The Python Software Foundation ("made up of, governed, and led by the community") does more than just host Python and its documnation, the Python Package Repository, and the development workflows of core CPython developers. This week the PSF released its 28-page Annual Impact Report this week, noting that 2024 was their first year with three CPython developers-in-residence — and "Between Lukasz, Petr, and Serhiy, over 750 pull requests were authored, and another 1,500 pull requests by other authors were reviewed and merged." Lukasz Langa co-implemented the new colorful shell included in Python 3.13, along with Pablo Galindo Salgado, Emily Morehouse-Valcarcel, and Lysandros Nikolaou.... Code-wise, some of the most interesting contributions by Petr Viktorin were around the ctypes module that allows interaction between Python and C.... These are just a few of Serhiy Storchaka's many contributions in 2024: improving error messages for strings, bytes, and bytearrays; reworking support for var-arguments in the C argument handling generator called "Argument Clinic"; fixing memory leaks in regular expressions; raising the limits for Python integers on 64-bit platforms; adding support for arbitrary code page encodings on Windows; improving complex and fraction number support...

Thanks to the investment of [the OpenSSF's security project] Alpha-Omega in 2024, our Security Developer-in-Residence, Seth Larson, continued his work improving the security posture of CPython and the ecosystem of Python packages. Python continues to be an open source security leader, evident by the Linux kernel becoming a CVE Numbering Authority using our guide as well as our publication of a new implementers guide for Trusted Publishers used by Ruby, Crates.io, and Nuget. Python was also recommended as a memory-safe programming language in early 2024 by the White House and CISA following our response to the Office of the National Cyber Directory Request for Information on open source security in 2023... Due to the increasing demand for SBOMs, Seth has taken the initiative to generate SBOM documents for the CPython runtime and all its dependencies, which are now available on python.org/downloads. Seth has also started work on standardizing SBOM documents for Python packages with PEP 770, aiming to solve the "Phantom Dependency" problem and accurately represent non-Python software included in Python packages.

With the continued investment in 2024 by Amazon Web Services Open Source and Georgetown CSET for this critical role, our PyPI Safety & Security Engineer, Mike Fiedler, completed his first full calendar year at the PSF... In March 2024, Mike added a "Report project as malware" button on the website, creating more structure to inbound reports and decreasing remediation time. This new button has been used over 2,000 times! The large spike in June led to prohibiting Outlook email domains, and the spike in November was driven by a persistent attack. Mike developed the ability to place projects in quarantine pending further investigation. Thanks to a grant from Alpha-Omega, Mike will continue his work for a second year. We plan to do more work on minimizing time-on-PyPI for malware in 2025...

In 2024, PyPI saw an 84% growth in download counts and 48% growth in bandwidth, serving 526,072,569,160 downloads for the 610,131 projects hosted there, requiring 1.11 Exabytes of data transfer, or 281.6 Gbps of bandwidth 24x7x365. In 2024, 97k new projects, 1.2 million new releases, and 3.1 million new files were uploaded to the index.

The developer-focused analyst firm RedMonk releases twice-a-year rankings of programming language popularity. This week they also released a handy graph showing the movement of top 20 languages since 2012. Their current rankings for programming language popularity...

1. JavaScript
2. Python
3. Java
4. PHP
5. C#
6. TypeScript
7. CSS
8. C++
9. Ruby
10. C

The chart shows that over the years the rankings really haven't changed much (other than a surge for TypeScript and Python, plus a drop for Ruby). JavaScript has consistently been #1 (except in two early rankings, where it came in behind Java). And in 2020 Java finally slipped from #2 down to #3, falling behind... Python. Python had already overtaken PHP for the #3 spot in 2017, pushing PHP to a steady #4. C# has maintained the #5 spot since 2014 (though with close competition from both C++ and CSS). And since 2021 the next four spots have been held by Ruby, C, Swift, and R.

The only change in the current top 20 since the last ranking "is Dart dropping from a tie with Rust at 19 into sole possession of 20," writes RedMonk co-founder Stephen O'Grady. "In the decade and a half that we have been ranking these languages, this is by far the least movement within the top 20 that we have seen. While this is to some degree attributable to a general stasis that has settled over the rankings in recent years, the extraordinary lack of movement is likely also in part a manifestation of Stack Overflow's decline in query volume..." The arrival of AI has had a significant and accelerating impact on Stack Overflow, which comprises one half of the data used to both plot and rank languages twice a year... Stack Overflow's value from an observational standpoint is not what it once was, and that has a tangible impact, as we'll see....

