert] the game data for Minecraft: Java Edition between different versions of the game." While the news doesn't mean much for players, it will be a boon for interested programmers and developers, keen to see the guts of Minecraft. The plan is to open source more components in the future, though no time frame is specified. For now, if you want to check out Brigadier or DataFixerUpper, both can be found on Mojang's GitHub page.

An anonymous reader writes: This October will see the fifth annual Hacktoberfest, "a month-long celebration of open source software run by DigitalOcean in partnership with GitHub and Twilio." Basically you sign up any time in October, then submit five quality pull requests to public GitHub repositories to win a t-shirt and stickers. (Issues and commits don't count, only pull requests created after October 1st -- but pull requests will still count even if they're not accepted or merged, "unless they are spam, irrelevant, or tagged as invalid.") "No contribution is too small -- bug fixes and documentation updates are valid ways of participating."
Here's Microsoft's own announcement about the event from their Open Source blog: We're excited to announce that we're participating in this year's Hacktoberfest! An annual celebration of all things open source, Hacktoberfest launched as a partnership between DigitalOcean and GitHub in 2014 and rallies a global community of contributors, with last year's event drawing more than 30K participants and nearly 240K pull requests.

This October, we'll recognize anyone who submits a pull request to one of our open source projects with a special limited-edition T-shirt (more details below)... Our projects span nearly all areas of computing, from developer tools and frameworks like .NET Core, Microsoft Cognitive Toolkit, Visual Studio Code, and Visual Studio Tools for Xamarin to Kubernetes tooling like Draft and the Service Fabric container orchestrator. Any contributions are welcome, so explore our GitHub repos, find something that interests you, and submit your first (or 100th) pull request.
Microsoft's t-shirt design includes a cameo appearance by.... Clippy, Microsoft's widely beloved default assistant for Office 2000/XP/2003.

An anonymous reader quotes a report from TechCrunch: Quantum computing represents tremendous promise to completely alter technology as we've known it, allowing operations that weren't previously possible with traditional computing. The downside of these powerful machines is that they could be strong enough to break conventional cryptography schemes. Today, BlackBerry announced a new quantum-resistant code signing service to help battle that possibility. The solution, which will be available next month, is actually the product of a partnership between BlackBerry and Isara Corporation, a company whose mission is to build quantum-safe security solutions. BlackBerry is using Isara's cryptographic libraries to help sign and protect code as security evolves.

"By adding the quantum-resistant code signing server to our cybersecurity tools, we will be able to address a major security concern for industries that rely on assets that will be in use for a long time. If your product, whether it's a car or critical piece of infrastructure, needs to be functional 10-15 years from now, you need to be concerned about quantum computing attacks," Charles Eagan, BlackBerry's chief technology officer, said in a statement. Some of the long-lived assets include aerospace equipment, connected cars, or transportation infrastructure -- basically anything that will still be in use several years from now when quantum computing attacks are expected to emerge.

Brian Merchant, writing for The Atlantic (condensed for space): In 2016, an anonymous confession appeared on Reddit: "From around six years ago up until now, I have done nothing at work." As far as office confessions go, that might seem pretty tepid. But this coder, posting as FiletOFish1066, said he worked for a well-known tech company, and he really meant nothing. He wrote that within eight months of arriving on the quality assurance job, he had fully automated his entire workload. When his bosses realized that he'd worked less in half a decade than most Silicon Valley programmers do in a week, they fired him. [...]

About a year later, someone calling himself or herself Etherable posted a query to Workplace on Stack Exchange, one of the web's most important forums for programmers: "Is it unethical for me to not tell my employer I've automated my job?" The conflicted coder described accepting a programming gig that had turned out to be "glorified data entry" -- and, six months ago, writing scripts that put the entire job on autopilot. After that, "what used to take the last guy like a month, now takes maybe 10 minutes." The job was full-time, with benefits, and allowed Etherable to work from home. The program produced near-perfect results; for all management knew, their employee simply did flawless work.

