Tech News

With the growing cybersecurity threats, Microsoft took over six internet domains acting on a court order, and introduced AccountGuard for emails. Microsoft AccountGuard is a move extending their Defending Democracy Program which will be applicable to both organizational and personal email accounts. Microsoft’s Digital Crimes Unit (DCU) executed a court order to take over six internet domains created by a group known as Strontium, or alternatively Fancy Bear or APT28. The group is widely associated with the Russian government. The six internet domains, my-iri.org, hudsonorg-my-sharepoint.com, senate.group, adfs-senate.services, adfs-senate.email, office365-onedrive.com impersonated the real websites. Of late, there have been instances of foreign entities launching cyber strikes to disrupt elections. What is Microsoft AccountGuard? Microsoft AccountGuard will provide “state-of-the-art cybersecurity protection” without any additional cost. This applies to individuals, campaigns and related political institutions. Brad Smith, President at Microsoft stated: “To be clear, we currently have no evidence these domains were used in any successful attacks before the DCU transferred control of them, nor do we have evidence to indicate the identity of the ultimate targets of any planned attack involving these domains.” The technology is free of charge to candidates, campaigns and related political institutions using Office 365. Microsoft AccountGuard will provide these features: Cross-account threat detection and notification: Microsoft’s Threat Intelligence Center will enable them to detect and notify of attacks in a unified way on both organizational and personal emails. When threats are verified, Microsoft will provide personal and expedited recommendations to affected political campaigns and their staff to secure the concerned systems. The unified notification system will provide a comprehensive view of attacks against the campaign/organization. Security guidance and ongoing education: Microsoft will provide guidance to make officials’, political campaigns and eligible organizations to further secure their network and email systems. This includes multi-factor authentication, installing latest security update to control access of data. AccountGuard will also show updated briefings and training to address evolving cyber-attack trends. Early adopter opportunities: There will be preview releases of the new security features which are used in large corporate and government accounts. If you are eligible for Microsoft AccountGuard you can request an invitation to enroll. A quick look at Microsoft’s Defending Democracy Program The Defending Democracy Program is a global effort as Microsoft tries to scale its efforts and reach other democratic countries to protect their processes in the coming years. Microsoft has identified 2018 as a critical year for governments and tech companies to work together towards making elections more secure. The Defending Democracy Program consist of some steps that include: Protecting campaigns from hacks by better account monitoring and increasing response measures to attacks. Supporting proposals like the Honest Ads Act to increase online political advertising transparency. In addition, adopting self-regulatory measures across Microsoft platforms. Exploring technological solutions to protect and preserve the electoral processes. And also interact with federal, state, and local officials to identify and fix cyber threats. Defending against disinformation, propaganda and fake news by partnering with institutions and think tanks who are dedicated to counter such activities. Microsoft will focus on the U.S. midterm elections of November 2018. They are piloting new cross-industry protections; this will also be done in the 2020 U.S. presidential elections. Tom Burt, Corporate Vice President, Customer Security & Trust stated: “Expect to hear more from us on what we’re doing, both on our own and in partnership with governments and our industry colleagues, to put our cybersecurity expertise to work for the defense of democracy.” Visit the Microsoft Blog for more details on AccountGuard and the defending democracy program. Google introduces Cloud HSM beta hardware security module for crypto key security Top 5 cybersecurity trends you should be aware of in 2018 Microsoft Edge introduces Web Authentication for passwordless web security

Yesterday, the Next.js researchers announced that the latest version--v7-- of its React Framework is now production-ready. The Next.js 7 has had 26 canary releases and 3.4 million downloads so far. Alongwith the 7th version release, they have also launched a completely redesigned nextjs.org. This version is power-packed with faster boot and re-compilation improvements, better error reporting, static CDN support and much more. Key highlights of the Next.js 7 DX Improvements The Next.js 7 includes many significant improvements to the build and debug pipelines. With the inclusion of webpack 4, Babel 7 and improvements and optimizations on the codebase, Next.js can now boot up to 57% faster during development. Also, due to the new incremental compilation cache, any changes made by the user into the code will build 40% faster. While developing and building users will now see a better real time feedback with the help of webpackbar. Better error reporting with react-error-overlay Until now, users would render the error message and its stack trace. From this version, react-error-overlay has been used to enrich the stack trace with: Accurate error locations for both server and client errors Highlights of the source to provide context A full rich stack trace react-error-overlay makes it easy to open the text editor by just clicking on a specific code block. Upgraded compilation pipeline: Webpack 4 and Babel 7 Webpack 4 This version of Next.js is now powered by the latest webpack 4, with numerous improvements and bugfixes including: Support for .mjs source files Code splitting improvements Better tree-shaking (removal of unused code) support Another new feature is WebAssembly support. Here’s an example of how Next.js can even server-render WebAssembly. With webpack 4, a new way of extracting CSS from bundles called mini-extract-css-plugin is introduced. @zeit/next-css, @zeit/next-less, @zeit/next-sass, and @zeit/next-stylus are now powered by mini-extract-css-plugin. Babel 7 Next.js 7 now uses the stable version of Babel (Babel 7). For a full list of changes in Babel 7, head over to its release notes. Some of the main features of Babel 7 are: Typescript support, for Next.js you can use @zeit/next-typescript Fragment syntax <> support babel.config.js support overrides property to apply presets/plugins only to a subset of files or directories Standardized Dynamic Imports Starting with Next.js 7, it no longer has the default import() behavior. This means users get full import() support out of the box. This change is fully backwards-compatible as well. Making use of a dynamic component remains as simple as: import dynamic from 'next/dynamic' const MyComponent = dynamic(import('../components/my-component')) export default () => {  return <div>    <MyComponent />  </div> } Static CDN support With Next.js 7 the directory structure of .next is changed to match the url structure: https://cdn.example.com/_next/static/<buildid>/pages/index.js // mapped to: .next/static/<buildid>/pages/index.js While researchers also recommend using the proxying type of CDN, this new structure allows users of a different type of CDN to upload the .next directory to their CDN. Smaller initial HTML payload As Next.js pre-renders HTML, it wraps pages into a default structure with <html>, <head>, <body> and the JavaScript files needed to render the page. This initial payload was previously around 1.62kB. With Next.js 7 the initial HTML payload has been optimized, it is now 1.5kB, a 7.4% reduction, making your pages leaner. React Context with SSR between App and Pages Starting from Next.js 7 there is support for the new React context API between pages/_app.js and page components. Previously it was not possible to use React context in between pages on the server side. The reason for this was that webpack kept an internal module cache instead of using require.cache. The Next.js developers have written a custom webpack plugin that changes this behavior to share module instances between pages. In doing so users can not only use the new React context but also reduce Next.js's memory footprint when sharing code between pages. To know more about these and other features in detail, visit the Next.js 7 blog. low.js, a Node.js port for embedded systems Browser-based Visualization made easy with the new P5.js Deno, an attempt to fix Node.js flaws, is rewritten in Rust  

