Programming

Microsoft Previews 'Rust for Windows' (microsoft.com) 70

From Mike Melanson's "This Week in Programming" column: "The Rustening at Microsoft has begun," tweeted Microsoft distinguished engineer Miguel de Icaza.

What de Icaza is referring to is a newly-offered course by Microsoft on taking the first steps with Rust, which much of the Twitterverse of Rust devotees sees as a sign that the company is further increasing its favor for their crab-themed language of choice. Of course, this isn't the first we've heard of Microsoft looking to Rust to handle the 70% of Microsoft vulnerabilities that it says come from using the memory-unsafe C++ programming language in its software. A few years back now, Microsoft launched Project Verona, a research programming language that takes a bite from Rust in the realm of ownership and is said to be inspired by Rust, among others.

More recently, however, Microsoft announced the preview of Rust for Windows, which "lets you use any Windows API (past, present, and future) directly and seamlessly via the windows crate (crate is Rust's term for a binary or a library, and/or the source code that builds into one)." With Rust for Windows, developers can now not only use Rust on Windows, they can also write apps for Windows using Rust...

According to the project description, the Windows crate "lets you call any Windows API past, present, and future using code generated on the fly directly from the metadata describing the API and right into your Rust package where you can call them as if they were just another Rust module" and that, along with the introduction of a course for learning Rust, is precisely what has all those Rust devotees so excited.

InfoWorld has more information...
Social Networks

'Not Even Student Work': MyPillow CEO's Social Media Site Botches Rollout (salon.com) 191

"Salon reports amateur-hour mistakes in the attempted rollout of FRANK, a social media site envisioned by Mike Lindell of MyPillow," writes Slashdot reader Tom239. "A Drupal expert described the code as 'not even student work.'" From the report: Speaking to Salon on Thursday afternoon about Lindell's site, one "Acquia Certified Drupal Grand Master," who oversees a technology firm that employs numerous other "grandmasters," said that Lindell's site was set up for failure from its inception, noting that its developers -- whom Lindell compared to Navy SEALs -- had failed to carry out basic "Drupal 101" tasks. One coder who spoke to Salon in great detail explained the potential shortcomings of the pillow maven's program code and the patchy work done by his developer team. "Drupal can power highly powerful websites, sites with lots of traffic," the expert said, adding that it isn't the right software to build a social media site with, since it's not designed to handle a large amount of user-generated content. "Lindell's website was basically trying to make soup from scratch for everybody," said the expert, who claimed more than 25 years of experience in the IT field.

"In my professional opinion, it will be extremely unlikely, if not impossible, for Lindell to accomplish his vision with Drupal and his own servers," the expert told Salon. "Despite how much I love it, Drupal simply isn't the right tool for the number of users with the features that he wants to provide. It would take a massive effort of 12 to 18 months to build out the needed hosting setup and application architecture, and this would come with an enormous degree of risk. The idea that he could do this in just a couple of months is patently absurd, and I think the results speak for themselves."

"When I was looking at the code, in the browser, they basically launched the site while it was still in development mode," one expert told Salon, citing the fact that developers had failed to check a box to aggregate files on the platform as the first red flag he ran across. "Their files were not aggregated, and by the way, that's a check box in Drupal -- you literally check a box and click save. My jaw dropped when I saw that. I was like, 'They did not try to launch this thing without aggregation turned on!'" The second major red flag another Drupal expert found was that Lindell's site was spitting out coded error messages to users, which leaves the platform vulnerable to attacks. "This is a shit show," the expert said, calling this an "obvious" issue that coders learn how to prevent in "Drupal 101."

Elsewhere it was reported that Lindell's supposed free-speech haven will not allow swearing, pornography, or the use of 'god's name in vain'.
Education

Tech Giants Support Code.org's Amazon-Bankrolled Java-Based AP CS Curriculum 39

theodp writes: Code.org on Wednesday announced that dozens of industry, education, and state leaders are supporting a new Code.org AP CS A Java-focused curriculum for high school students, which will be available at no charge to all schools starting in the 2022-23 school year. "We are proud to have the following companies on our Industry Advisory Panel: Adobe, Amazon, Atlassian, Disney, Epic Games, Goldman Sachs, Google, IBM, Instagram, Microsoft, Riot Games, Roblox, Snapchat, Spotify, Tesla, Unity, Vista Equity," Code.org tweeted. "A big thank you to the following colleges and universities on our Education Advisory Panel: @BowieState @UBuffalo @CarnegieMellon @Harvard @montgomerycoll @NCWIT @thisisUIC @Illinois_Alma @unlv @UNOmaha @SpelmanCollege @UT_Dallas @UW @westminsterpa." In an accompanying Medium post, Code.org explained: "This work is all made possible through a generous [$15 million] gift from Amazon Future Engineer."

Despite having the support of some of the world's richest corporations and individuals whose goals the nonprofit helps advance, recently-released SBA records show that Code.org applied for and was approved for its second forgivable Federal Paycheck Protection Program loan in the amount of $1.9 million dollars on March 25, a month after Amazon and Code.org issued a joint press release announcing their $15 million plan to work on a new AP CS A curriculum and other initiatives. Amazon certainly has ambitious plans for influencing K-12 CS education. Last week, the company announced a 2021 goal to "reach 1.6 million underrepresented students globally through Amazon Future Engineer with real world-inspired virtual and hands-on computer science project learning." And an Amazon Future Engineer job listing for a U.S. Country Senior Manager notes the job will require working "with national and local educational non-profits and governmental entities such as BootUp, Project STEM, Code.org, and the US and State Departments of Education," as well as positioning Amazon "as subject matter experts on US computer science education, as well as the local education systems of our headquarter regions."
Programming

How Often Do People Actually Copy and Paste From Stack Overflow? (stackoverflow.blog) 124

Stack Overflow blog: They say there's a kernel of truth behind every joke. In the case of our recent April Fools gag, it might be more like an entire cob, perhaps a bushel of truth. We wanted to embrace a classic Stack Overflow meme and tweak one of our core principles. Our company was inspired by the founders' frustration with websites that kept answers to coding questions behind paywalls. What would the world look like if we suddenly decided to monetize the act of copying code from Stack Overflow? OK, joke's over, hope everyone had a good laugh and no one got too freaked out. But wait, there's more. Once we set up a system to react every time someone typed Command+C, we realized there was also an opportunity to learn about how people use our site. We were able to catalog every copy command made on Stack Overflow over the course of two weeks, and here's what we found.

One out of every four users who visits a Stack Overflow question copies something within five minutes of hitting the page. That adds up to 40,623,987 copies across 7,305,042 posts and comments between March 26th and April 9th. People copy from answers about ten times as often as they do from questions and about 35 times as often as they do from comments. People copy from code blocks more than ten times as often as they do from the surrounding text, and surprisingly, we see more copies being made on questions without accepted answers than we do on questions which are accepted. So, if you've ever felt bad about copying code from our site instead of writing it from scratch, forgive yourself!

Programming

Student's First Academic Paper Solves Decades-Old Quantum Computing Problem (abc.net.au) 96

"Sydney university student Pablo Bonilla, 21, had his first academic paper published overnight and it might just change the shape of computing forever," writes Australia's national public broadcaster ABC: As a second-year physics student at the University of Sydney, Mr Bonilla was given some coding exercises as extra homework and what he returned with has helped to solve one of the most common problems in quantum computing. His code piqued the interest of researchers at Yale and Duke in the United States and the multi-billion-dollar tech giant Amazon plans to use it in the quantum computer it is trying to build for its cloud platform Amazon Web Services....

Assistant professor Shruti Puri of Yale's quantum research program said the new code solved a problem that had persisted for 20 years. "What amazes me about this new code is its sheer elegance," she said. "Its remarkable error-correcting properties are coming from a simple modification to a code that has been studied extensively for almost two decades...."

Co-author of the paper, the University of Sydney's Ben Brown, said the brilliance of Pablo Bonilla's code was in its simplicity... "We just made the smallest of changes to a chip that everybody is building, and all of a sudden it started doing a lot better. It's quite amazing to me that nobody spotted it in the 20-or-so years that people have been working on that model."

Programming

Linus Torvalds Says Rust Closer for Linux Kernel Development, Calls C++ 'A Crap Language' (itwire.com) 270

Google's Android team supports Rust for developing the Android operating system. Now they're also helping evaluate Rust for Linux kernel development. Their hopes, among other things, are that "New code written in Rust has a reduced risk of memory safety bugs, data races and logic bugs overall," that the kernel gains "abstractions that are easier to reason about," and that "More people get involved overall in developing the kernel, thanks to the usage of a modern language."

Linus Torvalds responded in a new interview with IT Wire (shared by Slashdot reader juul_advocate): The first patches for Rust support in the Linux kernel have been posted and the man behind the kernel says the fact that these are being discussed is much more important than a long post by Google about the language. Linus Torvalds told iTWire in response to queries that Rust support was "not there yet", adding that things were "getting to the point where maybe it might be mergeable for 5.14 or something like that..." Torvalds said that it was still early days for Rust support, "but at least it's in a 'this kind of works, there's an example, we can build on it'."

Asked about a suggestion by a commenter on the Linux Weekly News website, who said, during a discussion on the Google post, "The solution here is simple: just use C++ instead of Rust", Torvalds could not restrain himself from chortling. "LOL," was his response. "C++ solves _none_ of the C issues, and only makes things worse. It really is a crap language.

"For people who don't like C, go to a language that actually offers you something worthwhile. Like languages with memory safety and [which] can avoid some of the dangers of C, or languages that have internal GC [garbage collection] support and make memory management easier. C++ solves all the wrong problems, and anybody who says 'rewrite the kernel in C++' is too ignorant to even know that."

He said that when one spoke of the dangers of C, one was also speaking about part of what made C so powerful, "and allows you to implement all those low-level things efficiently".

Torvalds added that, while garbage collection is "a very good thing in most other situations," it's "generally not necessarily something you can do in a low-level system programming."
PHP

Git.PHP.net Not Compromised in Supply Chain Attack, but User Database Leak Possible (inside.com) 18

Inside.com's developer newsletter reports: The PHP team no longer believes the git.php.net server was compromised in a recent attack, which prompted PHP to move servers to GitHub and caused the team to temporarily put releases on hold until mid-April...

In an update offering further insight into the root cause of the late March attack, the team says because it's possible the master.php.net user database was exposed, master.php.net has been moved to main.php.net. The team also reset php.net passwords, and you can visit https://main.php.net/forgot.php to set a new password. In addition, git.php.net and svn.php.net are both read-only now.

Two malicious commits were pushed to the php-src repo from PHP founder Rasmus Lerdorf and PHP core developer Nikita Popov, Popov announced March 28. After an investigation, the PHP team reassured users these malicious commits never reached end-users. However, the team decided to move to GitHub after determining that maintaining its own git infrastructure is "an unnecessary security risk."

"In 2019, the PHP team temporarily shut down its Git server after discovering that an attacker had maliciously replaced the official PHP Extension and Application Repository with a malicious one," reports CPO magazine. But this newer supply chain attack "targeted any server that uses PHP ZLib compression when sending data. Most servers use this functionality on almost all content except images and archives that are already size optimized." The supply chain attack would have turned PHP into a remote web shell through which the attackers could execute any command without authentication. This is because the malicious attackers would have the same privileges as the web server running PHP. The backdoor is triggered at the start of a request by checking if the request contains the word "zerodium." If this condition was met, PHP executes the code in the "User-Agentt" request header. The header name closely resembles the standard "User-Agent" request header, which identifies the browser and its properties.

The rest of the request would thus be treated as a command that could be executed on a PHP server using the server's privileges. This would allow the hackers to run any arbitrary command without the need for further privileges...

PHP powers 80% of all websites. Thus, a successful supply chain attack exploiting the language could prove catastrophic.

Java

Microsoft Previews Its Open Source Java Distribution, Microsoft Build of OpenJDK (betanews.com) 145

Mark Wilson writes: Microsoft has launched a preview version of its own distribution of Java, making it available for Windows, macOS and Linux. The company has named the release Microsoft Build of OpenJDK, and describes it as its "new way to collaborate and contribute to the Java ecosystem". The company has made available Microsoft Build of OpenJDK binaries for Java 11, which are based on OpenJDK source code. Microsoft says it is looking to broaden and deepen its support for Java, "one of the most important programming languages used today".
Programming

Google Now Supports Rust for Underlying Android OS Development (9to5google.com) 28

For the past few years, Google has been encouraging developers to write Android apps with Kotlin. The underlying OS still uses C and C++, though Google today announced Android Open Source Project (AOSP) support for Rust. From a report: This is part of Google's work to address memory safety bugs in the operating system: "We invest a great deal of effort and resources into detecting, fixing, and mitigating this class of bugs, and these efforts are effective in preventing a large number of bugs from making it into Android releases. Yet in spite of these efforts, memory safety bugs continue to be a top contributor of stability issues, and consistently represent ~70% of Android's high severity security vulnerabilities."

The company believes that memory-safe languages, like Rust, are the "most cost-effective means for preventing memory bugs" in the bootloader, fastboot, kernel, and other low-level parts of the OS. Unlike C and C++, where developers manage memory lifetime, Rust "provides memory safety guarantees by using a combination of compile-time checks to enforce object lifetime/ownership and runtime checks to ensure that memory accesses are valid." Google has been working to add this support to AOSP for the past 18 months. Performance is equivalent to the existing languages, while increasing the effectiveness of current sandboxing and reducing the overall need for it. This allows for "new features that are both safer and lighter on resources." Other improvements include data concurrency, a more expressive type system, and safer integer handling.

Databases

LexisNexis To Provide Giant Database of Personal Information To ICE (theintercept.com) 64

An anonymous reader quotes a report from The Intercept: The popular legal research and data brokerage firm LexisNexis signed a $16.8 million contract to sell information to U.S. Immigration and Customs Enforcement, according to documents shared with The Intercept. The deal is already drawing fire from critics and comes less than two years after the company downplayed its ties to ICE, claiming it was "not working with them to build data infrastructure to assist their efforts." Though LexisNexis is perhaps best known for its role as a powerful scholarly and legal research tool, the company also caters to the immensely lucrative "risk" industry, providing, it says, 10,000 different data points on hundreds of millions of people to companies like financial institutions and insurance companies who want to, say, flag individuals with a history of fraud. LexisNexis Risk Solutions is also marketed to law enforcement agencies, offering "advanced analytics to generate quality investigative leads, produce actionable intelligence and drive informed decisions" -- in other words, to find and arrest people.

The LexisNexis ICE deal appears to be providing a replacement for CLEAR, a risk industry service operated by Thomson Reuters that has been crucial to ICE's deportation efforts. In February, the Washington Post noted that the CLEAR contract was expiring and that it was "unclear whether the Biden administration will renew the deal or award a new contract." LexisNexis's February 25 ICE contract was shared with The Intercept by Mijente, a Latinx advocacy organization that has criticized links between ICE and tech companies it says are profiting from human rights abuses, including LexisNexis and Thomson Reuters. The contract shows LexisNexis will provide Homeland Security investigators access to billions of different records containing personal data aggregated from a wide array of public and private sources, including credit history, bankruptcy records, license plate images, and cellular subscriber information. The company will also provide analytical tools that can help police connect these vast stores of data to the right person.

In a statement to The Intercept, a LexisNexis Risk Solutions spokesperson said: "Our tool contains data primarily from public government records. The principal non-public data is authorized by Congress for such uses in the Drivers Privacy Protection Act and Gramm-Leach-Bliley Act statutes." They declined to say exactly what categories of data the company would provide ICE under the new contract, or what policies, if any, will govern how the agency uses it.
Google

Google Wins Oracle Copyright Fight as Top Court Overturns Ruling (bloomberg.com) 155

The U.S. Supreme Court ruled that Alphabet's Google didn't commit copyright infringement when it used Oracle's programming code in the Android operating system, sparing Google from what could have been a multibillion-dollar award. From a report: The 6-2 ruling, which overturns a victory for Oracle, marks a climax to a decade-old case that divided Silicon Valley and promised to reshape the rules for the software industry. Oracle was seeking as much as $9 billion. The court said Google engaged in legitimate "fair use" when it put key aspects of Oracle's Java programming language in the Android operating system. Writing for the court, Justice Stephen Breyer said Google used "only what was needed to allow users to put their accrued talents to work in a new and transformative program." Each side contended the other's position would undercut innovation. Oracle said that without strong copyright protection, companies would have less incentive to invest the large sums needed to create groundbreaking products. Google said Oracle's approach would discourage the development of new software that builds on legacy products.
Security

GitHub is Investigating Crypto-mining Campaign Abusing Its Server Infrastructure (therecord.media) 27

An anonymous Slashdot reader shared this report from The Record: Code-hosting service GitHub is actively investigating a series of attacks against its cloud infrastructure that allowed cybercriminals to implant and abuse the company's servers for illicit crypto-mining operations, a spokesperson told The Record today.

The attacks have been going on since the fall of 2020 and have abused a GitHub feature called GitHub Actions, which allows users to automatically execute tasks and workflows once a certain event happens inside one of their GitHub repositories. In a phone call today, Dutch security engineer Justin Perdok told The Record that at least one threat actor is targeting GitHub repositories where GitHub Actions might be enabled. The attack involves forking a legitimate repository, adding malicious GitHub Actions to the original code, and then filing a Pull Request with the original repository in order to merge the code back into the original.

But the attack doesn't rely on the original project owner approving the malicious Pull Request. Just filing the Pull Request is enough for the attack, Perdok said. The Dutch security engineer told us attackers specifically target GitHub project owners that have automated workflows that test incoming pull requests via automated jobs. Once one of these malicious Pull Requests is filed, GitHub's systems will read the attacker's code and spin up a virtual machine that downloads and runs cryptocurrency-mining software on GitHub's infrastructure.

Perdok, who's had projects abused this way, said he's seen attackers spin up to 100 crypto-miners via one attack alone, creating huge computational loads for GitHub's infrastructure. The attacks appear to be happening at random and at scale. Perdok said he identified at least one account creating hundreds of Pull Requests containing malicious code.
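The report above describes a recognisable shape: a pull request opened from a fork that adds or edits CI workflow files, often in bursts of many PRs from one account. As an added example (not GitHub's or Perdok's code), here is a small triage routine over constructed PR metadata that holds such PRs for a maintainer's review instead of letting CI run them unattended; a real deployment would populate PullRequest from the repository host's API.

```python
"""Triage incoming pull requests for the GitHub Actions abuse pattern:
a fork PR that changes CI workflow definitions, and accounts that open
PRs in bursts. This is an added example working on an in-memory model
of PR metadata; the sample PRs at the bottom are constructed.
"""
from collections import Counter
from dataclasses import dataclass

WORKFLOW_DIR = ".github/workflows/"


@dataclass(frozen=True)
class PullRequest:
    number: int
    author: str
    from_fork: bool                  # head branch lives in a fork, not in this repo
    changed_files: tuple[str, ...]


def touches_workflows(pr: PullRequest) -> bool:
    """True if the PR adds, edits or removes any workflow definition."""
    return any(path.startswith(WORKFLOW_DIR) for path in pr.changed_files)


def triage(prs: list[PullRequest], burst_threshold: int = 5) -> dict[int, list[str]]:
    """Map PR number -> reasons it should be held for manual review.

    PRs that are not in the returned dict can go through the normal path.
    burst_threshold is an assumed tuning knob: how many PRs from one
    author within the window being examined count as a burst.
    """
    prs_per_author = Counter(pr.author for pr in prs)
    held: dict[int, list[str]] = {}
    for pr in prs:
        reasons = []
        # The exact pattern from the report: workflow changes arriving from a fork.
        if pr.from_fork and touches_workflows(pr):
            reasons.append("fork PR changes CI workflow files")
        # One account filing hundreds of PRs is the other signal the report names.
        if prs_per_author[pr.author] >= burst_threshold:
            reasons.append(f"author opened {prs_per_author[pr.author]} PRs in this window")
        if reasons:
            held[pr.number] = reasons
    return held


# Constructed sample (not real PRs or accounts).
SAMPLE_PRS = [
    PullRequest(101, "regular-contributor", True, ("src/parser.rs", "README.md")),
    PullRequest(102, "team-member", False, (".github/workflows/ci.yml",)),
    PullRequest(103, "drive-by", True, (".github/workflows/build.yml", "src/lib.rs")),
] + [
    PullRequest(200 + i, "burst-account", True, (".github/workflows/ci.yml",))
    for i in range(6)
]


if __name__ == "__main__":
    for number, reasons in sorted(triage(SAMPLE_PRS).items()):
        print(f"PR #{number}: hold for review ({'; '.join(reasons)})")
```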

Programming

Node.js Rival Deno Gets Seed Capital For Full-time Deno Engineers (infoworld.com) 74

"The creators of Deno have formed the Deno Company, a business venture around the JavaScript/TypeScript runtime and rival to Node.js," reports InfoWorld: In a bulletin on March 29, Deno creator Ryan Dahl and Bert Belder, both of whom also led the development of Node.js, announced the formation of the company and said they had $4.9 million in seed capital, enough to pay for a staff of full-time engineers working to improve Deno...

Dahl and Belder said that, while they planned to pursue commercial applications of Deno, Deno itself would remain MIT-licensed, adding that for Deno to be maximally useful it must remain permissively free. "Our business will build on the open source project, not attempt to monetize it directly," the Deno authors said.

From their announcement: We find server-side JavaScript hopelessly fragmented, deeply tied to bad infrastructure, and irrevocably ruled by committees without the incentive to innovate. As the browser platform moves forward at a rapid pace, server-side JavaScript has stagnated. Deno is our attempt to breathe new life into this ecosystem...

Not every use-case of server-side JavaScript needs to access the file system; our infrastructure makes it possible to compile out unnecessary bindings. This allows us to create custom runtimes for different applications: Electron-style GUIs, Cloudflare Worker-style Serverless Functions, embedded scripting for databases, etc.

Programming

Turing Award Goes To Creators of Computer Programming Building Blocks (nytimes.com) 48

Jeffrey Ullman and Alfred Aho developed many of the fundamental concepts that researchers use when they build new software. From a report: When Alfred Aho and Jeffrey Ullman met while waiting in the registration line on their first day of graduate school at Princeton University in 1963, computer science was still a strange new world. Using a computer required a set of esoteric skills typically reserved for trained engineers and mathematicians. But today, thanks in part to the work of Dr. Aho and Dr. Ullman, practically anyone can use a computer and program it to perform new tasks. On Wednesday, the Association for Computing Machinery, the world's largest society of computing professionals, said Dr. Aho and Dr. Ullman would receive this year's Turing Award for their work on the fundamental concepts that underpin computer programming languages. Given since 1966 and often called the Nobel Prize of computing, the Turing Award comes with a $1 million prize, which the two academics and longtime friends will split. Dr. Aho and Dr. Ullman helped refine one of the key components of a computer: the "compiler" that takes in software programs written by humans and turns them into something computers can understand.

Over the past five decades, computer scientists have built increasingly intuitive programming languages, making it easier and easier for people to create software for desktops, laptops, smartphones, cars and even supercomputers. Compilers ensure that these languages are efficiently translated into the ones and zeros that computers understand. Without their work, "we would not be able to write an app for our phones," said Krysta Svore, a researcher at Microsoft who studied with Mr. Aho at Columbia University, where he was chairman of the computer science department. "We would not have the cars we drive these days." The researchers also wrote many textbooks and taught generations of students as they defined how computer software development was different from electrical engineering or mathematics. "Their fingerprints are all over the field," said Graydon Hoare, the creator of a programming language called Rust. He added that two of Dr. Ullman's books were sitting on the shelf beside him. After leaving Princeton, both Dr. Aho, a Canadian by birth who is 79, and Dr. Ullman, a native New Yorker who is 78, joined the New Jersey headquarters of Bell Labs, which was then one of the world's leading research labs.

Databases

SEGA Lawyers Demand 'Immediate Suspension' of Steam Database Over Alleged Piracy (torrentfreak.com) 66

An anonymous reader quotes a report from TorrentFreak: The popular and entirely legal Steam Database has found itself in a precarious position following two erroneous DMCA notices from SEGA. Steam Database's host is being asked to suspend the platform due to a claimed lack of response to the first notice. This prompted the site to take down entirely legal content in an effort to address the problem. [...]

TorrentFreak was able to review the notice sent by SEGA to SteamDB's host and it pulls no punches. SEGA doubles down by stating that SteamDB is illegally distributing the game Yakuza: Like a Dragon, noting that it has tried to inform SteamDB but was "not able" to resolve the issue. Worryingly, it then implies that legal action might be taken against SteamDB for non-compliance, adding that the host should "immediately suspend" SteamDB due to the alleged ongoing infringement. Which, of course, is not taking place.

This puts SteamDB's host in a tough position. Failure to act against an allegedly infringing customer can put the host at risk in terms of liability but disabling a customer's website can cause a whole new set of problems, especially when that customer has not infringed anyone's rights. In an effort to sort the problem out, SteamDB's host asked for additional input from the operators of SteamDB but nevertheless warned that if that information was not received, it may still block the SteamDB server within 24 hours, as demanded in the SEGA takedown notice. In order to defuse the situation, SteamDB took down the allegedly-infringing page which as far as SEGA goes (and at least in theory) should solve the disconnection threat problem. However, the entire situation has proven counterproductive for SEGA too.

Programming

Apple's WWDC Stays Online-Only, Kicking Off June 7 (techcrunch.com) 17

Apple this morning announced that it will be returning to an all-virtual format for a second year. The company went online-only for the first time in 2020, as Covid-19 ground in-person events to a halt. From a report: While vaccine rollouts have begun in much of the world, the return of the in-person event industry still seems iffy for most of the rest of the year. The event will run June 7-11. "We are working to make WWDC21 our biggest and best yet, and are excited to offer Apple developers new tools to support them as they create apps that change the way we live, work, and play," Developer Relations VP Susan Prescott said in a release tied to the news. The virtual format certainly has its advantage -- accessibility being at the top of the list. Apple said last year's was its "biggest ever," and expects roughly 28 million developers from around the world at this one. In addition to not having to deal with traveling -- not to mention the South Bay hotel crunch -- the company offers up free access to the event for all qualified developers.
PHP

PHP's Git Server Hacked To Add Backdoors To PHP Source Code (bleepingcomputer.com) 87

dotancohen writes: Late Sunday night, on March 28, 2021, Nikita Popov, a core PHP committer, released a statement indicating that two malicious commits had been pushed to the php-src Git repository. These commits were pushed to create a backdoor that would have effectively allowed attackers to achieve remote code execution through PHP and an HTTP header. "The incident is alarming considering PHP remains the server-side programming language to power over 79% of the websites on the Internet," adds BleepingComputer.

"In the malicious commits [1, 2] the attackers published a mysterious change upstream, 'fix typo' under the pretense this was a minor typographical correction. However, taking a look at the added line 370 where zend_eval_string function is called, the code actually plants a backdoor for obtaining easy Remote Code Execution (RCE) on a website running this hijacked version of PHP."

According to Popov, the first commit was detected a couple hours after it was made, and the changes were reverted right away. "Although a complete investigation of the incident is ongoing, according to PHP maintainers, this malicious activity stemmed from the compromised git.php.net server, rather than compromise of an individual's Git account," reports BleepingComputer. "As a precaution following this incident, PHP maintainers have decided to migrate the official PHP source code repository to GitHub."
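Both PHP items on this page describe the same trigger: a request containing the string "zerodium" whose "User-Agentt" header (one letter off from the real "User-Agent") is then evaluated. As an added example (not from the reports or from PHP's own code), here is a request inspector a reverse proxy or request-log scanner could use to alert on that shape; the sample requests are constructed and carry no payload.

```python
"""Flag HTTP requests shaped like the trigger for the March 2021 php-src backdoor.

Neither a "User-Agentt" header nor the token "zerodium" belongs in
legitimate traffic, so alerting on them is cheap and low-noise.
Sample requests below are constructed for this example.
"""
from dataclasses import dataclass

TRIGGER = "zerodium"


@dataclass(frozen=True)
class Finding:
    reason: str
    header: str
    value: str


def parse_headers(raw_request: str) -> list[tuple[str, str]]:
    """Split the header block of a raw HTTP/1.1 request into (name, value) pairs.

    A list is returned rather than a dict so duplicate header names survive,
    and each name keeps its original spelling because the spelling is the signal.
    """
    pairs = []
    for line in raw_request.split("\r\n")[1:]:   # element 0 is the request line
        if line == "":
            break                                  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip(), value.strip()))
    return pairs


def inspect_request(raw_request: str) -> list[Finding]:
    """Return one Finding per suspicious header; an empty list means clean."""
    findings = []
    for name, value in parse_headers(raw_request):
        lname = name.lower()
        # A name that starts with "user-agent" but is not exactly "user-agent"
        # covers "User-Agentt" and any similar look-alike spelling.
        if lname.startswith("user-agent") and lname != "user-agent":
            findings.append(Finding("header name mimics User-Agent", name, value))
        # The trigger token, whether it shows up in a header name or a value.
        if TRIGGER in lname or TRIGGER in value.lower():
            findings.append(Finding(f"trigger string '{TRIGGER}'", name, value))
    return findings


# Constructed samples (not captured traffic).
BENIGN_REQUEST = (
    "GET /index.php HTTP/1.1\r\n"
    "Host: www.example.test\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n"
    "Accept: */*\r\n"
    "\r\n"
)

SUSPECT_REQUEST = (
    "GET /index.php HTTP/1.1\r\n"
    "Host: www.example.test\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n"
    "User-Agentt: zerodium<placeholder value, no code here>\r\n"
    "\r\n"
)


if __name__ == "__main__":
    for label, request in (("benign", BENIGN_REQUEST), ("suspect", SUSPECT_REQUEST)):
        hits = inspect_request(request)
        print(f"{label}: {len(hits)} finding(s)")
        for hit in hits:
            print(f"  - {hit.reason}: {hit.header}: {hit.value}")
```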
Security

'Incompetent Developers' Blamed For NZ Patient Privacy Breach of COVID-19 Vaccine Booking Systems (stuff.co.nz) 54

An anonymous reader writes: The New Zealand Ministry of Health has launched a "sweeping review" of the nation's COVID vaccine-booking system, after a data breach led to exposure of personal information for more than 700 patients. A whistleblower reported over the weekend that they could access information about other patients, which was "readily accessible within the public-facing code of the website" -- apparently hard coded.

As a response, the Ministry of Health has ordered a review of all systems made by the developer, Valentia Technologies, which also makes software used by the Ambulance service, many GP practices, and the managed isolation and quarantine system.
"It is not a coding error. It is incompetence. The developer who developed this is incompetent ... This is basic stuff," said the man who spotted the booking system problem.

"The source code of the website flagged a few concerning features, including someone's name, and an NHI number hard coded into the website, for what reason? I don't know," he said. "We could see everyone's details. We skimmed through, we didn't look at names, but their names, dates of birth, NHI numbers for those who entered them, contact details, where they were getting their vaccinations, what time they were vaccinated."

He said it appeared that Canterbury DHB had used a modified internal system to create the booking system. "You can tell by the source code, this was never meant to be a public facing website. This was only for people to use on like iPads, in doctors' surgeries, it was not supposed to be for this."

The Internet

On cURL's 23rd Anniversary, Creator Daniel Stenberg Celebrated With 3D-Printed 'GitHub Steel' Contribution Graph (daniel.haxx.se) 25

This week Swedish developer Daniel Stenberg posted a remarkable reflection on the 23rd anniversary of his command-line data tool, cURL: curl was adopted in Red Hat Linux in late 1998, became a Debian package in May 1999, shipped in Mac OS X 10.1 in August 2001. Today, it is also shipped by default in Windows 10 and in iOS and Android devices. Not to mention the game consoles, Nintendo Switch, Xbox and Sony PS5.

Amusingly, libcurl is used by the two major mobile OSes but not provided as an API by them, so lots of apps, including many extremely large volume apps bundle their own libcurl build: YouTube, Skype, Instagram, Spotify, Google Photos, Netflix etc. Meaning that most smartphone users today have many separate curl installations in their phones.

Further, libcurl is used by some of the most played computer games of all times: GTA V, Fortnite, PUBG mobile, Red Dead Redemption 2 etc.

libcurl powers media players and set-top boxes such as Roku, Apple TV by maybe half a billion TVs.

curl and libcurl ship in virtually every Internet server and are the default transfer engine in PHP, which is found in almost 80% of the world's almost two billion websites.

Cars are Internet-connected now. libcurl is used in virtually every modern car these days to transfer data to and from the vehicles.

Then add media players, kitchen and medical devices, printers, smart watches and lots of "smart" IoT things. Practically speaking, just about every Internet-connected device in existence runs curl.

I'm convinced I'm not exaggerating when I claim that curl exists in over ten billion installations world-wide...

Those 300 lines of code in late 1996 have grown to 172,000 lines in March 2021.

Stenberg attributes cURL's success to persistence. "We hold out. We endure and keep polishing. We're here for the long run. It took me two years (counting from the precursors) to reach 300 downloads. It took another ten or so until it was really widely available and used." But he adds that 22 different CPU architectures and 86 different operating systems are now known to have run curl.

In a later blog post titled "GitHub Steel," Stenberg also reveals that GitHub gave him a 3D-printed steel version of his 2020 GitHub contribution matrix — accompanied by a friendly note. "Please accept this small gift as a token of appreciation on behalf of all of us here at GitHub, and everyone who benefits from your work."

Programming

Will Programming by Voice Be the Next Frontier in Software Development? (ieee.org) 119

Two software engineers with injuries or chronic pain conditions have both started voice-coding platforms, reports IEEE Spectrum. "Programmers utter commands to manipulate code and create custom commands that cater to and automate their workflows." The voice-coding app Serenade, for instance, has a speech-to-text engine developed specifically for code, unlike Google's speech-to-text API, which is designed for conversational speech. Once a software engineer speaks the code, Serenade's engine feeds that into its natural-language processing layer, whose machine-learning models are trained to identify and translate common programming constructs to syntactically valid code...

Talon has several components to it: speech recognition, eye tracking, and noise recognition. Talon's speech-recognition engine is based on Facebook's Wav2letter automatic speech-recognition system, which [founder Ryan] Hileman extended to accommodate commands for voice coding. Meanwhile, Talon's eye tracking and noise-recognition capabilities simulate navigating with a mouse, moving a cursor around the screen based on eye movements and making clicks based on mouth pops. "That sound is easy to make. It's low effort and takes low latency to recognize, so it's a much faster, nonverbal way of clicking the mouse that doesn't cause vocal strain," Hileman says...

Open-source voice-coding platforms such as Aenea and Caster are free, but both rely on the Dragon speech-recognition engine, which users will have to purchase themselves. That said, Caster offers support for Kaldi, an open-source speech-recognition tool kit, and Windows Speech Recognition, which comes preinstalled in Windows.

Open Source

FreeBSD's Close Call: How Flawed Code Almost Made It Into the Kernel (arstechnica.com) 60

"40,000 lines of flawed code almost made it into FreeBSD's kernel," writes Ars Technica, reporting on what happened when the CEO of Netgate, which makes FreeBSD-powered routers, decided it was time for FreeBSD to enjoy the same level of in-kernel WireGuard support that Linux does. The issue arose after Netgate offered a burned-out developer a contract to port WireGuard into the FreeBSD kernel (where Netgate could then use it in the company's popular pfSense router distribution): [The developer] committed his port — largely unreviewed and inadequately tested — directly into the HEAD section of FreeBSD's code repository, where it was scheduled for incorporation into FreeBSD 13.0-RELEASE. This unexpected commit raised the stakes for WireGuard founding developer Jason Donenfeld, whose project would ultimately be judged on the quality of any production release under the WireGuard name. Donenfeld identified numerous problems...but rather than object to the port's release, Donenfeld decided to fix the issues. He collaborated with FreeBSD developer Kyle Evans and with Matt Dunwoodie, an OpenBSD developer who had worked on WireGuard for that operating system...

How did so much sub-par code make it so far into a major open source operating system? Where was the code review which should have stopped it? And why did both the FreeBSD core team and Netgate seem more focused on the fact that the code was being disparaged than its actual quality?

There's more to the story, but ultimately Ars Technica confirmed the presence of multiple buffer overflows, printf statements that are still being triggered in production, and even an empty validation function that always returns true rather than actually validating the data. The original developer argued the real issue is an absence of quality reviewers, but Ars Technica sees a larger problem. "There seems to be an absence of process to ensure quality code review." Several FreeBSD community members would only speak off the record. In essence, most seem to agree, you either have a commit bit (enabling you to commit code to FreeBSD's repositories) or you don't. It's hard to find code reviews, and there generally isn't a fixed process ensuring that vitally important code gets reviewed prior to inclusion. This system thus relies heavily on the ability and collegiality of individual code creators.
Ars Technica published this statement from the FreeBSD Core Team: Core unconditionally values the work of all contributors, and seeks a culture of cooperation, respect, and collaboration. The public discourse over WireGuard in the past week does not meet these standards and is damaging to our community if not checked. As such, WireGuard development for FreeBSD will now proceed outside of the base system. For those who wish to evaluate, test, or experiment with WireGuard, snapshots will be available via the ports and package systems.

As a project, we remain committed to continually improving our development process. We'll also continue to refine our tooling to make code reviews and continuous integration easier and more effective. The Core Team asks that the community use these tools and work together to improve FreeBSD.

Ars Technica applauds the efforts — while remaining concerned about the need for them. "FreeBSD is an important project that deserves to be taken seriously. Its downstream consumers include industry giants such as Cisco, Juniper, NetApp, Netflix, Sony, Sophos, and more. The difference in licensing between FreeBSD and Linux gives FreeBSD a reach into many projects and spaces where the Linux kernel would be a difficult or impossible fit."

Programming

Progress Continues On Recreating the Babbage Programmable Computer (plan28.org) 12

Long-time Slashdot reader RockDoctor writes: A project to create a working example of [English mathematician and computer pioneer Charles Babbage's] original "steampunk computer," referred to by Babbage as the "Analytical Engine 30," is continuing. The update comes via a "Spring 2021 report" to the Computer Conservation Society.

The main news is that a new series of plans, dating from about 1857, have been found and are being examined for incorporation into the final design. "One remarkable feature is the extension of the Store to 1000 registers, and most intriguingly various methods of mechanically addressing the store contents," reads the update. This would compare well with electronic processor design... not that anyone is expecting this machine, when built, to be blisteringly fast.

Could a steam-powered Analytical Engine support backup DNS services in a post-apocalyptic world? Is this Cloudflare's ultimate plan?

Programming

Apple Says iOS Developers Have 'Multiple' Ways of Reaching Users and Are 'Far From Limited' To Using Only the App Store 98

As it faces a barrage of probes and investigations regarding the App Store and the distribution of apps on its devices, Apple has told Australia's consumer watchdog that developers have "multiple" ways to reach iOS users and claims that they are "far from limited" to simply using the App Store. From a report: In a new filing responding to concerns from the Australian Competition & Consumer Commission that it exploits "alleged market power in its role as a distributor of apps," Apple highlights multiple avenues that developers can take to reach customers. Specifically, Apple points out that the "whole web" exists as an alternative means of distribution, arguing that the web has become a platform unto itself. Apple supports this claim by noting that iOS devices have "unrestricted and uncontrolled" access to the web, allowing users to download web apps. Apple says: Web browsers are used not only as a distribution portal but also as platforms themselves, hosting "progressive web applications" (PWAs) that eliminate the need to download a developer's app through the App Store (or other means) at all. PWAs are increasingly available for and through mobile-based browsers and devices, including on iOS. [...] As explained further below, Apple faces competitive constraints from distribution alternatives within the iOS ecosystem (including developer websites and other outlets through which consumers may obtain third-party apps and use them on their iOS devices) and outside iOS. Prominent iOS developer Marco Arment commented on Apple's argument, saying: LOL

Programming

Rust Takes 'Tentative First Step' Toward Linux Kernel (thenewstack.io) 120

In his This Week in Programming column, Mike Melanson writes: Rustaceans' dreams of Rust's inclusion in the Linux kernel are one tiny, ever so slight step closer to becoming a reality, with this week's "intentionally bare-bones" inclusion in Linux-next, the development branch of the Linux kernel... Curb your enthusiasm, however, as this remains a rather tentative first step of many necessary steps before Rust fully lands in the Linux kernel.

A rather brief post on LWN.net summarizes where we are rather succinctly:

Followers of the linux-next integration tree may have noticed a significant addition: initial support for writing device drivers in the Rust language. There is some documentation in Documentation/rust, while the code itself is in the rust top-level directory. Appearance in linux-next generally implies readiness for the upcoming merge window, but it is not clear if that is the case here; this code has not seen a lot of wider review yet. It is, regardless, an important step toward the ability to write drivers in a safer language.

Indeed, Miguel Ojeda, a software developer and maintainer of the Rust for Linux project, writes that the proposed inclusion "does not mean we will make it into mainline, of course, but it is a nice step to make things as smooth as possible," with some changes expected before any decision as to Rust's inclusion is made.

For those of you less familiar with Rust, part of the appeal here comes with Rust's memory safety features, especially in comparison to C, which the Linux kernel is currently coded in. Part of the problem, however, is that Rust is compiled based on LLVM, as opposed to GCC, and subsequently supports fewer architectures. This is a problem we've seen play out recently, as the Python cryptography library has replaced some old C code with Rust, leading to a situation where certain architectures will not be supported. Presently, the proposal to include Rust in the Linux kernel limits this issue by saying that Rust would be used, at least initially, for writing drivers that, as noted in another LWN.net article on the topic, "would never be used on the more obscure architectures anyway."

The Courts

iOS Developer Who Drew Attention To App Store Scams is Now Suing Apple (theverge.com) 6

Mobile app developer Kosta Eleftheriou, who publicly called out Apple earlier this year for negligence with regard to policing iOS scams and copycat apps on the App Store, has filed a lawsuit against the iPhone maker in California. From a report: He's accusing the company of exploiting its monopoly power over iOS apps "to make billions of dollars in profits at the expense of small application developers and consumers." Eleftheriou's company KPAW LLC, which he co-owns with his partner Ashley Eleftheriou, filed its complaint in Santa Clara County on Wednesday. It details the development and release timeline of Eleftheriou's Apple Watch keyboard app FlickType. At the time he began accusing Apple of abetting App Store scams early last month, Eleftheriou revealed that his FlickType app had been targeted by competing software he says either didn't work well or didn't work at all, and yet nonetheless chipped away at his sales and App Store rankings through false advertising and the purchase of fake reviews. After he complained, he said Apple did not do enough to combat the scams, though Apple did later remove some of the apps he called attention to.

Google

Google Play Drops Commissions To 15% from 30%, Following Apple's Move Last Year 50

Google will lower its Play commissions globally for developers that sell in-app digital goods and services on its marquee store, the company said, following a similar move by rival Apple late last year. From a report: The Android-maker said on Tuesday that starting July 1, it is reducing the service fee for Google Play to 15% -- down from 30% -- for the first $1 million of revenue developers earn using Play's billing system each year. The company will levy a 30% cut on every dollar developers generate through Google Play beyond the first $1 million in a year, it said. Citing its own estimates, Google said 99% of developers that sell goods and services with Play will see a 50% reduction in fees, and that 97% of apps globally do not sell digital goods or pay any service fee.

Google's new approach is slightly different from Apple's, which last year said it would collect 15% rather than 30% of App Store sales from companies that generate no more than $1 million in revenue through the company's platform. That drop doesn't apply to iOS apps if a developer's revenue on Apple's platform exceeds $1 million. "We've heard from our partners making $2 million, $5 million and even $10 million a year that their services are still on a path to self-sustaining orbit," wrote Sameer Samat, VP of Android and Google Play, in a blog post.

Security

WeLeakInfo Leaked Customer Payment Info (krebsonsecurity.com) 14

A lapsed domain registration tied to WeLeakInfo, a wildly popular service that sold access to more than 12 billion usernames and passwords from thousands of hacked websites, "let someone plunder and publish account data on 24,000 customers who paid to access the service with a credit card," reports Krebs on Security. This comes after the service was seized a little over a year ago by the FBI and law enforcement partners overseas. From the report: In a post on the database leaking forum Raidforums, a regular contributor using the handle "pompompurin" said he stole the WeLeakInfo payment logs and other data after noticing the domain wli[.]design was no longer listed as registered. "Long story short: FBI let one of weleakinfo's domains expire that they used for the emails/payments," pompompurin wrote. "I registered that domain, & was able to [password] reset the stripe.com account & get all the Data. [It's] only from people that used stripe.com to checkout. If you used paypal or [bitcoin] ur all good."

Cyber threat intelligence firm Flashpoint obtained a copy of the data leaked by pompompurin, and said it includes partial credit card data, email addresses, full names, IP addresses, browser user agent string data, physical addresses, phone numbers, and amount paid. One forum member commented that they found their own payment data in the logs.

Databases

Tinder Users Will Soon Be Able To Access a Background Check Database (engadget.com) 69

Tinder and Match have announced a new partnership with Garbo, a non-profit, female-founded background check platform. In theory, it should allow Tinder (and Match Group's other sites) to ping Garbo's database and proactively show users when it finds something they might want to be aware of. Engadget reports: If you're not familiar with Garbo, it was founded by Kathryn Kosmides, a "survivor of gender-based violence" who wanted to make it easier to find information about people you may connect with online. Garbo's platform aggregates numerous data sources to provide details on an individual, including "arrests, convictions, restraining orders, harassment, and other violent crimes." The organization's site says that oftentimes, you don't even need a last name to find some details on an individual -- a first name and phone number will work.

As part of the deal, Garbo's platform will be available to people using Match Group apps, starting with Tinder later this year. [...] Garbo cites making ridesharing services safer as another core initiative for the non-profit in addition to working with dating services, so it wouldn't surprise us to see a similar partnership appear between Garbo and companies like Uber or Lyft -- but for now, it's starting with Tinder.

Programming

After 20 Years, Have We Achieved the Vision of the Agile Manifesto? (zdnet.com) 205

"We are uncovering better ways of developing software by doing it and helping others do it," declared the Agile Manifesto, nearly 20 years ago. "Through this work we have come to value..."

* Individuals and interactions over processes and tools
* Working software over comprehensive documentation
* Customer collaboration over contract negotiation
* Responding to change over following a plan

Today a new ZDNet article asks how far the tech industry has come in achieving the vision of its 12 principles — and why Agile is often "still just a buzzword." The challenge arises "because many come to agile as a solution or prescription, rather than starting with the philosophy that the Agile Manifesto focused on," says Bob Ritchie, VP of Software at SAIC. "Many best practices such as automated test-driven development, automated builds, deployments, and rapid feedback loops are prevalent in the industry. However, they are frequently still unmoored from the business and mission objectives due to that failure to start with why."

Still, others feel we're still nowhere near achieving the vision of the original Agile Manifesto. "Absolutely not at a large scale across enterprises," says Brian Dawson, DevOps evangelist with CloudBees. "We are closer and more aware, but we are turning a tanker and it is slow and incremental. In start-ups, we are seeing much more of this; that is promising because they are the enterprises of the future." Agile initiatives "all too often are rolled out from, and limited to, project planning or the project management office. To support agile and DevOps transformation, agile needs to be implemented with all stakeholders."

Some organizations turn to agile "as a panacea to increase margins by cutting cost with a better, shinier development process," Ritchie cautions. "Others go even further by weaponizing popular metrics associated with agile capacity planning such as velocity and misclassifying it as a performance metric for an individual or team. In these circumstances, the promises of the manifesto are almost certainly missed as opportunities to engage and collaborate give way to finger pointing, blame, and burnout." What's missing from many agile initiatives is "ways to manage what you do based on value and outcomes, rather than on measuring effort and tasks," says Morris. "We've seen the rise of formulaic 'enterprise agile' frameworks that try to help you to manage teams in a top-down way, in ways that are based on everything on the right of the values of the Agile Manifesto. The manifesto says we value 'responding to change over following a plan,' but these frameworks give you a formula for managing plans that don't really encourage you to respond to change once you get going."

Data Storage

7-Zip Developer Releases the First Official Linux Version (bleepingcomputer.com) 87

An official version of the popular 7-zip archiving program has been released for Linux for the first time. Bleeping Computer reports: Linux already had support for the 7-zip archive file format through a POSIX port called p7zip but it was maintained by a different developer. As the p7zip developer has not maintained their project for 4-5 years, 7-Zip developer Igor Pavlov decided to create a new official Linux version based on the latest 7-Zip source code. Pavlov has released 7-Zip for Linux in AMD64, ARM64, x86, and armhf versions, which users can download [via their respective links].

"These new 7-Zip binaries for Linux were linked (compiled) by GCC without -static switch. And compiled 32-bit executables (x86 and armhf) didn't work on some arm64 and amd64 systems, probably because of missing of some required .so files." "Please write here, if you have some advices how to compile and link binaries that will work in most Linux systems," Pavlov stated on his release page.

Databases

Uber and Lyft Create a Shared Database of Drivers Banned For Assault (engadget.com) 124

Uber and Lyft will work together to share information on US drivers and delivery people accused of physical and sexual assault to ensure those individuals are banned on both platforms, the two companies announced on Thursday in separate blog posts. Engadget reports: HireRight, a company that specializes in conducting background checks, will oversee the Industry Sharing Safety Program database. Other transportation and delivery companies in the US will have the chance to contribute and access the database as long as they adhere to the same data accuracy and privacy policies that Uber and Lyft must follow.

"We want to share this information with each other and hopefully in the near future with other companies, so that our peers in this space can be informed and make decisions for their own platforms to keep those platforms safe," Jennifer Brandenburger, Lyft's head of policy development, told NBC News. The database won't include information on victims. Additionally, the incident that landed a driver in the database will fall in broad categories.

Cloud

iCloud Allegedly Locked Out User Whose Last Name is a Boolean Value (engadget.com) 208

"iCloud has had the occasional service issue, but its latest problem appears to be highly... specific," writes Engadget: Actor and author Rachel True claims iCloud has effectively locked her out of her account due to the way her last name was written. Reportedly, her Mac thought lower-case "true" was a Boolean (true or false) flag, leading the iCloud software on the computer to seize up. The problem has persisted for over six months, she said.

True said she'd spent hours talking to customer service, and that Apple hadn't stopped charging her for service. She could switch to the free tier, although she'd also lose most of her online storage if she did.

True has apparently resorted to imploring desperately in tweets to both @Apple and @AppleSupport. "Now that I a layman have explained problem to you a giant computer company, could u fix...?"

"A thing I've learned about life so far is I hate being the test case."

"When I get a dog I'm naming it Boolean Bobby Drop Tables True"
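The underlying bug class here is type coercion by value sniffing: a layer that guesses a field's type from its text will turn the surname "true" into a boolean, "Null" into a missing value, and "007" into an integer, and every layer downstream then mishandles the record. As an added illustration (not code from Engadget, Apple or Ms. True's report), the Python below puts the fragile sniffing parser beside a schema-driven one that converts only fields declared as bool or int and never reinterprets a declared string. The schema, field names and sample form are constructed for this example.

```python
from typing import Any, Dict


def sniff_coerce(value: str) -> Any:
    """Guess a type from the text of a field. This is the fragile behaviour:
    it cannot tell a surname from a keyword."""
    lowered = value.strip().lower()
    if lowered in ("true", "false"):
        return lowered == "true"
    if lowered in ("null", "none", "nil", ""):
        return None
    if lowered.lstrip("-").isdigit():
        return int(lowered)
    return value


def parse_by_sniffing(form: Dict[str, str]) -> Dict[str, Any]:
    """Apply the guess to every field regardless of what the field means."""
    return {k: sniff_coerce(v) for k, v in form.items()}


# Declared type for each profile field (constructed schema for this example).
PROFILE_SCHEMA = {"first_name": str, "last_name": str, "marketing_opt_in": bool, "storage_gb": int}


def coerce_to(value: str, typ: type) -> Any:
    """Convert according to the declared type only; a declared str is returned untouched."""
    if typ is bool:
        lowered = value.strip().lower()
        if lowered not in ("true", "false"):
            raise ValueError(f"expected true/false, got {value!r}")
        return lowered == "true"
    if typ is int:
        return int(value)
    return value


def parse_by_schema(form: Dict[str, str], schema: Dict[str, type] = PROFILE_SCHEMA) -> Dict[str, Any]:
    """Reject fields the schema does not know, then convert each by its declared type."""
    unknown = set(form) - set(schema)
    if unknown:
        raise ValueError(f"unexpected fields: {sorted(unknown)}")
    return {k: coerce_to(v, schema[k]) for k, v in form.items()}


# Constructed sample submission: the surname is the literal word "true".
SAMPLE_FORM = {"first_name": "Rachel", "last_name": "true",
               "marketing_opt_in": "true", "storage_gb": "200"}

if __name__ == "__main__":
    print("sniffing:", parse_by_sniffing(SAMPLE_FORM))   # last_name becomes the boolean True
    print("schema:  ", parse_by_schema(SAMPLE_FORM))     # last_name stays the string "true"
```

The schema version is also the one that fails safely: an unexpected field or a non-boolean value in a boolean field raises at the input boundary instead of being silently turned into something else.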

Security

How a Malicious Actor Targeted a Go Package On GitHub (michenriksen.com) 26

ArghBlarg (Slashdot reader #79,067) shares some research from a senior application security engineer at GitLab: Michael Henrikson describes his investigations into Go package manager "supply chain" attacks and found at least one very suspicious package, typosquatting on one of the most popular logging libraries. The imposter package phones home to an IP he alleges belongs to the Chinese company Tencent. That is a good case for always going over your package imports, in any language, and ensuring you're either a) auditing them regularly, or b) keeping frozen vendored copies which you can trust.
From the article: I honestly expected the list to be bigger, but I was of course happy to see that the Go ecosystem isn't completely infested (yet) with malicious typosquat packages...

It looks like the author utfave wants to know the hostname, operating system, and architecture of all the machines using their version of urfave/cli. The function extracts the system information and then calls out to the IP address 122.51.124.140 belonging to the Chinese company Shenzhen Tencent Computer Systems via HTTP with the system information added as URL parameters. While this code won't give them any access to systems, it's highly suspicious that they collect this information and the actor can quickly change this code to call back with a reverse shell if they identify a system to be valuable or interesting...

I think Go is in a better situation than other programming languages because the source of packages is always explicitly written every time they are used, but code editor automation could make typosquat attacks more likely to happen as the developer doesn't write the import paths manually as often.
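The "audit your imports" advice above can be made routine with a small check over go.mod. What follows is an added example, not code from Henrikson's article or from the Go project: a Python script that parses the require directives of a go.mod, compares each module path against an allowlist of modules the team has already reviewed, and flags any path that is not on the list but sits within a small edit distance of one that is (the utfave/urfave substitution from the article is one character). The allowlist and the sample go.mod are constructed for this example. Because the comparison is done on lowercased paths, a case-only variant of a trusted module (github.com/Sirupsen/logrus versus github.com/sirupsen/logrus, a confusion that really has bitten Go users) is also flagged rather than passed as unknown.

```python
import re

# Modules the team has reviewed and pinned (constructed allowlist for this example).
TRUSTED_MODULES = {
    "github.com/urfave/cli",
    "github.com/sirupsen/logrus",
    "golang.org/x/crypto",
}

REQUIRE_LINE = re.compile(r"^([A-Za-z0-9._~/-]+)\s+(v\S+)")


def parse_go_mod_requires(text: str) -> list:
    """Return [(module_path, version)] from both single-line and block require directives."""
    reqs, in_block = [], False
    for line in text.splitlines():
        s = line.split("//", 1)[0].strip()          # drop trailing comments such as "// indirect"
        if not s:
            continue
        if s == "require (":
            in_block = True
            continue
        if in_block and s == ")":
            in_block = False
            continue
        if s.startswith("require "):
            s = s[len("require "):]
        elif not in_block:
            continue                                  # module, go, replace ... lines are not requires
        m = REQUIRE_LINE.match(s)
        if m:
            reqs.append((m.group(1), m.group(2)))
    return reqs


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap adjacent characters."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def audit_modules(go_mod_text: str, trusted=TRUSTED_MODULES, max_distance: int = 2) -> dict:
    """Classify every required module as 'trusted', 'typosquat?' (near a trusted name) or 'unknown'.
    The value is (status, closest_trusted_module_or_None)."""
    report = {}
    for path, _version in parse_go_mod_requires(go_mod_text):
        if path in trusted:
            report[path] = ("trusted", None)
            continue
        near = {t: edit_distance(path.lower(), t.lower()) for t in trusted}
        closest = min(near, key=near.get)
        if near[closest] <= max_distance:
            report[path] = ("typosquat?", closest)
        else:
            report[path] = ("unknown", None)
    return report


# Constructed go.mod: one typosquat candidate, one trusted module, one unreviewed module.
SAMPLE_GO_MOD = """\
module example.com/constructed/app

go 1.16

require (
	github.com/utfave/cli v1.22.5       // one letter away from github.com/urfave/cli
	github.com/sirupsen/logrus v1.8.1
	github.com/some-org/obscure v0.3.0  // never reviewed by the team
)
"""

if __name__ == "__main__":
    for path, (status, closest) in audit_modules(SAMPLE_GO_MOD).items():
        print(f"{status:11} {path}" + (f"  (did you mean {closest}?)" if closest else ""))
```

Run it in CI against the committed go.mod and fail the build on any "typosquat?" entry; "unknown" entries are the ones that need a reviewer before they join the allowlist.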

Programming

JavaScript- (Not Python-) Defined Neural Networks? Deno 1.8 Supports WebGPU (infoq.com) 51

InfoQ reports: Deno 1.8 recently shipped with plenty of new features, including WebGPU support, internationalization APIs, stabilized import maps, support for fetching private modules, and more. The Deno permissions API is now stable. Deno 1.8 additionally ships with TypeScript 4.2.

The release note explained the motivation behind the support for the WebGPU APIs as follows:

These days, most neural networks are defined in Python with the computation offloaded to GPUs. We believe JavaScript, instead of Python, could act as an ideal language for expressing mathematical ideas if the proper infrastructure existed. Providing WebGPU support out-of-the-box in Deno is a step in this direction. Our goal is to run Tensorflow.js on Deno, with GPU acceleration. We expect this to be achieved in the coming weeks or months.

WebGPU is an API originally proposed by Apple that exposes the GPU computation functionality available on many devices. WebGPU may provide better performance than WebGL in tasks that benefit from parallel processing — as often occurs in scientific computing, machine learning, graphics and games development...

Deno users can upgrade by running deno upgrade in a terminal.

Perl

The One-Week Hijacking of Perl.com - Explained (perl.com) 10

"For a week we lost control of the Perl.com domain," a long-running site offering news and articles about the programming language, writes the site's senior editor, brian d foy.

"Now that the incident has died down, we can explain some of what happened and how we handled it." This incident only affected the domain ownership of Perl.com and there was no other compromise of community resources. This website was still there, but DNS was handing out different IP numbers...

Recovering the domain wasn't the end of the response though. While the domain was compromised, various security products had blacklisted Perl.com and some DNS servers had sinkholed it. We figured that would naturally work itself out, so we didn't immediately celebrate the return of Perl.com. We wanted it to be back for everyone. And, I think we're fully back. However, if you have problems with the domain, please raise an issue so we at least know it's not working for part of the internet.

What we think happened

This part veers into some speculation, and Perl.com wasn't the only victim. We think that there was a social engineering attack on Network Solutions, including phony documents and so on. There's no reason for Network Solutions to reveal anything to me (again, I'm not the injured party), but I did talk to other domain owners involved and this is the basic scheme they reported. John Berryhill provided some forensic work on Twitter that showed the compromise actually happened in September. The domain was transferred to the BizCN registrar in December, but the nameservers were not changed. The domain was transferred again in January to another registrar, Key Systems, GmbH. This latency period avoids immediate detection, and bouncing the domain through a couple of registrars makes the recovery much harder...

Once transferred to Key Systems in late January, the new, fraudulent registrant listed the domain (along with others) on Afternic (a domain marketplace). If you had $190,000, you could have bought Perl.com. This was quickly de-listed after The Register made inquiries.

"I think we were very fortunate here and that many people with a soft spot in their hearts for Perl did a lot of good work for us," the article notes. "All sides understood that Perl.com belonged to Tom and it was a simple matter of work to resolve it. A relatively unknown domain name might not fare as well in proving they own it..."

But again, the incident ended happily, foy writes, and "The Perl.com domain is back in the hands of Tom Christiansen and we're working on the various security updates so this doesn't happen again. The website is back to how it was and slightly shinier for the help we received."
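The detail that made this hijacking slow to notice is that the registrar changed months before the nameservers did, so anyone watching only DNS saw nothing. A domain monitor therefore has to track registration state (registrar, transfer lock) as well as what DNS answers. The Python below is an added example, not anything from Perl.com's write-up or from any registrar: it compares consecutive snapshots of a domain's registrar, EPP status codes, nameservers and apex A records, and treats a registrar change or loss of the clientTransferProhibited lock as critical on its own even when DNS is untouched. The snapshot history is constructed for this example (the registrar names and addresses are placeholders), loosely following the timeline described above; fetching real snapshots from RDAP/WHOIS and DNS is left to the caller.

```python
from dataclasses import dataclass

TRANSFER_LOCK = "clientTransferProhibited"   # EPP status that blocks registrar transfers


@dataclass(frozen=True)
class DomainSnapshot:
    """One periodic observation of a domain's registration and DNS state."""
    taken: str                 # ISO date of the observation
    registrar: str
    nameservers: frozenset
    statuses: frozenset        # EPP status codes reported by the registry
    a_records: frozenset       # what public DNS currently answers for the apex


def compare(prev: DomainSnapshot, curr: DomainSnapshot) -> list:
    """Return (severity, field, old, new) for every attribute that moved.
    Registrar changes and loss of the transfer lock are critical by themselves,
    because, as the case above shows, they can precede any DNS change by months."""
    alerts = []
    if prev.registrar != curr.registrar:
        alerts.append(("critical", "registrar", prev.registrar, curr.registrar))
    if TRANSFER_LOCK in prev.statuses and TRANSFER_LOCK not in curr.statuses:
        alerts.append(("critical", "transfer_lock", "present", "removed"))
    for field in ("nameservers", "a_records"):
        old, new = getattr(prev, field), getattr(curr, field)
        if old != new:
            alerts.append(("high", field, sorted(old), sorted(new)))
    return alerts


def audit_history(snapshots: list) -> dict:
    """Walk consecutive snapshots; map each date on which something changed to its alerts."""
    out = {}
    for prev, curr in zip(snapshots, snapshots[1:]):
        found = compare(prev, curr)
        if found:
            out[curr.taken] = found
    return out


# Constructed history with placeholder registrars and RFC 5737 documentation addresses.
NS = frozenset({"ns1.example-dns.net", "ns2.example-dns.net"})
HISTORY = [
    DomainSnapshot("2020-08-01", "registrar-a", NS, frozenset({TRANSFER_LOCK}), frozenset({"192.0.2.10"})),
    # lock silently dropped; DNS still answers as before
    DomainSnapshot("2020-09-01", "registrar-a", NS, frozenset(), frozenset({"192.0.2.10"})),
    # moved to another registrar; nameservers deliberately left alone
    DomainSnapshot("2020-12-01", "registrar-b", NS, frozenset(), frozenset({"192.0.2.10"})),
    # moved again, and now DNS finally points somewhere else
    DomainSnapshot("2021-01-28", "registrar-c", frozenset({"ns1.unknown-dns.example"}),
                   frozenset(), frozenset({"198.51.100.7"})),
]

if __name__ == "__main__":
    for date, alerts in audit_history(HISTORY).items():
        for severity, field, old, new in alerts:
            print(f"{date} {severity:8} {field}: {old} -> {new}")
```

With this in place, the September lock removal and the December registrar move each raise a critical alert while DNS is still entirely normal, which is the window in which recovery is cheapest.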

Desktops (Apple)

Visual Studio Code Now Runs Natively On M1 Macs (arstechnica.com) 66

An anonymous reader quotes a report from Ars Technica: Microsoft has released a new version of source-code editor Visual Studio Code that runs natively on Apple Silicon Macs like the MacBook Air, MacBook Pro, and Mac mini models with Apple M1 chips. The change came in Visual Studio Code 1.54 (now 1.54.1, thanks to a bug fix update), which is available as a universal 64-bit binary, as is standard for apps with Apple Silicon support. That said, Microsoft also offers downloads for x86-64 and Arm64 versions specifically, if desired.

There are no differences in features between the two versions, of course. And the non-Apple Silicon version worked just fine on M1 Macs previously via Rosetta, but Microsoft says M1 users can expect a few optimizations with the new binaries: "We are happy to announce our first release of stable Apple Silicon builds this iteration. Users on Macs with M1 chips can now use VS Code without emulation with Rosetta, and will notice better performance and longer battery life when running VS Code. Thanks to the community for self-hosting with the Insiders build and reporting issues early in the iteration." Other key features in Visual Studio Code 1.54 include the ability to retain terminal processes on window reload, performance improvements in the Windows version, product icon themes, improvements when viewing Git history timeline entries, and various accessibility improvements.

Google

Flutter 2: Google's Toolkit For Developers Takes a Big Step Forward (zdnet.com) 22

An anonymous reader quotes a report from ZDNet: Google has announced Flutter 2, a major upgrade to its framework for building user interfaces for mobile, the web and desktop. Flutter promises to allow developers to use the same codebase to build native apps for iOS, Android, Windows 10, macOS, and Linux and for the web on browsers including Chrome, Firefox, Safari or Edge. It can also be embedded in an IoT device with a screen, such as cars, TVs, and home appliances.

The move to Flutter 2 promises to benefit the over 150,000 Flutter Android apps already available on the Play Store. Every app will get a free upgrade with Flutter 2 allowing developers to target desktop and web without rewriting them. Google apps now built with Flutter include Google Pay, Stadia and Google Nest Hub among others. Flutter 2 also brings production quality support for the web, with a focus on progressive web apps (PWAs) that behave like desktop apps, single page apps, and mobile apps on the web. Google has added a new CanvasKit-powered rendering engine built with WebAssembly. For mobile web apps, in recent months it's added autofill, control over address bar URLs and routing, and PWA manifests.

For desktop browsers, it has added interactive scrollbars and keyboard shortcuts, increased the default content density in desktop modes, and added screen reader support for accessibility on Windows, macOS and ChromeOS. Google has been working with Ubuntu maker Canonical to bring Flutter to the desktop. Canonical will make Flutter the default choice for future desktop and mobile apps it creates. Microsoft is also releasing contributions to the Flutter engine that support foldable Android devices, such as the Microsoft Surface Duo.

Programming

Rookie Coding Mistake Prior To Gab Hack Came From Site's CTO (arstechnica.com) 164

An anonymous reader quotes a report from Ars Technica: Over the weekend, word emerged that a hacker breached far-right social media website Gab and downloaded 70 gigabytes of data by exploiting a garden-variety security flaw known as an SQL injection. A quick review of Gab's open source code shows that the critical vulnerability -- or at least one very much like it -- was introduced by the company's chief technology officer. The change, which in the parlance of software development is known as a "git commit," was made sometime in February from the account of Fosco Marotto, a former Facebook software engineer who in November became Gab's CTO. On Monday, Gab removed the git commit from its website. Below is an image showing the February software change, as shown from a site that provides saved commit snapshots.

The commit shows a software developer using the name Fosco Marotto introducing precisely the type of rookie mistake that could lead to the kind of breach reported this weekend. Specifically, line 23 strips the code of "reject" and "filter," which are API functions that implement a programming idiom that protects against SQL injection attacks. This idiom allows programmers to compose an SQL query in a safe way that "sanitizes" the inputs that website visitors enter into search boxes and other web fields to ensure that any malicious commands are stripped out before the text is passed to backend servers. In their place, the developer added a call to the Rails function that contains the "find_by_sql" method, which accepts unsanitized inputs directly in a query string. Rails is a widely used website development toolkit.

"Sadly Rails documentation doesn't warn you about this pitfall, but if you know anything at all about using SQL databases in web applications, you'd have heard of SQL injection, and it's not hard to come across warnings that find_by_sql method is not safe," Dmitry Borodaenko, a former production engineer at Facebook who brought the commit to my attention, wrote in an email. "It is not 100% confirmed that this is the vulnerability that was used in the Gab data breach, but it definitely could have been, and this code change is reverted in the most recent commit that was present in their GitLab repository before they took it offline." Ironically, Fosco in 2012 warned fellow programmers to use parameterized queries to prevent SQL injection vulnerabilities.
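The difference the report describes, between composing a query from sanitized bind values and handing find_by_sql a string with the visitor's input interpolated into it, can be seen without a database by building both statements and comparing their structure. The block below is an added example, not Gab's code or Rails' implementation: quote_literal and bind_sql imitate what a bind-parameter sanitizer does (Rails' own find_by_sql accepts the same array form, `Model.find_by_sql(["... WHERE x = ?", value])`, and sanitizes it), the accounts table and the sample inputs are constructed, and statement_shape is a hypothetical check that a single-field lookup still contains exactly one literal after the input is in place:

```ruby
# Quote a Ruby value as an SQL literal the way a bind-parameter sanitizer does:
# strings are single-quoted with embedded quotes doubled, numbers pass through,
# nil becomes NULL. Anything else is rejected rather than guessed at.
def quote_literal(value)
  case value
  when nil then "NULL"
  when Integer, Float then value.to_s
  when String then "'" + value.gsub("'", "''") + "'"
  else raise ArgumentError, "unsupported bind value: #{value.class}"
  end
end

# Safe path: a template with ? placeholders plus a bind array. Each placeholder
# is replaced by a properly quoted literal, so the input can only ever be data.
def bind_sql(template, binds)
  placeholders = template.count("?")
  unless placeholders == binds.size
    raise ArgumentError, "expected #{placeholders} binds, got #{binds.size}"
  end
  i = -1
  template.gsub("?") { quote_literal(binds[i += 1]) }
end

# Unsafe path: the user-controlled value is interpolated straight into the
# query string, which is the pitfall the article describes. Kept deliberately
# vulnerable so the two outputs can be compared.
def unsafe_search_sql(term)
  "SELECT * FROM accounts WHERE username = '#{term}'"
end

def safe_search_sql(term)
  bind_sql("SELECT * FROM accounts WHERE username = ?", [term])
end

# Replace every well-formed string literal with ? and return the remaining
# statement text. For a one-field lookup the result should equal the template;
# any stray quote or extra clause means the input altered the statement itself.
EXPECTED_SHAPE = "SELECT * FROM accounts WHERE username = ?".freeze

def statement_shape(sql)
  sql.gsub(/'(?:[^']|'')*'/, "?")
end

def shape_preserved?(sql)
  statement_shape(sql) == EXPECTED_SHAPE
end

if $PROGRAM_NAME == __FILE__
  ["O'Brien", "x' OR 1=1 --"].each do |input|
    puts "input: #{input.inspect}"
    puts "  unsafe: #{unsafe_search_sql(input)}  (shape ok: #{shape_preserved?(unsafe_search_sql(input))})"
    puts "  safe:   #{safe_search_sql(input)}  (shape ok: #{shape_preserved?(safe_search_sql(input))})"
  end
end
```

The apostrophe case is the everyday one: a legitimate name breaks the interpolated query outright, while the bound version stores it as written. The second input shows the security consequence of the same defect, since once a value can close the literal it can extend the WHERE clause, which the bound version reduces back to an ordinary string.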

Open Source

Microsoft Launches Power Fx, a New Open Source Low-Code Language (techcrunch.com) 86

Microsoft today announced Power Fx, a new low-code language that "will become the standard for writing logic customization across Microsoft's own low-code Power Platform," reports TechCrunch. "[S]ince the company is open-sourcing the language, Microsoft also hopes others will implement it as well and that it will become the de facto standard for these kinds of use cases." From the report: Microsoft says the language was developed by a team led by Vijay Mital, Robin Abraham, Shon Katzenberger and Darryl Rubin. Beyond Excel, the team also took inspiration from tools and languages like Pascal, Mathematica and Miranda, a functional programming language developed in the 1980s. Microsoft plans to bring Power Fx to all of its low-code platforms, but given the focus on community, it'll start making appearances in Power Automate, Power Virtual Agents and elsewhere soon.

But the team clearly hopes that others will adopt it as well. Low-code developers will see it pop up in the formula bars of products like Power Apps Studio, but more sophisticated users will also be able to use it to go to Visual Studio Code and build more complex applications with it. As the team noted, it focused on not just making the language Excel-like but also having it behave like Excel -- or like a REPL, for you high-code programmers out there. That means formulas are declarative and instantly recalculate as developers update their code.

Python

Do Python Developers Want Static Typing? (infoworld.com) 151

Results were announced this week for the fourth "official annual Python Developers Survey" of over 28,000 developers (in nearly 200 countries) conducted by the Python Software Foundation and JetBrains.

85% of the survey respondents use Python as their main programming language, InfoWorld reports: Python developers cite simplicity and ease of use as principal reasons for using the language, but they still want capabilities such as static typing and performance improvements, based on survey results released this week. Python's simple syntax, syntactic sugar, and ease of learning were the most-favored features, capturing 37% of respondents, who were asked which three features they liked the most...

Which three features would Python developers most like to see added to the language? Static typing and strict type hinting proved to be the most-desired features, with 21% of respondents, closely followed by performance improvements, with 20%. Better concurrency and parallelism came in third, with 15% saying they were their most-desired capabilities.

InfoWorld also describes some other interesting results:
  • "JavaScript was the most popular language used in conjunction with Python, with about 42% of respondents using both together. 75% of web developers said they were using both Python and JavaScript."
  • "Just 8% of Python developers performing data-related tasks do not use any additional languages while only 3% of web developers use only Python."
  • "Use of Python 3 has grown from 75% in 2017 to 94% in 2020."

The Courts

Valve Has To Provide Some Steam Sales Data To Apple, Judge Says (arstechnica.com) 100

A US magistrate judge has ordered Valve to provide sales data to Apple in response to a subpoena issued amid Apple's continuing legal fight with Epic Games. From a report: In addition to some aggregate sales data for the entirety of Steam, Valve will only have to provide specific, per-title pricing and sales data for "436 specific apps that are available on both Steam and the Epic Games Store," according to the order. That's a significant decrease from the 30,000+ titles for which Apple originally requested data. In resisting the subpoena, Valve argued that its Steam sales data was irrelevant to questions about the purely mobile app marketplaces at issue in the case. Refocusing the request only on games available on both Steam and the Epic Games Store makes it more directly relevant to the questions of mobile competition in the case, Judge Thomas Hixson writes in his order.

"Recall that in these related cases, [Epic] allege that Apple's 30% commission on sales through its App Store is anti-competitive and that allowing iOS apps to be sold through other stores would force Apple to reduce its commission to a more competitive level," Hixson writes in the order. "By focusing... on 436 specific games that are sold in both Steam and Epic's store, Apple seeks to take discovery into whether the availability of other stores does in fact affect commissions in the way [Epic] allege."

The California judge overseeing Apple's attempts to drag Valve into an ongoing beef with Epic Games admitted that Apple "salted the Earth with subpoenas, so don't worry, it's not just you."
Programming

Amazon Gives Code.org $15 Million To 'Reimagine' Advanced Placement CSA 65

theodp writes: Amazon on Wednesday announced it has lined up the support of Governors and State School Superintendents from five 'key states' for a pilot that aims to reimagine the Java-based Advanced Placement Computer Science A (AP CS A) course taken by high school students for college credit. By doing so, Amazon indicated it hopes to address "the diversity gaps in today's technology workforce."

From the press release: "Amazon's signature computer science education program, Amazon Future Engineer, is trying to help close those gaps by donating $15 million to Code.org over three years. The money will support the creation of the new equity-minded curriculum and other initiatives designed to reach more students from underrepresented groups. The initiatives aim to increase student awareness of academic and career pathways in computer science as well as equip them to be successful in college-level computer science and beyond. Working together, we have our eyes set on an ambitious goal of doubling the participation of students from underrepresented groups in AP CSA within five years of the course's launch."

After CEO Jeff Bezos came under fire [PDF] last summer for the company's continued resistance to making its EEO-1 diversity regulatory filing public, Amazon finally agreed to publicly disclose its race, gender and ethnicity workforce data sometime in 2021.
Programming

Why Discord Is Switching From Go To Rust 256

RoccamOccam writes: The developers at Discord have seen success with Rust on their video encoding pipeline for Go Live and on their Elixir NIFs' server. Recently, they penned a post explaining how they have drastically improved the performance of a service by switching its implementation from Go to Rust.

From the post, "Remarkably, we had only put very basic thought into optimization as the Rust version was written. Even with just basic optimization, Rust was able to outperform the hyper hand-tuned Go version. This is a huge testament to how easy it is to write efficient programs with Rust compared to the deep dive we had to do with Go."
Programming

Node.js/Deno Creator Discusses Rust, C++, TypeScript, and Vim (evrone.com) 87

Ryan Dahl, creator of Node.js and Deno, gave a new interview this week to the IT outsourcing company Evrone: Evrone: You have hands-on experience with lots of programming languages: C, Rust, Ruby, JavaScript, TypeScript. Which one do you enjoy the most to work with?

Ryan: I have the most fun writing Rust these days. It has a steep learning curve and is not appropriate for many problems; but for the stuff I'm working on now it's perfect. It's a much better C++. I'm convinced that I will never start a new C++ project. Rust is beautiful in its ability to express low-level machinery with such simplicity.

JavaScript has never been my favorite language — it's just the most common language — and for that reason it is a useful way to express many ideas. I don't consider TypeScript a separate language; its beauty is that it's just marked up JavaScript. TypeScript allows one to build larger, more robust systems in JavaScript, and I'd say it's my go-to language for small everyday tasks.

With Deno we are trying to remove a lot of the complexity inherent in transpiling TypeScript code down to JavaScript with the hope this will enable more people to utilize it.

Evrone: Gradual typing was successfully added into core Python, PHP, and Ruby. What, in your opinion, is the main showstopper for adding types into JavaScript?

Ryan: Types were added to JavaScript (with TypeScript) far more successfully than has been accomplished in Python, PHP, or Ruby. TypeScript is JavaScript with types. The better question is: what is blocking the JavaScript standardization organization (TC39) from adopting TypeScript? Standardization, by design, moves slowly and carefully. They are first looking into proposing Types-As-Comments, which would allow the JavaScript runtimes to execute TypeScript syntax by ignoring the types. I think eventually TypeScript (or something like it) will be proposed as part of the JavaScript standard, but that will take time.

Evrone: As a respectable VIM user, what do you think of modern programmer editors like Visual Studio Code? Are they good enough for the old guard?

Ryan: Everyone I work with uses vscode and they love it. Probably most people should use that.

I continue to use VIM for two reasons. 1) I'm just very familiar and fast with it, I like being able to work over ssh and tmux and I enjoy the serenity of a full screen terminal. 2) It's important for software infrastructure to be text-based and accessible with simple tools. In the Java world they made the mistake of tying the IDEs too much into the workflows of the language, creating a situation where practically one was forced to use an IDE to program Java. By using simple tooling myself, I ensure that the software I develop does not become unnecessarily reliant on IDEs. If you use grep instead of jump-to-definition, too much indirection becomes intolerable. For what I do, I think this results in better software.

Python

Python Turns 30. A Steering Council Member Reflects (venturebeat.com) 83

Today is the 30th anniversary of the Python programming language, "which has never been more popular, arguably thanks to the rise of data science and AI projects in the enterprise," writes VentureBeat.

To celebrate, the historical releases file has been updated to include Guido van Rossum's original 0.9.1 beta release from 1991. (Its ReadMe file advises that Python 0.9 "can be used instead of shell, Awk or Perl scripts, to write prototypes of real applications, or as an extension language of large systems, you name it.")

And meanwhile, VentureBeat interviewed Pablo Galindo, one of the five members of the 2021 Python Steering Council and a software engineer at Bloomberg: VentureBeat: What's your current assessment of Python?

Galindo: Python is a very mature language, and it has evolved. It also has a bunch of things that it carries over. Python has some baggage that nowadays feels a bit old, but the community and the ecosystem has to be preserved. It's similar to how C and C++ are evolving right now. When you make changes to the language, it's quite dangerous [because you can] break things. That's what people are scared of the most.

But even though Python is quite old, there are big changes. The Python 3.1 release for this October will include pattern matching, which is one of the biggest syntax changes that Python has seen in a long time. We can learn from other languages. I think we're happy to say that we are still evolving and adapting. We have a good experience with respecting the importance of backwards compatibility.

VentureBeat: If you could be Python king for a day, what would you change?

Galindo: I would be a horrible King for a day. The first order of business would be to fix all these things that we have acquired over the years in the language. That would require breaking a bunch of things. Obviously, I will not do that, but I think one of the things I really would like to see in the future is for Python to become faster than it is. I think Python still has a lot of potential to become faster. I'm thinking this will be impossible. But one can dream.

VentureBeat: What do you know now about Python today that you wish you knew when you first began using it?

Galindo: I think the most important thing I learned is how many different uses there are for Python. It's important to listen to all these sorts of users when considering the evolution of the language. It's quite surprising and quite revealing to consider how changes or improvements will conflict or will interact with other users of the language.

That's something that when I started I didn't even consider. It would be good if people could be empathetic to us changing the language when we have to balance these things.

Google

Google Launches the First Developer Preview of Android 12 (techcrunch.com) 34

Almost exactly a year after Google announced the first developer preview of Android 11, the company today released the first developer preview of Android 12. From a report: Google delayed the roll-out of Android 11 a bit as the teams and the company's partners adjusted to working during a pandemic, but it looks like that didn't stop it from keeping Android 12 on schedule. As you would expect from an early developer preview, most of the changes here are under the hood and there's no over-the-air update yet for intrepid non-developers who want to give it a spin. Among the highlights of the release so far -- and it's important to note that Google tends to add more user-facing changes and UI updates throughout the preview cycle -- are the ability to transcode media into higher-quality formats like the AV1 image format, faster and more responsive notifications and a new feature for developers that now makes individual changes in the platform togglable so they can more easily test the compatibility of their apps. Google also promises that just like with Android 11, it'll add a Platform Stability milestone to Android 12 to give developers advance notice when final app-facing changes will occur in the development cycle of the operating system. Last year, the team hit that milestone in July when it launched its second beta release. Developers who want to get started with bringing their apps to Android 12 can do so today by flashing a device image to a Pixel device. For now, Android 12 supports the Pixel 3/3 XL, Pixel 3a/3a XL, Pixel 4/4 XL, Pixel 4a/4a 5G and Pixel 5. You can also use the system image in the Android Emulator in Google's Android Studio.
China

How Oracle Sells Repression in China (theintercept.com) 97

In its bid for TikTok, Oracle was supposed to prevent data from being passed to Chinese police. Instead, it's been marketing its own software for their surveillance work. From a report: Police in China's Liaoning province were sitting on mounds of data collected through invasive means: financial records, travel information, vehicle registrations, social media, and surveillance camera footage. To make sense of it all, they needed sophisticated analytic software. Enter American business computing giant Oracle, whose products could find relevant data in the police department's disparate feeds and merge it with information from ongoing investigations. So explained a China-based Oracle engineer at a developer conference at the company's California headquarters in 2018. Slides from the presentation, hosted on Oracle's website, begin with a "case outline" listing four Oracle "product[s] used" by Liaoning police to "do criminal analysis and prediction." One slide shows Oracle software enabling Liaoning police to create network graphs based on hotel registrations and track down anyone who might be linked to a given suspect.

Another shows the software being used to build a police dashboard and create "security case heat map[s]." Apparent pictures of the software interface show a blurred face and various Chinese names. The concluding slide states that the software helped police, whose datasets had been "incomprehensible," more easily "trace the key people/objects/events" and "identify potential suspect[s]" -- which in China often means dissidents. Oracle representatives have marketed the company's data analytics for use by police and security industry contractors across China, according to dozens of company documents hosted on its website. In at least two cases, the documents imply that provincial departments used the software in their operations. One is the slideshow story about Liaoning province. The other is an Oracle document describing police in Shanxi province as a "client" in need of an intelligence platform. Oracle also boasted that its data security services were used by other Chinese police entities, according to the documents -- including police in Xinjiang, the site of a genocide against Muslim Uyghurs and other ethnic groups. In marketing materials, Oracle said that its software could help police leverage information from online comments, investigation records, hotel registrations, license plate information, DNA databases, and images for facial recognition. Oracle presentations even suggested that police could use its products to combine social media activity with dedicated Chinese government databases tracking drug users and people in the entertainment industry, a group that includes sex workers. Oracle employees also promoted company technology for China's "Police Cloud," a big data platform implemented as part of the emerging surveillance state.

Programming

C Passed Java to Take #1 Spot on TIOBE's Index (techrepublic.com) 102

In its ongoing attempt to gauge the popularity of programming languages, "C is at the top of the list of TIOBE's Index for February 2021 with Java in second place," reports TechRepublic: Those two languages swapped positions on the list as compared to 2020, but the rest of the list is almost exactly the same as a year ago. Python is in the No. 3 spot followed by C++, C#, Visual Basic, JavaScript, PHP, and SQL.

Assembly Language rounds out the top 10 list, up from spot 12 in 2020. R moved up two spots over the last year from 13 to 11. Groovy jumped to the 12th spot, up from 26 a year ago. Classic Visual Basic is on the rise also, moving up four spots to 18.

For what it's worth, in the last year Go has dropped to #13 on the list — overtaken by assembly language, R, and Groovy.

And Swift dropped from #10 to #15, also being overtaken in the last year by Ruby.
Programming

Golang Approves Generics, While Python Accepts Pattern-Matching Proposals (thenewstack.io) 84

From today's "This Week in Programming" column: Rejoice, long at last, all you Gophers, for the question of whether or not the Go programming language will adopt generics has finally, after many years of debate, been answered this week with the acceptance of a proposal made last month.

In this most recent proposal, Golang team member Ian Lance Taylor writes that generics have been "one of the most commonly requested language features" since the language was first released in 2009, but even then, its adoption doesn't come without concerns. Taylor explains the idea of generics in the intro of his proposal:

"Generics can give us powerful building blocks that let us share code and build programs more easily. Generic programming means writing functions and data structures where some types are left to be specified later. For example, you can write a function that operates on a slice of some arbitrary data type, where the actual data type is only specified when the function is called. Or, you can define a data structure that stores values of any type, where the actual type to be stored is specified when you create an instance of the data structure."

It is precisely this value proposition — being able to write reusable code — that excites some developers and has been behind the push all along...

Generics wasn't the only controversial programming language addition this week, with the Python Steering Council making the decision to accept a number of Python Enhancement Proposals (PEPs) collectively known as the Pattern Matching PEPs. "We acknowledge that Pattern Matching is an extensive change to Python and that reaching consensus across the entire community is close to impossible," the council writes, saying that, nonetheless, they "are confident that Pattern Matching as specified in PEP 634, et al, will be a great addition to the Python language."

One dissenter to the addition found their way to the pages of iProgrammer, with the snarky headline "Python Adopts Pattern Matching — Kitchen Sink Next."

In other news, Google increased its support for the Python Software Foundation with a donation of more than $350,000 to support three specific projects, and also says it will continue its donation of Google Cloud infrastructure to the foundation.
Google

Terraria Port To Google Stadia Cancelled After Creator's Google Account Locked (arstechnica.com) 166

New submitter Pibroch(CiH) writes: Andrew Spinks, the creator of Terraria and lead developer for Re-Logic, has been trying to find out why his Google account (which encompasses YouTube, Gmail, and many other important services) was suddenly banned and locked with no warning.

According to Ars Technica: "Spinks says his entire Google account has been down for three weeks now, and Google has 'done nothing but given me the runaround.' You can view the quality of Google's support on Twitter for yourself. After the tweet from the official Terraria account, YouTube support declined Re-logic's request to try to solve the problem privately, choosing instead to publicly offer irrelevant suggestions to the game developer with over 30 million customers. First, YouTube asked if Re-Logic could access its banned email account, which the developer already explained was banned. Then, YouTube suggested trying Google's account recovery system, which is only for users who have forgotten their Google password. Finally, YouTube shared instructions for how to recover a voluntarily deleted Google account, which is in no way relevant to an account ban."

Spinks has moved to cancel the release of the popular game Terraria on Google's Stadia game streaming platform.
