Tech News - Web Development

This year's F8 Conference is one of the most closely watched ever, but not necessarily for the right reasons. Thanks to the Cambridge Analytica scandal and Mark Zuckerberg getting flustered in front of Congress, the spotlight is shining brightly over Facebook and its CEO. Zuckerberg's keynote speech was a focal point. Would he apologize? What would the big announcements be? In truth, the keynote was actually pretty interesting. There were some big surprises and interesting developments. Notably absent, however, was any form of apology from Zuckerberg. The MIT Technology Review were particularly incisive on this: '“Safety,” yes; “sorry,” no' runs the headline on their F8 Conference analysis. So while the F8 keynote speech may have lacked an apology, it was an interesting exercise in avoiding the issue. There was plenty of positivity, and lots of new initiatives that indicate that Facebook remains an optimistic and forward thinking organization. Either that, or labouring under considerable seld-deception - that depends on your viewpoint. 5 announcements from Facebook's F8 Conference you need to know So, let's take a look at 5 of the biggest announcements from Facebook's F8 Conference and what they might mean. Facebook is going to launch a dating app What's the best way to say sorry? Build a dating app! That way you can detract attention from the problems your product may or may not be causing civic society as people begin to get distracted by ill-advised crushes and unnecessary flirting. There are a number of ways you could view this announcement. On the one hand it looks a lot like Hubris, trying to beat established dating apps like Tinder at their own game. From this angle, it certainly looks like a feint to distract people from some of the thornier issues around the platform. But on the other hand it might just be a genius move from Zuckerberg. Literally billions of people live their lives on Facebook; why shouldn't their love lives be a part of that too? When you consider that the share value of Match Group - the organization that owns Tinder and OKCupid - took a tumble, Facebook might just be on to a winner to get itself out of a hole. Facebook is going to let you clear your history Although much of the commentary on Zuckerberg's F8 Conference keynote speech has been critical of the Facebook chief, one announcement did indicate that perhaps Facebook is actually learning its lessons. "Clear History" is a feature that does exactly what you think it does. It allows you to wipe any data that has been collected by sites and third party applications. Zuckerberg was keen to warn that this feature might make the experience 'worse' for users. This is what he said: "When you clear your cookies in a browser, you may have to sign back into dozens of websites... The same is going to be true here. Your Facebook won’t be quite as good as it relearns your preferences. But after going through our systems, this is the kind of control we think people should have.” It will be interesting to see whether users actually do want this level of control, or whether they're happy to give up some degree of privacy for greater personalization and convenience. The Facebook app review process is coming back By contrast, this announcement from Zuckerberg looks a lot more like an attempt to draw a line under the problems have been facing over the last few months. After closing the app review process following the Cambridge Analytica scandal, it was revealed that third party apps and chatbots would be able to go through the process once again. It's not clear how much this process will have changed and whether any other forms of governance will be in place - that remains to be seen. However, Zuckerberg didn't reveal a date as to when this might happen. Whether that means they need more time to refine the process or they're simply delaying it, it suggests that this announcement was as much to strike a tone of positivity with the developers in attendance. Facebook is simplifying the messenger app Anyone who has used Facebook messenger will know how irritating it can be too use. It certainly isn't minimal, and it would be hard to describe it as slick. This is something Zuckerberg seemed to appreciate, saying "when you’re messaging, you really want a simple and fast experience." This announcement was a nice counterpoint to news around the dating app. Just as it looks like Facebook has finally thrown the kitchen sink and everything else into the user experience, Zuckerberg takes a step back with a clear acknowledgement of user needs. A clean and slick application might not make you forgive him for undermining the foundations of western democracy, but it does make the bitter pill of reality in 2018 a little easier to swallow. Oculus Go is now available for $199 The VR headset market has been quietly growing. With the Oculus Go, Facebook have a product that might just capture the attention of millions of people who haven't yet felt comfortable with the options out there. Not only is it relatively cheap at $199, it's been described as a "game-changer" by TechCrunch. The reviewer writes that the headset "minimizes friction and promotes a surprisingly capable baseline for bringing new consumers into VR for the first time." With VR memories also touted to soon hit news feeds, Facebook might just be on course to make VR mainstream. Despite the hype, no one has been able to do that yet. F8 Conference: was Zuckerberg papering over the cracks? Clearly, there was plenty to get excited about in Zuckerberg's keynote speech. Whether you're a Facebook user or developer, there's enough to make you think there's still plenty of life and confidence in the platform yet. Perhaps rumours of its slow death have been exaggerated. But you can't deny there are problems at Facebook. A dating app isn't going to fix them. Oculus Go isn't going to transform the fortunes of the company overnight. What Facebook really needs is a frank conversation about what it does well. And that, really, is about delivering a platform users can't help but use. Once this year's F8 Conference is over, maybe that conversation can happen. Until then, let's just watch what happens over the next few days.

