The Linux Foundation has endorsed Microsoft's acquisition of GitHub. In a blog post, Jim Zemlin, the executive director at the Linux Foundation, said: "This is pretty good news for the world of Open Source and we should celebrate Microsoft's smart move." The Verge reports: 10 years ago, Zemlin was calling for Microsoft to stop secretly attacking Linux by selling patents that targeted the operating system, and he also poked fun at Microsoft multiple times over the years. "I will own responsibility for some of that as I spent a good part of my career at the Linux Foundation poking fun at Microsoft (which, at times, prior management made way too easy)," explains Zemlin. "But times have changed and it's time to recognize that we have all grown up -- the industry, the open source community, even me." Nat Friedman, the future CEO of GitHub (once the deal closes), took to Reddit to answer questions on the company's plans. "We are not buying GitHub to turn it into Microsoft; we are buying GitHub because we believe in the importance of developers, and in GitHub's unique role in the developer community," explains Friedman. "Our goal is to help GitHub be better at being GitHub, and if anything, to help Microsoft be a little more like GitHub."

Facebook granted a select group of companies special access to its users' records even after the point in 2015 that the company has claimed it stopped sharing such data with app developers. USA Today reports: According to the Wall Street Journal, which cited court documents, unnamed Facebook officials and other unnamed sources, Facebook made special agreements with certain companies called "whitelists," which gave them access to extra information about a user's friends. This includes data such as phone numbers and "friend links," which measure the degree of closeness between users and their friends. These deals were made separately from the company's data-sharing agreements with device manufacturers such as Huawei, which Facebook disclosed earlier this week after a New York Times report on the arrangement. Facebook said following the WSJ report it inked deals with a small number of developers that gave them access to users' friends after the more restrictive policy went into effect.

New submitter Fatalis writes: Substack is a venture capital funded startup for subscription-based newsletters, and it admittedly chose its name following the advice from a Paul Graham (co-founder of Y Combinator) article to prefer names not registered in the .com zone. The same name has also been the user handle for a prolific open-source developer who now finds themselves competing for recognition in the tech space with a capital backed company. The lesson seems to be for developers to protect their personal brand by registering a domain name with the .com extension due to it being perceived as the default.

DuroSoft writes: Earlier this week an article ran about how Microsoft's multi-year refusal to rename its terabyte-scale Git extension "GVFS" (Git Virtual File System) had drawn the ire and dismay of the GNOME GVfs project (Gnome Virtual File System) which predates the Microsoft project by years. Thanks to Slashdot coverage and community pressure, Microsoft has now officially promised to rename GVFS to something else, and is asking the community for suggestions for a new name. Is this an official sign that MIcrosoft is finally listening to developers (albeit with a Slashdot-level of negative attention), or are they simply trying to appease the crowd while they are still in the news due to their acquisition of GitHub?

Kesha Williams, reporting for InfoQ (shared by numerous readers): The Java Mission Control suite of tools, also known as JMC, was open sourced by Oracle on May 3rd to much applause and excitement from the Java development community. The excitement was replaced with unease as sources reported that the entire JMC development team had been laid off. JMC is a well-known profiling and diagnostics tools suite for the Java Virtual Machine (JVM) primarily targeting systems running in production. It is used by developers to gather detailed low-level information about how the JVM and the Java application are behaving. The official open source announcement came on May 5th from Marcus Hirt, a member of the Java Platform Group at Oracle. "Just wanted to say thank you to everyone who helped open source Java Mission Control in the relatively short period of time it was done in." According to Hirt, the intent behind open sourcing JMC was to provide the community with the opportunity to add new features and capabilities to the tools suite.

In macOS 10.14 Mojave, which Apple unveiled on Monday, the company is deprecating OpenGL and OpenCL technologies in its desktop operating system. In an announcement post to developers, the company wrote: Apps built using OpenGL and OpenCL will continue to run in macOS 10.14, but these legacy technologies are deprecated in macOS 10.14. Games and graphics-intensive apps that use OpenGL should now adopt Metal. Similarly, apps that use OpenCL for computational tasks should now adopt Metal and Metal Performance Shaders. PCGamer reports that several developers have expressed disappointment over the decision. AnandTech reports that the company is doing away with OpenGL and OpenCL in iOS and its other operating systems as well.