The post proved unusually divisive, and comments flooded in. Reactions split between those who felt Etherable was cheating, or at least deceiving, the employer, and those who thought the coder had simply found a clever way to perform the job at hand. [...] Call it self-automation, or auto-automation. At a moment when the specter of mass automation haunts workers, rogue programmers demonstrate how the threat can become a godsend when taken into coders' hands, with or without their employers' knowledge. Since both FiletOFish1066 and Etherable posted anonymously and promptly disappeared, neither were able to be reached for comment. But their stories show that workplace automation can come in many forms and be led by people other than executives.

Last year, Apple co-founder Steve Wozniak announced a coding program called Woz U that's designed with the goal of offering an affordable education. "Our goal is to educate and train people in employable digital skills without putting them into years of debt," Wozniak said last fall. "People often are afraid to choose a technology-based career because they think they can't do it. I know they can, and I want to show them how."

Now that a round of students have been through the 33-week program, a number of problems have appeared. Former student, Bill Duerr, called the program "broken," and that "lots of times there's just hyperlinks to Microsoft documents, to Wikipedia." 9to5Mac reports: "Duerr said typos in course content were one of many problems. So-called 'live lectures' were pre-recorded and out of date, student mentors were unqualified, and at one point, one of his courses didn't even have an instructor," reports CBS. CBS heard from over 24 current and former students and employees that reiterated Duerr's experiences. Instead of a quality program, Duerr said Woz U was comparable to an ultra expensive e-book: "'I feel like this is a $13,000 e-book,' Duerr said. While it was supposed to be a program written by one of the greatest tech minds of all time, 'it's broken, it's not working in places, lots of times there's just hyperlinks to Microsoft documents, to Wikipedia,' he said."

A former Woz U enrollment counselor said that at times he had to do things that didn't feel right: "Asked whether he regrets working for Woz U, Mionske said, 'I regret in the aspect to where they're spending this money for, it's like rolling the dice. [...] But on the reverse side, I have to support my family.'" According to Business Insider, Steve Wozniak said that he's "not involved" in the "operational aspects" of Woz U and doesn't know anything about the report this morning.

Jeremy Horwitz, writing for VentureBeat: An obscure feature in Apple's Xcode development software enabled Apple Watch apps to make an instant transition from 32-bit to 64-bit last month, an unheralded win for Apple Watch developers inside and outside the company. The "Enable Bitcode" feature was introduced to developers three years ago, but the Accidental Tech Podcast suggests that it was quietly responsible for the smooth launch of software for the Apple Watch Series 4 last month.

Support for Bitcode was originally added to Xcode 7 in November 2015, subsequently becoming optional for iOS apps but mandatory for watchOS and tvOS apps. Bitcode is an "intermediate representation" halfway between human-written app code and machine code. Rather than the developer sending a completely compiled app to the App Store, enabling Bitcode provides Apple with a partially compiled app that it can then finish compiling for whatever processors it wants to support. The report suggests that this change allowed Apple to avoid the great "appocalypse" which occurred when it decided to kill support for 32-bit apps on iOS.

Long time reader theodp writes: Facebook last week announced the launch of CodeFWD, "a free online education program created in partnership with [robotic toy maker] Sphero to increase the amount of underrepresented and female students interested in studying computer science." Sphero and CodeFWD are offering a free Sphero BOLT Power Pack (a classroom set of 15 robots valued at $2,499) for a select number of accepted applicants through the program. So, what do you need to begin CodeFWD by Facebook? "No experience necessary. No experience preferred ," explains the website. However, that's not to say CodeFWD is for all. "CodeFWD is intended for educators who are credentialed K-12 teachers or 501(c)(3) non-profit staff members in the United States," the website makes clear, adding that "given the limited supply of robots, we will evaluate the information you've provided and prioritize those applications that help us achieve the goal of expanding access to computer programming opportunities." And Facebook, being Facebook, adds that it wants some data out of the deal: "Please note that Facebook will have access to aggregate, anonymous usage data from Sphero, but will not have access to user-identifiable data collected by Sphero."