Yesterday, the team behind D3.js rolled out D3.js 5.8.0. Data-Driven Documents or D3 is a JavaScript library using which you can create dynamic, interactive data visualizations in web browsers. Updates are introduced in the following modules: d3-force The iterations argument is added to simulation.tick. A bug is fixed when initializing nodes with fixed positions. d3-scale The following new features are added: The domain and range convenience constructors for all scale types Default constructors for sequential and diverging scales The d3.tickFormatReturns function, a number format function for displaying a tick value The d3.scaleSymlog function, which constructs a new continuous scale with the specified domain and range Transformed sequential scales, for example, d3.scaleSquentialLog Transformed diverging scales, for example, d3.scaleDivergingLog d3.scaleSequentialQuantile for p-quantiles scale.unknown for all scale types Unlimited band.paddingOuter and point.padding d3-selection The selection.join method is added, a convenient alternative to the more explicit selection.enter, selection.exit, selection.append, and selection.remove. selection.order is updated to enforce relative position, rather than exact siblings. Vendor fallback for element.matches in selection.filter and d3.matcher is removed. d3-transition The transition.end is added, which returns a promise that resolves when every selected element finishes transitioning. A cancel event is added to transition.on. Performance of transition.style and transition.attr is improved To read the full list of updates on the GitHub repository of D3.js. Introducing Cycle.js, a functional and reactive JavaScript framework Introducing Howler.js, a Javascript audio library with full cross-browser support 16 JavaScript frameworks developers should learn in 2019

Yesterday, the team behind Brave, a privacy-focused browser, announced that they are previewing their upcoming digital advertising model, Brave Ads, in Brave’s Developer channel. Brave Ads will feature in the upcoming Brave 1.0 release through which users will receive 70% of the gross ad revenue. This advertising model is opt-in and does not replace ads on websites. Users can decide how many ads they would like to see. Currently, the Brave Beta version does not include advertiser confirmation or user payment for ad views. In the coming weeks, the team will be rolling out updates to allow users to earn BAT (Basic Attention Tokens) for viewing ads. How Brave Ads work? Those users who choose to see Brave Ads are notified about the offers as they browse the web. Once they agree to engage with these notifications, they are presented with a full-page ad in a private ad tab. The Brave team mentions that this feature will ensure that user privacy is not compromised and does not leak user’s personal data from their device, “Unlike conventional digital ads, ad matching happens directly on the user’s device, so a user’s data is never sent to anyone, including Brave. Accessing user attention no longer entails large scale user data collection.” Users will get the reward in the form of BAT via the integrated Brave Rewards in their browser. They can donate their earned BAT on a monthly basis to their favorite sites or use it as a tip for content creators. This model will be extended to allow BAT’s usage for premium content, services, or withdraw it from their wallets. Once the confirmations become available, users will be paid at the end of each calendar month. Chromium-based Brave browser shows 22% faster page load time than its Muon-based counterpart Chrome 72 Beta releases with public class fields, user activation, and more Google’s V8 7.2 and Chrome 72 gets public class fields syntax; private class fields to come soon

Uber has revamped their monolithic framework design with a brand new Fusion.js web framework. This plugin-based open source web framework makes it easy to develop lightweight and high-performing apps. Fusion.js is a JavaScript framework that comes with modern features like hot module reloading, data-aware server-side rendering, and bundle splitting support. It also supports popular libraries like React and Redux. Why was Fusion.js required? Uber has been in the app-development business for quite some time now. With the quickly changing web technologies, they wanted to build a high quality framework with modern features which also kept up with the dynamic nature of their web platform. Specifically, they wanted their new framework to address the following pain points: Complex configuration and required boilerplate of multiple tools needed for server-side rendering, code splitting, and hot module reloading Lack of good abstractions for implementing and sharing features that involve different aspects of server-rendered React applications Tight coupling of code located in different places Testing difficulties arising from side effects and singletons Lack of flexibility of a monolithic framework Fusion.js addresses all of these problems. What are the benefits of using Fusion.js? On top of the benefits of a pre-configured, optimized boilerplate, Fusion.js also provides a flexible plugin-based architecture which makes it appropriate for building single-page applications and web apps that depend on complex service layers to meet quality requirements. Fusion.js applications allow apps to have a single entry point file and it’s possible to reuse code on both the server and browser. The single entry point architecture allows plugin developers to co-locate snippets of code based on the library the code pertains to. Plugins use dependency injection so they can expose well-defined APIs as services to other plugins, and a plugin’s dependencies can easily be mocked during tests. For middleware management, Uber uses Koa, which provides a unit-test friendly context-based API. It has a lightweight abstraction for request lifetime management based on the concept of downstreams and upstreams. Fusion.js provides testing tools for developers to test plugins in addition to supporting modern testing tools such as Jest, Enzyme, and Puppeter. The fusion-test-utils package allows mocking the server itself, making it possible to quickly run integration tests between plugins and mocks. For now, over 60 repositories of Uber are using Fusion.js since its internal release. Next in the roadmap are the addition of more performance optimizations, test-oriented tooling, and better flow support. You can checkout the documentation and Github for further information. Masonite 2.0 released, a Python web development framework Is web development dying? Meet Sapper, a military grade PWA framework inspired by Next.js

