Apple will no longer bundle Python 2.7 with macOS 12.3, according to developer release notes for the upcoming software update. MacRumors reports: Python 2 has not been supported since January 1, 2020 and no longer receives any bug fixes, security patches, or other changes. Apple says that developers should use an alternative programming language instead, such as Python 3, but it's worth noting that Python 3 also does not come preinstalled on macOS. Developers can run the stub /usr/bin/python3 in Terminal, but it prompts users to install Xcode developer tools, which includes Python 3.

Two-thirds of technology firms are experiencing a shortage of skilled workers, reports the BBC (citing a recent report from recruitment firm Harvey Nash).

But what's the solution? In an article shared by Chrisq, the BBC's business technology reporter field-tested some computer programming training: I attended Teach the Nation to Code, a free one-day Python coding workshop run by UK training firm, QA... But when it works, there's not much pay-off — just some lines on a screen. I also took classes with Cypher Coders and Creator Academy to teach me Scratch — a coding language for children with a simple visual interface... [I] found the step change from learning Scratch to Python similarly jarring in the children's toys — you suddenly go from colourful blocks to an empty screen with no handholding. What could help bridge this gap from fun games for kids, to more professional level complex coding?

Garry Law, founder of Australian coding training firm, Creator Academy, says IT education needs to be better. "We need to teach kids coding with visual, auditory and kinesthetic learning styles, and we need to adapt this learning method for adults, to attract more people to science, technology, engineering and mathematics (STEM)," he says....

Cost is also a big problem. According to Anna Brailsford, chief executive of social enterprise Code First: Girls, it typically costs £10,000 to learn coding and often there isn't a clear link between what is taught and the jobs available.
Long-time Slashdot reader AmiMoJo remembers that "the way I got started was by borrowing books from the library that contained example programs." Back then there were loads of books that were nothing but little BASIC apps for various machines. That got me started with a program that worked and often did something quite interesting or useful, like a graphical effect. Then I could tinker with it and learn that way.
But is that enough of a reward to attract new programmers — or should beginning courses target more learning styles? Share your own thoughts and experiences in the comments.

Do we need better computer programming courses for visual learners?

The programming language of the year has been announced by the TIOBE Index: Python!

But noting that the TIOBE index is based on the number of search results for a programming language across popular search engines, a headline at The Next Web asks: "What does this title even mean?" [TIOBE] takes services such as Google, QQ, Sohu, Amazon, and Wikipedia to calculate the results. TIOBE uses "+" programming" query and a special formula to devise these ratings that change every month. You can read more about the whole process here. The programming language of the year title is decided by the jump in ratings year-on-year. Python overtook C# by a margin of 0.13% — almost a photo finish.

The index doesn't indicate the best or most efficient programming language, nor does it measure the amount of code written in a language across the internet. It simply gives us a high-level understanding of resources and pages available on the web related to them.

There's a huge amount of criticism towards the TIOBE index, especially as it uses one query and doesn't consider non-English languages. The organization said that it's trying to introduce more parameters to calculate the ratings.
TIOBE's annual award is being called "prestigious" — by the announcement at TIOBE.com: The award is given to the programming language that has gained the highest increase in ratings in one year. C# was on its way to get the title for the first time in history, but Python surpassed C# in the last month.

Python started at position #3 of the TIOBE index at the beginning of 2021 and left both Java and C behind to become the number one of the TIOBE index. But Python's popularity didn't stop there. It is currently more than 1 percent ahead of the rest [with a "rating" of 13.58%]. Java's all time record of 26.49% ratings in 2001 is still far away, but Python has it all to become the de facto standard programming language for many domains. There are no signs that Python's triumphal march will stop soon.
In fact, this makes the second year in a row Python has won TIOBE's annual award.

But it's as good a conversation-starter as any. ZDNet reminds us that Microsoft hired Python creator Guido van Rossum in 2020 to work on improving Python's efficiency, while the second most popular language on TIOBE's annual list, C#, "is a language designed by Microsoft technical fellow Anders Hejlsberg for the .NET Framework and Microsoft's developer editing tool Visual Studio."

