The next-generation Windows interface is exposed; Spring Native 0.10.0 is released | SiFu Weekly

40s News Express

• ByteDance's first disclosure of the company's financial situation: 2020 revenue of 236.6 billion yuan, operating loss of 14.7 billion yuan
• Taobao's 1.2 billion user data leaked, including user IDs and phone numbers
• macOS Monterey removed its own PHP
• The next generation of Windows interface exposure: new start menu and taskbar, rounded corner design
• Huawei, OPPO, vivo, and Xiaomi take the lead in formulating a unified technology for fast charging agreement
• Apple's new Apple Watch development map exposed, will include blood glucose sensor
• Nvidia’s acquisition of Arm could not be completed as scheduled, European regulators delayed approval
• iPhone 13 debut! Exposure that Apple has issued a large number of A15 orders: enhanced version of 5nm process
• Huawei Mate 50 latest news exposure: debut after P50
• GitHub discloses details of Linux vulnerabilities, which have affected many Linux distributions
• Google Chrome v91.0.4472.114 official version released
• Spring Native 0.10.0 released
• OpenSSL 3.0 Beta1 is released, the open source license is changed to Apache 2.0
• Linux 5.14 kernel mainline is expected to be compatible with Raspberry Pi 400

Industry Information

ByteDance's first disclosure of the company's financial situation: 2020 revenue of 236.6 billion yuan, operating loss of 14.7 billion yuan

According to an internal report by ByteDance, the actual revenue of ByteDance in 2020 will reach 236.6 billion yuan, a year-on-year increase of 111%, and an operating loss of 14.7 billion yuan. As of the end of 2020, the number of global monthly active users of ByteDance's products reached 1.9 billion, covering more than 150 countries and regions around the world, and supporting more than 35 languages. At present, ByteDance has offices in more than 30 countries in Asia, America, Europe, etc., and there are 110,000 formal employees worldwide.

Taobao's 1.2 billion user data leaked, including user IDs and phone numbers

Recently, the criminal verdict published by the People’s Court of Suiyang District, Shangqiu City, Henan Province, showed that Lu and Li used their own crawler software to crawl Taobao for eight months, and they found this in Ali. Before the first issue, they had obtained nearly 1.2 billion user messages.

The court ruled that both Lu and Li were guilty of infringing on citizens' personal information and were sentenced to more than 3 years in prison and a total fine of 450,000 yuan. The illegal proceeds were turned over to the state treasury.

According to the "Wall Street Journal" quoted an Alibaba spokesperson in response, the company proactively discovered and dealt with the incident and is cooperating with law enforcement agencies to protect users. However, the spokesperson did not specify how many users were affected, only that no user information was sold to a third party, and no economic losses occurred.

But this statement does not match the content of the judgment.

The perpetrator Lu was employed by Li. Starting from November 2019, he used his own designed web crawler software on Taobao to collect user IDs, mobile phone numbers, and user comments, and provided the mobile phone numbers of Taobao customers to Liuyang Taichuang Network Technology Co., Ltd. established by Li Mou was used for business activities, and from August 2019 to July 2020, the company illegally made 3.95 million yuan in profits.

The judgment also showed that the main business of Liuyang Taichuang Network Technology Co., Ltd. is "Taobao guest", which mainly promotes Taobao products in WeChat groups, thereby obtaining Taobao commissions and merchant service fees. Witness Wang Mou testified that its company community After the group members have established their respective WeChat groups, they provide the group's QR code to the boss Li, and then someone will automatically join the group.

As one of the largest shopping platforms in China, Taobao has accumulated a large amount of user privacy and consumption data. According to Alibaba's latest financial report for the fourth quarter of fiscal 2021, its China retail market has 925 million mobile monthly active users. In fiscal 2021, Alibaba's global active consumers will reach 1 billion.

Zhang Xuesong, co-founder & CTO of Shanghai Moule Network Technology Co., Ltd., said that in this Taobao user information leakage incident, Alibaba has the technical ability to prevent data leakage. He speculated that the leakage of 1.2 billion pieces of information may be due to defects in Taobao's internal interface design and illegal use of IP pools to circumvent Taobao's counter-investigation.