As that long time developer site sees fewer questions, it becomes less impactful in terms of driving volatility on its half of the rankings axis, and potentially less suggestive of trends moving forward... [W]e're not yet at a point where Stack Overflow's role in our rankings has been deprecated, but the conversations at least are happening behind the scenes.
"The veracity of the Stack Overflow data is increasingly questionable," writes RedMonk's research director: When we use Stack Overflow for programming language rankings we measure how many questions are asked using specific programming language tags... While other pieces, like Matt Asay's AI didn't kill Stack Overflow are right to point out that the decline existed before the advent of AI coding assistants, it is clear that the usage dramatically decreased post 2023 when ChatGPT became widely available. The number of questions asked are now about 10% what they were at Stack Overflow's peak.
"RedMonk is continuing to evaluate the quality of this analysis," the research director concludes, arguing "there is value in long-lived data, and seeing trends move over a decade is interesting and worthwhile. On the other hand, at this point half of the data feeding the programming language rankings is increasingly stale and of questionable value on a going-forward basis, and there is as of now no replacement public data set available.

"We'll continue to watch and advise you all on what we see with Stack Overflow's data."

An anonymous reader quotes a report from ZDNet: Denmark's Minister of Digitalization, Caroline Stage, has announced that the Danish government will start moving away from Microsoft Office to LibreOffice. Why? It's not because open-source is better, although I would argue that it is, but because Denmark wants to claim "digital sovereignty." In the States, you probably haven't heard that phrase, but in the European Union, digital sovereignty is a big deal and getting bigger.

A combination of security, economic, political, and societal imperatives is driving the EU's digital sovereignty moves. EU leaders are seeking to reduce Europe's dependence on foreign technology providers, primarily those from the United States, and to assert greater control over its digital infrastructure, data, and technological future. Why? Because they're concerned about who controls European data, who sets the rules, and who can potentially cut off access to essential services in times of geopolitical tension. "Money issues have also played a decisive role," writes ZDNet's Steven Vaughan-Nichols. "Copenhagen's Microsoft software bill has soared from 313 million kroner in 2018 to 538 million kroner -- about $53 million in 2023, a 72% increase in just five years.

David Heinemeier Hansson (DHH), a Dane, inventor of Ruby on Rails, and co-owner of the software developer company 37Signals, has said: "Denmark is one of the most highly digitalized countries in the world. It's also one of the most Microsoft-dependent. In fact, Microsoft is by far and away the single biggest dependency, so it makes perfect sense to start the quest for digital sovereignty there."

Ruby on Rails creator and Basecamp CTO David Heinemeier Hansson, makes a case for why Google shouldn't be forced to sell Chrome: First, Chrome won the browser war fair and square by building a better surfboard for the internet. This wasn't some opportune acquisition. This was the result of grand investments, great technical prowess, and markets doing what they're supposed to do: rewarding the best. Besides, we have a million alternatives. Firefox still exists, so does Safari, so does the billion Chromium-based browsers like Brave and Edge. And we finally even have new engines on the way with the Ladybird browser.

Look, Google's trillion-dollar business depends on a thriving web that can be searched by Google.com, that can be plastered in AdSense, and that now can feed the wisdom of AI. Thus, Google's incredible work to further the web isn't an act of charity, it's of economic self-interest, and that's why it works. Capitalism doesn't run on benevolence, but incentives.

We want an 800-pound gorilla in the web's corner! Because Apple would love nothing better (despite the admirable work to keep up with Chrome by Team Safari) to see the web's capacity as an application platform diminished. As would every other owner of a proprietary application platform. Microsoft fought the web tooth and nail back in the 90s because they knew that a free, open application platform would undermine lock-in -- and it did!

An anonymous reader quotes a report from 404 Media: A "vibe coded" AI app developed by entrepreneur and Y Combinator group partner Tom Blomfield has generated recipes that gave users instruction on how to make "Cyanide Ice Cream," "Thick White Cum Soup," and "Uranium Bomb," using those actual substances as ingredients. Vibe coding, in case you are unfamiliar, is the new practice where people, some with limited coding experience, rapidly develop software with AI assisted coding tools without overthinking how efficient the code is as long as it's functional. This is how Blomfield said he made RecipeNinja.AI. [...] The recipe for Cyanide Ice Cream was still live on RecipeNinja.AI at the time of writing, as are recipes for Platypus Milk Cream Soup, Werewolf Cream Glazing, Cholera-Inspired Chocolate Cake, and other nonsense. Other recipes for things people shouldn't eat have been removed.