And ZDNet also spottted a few other patterns in TIOBE's year-end look at programming language popularity: There were several movers and shakers this year. Rust, a systems programming language that deals with memory safety flaws, is now in 26th position, ahead of MIT's Julia, and Kotlin, a language endorsed by Google for Android app development. Rust was a stand out language in 2021, gaining backing from Facebook, Amazon Web Services, Microsoft Azure and Google Cloud.

Apple's Swift for iOS and macOS app development jumped from 13th to 10th place, while Google's Go inched up from 14 to 13, according to Tiobe. Kotlin moved from 40th to 29th. Google's Dart dropped from 25th to 37th position, Julia fell from 23rd to 28th position, while Microsoft TypeScript dropped from from 42 to 49.

The top 10 languages in Tiobe's list for January 2022 were Python, C, Java, C++,C#, Visual Basic, JavaScript, Assembly Language, SQL, and Swift.

Slashdot reader Tesseractic comes bearing gifts — specifically, news of "a new image format that is lossless, gives much faster encodes, faster decodes and roughly comparable compression compared to what's in use today."

Quite OK Image format (or QOI) is the brainchild of developer Dominic Szablewski, who complains current image formats like PNG, JPEG, MPEG, MOV and MP4 "burst with complexity at the seams," the Register reports: "Every tiny aspect screams 'design by consortium'," he added, going on to lament the fact that most common codecs are old, closed, and "require huge libraries, are compute hungry and difficult to work with." Szablewski thought he could do better and appears to have achieved that objective by cooking up some code, floating it on GitHub, and paying attention to the 500-plus comments it generated.

While Szablewski admits that QOI will not compress images as well as an optimized PNG encoder, he claims it "losslessy compresses images to a similar size of PNG, while offering 20x-50x faster encoding and 3x-4x faster decoding." Most importantly, to Szablewski, the reference en-/decoder fits in about 300 lines of C and the file format spec requires is just one page long.

"In the last few weeks QOI implementations for lot of different languages and libraries popped up," Szablewski wrote on his blog, with Zig, Rust,Go, TypeScript, Haskell, Ä, Python, C#, Elixir, Swift, Java, and Pascal among the options.

Microsoft has notified earlier this month a select group of Azure customers impacted by a recently discovered bug that exposed the source code of their Azure web apps since at least September 2017. The vulnerability was discovered by cloud security firm Wiz and reported to Microsoft in September. The issue was fixed in November, and Microsoft has spent the last few weeks investigating how many customers were impacted. The Record reports: The issue, nicknamed NotLegit, resides in Azure App Service, a feature of the Azure cloud that allows customers to deploy websites and web apps from a source code repository. Wiz researchers said that in situations where Azure customers selected the "Local Git" option to deploy their websites from a Git repository hosted on the same Azure server, the source code was also exposed online.

All PHP, Node, Ruby, and Python applications deployed via this method were impacted, Microsoft said in a blog post today. Only apps deployed on Linux-based Azure servers were impacted, but not those hosted on Windows Server systems. Apps deployed as far back as 2013 were impacted, although the exposure began in September 2017, when the vulnerability was introduced in Azure's systems, the Wiz team said in a report today. [...] The most dangerous exposure scenarios are situations where the exposed source code contained a .git configuration file that, itself, contained passwords and access tokens for other customer systems, such as databases and APIs.

On Monday JetBrains (creators of the Kotlin programming language and makers of the integrated development environment IntelliJ IDEA) made an announcement: a preview for a lightweight new multi-language IDE called Fleet using IntelliJ's code-processing engine with a distributed IDE architecture and a reimagined UI.

By Friday they'd received an "overwhelming" number of requests, and announced the preview program had stopped accepting new requests. ("To subscribe for updates and the public preview announcement at jetbrains.com/fleet or follow @JetBrains_Fleet on Twitter.")

They'd received 80,000 requests in just the first 30 hours, reports Visual Studio magazine: Although JetBrains didn't even mention VS Code in its Nov. 28 announcement, many media pundits immediately characterized it along the lines of an "answer to Visual Studio Code," a "response to Visual Studio Code," a "competitor to Visual Studio Code" and so on...