In this incident, the suspect crawled Taobao data, but the actual victim was indeed the user. Regarding the maintenance of user privacy, Zhang Xuesong believes that Ali can strengthen management and control methods in interface settings, especially private information such as mobile phone numbers.

Regarding the IP proxy model, Zhang Xuesong believes that Alibaba is also fully capable of constructing a risk database, setting the risk IP as a threat signature database and adding it to the prevention, control and risk control system. In addition, Ali can also appropriately introduce a third-party security company cooperation mechanism to conduct a more comprehensive verification of massive data, which will improve the security mechanism.

macOS Monterey removed its own PHP

Recently, a user asked in the Apple developer community that macOS 12 seems to lack PHP. The engineer in charge of developer tools replied: "macOS Monterey has removed PHP."

Some people expressed their understanding of Apple's decision, because the PHP version that comes with the system is almost out of date and lacks useful extensions. For anyone using PHP, there is now an easier way to install and manage multiple versions (brew, Docker, etc.) at the same time without having to deal with outdated and conflicting versions.

There are also users who think this is a huge step backwards, because one of the great advantages of macOS is the built-in Apache, which includes PHP, and he thinks Apple needs to reconsider this.

The next generation of Windows interface exposure: new start menu and taskbar, rounded corner design

According to a report by foreign media The Verge, since the first screenshot of Windows 11 appeared in Baidu Tieba, a mirror image of Microsoft's upcoming next-generation operating system (or named Windows 11) has appeared on the Internet.

From the exposed screenshots, we can see that the taskbar of the new system has undergone a major visual transformation, such as centering the icon, clearing the tray area, and using the new "Start" button.

Of course, if you don’t want to center the application icon and start menu, you can choose to move them all back to the left. In addition, compared to Windows 10, the start menu has also been simplified a lot, such as the removal of dynamic tiles, and the overall look is more concise and refined.

You can also see an important change from the screenshots, that is, the new system uses rounded corners globally, such as the right-click menu, start menu, file explorer and other windows and interfaces.

Some other changes:

• Windows widget

• New snap control

• New Microsoft Store

Huawei, OPPO, vivo, and Xiaomi take the lead in formulating a unified technology for fast charging agreement

According to the Telecommunications Terminal Industry Association, on May 28, the Telecommunications Terminal Industry Association released the "Mobile Terminal Converged Fast Charging Technical Specification" for the converged fast charging standard. In order to solve the industry’s pain points, the Green Energy Working Group (WG10) is actively working. The China Academy of Information and Communications Technology, Huawei, OPPO, vivo, and Xiaomi have led the "Mobile Terminal Convergence Fast Charging Technical Specification", which has won honors, Xilijie, and Rockchip. , Lihui Technology, Onbao Electronics, Dianku Networks and many other terminal, chip companies and industry partners. During the standard development process, leading manufacturers such as Huawei, OPPO, vivo, and Xiaomi broke the inherent technical thinking and took the lead in formulating a unified technology standard for fast charging of mobile terminals for the purpose of fast charging compatibility, to meet the long-term development needs of the industrial ecology .

Apple's new Apple Watch development map exposed, will contain blood glucose sensor

On June 15 news, people familiar with the matter revealed on Monday that Apple is developing a new Apple Watch and health features, including display and speed upgrades, extreme sports versions, and body temperature and blood glucose sensors.

It is reported that Apple plans to update the Apple Watch product line this year, launching a new device codenamed "Apple Watch Series 7". The processor of this product runs faster, and is equipped with an improved wireless connection and an upgraded display. In addition, Apple also plans to update the main Apple Watch products next year, and launch a new low-end Apple Watch SE and a new version for extreme sports athletes.

The news also said that Apple's original goal was to install a body temperature sensor in this year's model, but it is now more likely to be launched in the 2022 update. In addition, blood glucose sensors that help diabetics monitor blood glucose levels are unlikely to be ready for commercial release in the next few years.

