Tech News

Last week, GitHub announced that they have built a new integration to enable software teams to connect their code on GitHub.com to their projects on Jira Software Cloud. This integration updates Jira with data from GitHub, providing a better visibility into the current status of your project. What are the advantages of this new GitHub and Jira integration? No need to constantly switch between GitHub and Jira With your GitHub account linked to Jira, your team can see the branches, commit messages, and pull request in the context of the Jira tickets they’re working on. This integration provides a deeper connection by allowing you to view references to Jira in GitHub issues and pull requests. Source: GitHub Improved capabilities This new GitHub-managed app provides improved security, along with the following capabilities: Smart commits: You can use smart commits to update the status, leave a comment, or log time without having to leave your command line or GitHub View from within a Jira ticket: You can view associated pull requests, commits, and branches from within a Jira ticket Searching Jira issues: You can search for Jira issues based on related GitHub information, such as open pull requests. Check the status of development work: The status of development work can be seen from within Jira projects Keep Jira issues up to date: You can automatically keep your Jira issues up to date while working in GitHub Install the Jira Software and GitHub app to connect your GitHub repositories to your Jira instance. The previous version of the Jira integration will be deprecated in favor of this new GitHub-maintained integration. Once the migration is complete, the legacy integration (DVCS connector) is disabled automatically. Read the full announcement at the GitHub blog. 4 myths about Git and GitHub you should know about GitHub addresses technical debt, now runs on Rails 5.2.1 GitLab raises $100 million, Alphabet backs it to surpass Microsoft’s GitHub

On October 6, the release of Clojure 1.10.0-beta1 was announced. With this release, Clojure 1.10 will now be considered feature complete and only critical bug fixes will be addressed. Changes introduced in Clojure 1.10 Detecting error phase Clojure errors can occur in five distinct phases, which include read, macroexpand, compile, eval, and print. Clojure and the REPL can now identify these phases in the exception and/or the message. The read/macroexpand/compile phases produce a CompilerException and indicate the location in the caller source code where the problem occurred. CompilerException now implements IExceptionInfo and ex-data reports exception data including the optional keys: :clojure.error/source: Name of the source file :clojure.error/line: Line in source file :clojure.error/column: Column of line in source file :clojure.error/phase: This indicates the phase (:read, :macroexpand, :compile) :clojure.error/symbol - Symbol being macroexpanded or compiled Also, clojure.main now contains a new function called ex-str that can be used by external tools to get a repl message for a CompilerException to match the clojure.main repl behavior. Introducing tap tap, a shared and globally accessible system, is used for distributing a series of informational or diagnostic values to a set of handler functions. It acts as a better debug prn and can also be used for facilities like logging. Read string capture mode A new function, read+string is added that not only mimics read, but also captures the string that is read. It then returns both the read value and the (whitespace-trimmed) read string. prepl (alpha) This is a new stream-based REPL with a structured output. These are the new functions that are added in clojure.core.server: prepl: It is a REPL with structured output (for programs). io-prepl: A prepl bound to *in* and *out* suitable for use with the Clojure socket server. remote-prepl: A prepl that can be connected to a remote prepl over a socket. prepl is now alpha and subject to change. Java 8 or above required Clojure 1.10 now requires Java 8 or above. The following are few of the updates related to this change and Java compatibility fixes for Java 8, 9, 10, and 11: Java 8 is now the minimum requirement for Clojure 1.10 Embedded ASM is updated to 6.2 Reliance on jdk166 jar is removed ASM regression is fixed Invalid bytecode generation for static interface method calls in Java 9+ is now fixed Reflection fallback for --illegal-access warnings in Java 9+ is added Brittle test that fails on Java 10 build due to serialization drift is fixed Type hint is added to address reflection ambiguity in JDK 11 Other new functions in core To increase the portability of the error-handling code, the following functions have been added: ex-cause: To extract the cause exception ex-message: To extract the cause message To know more about the changes in Clojure 1.10, check out its GitHub repository. Vue.js 3.0 is ditching JavaScript for TypeScript. What else is new? Java 11 is here with TLS 1.3, Unicode 11, and more updates Rust 2018 RC1 now released with Raw identifiers, better path clarity, and other changes