It also appears that Blomfield has introduced content moderation since users discovered they could generate dangerous or extremely stupid recipes. I wasn't able to generate recipes for asbestos cake, bullet tacos, or glue pizza. I was able to generate a recipe for "very dry tacos," which looks not very good but not dangerous. In a March 20 blog on his personal site, Blomfield explained that he's a startup founder turned investor, and while he has experience with PHP and Ruby on Rails, he has not written a line of code professionally since 2015. "In my day job at Y Combinator, I'm around founders who are building amazing stuff with AI every day and I kept hearing about the advances in tools like Lovable, Cursor and Windsurf," he wrote, referring to AI-assisted coding tools. "I love building stuff and I've always got a list of little apps I want to build if I had more free time."

After playing around with them, he wrote, he decided to build RecipeNinja.AI, which can take a prompt as simple as "Lasagna," and generate an image of the finished dish along with a step-by-stape recipe which can use ElevenLabs's AI generated voice to narrate the instruction so the user doesn't have to interact with a device with his tomato sauce-covered fingers. "I was pretty astonished that Windsurf managed to integrate both the OpenAI and Elevenlabs APIs without me doing very much at all," Blomfield wrote. "After we had a couple of problems with the open AI Ruby library, it quickly fell back to a raw ruby HTTP client implementation, but I honestly didn't care. As long as it worked, I didn't really mind if it used 20 lines of code or two lines of code." Having some kind of voice controlled recipe app sounds like a pretty good idea to me, and it's impressive that Blomfield was able to get something up and running so fast given his limited coding experience. But the problem is that he also allowed users to generate their own recipes with seemingly very few guardrails on what kind of recipes are and are not allowed, and that the site kept those results and showed them to other users.

In 2022 Google released a tool to easily scan for vulnerabilities in dependencies named OSV-Scanner. "Together with the open source community, we've continued to build this tool, adding remediation features," according to Google's security blog, "as well as expanding ecosystem support to 11 programming languages and 20 package manager formats... Users looking for an out-of-the-box vulnerability scanning CLI tool should check out OSV-Scanner, which already provides comprehensive language package scanning capabilities..."

Thursday they also announced an extensible library for "software composition analysis" scanning (as well as file-system scanning) named OSV-SCALIBR (Open Source Vulnerability — Software Composition Analysis LIBRary). The new library "combines Google's internal vulnerability management expertise into one scanning library with significant new capabilities such as:

• Software composition analysis for installed packages, standalone binaries, as well as source code

• OSes package scanning on Linux (COS, Debian, Ubuntu, RHEL, and much more), Windows, and Mac

• Artifact and lockfile scanning in major language ecosystems (Go, Java, Javascript, Python, Ruby, and much more)

• Vulnerability scanning tools such as weak credential detectors for Linux, Windows, and Mac

• Software Bill of Materials (SBOM) generation in SPDX and CycloneDX, the two most popular document formats

• Optimization for on-host scanning of resource constrained environments where performance and low resource consumption is critical

"OSV-SCALIBR is now the primary software composition analysis engine used within Google for live hosts, code repos, and containers. It's been used and tested extensively across many different products and internal tools to help generate SBOMs, find vulnerabilities, and help protect our users' data at Google scale. We offer OSV-SCALIBR primarily as an open source Go library today, and we're working on adding its new capabilities into OSV-Scanner as the primary CLI interface."

Five local privilege escalation (LPE) vulnerabilities in the Linux utility "needrestart" -- widely used on Ubuntu to manage service updates -- allow attackers with local access to escalate privileges to root. The flaws were discovered by Qualys in needrestart version 0.8, and fixed in version 3.8. BleepingComputer reports: Complete information about the flaws was made available in a separate text file, but a summary can be found below:

- CVE-2024-48990: Needrestart executes the Python interpreter with a PYTHONPATH environment variable extracted from running processes. If a local attacker controls this variable, they can execute arbitrary code as root during Python initialization by planting a malicious shared library.
- CVE-2024-48992: The Ruby interpreter used by needrestart is vulnerable when processing an attacker-controlled RUBYLIB environment variable. This allows local attackers to execute arbitrary Ruby code as root by injecting malicious libraries into the process.
- CVE-2024-48991: A race condition in needrestart allows a local attacker to replace the Python interpreter binary being validated with a malicious executable. By timing the replacement carefully, they can trick needrestart into running their code as root.
- CVE-2024-10224: Perl's ScanDeps module, used by needrestart, improperly handles filenames provided by the attacker. An attacker can craft filenames resembling shell commands (e.g., command|) to execute arbitrary commands as root when the file is opened.
- CVE-2024-11003: Needrestart's reliance on Perl's ScanDeps module exposes it to vulnerabilities in ScanDeps itself, where insecure use of eval() functions can lead to arbitrary code execution when processing attacker-controlled input. The report notes that attackers would need to have local access to the operation system through malware or a compromised account in order to exploit these flaws. "Apart from upgrading to version 3.8 or later, which includes patches for all the identified vulnerabilities, it is recommended to modify the needrestart.conf file to disable the interpreter scanning feature, which prevents the vulnerabilities from being exploited," adds BleepingComputer.