For this year's new Apple Watch, Apple has tested thinner display bezels and lamination technology that brings the display closer to the front cover. The new Apple Watch may be slightly thicker overall, but it won't attract users' attention. The new Apple Watch will include updated ultra-wideband features, the same as the underlying technology in Apple's AirTag item finder. At the Global Developers Conference held earlier this month, Apple demonstrated the upcoming watchOS 8 software update, which will enable the device to unlock doors and hotel rooms.

Apple internally describes the extreme sports style as an "explorer" or "adventure" version. The product has been under development and was originally planned to be released as soon as this year. However, judging from the current situation, the extreme sports version of Apple Watch is more likely to be available in 2022. This new version of the device will help Apple compete with manufacturers such as Gaming and Casio. People familiar with the matter said that Apple's plan is still uncertain and may change. As of now, an Apple spokesperson has not commented on this report.

Nvidia’s acquisition of Arm could not be completed as scheduled, European regulators delayed approval

As the regulatory authorities delay the review time until after the summer vacation, Nvidia's acquisition of ARM will not be completed before March next year.

Nvidia said in its bid for Arm in September 2020 that it hopes to combine Nvidia's AI technology with Arm's complete ecosystem to provide customers with the best technical services. At the same time, NVIDIA will provide all Arm customers with new technologies to help the Arm ecosystem continue to develop in the AI era and gain an advantage in the competition with Intel's X86 architecture, instead of only a few giant companies such as Qualcomm that can use Arm's new technologies.

Three people familiar with the matter said that the European Commission raised more questions than Nvidia expected. It is reported that the antitrust agency has told Nvidia that if they do not submit the documents before the end of this month, they will have to wait until September because of the summer vacation of European staff. The potential delay in the transaction may cause it to exceed the expected completion time of the acquisition in March 2022. There are reports that if Nvidia’s acquisition fails, Qualcomm will be willing to invest in ARM.

iPhone 13 debut! Exposure that Apple has issued a large number of A15 orders: enhanced version of 5nm process

According to the latest news from DigiTimes, well-known chip manufacturers have recently received a large number of chip orders from Apple, including the A15 chip that has not been unveiled this year. It is reported that TSMC has fully launched the mass production plan of the A15 chip. The chip will be built using the N5P process, which is the second generation of 5nm. The performance of the process level is further increased, the power consumption is further reduced, and the performance is at least 20% compared to the A14. It can improve the efficiency by 30% at the same time.

Thanks to this, the iPhone 13 that will be unveiled in September of this year will not only improve performance again, but also balance 5G and power consumption, which will improve the current 5G iPhone battery life experience.

It is worth mentioning that, in addition to improvements in chip power consumption, the entire iPhone 13 series will also bring greater battery capacity.

According to previous reports, the new iPhone 13 has recently passed the domestic 3C certification, which shows that the iPhone 13 Pro Max is 4352mAh, which is nearly 700mAh more than the 3687mAh of the 12 Pro Max, the iPhone 13 is 3095mAh, and the iPhone 13 mini is 2406mAh.

This means that the entire iPhone 13 series will bring a better battery life experience, and users do not have to choose between 5G and battery life.

In addition, the new iPhone 13 will be upgraded to a small notch screen this year. This is the first time Apple has brought a positive appearance change in four years. The screen-to-body ratio has been effectively improved, and it is expected to attract countless consumers.

In terms of screens, the sizes of these four models are still 5.4, 6.1, and 6.7 inches, but the two models of the Pro version finally usher in the legendary high refresh screen, which supports up to 120Hz specifications, and will introduce LTPO panels. Support 1-120Hz adaptive refresh rate adjustment, which can save more power.

In terms of price, the cheapest model is still the iPhone 13 mini. The 64GB version is priced at only US$700, which is about 4,473 yuan. The top model iPhone 13 Pro Max is priced at US$1,600, which is about 10,224 yuan.