"When you first launch Fleet, it starts up as a full-fledged editor that provides syntax highlighting, simple code completion, and all the things you'd expect from an editor," JetBrains said. "But wait, there's more! Fleet is also a fully functional IDE bringing smart completion, refactorings, navigation, debugging, and everything else that you're used to having in an IDE — all with a single button click."
"It starts up in an instant so you can begin working immediately..." boasts the Fleet web page, adding that Fleet "is designed to automatically detect your project configuration from the source code, maximizing the value you get from its smart code-processing engine while minimizing the need to configure the project in the IDE." And it also offers "project and context aware code completion, navigation to definitions and usages, on-the-fly code quality checks, and quick-fixes..."

Fleet also offers a collaborative environment allowing developers to work together — not just sharing the editor, but also terminals and debugging sessions. (There's even a diff view for reviewing changes.) "Others can connect to a collaboration session you initiate on your machine, or everyone can connect to a shared remote dev environment," explains Fleet's web page. "It supports a number of remote work scenarios and can be run locally on the developer's computer, in the cloud, or on a remote server," reports SD Times. (And Fleet's home page says soon it will even run in Docker containers configured with an appropriate environment for your project.)

SD Times adds that Fleet "currently supports Java, Kotlin, Go, Python, Rust, and JavaScript. The company plans to extend support to cover PHP, C++, C#, and HTML, which are the remaining languages that have IntelliJ IDEs." It's multi-platform — running on Linux, MacOS, or Windows — and Fleet's web page promises "a familiar and consistent user experience" offering one IDE for the many different technologies you might end up using.

And yes, there's a dark theme.

ZDNet reports: JavaScript is now used by more than 16.4 million developers globally, says a survey of more than 19,000 coders — making it the world's most popular programming language "by a wide margin".

SlashData's 21st State of the Developer Nation Report examined global software developer trends across 160 countries during Q3 2021, covering programming languages, tools, APIs, apps and technology segments, as well as attitudes of developers themselves... While not necessarily a surprise in itself — JavaScript has, after all, been the world's most-used language for a number of years now — SlashData found that upwards of 2.5 million developers had joined the JavaScript community in the past six months alone. That's the same as the entire user base of Swift; or, the combined communities of Rust and Ruby.

The data for JavaScript also included language derivatives TypeScript and CoffeeScript.

Python might not be a close second, but its popularity is impressive nonetheless: according to SlashData, the language is now used by some 11.3 million coders, primarily within data science and machine learning, and IoT applications. The brainchild of Guido van Rossum, Python's popularity has exploded in recent years, overtaking that of Java, which is currently used by 9.6m developers. Java remains a go-to for mobile and desktop apps, SlashData's survey found. According to SlashData, Python added 2.3m developers to its community in the past 12 months. "That's a 25% growth rate, one of the highest across all the large programming language communities of more than 7M users," the report noted.

"The rise of data science and machine learning (ML) is a clear factor in Python's popularity. More than 70% of ML developers and data scientists report using Python. For perspective, only 17% use R, the other language often associated with data science."
The survey concluded these are, in order, the 10 most popular programming languages:

1. JavaScript
2. Python
3. Java
4. C/C++ [Yes, it lumps them together]
5. PHP
6. C#
7. "Visual development tools"
8. Kotlin
9. Swift
10. Go

The report also found that Rust, although coming in at #14, grew faster than any other language in the past 24 months, "nearly tripling in size from just 0.4M developers in Q3 2019 to 1.1M."

"Bringing VS Code to the browser is the realization of the original vision for the product," Microsoft said in a blog post. "It is also the start of a completely new one. An ephemeral editor that is available to anyone with a browser and an internet connection is the foundation for a future where we can truly edit anything from anywhere."

