Last week Microsoft's Visual Studio Code editor suddenly stopped supporting Ubuntu 18.04 LTS.

But now Microsoft "has announced a temporary reprieve for developers who use VS Code to connect to servers, clouds, container, and other devices running on Ubuntu 18.04 LTS," according to the blog OMG Ubuntu: Microsoft [had] pushed out an update to VS Code that bumps its glibc requirement, dropping support for Ubuntu 18.04 LTS (which uses an older version of glibc) in the process. Innocuous though it sounds, that move had a huge impact, leaving thousands of developers who use VS Code unable to connect to/work with devices running Ubuntu 18.04 LTS or other Linux distros using glibc 2.27, including RHEL 7, CentOS 7, and Amazon Linux 2.

— "Screwed" was the term many of those affected used!

Well, good news: Microsoft says it plans to release a 'recovery' update for VS Code soon. This will restore the ability for developers to use the text editor's remote dev tools to connect to/work with machines running Ubuntu 18.04 LTS and other, older Linux distros.

But only for the next 12 months.
"We hope this will provide the needed time for you and your companies to migrate to newer Linux distributions," Microsoft's senior product manager for VS Code posted on GitHub. He added that the software will "show the appropriate dialog and banner that you are connecting to an OS that is not supported by VS Code." (The updated was released on Thursday.)

He also thanked developers for their feedback and "for sharing your passion for VS Code and sharing how it is being used to enable various scenarios."

Thanks to Slashdot reader motang for sharing the article.

An anonymous reader quotes a report from TechCrunch: The recent surprise announcement that Meta will soon be shutting down its Facebook Groups API is throwing some businesses and social media marketers into disarray. On January 23, Meta announced the release of its Facebook Graph API v19.0, which included the news that the company would be deprecating its existing Facebook Groups API. The latter, which is used by developers and businesses to schedule posts to Facebook Groups, will be removed within 90 days, Meta said. This includes all the Permissions and Reviewable Features associated with the API, it also noted.

Meta explained that a major use case for the API was a feature that allowed developers to privately reply in Facebook Groups. For example, a small business that wanted to send a single message to a person who posted on their Facebook Group or who had commented in the group could be messaged through the API. However, Meta said that another change in the new v19.0 API would enable this feature, without the need for the Groups API. But developers told TechCrunch that the shutdown of the API would cause problems for companies that offer solutions to customers who want to schedule and automate their social media posts. [...]

What's more, developers tell us that Meta's motivation behind the API's shutdown is unclear. On the one hand, it could be that Facebook Groups don't generate ad revenue and the shutdown of the API will leave developers without a workaround. But Meta hasn't clarified if that's the case. Instead, Meta's blog post only mentioned one use case that would be addressed through the new v.19.0 API. [...] On Meta's forum for developers, one developer says they're "pretty shocked" by the company's announcement, noting their app relies on the Groups API and will essentially no longer work when the shutdown occurs. Others are frustrated that Meta hasn't clearly explained if posting on Groups will be done with a Page Access token going forward, as the way the announcement is worded it seems that part is only relevant for those posting private replies, not posting to the group as a whole. [...] the whole thing could just be some messaging mistake -- like Meta perhaps forgot to include the part where it was going to note what its new solution would be. There is concern, however, that Meta is deprioritizing developers' interests having recently shut down its developer bug portal as well.

Apple, in a blog post: We are delighted to announce the open source first release of Pkl (pronounced Pickle), a programming language for producing configuration. When thinking about configuration, it is common to think of static languages like JSON, YAML, or Property Lists. While these languages have their own merits, they tend to fall short when configuration grows in complexity. For example, their lack of expressivity means that code often gets repeated. Additionally, it can be easy to make configuration errors, because these formats do not provide any validation of their own. To address these shortcomings, sometimes formats get enhanced by ancillary tools that add special logic. For example, perhaps there's a need to make code more DRY, so a special property is introduced that understands how to resolve references, and merge objects together. Alternatively, there's a need to guard against validation errors, so some new way is created to validate a configuration value against an expected type. Before long, these formats almost become programming languages, but ones that are hard to understand and hard to write.