Shadma Shaikh, reporting for FactorDaily: Chetan Gowda, 27, was speaking to a room full of students in IIIT Hyderabad for a workshop on OpenStreetMap for beginners organized by Swecha, a non-profit organization to support free software movement last month. There were close to 40 students in the room. Beginners often ask him: Why use open source maps when we already have Google Maps? For Gowda, it was the fact that Google Maps is a global, commercial product and did not capture local detail. Like the old banyan tree that was a major landmark in his hometown Hassan or public benches just outside the town where pedestrians could stop to catch a break or fire catchment areas in Bellandur lake in Bengaluru, India.

"It was fascinating to add little but important details of my town to open maps," says Gowda who was introduced in 2013 to OSM or OpenStreetMap, a global community of mappers formed as a collaborative project to create a free editable map of the world in 2004. Since then he has been an active contributor to OpenStreetMap and has conducted many workshops in colleges and institutes to induct more people in the community. Gowda has made 8500 edits in the OpenStreetMap, mainly covering areas in Bengaluru, Hassan and Hyderabad. Gowda and a few other contributors from India are part of a tiny yet growing resistance movement which doesn't want giant corporations to own all the mapping data. For the average consumer, this may not seem like a big deal. But mapping is big business.

The market opportunity for suppliers of mapping to the autonomous car industry is going to be worth over $24 billion by 2050, according to one estimate [PDF]. And that's just one industry. A study commissioned by Google in 2015 estimated that industries that run on top of the Global Positioning Satellite Systems and mapping generate nearly $73 billion in annual revenue. Worldwide, that industry is was estimated to generate $150- $270 billion in revenues. Although new research isn't available, with growing smartphone usage and the birth of companies such as Uber and many others it is safe to assume that the industry has only grown bigger. All the more reason why map data can't be held by only a few companies. With Google Maps beginning to charge small and medium-sized businesses and indie developers more for access to its platform, many have started to explore and switch to open source alternatives of Maps, and commercial services such as Here Maps.

Further reading: What OpenStreetMap Can Be, and Ten Years of Google Maps, From Slashdot to Ground Truth.

"There is a kind of programming trap I occasionally fall into that is so damn irritating that it needs a name," writes Eric S. Raymond, in a new blog post: The task is easy to specify and apparently easy to write tests for. The code can be instrumented so that you can see exactly what is going on during every run. You think you have a complete grasp on the theory. It's the kind of thing you think you're normally good at, and ought to be able to polish off in 20 LOC and 45 minutes.

And yet, success eludes you for an insanely long time. Edge cases spring up out of nowhere to mug you. Every fix you try drags you further off into the weeds. You stare at dumps from the instrumentation until you're dizzy and numb, and no enlightenment occurs. Even as you are bashing your head against a wall of incomprehension, consciousness grows that when you find the solution, it will be damningly simple and you will feel utterly moronic, like you should have gotten there days ago.

Welcome to programmer hell. This is your shtoopid problem.... If you ever find yourself staring at your instrumentation results and thinking "It...can't...possibly...be...doing...that", welcome to shtoopidland. Here's your mallet, have fun pounding your own head. (Cue cartoon sound effects.)
Raymond's latest experience in shtoopidland came while working on a Python-translating tool, and left him analyzing why there's some programming conundrums that repel solutions. "You're not defeated by what you don't know so much as by what you think you do know," he concludes. So how do you escape?

"[I]nstrument everything. I mean EVERYTHING, especially the places where you think you are sure what is going on. Your assumptions are your enemy; printf-equivalents are your friend. If you track every state change in the your code down to a sufficient level of detail, you will eventually have that forehead-slapping moment of why didn't-I-see-this-sooner that is the terminal characteristic of a shtoopid problem."

Share your own stories in the comments. Are there any programmers on Slashdot who've experienced their own shtoopid problems?