Nolan Lawson, writing in a blogpost: Anyone who's worked in the tech industry for long enough, especially at larger organizations, has seen it before. A legacy system exists: it's big, it's complex, and no one fully understands how it works. Architects are brought in to "fix" the system. They might wheel out a big whiteboard showing a lot of boxes and arrows pointing at other boxes, and inevitably, their solution is... to add more boxes and arrows. Nobody can subtract from the system; everyone just adds. This might go on for several years. At some point, though, an organizational shakeup probably occurs -- a merger, a reorg, the polite release of some senior executive to go focus on their painting hobby for a while. A new band of architects is brought in, and their solution to the "big diagram of boxes and arrows" problem is much simpler: draw a big red X through the whole thing. The old system is sunset or deprecated, the haggard veterans who worked on it either leave or are reshuffled to other projects, and a fresh-faced team is brought in to, blessedly, design a new system from scratch.

As disappointing as it may be for those of us who might aspire to write the kind of software that is timeless and enduring, you have to admit that this system works. For all its wastefulness, inefficiency, and pure mendacity ("The old code works fine!" "No wait, the old code is terrible!"), this is the model that has sustained a lot of software companies over the past few decades. Will this cycle go on forever, though? I'm not so sure. Right now, the software industry has been in a nearly two-decade economic boom (with some fits and starts), but the one sure thing in economics is that booms eventually turn to busts. During the boom, software companies can keep hiring new headcount to manage their existing software (i.e. more engineers to understand more boxes and arrows), but if their labor force is forced to contract, then that same system may become unmaintainable. A rapid and permanent reduction in complexity may be the only long-term solution.

One thing working in complexity's favor, though, is that engineers like complexity. Admit it: as much as we complain about other people's complexity, we love our own. We love sitting around and dreaming up new architectural diagrams that can comfortably sit inside our own heads -- it's only when these diagrams leave our heads, take shape in the real world, and outgrow the size of any one person's head that the problems begin. It takes a lot of discipline to resist complexity, to say "no" to new boxes and arrows. To say, "No, we won't solve that problem, because that will just introduce 10 new problems that we haven't imagined yet." Or to say, "Let's go with a much simpler design, even if it seems amateurish, because at least we can understand it." Or to just say, "Let's do less instead of more."

At Silicon Valley's Computer History Museum, the senior curator just announced the results of a multi-year recovery and restoration process: making available 21 never-before-seen video recordings of a legendary 1976 conference: For five summer days in 1976, the first generation of computer rock stars had its own Woodstock. Coming from around the world, dozens of computing's top engineers, scientists, and software pioneers got together to reflect upon the first 25 years of their discipline in the warm, sunny (and perhaps a bit unsettling) climes of the Los Alamos National Laboratories, birthplace of the atomic bomb.
Among the speakers:

- A young Donald Knuth on the early history of programming languages

- FORTRAN designer John Backus on programming in America in the 1950s — some personal perspectives

- Harvard's Richard Milton Bloch (who worked with Grace Hopper in 1944)

- Mathematician/nuclear physicist Stanislaw M. Ulam on the interaction of mathematics and computing

- Edsger W. Dijkstra on "a programmer's early memories."


The Computer History Museum teases some highlights: Typical of computers of this generation, the 1946 ENIAC, the earliest American large-scale electronic computer, had to be left powered up 24 hours a day to keep its 18,000 vacuum tubes healthy. Turning them on and off, like a light bulb, shortened their life dramatically. ENIAC co-inventor John Mauchly discusses this serious issue....

The Los Alamos peak moment was the brilliant lecture on the British WW II Colossus computing engines by computer scientist and historian of computing Brian Randell. Colossus machines were special-purpose computers used to decipher messages of the German High Command in WW II. Based in southern England at Bletchley Park, these giant codebreaking machines regularly provided life-saving intelligence to the allies. Their existence was a closely-held secret during the war and for decades after. Randell's lecture was — excuse me — a bombshell, one which prompted an immediate re-assessment of the entire history of computing. Observes conference attendee (and inventor of ASCII) IBM's Bob Bemer, "On stage came Prof. Brian Randell, asking if anyone had ever wondered what Alan Turing had done during World War II? From there he went on to tell the story of Colossus — that day at Los Alamos was close to the first time the British Official Secrets Act had permitted any disclosures. I have heard the expression many times about jaws dropping, but I had really never seen it happen before."

