Electronic Frontier Foundation

FTC Urged To Stop Tech Makers Downgrading Devices After You've Bought Them (theregister.com) 80

Digital rights activists want device manufacturers to disclose a "guaranteed minimum support time" for devices — and federal regulations ensuring a product's core functionality will work even after its software updates stop.

Influential groups including Consumer Reports, EFF, the Software Freedom Conservancy, iFixit, and U.S. PIRG have now signed a letter to the head of America's Consumer Protection bureau (at the Federal Trade Commission), reports The Register: In an eight-page letter to the Commission (FTC), the activists mentioned the Google/Levis collaboration on a denim jacket that contained sensors enabling it to control an Android device through a special app. When the app was discontinued in 2023, the jacket lost that functionality. The letter also mentions the "Car Thing," an automotive infotainment device created by Spotify, which bricked the device fewer than two years after launch and didn't offer a refund...

Environmental groups and computer repair shops also signed the letter... "Consumers need a clear standard for what to expect when purchasing a connected device," stated Justin Brookman, director of technology policy at Consumer Reports and a former policy director of the FTC's Office of Technology, Research, and Investigation. "Too often, consumers are left with devices that stop functioning because companies decide to end support with little to no warning. This leaves people stranded with devices they once relied on, unable to access features or updates...."

Brookman told The Register that he believes this is the first such policy request to the FTC that asks the agency to help consumers with this dilemma. "I'm not aware of a previous effort from public interest groups to get the FTC to take action on this issue — it's still a relatively new issue with no clear established norms," he wrote in an email. "But it has certainly become an issue" that comes up more and more with device makers as they change their rules about product updates and usage.

"Both switching features to a subscription and 'bricking' a connected device purchased by a consumer in many cases are unfair and deceptive practices," the groups write, arguing that the practices "infringe on a consumer's right to own the products they buy." They're requesting clear "guidance" for manufacturers from the U.S. government. The FTC has a number of tools at its disposal to help establish standards for IoT device support. While a formal rulemaking is one possibility, the FTC also has the ability to issue more informal guidance, such as its Endorsement Guides and Dot Com Disclosures. We believe the agency should set norms...
The groups are also urging the FTC to:
  • Encourage tools and methods that enable reuse if software support ends.
  • Conduct an educational program to encourage manufacturers to build longevity into the design of their products.
  • Protect "adversarial interoperability"... when a competitor or third-party creates a reuse or modification tool [that] adds to or converts the old device.

Thanks to long-time Slashdot reader Z00L00K for sharing the article.


Open Source

How Should the FOSS Movement Respond to Proprietary Software? (linux-magazine.com) 102

Long-time FOSS-watcher Bruce Byfield writes that while people "still dream of a completely free alternative, increasingly the emphasis in FOSS seems to be on accepting coexistence with proprietary software." Many, too, have always preferred the permissive BSD licenses, which permit combining FOSS and proprietary software. From some perspectives, Debian's newest [non-free firmware] repository or Nobara's popularity [a Fedora-based distro but with proprietary drivers and gaming applications] is simply an admission of the true state of affairs...

On the other hand, the FOSS philosophy may be weakened because it no longer has a strong advocate. Sixteen years ago, the FSF reached a peak of authority in the discussions of 2006-2007 about the structure of GPLv3 — then immediately lost that authority by not reaching a consensus. That was followed by the cancellation of Richard Stallman in 2017, which, deserved or not, had the side effect of silencing free software's most influential representative. Today the FSF that Stallman led continues to function, with Stallman returned to the board of directors, but its actions go unreported, and it seems to speak to a much smaller group of loyalists. The Linux Foundation, with its corporate emphasis, is not an adequate substitution. In these circumstances, there is reason to wonder whether FOSS has lost its way.

While the issue has yet to reach the mainstream, Bruce Perens, one of the coiners of the term "open source" in 1998, is already trying to describe what he calls the Post-Open Source era. Not only does Perens believe that FOSS licenses no longer fulfill their original purpose, but they no longer inform or benefit the average user. According to Perens,

"Open Source has completely failed to serve the common person. For the most part, if they use us at all they do so through a proprietary software company's systems, like Apple iOS or Google Android, both of which use Open Source for infrastructure but the apps are mostly proprietary. The common person doesn't know about Open Source, they don't know about the freedoms we promote which are increasingly in their interest. Indeed, Open Source is used today to surveil and even oppress them."

As a remedy, Perens proposes that licenses should be replaced by contracts. He envisions that companies pay for the benefits they receive from using FOSS. Compliance for each contract would be checked, renewed, and paid for yearly, and the payments would go towards funding FOSS development. Individuals and nonprofits would continue to use FOSS for free. In March 2024, Perens posted a draft Post-Open license. The draft includes a description of the contract-related files to be shipped with FOSS software, a description of the status of derivative works, how revenue is collected, and conditions of termination. The draft has yet to be reviewed by a lawyer, but what is immediately noticeable is how it draws on both contract language and FOSS licenses to produce something different.

Byfield concludes that "free licenses are straining to respond to loopholes, and a discussion needs to be had about whether they are adequate to modern pressures."
Programming

GitHub Actions Typosquatting: a High-Impact Supply Chain Attack-in-Waiting? (csoonline.com) 4

GitHub Actions let developers "automate software builds and tests," writes CSO Online, "by setting up workflows that trigger when specific events are detected, such as when new code is committed to the repository."

They also "can be reused and shared with others on the GitHub Marketplace, which currently lists thousands of public Actions that developers can use instead of coding their own. Actions can also be included as dependencies inside other Actions, creating an ecosystem similar to other open-source component registries." Researchers from Orca Security recently investigated the impact typosquatting can have in the GitHub Actions ecosystem by registering 14 GitHub organizations with names that are misspellings of popular Actions owners — for example, circelci instead of circleci, actons instead of actions, google-github-actons instead of google-github-actions... One might think that developers making typos is not very common, but given the scale of GitHub — over 100 million developers with over 420 million repositories — even a statistically rare occurrence can mean thousands of potential victims. For example, the researchers found 194 workflow files calling the "action" organization instead of "actions"; moreover, 12 public repositories started referencing the researchers' fake "actons" organization within two months of setting it up.

"Although the number may not seem that high, these are only the public repositories we can search for and there could be multiple more private ones, with numbers increasing over time," the researchers wrote... Ultimately this is a low-cost high-impact attack. Having the ability to execute malicious actions against someone else's code is very powerful and can result in software supply chain attacks, with organizations and users that then consume the backdoored code being impacted as well...

Out of the 14 typosquatted organizations that Orca set up for their proof-of-concept, GitHub only suspended one over a three-month period — circelci — and that's likely because someone reported it. CircleCI is one of the most popular CI/CD platforms.
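The defensive counterpart to what Orca measured is a check that runs over a repository's own workflow files: pull every `uses: owner/repo@ref` reference, compare the owner against an allowlist the team maintains, and flag owners that sit one or two edits away from a trusted name (the "actons"/"actions" and "circelci"/"circleci" cases above). This is an added example, not code from the article or from Orca Security; the allowlist and the sample workflow are constructed for illustration.

```python
"""Flag likely typosquatted owners in GitHub Actions `uses:` references.

Added example (not from the article or Orca's research). Workflow text is
scanned with a regex instead of a YAML parser so the script runs offline with
no dependencies; TRUSTED_OWNERS is an assumed allowlist a team would maintain.
"""
import re
from typing import List, Tuple

# Assumed allowlist of Action owners the team has vetted (constructed here).
TRUSTED_OWNERS = {"actions", "circleci", "google-github-actions", "docker"}

# Matches `uses: owner/repo@ref` or `uses: owner/repo/path@ref`. Local (`./`)
# and `docker://` references have no GitHub owner and are deliberately skipped.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?([A-Za-z0-9_.-]+)/([^@\s'\"]+)@([^\s'\"]+)", re.M
)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; enough to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_workflow(text: str, trusted=TRUSTED_OWNERS, max_dist: int = 2) -> List[Tuple[str, str, str]]:
    """Return (owner, full_ref, verdict) for each `uses:` reference found.

    verdict is 'trusted' for allowlisted owners, 'typosquat-suspect:<name>' when
    the owner is within max_dist edits of a trusted owner without being one, and
    'unknown' otherwise (not necessarily malicious, but worth a review).
    """
    findings = []
    for m in USES_RE.finditer(text):
        owner, repo, ref = m.group(1), m.group(2), m.group(3)
        full = f"{owner}/{repo}@{ref}"
        if owner in trusted:
            findings.append((owner, full, "trusted"))
            continue
        nearest = min(trusted, key=lambda t: levenshtein(owner.lower(), t))
        if levenshtein(owner.lower(), nearest) <= max_dist:
            findings.append((owner, full, f"typosquat-suspect:{nearest}"))
        else:
            findings.append((owner, full, "unknown"))
    return findings


# Constructed sample workflow: one genuine reference plus the misspellings the
# article names (actons, google-github-actons, circelci, action).
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actons/setup-node@v4
      - uses: google-github-actons/auth@v2
      - uses: circelci/circleci-cli@v1
      - uses: action/cache@v3
      - uses: ./local-action
"""

if __name__ == "__main__":
    for owner, ref, verdict in check_workflow(SAMPLE_WORKFLOW):
        print(f"{verdict:45s} {ref}")
```

Pinning `uses:` references to a full commit SHA rather than a tag is the complementary control: it does not stop a typo in the owner name, but it does stop a legitimately named Action from silently changing underneath a workflow.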

Thanks to Slashdot reader snydeq for sharing the article.
Security

Kaspersky To Transfer US Customers To UltraAV After Ban (pcmag.com) 16

Kaspersky has reached an agreement to transfer its U.S. customers to UltraAV, a Boston-based antivirus provider. The move comes in the wake of a White House ban on Kaspersky products. Under the deal, U.S. users will maintain their existing subscriptions and receive "reliable anti-virus protection" through UltraAV, which will offer additional features such as VPN and identity theft protection. Kaspersky will contact customers in the coming days with instructions for activating their new accounts.
Technology

Smartphone Firm Born From Essential's Ashes is Shutting Down (androidauthority.com) 3

An anonymous reader shares a report: It's been a rough week for OSOM Products. The company has been embroiled in legal controversy stemming from a lawsuit filed by a former executive. Now, Android Authority has learned that the company is effectively shutting down later this week. OSOM Products was formed in 2020 following the disbanding of Essential, a smartphone startup led by Andy Rubin, the founder of Android.

Essential collapsed following the poor sales of its first smartphone, the Essential Phone, as well as a loss of confidence in Rubin due to allegations of sexual misconduct at his previous stint at Google. Although Essential as a company was on its way out after Rubin's departure, many of its most talented hardware designers and software engineers remained at the company, looking for another opportunity to build something new. In 2020, the former head of R&D at Essential, Jason Keats, along with several other former executives and employees, came together to form OSOM, which stands for "Out of Sight, Out of Mind." The name reflected their desire to create privacy-focused products such as the OSOM Privacy Cable, a USB-C cable with a switch to disable data signaling, and the OSOM OV1, an Android smartphone with lots of privacy and security-focused features.

Android

Android Earthquake Alerts Now Available Across All 50 States, 6 US Territories (droid-life.com) 29

Google's Android Earthquake Alerts System, initially launched in 2020, is now available in all 50 U.S. states and 6 territories. Droid Life reports: Users in California, Oregon and Washington will continue to have their alerts powered by the ShakeAlert system, which uses traditional seismometers to detect earthquakes. For all other states and supported territories, "this expansion uses the built-in accelerometers in Android phones to bring another layer of preparedness and potentially life-saving information to people across every state," the company explained in a blog post.

Using the accelerometer to sense vibrations that suggest an earthquake, the system quickly analyzes the crowdsourced data to determine if an earthquake is occurring. Google says it has been working with many experts to continue the system's improvement. Depending on the severity of the earthquake, you'll get one of two types of notifications: a small pop-up on your screen if the quake is weak with light shaking, or a complete screen takeover for moderate to extreme shaking. The latter are called Take Action alerts, complete with the classic drop, cover, and hold instructions.

AT&T

AT&T Sues Broadcom For Breaching VMware Support Extension Contract (theregister.com) 76

AT&T has filed a lawsuit against Broadcom, alleging that Broadcom is refusing to honor an extended support agreement for VMware software unless AT&T purchases additional subscriptions it doesn't need. The company warns the consequences could risk massive outages for AT&T's customer support operations and critical federal services, including the U.S. President's office. The Register reports: A complaint [PDF] filed last week in the Supreme Court of New York State explains that AT&T holds perpetual licenses for VMware software and paid for support services under a contract that ends on September 8. The complaint also alleges that AT&T has an option to extend that support deal for two years -- provided it activates the option before the end of the current deal. AT&T's filing claims it exercised that option, but that Broadcom "is refusing to honor" the contract. Broadcom has apparently told AT&T it will continue to provide support if the comms giant "agrees to purchase scores of subscription services and software." AT&T counters that it "does not want or need" those subscriptions, because they:

- Would impose significant additional contractual and technological obligations on AT&T;
- Would require AT&T to invest potentially millions to develop its network to accommodate the new software;
- May violate certain rights of first refusal that AT&T has granted to third parties;
- Would cost AT&T tens of millions more than the price of the support services alone.

[...] The complaint also suggests Broadcom's refusal to extend support creates enormous risk for US national security -- some of the ~8,600 servers that host AT&T's ~75,000 VMs "are dedicated to various national security and public safety agencies within the federal government as well as the Office of the President." Other VMs are relied upon by emergency responders, and still more "deliver services to millions of AT&T customers worldwide" according to the suit. Without support from Broadcom, AT&T claims it fears "widespread network outages that could cripple the operations of millions of AT&T customers worldwide" because it may not be able to fix VMware's software.

Medicine

The Rise of DIY, Pirated Medicine (404media.co) 295

An anonymous reader quotes a report from 404 Media, written by Jason Koebler: I've been videochatting with Mixael Swan Laufer for about 30 minutes about an exciting discovery when he points out that to date, the best way he's been able to bring attention to his organization is "the old school method of me performing a bunch of federal felonies on stage in front of a bunch of people." I stop him and ask: "In this case, what are the felonies?" "Well, the list is pretty long," he said. Laufer is the chief spokesperson of Four Thieves Vinegar Collective, an anarchist collective that has spent the last few years teaching people how to make DIY versions of expensive pharmaceuticals at a tiny fraction of the cost.

Four Thieves Vinegar Collective call what they do "right to repair for your body." Laufer has become well known for handing out DIY pills and medicines at hacking conferences, which include, for example, courses of the abortion drug misoprostol that can be manufactured for 89 cents (normal cost: $160) and which has become increasingly difficult to obtain in some states following the Supreme Court decision in Dobbs. In our call, Laufer had just explained that Four Thieves had made some miscalculations as part of its latest project, to create instructions for replicating sofosbuvir (Sovaldi), a miracle drug that cures hepatitis C, which he planned to explain and reveal at the DEF CON hacking conference. Unlike many other drugs that treat viruses, Sovaldi does not suppress hepatitis C, a virus that kills roughly 250,000 people around the world each year. It cures it. [...]

Crucially, unlike other medical freedom organizations, Four Thieves isn't suggesting people treat COVID with Ivermectin, isn't shilling random supplements, and doesn't have any sort of commercial arm at all. Instead, they are helping people to make their own, identical pirated versions of proven and tested pharmaceuticals by taking the precursor ingredients and performing the chemical reactions to make the medication themselves. "We don't invent anything, really," Laufer said. "We take things that are on the shelf and hijack them. We like to take something established, and be like 'This works, but you can't get it.' Well, here's a way to get it." A slide at his talk reads "Isn't this illegal? Yeah. Grow up."

Four Thieves has developed a suite of open-source tools to help achieve its goal. The core tool, Chemhacktica, is a software platform that uses machine learning to map chemical pathways for synthesizing desired molecules. It suggests potential chemical reactions, identifies precursor materials, and checks their availability for purchase.

The other is Microlab, an open-source controlled lab reactor built from affordable, off-the-shelf components costing between $300 and $500. It uses Chemhacktica's suggested pathways to create medications, and detailed instructions for building and operating the Microlab are provided. Additionally, the company developed a drag-and-drop recipe system called Apothecarium that generates executable files for the Microlab, offering step-by-step guidance on producing specific medications.

Laufer told 404 Media: "I am of the firm belief that we are hitting a watershed where economics and morality are coming to a head, like, 'Look: intellectual property law is based off some ideas that came out of 1400s Venice. They're not applicable and they're being abused and people are dying every day because of it, and it's not OK.'"

Further reading: Meet the Anarchists Making Their Own Medicine (Motherboard; 2018)
Movies

The Search For the Face Behind Mavis Beacon Teaches Typing (wired.com) 56

An anonymous reader quotes a report from Wired: Jazmin Jones knows what she did. "If you're online, there's this idea of trolling," Jones, the director behind Seeking Mavis Beacon, said during a recent panel for her new documentary. "For this project, some things we're taking incredibly seriously ... and other things we're trolling. We're trolling this idea of a detective because we're also, like, ACAB." Her trolling, though, was for a good reason. Jones and fellow filmmaker Olivia Mckayla Ross did it in hopes of finding the woman behind Mavis Beacon Teaches Typing. The popular teaching tool was released in 1987 by The Software Toolworks, a video game and software company based in California that produced educational chess, reading, and math games. Mavis, essentially the "mascot" of the game, is a Black woman donned in professional clothes and a slicked-back bun. Though Mavis Beacon was not an actual person, Jones and Ross say that she is one of the first examples of Black representation they witnessed in tech. Seeking Mavis Beacon, which opened in New York City on August 30 and is rolling out to other cities in September, is their attempt to uncover the story behind the face, which appeared on the tool's packaging and later as part of its interface.

The film shows the duo setting up a detective room, conversing over FaceTime, running up to people on the street, and even tracking down a relative connected to the ever-elusive Mavis. But the journey of their search turned up a different question they didn't initially expect: What are the impacts of sexism, racism, privacy, and exploitation in a world where you can present yourself any way you want to? Using shots from computer screens, deep dives through archival footage, and sit-down interviews, the noir-style documentary reveals that Mavis Beacon is actually Renee L'Esperance, a Black model from Haiti who was paid $500 for her likeness with no royalties, despite the program selling millions of copies. [...]

In a world where anyone can create images of folks of any race, gender, or sexual orientation without having to fully compensate the real people who inspired them, Jones and Ross are working to preserve not only the data behind Mavis Beacon but also the humanity behind the software. On the panel, hosted by Black Girls in Media, Ross stated that the film's social media has a form where users of Mavis Beacon can share what the game has meant to them, for archival purposes. "On some level, Olivia and I are trolling ideas of worlds that we never felt safe in or protected by," Jones said during the panel. "And in other ways, we are honoring this legacy of cyber feminism, historians, and care workers that we are very seriously indebted to."
You can watch the trailer for "Seeking Mavis Beacon" on YouTube.
United Kingdom

Microsoft's Inflection Acquihire Is Too Small To Matter, Say UK Regulators (theregister.com) 3

The Register's Brandon Vigliarolo reports: Microsoft's "acquihire" of Inflection AI was today cleared by UK authorities on the grounds that the startup isn't big enough for its absorption by Microsoft to affect competition in the enterprise AI space. The Competition and Markets Authority (CMA) confirmed the conclusion of its investigation by publishing a summary of its decision. While the CMA found that Microsoft's recruitment of Inflection co-founders Mustafa Suleyman and Karen Simonyan, along with other Inflection employees, in March 2024 to lead Microsoft's new AI division did create a relevant merger situation, a bit of digging indicated everything was above board.

As we explained when the CMA kicked off its investigation in July, the agency's definition of relevant merger situations includes instances where two or more enterprises have ceased to be distinct, and when the deal either exceeds 70 million pounds or 25 percent of the national supply of a good or service. In both cases, the CMA determined [PDF], the Microsoft/Inflection deal met the criteria. As to whether the matter could lead to a substantial lessening of competition, that's where the CMA decided everything was OK.

"Prior to the transaction, Inflection had a very small share of UK domain visits for chatbots and conversational AI tools and ... had not been able to materially increase or sustain its chatbot user numbers," the CMA said. "Competitors did not regard Inflection's capabilities with regard to EQ [emotional intelligence, which was an Inflection selling point] or other product innovation as a material competitive constraint." In addition, the CMA said Inflection's foundational model offering wouldn't exert any "material competitive constraint" on Microsoft or other enterprise foundational model suppliers as none of the potential Inflection customers the CMA spoke with during its probe identified any features that made Inflection's software more attractive than other brands. Ouch.

AI

Microsoft Rolled Out AI PCs That Can't Play Top Games (msn.com) 79

The latest Windows personal computers with AI features have "the best specs" on "all the benchmarks," Microsoft Chief Executive Satya Nadella recently said. There is one problem: The chips inside current models are incompatible with many leading videogames. From a report: Microsoft and its partners this spring rolled out Copilot+ PCs that include functions such as creating AI-generated pictures and video. Under the hood of the new laptops is a hardware change. Instead of the Intel chips that have powered Microsoft Windows PCs for nearly four decades, the initial Copilot+ PCs to hit the market use Qualcomm chips, which in turn rely on designs from U.K.-based Arm.

Most PC games, including popular multiplayer games such as "League of Legends" and "Fortnite," are made to work with Intel's x86, a chip architecture that has been the standard for many personal computers for decades. To make some of these programs function on the Qualcomm-Arm system, they must be run through a layer of software that translates Intel-speak into Arm-speak. Chip experts say the approach isn't perfect and can result in bugs, glitches or games simply not working. The problem is widespread. About 1,300 PC games have been independently tested to see if they work on Microsoft's new Arm-powered PCs and only about half ran smoothly, said James McWhirter, an analyst with research firm Omdia.

Firefox

Firefox 130 Now Available With WebCodecs API, Third-Party AI Chatbots 55

Firefox 130 introduces several enhancements, including improved local translation handling, better Android page load performance, and the WebCodecs API for low-level audio/video processing on desktop platforms. Notably, it also supports third-party AI chatbots like ChatGPT and Google Gemini via the new Firefox Labs feature. Phoronix reports: The WebCodecs API is particularly useful for web-based apps like video/audio editors and video conferencing that may want control over individual frames of a video stream or audio chunks. For any web software interested in that low-level audio/video encode/decode handling there is now WebCodecs API working on the Firefox desktop builds. As for the third-party AI chatbots, here's what Mozilla's Ian Carmichael said back in June: "If you want to use AI, we think you should have the freedom to use (or not use) the tools that best suit your needs. Instead of juggling between tabs or apps for assistance, those who opt-in will have the option to access their preferred AI service from the Firefox sidebar to summarize information, simplify language, or test their knowledge, all without leaving their current web page."

You can learn more about Firefox 130 via developer.mozilla.org. Binaries for Linux can be found at Mozilla.org.
Businesses

Nvidia Hit With DOJ Subpoena In Escalating Antitrust Probe (reuters.com) 13

According to Bloomberg (paywalled), Nvidia has received a subpoena from the U.S. Department of Justice as the regulator seeks evidence that the AI computing company violated antitrust laws. "The antitrust watchdog had previously delivered questionnaires to companies, and is now sending legally binding requests," notes Reuters. "Officials are concerned that the chipmaker is making it harder to switch to other suppliers and penalizes buyers that do not exclusively use its artificial intelligence chips."

The development follows a push by progressive groups last month, who criticized Nvidia's bundling of software and hardware, claiming it stifles innovation and locks in customers. In July, French antitrust regulators announced plans to charge the company for alleged anti-competitive practices.

Developing...
Technology

Nvidia Takes an Added Role Amid AI Craze: Data-Center Designer (msn.com) 24

Nvidia dominates the chips at the center of the AI boom. It wants to conquer almost everything else that makes those chips tick, too. From a report: Chief Executive Jensen Huang is increasingly broadening his company's focus -- and seeking to widen its advantage over competitors -- by offering software, data-center design services and networking technology in addition to its powerful silicon brains. More than a supplier of a valuable hardware component, he is trying to build Nvidia into a one-stop shop for all the key elements in the data centers where tools like OpenAI's ChatGPT are created and deployed -- or what he calls "AI factories."

Huang emphasized Nvidia's growing prowess at data-center design following an earnings report Wednesday that exceeded Wall Street forecasts. The report came days after rival AMD agreed to pay nearly $5 billion to buy data-center design and manufacturing company ZT Systems to try to gain ground on Nvidia. "We have the ability fairly uniquely to integrate to design an AI factory because we have all the parts," Huang said in a call with analysts. "It's not possible to come up with a new AI factory every year unless you have all the parts." It is a strategy designed to extend the business success that has made Nvidia one of the world's most valuable companies -- and to insulate it from rivals eager to eat into its AI-chip market share, estimated at more than 80%. Gobbling up more of the value in AI data centers both adds revenue and makes its offerings stickier for customers.

[...] Nvidia is building on the effectiveness of its 17-year-old proprietary software, called CUDA, which enables programmers to use its chips. More recently, Huang has been pushing resources into a superfast networking protocol called InfiniBand, after acquiring the technology's main equipment maker, Mellanox Technologies, five years ago for nearly $7 billion. Analysts estimate that InfiniBand is used in most AI-training deployments. Nvidia is also building a business that supplies AI-optimized Ethernet, a form of networking widely used in traditional data centers. The Ethernet business is expected to generate billions of dollars in revenue within a year, Chief Financial Officer Colette Kress said Wednesday. More broadly, Nvidia sells products including central processors and networking chips for a range of other data-center equipment that is fine-tuned to work seamlessly together.

HP

Hewlett Packard To Pursue Mike Lynch's Estate For Up To $4 Billion (theguardian.com) 58

Hewlett Packard Enterprise has confirmed it will push ahead with a high court lawsuit against the estate of the deceased tech tycoon Mike Lynch in which it is seeking damages of up to $4 billion. From a report: The US company said in a statement it would follow the legal proceedings "through to their conclusion" despite Lynch's death last month when his yacht sank off the coast of Italy. HPE won a civil claim against Lynch in the English high court in 2022, after accusing him and his former finance director Sushovan Hussain of fraud over its $11 billion takeover of his software company Autonomy in 2011.

A ruling on damages is expected soon, although the judge presiding over the case, Mr Justice Hildyard, wrote in 2022 that he expected final damages to be "substantially less than is claimed." Lynch, 59, who was cleared in a separate criminal fraud trial over the Autonomy deal in the US in June, and his 18-year-old daughter Hannah, were among seven people who died after the Bayesian superyacht sank off the coast of Sicily last month.

Linux

Rust for Linux Maintainer Steps Down in Frustration With 'Nontechnical Nonsense' (theregister.com) 155

Efforts to add Rust code to the Linux kernel have suffered a setback as one of the maintainers of the Rust for Linux project has stepped down -- citing frustration with "nontechnical nonsense," according to The Register: Wedson Almeida Filho, a software engineer at Microsoft who has overseen the Rust for Linux project, announced his resignation in a message to the Linux kernel development mailing list. "I am retiring from the project," Filho declared. "After almost four years, I find myself lacking the energy and enthusiasm I once had to respond to some of the nontechnical nonsense, so it's best to leave it up to those who still have it in them."

[...] Memory safety bugs are regularly cited as the major source of serious software vulnerabilities by organizations overseeing large projects written in C and C++. So in recent years there's been a concerted push from large developers like Microsoft and Google, as well as from government entities like the US Cybersecurity and Infrastructure Security Agency, to use memory-safe programming languages -- among them Rust. Discussions about adding Rust to Linux date back to 2020 and were realized in late 2022 with the release of Linux 6.1. "I truly believe the future of kernels is with memory-safe languages," Filho's note continued. "I am no visionary but if Linux doesn't internalize this, I'm afraid some other kernel will do to it what it did to Unix."

Google

Google's James Manyika: 'The Productivity Gains From AI Are Not Guaranteed' (ft.com) 63

Google executive James Manyika has warned that AI's impact on productivity is not guaranteed [Editor's note: the link may be paywalled], despite predictions of trillion-dollar economic potential. From the report: "Right now, everyone from my old colleagues at McKinsey Global Institute to Goldman Sachs are putting out these extraordinary economic potential numbers -- in the trillions -- [but] it's going to take a whole bunch of actions, innovations, investments, even enabling policy ... The productivity gains are not guaranteed. They're going to take a lot of work." In 1987 economist Robert Solow remarked that the computer age was visible everywhere except in the productivity statistics. "We could have a version of that -- where we see this technology everywhere, on our phones, in all these chatbots, but it's done nothing to transform the economy in that real fundamental way."

The use of generative AI to draft software code is not enough. "In the US, the tech sector is about 4 per cent of the labour force. Even if the entire tech sector adopted it 100 per cent, it doesn't matter from a labour productivity standpoint." Instead the answer lies with "very large sectors" such as healthcare and retail. Former British prime minister Sir Tony Blair has said that people "will have an AI nurse, probably an AI doctor, just as you'll have an AI tutor." Manyika is less dramatic: "In most of those cases, those professions will be assisted by AI. I don't think any of those occupations are going to be replaced by AI, not in any conceivable future."

The Courts

Shrinkwrap 'Contract' Found At Costco On... Collagen Peptides (mastodon.social) 74

Slashdot covered shrinkwrap licenses on software back in 2000 and 2002. But now ewhac (Slashdot reader #5,844) writes: The user Wraithe on the Mastodon network is reporting that a bottle of Vital Proteins(TM) collagen peptides purchased at Costco came with a shrinkwrap contract. Collagen peptides are often used as an anti-aging nutritional supplement. The top of the Vital Proteins bottle has a pull-to-open seal. Printed on the seal is the following: "Read This: By opening and using this product, you agree to be bound by our Terms and Conditions, fully set forth at vitalproteins.com/tc, which includes a mandatory arbitration agreement. If you do not agree to be bound, please return this product immediately."

So-called "shrinkwrap contracts" have been the subject of controversy and derision for decades since their first widespread appearance in the 1970s, attempting to alter the terms of sale after the fact, impose unethical and onerous restrictions on the purchaser, and absolve the vendor of all liability. Most such contracts appear on items involving copyrighted works (computer software, or any item containing computer software). The alleged "validity" of such contracts supposedly proceeds from the (alleged) need that the item requires a copyright license from the vendor to use (because the right to use/read/listen/view/execute is somehow not concomitant with purchase), and that the shrinkwrap contract furnishes such license.

The application of such a contract to a good where copyright has no scope, however, is something new. The alleged contract itself governs consumers' use of "the VitalProteins.com website and any other applications, content, products, and services (collectively, the "Service")...," contains the usual we're-not-responsible-for-anything indemnification paragraph, and unilaterally removes your right to seek redress in a court of law and imposes binding arbitration for any disputes that may arise between the consumer and the company. Indeed, the arbitration clause is the first numbered section in the alleged contract.

The same contract has been spotted by numerous others — including someone who posted about it on Reddit two years ago. ("When I opened it, encountered a vacuum seal with the following 'READ THIS: by opening and using this product, you agree to...'") But the same verbiage still appears in online listings today for the product from Albertsons, Walgreens, and CVS.

Shrinkwrap contracts. They're not just for software any more...

United States

Investigation Finds 'Little Oversight' Over Crucial Supply Chain for US Election Software (politico.com) 94

Politico reports U.S. states have no uniform way of policing the use of overseas subcontractors in election technology, "let alone to understand which individual software components make up a piece of code."

For example, to replace New Hampshire's old voter registration database, state election officials "turned to one of the best — and only — choices on the market," Politico: "a small, Connecticut-based IT firm that was just getting into election software." But last fall, as the new company, WSD Digital, raced to complete the project, New Hampshire officials made an unsettling discovery: The firm had offshored part of the work. That meant unknown coders outside the U.S. had access to the software that would determine which New Hampshirites would be welcome at the polls this November.

The revelation prompted the state to take a precaution that is rare among election officials: It hired a forensic firm to scour the technology for signs that hackers had hidden malware deep inside the coding supply chain. The probe unearthed some unwelcome surprises: software misconfigured to connect to servers in Russia ["probably by accident," they write later] and the use of open-source code — which is freely available online — overseen by a Russian computer engineer convicted of manslaughter, according to a person familiar with the examination and granted anonymity because they were not authorized to speak about it... New Hampshire officials say the scan revealed another issue: A programmer had hard-coded the Ukrainian national anthem into the database, in an apparent gesture of solidarity with Kyiv.

None of the findings amounted to evidence of wrongdoing, the officials said, and the company resolved the issues before the new database came into use ahead of the presidential vote this spring. This was "a disaster averted," said the person familiar with the probe, citing the risk that hackers could have exploited the first two issues to surreptitiously edit the state's voter rolls, or use them and the presence of the Ukrainian national anthem to stoke election conspiracies. [Though WSD only maintains one other state's voter registration database — Vermont] the supply-chain scare in New Hampshire — which has not been reported before — underscores a broader vulnerability in the U.S. election system, POLITICO found during a six-month-long investigation: There is little oversight of the supply chain that produces crucial election software, leaving financially strapped state and county offices to do the best they can with scant resources and expertise.

The technology vendors who build software used on Election Day face razor-thin profit margins in a market that is unforgiving commercially and toxic politically. That provides little room for needed investments in security, POLITICO found. It also leaves states with minimal leverage over underperforming vendors, who provide them with everything from software to check in Americans at their polling stations to voting machines and election night reporting systems. Many states lack a uniform or rigorous system to verify what goes into software used on Election Day and whether it is secure.

The article also points out that many state and federal election officials "insist there has been significant progress" since 2016, with more regular state-federal communication. "The Cybersecurity and Infrastructure Security Agency, now the lead federal agency on election security, didn't even exist back then.

"Perhaps most importantly, more than 95% of U.S. voters now vote by hand or on machines that leave some type of paper trail, which officials can audit after Election Day."

Python

Python Developer Survey: 55% Use Linux, 6% Use Python 2 (jetbrains.com) 68

More than 25,000 Python developers from nearly 200 countries took the 7th annual Python Developers Survey between November 2023 and February 2024, with 85% saying Python was their main language.

Some interesting findings:
  • Though Python 2 reached "end-of-life" status in April of 2020, last year's survey found 7% of respondents were still using Python 2. This year's survey found that number has finally dropped... to 6%.

    "Almost half of Python 2 holdouts are under 21 years old," the survey results point out, "and a third are students. Perhaps courses are still using Python 2?"
  • Meanwhile, 73% are using one of the last three versions of Python (3.10, 3.11, or 3.12).
  • "The share of developers using Linux as their development environment has decreased through the years: compared with 2021, it's dropped by 8 percentage points." [The graphic is a little confusing, showing 55% using Linux, 55% using Windows, 29% on MacOS, 2% on BSD, and 1% on "Other."]
  • Visual Studio Code is the most popular IDE (22%), followed by Jupyter Notebook (20%) and Vim (17%). The next-most popular IDEs were PyCharm Community Edition (13%), JupyterLab (12%), NotePad++ (11%) and Sublime Text (9%). Interestingly, just 23% of the 25,000 respondents said they only used one IDE, with 38% saying they used two, 21% using three, and 19% using four or more. [The annual survey is a collaboration between the Python Software Foundation and JetBrains.]
  • 37% said they'd contributed to open-source projects within the last year. (77% of those contributed code, while 38% contributed documentation, 35% contributed governance/leadership/maintainer duties, and 33% contributed tests...)
  • For "age range," nearly one-third (32%) said 21-29 (with another 8% choosing 18-20). Another 33% said 30-39, while 16% said 40-49, 7% said 50-59, and 3% chose "60 or older."

    49% of respondents said they had less than two years of programming experience, with 33% saying "less than 1 year" and 16% saying "1-2 years." (34% of developers also said they practiced collaborative development.)

And here's how the 25,000 developers answered the question: how long have you been programming in Python?

  • Less than 1 year: 25%
  • 1-2 years: 16%
  • 3-5 years: 26%
  • 6-10 years: 19%
  • 11+ years: 13%

So what are they doing with Python? Among those who'd said Python was their main language:

  • Data analysis: 44%
  • Web development: 44%
  • Machine learning: 34%
  • Data engineering: 28%
  • Academic research: 26%
  • DevOps / Systems administration / Writing automation scripts: 26%
  • Programming of web parsers / scrapers / crawlers: 25%

62% were "fully employed by a company," while the next-largest category was "student" (12%) with another 5% in "working student". There were also categories for "self-employed" (6%), "freelancer" (another 6%), and "partially employed by a company" (4%). Another 4% said they were unemployed.

In other news, the Python Software Foundation board has also "decided to invest more in connecting and serving the global Python community" by hosting monthly "office hours" on their Discord channel.