WordPress.org has seized control of WP Engine's Advanced Custom Fields plugin, renaming it "Secure Custom Fields" and removing commercial elements, according to WordPress co-founder Matt Mullenweg. The move, justified by alleged security concerns and linked to ongoing litigation between WP Engine and Automattic, marks an unprecedented forcible takeover in the WordPress ecosystem.

David Heinemeier Hansson, creator of Ruby on Rails and co-founder and chief technology officer of Basecamp-maker 37signals, opines on the situation: For a dispute that started with a claim of "trademark confusion", there's an incredible irony in the fact that Automattic is now hijacking users looking for ACF onto their own plugin. And providing as rational for this unprecedented breach of open source norms that ACF needs maintenance, and since WPE is no longer able to provide that (given that they were blocked!), Automattic has to step in to do so. I mean, what?!

Imagine this happening on npm? Imagine Meta getting into a legal dispute with Microsoft (the owners of GitHub, who in turn own npm), and Microsoft responding by directing GitHub to ban all Meta employees from accessing their repositories. And then Microsoft just takes over the official React repository, pointing it to their own Super React fork. This is the kind of crazy we're talking about.

Weaponizing open source code registries is something we simply cannot allow to form precedence. They must remain neutral territory. Little Switzerlands in a world of constant commercial skirmishes.

And that's really the main reason I care to comment on this whole sordid ordeal. If this fight was just one between two billion-dollar companies, as Automattic and WPE both are, I would not have cared to wade in. But the principles at stake extend far beyond the two of them.

Using an open source project like WordPress as leverage in this contract dispute, and weaponizing its plugin registry, is an endangerment of an open source peace that has reigned decades, with peace-time dividends for all. Not since the SCO-Linux nonsense of the early 2000s have we faced such a potential explosion in fear, doubt, and uncertainty in the open source realm on basic matters everyone thought they could take for granted.

David Heinemeier Hansson, creator of Ruby on Rails and co-founder and chief technology officer of Basecamp-maker 37signals, has criticized Automattic's demand for 8% of vendor WP Engine's revenues as a violation of open source principles and the GPL license. He argues this, among other things, undermines the clarity and certainty of open source licensing, threatening its integrity beyond WordPress. He writes: Ruby on Rails, the open-source web framework I created, has been used to create businesses worth hundreds of billions of dollars combined. Some of those businesses express their gratitude and self-interest by supporting the framework with dedicated developers, membership of The Rails Foundation, or conference sponsorships. But many also do not! And that is absolutely their right, even if it occasionally irks a little.

That's the deal. That's open source. I give you a gift of code, you accept the terms of the license. There cannot be a second set of shadow obligations that might suddenly apply, if you strike it rich using the software. Then the license is meaningless, the clarity all muddled, and certainty lost.

Look, Automattic can change their license away from the GPL any time they wish. The new license will only apply to new code, though, and WP Engine, or anyone else, are eligible to fork the project. That's what happened with Redis after Redis Labs dropped their BSD license and went with a commercial source-available alternative. Valkey was forked from the last free Redis version, and now that's where anyone interested in an open-source Redis implementation is likely to go.

But I suspect Automattic wants to have their cake and eat it too. They want to retain WordPress' shine of open source, but also be able to extract their pound of flesh from any competitor that might appear, whenever they see fit. Screw that.

Redmonk's latest programming language ranking (attempting to gauge "potential future adoption trends") has found evidence of "a landscape resistant to change." Outside of CSS moving down a spot and C++ moving up one, the Top 10 was unchanged. And even in the back half of the rankings, where languages tend to be less entrenched and movement is more common, only three languages moved at all... There are a few signs of languages following in TypeScript's footsteps and working their way up the path, both in the Top 20 and at the back end of the Top 100 as we'll discuss shortly, but they're the exception that proves the rule.

It's possible that we'll see more fluid usage of languages, and increased usage of code assistants would theoretically make that much more likely, but at this point it's a fairly static status quo. With that, some results of note:

- TypeScript (#6): technically TypeScript didn't move, as it was ranked sixth in our last run, but this is the first quarter in which is has been the sole occupant of that spot. CSS, in this case, dropped one place to seven leaving TypeScript just outside the Top 5. It will be interesting to see whether or not it has more momentum to expend or whether it's topped out for the time being.

