Hands on with the new Raspberry Pi OS release: Here’s what you need to know – ZDNet

A new release of the Raspberry Pi OS arrived last week. As usual, the release announcement gives a general overview of the most important additions and improvements, and the release notes contain a lot more detail. In addition to the usual accumulation of updates since the previous release (August 2020), there has been some significant new hardware such as the Raspberry Pi 400 and the Raspberry Pi 4 Case Fan, which needed new support in the operating system: it was getting to the point where building a new Raspberry Pi SD card required more time on updates than it did for actually downloading the OS image and copying it to the card.

You can update an existing system to the new level with just a few package management commands:

After these commands, reboot the system.

Creating a new SD card requires a bit more effort, and a bit of thought about content and size of the three different versions of Raspberry Pi OS currently available. The new images are available from the Raspberry Pi Downloads page, of course. As has always been the case, all of the images are compatible with all of the different Raspberry Pi systems, from the original Model A and Model B through to the latest Pi 400 keyboard, and including all of the Pi Zero variants.

If you are old and stubborn, as I am, and you have a Linux system with an SD card slot, you can download the image and then copy it to an SD card, using the pipeline I have given in several previous posts:

Be sure to very carefully replace "sdX" with the device name of the SD card on your system. The alternative is to use the Raspberry Pi Imager utility, which is available for Linux, Windows and macOS; it performs the steps I just described, with a GUI interface, and saves you the trouble (and danger) of figuring out the SD device name. I have installed it on a Debian 10 system, and the window is shown at the right. I ran into a bit of a problem while installing it; the web page says that to install on Raspberry Pi OS you type sudo apt install rpi-imager, but on the Debian system that just kept telling me that it couldn't find the rpi-imager package. I finally had to explicitly tell it to look in the package I had downloaded, with the command:

That makes sense to me, but maybe if you were actually running it on a Raspberry Pi, the simpler command would work. But then, if you are running on a Raspberry Pi that is booted from the SD card, what are you going to use for a destination SD card? Maybe you would have a USB SD card reader? Beats me, but anyway, that's why I didn't try it on a Pi.

The Choose OS button drops down a list of everything it knows how to install, including all three versions of the Raspberry Pi OS plus Ubuntu, LibreElec and RetroPie. The Choose SD Card button looks for a writeable SD card to use for the destination; remember, if your computer has an SD card slot, but there is no card inserted, you won't get anything here. Once you have made a choice on both buttons, you can click Write and the utility will download the file and write it to the SD card, without you having to worry about Linux utility program names, pipes, command line options or anything else. That sounds great, but personally I'm just a bit too old and set in my ways, thanks.

Anyway, when you boot a freshly prepared SD card, it will automatically extend the root filesystem to fill the free space on the card, and then reboot and start the Raspberry Pi installation wizard (aka piwiz). This will walk you through a few steps for the initial configuration of the Raspberry Pi operating system. There's nothing magic in this script (even if it is a wizard), it just keeps you from having to go through several steps in different places the first time you boot. It configures the Locale, display overscan, wireless network, and downloads and installs all outstanding updates.

One warning about this: for some reason, on a few of the systems I have installed over the past few days, when the first-run setup wizard starts, it starts talking to you, saying something like, "To install the orca screen reader press control-alt-space". It doesn't happen very often, and it seems to be timing-related somehow, so it is more prone to happen on older/slower models. The first time it happened I just about jumped out of my chair in surprise. I looked everywhere for a button or option to shut it up, to no avail. I finally figured out that all I needed to do was hit Next on the introduction screen. A bit more information on the screen at this point would be very useful...

Oh, one other minor irritant. After finishing the first-run wizard and rebooting, my systems didn't have the right keyboard layout defined. That might be because I am doing an English installation with a Swiss German keyboard, but anyway, if you are using a non-US ASCII keyboard, you should check this after rebooting, and go back to the Raspberry Pi Configuration utility to set it correctly if necessary.

So all of this will get you to the point where you have either an upgraded or freshly installed system. As I mentioned at the beginning, the release notes give a good list of the changes in this release. One of the big ones is improvement in Chromium integration with the Raspberry Pi OS. I used Chromium pretty extensively while I was monitoring the CPU temperature with the new Raspberry Pi 4 Case Fan, so I can say that in my opinion they really have made a noticeable improvement in this. It is faster than in previous releases, and it plays streaming audio and video noticeably better. There are a number of other changes and improvements mentioned which I haven't tried yet, or simply don't use. The other thing I was interested in was the additions made to support new hardware.

I mentioned a week or so ago in my post about the Raspberry Pi 400, that there is only one LED on the keyboard, and it is used as a simple "power" indicator, rather than a "disk activity" indicator, which I think would be much more useful. It turns out that they have added a selection for this in the Raspberry Pi Configuration utility. I hadn't even thought about the fact that the Pi Zero also has only one LED until I read the change note on this; the control applies to those models as well. I know this seems like a very small change, but it is one of my favorites in this release; I really wanted that LED on the Pi 400 to tell me if the system was still actually doing something rather than just powered on.

Also related to my recent post on the Pi 4 Case Fan, the Pi Configuration utility includes controls for the fan operation; you can select which GPIO pin the control wire is connected to, and the temperature at which the fan should turn on (and off). This is one small difference that I noticed between the case fan and the fan SHIM; the controls for the shim allow you to set some hysteresis in the temperature, meaning that you could specify that it comes on and goes back off at different temperatures. This can help avoid having the fan constantly switching on and off in some cases; for example, I usually have the shim fan set to come on at 70 degrees, and go off at 65.

That's about all I have to say about this new release. I have upgraded a couple of running systems to it without trouble, and I have installed it from scratch on at least one of every model (except the original Model A; if anyone has one of these and would like to sell it, let me know), all with no trouble.

OneSpin Contributes to the OpenHW Ecosystem to Achieve Processor Integrity for the CORE-V CVE4 Open-Source RISC-V Cores – Business Wire

MUNICH--(BUSINESS WIRE)--OneSpin Solutions, provider of certified IC integrity verification solutions for building functionally correct, safe, secure and trusted integrated circuits, announced that its 360 Design Verification (DV) solutions contributed to the speedy, successful, and bug-free delivery of the OpenHW CV32E40P RISC-V core. The OpenHW Verification Task Group, recognizing that simulation would not be enough, collaborated with OneSpin to develop a verification plan that included formal methods to verify the family of CORE-V open-source RISC-V cores. These processors are intended to be integrated into high-volume, commercial chip projects that will require strict integrity criteria be met with respect to functional correctness, safety, trust and security.

"Working within the OpenHW Group ecosystem to verify the CORE-V family of RISC-V processors is an opportunity to demonstrate the power of our technology," said Raik Brinkmann, President and CEO of OneSpin. "As these cores get released into the community, users can have confidence that they will be functionally correct, safe, trusted and secure. Of course, designs integrating any IP should still go through rigorous verification, but using these exhaustively verified cores will help to reduce that overall effort."

RISC-V Opportunities and Verification Challenges

RISC-V offers the design community customization and flexibility but creates new challenges beyond the traditional SoC design verification flow. Processor verification is a new requirement that adopters of RISC-V will need to undertake. However, processor cores are difficult to verify. Complex microarchitectures for achieving power, performance, and area targets combined with a vast number of instruction combinations, cache, interrupts, exceptions, and a myriad of custom extensions, all need to be fully verified. Further complicating verification is ensuring that the core is correct with respect to the instruction set architecture (ISA) as well as making sure that the RTL matches the ISA.

The traditional simulation approach requires months of testbench set up, weeks of simulation runtime, and days of debugging a single problem. Even after simulation is implemented, critical corner case bugs can be missed, and designs are left with an incomplete function coverage. Simulation is also unable to detect the absence of hidden instructions. Any user optimization or addition of custom instructions requires a complete re-verification.

OneSpin Work on CORE-V

"OneSpin's unique technology was an ideal contribution to the OpenHW Verification Task Group, helping to identify bugs that simulation alone would have missed," commented Rick O'Connor, President and CEO of OpenHW Group. "Their solution allowed the task group to achieve the coverage necessary to reach the Functional RTL Freeze signoff goals both in terms of speed and quality."

OneSpin's solutions augment the SystemVerilog / UVM based CORE-V Verification Test Bench simulation efforts to produce a robust verification environment to overcome RISC-V verification challenges, resulting in zero bug escapes. Once the testbench was implemented, runtime was completed in a matter of days and debugging was finished in just minutes. Exhaustive and complete verification was achieved in a very short period of time. The use of the OneSpin Processor Integrity solution led to the detection of many critical bugs including eight related to regular and exception instructions as well as other aspects of the privileged specification. Simulation alone would have taken weeks and missed these important bugs.

Integrators of CORE-V may access a packaged processor integrity verification solution to verify custom instructions and code optimizations.

Silicon Labs, an integral member of the OpenHW Group helping to lead the verification task group, witnessed first-hand OneSpin's involvement in the verification effort. "The CV32E40P core is the first open-source core for high-volume chips verified with the state-of-the-art process required for high-integrity, commercial SoCs. OneSpin is a key contributor. The OneSpin RISC-V integrity formal verification solution has systematically detected corner-case bugs in the exception logic and pipeline. These issues would only be triggered under rare conditions in the instruction sequence, memory stalls, and Control and Status Register programming. Constrained-random simulation tests to find these issues would require large investments in development and simulation time," stated Steve Richmond, verification manager at Silicon Labs and co-chair of the OpenHW Verification Task Group.

"The pinpointing of the issues' root cause was impressive and a massive time-saver in debug time. The solution also showed almost zero noise in detecting real RTL bugs, as opposed to other approaches where the issues reported often lead to fixes in the verification environment," added Arjan Bink, principal architect at Silicon Labs and chair of the OpenHW Cores Task Group.

Customizing and Integrating the CV32E40P Core

Although the OpenHW CV32E40P core is fully verified, there are still some verification challenges when integrating the core or if customization of the core is done. Formal verification of the core should be done if any tailored updates to the core's functionality are made. This step will ensure that the changes do not introduce new bugs that adversely affect how the core operates. When the core is integrated into the design, verification of the complete design should be done to assure the integrity of the design.

To learn more about how OneSpin collaborated within the OpenHW Group ecosystem to verify the CORE-V CV32E40P processor, be sure to visit the OpenHW Pavilion at the RISC-V Virtual Summit, December 8-10, 2020. Sign up to attend the conference session conducted by OpenHW, Silicon Labs, and OneSpin titled "CORE-V-VERIF, an Industrial-Grade Verification Platform for RISC-V cores."

About OpenHW and Core-V

The charter of the OpenHW Group is to serve developers of processor cores and hardware and software engineers who design SoCs with greater awareness, understanding and availability of open-source processor implementations for use in high volume production. OpenHW provides an infrastructure for hosting high quality open-source HW developments in line with industry best practices. The cores task group within the organization has the mandate to develop feature and functionality roadmap and the open-source IP for the cores within the OpenHW Group such as the CORE-V Family of open-source RISC-V processors.

The organization's Verification Task Group has the mandate to develop best-in-class verification test bench environments for the cores and IP blocks designed within the OpenHW Group. Originally known as the PULP RI5CY core, the CORE-V CV32E40P is a 32-bit, 4-stage core that implements RV32IMFCXpulp, has an optional 32-bit FPU supporting the F extension and instruction set extensions for DSP operations, including hardware loops, SIMD extensions, bit manipulation and post-increment instructions.

About OneSpin Solutions

OneSpin Solutions is a leading provider of certified IC integrity verification solutions for building functionally correct, safe, secure and trusted integrated circuits. These solutions are based on OneSpin's widely used formal verification technology and assure the integrity of SoCs, ASICs and FPGAs. Headquartered in Munich, Germany, OneSpin partners with leaders worldwide in automotive and industrial applications; defense; avionics; artificial intelligence and machine learning; consumer electronics; and communications. Its advanced solutions are well-suited for developing heterogeneous computing platforms, using programmable logic, and designing and integrating processor cores, such as RISC-V. OneSpin's customer-oriented commitment is fundamental to its growth and success. OneSpin: Assuring IC Integrity. Visit http://www.OneSpin.com to learn more.

OneSpin, OneSpin Solutions and the OneSpin logo are trademarks of OneSpin Solutions GmbH. All other trademarks are the property of their respective owners.

Report: Guardsquare Reveals Security and Privacy Risks Persist in Global COVID-19 Contact Tracing Apps – Business Wire

LEUVEN, Belgium--(BUSINESS WIRE)--Guardsquare, the mobile application security platform, today announced the release of the company's second Global Contact Tracing App Analysis, which reassesses the levels of security protections and privacy risks of COVID-19 contact tracing apps. The report found that of the 95 mobile apps analyzed, 60% use the official application programming interface (API) for secure exposure notifications. For the remaining 40% of the contact tracing apps, the majority of which gather GPS location data, security is paramount yet lags.

"It is always important to follow security best practices during the development of any application which handles sensitive user data, and that is even more true when that app is a vital tool in the worldwide fight against the pandemic. Contact tracing apps gathering user location data and personally identifiable information are especially attractive targets for exploitation, further reinforcing the need for developers to implement essential security protections," said Grant Goodes, Chief Scientist at Guardsquare.

Contact tracing apps have been commissioned and distributed by governments around the world to track and notify individuals of exposure to COVID-19 so they can take appropriate action in order to prevent the spread of the virus. Guardsquare first analyzed government-sponsored COVID-19 contact tracing Android mobile apps in June 2020, uncovering that the vast majority lacked even basic security protections. For this report, Guardsquare reanalyzed the original Android apps (with the exception of those no longer in use), added new apps that have since emerged, and included iOS mobile apps to derive insights into the two market-leading mobile operating systems.

In the updated analysis, Guardsquare found use of the Exposure Notification API developed by Apple and Google to be much more prevalent than in the June report. Notably, of the apps Guardsquare analyzed, 62% of the Android apps and 58% of the iOS apps are using the API. However, contact tracing apps not using the Exposure Notification API have applied either a minimal level of fundamental security protection techniques or no security protection techniques.

The research reveals that although progress has been made, security and privacy issues among contact tracing apps persist. In particular, the analysis found that apps using GPS, Bluetooth, or a combination of the two, to collect sensitive data are operating in a manner endangering the security and privacy of users.

Key Findings of COVID-19 Contact Tracing Apps (Exposure Notification API Not Used):

According to Guardsquare's assessment, the apps based on the Exposure Notification API have minimal security concerns. Alternate routes to detecting exposure via proximity to infected individuals (employing GPS, building custom Bluetooth proximity detection, or both) raise significant security and privacy concerns. Unprotected mobile applications that gather GPS data and require sensitive identity credentials risk exploitation and potentially flagrant violations of user data privacy.

"Apps, especially applications downloaded by users on mobile devices requiring personal or location data, should always incorporate proper security protections and code hardening techniques to ensure that the privacy of the data they are collecting is sufficiently protected," Goodes said. "To successfully combat the spread of COVID-19, contact tracing app security should be at the forefront for developers, public health authorities, and governments."

Methodology:

In this report, Guardsquare analyzed 52 Android apps and 43 iOS apps based on six key features to determine which security protections apps are applying, or lacking, to safeguard code and user data. Researchers conducted analysis on contact tracing apps on Android and iOS mobile app platforms worldwide and across 13 U.S. states and 2 US territories.

For further information about mobile application protection and to download the contact tracing report, please visit: https://insights.guardsquare.com/mobile-application-contract-tracing-report

About Guardsquare

Guardsquare is the global leader in mobile application protection. More than 650 customers worldwide across all major industries rely on Guardsquare to secure their mobile applications against reverse engineering and hacking. Built on the open source ProGuard technology, Guardsquare software integrates transparently in the development process and adds multiple layers of protection to Android (DexGuard) and iOS (iXGuard) applications, hardening them against both on-device and off-device attacks. With the addition of ThreatCast, its mobile application security console, Guardsquare offers the most complete mobile security solution on the market today. Guardsquare is based in Leuven, Belgium with a US office in Boston, MA.

Explained: Why controversial presidential pardons have been a part of US history – The Indian Express

Written by Rahel Philipose, Edited by Explained Desk | New Delhi | December 10, 2020 12:53:35 am

With weeks to go before he officially exits the White House and hands over the reins to his successor Joe Biden, US President Donald Trump is expected to make full use of the outgoing presidential tradition of granting pardons. In fact, Trump has insisted that he has the absolute right to pardon even himself.

But while President Trump has widely been criticised for several of the pardons and commutations he has passed since assuming office in 2016, he is most certainly not the first President in US history to issue controversial or self-serving pardons. All modern presidents of the United States have had the constitutional right to pardon individuals for nearly any federal crime committed in the country. They are not answerable for their pardons, and in most cases don't even have to provide a reason for issuing one.

A president's pardoning power is virtually unlimited, which also makes it one of the most disputed and dividing provisions of the Constitution. But not all pardons are murky, as many presidents have wielded this power to right historical wrongs and defuse political crises.

Here are some of the notable presidential pardons in US history

George Washington pardoned the Whiskey Rebels (1795)

One of the first and most historic pardons granted by the first US president, George Washington, was when he granted clemency to John Mitchell and Philip Weigel, who had been sentenced to death in 1795 for their role in the Whiskey Rebellion.

The insurrection broke out in western Pennsylvania after Washington imposed a costly federal tax on distilled spirits to reduce the national debt following the American Revolutionary War (1775-1783). Poor farmers in the state refused to pay the tax and staged a series of violent protests.

Despite his advisors urging him to crack down on the protestors, Washington chose to use pardons in an attempt to quell the civic disruptions.

Brigham Young and the Mormon War in Utah (1857)

Brigham Young, the former Governor of Utah and head of the Mormon Church, is widely blamed for the brief but bloody Mormon War. He famously founded Salt Lake City in 1850 and was known to resist federal authority. These tendencies caught the attention of then-President James Buchanan, who feared that the Mormon community led by Young would turn Utah into a theocracy.

And so, one of Buchanan's first acts as president was to dispatch a troop of army soldiers to reclaim control of the territory in 1857. What followed was what is also commonly known as the Utah War, which was a one-year standoff between Young's followers and the US Army.

Despite an incident where a group of Mormons killed over 100 civilians in a California-bound caravan, Buchanan later granted all the Utah Mormons, including Young, pardons on the condition that they accept the sovereignty of the US.

Andrew Johnson pardoned every soldier in the Confederate Army (1868)

On Christmas Day in 1868, former President Andrew Johnson granted pardons to every soldier who fought for the Confederacy during the Civil War, absolving them of their activities against the United States.

The blanket pardon only exempted the soldiers who had personally contributed to orchestrating the secession of the South and the war against the Union. But eventually, even those who were not covered by the pardon were granted clemency. Johnson was said to have issued pardons to around 90 per cent of applicants, several of whom were high-ranking Confederate officials.

Many accused him of being too lenient, but Johnson insisted that this was the only way the country could reconcile and move forward.

Gerald Ford pardoned his predecessor Richard Nixon (1974)

In 1974, newly sworn-in President Gerald Ford made one of the most controversial announcements in US history, when he said he was pardoning his predecessor Richard Nixon for all offences against the United States.

The pardon came just weeks after Nixon resigned from office following the aftershocks of the Watergate Scandal, in which a group of men tied to Nixon's re-election campaign broke into the Democratic headquarters in Washington DC's Watergate complex.

After Nixon resigned, Ford, who was then serving as his Vice-President, ascended to the presidency. Ford claimed he granted the pardon to help the country move on, but many believe the controversial decision cost him a second term in office.

Jimmy Carter pardoned musician Peter Yarrow (1981)

Former President Jimmy Carter granted a controversial pardon to Peter Yarrow, a member of the folk rock group Peter, Paul and Mary, after he was accused of behaving indecently with a 14-year-old fan in 1970. On the day before he left office, Carter pardoned Yarrow, who pleaded guilty in the case over a decade ago.

Ronald Reagan pardoned Yankees owner George Steinbrenner (1989)

On April 5, 1974, the owner of the New York Yankees George Steinbrenner pleaded guilty to obstruction of justice and illegally contributing to Richard Nixon's re-election campaign. President Ronald Reagan agreed to pardon him in 1989 on the condition that he admitted to the act.

George HW Bush pardoned top aides involved in the Iran-Contra arms scandal (1992)

In 1992, then-President George HW Bush decided to pardon six top officials from the Reagan administration, including former secretary of Defence Caspar Weinberger, thus absolving them from any further punishment for their illegal dealings in the Iran-Contra scandal.

During President Reagan's second term in office, some of his top aides facilitated the illegal sale of weapons to Iran, which at the time was under an arms embargo. The administration sought to use the money earned through the arms sale to fund an insurgent group in Nicaragua, called the Contras, who engaged in a guerrilla war against anti-America forces.

Bill Clinton pardoned his own brother Roger Clinton (2001)

In his final executive act as president, Bill Clinton dramatically pardoned his own half-brother Roger Clinton for drug charges after he had served the entire sentence more than a decade earlier. He also pardoned Marc Rich, the fugitive financier and Clinton supporter who was charged with tax evasion, illegal dealings with Iran and several other crimes. He went on to issue a pardon to Patty Hearst, the daughter of a newspaper tycoon, who was convicted in a 1974 bank robbery.

Obama commuted sentence of Army whistleblower Chelsea Manning (2017)

After spending seven years in prison, Army whistleblower Chelsea Manning walked out of prison in 2017 after her 35-year sentence was commuted by former President Barack Obama. Manning, a former intelligence official in Iraq, was arrested after she had leaked nearly 750,000 military files and cables to Julian Assange's WikiLeaks in 2013. The White House later said that Manning had accepted responsibility, expressed remorse and served enough time, NBC reported.

Trump pardoned former adviser Michael Flynn (2020)

Last month, President Donald Trump pardoned his former national security adviser Michael Flynn, who had twice pleaded guilty to lying to the FBI. The pardon effectively ended Flynn's prosecution in the Russian election interference probe, which shadowed the Trump administration for years, and which the President tried hard to discredit.

He has also pardoned people like right-wing commentator and campaign fraudster Dinesh D'Souza, and Michael Milken, a financier convicted of securities fraud. In 2017, he granted a pardon to former Maricopa County Sheriff Joe Arpaio, who was found guilty of being in contempt of court for ignoring a federal judge's order to stop arresting immigrants solely based on the suspicion that they were residing in the US illegally.

But not all of his pardons were problematic. Some were even widely celebrated. Earlier this year, he granted a full pardon to Alice Marie Johnson, who received a life sentence for a first-time drug offence and whose concerns were first raised by businesswoman and reality TV star Kim Kardashian West.

In 2018, he issued a posthumous pardon to boxer Jack Johnson, who was jailed over a hundred years ago for violating the racist White Slave Traffic Act by crossing state lines with a white woman.

Elliot Page: What the Media Got Right – Ms. Magazine

On Tuesday, LGBT internet communities celebrated when Elliot Page, star of Juno, The Umbrella Academy, and Whip It, shared on social media that he was transgender.

In a note posted on Twitter and Instagram, the actor wrote, "I love that I am trans. And I love that I am queer. And the more I hold myself close and fully embrace who I am, the more I dream, the more my heart grows and the more I thrive."

In the last few years, there have been just a few instances in which well-known celebrities come out as trans, with perhaps the most high profile being Chelsea Manning and Caitlyn Jenner. In both cases, the women were deadnamed (referred to by their previous name, and often the wrong pronouns) by the media. Even NPR initially used the incorrect name and pronouns for Manning, despite her wishes and the advice of LGBT advocacy groups (NPR eventually changed its policy, after backlash).

Given this less-than-perfect track record, the media's handling of Elliot Page's coming out was a welcome change, from the perspective of many trans people. Compared to past incidents, almost no outlets have used Elliot's deadname, and the vast majority have used his correct pronouns. With Elliot being perhaps the biggest trans celebrity to come out since Caitlyn Jenner, it's a welcome surprise to see his coming out go as well as it's gone.

But the fact that this show of respect is remarkable to us is a stark reminder of the countless times the media has disrespected us and the memories of our loved ones. It's also a reminder that the media has a long way to go in terms of respecting trans people in their coverage.

Earlier this year, Aimee Stephens, plaintiff in R.G. & G.R. Harris Funeral Homes Inc. v. EEOC, died. Her case, after six years, had finally made its way to the Supreme Court, where it ultimately led to the groundbreaking ruling in Bostock v. Clayton County which outlawed employment discrimination against LGBT individuals under Title VII of the 1964 Civil Rights Act.

Unfortunately, Stephens died before the Bostock ruling was announced. And unfortunately, in death, she was deadnamed in multiple prominent news outlets, including the New York Times.

"For someone like Aimee to be disrespected in death like that is cultivating this idea that, at her core, she's really this other person, who she was not. It's just incredibly disrespectful and painful for the trans person and the people that loved them," said Chase Strangio, counsel for Stephens's case, on a recent episode of On the Issues.

"It feeds into this notion that we, as trans people, are always fraudulent and covering up some truth about who we are ... When we insert narrative reminders of someone's assigned sex at birth, it reinforces the notion to the cis person that we aren't who we say we are," said Strangio, who also wrote about the importance of Page's coming out.

As Strangio points out, the link between the way the media portrays trans people and the way that trans people are treated in real life is very, very real. Just as media representations of trans people being played by cis actors contribute to the idea that trans people are faking it, as explained in the recent Netflix documentary Disclosure, media coverage that deadnames or misgenders trans people reinforces the idea that trans people are faking their gender with malicious intent, an argument that is often used as a justification for violence against trans people (remember the gay/trans panic defense?).

"One of the biggest mistakes that the media consistently makes when it comes to trans people is deadnaming trans people who have been killed, which is just unbelievably disrespectful," Oliver-Ash Kleine, a journalist and founding member of the Trans Journalists Association (TJA), told Ms. "But it's not only really disrespectful, and taking away someone's autonomy; it also reinforces the culture that has led to the epidemic of violence against Black and brown transfeminine people by undermining their gender and disrespecting who they are. The media has a really big responsibility to not contribute to the disrespect and misunderstanding of trans people. Because this disrespect contributes to and reinforces the culture that leads to that violence."

So, why does this keep happening? Part of the problem, says Kleine, is that the vast majority of coverage on trans issues is written and edited by cisgender people. Due to structural barriers and hiring discrimination, trans people are far less likely to be in newsrooms or have salaried positions in media, let alone editorial or leadership roles.

That's why Kleine, along with a group of fellow trans journalists, decided to start the Trans Journalists Association.

"We're kept out of traditional networks of mentorship and networking, and career growth, right? So I really wanted a place for us to be able to come together and support each other. And once we all came together, we kept getting so frustrated about all of the ways that trans people were talked about and represented, with the media using language that wasn't appropriate for us, undermining our gender and who we are."

So, the journalists decided to create a style guide.

"When we looked around at other LGBTQ nonprofits and media organizations with style guides, we just felt that a lot of them weren't very comprehensive, and that there was a lack of resources for good trans coverage for reporters who wanted to learn how to do better, who wanted guidance around this. So we decided that, okay, cool, we're just gonna make it."

"It's really important that we listen to trans people about how to report on trans issues and tell trans stories," said Kleine. "We see over and over and over again, that trans people are misrepresented. In news coverage across the board, it's not just one outlet, it's a systematic problem. And the reason for that is there aren't trans people in most newsrooms, or if there are, there's just one."

Membership to TJA is free, precisely because its founders were aware that the vast majority of trans people working in media are freelancers or in other underpaid non-staff positions. The organization also provides support for employers who wish to make their workplace more trans-inclusive, and to trans journalists, who are often the only trans person in a newsroom, a difficult space to occupy when your identity is a regular debate topic in online media spheres or subject to obsessive regulation by lawmakers.

Media coverage and representation of trans people has come a long way in a short amount of time (as with most LGBTQ rights gains, largely thanks to the tireless work of Black and brown trans organizers). But despite recent wins, glaring and violent insufficiencies in coverage remain.

And it's clear that fundamentally changing the way the media covers trans people is one key step towards ending the epidemic of violence against trans people, and trans people of color in particular. This is a violence that undergirds even joyous moments like Page's coming out.

"The discrimination towards trans people is rife, insidious and cruel, resulting in horrific consequences," Page wrote in their note. "To the political leaders who work to criminalize trans health care and deny our right to exist and to all those with a massive platform who continue to spew hostility towards the trans community: You have blood on your hands.

"To all the trans people who deal with harassment, self-loathing, abuse, and the threat of violence every day: I see you, I love you, and I will do everything I can to change this world for the better."

Follow this link:
Elliot Page: What the Media Got Right - Ms. Magazine

Pamela Anderson posts bikini pic as she calls on Trump to pardon rumored ex-lover Julian Assange over – The Sun

MODEL and actress Pamela Anderson posted a photo of herself in a bikini and called on outgoing President Donald Trump on Monday afternoon to pardon her rumored ex-lover, Wikileaks founder Julian Assange.

In her black-and-white swimsuit photo, the former Baywatch star held a sign stating, "Bring Julian Assange home Australia," referencing his country of birth.

Anderson, 53, also shared a photo of herself in a satin-looking, long-sleeved wrap dress, holding a sign that read, "I am Julian Assange #FreeAssange."

She captioned both photos on Twitter with: "@POTUS please #pardonjulianassange."

Anderson and Assange, 49, supposedly dated when he lived at the Ecuadorian Embassy in London from 2012 to 2019 to avoid espionage charges in the US and a rape allegation in Sweden.

Assange in 2006 started Wikileaks, which publishes confidential documents and images, and came under the international spotlight in 2010 after exposing classified documents from then-US Army intelligence analyst Chelsea Manning.

Among the leaks were videos of American soldiers shooting civilians from a helicopter in Baghdad, and Iraq and Afghanistan war logs.

Assange has been held at Belmarsh prison in London for the past 19 months as he fights extradition to the US.

On Monday, Anderson also tweeted the link to an online event launching a book of portraits of Assange supporters around the world, which her photos seemed to be tied to.

The book is part of the Courage Foundation's #WeAreMillions arts project showing global support for Assange's fight against extradition.

"#WeAreMillions features striking black-and-white images of supporters holding signs that express simply and clearly why they are standing up for Assange," the book's webpage states.

"The images aim to convey the breadth of recognition that Assange's persecution represents a threat to journalistic freedom and whistle-blowing everywhere," it states.

According to the book's webpage, the Trump administration wants to prosecute Assange for publishing US government documents in 2010 that exposed war crimes, previously uncounted civilian casualties, and human rights abuses.

As of Monday night, Trump had not publicly commented on Anderson's request.

Assange is accused of plotting with Manning to break an encrypted US Department of Defense computer password.

If convicted, Assange could face 175 years in prison.

Anderson met Assange through fashion designer Dame Vivienne Westwood and was photographed visiting him at the Ecuadorian Embassy.

The former Playboy model wrote on her blog at the time that Assange should not be illegally detained and that he was only trying to help.

Anderson said in a poem in 2017 that Assange is "one of my favorite people" and that he is the most politicized refugee of our time.

Last year, the former Playboy model wrote that Assange had been cut off from everybody including his two children and confessed, "I love him and I can't imagine what he's been going through."

Anderson's Twitter plea comes after Stella Morris, Assange's girlfriend and the mother of their two sons, tweeted photos of them on Thanksgiving and asked Trump to pardon him.

"These are Julian's sons Max and Gabriel. They need their father. Our family needs to be whole again," Morris wrote.

"I beg you, please bring him home for Christmas."

Trump pardoned former national security adviser Michael Flynn in late November.

Link:
Pamela Anderson posts bikini pic as she calls on Trump to pardon rumored ex-lover Julian Assange over - The Sun

Open source developers say securing their code is a soul-withering waste of time – TechRepublic

A survey of nearly 1,200 FOSS contributors found security to be low on developers' list of priorities.

One respondent called security "an insufferably boring procedural hindrance."

A new survey of the free and open source software (FOSS) community conducted by the Linux Foundation suggests that contributors spend less than three percent of their time on security issues and have little desire to increase this.

A report based on the answers of nearly 1,200 FOSS contributors carried out by the Linux Foundation and Laboratory for Innovation Science at Harvard (LISH) highlighted a "clear need" for developers to dedicate more time to the security of FOSS projects as businesses and economies become increasingly reliant on open-source software.

The survey, which included questions designed to help researchers understand how contributors allocated their time to FOSS, revealed that respondents spent an average of just 2.27% of their total contribution time on responding to security issues.

Moreover, responses indicated that many respondents had little interest in increasing time and effort on security. One respondent commented that they "find the enterprise of security a soul-withering chore and a subject best left for the lawyers and process freaks," while another said: "I find security an insufferably boring procedural hindrance."

The researchers concluded that a new approach to the security and auditing of FOSS would be needed to improve security practices, while limiting the burden on contributors.

Some of the most requested tools from contributors were bug and security fixes, free security audits, and simplified ways to add security-related tools to their continuous integration (CI) pipelines.

"There is a clear need to dedicate more effort to the security of FOSS, but the burden should not fall solely on contributors," read the report.

"Developers generally do not want to become security auditors; they want to receive the results of audits."

Other proposed solutions by the researchers included encouraging organizations to redirect efforts into identifying and addressing security issues in projects themselves. Alternatively, developers "could rewrite portions or entire components of FOSS projects that are prone to vulnerabilities," as opposed to trying to mend existing code.

The researchers continued: "One way to improve a rewrite's security is to switch from memory-unsafe languages (such as C or C++) into memory-safe languages (such as nearly all other languages)."

"This would eliminate entire classes of vulnerabilities such as buffer overflows and double-frees."

Gender diversity, or rather the lack thereof, was another key finding of the report.

Of the 1,196 survey respondents, 91% reported being male and between 25 and 44 years old. The researchers noted that the findings "emphasizes the continuing concerns about a lack of female representation in FOSS communities," and pointed out that the lack of female representation in the report suggested that the results were "biased towards male contributors' FOSS activities and are not fully representative of female contributions to FOSS."

Most of the respondents to the survey were from North America or Europe, with the majority in full-time employment. Nearly half (48.7%) said they were paid by their employer for time spent on open source contributions, while 44.02% said they were not paid for any other reason.

Interestingly, the results indicated that the COVID-19 pandemic had had little impact on contributors' working status, with very few respondents reporting being out of the workforce. Again, the researchers noted that due to the lack of female representation in the survey, "these findings may not reflect the experiences of women who contribute to FOSS, particularly those impacted by increased family responsibilities during the pandemic."

While the overwhelming majority of respondents (74.8%) were employed full-time and more than half (51.6%) were specifically paid to develop FOSS, money scored very low in developers' motivations for contributing to open-source projects, as did a desire for recognition amongst peers.

Instead, developers said they were purely interested in finding features, fixes and solutions to the open-source projects they were working on. Other top motivations included enjoyment and a desire to contribute back to the FOSS projects that they used.

"The modern economy, both digital and physical, is increasingly reliant on free and open source software," said Frank Nagle, assistant professor at Harvard Business School.

"Understanding FOSS contributor motivations and behavior is a key piece of ensuring the future security and sustainability of this critical infrastructure."

View original post here:

Open source developers say securing their code is a soul-withering waste of time - TechRepublic

For the love of open source: Why developers work on Linux and open-source software – ZDNet

The myth of the open-source developer is they're unemployed young men coding away in basements. The truth is different. A new survey from the Linux Foundation's Open Source Security Foundation (OSSF) and the Laboratory for Innovation Science at Harvard (LISH), Report on the 2020 FOSS Contributor Survey, found a significant number of women developers, with the plurality of programmers in their 30s and the majority working full-time jobs with an annual average pay rate of $123,000.

Over half of those surveyed reported they receive payment for free and open-source software (FOSS) contributions -- from either their employer or a third party. More than half of those surveyed, 51.65%, are specifically paid to develop open-source programs.

That said, while open-source jobs are in high demand and the pay is great, it's not money that brings programmers to open-source. Indeed, even those people paid for working on a FOSS project also contributed to other open-source programs without being compensated.

The survey of almost 1,200 developers found the top reason was adding a needed feature or fix to a program they already use. Or, as Eric S. Raymond put it in his seminal open-source work, The Cathedral and the Bazaar, "Every good work of software starts by scratching a developer's personal itch."

The other top two reasons were the enjoyment of learning and fulfilling a need for creative or enjoyable work. At the bottom? Getting paid.

It's not that programmers dislike making money from their open-source work. Far from it! But money alone isn't that important to them. This can be seen by their answer to another question, which showed that no matter "how many hours they spent on FOSS during paid work time, nearly all respondents also spend some of their free time working on FOSS."

That said, one vital area of software development is being neglected: Security.

On average, programmers use just 2.27% of their total contribution time on security. Worse still, there's little desire to spend more time and work on security.

David A. Wheeler, The Linux Foundation's director of open-source supply chain security, said: "It is clear from the 2020 findings that we need to take steps to improve security without overburdening contributors."

The solution, the report authors suggest, is to devote money and resources to specific security purposes. This includes adding security-related tools to the continuous integration (CI) pipeline, security audits, and computing resources. In other words, make it easier for developers to add security to their projects.

Specifically, they suggest:

The survey also found that companies are continuing to do better about supporting their people working on open-source projects. Today, over 45.45% of respondents are free to contribute to open-source programs without asking permission, compared to 35.84% 10 years ago. However, 17.48% of respondents say their companies have unclear policies on whether they can contribute and 5.59% were unaware of what policies -- if any -- their employer had.

The Linux Foundation plans on refreshing The FOSS Contributor Report and Survey. If you're an open-source developer and you'd like to participate, please sign up here.

View post:

For the love of open source: Why developers work on Linux and open-source software - ZDNet

Open source: Almost one in five bugs are planted for malicious purposes – ZDNet

Microsoft-owned GitHub, the world's largest platform for open-source software, has found that 17% of all vulnerabilities in software were planted for malicious purposes.

GitHub reported that almost a fifth of all software bugs were intentionally placed in code by malicious actors in its 2020 Octoverse report, released yesterday.

Proprietary software makers over the years have been regularly criticized for 'security through obscurity' or not making source code available for review by experts outside the company. Open source, on the other hand, is seen as a more transparent manner of development because, in theory, it can be vetted by anyone.

But the reality is that it's often not vetted due to a lack of funding and human resource constraints.

A good example of the potential impact of bugs in open source is Heartbleed, the bug in OpenSSL that a Google researcher revealed in 2014, which put a spotlight on how poorly funded many open-source software projects are.

Affecting a core piece of internet infrastructure, Heartbleed prompted Amazon, IBM, Intel, Microsoft, Cisco and VMware to pour cash into The Linux Foundation to form the Core Infrastructure Initiative (CII).

For the past few years, GitHub has been investing heavily in tools to help open-source projects remediate security flaws via its Dependency Graph, a feature that works with its Security Alerts feature.

The security alerts service scans software dependencies (software libraries) used in open-source projects and automatically alerts project owners if it detects known vulnerabilities. The service supports projects written in Java, JavaScript, .NET, Python, Ruby and PHP.

GitHub's 2020 Octoverse report found that the most frequent use of open-source dependencies was in JavaScript (94%), Ruby (90%), and .NET (90%).

While almost a fifth of vulnerabilities in open-source software were intentionally planted backdoors, GitHub highlights that most vulnerabilities were just plain old errors.

"These malicious vulnerabilities were generally in seldom-used packages, but triggered just 0.2% of alerts. While malicious attacks are more likely to get attention in security circles, most vulnerabilities are caused by mistakes," GitHub notes.

As ZDNet's Charlie Osborne reported, vulnerabilities in open-source projects remain undetected for four years on average before they're revealed to the public. Then it takes about a month to issue a patch, according to GitHub. In other words, there's still room for improvement despite GitHub's efforts to automate bug fixing in open-source projects.

GitHub notes in its report that "the vast majority" of the intentional backdoors come from the npm ecosystem. ZDNet's Catalin Cimpanu reported this week that the npm security team had to remove a malicious JavaScript library from the npm website that contained malware for opening backdoors on programmers' computers. Using this venue to distribute malware to developers makes sense given that JavaScript is the most popular programming language on GitHub.

GitHub notes that only 0.2% of its security alerts were related to explicitly malicious activity.

"A big part of the challenge of maintaining trust in open source is assuring downstream consumers of code integrity and continuity in an ecosystem where volunteer commit access is the norm," GitHub explains.

"This requires better understanding of a project's contribution graph, consistent peer review, commit and release signing, and enforced account security through multi-factor authentication (MFA)."

GitHub notes that flaws can include 'backdoors', which are software vulnerabilities that are intentionally planted in software to facilitate exploitation, and 'bugdoors', which are a specific type of backdoor that disguise themselves as conveniently exploitable yet hard-to-spot bugs, as opposed to introducing explicitly malicious behavior.

The most blatant indicator of a backdoor is an attacker gaining commit access to a package's source-code repository, usually via an account hijack, such as 2018's ESLint attack, which used a compromised package to steal a user's credentials for the npm package registry, GitHub said.

The last line of defense against these backdoor attempts is careful peer review in the development pipeline, especially of changes from new committers. Many mature projects have this careful peer review in place. Attackers are aware of that, so they often attempt to subvert the software outside of version control at its distribution points or by tricking people into grabbing malicious versions of the code through, for example, typosquatting a package name.
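
A review aid for the typosquatting risk described above, as an added example that is not from GitHub's report or the article: it flags declared dependency names that are near-misses of the packages a project intends to use. The manifest, the approved list, the misspelled names and the function names are all constructed for illustration.

```javascript
// Added example (not from the article): flag dependency names that look like
// misspellings of packages the project has actually approved.

// Optimal string alignment distance: insertions, deletions, substitutions
// and swaps of two adjacent characters each cost 1.
function osaDistance(a, b) {
  const rows = a.length + 1;
  const cols = b.length + 1;
  const d = Array.from({ length: rows }, () => new Array(cols).fill(0));
  for (let i = 0; i < rows; i++) d[i][0] = i;
  for (let j = 0; j < cols; j++) d[0][j] = j;
  for (let i = 1; i < rows; i++) {
    for (let j = 1; j < cols; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(
        d[i - 1][j] + 1,        // deletion
        d[i][j - 1] + 1,        // insertion
        d[i - 1][j - 1] + cost  // substitution or match
      );
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // adjacent swap
      }
    }
  }
  return d[a.length][b.length];
}

// Lowercase and drop separators so "left-pad" and "left_pad" compare equal.
function normalise(name) {
  return name.toLowerCase().replace(/[-_.]/g, "");
}

// Returns one finding per declared dependency that is NOT on the approved
// list but sits within maxDistance edits of a name that is.
// Note: with very short names a distance of 1 produces false positives,
// so findings are prompts for human review, not verdicts.
function findSuspectDependencies(manifest, approved, maxDistance = 1) {
  const approvedSet = new Set(approved);
  const declared = Object.keys({
    ...manifest.dependencies,
    ...manifest.devDependencies,
  });
  const findings = [];
  for (const name of declared) {
    if (approvedSet.has(name)) continue; // exact match: nothing to flag
    const nName = normalise(name);
    for (const good of approved) {
      const nGood = normalise(good);
      const distance = osaDistance(nName, nGood);
      if (distance <= maxDistance) {
        findings.push({
          declared: name,
          resembles: good,
          distance,
          reason: nName === nGood ? "separator-variant" : "near-miss",
        });
        break; // one finding per declared name is enough for review
      }
    }
  }
  return findings;
}

// Constructed sample input: the packages the team intends to depend on ...
const APPROVED = ["express", "lodash", "eslint", "left-pad"];

// ... and a constructed package.json fragment with three invented lookalikes.
const SAMPLE_MANIFEST = {
  dependencies: {
    express: "^4.17.1",
    lodahs: "^1.0.0",   // constructed: swapped letters
    left_pad: "^1.3.0", // constructed: separator changed
    chalk: "^4.1.0",    // unrelated name, not a lookalike
  },
  devDependencies: {
    eslintt: "^7.0.0",  // constructed: doubled letter
  },
};

for (const f of findSuspectDependencies(SAMPLE_MANIFEST, APPROVED)) {
  console.log(`${f.declared} resembles ${f.resembles} (${f.reason}, distance ${f.distance})`);
}
```

A check like this belongs in CI next to lockfile review, since it only covers names declared in the manifest and not transitive dependencies.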

See more here:

Open source: Almost one in five bugs are planted for malicious purposes - ZDNet

VS Code Provides Another Coding Option for IBM i – IT Jungle

December 9, 2020 Alex Woodie

IBM i shops that are looking for an alternative to IBM's Rational Developer for IBM i (RDi) may want to check out a lightweight code editor from Microsoft called Visual Studio Code (VS Code). Thanks to extensions for IBM i languages developed by the open source community, VS Code can support native development in RPG, CL, and SQL.

First released by Microsoft in 2015, VS Code provides a basic environment for writing and editing code. It features debugging, syntax highlighting, intelligent code completion, snippets, and code refactoring, as well as embedded Git. It runs on Windows, Linux, and Mac, and while it shares a name with the full-featured Visual Studio integrated development environment (IDE), VS Code is really its own thing.

VS Code was primarily designed to work with mainstream languages, like Java, JavaScript, Go, Node.js, C++, and Python. But thanks to its support for extensions and themes, the open source community added support for other languages, including those that are most commonly used to develop applications on the IBM i server.

For starters, there is Niels Liisberg's RPG extension, which supports reading and writing free format ILE RPG. There is also the IBM i Languages extension, which brings additional versions of RPG (including RPGIII, RPG/400, RPGLE, free format RPG), as well as CL, DDS, and SQL, to the VS Code party (although the author, Barret Otte, states it is intended only for reading, not writing, code). Both extensions have received positive reviews.

Anand Khekale is an IBM i consultant based in Pune, India, who has found VS Code quite useful for working on IBM i. Khekale says he started using VS Code to work on open source languages like Node.JS and Python, but when he stumbled upon a few extensions like SSH-FS, he realized he could write code directly on the IBM i.

"This led me to search extensions for native IBM i languages such as CL, RPG, RPGLE, COBOL and from there I fell in love with how easy it is to work in VS Code, even if I want to work on native languages," Khekale tells IT Jungle via email. "Because of the vast ecosystem that this editor brings (extensions, themes, fonts, etc.), it becomes easy to write code for both open-source and native languages."

Khekale is particularly smitten with snippets, a VS Code feature that allows a developer to create a shortcut for blocks of code that are frequently written. With just a couple of keystrokes, a developer can quickly call up pre-written chunks of code and have them automatically populated on the screen.

"With snippets, it becomes fast and joyful to write code," he recently wrote in a blog post. "You just have to use the shortcut and press the Tab key or the Enter key, and the code gets generated for you."

Git integration is another positive for VS Code. "Its integration with version management tools like Git with extensions like GitLens gives you real-time information on which line of code was changed by whom and when," Khekale writes.

In his blog post, Khekale details how he works with VS Code in an IBM i environment. A key element of enabling VS Code to work with IBM i is getting SSH-FS up and running on the IBM i server. A 2014 IT Jungle tutorial by Aaron Bartell (who also contributed to Liisberg's RPG extension but, alas, is out of the IBM i racket, last we heard) proved helpful to Khekale for getting SSH up and running on IBM i.

VS Code will be another tool in his toolbelt, Khekale says. "I will be using it for consulting engagements and have partially started in my current projects," he writes. "I use it to go through code while I am analyzing it. The syntax highlighting, variable highlighting (when you click on a variable, it displays each occurrence of it in the whole program) helps speed up debug and analysis of old programs."

His current consulting client has not moved into free form RPG yet. "Otherwise," he adds, "this is the tool to go, given they don't use RDi."

While languages like Node.js and Python seem to be rising in popularity among IBM i developers, for many, there is no replacing native languages like RPG. For those organizations that can't, or refuse, to use IBM's full-featured RDi, products like VS Code can certainly play a role.

"The code editor is so lightweight, very easy to customize to your liking (themes, fonts, etc)," Khekale writes. "There are still many IBM i shops which cannot afford other editors and are thinking about modernizing their applications. For bringing new talent on the platform, the familiarity and comfort they feel while working with the editor, and the integration this editor brings, gives it an advantage."

Read the original:

VS Code Provides Another Coding Option for IBM i - IT Jungle