Stephen Shankland, writing for CNET: With its next-generation MacOS Mojave software, Macs will be able to run some apps written for iPhones and iPads, a big new step in bringing the two technology platforms closer together. Craig Federighi, Apple's senior vice president of software engineering, announced the change Monday at Apple's Worldwide Developer Conference in San Jose. And he said Mojave will include four apps Apple itself brought from its iOS mobile software to MacOS: Home, Stocks, News and Voice Memo. "There are millions of iOS apps out there, and we think some of them would look great on the Mac," Federighi said. For now, it's only Apple that has the ability to move iOS apps to MacOS. But that'll change in 2019.

Catalin Cimpanu, writing for BleepingComputer: Mobile app developers are going through the same growing pains that the webdev scene has gone through in the 90s and 2000s when improper input validation led to many security incidents. But while mobile devs have learned to filter user input for dangerous strings, some of these devs have not learned their lesson very well.

In a research paper published earlier this year, Abner Mendoza and Guofei Gu, two academics from Texas A&M University, have highlighted the problem of current-day mobile apps that still include business logic (such as user input validation, user authentication, and authorization) inside the client-side component of their code, instead of its server-side section. This regretable situation leaves the users of these mobile applications vulnerable to simple HTTP request parameter injection attacks that could have been easily mitigated if an application's business logic would have been embedded inside its server-side component, where most of these operations belong.

As rumored, Microsoft said Monday that it has acquired code repository website GitHub for a whopping sum of $7.5B in Microsoft stock. Microsoft Corporate Vice President Nat Friedman, founder of Xamarin and an open source veteran, will assume the role of GitHub CEO. GitHub's current CEO, Chris Wanstrath, will become a Microsoft technical fellow, reporting to Executive Vice President Scott Guthrie, to work on strategic software initiatives. From the blog post: "Microsoft is a developer-first company, and by joining forces with GitHub we strengthen our commitment to developer freedom, openness and innovation," said Satya Nadella, CEO, Microsoft. "We recognize the community responsibility we take on with this agreement and will do our best work to empower every developer to build, innovate and solve the world's most pressing challenges." Under the terms of the agreement, Microsoft will acquire GitHub for $7.5 billion in Microsoft stock. Subject to customary closing conditions and completion of regulatory review, the acquisition is expected to close by the end of the calendar year. GitHub will retain its developer-first ethos and will operate independently to provide an open platform for all developers in all industries. Developers will continue to be able to use the programming languages, tools and operating systems of their choice for their projects -- and will still be able to deploy their code to any operating system, any cloud and any device. The two companies, together, will "empower developers to achieve more at every stage of the development lifecycle, accelerate enterprise use of GitHub, and bring Microsoft's developer tools and services to new audiences," Microsoft said. A portion of the developer community has opposed the move, with some already leaving the platform for alternative services.

Update: In a conference call with reporters, Mr. Nadella said today the company is "all in with open source," and requested people to judge the company's commitment to the open source community with its actions in the recent past, today, and in the coming future. GitHub will remain open and independent, Mr. Nadella said.

The supposed acquisition of popular code repository GitHub by Microsoft has drawn an unprecedented backlash from the developer community. Over the weekend, after Bloomberg reported that the two companies could make the announcement as soon as Monday, hundreds of developers took to forums and social media to express their disappointment, with many saying that they would be leaving the platform if the deal goes through.

So why so much outrage? In a conversation with Slashdot, software developer and student Sean said that he believes a deal of such capacity would be bad for the open source community. "They've shown time and time again that they can't be trusted," he said. Sean and many other believe that Microsoft would eventually start telemetry program on the code repository. "Aside from Microsoft not being trustworthy to the open source community, I'm sure they'll add tracking and possibly even ads to all the sites within GitHub. As well as possibly use it to push LinkedIn (which they own)," he said. Ryan Hoover, the founder of ProductHunt, wrote on Sunday, "Anecdotally, the developer community is very unapproving of this move. I'm curious how Microsoft manages this and how GitHub changes (or doesn't change)." Even as Microsoft has "embraced" the open source community in the recent years (under the leadership of Mr. Nadella), for many developers, it will take time -- if at all -- to forget the company's past closed-ecosystem approach. Just this weekend, a developer accused Microsoft of stealing his code.