Publishing these original primary sources for the first time is part of CHM's mission to not only preserve computing history but to make it come alive. We hope you will enjoy seeing and hearing from these early pioneers of computing.

Hirrolot's blog: When you use Rust, it is sometimes outright preposterous how much knowledge of language, and how much of programming ingenuity and curiosity you need in order to accomplish the most trivial things. When you feel particularly desperate, you go to rust/issues and search for a solution for your problem. Suddenly, you find an issue with an explanation that it is theoretically impossible to design your API in this way, owing to some subtle language bug. The issue is Open and dated Apr 5, 2017.

I entered Rust four years ago. To this moment, I co-authored teloxide and dptree, wrote several publications and translated a number of language release announcements. I also managed to write some production code in Rust, and had a chance to speak at one online meetup dedicated to Rust. Still, from time to time I find myself disputing with Rust's borrow checker and type system for no practical reason. Yes, I am no longer stupefied by such errors as cannot return reference to temporary value - over time, I developed multiple heuristic strategies to cope with lifetimes...

But one recent situation has made me to fail ignominiously. [...]

"C++ allows for writing high-performance applications but this comes at a price, security..." So says Google's Chrome security team in a recent blog post, adding that in general, "While there is appetite for different languages than C++ with stronger memory safety guarantees, large codebases such as Chromium will use C++ for the foreseeable future."

So the post discusses "our journey of using heap scanning technologies to improve memory safety of C++." The basic idea is to put explicitly freed memory into quarantine and only make it available when a certain safety condition is reached. Microsoft has shipped versions of this mitigation in its browsers: MemoryProtector in Internet Explorer in 2014 and its successor MemGC in (pre-Chromium) Edge in 2015. In the Linux kernel a probabilistic approach was used where memory was eventually just recycled. And this approach has seen attention in academia in recent years with the MarkUs paper. The rest of this article summarizes our journey of experimenting with quarantines and heap scanning in Chrome.
In essence the C++ memory allocator (used by new and delete) is "intercepted." There are various hardening options which come with a performance cost:


- Overwrite the quarantined memory with special values (e.g. zero);

- Stop all application threads when the scan is running or scan the heap concurrently;

- Intercept memory writes (e.g. by page protection) to catch pointer updates;

- Scan memory word by word for possible pointers (conservative handling) or provide descriptors for objects (precise handling);

- Segregation of application memory in safe and unsafe partitions to opt-out certain objects which are either performance sensitive or can be statically proven as being safe to skip;

- Scan the execution stack in addition to just scanning heap memory...


Running our basic version on Speedometer2 regresses the total score by 8%. Bummer...

To reduce the regression we implemented various optimizations that improve the raw scanning speed. Naturally, the fastest way to scan memory is to not scan it at all and so we partitioned the heap into two classes: memory that can contain pointers and memory that we can statically prove to not contain pointers, e.g. strings. We avoid scanning memory that cannot contain any pointers. Note that such memory is still part of the quarantine, it is just not scanned....

[That and other] optimizations helped to reduce the Speedometer2 regression from 8% down to 2%.
Thanks to Slashdot reader Hari Pota for sharing the link

Sad news from long-time Slashdot reader NormalVisual: Synthtopia reports that Dave Smith, founder of the legendary synthesizer manufacturer Sequential Circuits and creator of the MIDI (Musical Instrument Digital Interface) standard, died this past Wednesday.

Some of Smith's notable creations include the Prophet 5, one of the first commercially available digitally-controlled polyphonic analog synthesizers, and the Prophet-600, the first available device to offer MIDI...

Smith, who held degrees in both computer science and electronic engineering from UC Berkeley, was scheduled to appear at this year's National Association of Music Merchant (NAMM), but died suddenly. No cause of death has yet been released.
Smith's Wikipedia entry calls his 1977 Prophet 5 "the world's first microprocessor-based musical instrument" and a crucial step forward as a programmable synthesizer.

And this week Billboad magazine hailed Smith as "a key figure in the development of synth technology in the 1970s and 1980s." With Sequential (originally known as Sequential Circuits), Smith released various sequencers and programmers to be used with the Moog and ARP synthesizers prevalent at the time, before designing his own release: the Prophet-5, first polyphonic synth with programmable memory, to allow sounds to be stored and re-accessed at any time. The Prophet-5 quickly became the gold standard in its field, used in the recording both of epochal '80s blockbuster LPs like Michael Jackson's Thriller and Madonna's Like a Virgin and envelope-pushing scores for era composers like John Carpenter and Vangelis....