Yesterday, a shocking report by The New York Times shared its investigation on sexual misconduct at Google. It alleged that Google had protected at least four senior executives over the past decade after they were accused of sexual misconduct. They obtained corporate and court documents and spoke to more than three dozen current and former Google executives and employees about these episodes. Here is a summary of the three incidents that the New York Times article reported on.. The controversy with Andy Rubin, Creator of Android Andy Rubin, the creator of Android, often exhibited unprofessional behavior towards his co-workers. He was involved in a consensual relationship with a woman employee from 2011, who reported to one of his direct reports on the Android team. Google’s human resources department was not informed about this relationship despite a policy in place to do so. In 2013 when she wanted to cool things off, she agreed to meet Rubin at a hotel, where she was pressured to perform a non-consensual sexual activity. The woman filed a complaint to Google’s human resources department in 2014 and informed officials about the relationship. Amidst Google’s investigation, in September 2014, Mr. Rubin was awarded a stock grant worth $150 million approved by Google board’s leadership development and compensation committee. Google’s inquiry found the claims to be credible and the relationship inappropriate.   Mr. Page, the then CEO of Google, decided Mr. Rubin should leave and Google paid him $90 million as an exit package with an agreement to not work with Google’s rival companies. The company then proceeded to give Mr. Rubin’s a high profile well-respected farewell in October 2014. A civil suit filed later this month by Mr. Rubin’s ex-wife, Rie Rubin, includes a screenshot on an email (dated August 2015) that Mr. Rubin sent to a woman which said: “You will be happy being taken care of, Being owned is kinda like you are my property, and I can loan you to other people.” Mr. Rubin released a statement calling the allegations “false” and “part of a smear campaign by my ex-wife to disparage me during a divorce and custody battle.” The controversy with Richard DeVaul, Director at Google X In 2013, Richard DeVaul, director at Google X, interviewed Star Simpson, a hardware engineer. After the job interview, he invited her to an annual festival in the Nevada desert, the following week. On getting back to his encampment, he asked her to remove her shirt and offered a back rub. When she refused, he insisted and she relented to a neck rub. Why you ask? “I didn’t have enough spine or backbone to shut that down as a 24-year-old” -Ms. Simpson Later she was informed by Google that she did not land the job, without any explanation. After finally reporting the episode to Google after 2 years, human resources told her that her account was “more likely than not” true and that “appropriate action” was taken. She was asked to stay quiet about the whole incident. Chelsea Bailey, the head of human resources at X, declined Simpson's allegations in a statement, adding that officials investigated and “took appropriate corrective action.” declining to say what the action was, owing to employee confidentiality. The controversy with Amit Singhal, former SVP of Search In 2005, an employee alleged that Amit Singhal, a senior vice president who headed search, groped her at an off-site event attended by dozens of colleagues. Google investigated and found that Mr. Singhal was inebriated and there were no witnesses to corroborate the incident. Google did not fire Mr. Singhal. They accepted his resignation and negotiated an exit package that paid him millions and prevented him from working for a competitor. The controversy with Drummond, Chief Legal Officer, Alphabet, and Chairman, CapitalG “Google felt like I was the liability.” - Jennifer Blakely, ex- senior contract manager David C. Drummond, joined as general counsel in 2002, started dating Jennifer Blakely (senior contract manager) in 2004. They had a son in 2007, after which Mr. Drummond disclosed their relationship to the company. Soon after, Google took action and Ms. Blakely had to leave the legal department as only one of them could work there and transferred to sales in 2007. She eventually left Google in 2008. While resigning, she was asked to sign paperwork saying she had departed voluntarily. Drummond left her in late 2008. Since the affair, Mr. Drummond’s has moved up the rungs within Alphabet. As Alphabet’s chief legal officer and chairman of CapitalG, he has reaped about $190 million from stock options and awards since 2011. Google’s response to the New York Times story Following the report by the New York Times, Google CEO Sundar Pichai sent an email to all Google employees on Thursday clarifying that the company has fired 48 people over the last two years for sexual harassment 13 of them were "senior managers and above". None of them received any exit packages. The email opened “We are dead serious about making sure we provide a safe and inclusive workplace. We want to assure you that we review every single complaint about sexual harassment or inappropriate conduct, we investigate and we take action.” It also stated that there are “confidential channels” available for employees to report incidents of sexual harassment. He further informed they have updated their policies to demand all VPs and SVPs to disclose any relationship with a co-worker irrespective of whether they work on the same projects or not.  You can head over to CNBC to read the entire email. Our take on this story The email seems to have deliberately excluded the timelines during which the incidents reported in the New York Times article took place. Also, it neither denies nor confirms those incidents which hints at them being true, in most likelihood. While Mr. Pichai assures his people that Google is doing everything to ensure it is a safe place to work, he does not address any of the red flags satisfactorily the NYT article raised such as: All the above incidents point to weak policy implementation by HR and Google leadership. Just amending policies is clearly not enough. The ‘hard line on inappropriate conduct by people in positions of authority’ that Pichai references in his response seem to vary based on how valuable the perpetrator is to Google or its board. What measures are they taking to ensure an impartial assessment happens? The incidents also highlight that executives brazenly misbehave with their victims. There is no mention of how that aspect of Google is being tackled. Specifically, for example, would Mr. Page take a different decision today if had a chance to go back in time or if Mr. Pichai, as Google CEO personally taken a public stance on specific incidents of sexual misconduct without hiding behind aggregate numbers and figures. The report throws light on the pervasive sexist culture in male-dominated Silicon Valley and the growing chorus denouncing it.  It is traumatic enough to experience such harassment, imagine the pressure that one has to deal with when such incidents go public. It is also sad that the tech giant that everyone looks up to- Google- decided to sweep matters under the carpet to save itself from public attention. These recurring stories seem to have led to the release of Brotopia: Breaking Up The Boys Club of Silicon Valley, a book by Emily Chang, Bloomberg reporter, that dives into the stories of women who say they have been sexually harassed at tech companies and venture capital firms. You can head over to The New York Times for the entire news coverage as well as similar incidents documented. NIPS Foundation decides against name change as poll finds it an unpopular superficial move; instead increases ‘focus on diversity and inclusivity initiatives’ Python founder resigns – Guido van Rossum goes ‘on a permanent vacation from being BDFL’ Ex-googler who quit Google on moral grounds writes to Senate about company’s “Unethical” China censorship plan

