Slashdot Mirror

A bug report submitted on Open Radar this week reveals a security vulnerability in the current version of macOS High Sierra that allows the App Store menu in System Preferences to be unlocked with any password. From a report: MacRumors is able to reproduce the issue on macOS High Sierra version 10.13.2, the latest public release of the operating system, on an administrator-level account by following these steps: 1. Click on System Preferences. 2. Click on App Store. 3. Click on the padlock icon to lock it if necessary. 4. Click on the padlock icon again. 5. Enter your username and any password. 6. Click Unlock.

As mentioned in the radar, System Preferences does not accept an incorrect password with a non-administrator account. We also weren't able to unlock any other System Preferences menus with an incorrect password. We're unable to reproduce the issue on the third or fourth betas of macOS High Sierra 10.13.3, suggesting Apple has fixed the security vulnerability in the upcoming release. However, the update currently remains in testing.

First time accepted submitter LibbyMC writes "Google's approach to bringing older C software to the browser is demonstrated in bringing the '80s-era AmigaOS to Chrome. 'The Native Client technology runs software written to run on a particular processor at close to the speeds that native software runs. The approach gives software more direct access to a computer's hardware , but it also adds security restrictions to prevent people from downloading malware from the Web that would take advantage of that power.'" Chrome users can go straight to the demo.

Last week you had a chance to ask Guido van Rossum, Python's BDFL (Benevolent Dictator For Life), about all things Python and his move to Dropbox. Guido wasted no time answering your questions and you'll find his responses below. From Google to Dropbox
by nurhussein

Hi, What prompted the move from Google to Dropbox? What did you do at Google, and what are you going to do at Dropbox?

Guido: After seven years at Google I was just ready for some change in environment, and then the Dropbox offer came along. At a high level, my job hasn't changed much: I still

- spend 50% of my time on whatever I want to do for Python in my BDFL role
- am a regular engineer in the organization (not a manager or even TL)
- do a lot of code reviews, architecture and design work
- handle a lot of email
- do a lot of actual coding for my job, in Python

The specifics differ of course. I really did only two things at Google: the first two years I worked on one of the first online code review tools Mondrian, which itself was never open-sourced but begat Rietveld, which did, and is used amongst others, by the Python, Go and Chromium communities. After that I joined Google App Engine where I did a lot of different things, almost all of them in Python. My last big project there was a new Python database API, NDB.

I've been at Dropbox for 7 months and my main project has been the design of the Dropbox Datastore API . It's ironic but not my fault that this also uses the "datastore" moniker -- there's little overlap between Dropbox Datastores and the Google App Engine Datastore.

What's even more ironic is that even though I did much of the design, and wrote two prototypes in Python, the SDKs we released last month only support Java, Objective-C and JavaScript. But I am working on a fix, this interview is just slowing me down. :-)



Why did Python avoid some common "OO" idioms?
by i_ate_god

Interfaces, abstract classes, private members, etc... Why did python avoid all this?

Guido: I can think of two reasons: (a) you don't really need them, and (b) they are hard to do if you have no compile-time type checking. Python started out as a skunkworks project (not endorsed or encouraged by management but not actively prevented), and I wanted results quickly. This led me to remove features that weren't actually needed or urgent; it also led me to do all type checking at run time, which gave me natural constraints on what features Python could support. I also had no religious OO ax to grind -- I just wanted an easy language, and it became OO more or less by accident.

In modern Python there are rough equivalents for all of these, but they don't necessarily work all that well, or they cause a lot of execution overhead, so they are often avoided, but they have their uses and their fans.



functional programming
by ebno-10db

Some people claim that Python is, at least partly, a functional language. You disagree, as do I. Simply having a few map and filter type functions does not make for a functional language. As I understand it those functions were added to the libraries by a homesick Lisper, and that several times you've been tempted to eliminate them. In general it seems you're not a fan of functional programming, at least for Python.

Question: do you feel that the functional programming approach is not very useful in general, or simply that it's not appropriate for Python? It would be nice to hear your reasons either way.

Guido: I'm not a fan of religiously taking some idea to the extreme, and I try to be pragmatic in my design choices (but not *too* pragmatic, see the start of this sentence :-). I value readability and usefulness for real code. There are some places where map() and filter() make sense, and for other places Python has list comprehensions. I ended up hating reduce() because it was almost exclusively used (a) to implement sum(), or (b) to write unreadable code. So we added builtin sum() at the same time we demoted reduce() from a builtin to something in functools (which is a dumping ground for stuff I don't really care about :-).