In the Microsoft Surface event in New York last week, they announced a new application called Your Phone. It will work with Windows 10. The Windows phone has been dead for over two years now after Microsoft trying really hard to give it momentum. They had even acquired Nokia, a once market dominant phone maker to make Windows phones. But all of that did not work since there just weren’t enough apps to make it appealing for people to buy the handsets. The Android app mirroring feature will be available as a part of the Your Phone app for Windows 10. The app will be out with the Windows 10 October 2018 Update. https://twitter.com/Windows/status/1047224970403667969 The app mirroring is easier to achieve with Android because it is more open than iOS. After acknowledging the death of Windows Phone, Microsoft took steps to accept it and push their apps to other Mobile operating systems. This includes the release of MS Office apps like Word, Excel, and PowerPoint for both Android and iOS. They even launched a launcher for Android called the Microsoft Launcher which has over 10M downloads. Microsoft launcher brings Microsoft’s own services and Office apps connectivity to your Android phone’s home screen. It even supports the Windows 10 Timeline feature allowing you to resume Microsoft apps and sites across devices. Microsoft has now come to terms with the fact that people don’t need the Windows OS on a phone, there are better OSes already running on majority of the smartphones. Microsoft is trying to embrace other OSes as the ‘mobile version of Windows’. Android in particular, as it has less restrictions and allows incorporation of more features. https://www.youtube.com/watch?v=XO303V2bQsg The demo video displays the use of the app on an Android phone, it is not clear whether it will make it to iOS in the future. If you can access Android apps on Windows PC, you are less likely to use your phone while using a PC. Microsoft announces new Surface devices to enhance user productivity, with style and elegance A decade of Android: Slayer of Blackberry, challenger of iPhone, mother of the modern mobile ecosystem .NET Core 2.0 reaches end of life, no longer supported by Microsoft

MagicLeap has announced that they are acquiring Computes Inc to bring in advancements in the field of computing. Computess Inc had already been working in the field of decentralized mesh computing. With MagicLeap, they will now be bringing their platform to the world of spatial computing. “With over 27 billion connected devices in the world today (and growing), the Computes platform provides us with the necessary building blocks to make spatial computing available to everyone,” said Gus Pinto, VP of Product and Engineering. Computes Inc’s decentralized processing unit (DPU) orchestrates sophisticated machine learning algorithms, massively parallel computations, and large datasets in a peer-to-peer (P2P) fashion. Their services are available across datacenter, cloud, edge network, operating system, mobile or IoT device, and web browsers. With this new collaboration, Computes Inc will be working on developing a new set of computing services for developers, creators, enterprises, and end-users to help them leverage the power of spatial computing on any platform. MagicLeap will be using Computes Inc’s mesh computing to power their Computes heavy Mixed Reality and Augmented Reality services by grouping systems to push resources to the devices that need it most. With Computes Inc on board, Magic Leap may also expand its augmented reality technology to other devices. Chris Matthieu, one of the founders of Computes Inc talks about this collaboration stating, “As you know, Jade and I started Computes, Inc. based on the principle of enabling the next generation of computing, and we believe Magic Leap is the perfect home for us to achieve this vision.” Read more about the announcement on Magic Leap. Magic Leap teams with Andy Serkis’ Imaginarium Studios to enhance Augmented Reality. Understanding the hype behind Magic Leap’s New Augmented Reality Headsets. Magic Leap One, the first mixed reality headsets by Magic Leap, is now available at $2295.