Smith's greatest legacy might be the introduction of MIDI to synth technology... Smith's invention (along with Roland pioneer Ikutaro Kakehashi and Sequential engineer Chet Wood) of MIDI allowed unprecedented levels of synchronization and communication between different instruments, computers and other recording equipment, which was previously incredibly difficult to achieve — particularly between equipment designed by separate manufacturers. The innovation of MIDI helped facilitate the explosion of forward-thinking programming and creativity throughout the industry of the '80s, essentially making the future of pop music accessible to all.

Smith would also develop the world's first computer synthesizer as president of Seer Systems in the '90s, and launched the company Dave Smith Instruments, an instruments manufacturer, in 2002. He has won many lifetime awards for his work in the field of musical technology, including a Technical Grammy for MIDI's creation in 2013 (an honor he shared with Kakehashi).

Denmark-based Poul-Henning Kamp describes himself as the "author of a lot of FreeBSD, most of Varnish and tons of other Open Source Software." And he shares this message in June's Communications of the ACM.

"The software industry is still the problem." If any science fiction author, famous or obscure, had submitted a story where the plot was "modern IT is a bunch of crap that organized crime exploits for extortion," it would have gotten nowhere, because (A) that is just not credible, and (B) yawn!

And yet, here we are.... As I write this, 200-plus corporations, including many retail chains, have inoperative IT because extortionists found a hole in some niche, third-party software product most of us have never heard of.
But he's also proposing a solution. In Denmark, 129 jobs are regulated by law. There are good and obvious reasons why it is illegal for any random Ken, Brian, or Dennis to install toilets or natural-gas furnaces, perform brain surgery, or certify a building is strong enough to be left outside during winter. It may be less obvious why the state cares who runs pet shops, inseminates cattle, or performs zoological taxidermy, but if you read the applicable laws, you will learn that animal welfare and protection of endangered species have many and obscure corner cases.

Notably absent, as in totally absent, on that list are any and all jobs related to IT; IT architecture, computers, computer networks, computer security, or protection of privacy in computer systems. People who have been legally barred and delicensed from every other possible trade — be it for incompetence, fraud, or both — are entirely free to enter the IT profession and become responsible for the IT architecture or cybersecurity of the IT system that controls nearly half the hydrocarbons to the Eastern Seaboard of the U.S....

With respect to gas, water, electricity, sewers, or building stability, the regulations do not care if a company is hundreds of years old or just started this morning, the rules are always the same: Stuff should just work, and only people who are licensed — because they know how to — are allowed to make it work, and they can be sued if they fail to do so.

The time is way overdue for IT engineers to be subject to professional liability, like almost every other engineering profession. Before you tell me that is impossible, please study how the very same thing happened with electricity, planes, cranes, trains, ships, automobiles, lifts, food processing, buildings, and, for that matter, driving a car.

As with software product liability, the astute reader is apt to exclaim, "This will be the end of IT as we know it!" Again, my considered response is, "Yes, please, that is precisely my point!"

joshuark writes: NASA programmer/scientist, Ron Garret shares his experience debugging LISP code from 150-million miles away on the robotic Mars rover Sojourner. Garret describes his experience in a recent episode of Adam Gordon Bell's Corecursive podcast. Garret later explains, "And it didn't work..." for the next project NASA's New Millennium project using LISP.

Like a professor said in LISP programming class, LISP -- getting it done is half DEFUN. Garret had written an essay in 2006 , titled, "How knowing LISP destroyed my programming career." Available on the web archive. So much for LISPcraft, or the Little LISPer.

Charlotte Web writes: A recent survey of 20,000 developers found a third (34%) were learning about cryptocurrencies, ZDNet reports — and 16% even said they were actively working on crypto-related projects. (And 11% said they were actively working on NFT technology, while 32% said they were learning more about NFTs.)

30% also said they were learning about blockchain technologies other than cryptocurrencies (with just 12% currently working on blockchain projects — just 1% higher than in a 2021 survey).

Citing the survey, ZDNet adds that "The next most popular technologies were the metaverse and AI-assisted software development: 28% of developers are learning about these technologies."

Created at Google in late 2007, the Go programming language was open sourced in late 2009, remember its creators, and "since then, it has operated as a public project, with contributions from thousands of individuals and dozens of companies."

