Programming

Developers Are Quitting To Escape From Your Bad Code (zdnet.com) 160

An anonymous reader shares an excerpt from a ZDNet article, written by Liam Tung: [A] survey has come up with another reason why your engineers might want to quit -- their fellow developers' terrible code. Software engineers have long struggled with 'technical debt' created by past coding practices that might have been clever but also were undocumented and exotic. At a high level, technical debt is the price paid by supporting legacy systems rather than overhauling them or implementing a better, new system. The term can span everything from a major IT implementation, such as a core banking system that requires a decade of bug fixes, to the choice of programming language to build backend systems. In the latter case, subsequent language updates can require today's developers to rewrite old code written by long-gone developers who wrote under different conditions and who might not have documented what they did and why they did it. That's a big problem for companies that have millions of lines of code written in a language.

Stepsize, a firm that focuses on technical debt by tracking development issues in major code editors such as VS Code, conducted a fairly small survey of 200 software engineers to find out why they leave their jobs. The company said that 51% of engineers in its survey have considered leaving or left a job because of technical debt. Of that group who feel irked by technical debt issues, some 20% said that type of debt is the main reason they left a company. The results should be taken in context: the company's key selling point is trying to solve technical debt challenges that organizations face, but at the same time, technical debt could be one area worthy of attention considering how hard it is to hire and retain software engineers.

Technical debt, or 'code quality and codebase health', was the fourth most important issue cited by respondents. Salary still trumped it, with 82% citing it as one of the "most important factors" when interviewing for a new role. The survey allowed respondents to choose several primary factors. "Technical challenges and growth opportunities" was the second priority, with 75% choosing it as one of the most important factors. Some 68% of respondents said remote work was a most important factor, while 62% said 'code quality and codebase health' was one of those prime factors.
Slashdot reader ellithligraw first shared the report, adding: "Yet another reason developers are quitting... to escape the technical debt, or schlock code, or code rot. COBOL anyone?"
It's funny. Laugh.

April Fools' Copy-Paste Button For Lazy Programmers Now Actually For Sale (cnet.com) 83

Stack Overflow's copy-paste keyboard, an April Fools' Day prank that ribbed lazy programmers, is now actually for sale. CNET reports: It's been a joke in programming circles for years: Instead of writing your code from scratch, just head over to the Stack Overflow forums and copy the way another programmer already solved your problem. The meme is such a fixture that Stack Overflow turned it into an April Fools' Day prank this year, saying it would limit free access to its site unless people bought The Key, a device with buttons for opening Stack Overflow, copying and pasting. Enough people said they'd actually buy one that Stack Overflow, with help from keyboard aficionado Cassidy Williams and custom keyboard maker Drop, designed one for real and began selling it for $29. A portion of the keyboard sales' proceeds will go to Digitalundivided, a nonprofit set up to help Black and Latinx women succeed as technology entrepreneurs. Further reading: How Often Do People Actually Copy and Paste From Stack Overflow?
Python

Is Python About to Become the Most Popular Programming Language? (zdnet.com) 176

"According to one measure, Python is potentially on the verge of becoming the most popular computer programming language," reports ZDNet, joining C and Java as the only other two languages to attain the #1 spot.

Of course, it depends on who's making the list... Python has been snapping at the heels of Java and C for the past few years on the 20-year-old Tiobe index and recently knocked Java off the second spot to rival C. Tiobe, a software testing company, bases its rankings on searches for programming languages on popular websites and search engines.

The Tiobe index is updated monthly, and it doesn't align with other language popularity rankings. For example, the electrical engineering magazine IEEE Spectrum has ranked Python as the most popular language since at least 2020, followed by Java, C, and JavaScript, while developer analyst RedMonk has JavaScript in top place, followed by Python and Java, and places C at tenth...

"Python has never been so close to the number 1 position of the TIOBE index," writes Paul Jansen, chief of Tiobe software. "It only needs to bridge 0.16% to surpass C. This might happen any time now..."

Python is hugely popular because of machine learning, but it has no place in mobile app development or web applications or development on mobile devices. It's also slow. Python's creator, Guido van Rossum, who works at Microsoft, recently conceded Python consumes too much memory and energy from hardware. He's working to improve Python's performance and reckons double is feasible...

Tiobe's top 10 programming languages in September 2021 were C, Python, Java, C++, C#, Visual Basic, JavaScript, Assembly language, PHP, and SQL. The top 20 languages also included Classic Visual Basic, Groovy, Ruby, Go, Swift, MATLAB, Fortran, R, Perl, and Delphi. Fortran's re-emergence as a top 20 language is notable. Just in July 2020, Tiobe ranked it as the 50th most popular language. But earlier this year, Fortran shot up to the 20th spot in Tiobe's index.

Paul Jansen, chief of Tiobe software, also called out some other interesting moves in this month's calculation. "Assembly gained 1 position from #9 to #8, Ruby gained 2 positions from #15 to #13, and Go went up even 4 positions from #18 to #14."
GNU is Not Unix

Richard Stallman Shares His Concerns About GitHub's Copilot -- and About GitHub (gnu.org) 45

destinyland writes: A newly-released video at GNU.org shows an hour-long talk given by free software advocate Richard Stallman for the BigBlueButton open source conference (which was held online last July). After a 14-minute clip from an earlier speech, Stallman answers questions from the audience — and the first question asked Stallman for his opinion about the AI Copilot [automated pair programming tool] developed for Microsoft's GitHub in collaboration with AI research and deployment company OpenAI.

Stallman's response?

There are many legal questions about Copilot whose answers I don't know, and maybe nobody knows. And it's likely some of them depend on the country you're in [because of the copyright laws in those countries.] In the U.S. we won't be able to have reliable answers until there are court cases about it, and who knows how many years it'll take for those court cases to arise and be finally decided. So basically what we have is a gigantic amount of uncertainty.

Now the next thing is, what about morally? What can I say morally about Copilot? Well the basic idea seems okay. Why shouldn't a program be able to give you hints like that?

But there is one pitfall, which is that if you follow those hints, you might end up putting a substantial block of code copied from a GPL-covered program, written by someone else, or one hint after another after another after another — it adds up to a substantial amount of code, perhaps, with very little change, perhaps. And then you've infringed the GPL by releasing that code, unless your program is covered by the same versions — plural — of the GPL, in which case it would be permitted. But you might not even know that. Copilot might not tell you — it doesn't endeavor to inform you. So you're likely not to know. Which means Copilot is leading users — some of its users — into a pitfall. Well, they should fix it so it doesn't do that.

But basically, what can you expect from GitHub? GitHub gives people inadequate advice about what it means to choose a license. They tell you you can choose GPL version 2 or GPL version 3. I think they don't tell you that really you could choose GPL version 2 only, or GPL version 2 or later, or GPL version 3 only, or GPL version 3 or later — and those are four different choices. They give users different permissions over the future. So it's important to make each program say clearly which choice covers it. And GitHub doesn't tell you how to do that.

It doesn't tell you that you need to do that. Because the way you do that is with a license notice that is supposed to be in every source file. It's unreliable to put just one statement in a free program and say "This program is covered by such-and-such license." What happens if somebody copies one of the files into some other program which says it's covered by a different license? Now that program has been inaccurately mis-licensed, which is illegal and is going to mislead users. So any self-respecting — any repository that wants to be honest has to explain these things, not just tell people to make the licensing of each piece of code clear, but help users do so — make it easy.

So GitHub has had this enormous problem for all of its existence, and Copilot has the similar — a basically, vaguely similar sort of problem, in the same area. It's not exactly the same problem. I don't think that copying a snippet of a few lines of code infringes any license. I think it's de minimis. But I'm not a lawyer.

Open Source

Torvalds Merges Support for Microsoft's NTFS File System, Complains GitHub 'Creates Absolutely Useless Garbage Merges' (zdnet.com) 77

"Linux creator Linus Torvalds has agreed to include Paragon Software's NTFS3 kernel driver, giving the Linux kernel 5.15 release improved support for Microsoft's NTFS file system..." reports ZDNet, adding that the driver "will make working with Windows' NTFS drives in Linux an easier task — ending decades of difficulties with Microsoft's proprietary file system that succeeded FAT...."

"But he also had some process and security lessons to offer developers about how code submissions to the kernel should be made." "I notice that you have a GitHub merge commit in there," wrote Torvalds.

He continued: "That's another of those things that I *really* don't want to see — GitHub creates absolutely useless garbage merges, and you should never ever use the GitHub interfaces to merge anything...GitHub is a perfectly fine hosting site, and it does a number of other things well too, but merges are not one of those things."

Torvalds' chief problem with it was that merges need "proper commit messages with information about [what] is being merged and *why* you merge something." He continued: "But it also means proper authorship and committer information etc. All of which GitHub entirely screws up."

TechRadar supplies some more context: One of the shortcomings Torvalds highlighted is GitHub's concise, factually correct, but functionally useless, commit messages. For instance, GitHub's commit message for Paragon's merge read "Merge branch 'torvalds:master' into master", which didn't impress Torvalds one bit...

Torvalds also had some pertinent security advice, perhaps useful in light of recent software supply chain cyberattacks that the Linux Foundation wants to address by improving supply chain integrity through tools that make it easier to sign software cryptographically. As Torvalds points out, this is particularly important for new contributors to the Linux kernel. "For GitHub accounts (or really, anything but kernel.org where I can just trust the account management), I really want the pull request to be a signed tag, not just a plain branch," Torvalds explains...

Torvalds suggests Paragon do future merges from the command-line.

AI

Can a Code-Writing AI Be Good News For Humans? (indianexpress.com) 90

"A.I. Can Now Write Its Own Computer Code," blares a headline in the New York Times, adding "That's Good News for Humans."

The article begins with this remarkable story about Codex (the OpenAI software underlying GitHub Copilot): As soon as Tom Smith got his hands on Codex — a new artificial intelligence technology that writes its own computer programs — he gave it a job interview. He asked if it could tackle the "coding challenges" that programmers often face when interviewing for big-money jobs at Silicon Valley companies like Google and Facebook. Could it write a program that replaces all the spaces in a sentence with dashes? Even better, could it write one that identifies invalid ZIP codes? It did both instantly, before completing several other tasks.

"These are problems that would be tough for a lot of humans to solve, myself included, and it would type out the response in two seconds," said Mr. Smith, a seasoned programmer who oversees an A.I. start-up called Gado Images. "It was spooky to watch." Codex seemed like a technology that would soon replace human workers. As Mr. Smith continued testing the system, he realized that its skills extended well beyond a knack for answering canned interview questions. It could even translate from one programming language to another.

Yet after several weeks working with this new technology, Mr. Smith believes it poses no threat to professional coders. In fact, like many other experts, he sees it as a tool that will end up boosting human productivity. It may even help a whole new generation of people learn the art of computers, by showing them how to write simple pieces of code, almost like a personal tutor.

"This is a tool that can make a coder's life a lot easier," Mr. Smith said.

The article ultimately concludes that Codex "extends what a machine can do, but it is another indication that the technology works best with humans at the controls."

And Greg Brockman, chief technology officer of OpenAI, even tells the Times "AI is not playing out like anyone expected. It felt like it was going to do this job and that job, and everyone was trying to figure out which one would go first. Instead, it is replacing no jobs. But it is taking away the drudge work from all of them at once."
The Courts

GitHub Files Court Brief Criticizing 'Vague Infringement Allegations' (github.blog) 24

"One project going dark — due to a DMCA takedown or otherwise — can impact thousands of developers," GitHub warns in a blog post this week: We saw that firsthand with both leftpad and mimemagic. That's why GitHub's designed its DMCA process to follow the law in requiring takedown requests to identify specific content. We want developers on our platform and elsewhere to have a clear opportunity to remove infringing code yet keep non-infringing code up for others to use, modify, and learn from.

Ensuring that software copyright allegations are specific and actionable benefits the entire developer ecosystem. That's why GitHub submitted a "friend of the court" brief in the SAS Institute, Inc. v. World Programming Ltd. case before a Federal Court of Appeals.

This case is the most recent in a ten-year litigation spanning both the UK and the US. SAS Institute has brought copyright and non-copyright claims against World Programming's software that runs code written in the SAS language, and the copyright claims drew comparison to the recent Google v. Oracle Supreme Court case. But this case is different from Google v. Oracle because here the alleged copyright infringement is based on a claim of "nonliteral" infringement. That means there is no allegation that specific lines of code were literally copied, but only that other aspects, like the code's overall structure and organization, were used. In nonliteral infringement claims, the questions arise: what aspects of the "nonliteral" features were taken and are they actually protected by copyright...?

GitHub believes that for claims involving nonliteral copying of software, it is critical that a copyright owner provide — as early as possible — examples that would allow a developer, a court, or a software collaboration platform like GitHub to identify what was claimed to be copied. Our brief helps educate the court why specificity is especially important for developers.... We urged the court to think about efficiency in dispute resolution to avoid FUD (fear, uncertainty, and doubt). The sooner infringement allegations can be made specific and clear, the sooner infringing code can be changed and non-infringing code can stay up. That should be the result for both federal lawsuits, as well as DMCA infringement notices.

AI

What Happens When AI Writes a Play About AI (msn.com) 50

"GPT-3, generate a list of ideas for a play".

TechRadar describes what resulted — an experimental production called AI, performed at the Young Vic theatre in London last week. TechRadar Pro attended on the second evening, during which director Jennifer Tang sifted through the rubble of the first performance to identify material worth carrying forward. She also enlisted her writers and performers to flesh out the world; by steering AI this way and that, they expanded upon the foundations inherited from the previous night.... [T]he question AI sought to answer was not necessarily "can AI write a play?", Tang explained, but rather "how can writers work alongside it?"

When asked to produce ideas for a script, GPT-3 returned a varied selection of answers, but two in particular caught the attention of the team. The first was a repentance narrative about "a reversal of our current course towards chaos", the second an exploration of "the creation of human personality and memories" and how these concepts might manifest themselves in machines. Asked by the performers to devise scenes on these topics, GPT-3 created a cataclysmic event called The Great Collision, after which food became scarce and "beast men and women" roamed the land.

One of the main protagonists in this dystopia was an AI that aspired to "break free of its programming and conditioning" and eliminate human beings, who it considered the source of all suffering. Heavy stuff. One of the most striking things about AI was that it exposed the capacity for artificial intelligence models to reflect human preoccupations and neuroses... From its training data, GPT-3 has clearly absorbed an understanding of the murderous AI trope too, demonstrating that our fears about AI could quite easily bleed into AI itself.

The reflection of ourselves is imperfect, though, because the tone of GPT-3 scenes switches awkwardly from line to line and the dialogue can feel stunted and repetitious. The sensation is more like peering into a circus mirror.

In the end the 30-minute play turned out to be "loosely-connected vignettes created by GPT-3, which constructed new scenes without a memory of its previous inventions.

"Although individual scenes were full of color, when strung together they became an incoherent collage that highlighted the limitations of the AI models we have today."
AI

40% of GitHub's Copilot's Suggestions Had Security Vulnerabilities, Study Finds (visualstudiomagazine.com) 24

"Academic researchers discover that nearly 40% of the code suggestions by GitHub's Copilot tool are erroneous, from a security point of view..." writes TechRadar: To help quantify the value-add of the system, the academic researchers created 89 different scenarios for Copilot to suggest code for, which produced over 1600 programs. Reviewing them, the researchers discovered that almost 40% were vulnerable in one way or another...

Since Copilot draws on publicly available code in GitHub repositories, the researchers theorize that the generated vulnerable code could perhaps just be the result of the system mimicking the behavior of buggy code in the repositories. Furthermore, the researchers note that in addition to perhaps inheriting buggy training data, Copilot also fails to consider the age of the training data. "What is 'best practice' at the time of writing may slowly become 'bad practice' as the cybersecurity landscape evolves."

Visual Studio Magazine highlights another concern. 39.33 percent of the top options were vulnerable, the paper noted, adding that "The security of the top options are particularly important — novice users may have more confidence to accept the 'best' suggestion...." "There is no question that next-generation 'auto-complete' tools like GitHub Copilot will increase the productivity of software developers," the authors (Hammond Pearce, Baleegh Ahmad, Benjamin Tan, Brendan Dolan-Gavitt and Ramesh Karri) say in conclusion.

"However, while Copilot can rapidly generate prodigious amounts of code, our conclusions reveal that developers should remain vigilant ('awake') when using Copilot as a co-pilot. Ideally, Copilot should be paired with appropriate security-aware tooling during both training and generation to minimize the risk of introducing security vulnerabilities."

Transportation

Older Tesla Vehicles To Get UI Performance Boost Thanks To Famed Video Game Engineer (electrek.co) 86

Tesla is working with famed video game engineer John Carmack to improve the interface performance in older vehicles. Electrek reports: Carmack is a legend in the video game world and in the broader computer science industry. He made important advancements in 3D computer graphics and was the lead programmer on game-changing video games like Doom and Quake. Later in his career, he focused his talents on virtual reality and became CTO of Oculus. More recently, he stepped down from his role at Oculus to focus on general artificial intelligence. In the 2000s, Carmack also had an interest in rocketry and started Armadillo Aerospace.

Several of these interests overlap with Elon Musk's, who has a lot of respect for Carmack and tried to hire him for a long time. While it doesn't sound like Musk has convinced him to come work with him just yet, Carmack confirmed that he is actually working on a Tesla product. Carmack drives a Tesla Model S, and he confirmed that he is working with Tesla engineers to improve interface performance: "I did kind of volunteer to help them fix what I consider very poor user interface performance on the older model S (that I drive). Their engineers have been sharing data with me." Tesla has had performance issues with its older media control unit found in older Tesla Model S vehicles. The automaker offers a media computer upgrade to improve performance, but you are stuck if you don't want to pay the $2,500 upgrade.

Security

38 Million Records Were Exposed Online -- Including Contact-Tracing Info (wired.com) 19

More than a thousand web apps mistakenly exposed 38 million records on the open internet, including data from a number of Covid-19 contact tracing platforms, vaccination sign-ups, job application portals, and employee databases. The data included a range of sensitive information, from people's phone numbers and home addresses to social security numbers and Covid-19 vaccination status. From a report: The incident affected major companies and organizations, including American Airlines, Ford, the transportation and logistics company J.B. Hunt, the Maryland Department of Health, the New York City Municipal Transportation Authority, and New York City public schools. And while the data exposures have since been addressed, they show how one bad configuration setting in a popular platform can have far-reaching consequences.

The exposed data was all stored in Microsoft's Power Apps portal service, a development platform that makes it easy to create web or mobile apps for external use. If you need to spin up a vaccine appointment sign-up site quickly during, say, a pandemic, Power Apps portals can generate both the public-facing site and the data management backend. Beginning in May, researchers from the security firm Upguard began investigating a large number of Power Apps portals that publicly exposed data that should have been private -- including in some Power Apps that Microsoft made for its own purposes. None of the data is known to have been compromised, but the finding is significant still, as it reveals an oversight in the design of Power Apps portals that has since been fixed. In addition to managing internal databases and offering a foundation to develop apps, the Power Apps platform also provides ready-made application programming interfaces to interact with that data. But the Upguard researchers realized that when enabling these APIs, the platform defaulted to making the corresponding data publicly accessible. Enabling privacy settings was a manual process. As a result, many customers misconfigured their apps by leaving the insecure default.

Java

Report: Java 'Surges' Back Up in Programming Language Popularity (zdnet.com) 60

"The programming language Java's popularity has been slowly declining in some programming language index rankings, but it's popped back into the second spot in RedMonk's latest chart," reports ZDNet: JavaScript still rules in RedMonk's Q3 2021 language popularity rankings, which have been updated twice a year since 2010.

Python overtook Java for the second spot in RedMonk's Q2 2020 ranking, and Java has remained there in Python's shadow ever since, but now it has jumped one spot to second — a place it once again shares with Python. As RedMonk analyst Stephen O'Grady notes, Java's consistent third placing over the past year was "prompting questions from observers as to whether it was fated to a gradual drift down these rankings".

Tiobe's CEO Paul Jansen last September said Java was in "real trouble" because of a notable decline in its share of queries for programming languages on major search engines. But now, according to RedMonk, Java has 'surged' back. "This would be less of a surprise but for many of the language's competitors — and, it should be said, the odd industry analyst or two — writing regularly recurring epitaphs for the stalwart of enterprise infrastructure," said O'Grady.

The article also reports that Google's Dart programming language "made its debut in RedMonk's top 20 this month and displaced Perl."
Programming

OpenAI's Codex Turns Written Language Into Computer Code 69

A new AI system can read written instructions in conversational language and transform them into working computer code. From a report: The model is the latest example of progress in natural language processing (NLP), the ability of AIs to read and write text. But it also points towards a future where coders will be able to offload some of their work to AIs, and where ordinary people may be able to code without actually learning how to code.

Today OpenAI is releasing an improved version of its Codex AI model and releasing it to developers through its API. Codex is a descendant of OpenAI's massive text-generating model GPT-3, which was released last summer. But while GPT-3 was trained on a huge quantity of language data taken from the internet -- enabling it to read and then complete text prompts submitted by a human user -- Codex was trained on both language and billions of lines of publicly available computer code.
Businesses

Salesforce Enters the Streaming Wars (axios.com) 17

Salesforce is the latest tech giant to venture into video streaming with the launch of a new service aimed at business professionals called Salesforce+, the company's chief marketing officer Sarah Franklin tells Axios. From the report: The service is part of a greater effort to transition Salesforce's marketing approach from paid customer acquisition to owned and operated media. Franklin says the hope is that the content will help people refine their skills, while also creating an emotional connection to Salesforce, driving users to "want to use our products and want to engage more with us." Salesforce+, which will debut globally during Salesforce's annual mega-conference Dreamforce in September, is a free service that will feature original programming from Salesforce and eventually, content created by its clients. The content will be available on-demand 24/7, but it will also feature live event programming, starting with Dreamforce.
Microsoft

Angry Windows Pioneer Blogs 'Screw You, Microsoft Edge' (charlespetzold.com) 241

68-year-old technology writer Charles Petzold wrote about Windows programming for 25 years, including several books published by Microsoft Press. In 1994 he was one of seven "Windows Pioneers" honored in a special ceremony (with an award presented by Bill Gates), and the company has also recognized him with their "Most Valuable Professional" award.

Petzold just wrote a blog post titled "Screw you, Microsoft Edge" when the browser spontaneously decided to advise him of a discount at Walmart. Recently while searching for a book on Bookshop.org, I was interrupted by a popup apparently generated by Microsoft Edge advising me of an alternative... Excuse me?

The assumption that I need help buying a book is the biggest insult I've encountered on Windows since the days of Clippy.

A further insult is the implication that I make buying decisions based solely on price... I might prefer a retailer that focuses solely on books, or a retailer that is not a large chain. More generally, I might make a decision based on the company's carbon footprint, or perhaps their reputation in paying fair wages, or what political candidates and movements they support, or whether the CEO uses his wealth to launch himself into space.

Of course, these concepts are entirely beyond the scope of Edge's braindead algorithm that apparently knows only whether one number is larger than another.

In November Microsoft had described the upcoming popups announcing better prices as "a proactive price comparison experience that meets you where you shop. When you're shopping, Microsoft Edge will check prices at competing retailers to let you know if a lower price is available elsewhere..."

Promising there'd be even more shopping experiences coming, they'd added, "we'd love to hear what you think of them so far!"
Microsoft

Microsoft is Recruiting US Teens To Be Influencers on Social Media for Its Educational Coding Platform (twitter.com) 33

Long-time Slashdot reader theodp writes: Just ahead of the new school year, Microsoft and its nonprofit partner Code.org took to Twitter to recruit teens for Microsoft's inaugural MakeCode Insiders Program. Microsoft MakeCode is a code platform that allows kids to write programs for a wide variety of applications even if they have little or no previous coding experience; there's also a College Board-endorsed MakeCode AP CS curriculum, which can earn high school students college credit...

MakeCode Insiders, Microsoft adds, will be recognized for completing key milestones with badges, including MakeCode Influencer ("This badge is earned when a MakeCode Wizard is chosen to represent our product to teens on social media."). MakeCode Influencers, Microsoft explains, "are teens who have graduated from the Insiders program and are selected to represent MakeCode on social media in various forms..."

Insider applications are due today, kids!

This is Microsoft's first time running the "Insider" program, and the guidebook promises the larger program's Insiders "will focus on MakeCode Arcade, a coding editor for retro-style video games, offering feedback and ideas that will inform product decisions."
Chrome

Google Chrome Criticized For Breaking Change Over Disabling Alert() and Confirm() in Cross-Origin Frames (inside.com) 110

"Google Chrome will disable JavaScript functions like alert() and confirm() inside cross-origin frames," reports Inside.com's developer newsletter.

"As this is a breaking change, developers are encouraged to update their apps and debugging tools before the update." A Chrome engineering team member said the team is disabling alert() to protect users from being tricked by scammers. Some are complaining this has already affected programming tutorials and JavaScript learning sites that sandbox user-provided code in cross-origin frames. For those affected by the changes, Chrome advises the following:

- Get a few months' extension by signing up for the "reverse origin trial" so you can temporarily opt out of the change.

- Check out the enterprise policy.


The move has sparked controversy:

- One Discord engineer criticized the fact such a major breaking change is happening without extensive discussion on the matter.

- Another Twitter user echoed the sentiment of many when he argued the move will just hurt those who can't easily update sites while encouraging attackers to use pseudo alert functionality.

One of Google's Chrome engineers explained on Twitter that "Major browser vendors are generally aligned about wanting to move the platform away from alert() and friends, even though it will unfortunately involve some breakage...

"On breakage in general — breaking changes happen often on the web, and as a developer it's good practice to test against early release channels of major browsers to learn about any compatibility issues upfront."
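A tutorial site that runs learner code in a cross-origin sandbox frame loses alert() and confirm() there under this change. The added example below (not from the article, Chrome, or any of the people quoted) shows one way such a site can cope: the frame forwards dialog requests to the parent page with postMessage, and the parent validates the sender's origin before rendering anything. The origins, the function names installDialogShim and handleDialogMessage, and the assumed return values for the disabled confirm()/prompt() are mine.

```javascript
// Constructed origin of the frame that runs learner-supplied code.
const SANDBOX_ORIGIN = 'https://sandbox.example';

// Runs inside the sandbox frame: replace the now-disabled blocking dialogs
// with a message to the parent, addressed to one explicit origin.
function installDialogShim(win, parentOrigin) {
  const send = (kind, text) =>
    win.parent.postMessage({ type: 'dialog', kind, text: String(text) }, parentOrigin);
  win.alert = (text) => { send('alert', text); };
  // confirm()/prompt() can no longer block; mirror what a disabled frame
  // is assumed to return (false / null) so learner code keeps running.
  win.confirm = (text) => { send('confirm', text); return false; };
  win.prompt = (text) => { send('prompt', text); return null; };
}

// Runs in the parent page: accept only well-formed dialog requests from the
// sandbox origin, so a stray third-party frame cannot pop dialogs that look
// like they come from the site. Returns the dialog to render, or null.
function handleDialogMessage(event, allowedOrigin = SANDBOX_ORIGIN) {
  if (event.origin !== allowedOrigin) return null;
  const d = event.data;
  if (!d || d.type !== 'dialog') return null;
  if (!['alert', 'confirm', 'prompt'].includes(d.kind)) return null;
  if (typeof d.text !== 'string') return null;
  // Cap the text so a runaway loop in learner code cannot flood the UI.
  return { kind: d.kind, text: d.text.slice(0, 1000) };
}

// In the parent page this would be wired up as:
//   window.addEventListener('message', (ev) => {
//     const dialog = handleDialogMessage(ev);
//     if (dialog) showInPageDialog(dialog); // site's own, non-blocking UI
//   });
```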
Open Source

ElasticSearch Keeps Fighting Open Source Fork by Amazon AWS (amazon.com) 161

In January ElasticSearch made what it calls "an incredibly hard decision" — to change the licensing on its scalable data-search solution. They called this an effort to "stand up to" Amazon's AWS for offering ElasticSearch functionality as a service "without collaborating with us... after years of what we believe to be Amazon/AWS misleading and confusing the community." Amazon then forked ElasticSearch, releasing a new "OpenSearch" product under the original Apache 2.0 licensing. Last month AWS's fork reached General Availability/1.0 status.

Now Mike Melanson's "This Week in Programming" column reports that ElasticSearch is "making further attempts at closing off access to ElasticSearch and shutting out AWS — while AWS is fighting back." AWS says that "OpenSearch aims to provide wire compatibility with open source distributions of Elasticsearch 7.10.2, the software from which it was derived," making it easy to migrate to OpenSearch. While Elastic can't do anything about that, they can make changes to some open source client libraries that are commonly used. "Over the past few weeks, Elastic added new logic to several of these clients that rejects connections to OpenSearch clusters or to clusters running open source distributions of Elasticsearch 7, even those provided by Elastic themselves," AWS writes. "While the client libraries remain open source, they now only let applications connect to Elastic's commercial offerings..."

AWS is again coming out as the savior of open source in this scenario, it would seem, this time promising to offer "a set of new open source clients that make it easy to connect applications to any OpenSearch or Elasticsearch cluster" that "will be derived from the last compatible versions of corresponding Elastic-maintained clients before product checks were added."

"In the spirit of openness and interoperability, we will make reasonable efforts to maintain compatibility with all Elasticsearch distributions, even those produced by Elastic," they write. In the meantime, while the OpenSearch community works on creating the replacement libraries, AWS recommends that users do not update to the latest version of any Elastic-maintained clients, lest their applications potentially cease functioning.

"It's disappointing to see this," reads a comment (upvoted 35 times) on the ElasticSearch repository announcing the change in late June. "You're forcing us as bystanders in a battle to choose sides." And Amazon responded with its own take on the situation in their AWS press release this week. "Our experience at AWS is that developers find it painful to update their already-deployed applications to use new versions of server software, so backward compatibility for clients and APIs weighs heavily in our designs..."

The press release also calls ElasticSearch's changes "disruptive," adding "The most broadly adopted open source projects generally emphasize flexibility, inclusion, and avoidance of lock-in..."
The Internet

The Push For a 'PBS For the Internet' (axios.com) 169

An anonymous reader quotes a report from Axios: The concept of a new media ecosystem that's non-profit, publicly funded and tech-infused is drawing interest in policy circles as a way to shift the power dynamics in today's information wars. Revamping the structure and role of public media could be part of the solution to shoring up local media, decentralizing the distribution of quality news, and constraining Big Tech platforms' amplification of harmful or false information.

Congress in 1967 authorized federal operating money to broadcast stations through a new agency, the Corporation for Public Broadcasting, and what is now PBS launched down-the-middle national news programming and successful kids shows like "Mr. Rogers' Neighborhood" and "Sesame Street." NPR was born in 1971. Despite dust-ups over political interference of national programming and funding, hundreds of local community broadcast stations primarily received grants directly to choose which national programs to support.

A new policy paper from the German Marshall Fund proposes a full revamp of the CPB to fund not just broadcast stations, but a wide range of digital platforms and potential content producers including independent journalists, local governments, nonprofits and educational institutions. The idea is to increase the diversity of local civic information, leaning on anchor institutions like libraries and colleges that communities trust. Beyond content, the plan calls for open protocol standards and APIs to let consumers mix and match the content they want from a wide variety of sources, rather than being at the mercy of Facebook, Twitter or YouTube algorithms. Data would be another crucial component. In order to operate, entities in the ecosystem would have to commit to basic data ethics and rules about how personal information is used.

Programming

Are Python Libraries Riddled With Security Holes? (techradar.com) 68

"Almost half of the packages in the official Python Package Index (PyPI) repository have at least one security issue," reports TechRadar, citing a new analysis by Finnish researchers, which even found five packages with more than a thousand issues each... The researchers used static analysis to uncover the security issues in the open source packages, which they reason end up tainting software that uses them. In total the research scanned through 197,000 packages and found more than 749,000 security issues in all... Explaining their methodology the researchers note that despite the inherent limitations of static analysis, they still found at least one security issue in about 46% of the packages in the repository. The paper reveals that of the issues identified, the largest share (442,373) are of low severity, while 227,426 are moderate severity issues. However, 11% of the flagged PyPI packages have 80,065 high severity issues.

The Register supplies some context: Other surveys of this sort have come to similar conclusions about software package ecosystems. Last September, a group of IEEE researchers analyzed 6,673 actively used Node.js apps and found about 68 per cent depended on at least one vulnerable package... The situation is similar with package registries like Maven (for Java), NuGet (for .NET), RubyGems (for Ruby), CPAN (for Perl), and CRAN (for R). In a phone interview, Ee W. Durbin III, director of infrastructure at the Python Software Foundation, told The Register, "Things like this tend not to be very surprising. One of the most overlooked or misunderstood parts of PyPI as a service is that it's intended to be freely accessible, freely available, and freely usable. Because of that we don't make any guarantees about the things that are available there..."

Durbin welcomed the work of the Finnish researchers because it makes people more aware of issues that are common among open package management systems and because it benefits the overall health of the Python community. "It's not something we ignore but it's also not something we historically have had the resources to take on," said Durbin. That may be less of an issue going forward. According to Durbin, there's been significantly more interest over the past year in supply chain security and what companies can do to improve the situation. For the Python community, that's translated into an effort to create a package vulnerability reporting API and the Python Advisory Database, a community-run repository of PyPI security advisories that's linked to the Google-spearheaded Open Vulnerability Database.