On the other end of the spectrum, a general-purpose language might be used instead. Languages like Kotlin, Ruby, or JavaScript become the basis for DSLs that generate configuration data. While these languages are tremendously powerful, they can be awkward to use for describing configuration, because they are not oriented around defining and validating data. Additionally, these DSLs tend to be tied to their own ecosystems. It is a hard sell to use a Kotlin DSL as the configuration layer for an application written in Go. We created Pkl because we think that configuration is best expressed as a blend between a static language and a general-purpose programming language. We want to take the best of both worlds; to provide a language that is declarative and simple to read and write, but enhanced with capabilities borrowed from general-purpose languages. When writing Pkl, you are able to use the language features you'd expect, like classes, functions, conditionals, and loops. You can build abstraction layers, and share code by creating packages and publishing them. Most importantly, you can use Pkl to meet many different types of configuration needs. It can be used to produce static configuration files in any format, or be embedded as a library into another application runtime.

We designed Pkl with three overarching goals:
To provide safety by catching validation errors before deployment.
To scale from simple to complex use-cases.
To be a joy to write, with our best-in-class IDE integrations.

Microsoft's Visual Studio Code editor now includes a voice command that launches GitHub Copilot Chat just by saying "Hey Code."

But one Linux blog notes that the editor has suddenly stopped supporting Ubuntu 18.04 LTS — "a move causing issues for scores of developers." VS Code 1.86 (aka the 'January 2024' update) saw Microsoft bump the minimum build requirements for the text editor's popular remote dev tools to â¥glibc 2.28 — but Ubuntu 18.04 LTS uses glibc 2.27, ergo they no longer work.

While Ubuntu 18.04 is supported by Canonical until 2028 (through ESM) a major glibc upgrade is unlikely. Thus, this "breaking change" is truly breaking workflows...

It seems affected developers were caught off-guard as this (rather impactful) change was not signposted before, during, or after the VS Code update (which is installed automatically for most, and the update was pushed out to Ubuntu 18.04 machines). Indeed, most only discovered this issue after update was installed, they tried to connect to a remote server, and discovered it failed. The resulting error message does mention deprecation and links to an FAQ on the VS Code website with workarounds (i.e. downgrade).

But as one developer politely put it.... "It could have checked the libc versions and refused the update. Now, many people are screwed in the middle of their work."
The article points out an upgrade to Ubuntu 20.04 LTS will address the problem. On GitHub a Microsoft engineer posted additional options from VS Code's documentation: If you are unable to upgrade your Linux distribution, the recommended alternative is to use our web client. If you would like to use the desktop version, then you can download the VS Code release 1.85. Depending on your platform, make sure to disable updates to stay on that version.
Microsoft then locked the thread on GitHub as "too heated" and limited conversation to just collaborators.

In a related thread someone suggested installing VS Code's Flatpak, which was still on version 1.85 — and then disabling updates. But soon Microsoft had locked that thread as well as "too heated," again limiting conversation to collaborators.

Ivan Mehta reports via TechCrunch: Nearly a week after Apple announced big changes to the App Store because of the European Union's Digital Markets Act (DMA) rules, the company said that the market represents 7% of its global App Store revenues. The company's chief financial officer Luca Maestri said that the monetary impact of these changes will depend on choices made by developers to adopt different systems. "A lot will depend on the choices that will be made. Just to keep it in context, the changes applied to the EU market, which represents roughly 7% of our global app store revenue," he said in reply to an analyst's question.

Because of DMA, Apple has to allow alternative app stores and let developers use third-party payment processors. The company plans to charge a core tech fee if an app crosses a million annual downloads across different app stores. Amid these changes, Apple noted a record quarter for App Store revenues. The company's overall services revenue was $23.1 billion with an 11% jump year-on-year. Apple continued its narrative of defending the App Store and its commission ecosystem by saying that it provides the best privacy and security. CEO Tim Cook emphasized that the company will fall short of providing the best experience to users because of these changes.

"If you think about what we've done over the years is, we've really majored on privacy, security and usability. And we've tried our best to get as close to the past in terms of the things that are -- that people love about our ecosystem as we can, but we are going to fall short of providing the maximum amount that we could supply, because we need to comply with the regulation," he said.

An anonymous reader quotes a report from TechCrunch: The pace is picking up for the Apple Vison Pro apps ahead of the spatial computing device's Friday launch as developers ready their apps for the new platform. While just last week, only 150-plus apps had been specifically designed for the Vision Pro so far, according to a third-party analysis of the App Store, Apple announced today that more than 600 new apps and games are being readied for the Vison Pro ahead of its debut. These join the more than 1 million already compatible apps across iOS and iPadOS, the company says. [...]