In a joint essay in Communications of the ACM, five of the language's five original creators explore what brought growing popularity to this "garbage-collected, statically compiled language for building systems" (with its self-contained binaries and easy cross-compilation). "The most important decisions made in the language's design...were the ones that made Go better for large-scale software engineering and helped us attract like-minded developers...." Although the design of most languages concentrates on innovations in syntax, semantics, or typing, Go is focused on the software development process itself. Go is efficient, easy to learn, and freely available, but we believe that what made it successful was the approach it took toward writing programs, particularly with multiple programmers working on a shared codebase. The principal unusual property of the language itself — concurrency — addressed problems that arose with the proliferation of multicore CPUs in the 2010s. But more significant was the early work that established fundamentals for packaging, dependencies, build, test, deployment, and other workaday tasks of the software development world, aspects that are not usually foremost in language design.

These ideas attracted like-minded developers who valued the result: easy concurrency, clear dependencies, scalable development and production, secure programs, simple deployment, automatic code formatting, tool-aided development, and more. Those early developers helped popularize Go and seeded the initial Go package ecosystem. They also drove the early growth of the language by, for example, porting the compiler and libraries to Windows and other operating systems (the original release supported only Linux and MacOS X). Not everyone was a fan — for instance, some people objected to the way the language omitted common features such as inheritance and generic types. But Go's development-focused philosophy was intriguing and effective enough that the community thrived while maintaining the core principles that drove Go's existence in the first place. Thanks in large part to that community and the technology it has built, Go is now a significant component of the modern cloud computing environment.

Since Go version 1 was released, the language has been all but frozen. The tooling, however, has expanded dramatically, with better compilers, more powerful build and testing tools, and improved dependency management, not to mention a huge collection of open source tools that support Go. Still, change is coming: Go 1.18, released in March 2022, includes the first version of a true change to the language, one that has been widely requested — the first cut at parametric polymorphism.... We considered a handful of designs during Go's first decade but only recently found one that we feel fits Go well. Making such a large language change while staying true to the principles of consistency, completeness, and community will be a severe test of the approach.

SlashData's "State of the Developer Nation" surveyed more than 20,000 developers in 166 countries, taken from December 2021 to February 2022, reports InfoWorld.

It found the most popular programming language is JavaScript — followed by Python (which apparently added 3.3 million new net developers in just the last six months). And Rust adoption nearly quadrupled over the last two years to 2.2 million developers.

InfoWorld summarizes other findings from the survey: Java continues to experience strong and steady growth. Nearly 5 million developers have joined the Java community since the beginning of 2021.

PHP has grown the least in the past six month, with an increase of 600,000 net new developers between Q3 2021 and Q1 2022. But PHP is the second-most-commonly used language in web applications after JavaScript.

Go and Ruby are important languages in back-end development, but Go has grown more than twice as fast in the past year. The Go community now numbers 3.3 million developers.

The Kotlin community has grown from 2.4 million developers in Q1 2021 to 5 million in Q1 2022. This is largely attributed to Google making Kotlin its preferred language for Android development.

Munich-based developer Aaron Ardiri is Slashdot reader #245,358, with a profile that still identifies him as a Palm OS developer. Which surprised me, because Palm OS's last update was in 2007. (Then again, ardiri's Slashdot profile also still includes his screen name on AOL Instant Messenger.)

So, a long-time Slashdot reader. And this week he stopped by to share a little history — in more ways than one. ardiri writes: Before the iOS and Android entered the scene — heck, even before the smartphone concept — was the handheld personal digital assistant, with the likes of Newton, Palm OS, Windows Mobile and Symbian.

Palm OS had a thriving gaming scene; with the likes of emulators and implementations/clones of classics such as LodeRunner, Lemmings, and the classic Game and Watch.
But the real news of ardiri's original submission is hidden in its headline. "Palm OS developer releases source to classic games, 20+ years after release." Written mainly in C and optimizations in assembler — maybe these games will make their way to the various Arduino like micro-controllers out there; designed for low memory, low processing power environments they would port perfectly.

The head of the UK government's digital transformation unit recently announced a change to the nation's government services site gov.uk: they've "removed jQuery as a dependency for all frontend apps, meaning 32 KB of minified and compressed JavaScript was removed" for everything from selecting elements to attaching event listeners....