On Monday, Google announced that it has partnered with Automattic Inc., the parent company of WordPress.com, to develop an advanced open-source publishing and revenue-generating platform for news organizations named Newspack. Under the Google News Initiative, they have invested $1.2 million towards their efforts in building this platform. The purpose of this platform is to help journalists put their full energy in covering stories instead of worrying about designing websites, configuring CMSes, or building commerce systems. Google mentioned in the post, “It is trying to help small publishers succeed by building best practices into the product while removing distractions that may divert scarce resources. We like to call it "an opinionated CMS:” it knows the right thing to do, even when you don’t.” It will also provide publishers full access to all the plugins created by the WordPress developer community. Automattic, in an announcement, called for small and medium-sized digital news organizations to become charter participants in the development of Newspack. If you want to become one of the partners, you can fill in the form issued by Automattic, which is due by 11:59 p.m. Eastern Time (UTC -5:00) on February 1. The platform’s beta version is estimated to be released near the end of July and will be made available to publishers globally later this year. To get a better idea of the features and capabilities needed by publishers and their business impact, Automattic will be working with Spirited Media and News Revenue Hub. Spirited Media operates local digital news sites in Denver, Philadelphia, and Pittsburgh, and News Revenue Hub provides revenue solutions for digital publishers. In addition to Google, other funding organizations for this platform include The Lenfest Institute for Journalism, ConsenSys, the organization backing Civil Media, and The John S. and James L. Knight Foundation. WordPress 5.0 (Bebo) released with improvements in design, theme and more Introduction to WordPress Plugin Google and Waze share their best practices for canary deployment using Spinnaker

Yesterday, the Fedora team announced the release of Fedora 31. This release brings in a few visual changes and performance improvements for Fedora users. Key changes and features in Fedora 31 Let us take a look at the key changes and new features added in this release. Latest GNOME 3.34 release brings in performance improvement With the latest GNOME 3.34 update, Fedora Workstation users will find certain visual changes and performance improvements. It will be easier to change the background or lock screen wallpaper with GNOME 3.34. In addition to this, users can create application folders in the overview to organize app drawer. Basically, new features included in GNOME 3.34 directly reflects in this release. You can check out the official blog post by GNOME.org that covers important changes with GNOME 3.34 for Fedora 31. Dropping 32-bit support In this release, users will no longer find 32-bit bootable images. The team has completely dropped the support for 32-bit i686 kernel. However some of the most popular 32-bit packages like Steam and Wine will continue to work. Docker package removed If you are using Docker, it is worth noting that this release has enabled CGroups V2 by default and removed Docker package. The official Fedora wiki page highlights this particular change as follows: “The Docker package has been removed from Fedora 31. It has been replaced by the upstream package moby-engine, which includes the Docker CLI as well as the Docker Engine. However, we recommend instead that you use podman, which is a Cgroups v2-compatible container engine whose CLI is compatible with Docker’s. Fedora 31 uses Cgroups v2 by default.” Updated packages in Fedora 31 Several packages are updated, some of the notable upgrades are: Glibc 2.30 NodeJS 12 Python 3 Updated Fedora flavors & improved hardware support For desktop users, Fedora Workstation matters, but this release will have a significant impact on other Fedora editions like Fedora Astronomy, Fedora IoT and so on. The team has improved support for certain SoCs like Rock64, RockPro 64 and several other chips. If you want more details on this news, you can take a look at the official Fedora changelog page. Fedora announces the first preview release of Fedora CoreOS as an automatically updating Linux OS for containerized workloads Fedora Workstation 31 to come with Wayland support, improved core features of PipeWire, and more Fedora 30 releases with GCC 9.0, GNOME 3.32, performance improvements, and much more!