A petition that seeks to "stop Microsoft from buying Github" had garnered support from more than 400 developers. Prominent developer Andre Staltz said, "If you're still optimistic about the Microsoft-GitHub acquisition, consider this: They didn't ask your opinion not even a single bit, even though it was primarily your commits, stars, and repositories which made GH become a valuable platform." More importantly, if the comments left on Slashdot, Reddit, and HackerNews, places that overwhelmingly count developers and other IT industry experts among their audience, are anything to go by, Microsoft better has a good plan on how it intends to operate GitHub after the buyout. Security reporter Catalin Cimpanu said, "LinkedIn has turned into a slow-loading junk after the Microsoft acquisition. I can only imagine what awaits GitHub." On his part, Mat Velloso, who is technical advisor to CTO at Microsoft, said, "I don't think people understand how many of us at Microsoft love GitHub to the bottom of our hearts. If anybody decided to mess with that community, there would be a riot to say the least."

Jacques Mattheij: Companies that are too big to fail and that lose money are a dangerous combination, people have warned about GitHub becoming as large as it did as problematic because it concentrates too much of the power to make or break the open source world in a single entity, moreso because there were valid questions about GitHubs financial viability. The model that GitHub has -- sell their services to closed source companies but provide the service for free for open source groups -- is only a good one if the closed source companies bring in enough funds to sustain the model. Some sort of solution should have been found -- preferably in collaboration with the community -- not an 'exit' to one of the biggest sharks in the tank. So, here is what is wrong with this deal and why anybody active in the open source community should be upset that Microsoft is going to be the steward of this large body of code. For starters, Microsoft has a very long history of abusing its position vis-a-vis open source and other companies. I'm sure you'll be able to tell I'm a cranky old guy by looking up the dates to some of these references, but 'new boss, same as the old boss' applies as far as I'm concerned. Yes, the new boss is a nicer guy but it's the same corporate entity. Update: It's official. Microsoft has acquired GitHub for a whopping sum of $7.5B.

Programmer Mat Kelsey created a bee counter to see exactly how many bees are hanging out in his hives. "His system, which uses a Raspberry Pi and a machine learning algorithm that recognizes the number of individual bees entering a hive, is used to see bee trends over time and see just how the bees are faring," reports TechCrunch. From the report: The system looks at sets of pictures of the hive door taken every 10 seconds. It then extrapolates out the background, assesses the objects that have moved in the frame, and then counts the things that are likely to be bees. It's a fascinating problem to solve since the bees are constantly moving and because it can also ignore bees that are coming out of the hive. You can download the source on Github and check out his detailed blog post here. Given the need for bee protection as we enter an era of colony collapses, tools like this one are wildly important. Plus it's cool to see a Raspberry Pi do something so complex.

Bloomberg reports:
Microsoft Corp. has agreed to acquire GitHub Inc., the code repository company popular with many software developers, and could announce the deal as soon as Monday, according to people familiar with the matter. GitHub preferred selling the company to going public and chose Microsoft partially because it was impressed by Chief Executive Officer Satya Nadella, said one of the people, who asked not to be identified discussing private information. Terms of the agreement weren't known on Sunday. GitHub was last valued at $2 billion in 2015.

GitHub is an essential tool for coders. Many corporations, including Microsoft and Alphabet Inc.'s Google, use GitHub to store their corporate code and to collaborate. It's also a social network of sorts for developers. While GitHub's losses have been significant -- it lost $66 million over three quarters in 2016 -- it had revenue of $98 million in nine months of that year.
On Friday, it was reported that Microsoft was in talks with GitHub about an acquisition. Now it seems like it's actually happening.

Update: Our sister site, SourceForge, has weighed in. Here is a tool that will import your GitHub project to SourceForge.
Update #2: Already, we are seeing plenty of backlash over this news. One user has started a petition to stop Microsoft from buying GitHub.
Update #3: It's official. Microsoft has acquired GitHub for a whopping sum of $7.5B.