Yesterday, the Ember project announced the release of version 3.4 of the three core sub-projects: Ember.js, Ember Data, and Ember CLI. Ember is an open source JavaScript frontend framework, which is based on Model-View-Viewmodel (MVVM) pattern. It enables developers to create scalable single-page web applications by incorporating common idioms and best practices into the framework. Ember.js 3.4 Ember.js 3.4 is an incremental, backward compatible release of Ember with bug fixes, performance improvements, and minor deprecations. Angle bracket invocation You can now use angle bracket invocation instead of the classic invocation syntax. For example: Instead of using the following syntax: Source: Ember You can use: Source: Ember This release does not deprecate the classic invocation syntax, but using angle bracket invocation will provide more syntax clarity. As component invocation is often encapsulating important pieces of UI, a dedicated syntax would help visually distinguish them from other handlebars constructs, such as control flow and dynamic values. Custom Component Manager This version comes with the new Custom Component Manager feature enabled by default. This allows addon authors to access a low-level API for creating component bases classes which addon users can re-use and extend components from. Deprecations Use closure actions instead of sendAction When using sendAction, the developer passes the name of an action. When sendAction is called, Ember.js would look up that action in the parent context and invoke if it exists. This poses a few problems, such as: The action is looked up only when it is about to be invoked. This makes it easier for a typo in the action’s name to go undetected. When you use sendAction you cannot receive the return value of the invoked action. Closure actions solve these problems and are also more intuitive to use. Ember 2 Legacy This is the last version that will work with the polyfill addon for features that were deprecated in 2.x. If you have been using ember-2-legacy, it's time to upgrade. Ember Data 3.4 Ember Data is the data-persistence library that provides many of the facilities of an object-relational mapping (ORM). Ember Data 3.4 is the first Ember Data LTS release. This release has received a ton of bug fixes to address many known issues that have been reported over the last several months. Some of them are listed here: TrackableRequests for when async leakage is detected. This feature enables app developers to better use async... await while simultaneously detecting asynchronous test leaks in their data layer. External partner testing is now enabled to run the tests of external apps and addons against commits in ember-data. Transpilation issues with @ember/ordered-set are fixed. Tests are added for createRecord+unloadRecord. ember-inflector is upgraded to v3.3.0. Added module-unification adapter and adapter-test blueprints. Ember CLI 3.4 Ember CLI is the command line interface to create, develop, and build Ember.js applications. Ember CLI 3.4 is an LTS release candidate. It will receive critical bug fixes for the upcoming 6 release cycles, as well as security patches for the next 10 release cycles. Added support for Node 10 Support has been added for Node 10 and support for Node 4 has been dropped from Ember CLI's support matrix. When upgrading to Ember CLI 3.4, make sure to use it together with Node 6 and above. Template linting Automatic template linting is added to your application via ember-template-lint according to the recommended list of rules. Ember CLI will generate a TemplateLint test file for each of your templates to your test suite automatically to be run via ember test. To run the linter you can also use the new command npm run lint:hbs or yarn run lint:hbs respectively. Read the full list of changes on Ember’s official website and also check out its GitHub repository. Ember project releases v3.2.0 of Ember.js, Ember Data, and Ember CLI Getting started with Ember.js – Part 1 Getting started with Ember.js – Part 2

Last week, the Git Project revealed a vulnerability, CVE-2018-17456, which can cause arbitrary code to be executed when a user clones a malicious repository. The new Git v2.19.1 has been released with a fix to this vulnerability. Also, backports in v2.14.5, v2.15.3, v2.16.5, v2.17.2, and v2.18.1 have been added. Users have been advised to update their clients in order to protect themselves. For those who have not yet updated, they can protect by simply avoiding submodules from untrusted repositories. This includes commands such as git clone --recurse-submodules and git submodule update. The community, in their post, mentions that neither GitHub.com nor GitHub Enterprise is directly affected by the vulnerability. However, as with previously discovered vulnerabilities, GitHub.com will detect malicious repositories and will reject pushes or API requests attempting to create them. Versions of GitHub Enterprise with this detection will be shipped on October 9th. About the CVE-2018-17456 vulnerability This vulnerability is similar to CVE-2017-1000117, as both are option-injection attacks related to submodules. In the previous attack, a malicious repository would ship a .gitmodules file pointing one of its submodules to a remote repository with an SSH host starting with a dash (-). The ssh program—spawned by Git—would then interpret that as an option. The new attack works in a similar way, except that the option-injection is against the child git clone itself. Learning from the previous attack, the researchers have audited all of the .gitmodules values and implemented stricter checks as appropriate. These checks should prevent a similar vulnerability in another code path. They also implemented detection of potentially malicious submodules as part of Git’s object quality checks, which was made much easier by the infrastructure added during the last submodule-related vulnerability. Products affected by the CVE-2018-17456 vulnerability GitHub Desktop GitHub Desktop versions 1.4.1 and older included an embedded version of Git that was affected by this vulnerability.  All GitHub Desktop users are encouraged to update to the newest version (1.4.2 and 1.4.3-beta0) available today in the Desktop app. Atom Atom included the same embedded Git and was also affected. Releases 1.31.2 and 1.32.0-beta3 include the patch. Users should ensure they have the latest Atom release by completing any of the following: Windows: From the toolbar, click “Help” -> “Check for updates” MacOS: From the menu bar, click “Atom” -> “Check for Update” Linux: Update manually by downloading the latest release from atom.io Git on the command line and other clients In order to be protected from the vulnerability, users must update their command-line version of Git and any other application that may include an embedded version of Git, as they are independent of each other. 4 myths about Git and GitHub you should know about 7 tips for using Git and GitHub the right way GitHub addresses technical debt, now runs on Rails 5.2.1