Nearly 84% of mobile pages used jQuery in 2021, points out a new essay at Gov.UK — before explaining why they decided not to: jQuery was an instrumental tool in a time when we really needed a way to script interactivity in a way that smoothed over the differing implementations of stuff like event handling, selecting elements, animating elements, and so on.

The web is better because of jQuery — not just because it has such incredible utility, but because its ubiquity led to making what it provided part of the web platform itself. Nowadays, we can do just about anything jQuery can do in vanilla JavaScript... It really begs the question: Do we really need jQuery today? That's a question that GOV.UK has answered with a resounding "no"....

This is a big deal when it comes to the user experience, because GOV.UK provides services and information online for The United Kingdom at scale. Not everyone is tapping away on their 2022 MacBook Pro on a rip-roarin' broadband connection. GOV.UK has to be accessible to everyone, and that means keepin' it lean.... dependencies matter when it comes to performance. Don't shortchange your users if the web platform can easily do the job a framework can.

This level of commitment to the user experience from a institution that works at the scale GOV.UK does is commendable. I can only hope others follow in their footsteps.

Mike Bouma (Slashdot reader #85,252) writes: With the release of the A500 mini (which also supports A1200 games) and its side loading feature you may be interested to get started with Amiga Retro games development. This is why I collected some recent Amiga games development tutorials and added some additional information.

A popular game programming language on the Amiga is Blitz BASIC or AmiBlitz as the freely available and open source version is called now. The latest version (v 3.9.2) was recently released. The best known game developed with Blitz Basic is Team 17's original Worms game for the Amiga 500 in 1995. Meanwhile the Worms franchise has sold over 75 million game units across many different platforms. Daedalus2097 has just started an AmiBlitz video tutorial series on Twitch.tv: Part 1, Part 2 and Part 3. An example AmiBlitz game currently under development is Super Metal Hero (A1200) and here's a shooter level in the game.

REDPILL is a 2D game creation tool written in AmiBlitz by Carlos Peris and is designed to empower people to create many games for Amiga without programming knowledge. It's still early days but the first games are already being designed using this tool. An example game designed with this tool is Guardian — The legend of flaming sword.

The "Scorpion Engine" developed by Erik 'Earok' Hogan is a closed source game engine with all software developed for it open source. It offers a modern Windows IDE for development. In this video, Erik Hogan guides Micheal Parent from Bitbeam Cannon step by step as they create a legit retro video game from scratch. Various new games have and are being developed using this engine. An already released game is Amigo the Fox and an example game under development is Rick Dangerous (A1200 version).

If you want to dig deeper into Amiga coding then here's a series of Assembly game development tutorials by Phaze101. An example game currently being written in assembler is RESHOOT PROXIMA 3 (A1200).

If you are unexperienced with coding but would like to then here are some Amos (BASIC) tutorials for you: Rob Smith's How to program Wordle in AMOS on the AMIGA and Lets Code Santa's Present Drop Game.

Long-time Slashdot reader destinyland writes: Today sees an event celebrating the 50th anniversary of 1970s children's programming giants Sid & Marty Krofft. (Born in 1929, Sid Krofft will turn 93 in July). And reportedly Marty Krofft has now partnered with NFT producer Orange Comet "in a multiyear contract to release NFTs based on the often enigmatic and much-beloved television shows they have brought to us since 1969."

The first one commemorates Land of the Lost — dropping sometime after September.

Today I learned their big break in America came from making puppets for Dean Martin's show, followed by designing and directing the Banana Splits and a string of successful children's shows on Saturday mornings. ( Land of the Lost, H.R. Pufunstuf, Lidsville, Sigmund and the Sea Monsters...) Looking back, Krofft muses that even today somewhere in New York City, "some guy 50 years old, remembers the damn theme songs. Because there were only three networks, so basically every kid in America saw our shows." In the article Marty Krofft describes their style as "a nightmare and bizarre" — or, more pragmatically, as "Disney without a budget" (while crediting future Disney CEO Michael Eisner for being their mentor).

Yet the article adds that "They were nearly unstoppable with styrofoam, paint and cloth. In a digital universe of truly endless possibilities, there is no telling where they could take their stories."

Sentinel Labs provides malware/threat intelligence analysis for the enterprise cybersecurity platform SentinelOne.

Thursday they reported on "a supply-chain attack against the Rust development community that we refer to as 'CrateDepression'." On May 10th, 2022, the Rust Security Response Working Group released an advisory announcing the discovery of a malicious crate hosted on the Rust dependency community repository. The malicious dependency checks for environment variables that suggest a singular interest in GitLab Continuous Integration (CI) pipelines.