The company says more than 600 apps and games have been designed to take advantage of the Vision Pro's capabilities and its 3D user interface that's navigated using your eyes, hands and voice. Several streaming apps have already announced their support, including Disney+, ESPN, MLB, PGA Tour, Max, Discovery+, Amazon Prime Video, Paramount+, Peacock, Pluto TV, Tubi, Fubo, Crunchyroll, Red Bull TV, IMAX, TikTok and MUBI. The PGA Tour Vision app offers a golf game with real-time shot tracking across models of real golf courses, while the NBA app will allow streaming up to five broadcasts live or on-demand at once, Apple notes. Red Bull TV will include 3D maps of races. Soccer fans will also be able to stream MLS Season Pass via Apple's own Apple TV app. That app will offer access to Apple's Originals, more than 200 3D movies and Apple Immersive Video.

An anonymous reader shares a report: Microsoft's adoption of Rust continues apace if a posting on the IT titan's careers website is anything to go by. Although headcount at Microsoft might currently be down -- by two percent compared to the previous year -- recruitment persists at the Windows giant. In this case, the company is forming a team of Rustaceans to tackle a platform move away from C#.

The job, a principal software architect for Microsoft 365, has responsibilities that include "guiding technical direction, design and implementation of Rust component libraries, SDKs, and re-implementation of existing global scale C# based services to Rust." According to the post, the job lurks within the Substrate App Platform group, part of the Microsoft 365 Core Platform organization. The Substrate does the heavy lifting behind the scenes for Microsoft's cloud services, making a rewrite into Rust quite a statement of intent. Microsoft said: "We are forming a new team focused on enabling the adoption of the Rust programming language as the foundation to modernizing global scale platform services, and beyond."

theodp writes: Visual Studio Magazine reports on new research on the effect of AI-powered GitHub Copilot on software development which sought to investigate the quality and maintainability of AI-assisted code compared to what would have been written by a human. Countering the positively-glowing findings of some other studies, the Coding on Copilot whitepaper from GitClear cites some adverse results.

"We find disconcerting trends for maintainability," explains the paper's abstract. "Code churn -- the percentage of lines that are reverted or updated less than two weeks after being authored -- is projected to double in 2024 compared to its 2021, pre-AI baseline. We further find that the percentage of 'added code' and 'copy/pasted code' is increasing in proportion to 'updated,' 'deleted,' and 'moved 'code. In this regard, AI-generated code resembles an itinerant contributor, prone to violate the DRY-ness [don't repeat yourself] of the repos visited." The paper concludes, "How will Copilot transform what it means to be a developer? There's no question that, as AI has surged in popularity, we have entered an era where code lines are being added faster than ever before. The better question for 2024: who's on the hook to clean up the mess afterward?" Further complicating matters, Computing Education in the Era of Generative AI (Feb. 2024 CACM) notes that "generating and inserting large blocks of code may be counterproductive for users at all levels. This requires users to read through code they did not write, sometimes at a more sophisticated level than they are familiar with."

Interestingly, the AI-generated code maintenance worries are reminiscent of concerns cited in the past for 'Google programmers', Stack Overflow copy-and-pasters, and stitchers of not-quite-compatible libraries, as well as earlier iterations of code generators, including C++ and other 'Next-Next-Finish' code wizards of the 90's and COBOL and PL/I applications generators (PDF) of the 80's. Everything old is new again, including code maintenance challenges.

The tech site IT Brew looks at an open-source tool that "uses AI to offer efficiency-minded suggestions to Python coders." Known as "Scalene," the profiler — a kind of debugger for performance issues — has been downloaded more than 900,000 times on GitHub. "It's awesome in general, and amazing for an academic project," UMass professor Emery Berger, who worked with PhD students Sam Stern and Juan Altmayer Pizzorno on the open-source tool, told IT Brew...

Scalene measures how much time and memory is spent on each line of code — both on average and at peak, [and] how much time is spent in efficient libraries and how much is spent in Python... By selecting a lightning-bolt icon, a user can "leverage the engine that powers ChatGPT to get an optimization" suggestion, Berger said. In one demo he showed IT Brew, an output recommended a less-memory-intensive move to reduce a very large array created by the code...

