Feb 21, 2020 newsletter

Pinpointing weaknesses in the open source ecosystem

Open source census

The Linux Foundation—in partnership with the Laboratory for Innovation Science at Harvard University—released a new census of open source software, dubbed Vulnerabilities in the Core.

With data collected from actual production environments—compiled through automated scans of companies’ tech stacks—the report reveals serious potential weaknesses in the open source ecosystem.

First, individual developers are a major weakness. The report found that seven of the top ten most popular packages in the world were hosted under individual developer accounts. That exposes much of today’s most important software to possible backdoor attacks and simple account takeovers.

Worse, developers have the power to simply choose to remove or delete these packages. Take, for example, how in 2016 a sole developer removed his npm package left-pad in protest, breaking Node, Babel, and thousands of other projects in the process.

Second, open source has not escaped the problem of legacy technology. The report highlights how minimist, a library to parse argument options that reigns as the sixth most popular package in the world, outranks yargs, a newer and better alternative. Disturbingly, minimist—whose last commit dates back to 2015—rakes in more than 35 million downloads each week from the npm registry.

A way forward: The Linux Foundations hopes identifying these issues is the first step in helping the community better focus its resources on tackling the most severe vulnerabilities in open source software.


Uncovering the dark side of coding bootcamps

Lambda School

Last week, Lambda School—a popular and fast growing coding bootcamp—came under fire for its poor curriculum and haphazard administration. New revelations now highlight how the school may have also deceived students about job opportunities after graduation.

How it works: Students attend Lambda School for free, but agree to Income Sharing Agreements (ISAs). Upon graduation, any students that land a tech job that pays $50k or more will have to pay 17% of their income to Lambda for two years, or pay back $30k, whichever comes first.

For people hoping to change careers who are unable to finance their own education, ISAs open up new opportunities that otherwise would not be possible.

The success: Founded just three years ago, Lambda has raised $48M in venture funding from firms such as Y Combinator and Google Ventures. It claims that 86% of its graduates are hired within six months and now make over $50k a year.

The problem: That number is likely inflated. Leaked documents showed a mere 50% placement rate for cohorts that are six months graduated. Facing growing uproar from the development community, Lambda was forced to admit that some placement rates are far lower than what it advertised.

What’s next: Despite the backlash, Lambda intends to enroll 10,000 students in 2020. Internal documents revealed that it can be profitable if just 25% of its students find a tech job.


Google starts cleaning up its developer ecosystem

Cleaning up Android

Google is fighting back against Samsung’s custom changes to Android that the company claims exposes mobile users to serious security vulnerabilities.

What's the fuss? Samsung made changes to Android’s core kernel to improve security on one of its devices, the Galaxy A50. Google, however, claims that these code changes actually make users more vulnerable by exposing them to new attacks via arbitrary code execution.

Google suggests that "device-specific kernel modifications would be better off either being upstreamed or moved into userspace drivers." In other words, don’t touch code in the Android kernel.

It’s part of a broader clean up of Android. Google’s attack on Samsung comes on the heels of its crackdown on permission requests for apps in the Google Play Store—where it penalized developers for requesting excessive data from Android users.

Earlier this year, Google also announced it was increasing its top reward for hacking Android to $1M. Google even encourages developers to find security issues in popular third-party apps in the Play Store.

Zoom out: Google’s efforts go far beyond Android. Google recently required developers of Chrome extensions to collect only the least amount of data possible from users necessary to work. Even Gmail integrations were audited and restricted last year.

Google’s is doubling down on fixing its privacy and security reputation. That—for better or for worse—means more restrictions on developers within its ecosystem.


Small bytes

  • The first public release of JustPy, a new high-level Python web framework, was announced. With the new library, developers can create interactive websites without any JavaScript [JUSTPY]
  • A team of researchers announced SOIL (Single Open Intermediate Language), a new initiative to extend WebAssembly and build "a single open intermediate language that all major languages can compile to." The group hopes that it will be implemented on all major backends, including web, mobile, and embedded devices [SOIL]
  • A new report from Gartner suggests that low-code and no-code application development will drive more than 65% of application development activity by 2024. The rise of citizen developers could change how companies manage and refocus their engineering teams [GIGABIT]
  • OpenAI, a leading AI research lab, came under renewed scrutiny this week. In its pursuit to build the world’s first artificial general intelligence—a machine with the reasoning powers of a human mind—many feel OpenAI has failed to uphold its promises to be transparent and ethical [MIT TECHNOLOGY REVIEW]
  • Red Hat released its State of Enterprise Open Source report, detailing how open source is used at large companies around the world. Roughly 75% of firms said that open source software was very or extremely important. Moreover, 77% of companies planned to increase their usage of open source technology in the next 12 months [RED HAT]
  • GitHub Enterprise is now included in Microsoft Startups, a free program that provides startups with popular development tools. Startups will receive $1,000 of monthly credit for up to two years of GitHub Enterprise Cloud [GITHUB]
  • The US Department of Homeland Security issued an advisory revealing that a natural gas compression facility suffered a serious ransomware attack. The intrusion forced the facility to initiate a precautionary shutdown [ZDNET]

Tools

  • Codepile is a real-time, cooperative code sharing hub that lets you quickly send and edit code snippets in more than 130 programming languages [CODEPILE]
  • Shipped helps you organize and prioritize work by syncing Slack threads with kanban boards [SHIPPED]
  • Beluga is open-source software for creating your own ecommerce site with React, NodeJS, and Stripe [BELUGA]
  • Disappearing-People removes people video in real time using JavaScript and TensorFlow.js in the web browser [GITHUB]
  • Battery-wallpaper is a simple bash script to set an animated battery as your desktop wallpaper [GITHUB]
Never miss the big news

Every week, our team will send you three of the most important stories for developers, including our analysis of why they matter. Software development changes fast, but src is your secret weapon to stay up to date in the developer world.

Featured articles
Made with by Software. Read more about our mission.