NeuVector has released a new Security Policy as code capability for Kubernetes workloads. This release will automate container security for DevOps teams by using Kubernetes Custom Resource Definitions (CRDs). As security policies can be defined, managed, and automated during the DevOps process, teams will be able to quickly deliver secure cloud-native apps. These security policies can be implemented using CRDs to deploy customized resource configurations via YAML files. As these security policies are defined as code, they are version-tracked and built for easy automation. Teams can easily migrate security policies across Kubernetes clusters (or from staging to production environments) and manage versions of security policies tied to specific application versions. “By introducing our industry-first Security Policy as Code for Kubernetes workloads, we’re excited to provide DevOps and DevSecOps teams with even more control to automate safe behaviors and ensure their applications remain secure from ever-increasing threat vectors,” explains Gary Duan, CTO, NeuVector. “We continue to build out new capabilities sought by customers – such as DLP, multi-cluster management, and, with today’s release, CRD support. Our mission is acutely focused on raising the bar for container security by offering a complete cloud-native solution for the entire application lifecycle.” Features of NeuVector’s Security Policy as code Captures network rules, protocols, processes, and file activities that are allowed for the application. Permits allowed network connections between services enforced by application protocol (layer 7) inspection. Allows or prevents external or ingress connections as warranted. Sets the “protection mode” of the application to either Monitor mode (alerting only) or Protect mode (blocking all suspicious activity). Supports integration with Open Policy Agent (OPA) and other security policy management tools. Allows DevOps and security teams to define application policies at different hierarchies such as per-service rules defined by DevOps and global rules defined by centralized security teams. It is extensible so as to support future expansion of security policy as code to admission control rules, DLP rules, response rules, and other NeuVector enforcement policies. Head on to Neuvector’s blog for more details on Security Policy as Code feature. Further details about this release will be shared at KubeCon + CloudNativeCon North America 2019. Chaos engineering comes to Kubernetes thanks to Gremlin CNCF announces Helm 3, a Kubernetes package manager and tool to manage charts and libraries. StackRox Kubernetes Security Platform 3.0 releases with advanced configuration and vulnerability management capabilities.

