Can We Replace YAML With an Easier Markup Language?

On his personal blog, Red Hat's Chris Short (also a CNCF Cloud Native Ambassador) told his readers that "We kinda went down a rabbit hole the other day when I suggested folks check out yq." ("The aim of the project is to be the jq or sed of yaml files.") "First, there's nothing wrong with this project. I like it, I find the tool useful, and that's that. But the great debate started over our lord and savior, YAML." And then he shares what he learned from a bad experience reading the YAML spec in 2012: It was not an RFC, which I am fond of reading, but something about the YAML spec made me sad and frustrated. Syntax really mattered. Whitespace really mattered... It is human-readable because you see the human-readable words in the scalars and structures, but there was something off-putting about YAML. It was a markup language claiming not to be a markup language. I held the firm belief that markup languages are supposed to make things simpler for humans, not harder (XML is the antithesis of markup languages, in my opinion)... Close to ten years later, I see YAML in the same somewhat offputting light... I hope that a drop in replacement is possible. The fact that we need tools like yq does show that there is some work to be done when it comes to wrangling the YAML beast at scale... Incrementally, YAML is better than XML but, it sucks compared to something like HTML or Markdown (which I can teach to execs and children alike)... Yes, balancing machine and human readability is hard. The compromises suck, but, at some point, there's enough compute to run a process to take in something 100% human-readable and make it 100% machine-readable... There will always be complexity and a need to understand the tool you're using. But, YAML gives us an example that there can and should be better things. In a comment on the original submission, Slashdot reader BAReFO0t writes "Binary markup or GTFO." UTF8 is already binary.
Hell, ASCII is already binary numbers, not directly readable, but mapped to vector drawings or bitmap images ... that again are rendered to pixel values, that are then turning on blinkenlights or ink blots or noises that a human can actually recognize directly. So why not extend it to structure, instead of just letters (... and colors ... and sound pressures...) EBML's core [Extensible Binary Meta Language] is the logical choice. If all editors always display it as, say XML, just like they all convert numbers into text-shaped blinkenlights too, people will soon call it "plain, human readable" too... Read more of this story at Slashdot.
2020-10-25 17:45:01
Java Geeks Discuss 'The War for the Browser' and the State of Java Modularization

Self-described "Java geek" nfrankel writes: At the beginning of 2019, I wrote about the state of Java modularization. I took a sample of widespread libraries, and for each of them, I checked whether: - It supports the module system i.e. it provides an automatic module name in the manifest - It's a full-fledged module i.e. it provides a module-info. The results were interesting. 14 out of those 29 libraries supported the module system, while 2 were modules in their own right. Nearly 2 years later, and with Java 16 looming around the corner, it's time to update the report. I kept the same libraries and added Hazelcast and Hazelcast Jet. I've checked the latest version... Three full years after that release, 10 out of 31 libraries still don't provide a module-compatible JAR. Granted, 3 of them didn't release a new version in the meantime. That's still 7 libraries that didn't add a simple line of text in their MANIFEST.MF. Meanwhile, long-time Slashdot reader AirHog argues that "Java is in a war for the browser. Can it regain the place it once held in its heyday?" All major browsers have disabled support for Java (and indeed most non-JavaScript technologies). Web-based front-ends are usually coded in JavaScript or some wrapper designed to make it less problematic (like TypeScript). Yes, you can still make websites using Java technology. There are plenty of 'official' technologies like JSP and JSF. Unfortunately, these technologies are entirely server-side. You can generate the page using Java libraries and business logic, but once it is sent to the browser it is static and lifeless... Java client-side innovation has all but stopped, at least via the official channels.... How can Java increase its relevance? How can Java win back client-side developers? How can Java prevent other technologies from leveraging front-end dominance to win the back-end, like Java once did to other technologies? To win the war, Java needs a strong client-side option.
One that lets developers make modern web applications using Java code. One that leverages web technologies. One that supports components. One that builds quickly. One that produces fast-downloading, high performance, 100-Lighthouse-scoring apps. One that plays nicely with other JVM languages. What does Java need? Spoiler: The article concludes that "What Java needs Is TeaVM... an ahead-of-time transpiler that compiles Java classes to JavaScript."
2020-10-25 16:45:02
'How 30 Lines of Code Blew Up a 27-Ton Generator'