Or, as Mike Melanson describes it in his "This Week in Programming" column, "Microsoft continued its march toward developer dominance this week with the launch of Visual Studio Code for the Web, a lightweight version of the company's highly popular (mostly) open source code editor..." Now, before you go getting too excited, VS Code for the Web isn't really a fully-functional version of VS Code running in the browser, as it has no backend to back it up, which means its primary purpose is for client-side HTML, JavaScript, and CSS applications... VS Code for the Web is able to provide syntax colorization, text-based completions and other such features for popular languages such as C/C++, C#, Java, PHP, Rust, and Go, while TypeScript, JavaScript, and Python are "all powered by language services that run natively in the browser" and therefore provide a "better" experience, while those aforementioned Web languages, such as JSON, HTML, CSS, and LESS, will provide the best experience. Extensions, meanwhile — which are among the top reasons for using VS Code — generally work for user interface customizations (and can be synced with your other environments), but, again, not so much for those back-end features.

Caveats aside, VS Code for the Web does, indeed, offer a lightweight, available-anywhere code editor for things like your tablet, your Chromebook, and heck, even your XBOX...

While companies like Amazon and Google seem to be sitting idly by in this arena, Microsoft is not the only company focused on providing remote developer experiences. The Eclipse Foundation, for example, last year offered what it said was "a true open source alternative to Visual Studio Code" with Eclipse Theia, and Eclipse Foundation executive director Mike Milinkovich said he expects this to be just the beginning. "We have been saying for years that the future of developer tools is the browser. Developers already use their browsers for the vast majority of their day-to-day tasks, with code editing being amongst the last to move," Milinkovich wrote in an email. "Microsoft's recent vscode.dev announcement is a recognition of this trend. I expect that every serious cloud vendor will be following suit over the next few quarters."

GitPod, meanwhile, has been hard at work in this very same arena, with its own launch just last month of the open source OpenVSCode Server, which also lets developers run upstream Visual Studio Code in the browser.
Gitpod co-founder Johannes Landgraf calls it "yet another validation that we reached a tipping point of how and where we develop software" — but also more. "Think orchestration and provisioning of compute, operating system, language servers and all other tools you require for professional software development in the cloud."

Melanson's column also argues VS Code for the Web is meant to entice geeks further into the Microsoft development universe. "The next thing you know, you've spent $100 on other things...like GitHub Codespaces, which is, after all, pretty much the same exact thing, except it provides all those back-end services and, more importantly for Microsoft, is not free to use. And more important still, once you've got all those developers fully hooked on VS Code, Codespaces, GitHub, and the rest of it, Azure isn't too far down the line now, is it?"

"One of Python's long-standing weaknesses, its inability to scale well in multithreaded environments, is the target of a new proposal among the core developers of the popular programming language," reports InfoWorld: Developer Sam Gross has proposed a major change to the Global Interpreter Lock, or GIL — a key component in CPython, the reference implementation of Python. If accepted, Gross's proposal would rewrite the way Python serializes access to objects in its runtime from multiple threads, and would boost multithreaded performance significantly... The new proposal makes changes to the way reference counting works for Python objects, so that references from the thread that owns an object are handled differently from those coming from other threads.

The overall effect of this change, and a number of others with it, actually boosts single-threaded performance slightly — by around 10%, according to some benchmarks performed on a forked version of the interpreter versus the mainline CPython 3.9 interpreter. Multithreaded performance, on some benchmarks, scales almost linearly with each new thread in the best case — e.g., when using 20 threads, an 18.1x speedup on one benchmark and a 19.8x speedup on another.

Security Week reports: A previously unknown, modular malware family that targets Linux systems has been used in targeted attacks to collect credentials and gain access to victim systems, ESET reported on Thursday. Dubbed FontOnLake, the malware family employs a rootkit to conceal its presence and uses different command and control servers for each sample, which shows how careful its operators are to maintain a low profile.

What's more, the malware developers are constantly modifying the FontOnLake modules, and use three categories of components that have been designed to work together, namely trojanized applications, backdoors, and rootkits.

Evidence suggests that FontOnLake has been used in attacks aimed at organizations in Southeast Asia. The first malware samples related to this family emerged last May. The malware was previously described by Avast and Lacework as the HCRootkit / Sutersu Linux rootkit, as well as by Tencent Security Response Center in a February report.