- Kotlin (#14) / Scala (#14): both of these JVM-based languages jumped up a couple of spots — two spots in Scala's case and three for Kotlin. Scala's rise is notable because it had been on something of a downward trajectory from a one time high of 12th, and Kotlin's placement is a mild surprise because it had spent three consecutive runs not budging from 17, only to make the jump now. The tie here, meanwhile, is interesting because Scala's long history gives it an accretive advantage over Kotlin's more recent development, but in any case the combination is evidence of the continued staying power of the JVM.

- Objective C (#17): speaking of downward trajectories and the 17th placement on this list, Objective C's slide that began in mid-2018 continued and left the language with its lowest placement in these rankings to date at #17. That's still an enormously impressive achievement, of course, and there are dozens of languages that would trade their usage for Objective C's, but the direction of travel seems clear.

- Dart (#19) / Rust (#19): while once grouped with Kotlin as up and coming languages driven by differing incentives and trends, Dart and Rust have not been able to match the ascent of their counterpart with five straight quarters of no movement. That's not necessarily a negative; as with Objective C, these are still highly popular languages and communities, but it's worth questioning whether new momentum will arrive and from where, particularly because the communities are experiencing some friction in growing their usage.
It's important to remember Redmonk's methodology. "We extract language rankings from GitHub and Stack Overflow, and combine them for a ranking that attempts to reflect both code (GitHub) and discussion (Stack Overflow) traction. The idea is not to offer a statistically valid representation of current usage, but rather to correlate language discussion and usage in an effort to extract insights into potential future adoption trends."

Having said that, here's the current top ten in Redmonk's ranking:

1. JavaScript
2. Python
3. Java
4. PHP
5. C#
6. TypeScript
7. CSS
8. C++
9. Ruby
10. C

Their announcement also notes that at the other end of the list, the programming language Bicep "jumped eight spots to #78 and Zig 10 to #87. That progress pales next to Ballerina, however, which jumped from #80 to #61 this quarter. The general purpose language from WS02, thus, is added to the list of potential up and comers we're keeping an eye on."

Pundits aggregate results from multiple pollsters to minimize biases. So ZDNet tried the same approach, but aggregating rankings for the popularity of 19 top programming languages. Senior contributing editor David Gewirtz combined results from nine popularity rankings, including PYPL, the Tiobe index, GitHub's Usage 2023 summary report, and several rankings from Stack Overflow and from IEEE Spectrum.

The results? The top cluster contains Python, JavaScript, and Java. These are all very representative in the world of AI coding...

The next cluster contains the classic C-based languages [C++, C#, C], plus TypeScript (which is a more robust JavaScript variant) and SQL.

Below that are languages that were dominant a while ago, the web languages used to build and operate websites [HTML/CSS, PHP, Shell], followed by a range of other languages that are either growing in popularity (R, Dart) or dropping in popularity (Ruby). [Just above Ruby are Go, Rust, Kotlin, and Lua.]

Finally, at the bottom is Swift, Apple's language of choice. Objective-C, the previous language of Apple programming, has all but dropped off the list since Apple launched Swift. But while Apple boasts many developers, Swift is clearly not a standout in programmer interest... [T]here aren't a huge number of companies hiring Apple app developers, at least primarily. That's why Swift is relatively far down the chart. Objective-C is being replaced by Swift, and we can see it dropping right before our eyes.
"With the exception of Java, the C-family of languages still dominates," the article concludes, before adding that if you're only going to learn one language, "I'd recommend Python, Java, and JavaScript instead." But it also advises aspiring programmers to learn "multiple languages and multiple frameworks. Build things in the languages. Programming is not just an intellectual exercise. You have to actually make stuff....

"[L]earning how to learn languages is as important as learning a language — and the best way to do that is to learn more than one."

"Rust is the fastest-growing programming language, with its developer community doubling in size over the past two years," writes The New Stack, "yet JavaScript remains the most popular language with 25.2 million active developers, according to the results of a recent survey." The 26th edition of SlashData's Developer Nation survey showed that the Rust community doubled its number of users over the past two years — from two million in the first quarter of 2022 to four million in the first quarter of 2024 — and by 33% in the last 12 months alone. The SlashData report covers the first quarter of 2024. "Rust has developed a passionate community that advocates for it as a memory-safe language which can provide great performance, but cybersecurity concerns may lead to an even greater increase," the report said. "The USA and its international partners have made the case in the last six months for adopting memory-safe languages...."

"JavaScript's dominant position is unlikely to change anytime soon, with its developer population increasing by 4M developers over the last 12 months, with a growth rate in line with the global developer population growth," the report said. The strength of the JavaScript community is fueled by the widespread use of the language across all types of development projects, with at least 25% of developers in every project type using it, the report said. "Even in development areas not commonly associated with the language, such as on-device coding for IoT projects, JavaScript still sees considerable adoption," SlashData said.