If I think of functional programming, I mostly think of languages that have incredibly powerful compilers, like Haskell. For such a compiler, the functional paradigm is useful because it opens up a vast array of possible transformations, including parallelization. But Python's compiler has no idea what your code means, and that's useful too. So, mostly I don't think it makes much sense to try to add "functional" primitives to Python, because the reason those primitives work well in functional languages don't apply to Python, and they make the code pretty unreadable for people who aren't used to functional languages (which means most programmers).

I also don't think that the current crop of functional languages is ready for mainstream. Admittedly I don't know much about the field besides Haskell, but any language *less* popular than Haskell surely has very little practical value, and I haven't heard of functional languages *more* popular than Haskell. As for Haskell, I think it's a great proving ground for all sorts of ideas about compiler technology, but I think its "purity" will always remain in the way of adoption. Having to come to grips with Monads just isn't worth it for most people.

(A similar comment applies to Scala. It may be the best you can do trying to combine functional and OO paradigms in one language, but the result isn't all that easy to use unless you're really smart.)



Multi-line lambdas
by NeverWorker1

One of the most common complaints about Python is the limitations of its lambdas, namely being one line only without the ability to do assignments. Obviously, Python's whitespace treatment is a major part of that (and, IIRC, I've read comments from you to that effect). I've spent quite a bit of time thinking about possible syntax for a multi-line lambda, and the best I've come up with is trying to shoehorn some unused (or little used) symbol into a C-style curly brace, but that's messy at best. Is there a better way, and do you see this functionality ever being added?

Guido: Really? I almost never hear that complaint except from people who submit questions to Slashdot interviews. :-)

There is indeed a better way, and that is using the 'def' keyword to define a regular function in a local scope. The defined function object becomes a local variable that has exactly the same semantics as a lambda except that it is bound to a local variable, and it doesn't have any of the syntactic constraints. For example, there is *no* semantic difference between

def make_adder(n):
__def adder(x):
____return x + n
__return adder

and this equivalent using lambda:

def make_adder(n):
__return lambda x: x + n

(except that when you introspect the lambda asking for its name, it will say '' instead of 'adder').

Andrew Koenig once pointed out to me that there's one pattern where lambdas are really much more convenient, and that is if you have a long list or dict (perhaps some kind of switching definition) containing lots of lambdas, since if you wanted to do that without lambda you'd end up first having to define lots of little functions, giving them all names, and then referencing them all by name from inside the list or dict. But in that pattern the lambdas are usually simple enough to be lambdas, and if you have a few exceptions, using 'def' before starting the list or dict is a fine compromise.



PyPy
by Btrot69

Do you see PyPy as the future? Or do you remain unconvinced, and -- if so -- why ?

Guido: I'm still unconvinced, for two reasons: (a) they don't support Python 3 (well) yet, and (b) there are lots of extension modules (both third party and in the standard library) that they don't support well. But I hope they'll fix those issues. I think it's competition from projects like PyPy, Jython and IronPython that keeps the CPython project honest and on its toes.



Python in the browser ?
by Btrot69

Over the years, there have been several attempts to create a sandboxed version of python that will safely run in a web browser.Mostly this was because of problems with Javascript. Now that Javascript works -- and we have nice things like CoffeeScript -- is it time to give up on python in the browser ?

Guido: I gave up on it in 1995, so yes. And please don't try to compile Python to JavaScript. The semantics are so different that you end up writing most of a Python runtime in JavaScript, which slows things down too much. (CoffeScript's strength is that it is designed to map cleanly to JavaScript, and the two are now co-evolving to make the mapping even cleaner.)



Python 3
by MetalliQaZ

How do you feel about the current state of the migration to Python 3 (Py3k)? From a user perspective it seems that the conversion of popular libraries has lagged far behind, which has impeded the transition. In my professional capacity, nearly every single system I use lacks an installed 3.x interpreter. In fact, 2.7 is a rarity. I'd like to get your thoughts.

Guido: Curious where you work. I agree that Python 3 migration will still take a long time, but if your systems don't come with Python 2.7 they must be pretty ancient! When I left Google they were about done with the internal transition to Python 2.7 (having successfully migrated from 2.4 to 2.6 over the past few years) and here at Dropbox both the client and the server are using Python 2.7. Both companies are already thinking about Python 3 too.