Parrot, a Debian-based platform, announced the release of its latest version, Parrot 4.0. This release puts an end to all the development and testing processes of many new features, which were experimented in the previous releases since the release of Parrot 3.9. It also consists of all the updated packages and bug fixes announced since its previous version, Parrot 3.11. So, What’s new in Parrot 4.0? Netinstall Images Introduced Netinstall images are a powerful tool, which enables one to install just the necessary software components. One can even use them to install other desktop environments and to build a system of choice. With the provision of netinstall images in Parrot 4.0,  one can use Parrot as a pentest distribution, and also as a framework to build their very own working environment with ease. Docker images This version includes a release of Parrot’s own Docker templates. Docker is a powerful container technology that allows Parrot users to quickly download a Parrot template and immediately spawn unlimited and completely isolated Parrot instances on top of any host OS. Linux Kernel 4.16 The introduction of the new Linux 4.16 kernel is a very important step forward for Linux distributions. The Linux Kernel 4.16 version includes important updates, such as AMDGPU multi-display fixes, optimized in-kernel filesystem operations and so on. Sandbox Parrot system is secure and sandboxed. This is because of its custom firejail profiles with the underlying AppArmor support. This 4.0 version includes sandboxed applications that are stable and reliable. MATE 1.20 The MATE Desktop Environment is updated to its 1.20 release. This includes many graphic bug fixes and new features, such as HiDPI support, and the ability to auto-resize windows by simply dragging them to the screen corner and can also divide them into new layouts. Nginx This version introduces Nginx as Parrot’s new default web server daemon replacing Apache 2. Apache2 is the most famous web server out there, but it is heavy and complex to configure and maintain. On the other hand, Nginx is very lightweight and easy to use. It is not only a fast and secure web server but also a powerful proxy, cache, load-balancer and general purpose forwarder. And its configuration syntax is very easy to use. Apache2 will be available in the repository or pre-installed as a dependency of some security tools that rely on it. LibreOffice 6 LibreOffice 6 is now included as default in Parrot 4.0, with better documents support, memory efficiency and stability. MD Raid Support The Parrot 4.0 now includes a default MD raid support, which was absent in the previous versions. This is because parrot is also used for forensic analysis, and to open software, raids can be crucial while reading disks in a server environment. Mdadm is also introduced, which can be used as a pre-installed tool. This means that parrot can be installed in a software raid for better reliability. To know more about the new changes in detail, read the release notes. Pentest tool in focus: Metasploit 5 pen testing rules of engagement: What to consider while performing Penetration testing Top 5 penetration testing tools for ethical hackers

With 600 commits and 992 files changed, React Native 0.57 was released yesterday. In this release, major improvements are done in the accessibility APIs, and WKWebView-backed implementation is added just as they announced in August, along with several tooling updates. What is new in React Native 0.57? New features Accessibility APIs, used for making apps accessible to people with disabilities, now support accessibility hints, inverted colors, and easier usage of defining the element's role and states. On iOS, WebView can now use WKWebView internally by passing useWebKit={true}. Loosen platform check to improve support for out-of-tree platforms. An implementation of YogaNodeProperties is added, which accesses style and layout properties using a ByteBuffer rather than JNI calls. FlatList and SectionList are now added to Animated exports. Changes Android tooling has been updated to match newer configuration requirements (SDK 27, gradle 4.4, and support library 27) unbundle is renamed to ram-bundle (a breaking change for OSS) Minimum Node version is changed from 8 to 8.3 Flow is upgraded to v0.76.0 ESLint is upgraded to 5.1.0 Babel is upgraded to v7.0.0 The “loading from pre-bundled file” notification won’t show up anymore when not on dev mode StyleSheet.compose is refined so that subtypes of DangerouslyImpreciseStyleProp can flow through the function call without losing their type The use of new Metro configuration is supported in the public react-native CLI react-native-dom is whitelisted in haste/cli config defaults Bug fixes debugger-ui path of react-native CLI was wrong earlier, which is now fixed. Extreme slowness of <TextInput> is fixed Placeholder of TextInput not completely visible on Android is fixed Horizontal <ScrollView> overflow issue is fixed Added support for connecting to the Packager when running the iOS app on device when using custom Debug configuration Fix crash in RCTImagePicker on iOS Removed features ScrollView.propTypes is removed. It is recommended to use flow or typescript for verifying correct prop usage instead. (Breaking change) ReactInstancePackage is now deprecated. It is recommended to use @link ReactPackage or @link LazyReactPackage. To know more about the improvements in React Native 0.57 release, head over to their GitHub repository. React Native 0.57 coming soon with new iOS WebViews React Native announces re-architecture of the framework for better performance Introducing Watermelon DB: A new relational database to make your React and React Native apps highly scalable