Last week, Nick Craver, Architecture Lead for Stack Overflow, announced that Stack Exchange is migrating to .NET Entity Framework Core (EF Core) and seek help from users to test the EF Core. The Stack Exchange community has deployed a major migration from its previous Linq-2-SQL to EF Core. Following this, Stack Overflow may also get a partial tier to deploy later today. In his post, Nick said, “Along the way we have to swap out parts that existed in the old .NET world but don't in the new.” Some changes in Stack Exchange and Stack Overflow post migration to .NET EF Core The Stack community said that they have safely diverged their Enterprise Q3 release. This means they work on one codebase for easier maintenance and the latest features will also be reflected in the .NET Entity Framework Core. Stack Overflow was written on top of a data layer called Linq-2-SQL. This worked well but had scaling issues following which the community replaced the performance critical paths with a library named as Dapper. However, the community said that until today, some old paths, mainly where they insert entries, remained on Linq-2-SQL. The community also stated that as a part of the migration, a few code paths went to Dapper instead of EF Core. This means Dapper wasn’t removed and still exists post migration. This migration may affect posts, comments, users, and other ‘primary’ object types in Q&A. Nick also added, “We're not asking for a lot of test data to be created on meta here, but if you see something, please say something!”. He further added, “The biggest fear with a change like this is any chance of bad data entering the database, so while we've tested this extensively and have done a few tests deploys already, we're still being extra cautious with such a central & critical change.” To know more about this in detail, head over to Nick Craver’s discussion thread on Stack Exchange. .NET Core 3.0 and .NET Framework 4.8 more details announced .NET Core 2.0 reaches end of life, no longer supported by Microsoft Stack Overflow celebrates its 10th birthday as the most trusted developer community

On the 5th of October, the Amazon team announced the general availability of ‘The AWS Service Operator’. This is an open source project in an alpha state which allows users to manage their AWS resources directly from Kubernetes using the standard Kubernetes CLI, kubectl. What is an Operator? Kubernetes is built on top of a 'controller pattern'. This allows applications and tools to listen to a central state manager (etcd), and take action when something happens. The controller pattern allows users to create decoupled experiences without having to worry about how other components are integrated. An operator is a purpose-built application that manages a specific type of component using this same pattern. You can check the entire list of operators at Awesome Operators. All about the AWS Service Operator Generally, users that need to integrate Amazon DynamoDB with an application running in Kubernetes or deploy an S3 Bucket for their application to use, would need to use tools such as AWS CloudFormation or Hashicorp Terraform. They then have to create a way to deploy those resources. This requires the user to behave as an operator to manage and maintain the entire service lifecycle. Users can now skip all of the above steps and deploy Kubernetes’ built-in control loop. This stores a desired state within the API server for both the Kubernetes components and the AWS services needed. The AWS Service Operator models the AWS Services as Custom Resource Definitions (CRDs) in Kubernetes and applies those definitions to a user’s cluster. A developer can model their entire application architecture from the container to ingress to AWS services, backing it from a single YAML manifest. This will reduce the time it takes to create new applications, and assist in keeping applications in the desired state. The AWS Service Operator exposes a way to manage DynamoDB Tables, S3 Buckets, Amazon Elastic Container Registry (Amazon ECR) Repositories, SNS Topics, SQS Queues, and SNS Subscriptions, with many more integrations coming soon. Looks like users are pretty excited about this update! Source: Hacker News You can learn more about this announcement on the AWS Service Operator project on GitHub. Head over to the official blog to explore how to use AWS Service Operator to create a DynamoDB table and deploy an application that uses the table after it has been created. Limited Availability of DigitalOcean Kubernetes announced! Google Cloud hands over Kubernetes project operations to CNCF, grants $9M in GCP credits Kubernetes 1.12 released with general availability of Kubelet TLS Bootstrap, support for Azure VMSS  