Infected CI pipelines are served a second-stage payload. We have identified these payloads as Go binaries built on the red-teaming framework, Mythic. Given the nature of the victims targeted, this attack would serve as an enabler for subsequent supply-chain attacks at a larger-scale relative to the development pipelines infected. We suspect that the campaign includes the impersonation of a known Rust developer to poison the well with source code that relies on the typosquatted malicious dependency and sets off the infection chain.... In an attempt to fool rust developers, the malicious crate typosquats against the well known rust_decimal package used for fractional financial calculations....

The malicious package was initially spotted by an avid observer and reported to the legitimate rust_decimal github account.... Both [Linux and macOs] variants serve as an all-purpose backdoor, rife with functionality for an attacker to hijack an infected host, persist, log keystrokes, inject further stages, screencapture, or simply remotely administer in a variety of ways....

Software supply-chain attacks have gone from a rare occurrence to a highly desirable approach for attackers to 'fish with dynamite' in an attempt to infect entire user populations at once. In the case of CrateDepression, the targeting interest in cloud software build environments suggests that the attackers could attempt to leverage these infections for larger scale supply-chain attacks.

"Python 3.11 will bear the fruits of CPython's multi-year effort to make Python a faster programming language," reports ZDNet.

"Core Python (CPython) developer Mark Shannon shared details about the project to make Python faster at the PyCon 2022 conference this week..." Last year, Microsoft funded a project for the Python Software Foundation (PSF), led by Python creator Guido van Rossum and Shannon, to make Python twice as fast as the current stable 3.10 series. The vision is to nudge Python towards the performance of C. Microsoft hired van Rossum in 2020 and gave him a free hand to pick any project. At last year's PyCon 2021 conference, he said he "chose to go back to my roots" and would work on Python's famed lack of performance....

The Faster CPython Project provided some updates about CPython 3.11 performance over the past year. Ahead of PyCon 2022, the project published more results comparing the 3.11 beta preview to 3.10 on dozens of performance metrics, showing that 3.11 was overall 1.25 times faster than 3.10. Shannon is realistic about the project's ability to improve Python performance, but believes the improvements can extend Python's viable use to more virtual machines. "Python is widely acknowledged as slow. Whilst Python will never attain the performance of low-level languages like C, Fortran, or even Java, we would like it to be competitive with fast implementations of scripting languages, like V8 for Javascript or luajit for lua," he wrote last year in the Python Enhancement Proposal (PEP) 659.

"Specifically, we want to achieve these performance goals with CPython to benefit all users of Python including those unable to use PyPy or other alternative virtual machines...."

On the question of a just-in-time (JIT) compiler for Python's performance, Shannon suggested it was not a priority and would likely not arrive until Python 3.13, according to the Python Software Foundation's coverage of the event.... According to the Faster Python implementation plan, CPython 3.12 might gain a "simple JIT compiler for small regions" that compiles small regions of specialized code, while 3.13 would enhance the compiler to extend the regions for compilation.

ZDNet reports news from PyCon 2022 ("the first in-person meet-up for Python contributors since 2019 due to the pandemic")

"Developers revisited the idea of running Python code in the browser...." CPython developer Christian Heimes and fellow contributor Ethan Smith detailed how they enabled the CPython main branch to compile to WebAssembly. CPython, short for Core Python, is the reference implementation that other Python distributions are derived from. CPython now cross-compiles to Wasm using Emscripten, a toolchain that compiles projects written in C or C++ to Node.js or Wasm runtimes. The Python Software Foundation highlighted the work in a blog post: "Python can be run on many platforms: Linux, Windows, Apple Macs, microcomputers, and even Android devices. But it's a widely known fact that, if you want code to run in a browser, Python is simply no good — you'll just have to turn to JavaScript," it notes.

"Now, however, that may be about to change."

While the Foundation notes cross-compiling to WebAssembly is still "highly experimental" due to missing modules in the Python standard library, nonetheless, PyCon 2022 demonstrated growing community interest in making Python a better language for the browser.
The article notes additional news from Anaconda (makers of the a Python distribution for data science): the announcement of PyScript, "a system for interleaving Python in HTML (like PHP)." It allows developers to write and run Python code in HTML, and call Javascript libraries in PyScript. This system allows a website to be written entirely in Python.