The American Federation of Labor and Congress of Industrial Organizations (AFL-CIO), the largest labour organization in the United States, published an open letter on Kotaku, a video game website and blog, last week. The letter urges the video game industry workers to unionize and voice their support for better treatment within the workplace. The letter is from secretary-treasurer Liz Shuler and this is the first time when AFL-CIO has made a public statement about unionizing game developers. Shuler talks about the struggles of game developers and the unfair treatment that they go through in terms of work conditions, job instability, and inadequate pay in the letter.  Shuler mentions that although U.S. video game sales reached $43 billion in 2018 ( which is 3.6 times larger than the film industry’s record-breaking box office) and is a “stunning accomplishment” for the game developers, they are still not getting the respect that they deserve.   “You’ve built new worlds, designed new challenges and ushered in a new era of entertainment. Now it’s time for industry bosses to start treating you with hard-earned dignity and respect”, writes Shuler. She mentions that game developers often work for outrageous hours in a stressful and toxic work condition, unable to ask for better due to the fear of losing their jobs. She gives an example of developers at Rockstar Games who shared their experiences of  “crunch time” (when the pressure to succeed is extreme) lasting months and sometimes even years to meet the unreal demands from management and deliver a game that made their bosses earn $725 million in its first three days. “They get rich. They get notoriety. They get to be crowned visionaries and regarded as pioneers. What do you get?”, writes Shuler. According to Shuler, this is a moment for change and change will come when developers come together as a strong union by using their “collective voice” to ask for a “fair share of wealth” that the game developers create every day. She writes that the CEOs and the bosses would treat the developers right only when they stand together and demand it. “You have the power to demand a stake in your industry and a say in your economic future. Whether we’re mainlining caffeine in Santa Monica, clearing tables in Chicago or mining coal in West Virginia, we deserve to collect nothing less than the full value of our work”, states Shuler. Public reaction to the news is mostly positive, with some people calling out for a better and stronger alternative than unions: https://twitter.com/kwertzy/status/1096471380357349376 https://twitter.com/getglitched/status/1096499209719685120 https://twitter.com/moesidegaming/status/1096666233011871744 https://twitter.com/legend500/status/1096571646805188608 https://twitter.com/turnageb/status/1096481116763107328 Check out the complete letter here. Open letter from Mozilla Foundation and other companies to Facebook urging transparency in political ads Google TVCs write an open letter to Google’s CEO; demands for equal benefits and treatment The cruelty of algorithms: Heartbreaking open letter criticizes tech companies for showing baby ads after stillbirth

The Free and Open source Software Developers' European Meeting (FOSDEM) is no longer the home of OpenJDK committers and other regular contributors. Traditionally the OpenJDK community used to meet at FOSDEM every February in Brussels, but since the OpenJDK team is now shipping a release every six months they agreed that it was time to meet more frequently. To fill this need the team decided to hold a Committer's workshop on the first two days of August at Oracle’s campus in Santa Clara, California, USA. Mark Reinhold, the Chief Architect of the Java Platform Group at Oracle was the conductor of the orchestra here. He shed some light on the recent developments to the OpenJDK ecosystem and shared some future plans in yesterday’s sessions. OpenJDK’s new release model is a blessing in disguise It’s probably old news for developers who have been tracking the Java release cycle for some time now, but nonetheless, it’s very important for how things are going to change for OpenJDK. 2018 marked a new dawn for the Java platform. After endless discussions in the community about the new release being a repeat telecast of the same old Java 9 movie—a historic feature driven update to the platform with no head or tail on the release date—Mark put all the rumors to bed. He suggested to replace this feature driven update to a strict, time-based model with a new feature release every six months, update releases every quarter, and a long-term support release every three years. Image Source: OpenJDK Community Update For example, JDK 10 which was a new feature release was made available in March this year. The next release in six months would be JDK 11, which automatically becomes a candidate for a Long term support which would last till 2021, i.e three years as mentioned above. The biggest advantage of this release schedule is the simplified release process; takes off the pressure of adhering to strict deadlines from the developers. It also means that every feature would have to be completed before it makes the final cut, this way there are no multiple minor versions of the same release which confuses the users and developers alike. To what extent will Oracle contribute to the OpenJDK community? In the Committer's workshop Mark Reinhold cleared some questions about Oracle’s contribution to the OpenJDK ecosystem. He mentioned that Oracle engineers would be leading and be contributing only to the current feature releases and first two updates on the quarterly release. The non-Oracle folks can have the opportunity of taking the ownership of long-term release projects. This decision is taken mainly due to the fact that Oracle developers and engineers can focus on the future releases and their functionalities rather than working on support for long-term releases. An important clause which was discussed during this session was Oracle’s smooth transition of leadership whenever the engineers feel that they need to dial down their contribution to a particular release line they would hand over the leadership of that project with relative ease. Oracle finally embraces the Open Source Culture Now the biggest announcement that came in this workshop was Oracle open sourcing the elements of it proprietary JDK. Now before discussing this, it is important for us to understand what exactly is the difference between OpenJDK and Oracle’s proprietary JDK. Sun Microsystems, who originally created Java, announced in the JavaOne conference of 2006, that Java is going to be open sourced. OpenJDK was a result of a free implementation of the Standard Edition (SE) of the Java Platform. When Oracle bought Sun in 2009, they created their own proprietary version of the JDK which catered to the enterprise users who valued stability; and unlike OpenJDK, it has releases planned every three years. Now coming back to the point of open sourcing Oracle’s proprietary JDK, for a long time developers questioned Oracle’s intentions on how they plan to shape the future of Java, especially after their feud with Google over Android that began back in 2010. The open source community felt largely alienated from Oracle as they believed that Oracle was wrong in going after an open source friendly company like Google. Fast forward to 2018 and in this day and age, companies are embracing more and more open source technologies. Oracle has finally decided to open source their JDK which includes elements like Java flight recorder, Java Mission Control, and ZGC which is Oracle’s very own garbage collector. There will still be an Oracle JDK for the purposes of offering commercial support, but it will have the same functionalities as OpenJDK. Finally, Oracle is going to release all the builds for the current releases under the GPL license for developers who prefer non-commercial licensing. To know more about the different sessions that took place at the Committer's Workshop you can visit their Official webpage. Mark Reinhold on the evolution of Java platform and OpenJDK Oracle announces a new pricing structure for Java The top 5 reasons why Node.js could topple Java