Today, Amazon released Smoke Framework, a lightweight server-side service framework written in the Swift programming language. The Smoke Framework uses SwiftNIO for its networking layer by default. This framework can be used for REST-like or RPC-like services and in conjunction with code generators from service models such as Swagger/OpenAPI. The framework also has a built-in support for a JSON-encoded request and response payloads. Working of Swift-based Smoke Framework The Smoke Framework provides the ability to specify handlers for operations the service application needs to perform. When a request is received, the framework will decode the request into the operation's input. When the handler returns, its response (if any) will be encoded and sent in the response. Each invocation of a handler is also passed an application-specific context, allowing application-scope entities such as other service clients to be passed to operation handlers. Using the context allows operation handlers to remain pure functions (where its return value is determined by the function's logic and input values) and hence easily testable. Parts of the Smoke framework The Operation Delegate The Operation Delegate handles specifics such as encoding and decoding requests to the handler's input and output. The Smoke Framework provides the JSONPayloadHTTP1OperationDelegate implementation that expects a JSON encoded request body as the handler's input and returns the output as the JSON encoded response body. The Operation Function By default, the Smoke framework provides four function signatures that this function can conform to ((InputType, ContextType) throws -> ()): Synchronous method with no output. ((InputType, ContextType) throws -> OutputType): Synchronous method with output. ((InputType, ContextType, (Swift.Error?) -> ()) throws -> ()): Asynchronous method with no output. ((InputType, ContextType, (SmokeResult<OutputType>) -> ()) throws -> ()): Asynchronous method with output. Error handling By default, any errors thrown from an operation handler will fail the operation and the framework will return a 500 Internal Server Error to the caller (the framework also logs this event at Error level). This behavior prevents any unintentional leakage of internal error information. Testing The Smoke Framework has been designed to make testing of operation handlers straightforward. It is recommended that operation handlers are pure functions (where its return value is determined by the function's logic and input values). In this case, the function can be called in unit tests with appropriately constructed input and context instances. To know more about this in detail, visit Smoke framework’s official GitHub page. ABI stability may finally come in Swift 5.0 Swift 4.2 releases with language, library and package manager updates! What’s new in Vapor 3, the popular Swift based web framework

Apple made its personal assistant, Siri more powerful in iOS 12 by launching Siri Shortcuts and the Shortcuts app on September 17. You can now choose from existing or create custom shortcuts for your device to accomplish everyday tasks. A shortcut is nothing but a quick way to get things done with your apps, with just a tap or by asking Siri. Siri Shortcuts Siri now learns from your phone usage and based on that suggests, simple and useful shortcuts. You can then add these shortcuts to Siri, and the next time you want to do that task, just ask Siri to do it for you by saying the phrase to run the shortcut. Shortcuts app Along with shortcuts suggested by Siri, you can use the Shortcuts app to automate your daily tasks. You can choose from several ready-made shortcuts or create custom shortcuts. It enables you to create personal shortcuts with multiple steps, also called actions from your favorite apps. Shortcuts that you create or choose from the Gallery are stored in the Library section of the app. Once you have added the shortcuts from the app Gallery or created your own, you can launch them in the app, from iOS Today View, from your iOS Home screen, or by asking Siri. Some of the things you can do with Shortcuts You can make animated GIFs Create PDFs from Safari or any app with a share sheet Get directions to the nearest coffee shop in one tap Tweet the song you're listening to Get all of the images on a web page Send a message including the last screenshot you took Moving text from one app to another Generating expense reports Shortcuts are getting very popular, so much so that there is a subreddit dedicated to sharing different ideas for creating shortcuts. You can get the Shortcuts app from the App Store. Read more about Shortcuts on Apple’s official website. Apple buys Shazam, and will soon make the app ad-free iPhone XS and Apple Watch details leaked hours before product launch Apple announces a Special Event to reportedly launch new products including “iPhone XS” and OS updates

Popular Quantum Computing Canadian startup D-Wave Systems Inc. launched a free, and real-time online Quantum Application Environment (QAE), called Leap, yesterday. What makes Leap so unique is the fact that it virtualizes quantum computing for almost anyone who has a computer and a broadband connection. Leap is the first cloud-based QAE that offers real-time access to a live quantum computer. It comes with open-source development tools, interactive demos, coding examples, educational resources, and knowledge base articles. Leap is designed for developers, researchers, and businesses. Its online community enables collaboration, thereby, helping Leap users write and run quantum applications. This accelerates the development of real-world applications. Major features of Leap Leap QAE provides free access to a D-Wave 2000Q quantum computer which lets you submit and run applications, helping receive solutions in seconds. It comes with an open-source Ocean software development kit (SDK). This comprises built-in templates for algorithms, along with an ability to develop new code using a familiar programming language, Python. Leap also provides Hands-on coding option. This consists of interactive examples in the form of Jupyter notebooks with live code, equations, visualizations, and narrative text to jumpstart the process of quantum application development. Apart from that, it offers learning resources, which includes comprehensive live demos and educational resources. This helps developers in writing applications for a quantum computer, quickly. It also offers Community support which includes community and technical forums enabling easy developer collaboration. Leap is an outcome of D-Wave’s continuous efforts to drive the real-world quantum application development forward. D‑Wave customers have built 100 early applications so far for problems such as airline schedules, election modeling, quantum chemistry simulation, automotive design, logistics, and more. A lot of them have built software tools that make it easy to develop new applications. These existing applications and tools, along with an access to a growing community, provide developers with a wealth of examples to learn from and build upon. “Our job is to sift through the sands of data to find the gold—information that will help our manufacturing customers increase equipment efficiency and reduce defects. With D‑Wave Leap, we are showing we can solve computationally difficult problems today, while also learning and preparing for new approaches to AI and machine learning that quantum computing will allow,” said Abhi Rampal, CEO of Solid State AI. Apart from D-Wave, Rigetti Computing, a California-based developer of quantum integrated circuits also launched Quantum Cloud Services last month, to bring together the best of classical and quantum computing on a single cloud platform. For more information, check out the official D-Wave blog post. Did quantum computing just take a quantum leap? A two-qubit chip by UK researchers makes controlled quantum entanglements possible Quantum Computing is poised to take a quantum leap with industries and governments on its side “The future is quantum” — Are you excited to write your first quantum computing code using Microsoft’s Q#?