Huawei Mate 50 latest news exposure: debut after P50

Due to well-known reasons, Huawei’s P50 series flagship, which was supposed to debut in March and April of this year, has not yet been released. As for the Mate 50 series, which was originally supposed to be released in the second half of the year, there was news of “stopping changes”. Some domestic media recently reported that Huawei will not release new Mate series flagship mobile phones this year. This is also the first time that Huawei has "broken change" since it launched the Mate series of mobile phones in 2013.

However, according to the latest news from sources, the Huawei Mate series will not stop updating. Although it is very difficult at the moment, Huawei will still find ways to continue the iteration. Even if it does not appear this year, it will release a new generation of models next year.

For now, Huawei's focus will still be on the P50 series.

According to recent news from various sources, Huawei has now determined the release time of the P50 series and will officially debut before September, but the specific release date has not yet been revealed.

At the Hongmeng conference not long ago, Huawei officially announced a promotional video for the P50 series, which also proved that Huawei is ready for this new flagship.

Judging from the official appearance video, the back design of the Huawei P50 series is basically the same as the previous news. The rear camera will adopt a double-ring design, which will be equipped with different camera modules according to the specifications.

It is worth mentioning that it is reported that the Huawei P50 will be equipped with Sony’s exclusive custom IMX800 sensor as standard, with an ultra-large base close to 1 inch. This is also the largest sensor in Sony’s history and can bring more powerful imaging effects.

Latest technical information

GitHub discloses details of Linux vulnerabilities, which have affected many Linux distributions

This week, GitHub disclosed the details of an easily exploitable Linux vulnerability that can be used to elevate the user privileges of the target system to root privileges.

The vulnerability is classified as high-risk and marked as CVE-2021-3560, affecting the authorization service polkit that exists by default in many Linux distributions.

This security vulnerability was discovered by Kevin Backhouse of the GitHub Security Lab. The researcher published a blog post detailing his findings and a video showing the vulnerability.

A local, unprivileged attacker only needs to execute a few commands on the terminal to use this vulnerability to elevate his authority to root. The vulnerability has been confirmed to affect some versions of Red Hat Enterprise Linux, Fedora, Debian and Ubuntu. The patch for CVE-2021-3560 was released on June 3.

Backhouse said: "The vulnerability I found is quite old. It was introduced in submission bfa5036 seven years ago and first appeared with polkit 0.113."

The attacked component polkit is a system service designed to control the permissions of the entire system and provide a way for non-privileged processes to communicate with privileged processes. Backhouse describes it as a service that plays the role of a judge in its blog. The service decides whether actions initiated by users—especially actions that require higher authority—can be executed directly or require additional authorization, such as entering a password.

Google Chrome v91.0.4472.114 official version released

The official version of Google Chrome v91 is mainly updated. Thanks to the new Sparkplug compiler and short builtins calling mechanism, the browser speed is increased by up to 23%. The new Sparkplug compiler is designed to execute and optimize JavaScript code. Blank for maximum performance.

In addition, Google is also using "built-in calls" to optimize the browser's process of using generated code to reduce jumps when calling functions. Support desktop applications for read-only access to the clipboard. This feature will allow users to use clipboard keyboard shortcuts, such as Ctrl+C and Ctrl+V, to attach files to emails instead of just relying on drag and drop.

The main update of the official version of Google Chrome v90 introduces many user-centric functional improvements, supplemented by further improvements in security. By default, all links to the target website are enabled with the SSL secure transmission protocol (HTTPS), the new AV1 open source video encoder is supported by the technical support, and the high-definition video usage is greatly reduced. New window renaming function, you can rename multiple windows that have been opened, you can remember the configuration of the window, and it will automatically restore the state when it restarts in case of a crash. There are also WebXR deep API, URL protocol setting program enabled, effect overlay, and many improvements in security. For example, in order to prevent and mitigate NAT Slipstream 2.0 attacks, the HTTP/HTTPS/FTP server access through port 554 is blocked.