"If your Python code already runs fast enough, then you don't need a profiler. But if it's running slow, I think it's a very convenient profiler to reach for," Berger said.
Link via Dev News .

"Oracle's plans to evolve Java in 2024 involve OpenJDK projects," writes InfoWorld, citing a recent video by Oracle Java developer relations representative Nicolai Parlog. (Though many improvements may not be usable until 2025 or later...) - For Project Babylon, Parlog cited plans for code reflection, expanding the reflection API, and allowing transformation of Java code inside a method. The goal is to allow developers to write Java code that libraries then can interpret as a mathematical function, for example. The Babylon team in coming weeks plans to publish work on use cases such as auto-differentiating, C# LINQ emulation, and GPU programming.

- In Project Leyden, which is aimed at improving startup times, plans for 2024 involve refining the concept of condensers and working toward the production-readiness of prototype condensers.

- In Project Amber, current features in preview include string templates, a simplified main method, and statements before this() and super(). "I expect all three to finalize in 2024," said Parlog. Under exploration are capabilities such as primitive types in patterns and with expressions.

- In Project Valhalla, work will focus on value classes and objects, which provide class instances that have only final instance fields and lack object identity [to] significantly reduce the run time overhead of boxed Integer, Double, and Byte objects...

- In Project Lilliput, aimed at downsizing Java object headers in the HotSpot JVM and reducing Java's memory footprint, work now centers on polishing a fast-locking scheme.

- Project Panama, for interconnecting JVM and native C code, "has three irons in the fire," Parlog said.

In response to new EU regulations, Apple on Thursday outlined plans to allow iOS developers to distribute apps outside the App Store starting in March, though developers must still submit apps for Apple's review and pay commissions. Now critics say the changes don't go far enough and Apple retains too much control.

Epic Games CEO Tim Sweeney: They are forcing developers to choose between App Store exclusivity and the store terms, which will be illegal under DMA (Digital Markets Act), or accept a new also-illegal anticompetitive scheme rife with new Junk Fees on downloads and new Apple taxes on payments they don't process. 37signals's David Heinemeier Hansson, who is also the creator of Ruby on Rails: Let's start with the extortion regime that'll befell any large developer who might be tempted to try hosting their app in one of these new alternative app stores that the EU forced Apple to allow. And let's take Meta as a good example. Their Instagram app alone is used by over 300 million people in Europe. Let's just say for easy math there's 250 million of those in the EU. In order to distribute Instagram on, say, a new Microsoft iOS App Store, Meta would have to pay Apple $11,277,174 PER MONTH(!!!) as a "Core Technology Fee." That's $135 MILLION DOLLARS per year. Just for the privilege of putting Instagram into a competing store. No fee if they stay in Apple's App Store exclusively.

Holy shakedown, batman! That might be the most blatant extortion attempt ever committed to public policy by any technology company ever. And Meta has many successful apps! WhatsApp is even more popular in Europe than Instagram, so that's another $135M+/year. Then they gotta pay for the Facebook app too. There's the Messenger app. You add a hundred million here and a hundred million there, and suddenly you're talking about real money! Even for a big corporation like Meta, it would be an insane expense to offer all their apps in these new alternative app stores.

Which, of course, is the entire point. Apple doesn't want Meta, or anyone, to actually use these alternative app stores. They want everything to stay exactly as it is, so they can continue with the rake undisturbed. This poison pill is therefore explicitly designed to ensure that no second-party app store ever takes off. Without any of the big apps, there will be no draw, and there'll be no stores. All of the EU's efforts to create competition in the digital markets will be for nothing. And Apple gets to send a clear signal: If you interrupt our tool-booth operation, we'll make you regret it, and we'll make you pay. Don't resist, just let it be. Let's hope the EU doesn't just let it be. Coalition of App Fairness, an industry body that represents over 70 firms including Tinder, Spotify, Proton, Tile, and News Media Europe: "Apple clearly has no intention to comply with the DMA. Apple is introducing new fees on direct downloads and payments they do nothing to process, which violates the law. This plan does not achieve the DMA's goal to increase competition and fairness in the digital market -- it is not fair, reasonable, nor non-discriminatory," said Rick VanMeter, Executive Director of the Coalition for App Fairness.