Also, coming in strong, Python has overtaken Java as the second most popular language, driven by the interest in machine learning and AI. The battle between Python and Java shows Python with 18.2 million developers in Q1 2024 compared to Java's 17.7 million. This comes about after Python added more than 2.1 million net new developers to its community over the last 12 months, compared to Java which only increased by 1.2 million developers... Following behind Java there is a six-million-developer gap to the next largest community, which is C++ with 11.4 million developers, closely trailed by C# with 10.2 million and PHP with 9.8 million. Languages with the smallest communities include Objective-C with 2.7 million developers, Ruby with 2.5 million, and Lua with 1.8 million. Meanwhile, the Go language saw its developer population grow by 10% over the last year. It had previously outpaced the global developer population growth, growing by 5Y% over the past two years, from three million in Q1 2022 to 4.7 million in Q1 2024.
"TNS analyst Lawrence Hecht has a few different takeaways. He notes that with the exceptions of Rust, Go and JavaScript, the other major programming languages all grew slower than the total developer population, which SlashData says increased 39% over the last two years alone."

The PHP programming language has sunk to its lowest position ever on the long-running TIOBE index of programming language popularity. It now ranks #17 — lower than Assembly Language, Ruby, Swift, Scratch, and MATLAB. InfoWorld reports: When the Tiobe index started in 2001, PHP was about to become the standard language for building websites, said Paul Jansen, CEO of software quality services vendor Tiobe. PHP even reached the top 3 spot in the index, ranking third several times between 2006 and 2010. But as competing web development frameworks such as Ruby on Rails, Django, and React arrived in other languages, PHP's popularity waned.

"The major driving languages behind these new frameworks were Ruby, Python, and most notably JavaScript," Jansen noted in his statement accompanying the index. "On top of this competition, some security issues were found in PHP. As a result, PHP had to reinvent itself." Nowadays, PHP still has a strong presence in small and medium websites and is the language leveraged in the WordPress web content management system. "PHP is certainly not gone, but its glory days seem to be over," Jansen said.
A note on the rival Pypl Popularity of Programming Language Index argues that the TIOBE Index "is a lagging indicator. It counts the number of web pages with the language name." So while "Objective-C" ranks #30 on TIOBE's index (one rank above Classic Visual Basic), "who is reading those Objective-C web pages? Hardly anyone, according to Google Trends data." On TIOBE's index, Fortran now ranks #10.

Meanwhile, PHP ranks #7 on Pypl (based on the frequency of searches for language tutorials).

TIOBE's top ten?

1. Python
2. C
3. C++
4. Java
5. C#
6. JavaScript
7. Go
8. Visual Basic
9. SQL
10. Fortran

The next two languages, ranked #11 and #12, are Delphi/Object Pascal and Assembly Language.

Apple, in a blog post: We are delighted to announce the open source first release of Pkl (pronounced Pickle), a programming language for producing configuration. When thinking about configuration, it is common to think of static languages like JSON, YAML, or Property Lists. While these languages have their own merits, they tend to fall short when configuration grows in complexity. For example, their lack of expressivity means that code often gets repeated. Additionally, it can be easy to make configuration errors, because these formats do not provide any validation of their own. To address these shortcomings, sometimes formats get enhanced by ancillary tools that add special logic. For example, perhaps there's a need to make code more DRY, so a special property is introduced that understands how to resolve references, and merge objects together. Alternatively, there's a need to guard against validation errors, so some new way is created to validate a configuration value against an expected type. Before long, these formats almost become programming languages, but ones that are hard to understand and hard to write.

On the other end of the spectrum, a general-purpose language might be used instead. Languages like Kotlin, Ruby, or JavaScript become the basis for DSLs that generate configuration data. While these languages are tremendously powerful, they can be awkward to use for describing configuration, because they are not oriented around defining and validating data. Additionally, these DSLs tend to be tied to their own ecosystems. It is a hard sell to use a Kotlin DSL as the configuration layer for an application written in Go. We created Pkl because we think that configuration is best expressed as a blend between a static language and a general-purpose programming language. We want to take the best of both worlds; to provide a language that is declarative and simple to read and write, but enhanced with capabilities borrowed from general-purpose languages. When writing Pkl, you are able to use the language features you'd expect, like classes, functions, conditionals, and loops. You can build abstraction layers, and share code by creating packages and publishing them. Most importantly, you can use Pkl to meet many different types of configuration needs. It can be used to produce static configuration files in any format, or be embedded as a library into another application runtime.