Yesterday, the team behind Django released Django 2.2 alpha 1.0. Django 2.2 is designated as LTS, which means it will receive security updates for at least three years after its expected release in April 2019. This version will come with two new constraints classes, some minor features, and deprecates Meta.ordering. It is compatible with Python 3.5, 3.6, and 3.7. Here are some of the updates that Django 2.2 will come with: Constraints: Two new constraint classes are defined in django.db.models.constraints for adding custom database constraints, namely, CheckConstraint and UniqueConstraint. These classes are also imported into django.db.models for convenience. django.contrib.auth: A request argument is added to the RemoteUserBackend.configure_user() method as the first positional argument, if it accepts it. django.contrib.gis: Oracle support is added for the Envelope function and SpatiaLite support for the coveredby and covers lookups. django.contrib.postgres: A new ordering argument is added to the ArrayAgg and StringAgg classes for determining the ordering of aggregated elements. With new BTreeIndex, HashIndex, and SpGistIndex classes, you can now create B-Tree, hash, and SP-GiST indexes in the database. Internationalization: Support and translations are added for the Armenian language. Backward incompatible updates Database backend API: These are some of the changes that will be needed in third-party database backends: They must support table check constraints or set DatabaseFeatures.supports_table_check_constraints to False. Support for ignoring constraints or uniqueness errors while inserting is needed or you can set DatabaseFeatures.supports_ignore_conflicts to False. Support for partial indexes is needed or you can set DatabaseFeatures.supports_partial_indexes to False. DatabaseIntrospection.table_name_converter() and column_name_converter() are now removed. Third-party database backends will may have to implement DatabaseIntrospection.identifier_converter() instead. Other changes Admin actions: In this version, admin actions now follow standard Python inheritance and are no longer collected from the base ModelAdmin classes. TransactionTestCase serialized data loading: At the end of the test, initial data migrations are now loaded in TransactionTestCase after the flush. Earlier, this data was loaded at the beginning of the test, which prevented the test --keepdb option from working properly. sqlparse: The sqlparse module will be automatically installed with Django as it is now a required dependency. This change is done to simplify a few parts of Django’s database handling. Permissions for proxy models: You can now create permissions for proxy models using the content type of the proxy model rather than the content type of the concrete model. Django 2.1.2 fixes major security flaw that reveals password hash to “view only” admin users Django 2.1 released with new model view permission and more Python web development: Django vs Flask in 2018

Yesterday, the team at Redox released Redox OS 0.5.0, a Unix like operating system written in Rust. The team has added important programs and libraries to this release. What’s new in Redox OS 0.50? Cairo This release comes with Cairo, a 2D graphics library that supports multiple output devices. It produces consistent output on all output media and takes advantage of display hardware acceleration when available. It is implemented as a library which is written in the C programming language, while the bindings are available for various programming languages. relibc Redox OS 0.50 features relibc, a portable POSIX C standard library which is written in Rust and supports Redox and Linux. It reduces the issues with newlib and further creates a safer alternative to a C standard library. It has been designed to be used under redox, as an alternative to newlib. Event system The event system has been redesigned for providing support for select and poll. This release comes with new packages added to the Cookbook as well as for memory mapping support implemented in it. Standard images This release comes with new images based on new bootloaders for coreboot and EFI. The team has worked towards providing libraries for EFI Rust development and for developing coreboot payloads in Rust. LLVM This release also features the LLVM Project which is a collection of modular and reusable compiler and toolchain technologies. The LLVM Core libraries come with a target-independent optimizer and a code generation support for popular CPUs.          GLib This version of Redox OS comes with GLib which is the low-level core library that forms the basis for projects such as GTK+ and GNOME.                   Pixman Redox OS 0.50 comes with Pixman that is a low-level software library for pixel manipulation that features image compositing and trapezoid rasterization. Orbital widget toolkit This release comes with Orbital Widget Toolkit which is a multi-platform GUI toolkit for building user interfaces with Rust. This toolkit is based on the entity component system pattern which provides a functional-reactive API. It provides fast performance and ease over cross-platform development. Few users are happy and excited about this release and are appreciating the Redox team. A user commented on HackerNews, “Congrats on getting another release out the door! I was beginning to fear that momentum was stalling in lieu of PopOS. Keep up the great work!” The developer of Redox OS shared that there are still security concerns in the kernel with regards to memory management. He commented, “There are a couple known security issues in the kernel regarding memory management. One is that memory is granted in pages, so buffers passed to a scheme are over-mapped for the process handling it. You have to be root to handle a scheme, so it was not a high severity issue.” He further added that there are concerns with the grants which can be dropped by owning process and highlighted that more kernel work is needed. He commented, “Another is that grants can be dropped by the owning process while in use by another process. This can lead to the re-allocation of said grants in the owning process, making memory accessible to the other users of the grant. More kernel work is needed to prevent schemes from leaking data in this manner.” To know more about this news in detail, check out Redox’s official announcement. Fedora 31 will now come with Mono 5 to offer open-source .NET support LLVM 8.0.0 releases! JUnit 5.4 released with an aggregate artifact for reducing your Maven and Gradle files  