"Apple's proposal forces developers to choose between two anticompetitive and illegal options. Either stick with the terrible status quo or opt into a new convoluted set of terms that are bad for developers and consumers alike. This is yet another attempt to circumvent regulation, the likes of which we've seen in the United States, the Netherlands and South Korea. Apple's 'plan' is a shameless insult to the European Commission and the millions of European consumers they represent -- it must not stand and should be rejected by the Commission."

Starting today Apple is opening up its App Store to allow game streaming apps and services. From a report: This means that services like Xbox Cloud Streaming and GeForce Now, which previously were only accessible on iOS via a web browser, will be able to offer full-featured apps. "Developers can now submit a single app with the capability to stream all of the games offered in their catalog," Apple wrote in a blog post. These changes apply "worldwide," according to the company.

In 2020, Apple appeared to have carved out a space for these cloud gaming services in the App Store. But that turned out not to be the case, as all games available through each service had to be submitted and reviewed as a standalone app. So the shift to allow one app with a large catalog of games marks a major change. As part of today's announcement, Apple said that "each experience made available in an app on the App Store will be required to adhere to all App Store Review Guidelines and its host app will need to maintain an age rating of the highest age-rated content included in the app." Apple also says that developers will now "be able to provide enhanced discovery opportunities for streaming games, mini-apps, mini-games, chatbots, and plug-ins that are found within their apps," and that "mini-apps, mini-games, chatbots, and plug-ins will be able to incorporate Apple's In-App Purchase system to offer their users paid digital content or services for the first time, such as a subscription for an individual chatbot."

The iPhone's app ecosystem is about to go through its biggest shake-up since the App Store launched in 2008. Today, Apple announced how it plans to change the rules for developers releasing iOS software in the European Union in response to the bloc's Digital Markets Act (DMA) coming into force in March. The big news is that third-party app stores will be allowed on iOS for the first time, breaking the Apple App Store's position as the sole distributor of iPhone apps. The changes will arrive with iOS 17.4 in March. From a report: Here's how the new "alternative app marketplaces," as Apple called them, will work. Users in the EU and on iOS 17.4 will be able to download a marketplace from that marketplace's website. In order to be used on an iPhone, those marketplaces have to go through Apple's approval process, and once you download one, you have to explicitly give it permission to download apps to your device. But once the marketplace is approved and on your device, you can download anything you want -- including apps that violate App Store guidelines. You can even set a non-App Store marketplace as the default on your device.

Developers, meanwhile, can choose whether to use Apple's payment services and in-app purchases or integrate a third-party system for payments without paying an additional fee to Apple. If the developer wants to stick with Apple's existing in-app payment system, there's an additional 3 percent processing fee. Apple still plans to keep a close eye on the app distribution process. All apps must be "notarized" by Apple, and distribution through third-party marketplaces is still managed by Apple's systems. Developers will only be allowed to distribute a single version of their app across different app stores, and they'll still have to abide by some basic platform requirements, like getting scanned for malware. Apple says that anyone looking to develop an alternative app marketplace will have to provide evidence that it can financially "guarantee support for developers and customers." Apple wants "a stand-by letter of credit from an A-rated (or equivalent by S&P, Fitch, or Moody's) financial Institution of 1 million Euro prior to receiving the entitlement. It will need to be auto-renewed on a yearly basis."

The cybersecurity site SC Media reports that NPM registry users "download deprecated packages an estimated 2.1 billion times weekly, according to a statistical analysis of the top 50,000 most-downloaded packages in the registry." Deprecated, archived and "orphaned" NPM packages can contain unpatched and/or unreported vulnerabilities that pose a risk to the projects that depend on them, warned the researchers from Aqua Security's Team Nautilus, who published their findings in a blog post on Sunday... In conjunction with their research, Aqua Nautilus has released an open-source tool that can help developers identify deprecated dependencies in their projects.

Open-source software may stop receiving updates for a variety of reasons, and it is up to developers/maintainers to communicate this maintenance status to users. As the researchers pointed out, not all developers are transparent about potential risks to users who download or depend on their outdated NPM packages. Aqua Nautilus researchers kicked off their analysis after finding that one open-source software maintainer responded to a report about a vulnerability Nautilus discovered by archiving the vulnerable repository the same day. By archiving the repository without fixing the security flaw or assigning it a CVE, the owner leaves developers of dependent projects in the dark about the risks, the researchers said...