After the U.S. unveiled charges against six members of the Sandworm unit in Russia's military intelligence agency, Wired re-visited "a secret experiment in 2007 proved that hackers could devastate power grid equipment beyond repair — with a file no bigger than a gif." It's an excerpt from the new book SANDWORM: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers which also remembers the late industrial control systems security pioneer Mike Assante: Among [Sandworm's] acts of cyberwar was an unprecedented attack on Ukraine's power grid in 2016, one that appeared designed to not merely cause a blackout, but to inflict physical damage on electric equipment. And when one cybersecurity researcher named Mike Assante dug into the details of that attack, he recognized a grid-hacking idea invented not by Russian hackers, but by the United States government, and tested a decade earlier... [S]creens showed live footage from several angles of a massive diesel generator. The machine was the size of a school bus, a mint green, gargantuan mass of steel weighing 27 tons, about as much as an M3 Bradley tank. It sat a mile away from its audience in an electrical substation, producing enough electricity to power a hospital or a navy ship and emitting a steady roar. Waves of heat coming off its surface rippled the horizon in the video feed's image. Assante and his fellow Idaho National Laboratory researchers had bought the generator for $300,000 from an oil field in Alaska. They'd shipped it thousands of miles to the Idaho test site, an 890-square-mile piece of land where the national lab maintained a sizable power grid for testing purposes, complete with 61 miles of transmission lines and seven electrical substations. Now, if Assante had done his job properly, they were going to destroy it.
And the assembled researchers planned to kill that very expensive and resilient piece of machinery not with any physical tool or weapon but with about 140 kilobytes of data, a file smaller than the average cat GIF shared today on Twitter.... Protective relays are designed to function as a safety mechanism to guard against dangerous physical conditions in electric systems. If lines overheat or a generator goes out of sync, it's those protective relays that detect the anomaly and open a circuit breaker, disconnecting the trouble spot, saving precious hardware, even preventing fires... But what if that protective relay could be paralyzed — or worse, corrupted so that it became the vehicle for an attacker's payload...? Black chunks began to fly out of an access panel on the generator, which the researchers had left open to watch its internals. Inside, the black rubber grommet that linked the two halves of the generator's shaft was tearing itself apart. A few seconds later, the machine shook again as the protective relay code repeated its sabotage cycle, disconnecting the machine and reconnecting it out of sync. This time a cloud of gray smoke began to spill out of the generator, perhaps the result of the rubber debris burning inside it... The engineers had just proven without a doubt that hackers who attacked an electric utility could go beyond a temporary disruption of the victim's operations: They could damage its most critical equipment beyond repair... Assante also remembers feeling something weightier in the moments after the Aurora experiment. It was a sense that, like Robert Oppenheimer watching the first atomic bomb test at another U.S. national lab six decades earlier, he was witnessing the birth of something historic and immensely powerful. "I had a very real pit in my stomach," Assante says. "It was like a glimpse of the future."
2020-10-25 15:45:02
'Apple, Google and a Deal That Controls the Internet'