Yesterday, Mozilla announced the release of Firefox 68, which brings new updates like support for BigInts, Contrast Checks, dark mode in reader view, and a reimplemented URL bar. They have also added Enhanced Tracking Protection which blocks known “third-party tracking cookies” by default. Improved extension security and discovery Firefox 68 comes with a new reporting feature in ‘about:addons’ using which you can report any security and performance issues with extensions and themes. The team has also redesigned the extensions dashboard in ‘about:addons’ where you can find all the information about your extensions including data and settings access required by each extension. You can get high quality, secure extensions from Mozilla’s Recommended Extensions program present in ‘about:addons’. These recommended extensions are indicated by special badging on addons.mozilla.org (AMO): Source: Mozilla Additionally, to provide users improved protection from threats and annoyances on the web, Firefox 68 comes with cryptomining and fingerprinting protections added to strict content blocking settings in Privacy & Security preferences. Read also: Mozilla adds protection against fingerprinting and Cryptomining scripts in Firefox Nightly and Beta Support for JavaScript BigInt Firefox 68 comes with support for JavaScript’s new BigInt numeric type, which is currently in stage 3 of the ECMAScript specification. Previously, JavaScript only had the Number numeric type. As JavaScript considers numbers as floating-point, they can represent both integers and decimal fractions. Source: Mozilla However, the limitation is that 64-bits floats fail to reliably represent integers larger than 2 ** 53. To make working with large number easier, a new primitive is introduced, BigInt. It provides a way to represent whole numbers larger than 2 ** 53. Updates in DevTools In addition to enhancing the already smart debugging tools, Firefox 68 brings more improvements in DevTools: Accessibility checks in DevTools: This release ships with a new capability for DevTools that check for basic accessibility issues in your web pages. The Accessibility Inspector now comes with a new ‘Check’ that currently reports any color contrast issue with text on a page. The Firefox team plans to add a number of audit tools to highlight accessibility problems on your website in future releases. A way to emulate print media from DevTools: A button is added to the Page inspector using which you can enable “print media emulation”. This makes it easy to see what elements of a page will be visible when printed. Improved CSS warnings: The Web console will show you more information about CSS warnings and include a link to related nodes. A Web console filter: You can now filter content in the Web console using a valid regular expression. Here’s a video showing how this works: https://youtu.be/E6bGOe2fvW0 Web compatibility This release fixes a few web compatibility issues to ensure that every user will be able to access a website regardless of their choice of device or browser: Internet Explorer’s legacy rules property and addRule() and removeRule() CSS methods are added to the CSSStyleSheet interface. Safari’s ‘-webkit-line-clamp’ CSS property is also added. Support for CSS scroll snapping Firefox 68 comes with support for CSS scroll snapping that gives you a standardized way to control the behavior of scrolling inside a container. It works in a very similar fashion to how native apps work on phones and tablets. Now that this update has landed in Firefox, developers will have the same version of the specification as Chrome and Safari. Developers who have used the old Firefox implementation of the Scroll Snap specification are required to update their code, otherwise scroll snapping will no longer work in Firefox 68 and up. The reimplemented URL bar, QuantumBar Firefox’s URL bar, which is also known as the AwesomeBar, has been completely reimplemented using HTML, CSS, and JavaScript web technologies. This overhauled version is named ”QuantumBar”. Though not much will change appearance-wise, its updated architecture behind the scenes will make it easier to maintain and extend in the future. Access to cameras and other media devices now require HTTPS Starting from Firefox 68, camera and microphone will require an HTTPS connection to work. The getUserMedia method will throw NotAllowedError if you try to access the media devices from an insecure HTTP connection, similar to how Chrome works. Many developers are happy with this update. A user on Hacker News commented, “It's fantastic that it works with localhost (and I assume 127.0.0.1?), and it's fantastic that it doesn't work with anything else. This is the best middle ground.” However, some are also worried considering that this will affect the current working of their apps or websites. “This sucks, my community[1] has a local offline-first video/audio call app that we run on a physical mesh network. This will make it impossible for people to talk to each other, without first needing to be connected online to some certificate authority, or without some extraordinarily difficult pre-installation process, which is often not even possible on a phone. HTTPS was important, but now it's being used to shoehorn dependency on a centralized online-only authority. Perfectly ripe to censor anyone.”, wrote a Hacker News user To know more in detail, check out the official announcement by Mozilla. Mozilla launches Firefox Preview, an early version of a GeckoView-based Firefox for Android Firefox 67 enables AV1 video decoder ‘dav1d’, by default on all desktop platforms Mozilla makes Firefox 67 “faster than ever” by deprioritizing least commonly used features