Taking into consideration both deprecated packages and active packages that have a direct dependency on deprecated projects, the researchers found about 4,100 (8.2%) of the top 50,000 most-downloaded NPM packages fell under the category of "official" deprecation. However, adding archived repositories to the definition of "deprecated" increased the number of packages affected by deprecation and deprecated dependencies to 6,400 (12.8%)... Including packages with linked repositories that are shown as unavailable (404 error) on GitHub increases the deprecation rate to 15% (7,500 packages), according to the Nautilus analysis. Encompassing packages without any linked repository brings the final number of deprecated packages to 10,600, or 21.2% of the top 50,000. Team Nautilus estimated that under this broader understanding of package deprecation, about 2.1 billion downloads of deprecated packages are made on the NPM registry weekly.

"A Canonical engineer has been experimenting with implementing a Linux scheduler within the Rust programming language..." Phoronix reported Monday, "that works via sched_ext for implementing a scheduler using eBPF that can be loaded during run-time."

The project was started "just for fun" over Christmas, according to a post on X by Canonical-based Linux kernel engineer Andrea Righi, adding "I'm pretty shocked to see that it doesn't just work, but it can even outperform the default Linux scheduler (EEVDF) with certain workloads (i.e., gaming)." Phoronix notes the a YouTube video accompanying the tweet shows "a game with the scx_rustland scheduler outperforming the default Linux kernel scheduler while running a parallel kernel build in the background."

"For sure the build takes longer," Righi acknowledged in a later post. "This scheduler doesn't magically makes everything run faster, it simply prioritizes more the interactive workloads vs CPU-intensive background jobs." Righi followed up by adding "And the whole point of this demo was to prove that, despite the overhead of running a scheduler in user-space, we can still achieve interesting performance, while having the advantages of being in user-space (ease of experimentation/testing, reboot-less updates, etc.)"

Wednesday Righi added some improvements, posting that "Only 19 lines of code (comments included) for ~2x performance improvement on SMT isn't bad... and I spent my lunch break playing Counter Strike 2 to test this patch..."

And work seems to be continuing, judging by a fresh post from Righi on Thursday. "I fixed virtme-ng to run inside Docker and used it to create a github CI workflow for sched-ext that clones the latest kernel, builds it and runs multiple VMs to test all the scx schedulers. And it does that in only ~20min. I'm pretty happy about virtme-ng now."

Apple has announced changes to its U.S. App Store, allowing developers to link to alternative payment methods, "provided that the app also offer purchases through Apple's own In-App Purchase system," reports 9to5Mac. The change comes in light of the Supreme Court declining to hear Apple's appeal in its legal battle with Epic Games. From the report: The guideline says that developers can apply for an entitlement that allows them to include buttons or links directing users to out-of-app purchasing mechanisms: "Developers may apply for an entitlement to provide a link in their app to a website the developer owns or maintains responsibility for in order to purchase such items. Learn more about the entitlement. In accordance with the entitlement agreement, the link may inform users about where and how to purchase those in-app purchase items, and the fact that such items may be available for a comparatively lower price. The entitlement is limited to use only in the iOS or iPadOS App Store on the United States storefront. In all other storefronts, apps and their metadata may not include buttons, external links, or other calls to action that direct customers to purchasing mechanisms other than in-app purchase."

According to Apple, the link to an alternative payment platform can only be displayed on "one app page the end user navigates to (not an interstitial, modal, or pop-up), in a single, dedicated location on such page, and may not persist beyond that page." Apple has provided templates that developers can use for communicating with customers about alternative in-app payment systems [...]. Apple has also confirmed that it will charge a commission on purchases made through alternative payment platforms. This commission will be 12% for developers who are a member of the App Store Small Business Program and 27% for other apps. The commission will apply to "purchases made within seven days after a user taps on an External Purchase Link and continues from the system disclosure sheet to an external website." Apple says developers will be required to provide accounting of qualifying out-of-app purchases and remit the appropriate commissions. [...] However, Apple also says that collecting this commission will be "exceedingly difficult and, in many cases, impossible." [...]

The other anti-steering change that Apple is required to make is to allow developers to communicate with customers outside of their apps about alternative purchasing options, such as via email. Apple made this change in 2021 as part of its settlement of a class-action lawsuit brought on by small developers.

Last April the Python Software Foundation warned that Europe's proposed Cyber Resilience Act jeopardized their organization and "the health of the open-source software community" with overly broad policies that "will unintentionally harm the users they are intended to protect."