Yesterday, the Linux Foundation announced that the Node.js Foundation and JS Foundation have agreed to possibly create a joint organization. Currently, they have not made any formal decisions regarding the organizational structure. They clarified that joining forces will not change the technical independence or autonomy for Node.js or any of the 28 JS Foundation projects such as Appium, ESLint, or jQuery. A Q&A session will be held at Node+JS Interactive from 7:30 am to 8:30 am PT, October 10 at West Ballroom A to answer questions and get community input on the possible structure of a new Foundation. Why are Node.js and JS Foundations considering merging? The idea of this possible merger came from a need for a tighter integration between both foundations to provide greater support for Node.js and a broader range of JavaScript projects. JavaScript is continuously evolving and being used for creating applications ranging from web, desktops, and mobile. This calls for increased collaboration in the JavaScript ecosystem to sustain continued and healthy growth. What are the goals of this merger? Following are few of the goals of this merge aimed at benefiting the broad Node.js and JavaScript communities: To provide enhanced operational excellence Streamlined member engagement Increased collaboration across the JavaScript ecosystem and affiliated standards bodies This “umbrella” project structure will bring stronger collaboration across all JavaScript projects With a single, clear home available for any project in the JavaScript ecosystem, projects won’t have to choose between the JS and Node.js ecosystems. Todd Moore, Node.js Board Chairperson and IBM VP Opentech, believes this merger will provide improved support to contributors: “The possibility of a combined Foundation and the synergistic enhancements this can bring to end users is exciting. Our ecosystem can only grow stronger and the Foundations ability to support the contributors to the many great projects involved improve as a result.” How are developers feeling about this potential move? Not many developers are happy about this merger, which led to a discussion on Hacker News yesterday. One of the developers feels that the JS Foundation has been neglecting their responsibility towards many open source projects. They have also seen a reduction in funding and alienated many long-time contributors. According to him, this step could be “a last-ditch effort to retain some sort of relevancy.” On the other hand, one of the developers feels positive about this merge: “The JS Foundation is already hosting a lot of popular projects that run in back-end and build/CI environments -- webpack, ESLint, Esprima, Grunt, Intern, JerryScript, Mocha, QUnit, NodeRed, webhint, WebDriverIO, etc. Adding Node.JS itself to the mix would seem to make a lot of sense.” What we think of this move? This merger, if it happens, could unify the fragmented Javascript ecosystem bringing some much-needed relief to developers. It could also bring together sponsor members of the likes Google, IBM, Intel, and others to support the huge number of JavaScript open source projects. We must add that we find this move as a reaction to the growing popularity of Python, Rust, and WebAssembly, all invading and challenging JavaScript as the preferred web development ecosystem. If you have any questions regarding the merger, you can submit them through this Google Form provided by the two foundations. Read the full announcement at the official website of The Linux Foundation and also check out the announcement by Node.js on Medium. Node.js announces security updates for all their active release lines for August 2018 Why use JavaScript for machine learning? The top 5 reasons why Node.js could topple Java