Last week, a bug was reported to the VLC bug tracker that all the connections to the update server are still done in HTTP instead of HTTPS. One of the VLC developers replied back asking the bug reporter for a threat model, and when he did not submit it, the VLC developer closed the bug and marked it as “invalid”. This is not the first time this bug has been reported. In a bug reported in 2017, a user said, “It appears that VLC's updating mechanism downloads a new VLC executable over HTTP (ie, in clear-text). Please modify the update mechanism to happen over TLS (preferably with Forward Secrecy enabled).” What are some of the implications of using HTTP over HTTPS? One of the Hacker News users said, “As a trivial example, this is a privacy leak - anyone on the network path can see what version you're upgrading to. It doesn't sound like a huge deal but we are moving to a 100% encrypted world, and it is a one character change to fix the issue. If VLC wants to keep the update over plaintext then they should justify why they want to do that, not have users justify why it should be over https. Instead, it feels like the VLC devs are having a kneejerk defensive reaction.” Along with this, there are several security threats related to software that updates over HTTP, some of which are described here: An attacker can see the contents of software update requests. They can then modify these update requests or responses to change the update behavior or outcome. They can also intercept and redirect software update requests to a malicious server. Attackers can respond to the client request with a huge amount of data that will interfere with the client’s system resulting in endless data attacks. Clients can be prevented by the attackers from being aware of interference with receiving updates by responding to client requests so slowly that automated updates never complete resulting in endless data attacks. Attackers can trick a client into installing software that is older, which is known to have critical bugs. Why VideoLAN does not see it as a big problem? Jean-Baptiste Kempf, the President, and lead VLC developer, said that some of these attacks described above are the case for nearly all download systems, “I'm sorry, but some described attacks (Slow retrieval attacks, Endless data attacks) are issues that are the case for all download system like most Linux Distributions, and that will not be fixed. Mirrors are HTTP and will stay HTTP for a few obvious reasons. Moreover, they will install binaries, so there is no security issue. Moreover, downloads are never done automatically, without user intervention.” As Kempf said, this is not just the case with VLC. A Hacker News user said, “it seems to be a common practice for highly-loaded services to outsource as many cryptographies to clients as possible.” A general-purpose package manager like Pacman uses HTTP because there is not much value in using transport-level security when the payload is cryptographically signed. Even Tesla’s firmware updates are not encrypted in transit as their updates are cryptographically signed. Oracle also followed the same policy with VirtualBox distributions and that's been fine because they signed packages. You can read more in detail on the VLC bug tracker website. dav1d 0.1.0, the AV1 decoder by VideoLAN, is here Presenting dav1d, a new lightweight AV1 decoder, by VideoLAN and FFmpeg dav1d to release soon with all features of AV1, and better performance than libaom

Last week, the community behind Apache Flink announced the release of Apache Flink 1.8.0. This release comes with the finalized state evolution support, lazy cleanup strategies for state TTL, improved pattern matching support in SQL, and more. Finalized state schema evolution support This release marks the completion of the community-driven effort to provide a schema evolution story for user state managed by Flink. The following changes are made to finalize the state schema evolution support: The list of data types that support state schema evolution is now extended to include POJOs (Plain Old Java Objects). All Flink built-in serializers are upgraded to use the new serialization compatibility abstractions. Implementing abstractions using custom state serializers is now easy for advanced users. Continuous cleanup of old state based on TTL In Apache Flink 1.6, TTL (time-to-live) was introduced for the keyed state. TTL enables cleanup and makes keyed state entries inaccessible after a given timeout. The state can also be cleaned when writing a savepoint or checkpoint. With this release, continuous cleanup of old entries is also allowed for both the RocksDB state backend and the heap backend. Improved pattern-matching support in SQL This release extends the MATCH_RECOGNIZE clause by adding two new updates: user-defined functions and aggregations. User-defined functions are added for custom logic during pattern detection and aggregations are added for complex CEP definitions. New KafkaDeserializationSchema for direct access to ConsumerRecord A new KafkaDeserializationSchema is introduced to give direct access to the Kafka ConsumerRecord. This will give users access to all data that Kafka provides for a record including the headers. Hadoop-specific distributions will not be released Starting from this release Hadoop-specific distributions will not be released. If a deployment relies on ‘flink-shaded-hadoop2’ being included in ‘flink-dist’, then it must be manually downloaded and copied into the /lib directory. Updates in the Maven modules of Table API Users who have a ‘flink-table’ dependency are required to update their dependencies to ‘flink-table-planner’. If you want to implement a pure table program in Scala or Java, add  ‘flink-table-api-scala’ or ‘flink-table-api-java’ respectively to your project. To know more in detail, check out the official announcement by Apache Flink. Apache Maven Javadoc Plugin version 3.1.0 released LLVM officially migrating to GitHub from Apache SVN Apache NetBeans IDE 10.0 released with support for JDK 11, JUnit 5 and more!