The various trojanized applications that ESET's researchers have identified during their investigation are used to load custom backdoor or rootkit modules, but also to collect sensitive data when needed. Posing as standard Linux utilities, these files were also designed to achieve persistence on the compromised systems. What the researchers haven't figured out yet is the manner in which the trojanized applications are delivered to the victims. ESET's analysis of FontOnLake has revealed the use of three different backdoors, all written in C++, all using the same Asio library from Boost, and all capable of exfiltrating sshd credentials and bash command history.

The simplest of the three was designed to launch and mediate access to a local SSH server, update itself, and transmit collected credentials. The malware appears to be under development.
The second backdoor was also capable of file manipulation, updating itself, and uploading and downloading files, according to the article, while the third backdoor "accepts remote connections, serves as a proxy and can download and run Python scripts, in addition to exfiltrating credentials."

ZDNet reports: "Python 3.10.0 is the newest major release of the Python programming language, and it contains many new features and optimizations," CPython maintainers announced in a blogpost...

One of the headline features is "structural pattern matching" in Python 3.10 -- a technique for handling data that's already available in C, Java, JavaScript, Scala and Elixir. "Structural pattern matching has been added in the form of a match statement and case statements of patterns with associated actions. Patterns consist of sequences, mappings, primitive data types as well as class instances. Pattern matching enables programs to extract information from complex data types, branch on the structure of data, and apply specific actions based on different forms of data," the project explains in release 3.10 notes. "While structural pattern matching can be used in its simplest form comparing a variable to a literal in a case statement, its true value for Python lies in its handling of the subject's type and shape," it adds.

Python core contributors presented the update in a meeting this week. Pablo Galindo Salgado, a physicist and core Python contributor, explained how the project is using Microsoft's GitHub Actions DevOps (CI/CD) tools to test Python changes on Windows, Linux and macOS systems. "When you merge something to Python, there is a CI in GitHub Actions, and we have other providers, although we are mainly using GitHub Actions now. It tests your commits on every single commit on Linux, Windows, and macOS," said Salgado.
Besides better error messages (including more precise and reliable line numbers for debugging), other changes to the language include overloading the pipe operator to allow a new syntax for writing union types, and type aliases (a kind of user-specified type, offering a way to explicitly declare an assignment as a type alias).

ZDNet reports that Python "is now the most popular language, according to one popularity ranking."

"For the first time in more than 20 years we have a new leader of the pack..." the TIOBE Index announced this month. "The long-standing hegemony of Java and C is over."

When Slashdot reached out to Guido van Rossum for a comment, he replied "I honestly don't know what the appropriate response is...! I am honored, and I want to thank the entire Python community for making Python so successful."

ZDNet reports: [I]t seems that Python is winning these days, in part because of the rise of data science and its ecosystem of machine-learning software libraries like NumPy, Pandas, Google's TensorFlow, and Facebook's PyTorch. Python is also an easy-to-learn language that has found a niche in high-end hardware, although less so mobile devices and the web — an issue that Python creator Guido van Rossum hopes to address through performance upgrades he's working on at Microsoft.

Tiobe, a Dutch software quality assurance company, has been tracking the popularity of programming languages for the past 20 years. Its rankings are based on search terms related to programming and is one measure of languages that developers should consider learning, along with IEEE Spectrum's list and a ranking produced by developer analyst RedMonk. JavaScript, the default for front-end web development, is always at the top of RedMonk's list. For Tiobe, its enterprise focus, has seen Java and C dominate in recent years, but Python has been snapping at the heels of Java, and has now overtaken it...

Python's move to top spot on the Tiobe index was a result of other languages falling in searches rather than Python rising. With an 11.27% share of searches, it was flat, while second place language C fell 5.79% percentage points compared to October last year down to 11.16%. Java made way for Python with a 2.11 percentage point drop to 10.46%.

Other languages that made the top 10 in Tiobe's October 2021 index: C++, C#, Visual Basic, JavaScript,. SQL, PHP, and Assemblyy Language. Also rising on a year-on-year basis and in the top 20 were Google-designed Go, number-crunching favorite MATLAB, and Fortran.
"Python, which started as a simple scripting language, as an alternative to Perl, has become mature," TIOBE says in announcing its new rankings.