It's been a year since the Project zero team published the results of their research about the resilience of modern browsers against DOM fuzzing. They also published Domato, their DOM fuzzing tool that was used to find those bugs. The results of the research were astonishing since Apple Safari, or more specifically, WebKit (its DOM engine) did not fare well in this test. The team decided to revisit the project again using exactly the same methodology and exactly the same tools to see whether the browsers have managed to implement better security mechanisms. The Test Setup In the previous research, the fuzzing was initially done against WebKitGTK+ and then all the crashes were tested against Apple Safari running on a Mac. In this research, WebKitGTK+ version 2.20.2 was used. To improve the fuzzing process, a couple of custom changes were made to WebKitGTK+ . For instance: Building WebKitGTK+ with ASan (Address Sanitizer) is now possible Changed window.alert() implementation to immediately call the garbage collector instead of displaying a message window. Generally, when a DOM bug causes a crash, due to the multi-process nature of WebKit, only the web process would crash, but the main process would continue running. Code was added to crash the main process when the web process crashes The team created a custom target binary. Results Obtained After running the fuzzer for 100.000.000 iterations, the team discovered 9 unique bugs that were reported to Apple. The bugs are summarized in the table below. All of these bugs have been fixed at the time of release of this blog post.   Project Zero bug ID CVE Type Affected Safari 11.1.2 Older than 6 months Older than 1 year 1593 CVE-2018-4197 UAF YES YES NO 1594 CVE-2018-4318 UAF NO NO NO 1595 CVE-2018-4317 UAF NO YES NO 1596 CVE-2018-4314 UAF YES YES NO 1602 CVE-2018-4306 UAF YES YES NO 1603 CVE-2018-4312 UAF NO NO NO 1604 CVE-2018-4315 UAF YES YES NO 1609 CVE-2018-4323 UAF YES YES NO 1610 CVE-2018-4328 OOB read YES YES YES UAF = use-after-free. OOB = out-of-bounds Out of the 9 bugs found, 6 affected the release version of Apple Safari, directly affecting Safari users. While this is significantly less than the 17 bugs found a year ago, it is still a notable number, especially since the fuzzer has been public for a long time now. After the results were in, the team found that most of the bugs were sitting in the WebKit codebase for longer than 6 months, however, only 1 of them is older than 1 year. Also, the team notes that throughout the past year, their fuzzing process came up with 14 bugs but they cannot surely say if these bugs have been resolved or are still live. The Exploit performed on the bugs To prove that bugs like this can lead to a browser compromise, an exploit was written for one of them. Out of the 6 issues affecting the release version of Safari, the researchers selected the use-after-free issue to exploit. The details of this issue are well explained in Project Zero’s Blog post. The exploit was successfully tested on Mac OS 10.13.6 (build version 17G65). All the details of the exploit can be seen at bugs.chromium.org. An interesting aspect of this exploit is that, on Safari for Mac OS it could be written in a very "old-school' way due to lack of control flow mitigations on the platform. That being said, on the latest mobile hardware and in iOS 12, which was published after the exploit was already written, Apple introduced control flow mitigations by using Pointer Authentication Codes (PAC). The issues were reported to Apple between June 15 and July 2nd, 2018. On September 17th 2018, Apple published security advisories for iOS 12, tvOS 12 and Safari 12 which fixed all of the issues. Although the bugs were fixed at that time, the corresponding advisories did not initially mention them. The issues described in the blog post were only added to the advisories one week later, on September 24, 2018, when the security advisories for macOS Mojave 10.14 were also published. The researchers affirm that there were clear improvements in WebKit DOM when tested with Domato. However, the public fuzzer was still able to find a large number of bugs. This is worrying because if a public tool was able to find that many bugs, private tools can be even more effective in exploiting these bugs. To know more about this experiment, head over to Google Project Zero’s official Blog. Google Project Zero discovers a cache invalidation bug in Linux memory management, Ubuntu and Debian remain vulnerable Google, Amazon, AT&T met the U.S Senate Committee to discuss consumer data privacy, yesterday Ex-googler who quit Google on moral grounds writes to Senate about company’s “Unethical” China censorship plan