Kotlin, the JetBrains-developed, statically typed language for JVM, Android, and web development, is due for a compiler rewrite, multiplatform mobile improvements, and a Kotlin-to-WebAssembly compiler back end, according to a public roadmap for the platform. Unveiled October 5, the roadmap covers priorities for the language, which received a strategic boost in 2017 when Google backed it for building Android mobile apps, alongside Java and C++. To read this article in full, please click here

Bokeh has released their first stable version. Bokeh is an interactive visualization library that targets modern web browsers for presentation. Bokeh 1.0 marks the progress of making Bokeh a truly independent project in the context of a wider OSS community. Bokeh 1.0 comes with new features and other fixes and improvements. These include fixing patches with holes, a new scatter, JSON export and embed etc. Patches With Holes Patches with holes are often useful for working with GIS data or maps, and support all the usual and expected hover and hit-testing interactions. They are also helpful in filling contour plots. The Patches with holes approach adds a new glyph type MultiPolygons, inspired by GeoJSON format of sub-polygons. The GeoJSON specifies an "exterior ring" followed by optional "holes" inside the exterior ring. Source: Bokeh Github A New Scatter Scatter marker type is now parameterizable in the Bokeh 1.0 release. The scatter glyph method creates a new Scatter object, that can specify the marker type of each data point individually. This approach with a parameterized scatter is useful to keep all the data inside a single ColumnDataSource. This capability is especially useful together with a new factor_marker transform that can map categorical values to marker types. A new function to bokeh.embed Bokeh 1.0 adds a new function to bokeh.embed. This function can be called on any Bokeh object, e.g plots or layouts, and the output of the call is a block of JSON that represents a Bokeh Document for obj. This JSON output can be used in any HTML document by calling a single function from JavaScript: Bokeh.embed.embed_item(item, "myplot") The first parameter is the JSON output and the second parameter is the id of the div to embed the content into. Testing improvements Bokeh unit tests can now run continuously on Windows. Their Selenium integration testing machinery has also been rebuilt and expanded. Almost 200 Selenium tests can run continuously to explicitly exercise various Bokeh features and behaviors. These are just a select few updates. For full details, see the CHANGELOG and Release Notes. If you are using Anaconda, Bokeh can easily be installed by executing the command conda install -c bokeh bokeh. Otherwise, use pip install bokeh. How to create a web designer resume that lands you a Job. Is your web design responsive? “Be objective, fight for the user, and test with real users on the go!” – Interview with design purist, Will Grant

On Monday, Neil Williams a software developer from Linux CodeHelp raised severity issues for Python 2 leaf packages in Debian which do not support Python 3. Neil has urged Debian maintainers to remove Python 2 from all the Debian packages. He specifically mentions one of the packages, Calibre, an e-book management software which is completely open source and licensed under the GNU GPL v3. Calibre is written primarily in Python with some C/C++ code for speed and system interfacing. But it is not yet compatible with Python 3 as it requires at least Python 2.7.9. In 2017, an issue was raised on the Calibre platform by a user, “Python 2 is retiring in thirty months. Calibre needs to convert to Python 3.” Kovid Goyal, author of the Calibre platform responded saying, “No, it doesn't. I am perfectly capable of maintaining python 2 myself. Far less work than migrating the entire calibre codebase.” Now the latest Calibre version requires Python modules which are no longer available for Python 2. Gregor Riepl, a systems engineer in response to Neil says, “As of now, calibre is not of sufficient quality to be part of a Debian release and until it drops all Python2 requirements, it must be considered RC buggy.” This means that Calibre >= 4.0 for the foreseeable future will not be available in Debian. Calibre version 3.48 will be the last version that can run on Debian until the upstream Calibre switches to Python 3. Riepl further asked Neil if his quality argument is due to the Calibre authors resistance to migrate to Python 3. Neil responded, “No, it is based just on the removal of Python2 from Debian and avoiding special cases. Right now, any and every package in Debian testing which requires Python2 and has no Python3 alternative in Debian or ready for upload is of poor quality for no other reason than that. All such packages are of such poor quality that the package should be removed from testing - in an orderly manner, leaf packages first. That is in the best interests of all users, despite what may or may not happen to any particular subset(s) of users.  The decision flow is easy - if the answer in each case is "no", then move on to the next and if you get to the bottom, the bug should be RC. * Has the package already been removed from testing? * Is a Python3-only version already in Debian? * Is a Python3-only version available upstream? * Does the package have any reverse dependencies? * If you get here, it is already too late, there have already been   enough warnings. Upgrade the bug to RC and get the package   auto-removed from testing.” Neil said he was aware of the history of Calibre and understood what would happen if it is no longer a part of Debian. But that did not matter as removal of Python 2 is more important for the next Debian release. He also believes that Calibre has a relatively large user base that doesn't know much or care about the Python 2 deprecation. User will simply perceive dropping Calibre as a bad move on Debian's side and rush towards other packages of significantly lower quality. He further concluded, “Calibre is nothing special - it's a Python2 leaf package like vland and tftpy and any one of far too many others. Calibre can stay in unstable - it will go FTBFS, of course, but that isn't a problem either, IMHO. It's calibre's problem - not Debian's problem. There's always the option of users installing the old Python2 stuff from Buster to keep calibre hobbling along. Debian is the higher priority here. Calibre would be nice to have but it does not deserve to cause delays on anybody else's voluntary effort. No package has that right.” Community feels Python 2 will result in unmaintained runtime and libraries in packages On Hacker News, users are discussing how Python foundation is pushing in packages to migrate to Python 3 that will result in Python 2 having an entire set of unmaintained runtime and libraries in the package repository. One user comments, “Historically, Debian hasn't particularly objected to packaging obsolete versions of programming languages without upstream support. I doubt anyone is checking for potential security problems in Algol 68 and Fortran 77 implementations that Debian ships, and I don't think the people using those packages are particularly inconvenienced by that. It seems a shame that the social pressure to persuade people to port their code to Python 3 means that Debian is going to have weaker support for 10-year-old Python than 40-year-old Fortran. In particular, there are ongoing efforts to try to make it the normal thing for scientists to make the programs they ran on their data available so that their results can be reproduced; aggressively dropping older programming language implementations rather gets in the way of that.” Another user responded, “This isn't about "languages". It's about software! Algol 68 and Fortran 77 may have stale (but maintained) compilers or interpreters in the package repository. Starting very soon - Python 2 will have an entire set of unmaintained runtime and libraries in the package repository. You know - actual, officially, unmaintained software! Unmaintained software that other packages, including Calibre in this example, further build on. Of course they're throwing this out.” Python 3.8 is now available with walrus operator, positional-only parameters support for Vectorcall, and more Core Python team confirms sunsetting Python 2 on January 1, 2020 PyPy will continue to support Python 2.7, even as major Python projects migrate to Python 3