The New York Times looks at "a deal that controls the internet" — Apple's agreement to feature Google as the preselected search engine for iPhones, saying America's Justice Department views it "as a prime example of what prosecutors say are Google's illegal tactics to protect its monopoly and choke off competition..." The scrutiny of the pact, which was first inked 15 years ago and has rarely been discussed by either company, has highlighted the special relationship between Silicon Valley's two most valuable companies — an unlikely union of rivals that regulators say is unfairly preventing smaller companies from flourishing. "We have this sort of strange term in Silicon Valley: co-opetition," said Bruce Sewell, Apple's general counsel from 2009 to 2017. "You have brutal competition, but at the same time, you have necessary cooperation." Apple and Google are joined at the hip even though Mr. Cook has said internet advertising, Google's bread and butter, engages in "surveillance" of consumers and even though Steve Jobs, Apple's co-founder, once promised "thermonuclear war" on his Silicon Valley neighbor when he learned it was working on a rival to the iPhone. Apple and Google's parent company, Alphabet, worth more than $3 trillion combined, do compete on plenty of fronts, like smartphones, digital maps and laptops. But they also know how to make nice when it suits their interests. And few deals have been nicer to both sides of the table than the iPhone search deal. Nearly half of Google's search traffic now comes from Apple devices, according to the Justice Department, and the prospect of losing the Apple deal has been described as a "code red" scenario inside the company. When iPhone users search on Google, they see the search ads that drive Google's business. They can also find their way to other Google products, like YouTube.
A former Google executive, who asked not to be identified because he was not permitted to talk about the deal, said the prospect of losing Apple's traffic was "terrifying" to the company. The Justice Department, which is asking for a court injunction preventing Google from entering into deals like the one it made with Apple, argues that the arrangement has unfairly helped make Google, which handles 92 percent of the world's internet searches, the center of consumers' online lives... [C]ompetitors like DuckDuckGo, a small search engine that sells itself as a privacy-focused alternative to Google, could never match Google's tab with Apple. Apple now receives an estimated $8 billion to $12 billion in annual payments — up from $1 billion a year in 2014 — in exchange for building Google's search engine into its products. It is probably the single biggest payment that Google makes to anyone and accounts for 14 to 21 percent of Apple's annual profits. That's not money Apple would be eager to walk away from. In fact, Mr. Cook and Mr. Pichai met again in 2018 to discuss how they could increase revenue from search. After the meeting, a senior Apple employee wrote to a Google counterpart that "our vision is that we work as if we are one company," according to the Justice Department's complaint. The article remembers Steve Jobs unveiling the iPhone in 2007 — and then inviting Google CEO Eric Schmidt onto the stage. Schmidt, who was also on Apple's board of directors, joked "If we just sort of merged the two companies, we could just call them AppleGoo." He'd also added that with Google search on the iPhone, "you can actually merge without merging."
2020-10-25 14:45:02
Is X.Org Server Abandonware?

Phoronix ran a story this morning with this provocative headline: "It's Time To Admit It: The X.Org Server Is Abandonware." The last major release of the X.Org Server was in May 2018 but don't expect the long-awaited X.Org Server 1.21 to actually be released anytime soon. This should hardly be surprising but a prominent Intel open-source developer has conceded that the X.Org Server is pretty much "abandonware" with Wayland being the future. [Or, more specifically, that "The main worry I have is that xserver is abandonware without even regular releases from the main branch."] This comes as X.Org Server development hits a nearly two decade low, the X.Org Server is well off its six month release regimen in not seeing a major release in over two years, and no one is stepping up to manage the 1.21 release. A year ago was a proposal to see new releases driven via continuous integration testing but even that didn't take flight and as we roll into 2021 there isn't any motivation for releasing new versions of the X.Org Server by those capable of doing so. Red Hat folks have long stepped up to manage X.Org Server releases but with Fedora Workstation using Wayland by default and RHEL working that way, they haven't been eager to devote resources to new X.Org Server releases. Other major stakeholders also have resisted stepping up to ship 1.21 or commit any major resources to new xorg-server versions.
2020-10-25 13:45:02
The U.S. Health Department Tried to Offer Early Vaccines to Shopping Mall Santas