Vapor, the popular web framework written in Swift has released its next major update. Vapor 3 is a complete rewrite of the existing versions and all of its related packages. The release is centered around three new features. Async: Vapor 3 is all ready to handle high levels of concurrency as it is completely non-blocking and runs on Apple’s SwiftNIO. Services: With Vapor’s new Dependency Injection framework Services, all JSON configuration files are replaced by Swift. Codable: Codable integration throughout all of Vapor brings type safety and better performance to Parsing and serializing content from HTTP messages, creating database models, and rendering views. The main focus of this release is on building a foundation for developers to work on based on the growth of Vapor and server-side Swift over the past two years. The release is updated across four major categories. Packages Vapor 3 offers a couple of new packages this release. Most notable are the MySQL and PostgreSQL packages which are now non-blocking and built on SwiftNIO. Some of these packages include: SQLite: SQLite 3 wrapper for Swift. PostgreSQL: Non-blocking, event-driven Swift client for PostgreSQL. MySQL: Pure Swift MySQL client built on non-blocking, event-driven sockets. Fluent: Swift ORM framework (queries, models, and relations) for building NoSQL and SQL database integrations. FluentSQLite: Swift ORM (queries, models, relations, etc) built on SQLite 3. Auth: Authentication and Authorization layer for Fluent. JWT: JSON Web Token signing and verification. Leaf: An expressive, performant, and extensible templating language built for Swift. A complete list of packages is available in the vapor documentation. Better updated Documentation A large part of the release focuses on better documentation. Subsequently, Vapor 3 improves API docs with 100% docblock coverage including: Helpful code samples where possible. Method parameter descriptions. MARK and code re-org to help make things readable in API doc form. Also, the main docs are moving more toward a guide / tutorial feel. These guide docs cover broad use cases and practices, in contrast to the API docs which heavily focus on particular methods and protocols. Moving to Discord and introducing Books Vapor’s official team chat is now moved to Discord. The team has also announced two books (Server Side Swift with Vapor and Server-side Swift (Vapor Edition)) written specifically for Vapor 3. Benchmarks Vapor 3 introduces certain benchmarks for this release available on GitHub. The benchmarks were run on two identical Digital Ocean droplets. One for hosting the frameworks and one for running the benchmark. The benchmarker program is a small script written in Swift that runs wrk and captures the results. It is capable of doing multiple runs and averaging the results. Vapor achieved state-of-the-art results on both the plaintext benchmarks. To know further updates and other minor changes, be sure to Check out the updated website. Your First Swift Program [tutorial] Swift for TensorFlow is now open source [news] RxSwift Part 1: Where to Start? Beginning with Hot and Cold Observables [tutorial]

Yesterday, James Bennett, a software developer and an active contributor to the Django web framework issued the summary of a proposal on dissolving the Django Core team and revoking commit bits. Re-forming or reorganizing the Django core team has been a topic of discussion from the last couple of years, and this proposal aims to take this discussion to real action. What are the reasons behind the proposal of dissolving the Django Core team? Unable to bring in new contributors Django, the open source project has been facing some difficulty in recruiting and retaining contributors to keep the project alive. Typically, open source projects avoid this situation by having corporate sponsorship of contributions. Companies which rely on the software also have employees who are responsible to maintain it. This was true in the case of Django as well but it hasn’t really worked out as a long-term plan. As compared to the growth of this web framework, it has hardly been able to draw contributors from across its entire user base. The project has not been able to bring new committers at a sufficient rate to replace those who have become less active or even completely inactive. This essentially means that Django is dependent on the goodwill of the contributors who mostly don’t get paid to work on it and are very few in number. This poses a risk on the future of the Django web framework. Django Committer is seen as a high-prestige title Currently, the decisions are made by consensus, involving input from committers and non-committers on the django-developers list and the commits to the main Django repository are made by the Django Fellows. Even people who have commit bits of their own, and therefore have the right to just push their changes straight into Django, typically use pull requests and start a discussion. The actual governance rarely relies on the committers, but still, Django committer is seen as a high-prestige title, and committers are given a lot of respect by the wider community. This creates an impression among potential contributors that they’re not “good enough” to match up to those “awe-inspiring titanic beings”. What is this proposal about? Given the reasons above, this proposal is being made to dissolve the Django core team and also revoke the commit bits. Instead, this proposal will introduce two roles called Mergers and Releasers. Mergers would merge pull requests into Django and Releasers would package/publish releases. Rather than being all-powered decision-makers, these would be bureaucratic roles. The current set of Fellows will act as the initial set of Mergers, and something similar will happen for Releasers. As opposed to allowing the committers making decisions, governance would take place entirely in public, on the django-developers mailing list. But as a final tie-breaker, the technical board would be retained and would get some extra decision-making power. These powers will be mostly related to the selection of the Merger/Releaser roles and confirming that new versions of Django are ready for release. The technical board will be elected very less often than it currently is and the voting would also be open to public. The Django Software Foundation (DSF) will act as a neutral  administrator of the technical board elections. What are the goals this proposal aims to achieve? Mr. Bennett believes that eliminating the distinction between the committers and the “ordinary contributors” will open doors for more contributors: “Removing the distinction between godlike “committers” and plebeian ordinary contributors will, I hope, help to make the project feel more open to contributions from anyone, especially by making the act of committing code to Django into a bureaucratic task, and making all voices equal on the django-developers mailing list.” The technical board remains as a backstop for resolving dead-locked decisions. This proposal will provide additional authority to the board such as issuing the final go-ahead on releases. Retaining the technical board will ensure that Django is not going to descend into some sort of “chaotic mob rule”. Also, with this proposal the formal description of Django’s governance becomes much more in line with the reality of how the project actually works and has worked for the past several years. To know more in detail, read the post by James Bannett: Django Core no more. Django 2.1.2 fixes major security flaw that reveals password hash to “view only” admin users Django 2.1 released with new model view permission and more Getting started with Django and Django REST frameworks to build a RESTful app