Back to Python 3 migration, I am actually pretty optimistic. Lots of popular libraries have a working port or are working on one. (The Python Software Foundation also occasionally funds projects to port libraries that are widely used but don't have enough of a community to do a port.) It will take a long time, but I see a lot of progress, and in a few years I expect most new code will be written in Python 3. Totally eradicating Python 2 usage will probably take much longer, but then again, Windows XP isn't quite dead yet either. :-)



Key question for any language designer
by dkleinsc

Have the prospects of Python in any way improved since you grew a beard? To what degree does language success correlate to beard length?

Guido: It is absolutely essential. Just look at Perl's fate -- Larry Wall is just too clean-shaven. :-)

An anonymous reader writes "Google is working on identifying Chrome tabs that are currently playing audio (or recording it). The feature is expected to show an audio animation if a tab is broadcasting or recording sound. François Beaufort spotted the new feature, a part of which is already available in the latest Chromium build."

An anonymous reader writes "All software has bugs, but this one is a particularly odd one. If you type "File:///" (no quotes) into almost any app on your Mac, it will crash. The discovery was made recently and a bug report was posted to Open Radar. First off, it’s worth noting that the bug only appears to be present in OS X Mountain Lion and is not reproducible in Lion or Snow Leopard. That’s not exactly good news given that this is the latest release of Apple’s operating system, which an increasing number of Mac users are switching to. ... A closer look shows the bug is inside Data Detectors, a feature that lets apps recognize dates, locations, and contact data, making it easy for you to save this information in your address book and calendar."

Hugh Pickens writes "Sarah Harris writes that roadkill may not be glamorous, but wildlife ecologist Danielle Garneau says dead critters carry lots of valuable information providing an opportunity to learn about wildlife and pinpoint migratory patterns, invasive species, and predatory patterns. 'We're looking at a fine scale at patterns of animal movement — maybe we can pick up migratory patterns, maybe we can see a phenology change,' says Garneau. 'And also, in the long term, if many of these animals are threatened or they're in a decline, the hope would be that we could share this information with people who could make changes.' Garneau turns students out into the world to find dead animals, document them and collect the data using a smartphone app RoadkillGarneau and she has already received data from across New York, as well as Vermont, Pennsylvania, Massachusetts, Michigan, Minnesota, Florida and Colorado. Participants take photos of the road kill, and the app uploads them through EpiCollect, which pinpoints the find on the map. Participants can then update the data to include any descriptors of the animal such as its species; sex; how long the dead animal had been there; if and when it was removed; the weather conditions; and any predators around it. 'People talk a lot about technology cutting us off from nature,' says Garneau. 'But I found that with the road kill project, it's the opposite. You really engage with the world around you — even if it is a smelly skunk decaying on the side of the road.'"

An anonymous reader writes "The evolution of user interface design in software is a long one, and has historically tracked the capabilities of computers of the time. Early computers used batch processing which, is mostly unheard of today, and consequently had minimal human interaction. The late 60s saw the introduction of command line interfaces, which remain popular to this day, mostly with technical users. Arguably, what propelled computer use to what it is today is the introduction of the ubiquitous graphical user interface. Although graphical interfaces have evolved, in principle they have remained largely unchanged. The resurgence of Apple saw the rise of skeuomorphic graphical user interfaces, which are now starting to appear on Linux. Are skeuomorphic designs making technology accessible to the masses, or is it simply a case of an unwillingness to innovate and move forward?"

suraj.sun sends word that a recent Facebook patent application details specific methods for tracking its users while they're using other websites. Michael Arrington pointed out over the weekend that this follows explicit statements from Facebook employees that the social networking giant has "no interest in tracking people." Quoting the Patent Application: "In one embodiment, a method is described for tracking information about the activities of users of a social networking system while on another domain. The method includes maintaining a profile for each of one or more users of the social networking system, each profile identifying a connection to one or more other users of the social networking system and including information about the user. The method additionally includes receiving one or more communications from a third-party website having a different domain than the social network system, each message communicating an action taken by a user of the social networking system on the third-party website. The method additionally includes logging the actions taken on the third-party website in the social networking system, each logged action including information about the action."

First time accepted submitter Core Condor writes "According to Australian technologist Nik Cubrilovic: 'Logging out of Facebook is not enough.' He added, Even after you are logged out, Facebook is able to track your browser's page every time you visit a website. He wrote in his blog: 'With my browser logged out of Facebook, whenever I visit any page with a Facebook like button, or share button, or any other widget, the information, including my account ID, is still being sent to Facebook.' After explaining the cookies behavior he also suggested a way to fix the tracking problem: 'The only solution to Facebook not knowing who you are is to delete all Facebook cookies.'"