"Its ease of learning, its huge amount of libraries, and its widespread use in all kinds of domains, has made it the most popular programming language of today. Congratulations Guido van Rossum!"

"According to one measure, Python is potentially on the verge of becoming the most popular computer programming language," reports ZDNet, joining C and Java as the only other two languages to attain the #1 spot.

Of course, it depends on who's making the list... Python has been snapping at the heels of Java and C for the past few years on the 20-year-old Tiobe index and recently knocked Java off the second spot to rival C. Tiobe, a software testing company, bases its rankings on searches for programming languages on popular websites and search engines.

The Tiobe index is updated monthly, and it doesn't align with other language popularity rankings. For example, the electrical engineering magazine IEEE Spectrum has ranked Python as the most popular language since at least 2020, followed by Java, C, and JavaScript, while developer analyst RedMonk has JavaScript in top place, followed by Python and Java, and places C at tenth...

"Python has never been so close to the number 1 position of the TIOBE index," writes Paul Jansen, chief of Tiobe software. "It only needs to bridge 0.16% to surpass C. This might happen any time now..."

Python is hugely popular because of machine learning, but it has no place in mobile app development or web applications or development on mobile devices. It's also slow. Python's creator, Guido van Rossum, who works at Microsoft, recently conceded Python consumes too much memory and energy from hardware. He's working to improve Python's performance and reckons double is feasible...

Tiobe's top 10 programming languages in September 2021 were C, Python, Java, C++, C#, Visual Basic, JavaScript, Assembly language, PHP, and SQL. The top 20 languages also included Classic Visual Basic, Groovy, Ruby, Go, Swift, MATLAB, Fortran, R, Perl, and Delphi. Fortran's re-emergence as a top 20 language is notable. Just in July 2020, Tiobe ranked it as the 50th most popular language. But earlier this year, Fortran shot up to the 20th spot in Tiobe's index.
Paul Jansen, chief of Tiobe software, also called out some other interesting moves in this month's calculation. "Assembly gained 1 position from #9 to #8, Ruby gained 2 positions from #15 to #13, and Go went up even 4 positions from #18 to #14."

A fix that was made in early June to the GNU C Library (glibc) introduced a new and nastier problem. Steven J. Vaughan-Nichols writes via ZDNet: The first problem wasn't that bad. As Siddhesh Poyarekar, a Red Hat principal software engineer wrote, "In order to mount a minimal attack using this flaw, an attacker needs many pre-requisites to be able to even crash a program using this mq_notify bug." Still, it needed patching and so it was fixed. Alas, the fix contained an even nastier bug. While checking the patch, Nikita Popov, a member of the CloudLinux TuxCare Team, found the problem. It turns out that it is possible to cause a situation where a segmentation fault could be triggered within the library. This can lead to any application using the library crashing. This, of course, would cause a Denial-of-Service (DoS) issue. This problem, unlike the earlier one, would be much easier to trigger. Whoops.

Red Hat gives the problem in its Common Vulnerability Scoring System (CVSS) a score of 7.5, which is "high." An attack using it would be easy to build and requires no privileges to be made. In short, it's bad news. Popov himself thinks "every Linux application including interpreters of other languages (python, PHP) is linked with glibc. It's the second important thing after the kernel itself, so the impact is quite high." [...] The good news is both the vulnerability and code fix have been submitted to the glibc development team. It has already been incorporated into upstream glibc.

In addition, a new test has been submitted to glibc's automated test suite to pick up this situation and prevent it from happening in the future. The bottom line is sometimes changed in unrelated code paths can lead to behaviors changing elsewhere without the programmer realizing what's going on. This test will catch this situation. The Linux distributors are still working out the best way to deploy the fix. In the meantime, if you want to be extra careful -- and I think you should be -- you should upgrade to the newest stable version of glibc 2.34 or higher.

"The programming language Java's popularity has been slowly declining in some programming language index rankings, but it's popped back into the second spot in RedMonk's latest chart," reports ZDNet: Javascript still rules in RedMonk's Q3 2021 language popularity rankings, which have been updated twice a year since 2010.