We designed Pkl with three overarching goals:
To provide safety by catching validation errors before deployment.
To scale from simple to complex use-cases.
To be a joy to write, with our best-in-class IDE integrations.

In response to new EU regulations, Apple on Thursday outlined plans to allow iOS developers to distribute apps outside the App Store starting in March, though developers must still submit apps for Apple's review and pay commissions. Now critics say the changes don't go far enough and Apple retains too much control.

Epic Games CEO Tim Sweeney: They are forcing developers to choose between App Store exclusivity and the store terms, which will be illegal under DMA (Digital Markets Act), or accept a new also-illegal anticompetitive scheme rife with new Junk Fees on downloads and new Apple taxes on payments they don't process. 37signals's David Heinemeier Hansson, who is also the creator of Ruby on Rails: Let's start with the extortion regime that'll befell any large developer who might be tempted to try hosting their app in one of these new alternative app stores that the EU forced Apple to allow. And let's take Meta as a good example. Their Instagram app alone is used by over 300 million people in Europe. Let's just say for easy math there's 250 million of those in the EU. In order to distribute Instagram on, say, a new Microsoft iOS App Store, Meta would have to pay Apple $11,277,174 PER MONTH(!!!) as a "Core Technology Fee." That's $135 MILLION DOLLARS per year. Just for the privilege of putting Instagram into a competing store. No fee if they stay in Apple's App Store exclusively.

Holy shakedown, batman! That might be the most blatant extortion attempt ever committed to public policy by any technology company ever. And Meta has many successful apps! WhatsApp is even more popular in Europe than Instagram, so that's another $135M+/year. Then they gotta pay for the Facebook app too. There's the Messenger app. You add a hundred million here and a hundred million there, and suddenly you're talking about real money! Even for a big corporation like Meta, it would be an insane expense to offer all their apps in these new alternative app stores.

Which, of course, is the entire point. Apple doesn't want Meta, or anyone, to actually use these alternative app stores. They want everything to stay exactly as it is, so they can continue with the rake undisturbed. This poison pill is therefore explicitly designed to ensure that no second-party app store ever takes off. Without any of the big apps, there will be no draw, and there'll be no stores. All of the EU's efforts to create competition in the digital markets will be for nothing. And Apple gets to send a clear signal: If you interrupt our tool-booth operation, we'll make you regret it, and we'll make you pay. Don't resist, just let it be. Let's hope the EU doesn't just let it be. Coalition of App Fairness, an industry body that represents over 70 firms including Tinder, Spotify, Proton, Tile, and News Media Europe: "Apple clearly has no intention to comply with the DMA. Apple is introducing new fees on direct downloads and payments they do nothing to process, which violates the law. This plan does not achieve the DMA's goal to increase competition and fairness in the digital market -- it is not fair, reasonable, nor non-discriminatory," said Rick VanMeter, Executive Director of the Coalition for App Fairness.

"Apple's proposal forces developers to choose between two anticompetitive and illegal options. Either stick with the terrible status quo or opt into a new convoluted set of terms that are bad for developers and consumers alike. This is yet another attempt to circumvent regulation, the likes of which we've seen in the United States, the Netherlands and South Korea. Apple's 'plan' is a shameless insult to the European Commission and the millions of European consumers they represent -- it must not stand and should be rejected by the Commission."

Web software firm 37Signals has migrated off the cloud after spending $3.2 million on Amazon Web Services last year, said co-founder David Heinemeier Hansson, who is also the creator of Ruby on Rails. The Basecamp project management software-maker bought $600,000 of Dell servers and expects to save over $7 million in five years by running operations in-house. From a report: DHH likened clouds to "merchants of complexity" where they are incentivized to make things as complex as possible to keep customers hooked. He compared that to the original Internet, which was not built on complex cloud services geared for multi-tenancy, but rather on simpler tools such as Linux and PHP, which anyone could use without cost. This is not to say cloud has zero value for all use cases, [Kelsey] Hightower and DHH agreed.

Clouds make perfect sense in many cases, for start-ups that do not know how much infrastructure they will need, and also for enterprises with a lack of expertise and money to burn. For many companies in the middle, though a lot of profit margin can be recovered by reducing cloud costs and running things in-house instead, the two argued.