Gendou writes "The EFF issued a statement that it will no longer accept Bitcoin donations, has not used any of the donations, and will transfer all past donations to The Bitcoin Faucet. See also additional and forum threads."

An anonymous reader writes "Cablegate: The Game is a game where players can read, tag and summarize the recently released US Embassy Cables. Points are awarded for finding the most tags in a cable." I wish this game were extended to more news sources generally — automated scans are nice, but can't (yet) make all the connections humans can.

Hugh Pickens writes "The San Francisco Chronicle reports that Google has released Jarlsberg, a 'small, cheesy' web application specifically designed to be full of bugs and security flaws as a security tutorial for coders, and encourages programmers to try their hands at exploiting weaknesses in Jarlsberg as a way of teaching them how to avoid similar vulnerabilities in their own code. Jarlsberg has multiple security bugs ranging from cross-site scripting and cross-site request forgery, to information disclosure, denial of service, and remote code execution. The codelab is organized by types of vulnerabilities." (Read on for more.) "In black box hacking, users try to find security bugs by experimenting with the application and manipulating input fields and URL parameters, trying to cause application errors, and looking at the HTTP requests and responses to guess server behavior while in white-box hacking, users have access to the source code and can use automated or manual analysis to identify bugs. The tutorial notes that accessing or attacking a computer system without authorization is illegal in many jurisdictions but while doing this codelab, users are specifically granted authorization to attack the Jarlsberg application as directed."

shadowmage13 writes "After the recent post about YouTube, so many votes were put in for HTML5 using Free and Open formats that Google has already cleared them all out (to make space for others) and issued an official response (requires Google login): 'We've heard a lot of feedback around supporting HTML5 and are working hard to meet your request, so stay tuned. We'll be following up when we have more information. We're answering this idea now because there are so many similar HTML5 ideas and we want to give other ideas a chance to be seen.' Now all the top ideas are concerning copyright and DMCA abuse."

An anonymous reader writes "YouTube's latest blog post indicated that some changes are on the way. Google has opened up a call to submit and vote on ideas. HTML 5 open video with Free formats has dominated the vote, maintaining over twice as many votes as the next-highest item almost since the vote opened up. You may vote here (Google login required). Perhaps we don't even need to since their blog post comes suspiciously soon after their revised merger with On2. Could these improvements be a completely overhauled YouTube 2.0?"

mask.of.sanity writes "Over a 1000 students were accepted into the fifth year of the program from 70 countries and will work on about 150 open source projects with mentor organisations. The program, created in 2005, has exposed some 2500 students to "real-world" software development and opened employment opportunities within mentor organisations and in fields relevant to their academic study. The United States scored the lion's share with 212 accepted students; 101 from India; 55 from Germany; 44 from Canada, 43 from Brazil. The Dominican Republic, Iceland, Luxembourg and Nigeria were new entrants to the program each with a single accepted student. Check out the slideshow summary of some project highlights, with hyperlinks back the detailed project pages."

mithro writes "As everyone should already know, Google is running the Summer of Code again this year. For those who don't know, GSoC is where Google funds student's to participate in Open Source projects and has been running for 5 years, bringing together over 2600 students and 2500 mentors from nearly 100 countries worldwide. Google has just announced the projects which will be mentor organizations this year. It includes a great list of Open Source projects from a wide range of different genres, include content management systems, compilers, many programming languages and even a bunch of games!"

bigearcow writes "ASCII art is nothing new, but this site takes it one step further by allowing you to embed another data file within the image. The resulting ASCII art remains printable (i.e. no special unicode symbols) — this means you can print the image out, hang it on your wall, and have it look like an innocent ASCII art when it's hiding a secret document of your choice." You'll need a small (200x200 pixel max) base image from which the ASCII art will be built.

theodp writes "So where do you turn to for great ideas when tough times force you to abort your engineers' brainchildren? If you're Google, reports Nicholas Carlson, you simply outsource brainstorming to your users. Google's launched a new Google Product Ideas blog as well as a Product Ideas for Google Mobile site where users can submit feature and product ideas and vote on others. So what's in it for you if you come up with Google's next billion-dollar-idea? 'If you post an idea or suggestion and we put it into action, we may give you a shout out on our Product Ideas blog,' explains Google, 'but we won't be compensating users for their ideas.' Lucky thing don't-be-evil Googlers don't have to live up to the IEEE Code of Ethics, or they might have to credit properly the contributions of others." So what's wrong with a shout out among consenting adults?