Go, the popular programming language is adding an internal language server protocol (LSP). This is expected to bring features like code autocompletion and diagnostics available in Golang. LSP is used between a user and a server to integrate features such as autocomplete, go to definition, find all references and alike into the tool. It was created by Microsoft to define a common language for enabling programming language analyzers to communicate. It is growing in popularity with adoption from companies like Codenvy, Red Hat, and Sourcegraph. There is also a rapidly growing list of editor and language communities supporting LSP. Golang already has a language server available on GitHub. This version has support for Hover jump to def, workspace symbols, and find references. But, it does not support code completion and diagnostics. Sourcegraph CEO Quinn Slack stated in a comment on Hacker News: “The idea is that with a Go language server becoming a core part of Go, it will have a lot more resources invested into it and it will surpass where the current implementation is now.” The Go language server made by Sourcegraph available currently on GitHub is not a core part of Golang. It uses tools and custom extensions not maintained by the Go team. The hope is that the core LSP implementation will be good enough and that SourceGraph can re-use this implementation in the future to bring down the number of implementations to just one. Slack said in a comment that they are very happy with this implementation: “We are 10,000% supportive of this, as we've discussed openly in the golang-tools group and with the Go team. The Go team was commendably empathetic about the optics here, and we urged them very, very, very directly to do this.” This core implementation of LSP by the Golang team is also beneficial for Sourcegraph from a business perspective. Sourcegraph sells a product that lets you search and browse all your code, which involves using language servers for certain features like hovers, definitions and references. Since the core work will be done by the Golang team, Sourcegraph won’t have to invest more time into building their implementation of Go language server. For more information, visit the Googlesource website. Golang 1.11 is here with modules and experimental WebAssembly port among other updates Why Golang is the fastest growing language on GitHub Go 2 design drafts include plans for better error handling and generics

Yesterday the team at Microsoft released Cascadia Code version 1909.16, the latest monospaced font for command-line applications like Windows Terminal and code editors like Visual Studio Code. This year in May, the team announced about this font at the Microsoft Build conference. Cascadia Code version 1909.16 is now publicly available on GitHub and developers can contribute to the font on GitHub. This code is licensed under the SIL Open Font license on GitHub. Cascadia Code supports programming ligatures that are used while writing codes as they can create new glyphs by combining characters. These ligatures make the code more readable and user-friendly. The name “Cascadia Code” comes from the Windows Terminal project. The codename for Windows Terminal was Cascadia before it was released. https://twitter.com/cinnamon_msft/status/1130864977185632256 The official post reads, “As an homage to the Terminal, we liked the idea of naming the font after its codename. We added Code to the end of the font name to help indicate that this font was intended for programming. Specifically, it helps identify that it includes programming ligatures.” Users can install Cascadia Code font from the GitHub repository’s releases page or receive it in the next update of Windows Terminal. Users are overall excited about this news and they are liking the fact that even the official announcement blog post is using the Cascadia Code font. They are also appreciating the team for adding support for programming ligatures. https://twitter.com/bitbruder/status/1174432721038389253 https://twitter.com/singhkays/status/1174541216261652482 https://twitter.com/FiraCode/status/1174608467442720768 A user commented on HackerNews, “I really like this. Feels easy on the eyes (at least to me). I've used Fira Code for as long as I can remember, but going to give this a go!” Other interesting news in programming DevOps platform for coding, GitLab reached more than double valuation of $2.75 billion than its last funding and way ahead of its IPO in 2020 Microsoft open-sources its C++ Standard Library (STL) used by MSVC tool-chain and Visual Studio Linux 5.3 releases with support for AMD Navi GPUs, Zhaoxin x86 CPUs and power usage improvements    