An anonymous Slashdot reader shared this report from CNET: Marking its 60th year on television, the British time-travel series will close out 2023 with one last anniversary special that arrives on Christmas Day. Ncuti Gatwa's Doctor helms the Tardis in The Church on Ruby Road, which centers on an abandoned baby who grows up looking for answers... Disney Plus will stream Doctor Who: The Church on Ruby Road on Monday, Dec. 25, at 12:55 p.m. ET (9:55 a.m. PT) in all regions except the UK and Ireland, where it will air on the BBC. In case you missed it, viewers can also watch David Tennant starring in the other three anniversary specials: The Star Beast, Wild Blue Yonder and The Giggle. All releases are available on Disney Plus.
But what's interesting is CNET goes on to explain "why a VPN could be a useful tool." Perhaps you're traveling abroad and want to stream Disney Plus while away from home. With a VPN, you're able to virtually change your location on your phone, tablet or laptop to get access to the series from anywhere in the world. There are other good reasons to use a VPN for streaming too. A VPN is the best way to encrypt your traffic and stop your ISP from throttling your speeds...

You can use a VPN to stream content legally as long as VPNs are allowed in your country and you have a valid subscription to the streaming service you're using. The U.S. and Canada are among the countries where VPNs are legal

An anonymous reader shared this report from InfoWorld: JetBrains' Kotlin language, a Java rival endorsed by Google for Android mobile development, continues to scale up Tiobe's index of language popularity, reaching the 15th spot in the November 2023 rankings...

Software quality services company Tiobe cites Kotlin advantages including interoperability with Java and unrivaled Android accommodations as reasons for the language's rise. Kotlin, Tiobe CEO Paul Jansen said, also fits in with a modern programming culture of expressive languages that have a strong type system and avoid null pointer exceptions by design. "Based on my experience, I am pretty sure Kotlin can reach a top 10 position," Jansen said. It remains to be seen if it can ever scale as high as a top four slot, he added...

In the rival Pypl Popularity of Programming languages index this month, Kotlin was ranked 13th with a 1.76% share, having slipped slightly year-over-year.
Kotlin's rank on the TIOBE index rose three positions in the last month — after rising two positions the month before. TIOBE's CEO says the language has now achieved its highest ranking ever on the index, surpassing 2017's "first wave of Kotlin popularity...when Google announced first class support for Kotlin on Android."

Rust now ranks #20 on the index, behind Delphi/Object Pascal, Swift, Ruby, and R.

Here's TIOBE November rankings for top-20 most popular programming languages:

1. Python
2. C
3. C++
4. Java
5. C#
6. JavaScript
7. PHP
8. Visual Basic
9. SQL
10. Assembly Language
11. Scratch
12. Fortran
13. Go
14. MATLAB
15. Kotlin
16. Delphi/Object Pascal
17. Swift
18. Ruby
19. R
20. Rust

The senior security editor at Ars Technica writes: Highly invasive malware targeting software developers is once again circulating in Trojanized code libraries, with the latest ones downloaded thousands of times in the last eight months, researchers said Wednesday.

Since January, eight separate developer tools have contained hidden payloads with various nefarious capabilities, security firm Checkmarx reported. The most recent one was released last month under the name "pyobfgood." Like the seven packages that preceded it, pyobfgood posed as a legitimate obfuscation tool that developers could use to deter reverse engineering and tampering with their code. Once executed, it installed a payload, giving the attacker almost complete control of the developerâ(TM)s machine. Capabilities include:


- Exfiltrate detailed host information
- Steal passwords from the Chrome web browser
- Set up a keylogger
- Download files from the victim's system
- Capture screenshots and record both screen and audio
- Render the computer inoperative by ramping up CPU usage, inserting a batch script in the startup directory to shut down the PC, or forcing a BSOD error with a Python script
- Encrypt files, potentially for ransom
- Deactivate Windows Defender and Task Manager
- Execute any command on the compromised host


In all, pyobfgood and the previous seven tools were installed 2,348 times. They targeted developers using the Python programming language... Downloads of the package came primarily from the US (62%), followed by China (12%) and Russia (6%)
Ars Technica concludes that "The never-ending stream of attacks should serve as a cautionary tale underscoring the importance of carefully scrutinizing a package before allowing it to run."

An anonymous reader shared this report from InfoWorld: JetBrains is previewing a dedicated IDE for the Rust programming language, called RustRover, which combines coding assistance with an integrated Rust toolchain. Available in preview September 13, RustRover is positioned to simplify the Rust coding experience while "unlocking the language's full potential," JetBrains said. Capabilities include real-time feedback, code suggestions, simplified toolchain management, and team collaboration.

Previously, JetBrains offered IntelliJ Rust, an open source Rust plugin for IntelliJ IDEs. But with RustRover, the company aims to provide a dedicated product with enhanced functionality for the growing Rust developer community. JetBrains also has been previewing a multi-language editor and IDE, called JetBrains Fleet, that supports Rust development...

RustRover will have some similarities to JetBrains' other language-specific IDEs including PyCharm for Python, GoLand for Go, and RubyMine for Ruby.
RustRover integrates with version control systems, supporting GitHub and Git.