WebAssembly is changing the way we use develop applications for the web. Graphics heavy applications, browser based games, and interactive data visualizations seem to have found a better way to our UI - the WebAssembly way. The latest Blazor 0.6 experimental release from Microsoft is an indication that Microsoft has identified WebAssembly as one of the upcoming trends and extended support to their bevy of developers. Blazor is an experimental web UI framework based on C#, Razor, and HTML that runs in the browser via WebAssembly. Blazor promises to greatly simplify the task of building, fast and beautiful single-page applications that run in any browser. The following image shows the architecture of Blazor. Source: MSDN Blazor has its own JavaScript format - Blazor.js. It uses mono, an open source implementation of Microsoft’s .NET Framework based on the ECMA standards for C# and the Common Language Runtime (CLR). It also uses Razor, a template engine that combines C# with HTML to create dynamic web content. Together, Blazor is promising to create dynamic and fast web apps without using the popular JavaScript frontend frameworks. This reduces the learning curve requirement for the existing C# developers. Microsoft has released the 0.6 experimental version of Blazor on October 2nd. This release includes new features for authoring templated components and enables using server-side Blazor with the Azure SignalR Service. Another important news from this release is that the server side Blazor model will be included as Razor components in the .Net core 3.0 release. The major highlights of this release are: Templated components Define components with one or more template parameters Specify template arguments using child elements Generic typed components with type inference Razor templates Refactored server-side Blazor startup code to support the Azure SignalR Service Now the important question is how is this release going to fuel the growth of WebAssembly based web development? The answer is that probably it will take some time for WebAssembly to become mainstream because this is just the alpha release which means that there will be plenty of changes before the final release comes. But why Blazor is the right step ahead can be explained by the fact that unlike former Microsoft platforms like Silverlight, it does not have its own rendering engine. Hence pixel rendering in the browser is not its responsibility. That’s what makes it lightweight. Blazor uses the browser’s DOM to display data. However, the C# code running in WebAssembly cannot access the DOM directly. It has to go through JavaScript. The process looks like this presently. Source: Learn Blazor The way this process happens, might change with the beta and subsequent releases of Blazor. Just so that the intermediate JavaScript layer can be avoided. But that’s what WebAssembly is at present. It is a bridge between your code and the browser - which evidently runs on JavaScript. Blazor can prove to be a very good supportive tool to fuel the growth of WebAssembly based apps. Why is everyone going crazy over WebAssembly? Introducing Wasmjit: A kernel mode WebAssembly runtime for Linux Unity Benchmark report approves WebAssembly load times and performance in popular web browsers

.NET Core 3.0 was announced in May this year, it adds support for building desktop applications using WinForms, WPF, and Entity Framework 6. Updates to .NET Framework were also announced which enable use of new modern controls from UWP in existing WinForms and WPF applications. Now, more details are out on both of them. .NET Core 3.0 .NET Core 3.0 addresses three scenarios asked by the .NET framework developer community. Multiple versions of .NET on the same machine As of now, only one version of .NET Framework can be installed on a machine. An update to the .NET Framework poses a risk of a security fix, bug fix, or new API breaking applications on the machine. Now Microsoft aims to solve this problem by allowing multiple versions of .NET Core  to reside on one machine. The applications that need to be stable can be locked to one of the stable versions then later on be moved to use the newer version as it is ready. Embedding .NET directly into an application Since there can only be one version of .NET Framework on a machine, to take advantage of the latest framework or language features, the newer version needs to be installed. With .NET Core, you can now ship the framework as a part of an application. This enables developers to take advantage of the new features of the latest version without having to wait for the framework to install. Taking advantage of .NET Core features The side-by-side nature of .NET enables introduction of new innovative APIs and Base Class Library (BCL) improvements without the risk of breaking compatibility. WinForms and WPF applications on Windows can now take advantage of the latest .NET Core features. These features include more fundamental fixes for a better high-DPI support. .NET Framework 4.8 .NET Framework 4.8 also addresses three scenarios asked for by the .NET Framework developer community. Modern browser and media controls .NET desktop applications use the Internet Explorer and Windows Media Player for displaying HTML and playing media files. These legacy controls don’t show the latest HTML or play the latest media files. Hence, Microsoft is adding new controls to advantage of Microsoft Edge and newer media players thereby supporting the latest standards. Access to touch and UWP Controls The Universal Windows Platform (UWP) contains new controls to take advantage of the latest Windows features and the devices with touch displays. The code in your application does not have to be rewritten to use these new features and controls. Microsoft is going to make them available to WinForms and WPF enabling the developers to take advantage of these new features in the existing code of applications created. Improvements for high DPI The standard resolution of computer displays is steadily becoming 4K and now even 8K resolutions are available. WIth the newer versions WinForms and WPF applications will look great on these high resolution displays. The future of .NET .NET Framework is installed over one billion machines, hence even a security fix introducing a bug will affect a lot of devices. .NET Core is a fast-moving version of .NET. Because of its side-by-side nature it can take changes that can prove very risky in .NET Framework. Meaning, .NET Core is bound to get new APIs and language features over time that .NET Framework cannot. If your existing applications are on .NET Framework, there is no immediate need to move to .NET Core. For more details, visit the Microsoft Blog. .NET Core 2.0 reaches end of life, no longer supported by Microsoft .NET announcements: Preview 2 of .NET Core 2.2 and Entity Framework Core 2.2, C# 7.3, and ML.NET 0.5 Microsoft’s .NET Core 2.1 now powers Bing.com