America's national health agency "halted a public-service coronavirus advertising campaign funded by $250 million in taxpayer money after it offered a special vaccine deal to an unusual set of essential workers: Santa Claus performers." The Wall Street Journal reports: As part of the plan, a top Trump administration official wanted the Santa performers to promote the benefits of a Covid-19 vaccination and, in exchange, offered them early vaccine access ahead of the general public, according to audio recordings. Those who perform as Mrs. Claus and elves also would have been included.... The decision comes as the Covid-19 spread continues to accelerate in most states, and the vaccines are unlikely to be broadly available to the public before the holiday season. The coronavirus ad effort — titled "Covid 19 Public Health and Reopening America Public Service Announcements and Advertising Campaign" — was intended to "defeat despair, inspire hope and achieve national recovery," according to a work statement reviewed by The Wall Street Journal. It was to include television, radio, online and podcast announcements, starting immediately. The public-relations blitz began to fizzle after some celebrities, including actor Dennis Quaid, shied away from participating, a former White House official said, amid concerns that the campaign would be viewed as political rather than aiding public health.... [Former pharmaceutical lobbyist Alex Azar, now serving as America's Secretary of Health], has "ordered a strategic review of this public health education campaign that will be led by top public health and communications experts to determine whether the campaign serves important public health purposes," Health and Human Services officials said in a statement. Santa's vaccines were the brainchild of Michael Caputo, a political strategist/lobbyist also appointed to America's Health and Human Services as assistant secretary, according to the Journal. 
But an HHS spokesman now tells them that the Santa "collaboration will not be happening." They also get a quote from Ric Erwin, chairman of the Fraternal Order of Real Bearded Santas — who called the news "extremely disappointing." In a 12-minute phone call in late August, Mr. Caputo told Mr. Erwin of the Santa group that vaccines would likely be approved by mid-November and distributed to front-line workers before Thanksgiving. "If you and your colleagues are not essential workers, I don't know what is," Mr. Caputo said on the call, which was recorded by Mr. Erwin and provided to the Journal. [In audio of the call published by the Journal, Santa responds by saying "Ho ho ho ho, ho ho ho. I love you."] "I cannot wait to tell the president," Mr. Caputo said at another point about the plan. "He's going to love this." Mr. Erwin said on the call: "Since you would be doing Santa a serious favor, Santa would definitely reciprocate." Mr. Caputo said: "I'm in, Santa, if you're in...." Mr. Caputo said he wanted Santas to appear at rollout events in as many as 35 cities. In exchange, he said the Santas would get an early crack at inoculation.
2020-10-25 12:30:02
So How Good Is Edge on Linux?

"No one asked Microsoft to port its Edge browser to Linux," writes Steven J. Vaughan-Nichols at ZDNet, adding "Indeed, very few people asked for Edge on Windows." "But, here it is. So, how good — or not — is it..?" The new release comes ready to run on Ubuntu, Debian, Fedora, and openSUSE Linux distributions... Since I've been benchmarking web browsers since Mosaic rolled off the bit assembly line, I benchmarked the first Edge browser and Chrome 86 and Firefox 81 on my main Linux production PC.... First up: JetStream 2.0, which is made up of 64 smaller tests. This JavaScript and WebAssembly benchmark suite focuses on advanced web applications. It rewards browsers that start up quickly, execute code quickly, and run smoothly. Higher scores are better on this benchmark. JetStream's top-scorer — drumroll please — was Edge with 136.971. But, right behind it within the margin of error, was Chrome with a score of 132.413. This isn't too surprising. They are, after all, built on the same platform. Back in the back was Firefox with 102.131. Next up: Kraken 1.1. This benchmark, which is based on the long-obsolete SunSpider, measures JavaScript performance. To this basic JavaScript testing, it added typical use-case scenarios. Mozilla, Firefox's parent organization, created Kraken. With this benchmark, the lower the score, the better the result. To no great surprise, Firefox took first place here with 810.1 milliseconds (ms). Following it was Chrome with 904.5ms and then Edge with 958.8ms. The latest version of WebXPRT is today's best browser benchmark. It's produced by the benchmark professionals at Principled Technology. This company's executives were the founders of the Ziff Davis Benchmark Operation, the gold-standard of PC benchmarking. WebXPRT uses scenarios created to mirror everyday tasks. These include Photo Enhancement, Organize Album, Stock Option Pricing, Local Notes, Sales Graphs, and DNA Sequencing. Here, the higher the score, the better the browser.
On this benchmark, Firefox shines. It was an easy winner with a score of 272. Chrome edges out Edge 233 to 230. The article concludes that "Oddly, Edge, which turned in a poor performance when I recently benchmarked it on Windows, did well on Linux. Who'd have guessed...? Edge is a good, fast browser on Linux. If you're a Windows user coming over to Linux or you're doing development work aimed at Edge, then by all means try Edge on Linux. It works and it works well." Yet Vaughan-Nichols admits he's still not going to switch to Edge. "Chrome is more than fast enough for my purposes and I don't want my information tied into the Microsoft ecosystem. For better or worse, mine's already locked into the Googleverse and I can live with that."
2020-10-25 09:45:01
The new adaptation of The Witches is almost too much fun