Last week, the team behind Git released Git 2.23 that comes with experimental commands, backward compatibility and much more. This release has received contributions from over 77 contributors out of which 26 were new. What’s new in Git 2.23? Experimental commands This release comes with a new pair of experimental commands, git switch and git restore for providing a better interface for the git checkout.  “Two new commands "git switch" and "git restore" are introduced to split "checking out a branch to work on advancing its history" and "checking out paths out of the index and/or a tree-ish to work on advancing the current history" out of the single "git checkout" command,” the official mail thread reads.  Git checkout can be used to change branches with git checkout <branch>. In case if the user doesn’t want to switch branches, git checkout can be used to change individual files, too. These new commands aim to separate the responsibilities of git checkout into two narrower categories that is operations, which change branches and operations that change files.  Backward compatibility  The "--base" option of "format-patch" is now compatible with "git patch-id --stable".  Git fast-export/import pair The "git fast-export/import" pair will be now used to handle commits with log messages in encoding other than UTF-8. git clone --recurse-submodules "git clone --recurse-submodules" has now learned to set up the submodules for ignoring commit object names that are recorded in the superproject gitlink. git diff/grep The pattern "git diff/grep" that is used for extracting funcname and words boundary for Rust has now been added. git fetch" and "git pull The commands "git fetch" and "git pull" are used to report when a fetch results in non-fast-forward updates that lets the user notice unusual situation.    git status With this release, the extra blank lines in "git status" output have been reduced. Developer support This release comes with developer support for emulating unsatisfied prerequisites in tests for ensuring that the remainder of the tests succeeds when tests with prerequisites are skipped. A new tutorial for git-core developers This release comes with a new tutorial that target aspiring git-core developers. This tutorial demonstrates end-to-end workflow of creating a change to the Git tree, for sending it for review, as well as making changes that are based on comments. Bug fixes in Git 2.23 In the earlier version, "git worktree add" used to fail when another worktree that was connected to the same repository was corrupt. This issue has been corrected in this release. An issue with the file descriptor has been fixed. This release comes with an updated parameter validation. The code for parsing scaled numbers out of configuration files has been made more robust and easier to follow with this release. Few users seem to be happy about the new changes made, a user commented on HackerNews, “It's nice to hear that there appears to be progress being made in making git's tooling nicer and more consistent. Git's model itself is pretty simple, but the command line tools for working with it aren't and I feel that this fuels most of the "Git is hard" complaints.” Few others are still skeptical about the new commands, another user commented, “On the one hand I'm happy on the new "switch" and "restore" commands. On the other hand, I wonder if they truly add any value other than the semantic distinction of functions otherwise present in checkout.” To know more about this news in detail, read the official blog post on GitHub. GitHub has blocked an Iranian software developer’s account GitHub services experienced a 41-minute disruption yesterday iPhone can be hacked via a legit-looking malicious lightning USB cable worth $200, DefCon 27 demo shows

Today, StackRox, a Kubernetes-native container security platform provider announced StackRox Kubernetes Security Platform 3.0. This release includes industry-first features for configuration and vulnerability management that enable businesses to achieve stronger protection of cloud-native, containerized applications. In a press release, Wei Lien Dang, StackRox’s vice president of product, and co-founder said, “When it comes to Kubernetes security, new challenges related to vulnerabilities and misconfigurations continue to emerge.” “DevOps and Security teams need solutions that quickly and easily solve these issues. StackRox 3.0 is the first container security platform with the capabilities orgs need to effectively deal with Kubernetes configurations and vulnerabilities, so they can reduce risk to what matters most – their applications and their customer’s data,” he added. What’s new in StackRox Kubernetes Security Platform 3.0 Features for configuration management Interactive dashboards: This will enable users to view risk-prioritized misconfigurations, easily drill-down to critical information about the misconfiguration, and determine relevant context required for effective remediation. Kubernetes role-based access control (RBAC) assessment: StackRox will continuously monitor permission for users and service accounts to help mitigate against excessive privileges being granted. Kubernetes secrets access monitoring: The platform will discover secrets in Kubernetes and monitor which deployments can use them to limit unnecessary access. Kubernetes-specific policy enforcement: StackRox will identify configurations in Kubernetes related to network exposures, privileged containers, root processes, and other factors to determine policy violations. Advanced vulnerability management capabilities Interactive dashboards: StackRox Kubernetes Security Platform 3.0 has interactive views that provide risk prioritized snapshots across your environment, highlighting vulnerabilities in both, images and Kubernetes. Discovery of Kubernetes vulnerabilities: The platform gives you visibility into critical vulnerabilities that exist in the Kubernetes platform including the ones related to the Kubernetes API server disclosed by the Kubernetes product security team. Language-specific vulnerabilities: StackRox scans container images for additional vulnerabilities that are language-dependent, providing greater coverage across containerized applications.  Along with the aforementioned features, StackRox Kubernetes Security Platform 3.0 adds support for various ecosystem platforms. These include CRI-O, the Open Container Initiative (OCI)-compliant implementation of the Kubernetes Container Runtime Interface (CRI), Google Anthos, Microsoft Teams integration, and more. These were a few latest capabilities shipped in StackRox Kubernetes Security Platform 3.0. To know more, you can check out live demos and Q&A by the StackRox team at KubeCon 2019, which will be happening from November 18-21 in San Diego, California. It brings together adopters and technologists from leading open source and cloud-native communities. Kubernetes 1.16 releases with Endpoint Slices, general availability of Custom Resources, and other enhancements StackRox App integrates into the Sumo Logic Dashboard  for improved Kubernetes security Microsoft launches Open Application Model (OAM) and Dapr to ease developments in Kubernetes and microservices