They'd worried that the Python Software Foundation could incur financial liabilities just for hosting Python and its PyPI package repository due to the proposed law's attempts to penalize cybersecurity lapses all the way upstream. But a new blog post this week cites some improvements: We asked for increased clarity, specifically:

"Language that specifically exempts public software repositories that are offered as a public good for the purpose of facilitating collaboration would make things much clearer. We'd also like to see our community, especially the hobbyists, individuals and other under-resourced entities who host packages on free public repositories like PyPI be exempt."


The good news is that CRA text changed a lot between the time the open source community — including the PSF — started expressing our concerns and the Act's final text which was cemented on December 1st. That text introduces the idea of an "open source steward."

"'open-source software steward' means any legal person, other than a manufacturer, which has the purpose or objective to systematically provide support on a sustained basis for the development of specific products with digital elements qualifying as free and open-source software that are intended for commercial activities, and ensures the viability of those products;" (p. 76)


[...] So are we totally done paying attention to European legislation? Ah, while it would be nice for the Python community to be able to cross a few things off our to-do list, that's not quite how it works. Firstly, the concept of an "open source steward" is a brand new idea in European law. So, we will be monitoring the conversation as this new concept is implemented or interacts with other bits of European law to make sure that the understanding continues to reflect the intent and the realities of open source development. Secondly, there are some other pieces of legislation in the works that may also impact the Python ecosystem so we will be watching the Product Liability Directive and keeping up with the discussion around standard-essential patents to make sure that the effects on Python and open source development are intentional (and hopefully benevolent, or at least benign.)

serviscope_minor shares a Phoronix post: A six year old Linux kernel mailing list discussion has been reignited over the prospects of converting the Linux kernel to supporting modern C++ code. The Linux kernel is predominantly made up of C code with various hand-written Assembly plus the growing work around supporting Rust within the Linux kernel. While it's not clear yet if there's sufficient weight to make it a reality, a Linux kernel mailing list discussion has been restarted over potentially seeing the Linux kernel C code converted to C++ in the future.

Back on 1 April 2018 was a set of 45 patches by Red Hat engineer David Howells to begin converting the kernel to C++. This would allow the mainline kernel to make use of inline template functions, inline overloaded functions, class inheritance, and other features not currently supported by the Linux kernel with its C code. A bit hard to make serious discussions that day and ultimately the patches resided on the Linux kernel mailing list for six years without much discussion. serviscope_minor adds: It is notable that the current discussion is somewhat different from the infamous discussions in the past.

Brave has introduced CodeLLM, an AI-powered tool integrated into its search engine that offers results for programming queries. TechCrunch reports: The new AI-powered CodeLLM provides code snippets with step-by-step explanations and citations. CodeLLM is free and now integrated into Brave Search so users don't have to switch apps to access it. CodeLLM is available to all Brave Search users on desktop and mobile. If Brave Search is your default search engine then all you need to do to access CodeLLM is start a search in your browser's address bar. If Brave Search isn't your default search engine, then you need to head to search.brave.com to conduct your search. "CodeLLM automatically detects programming-related queries, so there's no need to generate a special search," Brave explained in the blog post. "On top of the search results, if an answer is possible there will be a widget to trigger the CodeLLM response. The detection of programming queries happens outside of the LLM, by other search components (similar to the ones able to detect queries about the weather, queries that lend themselves well to be summarized, queries about stock prices, etc)."

An anonymous reader shared this report from The Hacker News: Three new malicious packages have been discovered in the Python Package Index (PyPI) open-source repository with capabilities to deploy a cryptocurrency miner on affected Linux devices.

The three harmful packages, named modularseven, driftme, and catme, attracted a total of 431 downloads over the past month before they were taken down...

The malicious code resides in the __init__.py file, which decodes and retrieves the first stage from a remote server, a shell script ("unmi.sh") that fetches a configuration file for the mining activity as well as the CoinMiner file hosted on GitLab. The ELF binary file is then executed in the background using the nohup command, thus ensuring that the process continues to run even after exiting the session. "Echoing the approach of the earlier 'culturestreak' package, these packages conceal their payload, effectively reducing the detectability of their malicious code by hosting it on a remote URL," said Fortinet FortiGuard Labs researcher Gabby Xiong. "The payload is then incrementally released in various stages to execute its malicious activities."