Artem Tashkinov shares a report from The Register: DeepMind has taught artificially intelligent programs to play classic Atari computer games by making them watch YouTube videos. Exploration games like 1984's Montezuma's Revenge are particularly difficult for AI to crack, because it's not obvious where you should go, which items you need and in which order, and where you should use them. That makes defining rewards difficult without spelling out exactly how to play the thing, and thus defeating the point of the exercise. For example, Montezuma's Revenge requires the agent to direct a cowboy-hat-wearing character, known as Panama Joe, through a series of rooms and scenarios to reach a treasure chamber in a temple, where all the goodies are hidden. Pocketing a golden key, your first crucial item, takes about 100 steps, and is equivalent to 100^18 possible action sequences.

To educate their code, the researchers chose three YouTube gameplay videos for each of the three titles: Montezuma's Revenge, Pitfall, and Private Eye. Each game had its own agent, which had to map the actions and features of the title into a form it could understand. The team used two methods: temporal distance classification (TDC), and cross-modal temporal distance classification (CDC). The DeepMind code still relies on lots of small rewards, of a kind, although they are referred to as checkpoints. While playing the game, every sixteenth video frame of the agent's session is taken as a snapshot and compared to a frame in a fourth video of a human playing the same game. If the agent's game frame is close or matches the one in the human's video, it is rewarded. Over time, it imitates the way the game is played in the videos by carrying out a similar sequence of moves to match the checkpoint frame. In the end, the agent was able to exceed average human players and other RL algorithms: Rainbow, ApeX, and DQfD. The researchers documented their method in a paper this week. You can view the agent in action here.

An anonymous reader writes: A new feature proposal for the Python programming language wants to add "transparency" to the runtime and let security and auditing tools view when Python may be running potentially dangerous operations. In its current form, Python does not allow security tools to see what operations the runtime is performing. Unless one of those operations generates particular errors that may raise a sign of alarm, security and auditing tools are blind that an attacker may be using Python to carry out malicious operations on a system.

But in Python Enhancement Proposal 551 (PEP-551), Steve Dower, a core Python developer, has proposed the addition of two new APIs that will let security tools detect when Python is executing potentially dangerous operations. The first, the Audit Hook API, will raise warning messages about certain type of Python operations; while the second, the Verified Open Hook API, is a mechanism to let the Python runtime know what files it is permitted to execute or tamper with.

Initial plans were to have PEP-551 ship with Python 3.7, scheduled for release in mid-June 2018, but the proposal did not make the final cut, according to a list of new features added for next month's release. This doesn't mean PEP-551 won't ship with a future version of Python. This is the second major scripting engine to open its runtime to security tools, after PowerShell.

Chinese smartphone maker Huawei has long made it easier for users to unlock the bootloader on its phones. But that is changing now. Android Authority: Earlier this month a support page, which detailed ways to unlock a bootloader, disappeared without any explanation from the company's websites. In a statement, the company said, "In order to deliver the best user experience and prevent users from experiencing possible issues that could arise from ROM flashing, including system failure, stuttering, worsened battery performance, and risk of data being compromised, Huawei will cease providing bootloader unlock codes for devices launched after May 25, 2018." It added, "For devices launched prior to the aforementioned date, the termination of the bootloader code application service will come into effect 60 days after today's announcement. Moving forward, Huawei remains committed to providing quality services and experiences to its customers. Thank you for your continued support."

An anonymous reader shares a report: Oracle's aggressive sales tactics are turning off customers, setting a roadblock in the company's race to catch up with Amazon Web Services in the cloud, according to a report on The Information. [Editor's note: the link may be paywalled; alternative source]. Oracle is threatening customers of its on-premises software with potentially expensive usage audits and strongly suggesting those customers could solve their problems by moving to the cloud, The Information says. But the tactic is backfiring. "Several big Oracle customers, including oil and gas exploration company Halliburton, toy maker Mattel and electricity provider Edison Southern California, have recently rejected big cloud services deals proposed by Oracle, according to an Oracle employee with knowledge of the situation," the publication reported. "Oracle representatives had suggested the customers strike the deals to avoid expensive audits of how they were using Oracle software, according to the employee. Instead, that approach to selling cloud is irritating customers," it added.