VueConf Toronto 2018 commenced on November 14th. This a three-day event starting from November 14 to 16. One of the speakers at the event was Evan You, the creator of Vue.js who shared what to expect from the yet to be released Vue 3.0. https://twitter.com/Ionicframework/status/1063244741343629313 Following are some of the updates that were announced at the conference: Faster and maintainable code architecture Vue 3.0 is re-written from the ground up to make its architecture cleaner and more maintainable. To provide better speed some internal functionalities are broken into individual packages in order to isolate the scope of complexity. We can expect 100% faster mounting and patching with this release. Improved slots mechanism Now all compiler-generated slots are functions and invoked during the child component’s render call. The dependencies in slots are collected as dependencies of the child instead of the parent. When slot content changes, only the child is re-rendered. And if the parent re-renders, the child does not have to if its slot content did not change. This change prevents useless re-renders by offering even more precise change detection at the component tree level. Proxy-based observation mechanism Vue 3.0 will come with a Proxy-based observer implementation that provides reactivity tracking with full language coverage. This will eliminate a number of limitations in the current implementation of Vue 2, which is based on Object.defineProperty: Detection of property addition / deletion Detection of Array index mutation / .length mutation Support for Map, Set, WeakMap and WeakSet Tree-shaking friendly The new codebase is tree-shaking friendly. Features such as built-in components and directive runtime helpers can be imported on-demand and tree-shakable. Tree-shakable features also allow the Vue developers to offer more built-in features in future without incurring payload penalties for users that don’t use them. Easily render-to-native with the Custom Renderer API Developers will be able to create custom renderers with the Custom Renderer API. They no longer need to fork the Vue codebase with custom modifications. This will allow easily keeping the render-to-native projects like Weex and NativeScript Vue to stay up-to-date with upstream changes. This API will also make it trivially easy to create custom renderers for various other purposes. In addition to these improvements, it will come with an experimental Hooks API, better warning traces, experimental time slicing support, supports IE11 and improved TypeScript with TSX. Read more about Vue 3.0 updates from the presentation shared by Evan You. Vue.js 3.0 is ditching JavaScript for TypeScript. What else is new? Vue CLI 3.0 is here as the standard build toolchain behind Vue applications React vs. Vue: JavaScript framework wars

Microsoft Edge mobile browser is now flagging untrustworthy news sites with the help of a plugin named NewsGuard. Microsoft partnered with NewsGuard in August 2018 under its Defending Democracy Program. It was first supported as a downloadable plugin, but now Microsoft has started automatically installing this functionality on mobile version of Edge. Currently, it is an opt-in feature, which you can enable by going to the Settings menu . NewsGuard was founded by journalists Steven Brill and Gordon Crovitz. It evaluates a news site based on 9 specific criteria including their use of deceptive headlines, transparency regarding ownership and financing and gives users a color coded rating in green or red. Its business model is basically licensing its product to tech companies that aim to fight fake news. According to The Guardian, NewsGuard was warning users when they visited the Mail Online, “Proceed with caution: this website generally fails to maintain basic standards of accuracy and accountability.” Steve Brill says that NewsGuard takes complete responsibility for its verdicts and all complaints should be directed at his company rather than Microsoft. “They can blame us. And we’re happy to be blamed. Unlike the platforms we’re happy to be accountable. We want people to game our system. We are totally transparent. We are not an algorithm.” A spokesperson for Mail Online said to The Guardian, “We have only very recently become aware of the NewsGuard startup and are in discussions with them to have this egregiously erroneous classification resolved as soon as possible.” Though NewsGuard says that its verdict are taken by experienced journalists, there are still some issues that users have pointed out. One of the Hacker News user said that the very concern related to NewsGuard is that it flags unreliable content at the site level instead of the article level. Sharing what consequences this could impose he wrote, “It's obvious why that's necessary, but the result is a complete failure to deal with any source where quality varies widely. Fox's written reporting is sometimes quite good, but Glenn Beck's old videos are still posted under the same domain. The result is that NewsGuard happily puts a big green check-mark above a video declaring that the US is the only country in the world with birthright citizenship.” Though an opt-in feature is not a big deal, but with time this could become a default mode. We can’t deny that with time users could just see the green or red icon and based on that rating follow the website. Another Hacker News user says this could lead to something called “Truth as a service”, which means you are not using your own critical thinking and just take what the machine says. This fact is also supported by a study done by Gallup and the Knight Foundation, which surveyed 2,000 adults in U.S. They showed articles with and without the ratings and the result revealed that readers are more likely to trust articles that included the green icon in the address bar. Read the full story at The Guardian website. Microsoft confirms replacing EdgeHTML with Chromium in Edge Microsoft reportedly ditching EdgeHTML for Chromium in the Windows 10 default browser Microsoft announces container support for Azure Cognitive Services to build intelligent applications that span the cloud and the edge