PyScript is built on Pyodide, a port of CPython, or a Python distribution for the browser and Node.js that's based on WebAssembly and Emscripten.... "Pyodide makes it possible to install and run Python packages in the browser with micropip. Any pure Python package with a wheel available on PyPI is supported," the Pyodide project states. Essentially, it compiles Python code and scientific libraries to WebAssembly using Emscripten.

"Security consultant Lance Vick recently acquired the expired domain used by the maintainer of a widely used NPM package," reports the Register, "to remind the JavaScript community that the NPM Registry still hasn't implemented adequate security." "I just noticed 'foreach' on NPM is controlled by a single maintainer," wrote Vick in a Twitter post on Monday. "I also noticed they let their domain expire, so I bought it before someone else did. I now control 'foreach' on npm, and the 36,826 projects that depend on it."

That's not quite the full story — he probably could have taken control but didn't. Vick acquired the lapsed domain that had been used by the maintainer to create an NPM account and is associated with the "foreach" package on NPM. But he said he didn't follow through with resetting the password on the email account tied to the "foreach" package, which is fetched nearly six million times a week. In an email to the Register, Vick explained... "I did not log into the account, as again, that crosses a line. I just sent a password reset email and bailed.

"Regardless of how much control I have over this particular package, which is unclear, NPM admits this particular expired domain problem is a known issue, citing this 2021 [research paper] which says, 'We also found 2,818 maintainer email addresses associated with expired domains, allowing an attacker to hijack 8,494 packages by taking over the NPM accounts.' In other words, anyone poking around is going to find accounts easy to take over in this way. I was not lucky or special." His point, which he has been trying for several years to communicate to those overseeing NPM — a part of GitHub since March 2020 — is that taking over the NPM account of a popular project to conduct a software supply chain attack continues to be too easy.

Part of the problem is that JavaScript developers often use packages that implement simple functions that are either already built into the language, like forEach, or ought to be crafted manually to avoid yet another dependency, like left-pad (now built-in as padStart). These trivial packages get incorporated into other packages, which may in turn become dependencies in different packages, thereby making the compromise of something like "foreach" a potentially far-reaching security incident.
But Vick argues that with so many upstream attack vectors, "We are all just trusting strangers on the internet to give us good candy from their truck," according to the Register. Their article points out that on Tuesday GitHub launched a beta test of improved 2FA security for all its NPM accounts — which Vick calls "a huge win... [T]hat is the best way to protect accounts. We in the security community have been demanding this for years."

But he's still worried about the possibility of email addresses with weak two-factor authentication or compromised NPM employees, and would like to see NPM implement cryptographic signatures for code. "I am talking with a member of their team tomorrow and we will see where this goes."

schwit1 shares a report: The House of Representatives [...] will provide taxpayer-funded Peloton memberships to all of its staff, costing taxpayers roughly $100,000 per month. The move comes one year after the fitness company set up a lobbying shop in Washington. Memberships to the exercise service, which offers workout classes, will be available to House staff in Washington, D.C., and in district offices, as well as to Capitol police officers, Fox Business reported. The number of people eligible for the fully taxpayer-funded memberships totals roughly 12,300.

Under the contract with Peloton, which takes effect May 18, the government will pay the company $10,000 up front and $10 per month for each staffer who chooses to enroll, according to Fox Business. With high participation among House staffers, the monthly cost of the contract for taxpayers could exceed $100,000 per month. [...] In March 2021, Peloton hired an in-house lobbyist and two lobbying firms to influence Congress on issues including "government programming to support health and wellness of Americans."

Sen. Sheldon Whitehouse (D-R.I.) and Rep. Anna Eshoo (D-Calif.) on Tuesday introduced a bill to regulate the volume of commercials shown on streaming platforms. The Hill reports: The bill is known as the Commercial Advertisement Loudness Mitigation (CALM) Modernization Act. It would modernize policies regarding ads on streaming services, saying that "the volume of commercials on streaming services cannot be louder than regular programming," according to Eshoo. It would also ramp up the Federal Communications Commission's ability to investigate and enforce violations of the original CALM Act and require a study into its effectiveness.

Eshoo added that since she and Whitehouse created the original CALM Act, streaming service providers have "recreated the problem of loud ads because the old law doesn't apply to them." "Today, we're updating the legislation for the benefit of consumers who are tired of diving for the mute button at every commercial break," Eshoo added.