Python overtook Java for the second spot in RedMonk's Q2 2020 ranking, and Java has remained there in Python's shadow ever since, but now it has jumped one spot to second — a place it once again shares with Python. As RedMonk analyst Stephen O'Grady notes, Java's consistent third placing over the past year was "prompting questions from observers as to whether it was fated to a gradual drift down these rankings".

Tiobe's CEO Paul Jensen last September said Java was in "real trouble" because of a notable decline in its share of queries for programming languages on major search engines. But now, according to RedMonk, Java has 'surged' back. "This would be less of a surprise but for many of the language's competitors — and, it should be said, the odd industry analyst or two — writing regularly recurring epitaphs for the stalwart of enterprise infrastructure," said O'Grady.
The article also reports that Google's Dart programming language "made its debut in RedMonk's top 20 this month and displaced Perl."

RoccamOccam writes: For the sixth-year, Rust is the most loved language, while Python is the most wanted language for its fifth-year in Stack Overflow's 2021 survey of 80,000 developers.

"Almost half of the packages in the official Python Package Index (PyPI) repository have at least one security issue," reports TechRadar, citing a new analysis by Finnish researchers, which even found five packages with more than a thousand issues each... The researchers used static analysis to uncover the security issues in the open source packages, which they reason end up tainting software that use them. In total the research scanned through 197,000 packages and found more than 749,000 security issues in all... Explaining their methodology the researchers note that despite the inherent limitations of static analysis, they still found at least one security issue in about 46% of the packages in the repository. The paper reveals that of the issues identified, the maximum (442,373) are of low severity, while 227,426 are moderate severity issues. However, 11% of the flagged PyPI packages have 80,065 high severity issues.
The Register supplies some context: Other surveys of this sort have come to similar conclusions about software package ecosystems. Last September, a group of IEEE researchers analyzed 6,673 actively used Node.js apps and found about 68 per cent depended on at least one vulnerable package... The situation is similar with package registries like Maven (for Java), NuGet (for .NET), RubyGems (for Ruby), CPAN (for Perl), and CRAN (for R). In a phone interview, Ee W. Durbin III, director of infrastructure at the Python Software Foundation, told The Register, "Things like this tend not to be very surprising. One of the most overlooked or misunderstood parts of PyPI as a service is that it's intended to be freely accessible, freely available, and freely usable. Because of that we don't make any guarantees about the things that are available there..."

Durbin welcomed the work of the Finnish researchers because it makes people more aware of issues that are common among open package management systems and because it benefits the overall health of the Python community. "It's not something we ignore but it's also not something we historically have had the resources to take on," said Durbin. That may be less of an issue going forward. According to Durbin, there's been significantly more interest over the past year in supply chain security and what companies can do to improve the situation. For the Python community, that's translated into an effort to create a package vulnerability reporting API and the Python Advisory Database, a community-run repository of PyPI security advisories that's linked to the Google-spearheaded Open Vulnerability Database.

"Dallas-based Texas Instruments' latest generation of calculators is getting a modern-day update with the addition of programming language Python," reports the Dallas Morning News: The goal is to expand students' ability to explore science, technology, engineering and math through the device that's all-but-required in the nation's high schools and colleges...

Though most of the company's $14 billion in annual revenue comes from semiconductors, its graphing calculator remains its most recognized consumer product. This latest TI-84 model, priced between $120 to $160 depending on the retailer, was made to accommodate the increasing importance of programming in the modern world.
Judging by photos in their press release, an "alpha" key maps the calculator's keys to the letters of the alphabet (indicated with yellow letters above each key). One page on its web site also mentions "Menu selections" that "help students with discovery and syntax." (And the site confirms the calculator will "display expressions, symbols and fractions just as you write them.")

There's even a file manager that "gives quick access to Python programs you have saved on your calculator. From here, you can create, edit, run and manage your files." And one page also mentions something called TI Connect CE software application, which "connects your computer and graphing calculator so they can talk to each other. Use it to transfer data, update your operating system, download calculator software applications or take screenshots of your graphing calculator."