An anonymous reader quotes InfoWorld: Oracle plans to drop from Java its serialization feature that has been a thorn in the side when it comes to security. Also known as Java object serialization, the feature is used for encoding objects into streams of bytes... Removing serialization is a long-term goal and is part of Project Amber, which is focused on productivity-oriented Java language features, says Mark Reinhold, chief architect of the Java platform group at Oracle.

To replace the current serialization technology, a small serialization framework would be placed in the platform once records, the Java version of data classes, are supported. The framework could support a graph of records, and developers could plug in a serialization engine of their choice, supporting formats such as JSON or XML, enabling serialization of records in a safe way. But Reinhold cannot yet say which release of Java will have the records capability. Serialization was a "horrible mistake" made in 1997, Reinhold says. He estimates that at least a third -- maybe even half -- of Java vulnerabilities have involved serialization. Serialization overall is brittle but holds the appeal of being easy to use in simple use cases, Reinhold says.

OpenSourceAllTheWay writes: The Economist's 1843 magazine details one middle-aged writer's (Andrew Smith) quest to learn to code for the first time, after becoming interested in the "alien" logic mechanisms that power completely new phenomena like crypto-currency and effectively make the modern world function in the 21st Century. The writer discovers that there are over 1,700 actively used computer programming languages to choose from, and that every programmer that he asks "Where should someone like me start with coding?" contradicts the next in his or her recommendation. One seasoned programmer tells him that programmers discussing what language is best is the equivalent of watching "religious wars." The writer is stunned by how many of these languages were created by unpaid individuals who often built them for "glory and the hell of it." He is also amazed by how many people help each other with coding problems on the internet every day, and the computer programmer culture that non-technical people are oblivious of.

Eventually the writer finds a chart of the most popular programming languages online, and discovers that these are Python, Javascript, and C++. The syntax of each of these languages looks indecipherable to him. The writer, with some help from online tutorials, then learns how to write a basic Python program that looks for keywords in a Twitter feed. The article is interesting in that it shows what the "alien world of coding" looks like to people who are not already computer nerds and in fact know very little about how computer software works. There are many interesting observations on coding/computing culture in the article, seen through the lens of someone who is not a computer nerd and who has not spent the last two decades hanging out on Slashdot or Stackoverflow.

An anonymous reader quotes a report from SFGate: The American Civil Liberties Union on Wednesday sued U.S. Immigration and Customs Enforcement for records about the agency's use of license plate reader technology, after ICE apparently failed to turn over records following multiple requests. In December, ICE purchased access to two databases of ALPR data, the complaint reads. One of those databases is managed by Vigilant Solutions, which has contracts with more than two dozen Bay Area law enforcement agencies. "We believe the other is managed by Thomson Reuters," ACLU laywer Vasudha Talla said. The ACLU and other privacy advocates have expressed concern about how this data will be stored and used for civil immigration enforcement. The ACLU filed two requests under the Freedom of Information Act in March seeking records from ICE, including contracts, memos, associated communications, training materials and audit logs. Since then, ICE has not provided any records, the ACLU said in the complaint, which was filed Tuesday morning in the Northern District Court for the Northern District of California. "The excessive collection and storing of this data in databases -- which is then pooled and shared nationally -- results in a systemic monitoring that chills the exercise of constitutional rights to free speech and association, as well as essential tasks such as driving to work, picking children up from school, and grocery shopping," the complaint said. "We have essentially two concerns: one that is general to ALPR databases, and one that's specific to this situation with ICE," Talla said. "The ACLU has done a lot of work around surveillance technology and ALPR, and we're generally concerned about the aggregation of all this data about license plates paired with a time and location, stretching back for so many months and years."

Zeljka Zorz, writing for Help Net Security: The number of open source components in the codebase of proprietary applications keeps rising and with it the risk of those apps being compromised by attackers leveraging vulnerabilities in them, a recent report has shown. Compiled after examining the findings from the anonymized data of over 1,100 commercial codebases audited in 2017 by the Black Duck On-Demand audit services group, the report revealed two interesting findings:

96 percent of the scanned applications contain open source components, with an average 257 components per application. The average percentage of open source in the codebases of the applications scanned grew from 36% last year to 57%, suggesting that a large number of applications now contain much more open source than proprietary code.