HBO Max's new movie evokes a very un-Dahlian mood.
2020-10-25 08:45:02
Does Python Need to Change?

The Python programming language "is a big hit for machine learning," read a headline this week at ZDNet, adding "But now it needs to change." Python is the top language according to IEEE Spectrum's electrical engineering audience, yet you can't run Python in a browser and you can't easily run it on a smartphone. Plus no one builds games in Python these days. To build browser applications, developers tend to go for JavaScript, Microsoft's type-safety take on it, TypeScript, Google-made Go, or even old but trusty PHP. On mobile, why would application developers use Python when there's Java, Java-compatible Kotlin, Apple's Swift, or Google's Dart? Python doesn't even support compilation to the WebAssembly runtime, a web application standard supported by Mozilla, Microsoft, Google, Apple, Intel, Fastly, RedHat and others. These are just some of the limitations raised by Armin Ronacher, a developer with a long history in Python who 10 years ago created the popular Flask Python microframework to solve problems he had when writing web applications in Python. Austria-based Ronacher is the director of engineering at US startup Sentry — an open-source project and tech company used by engineering and product teams at GitHub, Atlassian, Reddit and others to monitor user app crashes due to glitches on the frontend, backend or in the mobile app itself... Despite Python's success as a language, Ronacher reckons it's at risk of losing its appeal as a general-purpose programming language and being relegated to a specific domain, such as Wolfram's Mathematica, which has also found a niche in data science and machine learning... Peter Wang, co-founder and CEO of Anaconda, maker of the popular Anaconda Python distribution for data science, cringes at Python's limitations for building desktop and mobile applications. 
"It's an embarrassing admission, but it's incredibly awkward to use Python to build and distribute any applications that have actual graphical user interfaces," he tells ZDNet. "On desktops, Python is never the first-class language of the operating system, and it must resort to third-party frameworks like Qt or wxPython." Packaging and redistribution of Python desktop applications are also really difficult, he says.
2020-10-25 03:45:02
Google Patched an Actively-Exploited Zero-Day Bug in Chrome

Google released an update to its Chrome browser that patches a zero-day vulnerability in the software's FreeType font rendering library that was actively being exploited in the wild, Threatpost reported this week: Security researcher Sergei Glazunov of Google Project Zero discovered the bug which is classified as a type of memory-corruption flaw called a heap buffer overflow in FreeType. Glazunov informed Google of the vulnerability on Monday. Project Zero is an internal security team at the company aimed at finding zero-day vulnerabilities. By Tuesday, Google already had released a stable channel update, Chrome version 86.0.4240.111, that deploys five security fixes for Windows, Mac & Linux — among them a fix for the zero-day, which is being tracked as CVE-2020-15999 and is rated as high risk. "Google is aware of reports that an exploit for CVE-2020-15999 exists in the wild," Prudhvikumar Bommana of the Google Chrome team wrote in a blog post announcing the update Tuesday... "The fix is also in today's stable release of FreeType 2.10.4," Ben Hawkes, technical lead for the Project Zero team, tweeted. Meanwhile, security researchers took to Twitter to encourage people to update their Chrome browsers immediately to avoid falling victim to attackers aiming to exploit the flaw... In addition to the FreeType zero day, Google patched four other bugs — three of high risk and one of medium risk — in the Chrome update released this week... So far in the last 12 months Google has patched three zero-day vulnerabilities in its Chrome browser.
2020-10-25 01:45:02