I'm sure Slashdot's readers have some fond memories of their first calculator. But these new models have a full-color screen and a rechargeable battery that can last up to a month on a single charge. And Texas Instruments seems to think they could even replace computers in the classroom. "By adding Python to the calculators many students are already familiar with and use in class, we are making programming more accessible and approachable for all students," their press release argues, "eliminating the need for teachers to reserve separate computer labs to teach these important skills.

Open source packages downloaded an estimated 30,000 times from the PyPI open source repository contained malicious code that surreptitiously stole credit card data and login credentials and injected malicious code on infected machines, researchers said on Thursday. Ars Technica reports: In a post, researchers Andrey Polkovnichenko, Omer Kaspi, and Shachar Menashe of devops software vendor JFrog said they recently found eight packages in PyPI that carried out a range of malicious activity. Based on searches on https://pepy.tech, a site that provides download stats for Python packages, the researchers estimate the malicious packages were downloaded about 30,000 times. [...] Different packages from Thursday's haul carried out different kinds of nefarious activities. Six of them had three payloads, one for harvesting authentication cookies for Discord accounts, a second for extracting any passwords or payment card data stored by browsers, and the third for gathering information about the infected PC, such as IP addresses, computer name, and user name. The remaining two packages had malware that tries to connect to an attacker-designated IP address on TCP port 9009, and to then execute whatever Python code is available from the socket. It's not now known what the IP address was or if there was malware hosted on it.

Like most novice Python malware, the packages used only a simple obfuscation such as from Base64 encoders. Karas told me that the first six packages had the ability to infect the developer computer but couldn't taint the code developers wrote with malware. "For both the pytagora and pytagora2 packages, which allows code execution on the machine they were installed, this would be possible." he said in a direct message. "After infecting the development machine, they would allow code execution and then a payload could be downloaded by the attacker that would modify the software projects under development. However, we don't have evidence that this was actually done."

Fossbytes has an article detailing how you can check to see if your mobile device is infected with the "Pegasus" spyware. What's Pegasus you ask? It's phone-penetrating spy software developed by NSO Group and sold to governments to target journalists and activists around the world. The CEO of NSO Group says law-abiding citizens have "nothing to be afraid of," but that doesn't help us sleep any better. Here's how to check if your device has been compromised (heads up: it's a bit of a technical and lengthy process): First off, you'll need to create an encrypted backup and transfer it to either a Mac or PC. You can also do this on Linux instead, but you'll have to install libimobiledevice beforehand for that. Once the phone backup is transferred, you need to download Python 3.6 (or newer) on your system -- if you don't have it already. Here's how you can install the same for Windows, macOS, and Linux. After that, go through Amnesty's manual to install MVT correctly on your system. Installing MVT will give you new utilities (mvt-ios and mvt-android) that you can use in the Python command line. Now, let's go through the steps for detecting Pegasus on an iPhone backup using MVT.

First of all, you have to decrypt your data backup. To do that, you'll need to enter the following instruction format while replacing the placeholder text (marked with a forward slash) with your custom path: "mvt-ios decrypt-backup -p password -d /decrypted /backup". Note: Replace "/decrypted" with the directory where you want to store the decrypted backup and "/backup" with the directory where your encrypted backup is located.

Now, we will run a scan on the decrypted backup, referencing it with the latest IOCs (possible signs of Pegasus spyware), and store the result in an output folder. To do this, first, download the newest IOCs from here (use the folder with the latest timestamp). Then, enter the instruction format as given below with your custom directory path: "mvt-ios check-backup -o /output -i /pegasus.stix2 /backup". Note: Replace "/output" with the directory where you want to store the scan result, "/backup" with the path where your decrypted backup is stored, and "/pegasus.stix2" with the path where you downloaded the latest IOCs.

After the scan completion, MVT will generate JSON files in the specified output folder. If there is a JSON file with the suffix "_detected," then that means your iPhone data is most likely Pegasus-infected. However, the IOCs are regularly updated by Amnesty's team as they develop a better understanding of how Pegasus operates. So, you might want to keep running scans as the IOCs are updated to make sure there are no false positives.