The main update of the official version of Google Chrome v89 fixes a zero-day vulnerability. It is recommended that users update as soon as possible. Optimized the support for APIs applicable to HID devices such as WebHID, WebNFC and Web Serial. In addition, NFC and serial devices are also considered ready for production use. Also initially added support for AV1 encoding for WebRTC. In addition, the desktop also brings Web Share and Web Share Target support and other enhancements.

Spring Native 0.10.0 released

Spring Native 0.10.0 has been released, this version is based on Spring Boot 2.5 and GraalVM 21.1, and mainly brings the following new features:

• Introduce native testing
• Added a new official Gradle plugin from the GraalVM team
• Introduce AOT (ahead-of-time) agents that can be used for classes

It also includes 43 bug fixes, documentation improvements, and dependency upgrades.

Native testing and Gradle plugin

The Spring Native development team said that they have been working with the GraalVM team to take the native image to a new level in terms of building plug-ins. Now, the new native build tool replaces the former native-image-maven-plugin, and supports the use of native compiler native-image to build and test native applications.

Previously only Maven support was provided, now Maven and Gradle plugins are provided. If you are upgrading, the coordinates of the new Maven plugin is org.graalvm.buildtools:native-maven-plugin:0.9.0. After configuring the native build tool plugin, developers can not only build through mvn -Pnative -DskipTests package or gradle nativeBuild For your own applications, you can also use mvn -Pnative test or gradle nativeTest to run JUnit 5 tests as native images.

In this regard, Spring Native itself has been upgraded to add initial test support, so @SpringBootTest will run as a native image. This is an important milestone for native Spring Boot applications and an important milestone for the JVM ecosystem, including Spring itself. Official plugins can now be used to improve the quality and maintainability of native support.

AOT (ahead-of-time) agent that can be used for classes

For native images, the proxy needs to be defined at build time. So far, Spring Native only supports JDK proxies that can only be used on interfaces, and does not support proxies for classes handled through CGLIB proxies on the JVM, because the native world does not support generating bytecode at runtime.

// Typical security use case of a class proxy now supported on native
@Service
public class GreetingService {

    public String hello() {
        return "Hello!";
    }

    @PreAuthorize("hasRole('ADMIN')")
    public String adminHello() {
        return "Goodbye!";
    }
}

But starting from 0.10, it is now possible to generate proxies for classes through the @AotProxyHint annotation at build time. Please note that the former @ProxyHint has been renamed to @JdkProxyHint to avoid confusion.

This feature allows implementation of support for security, transactions, and a wide range of other agent-based mechanisms on the class.

OpenSSL 3.0 Beta1 is released, the open source license is changed to Apache 2.0

OpenSSL 3.0 released the first Beta version, and the development team stated that they regard it as an RC version, so all OpenSSL users are encouraged to build and test this beta version and provide feedback.

According to reports, in the past few months, the development team has done a lot of work for the final release of OpenSSL 3.0. They stated that the overall development workload of OpenSSL 3.0 is huge. Since the start of 3.0, more than 300 different contributors have submitted more than 7000 commits.

The following introduces the main new features and changes of OpenSSL 3.0.

• Adopt a new open source license. OpenSSL 3.0 will be released under the standard and widely used Apache License 2.0 instead of the custom "dual" license used in 1.1.1 and earlier versions: OpenSSL and SSLeay License (both are used)
• Adopt a new version control scheme
• Adopts a "Provider"-based architecture, which replaces the old "engine" interface, provides greater flexibility, and facilitates third-party authors to add new encryption algorithms to OpenSSL
• Add a new Provider, which will be verified in accordance with FIPS 140-2 standards
• Fully "pluggable" TLSv1.3 group, enabling third-party authors to add new TLS key exchange/encapsulation groups through Provider
• Add new encoder and decoder support
• Complete Certificate Management Protocol (CMP) implementation
• Added new APIs for handling MAC (message authentication code), KDF (key derivation function) and random number (EVP_RAND)
• Integrated support for kernel TLS

OpenSSL 3.0 is an important major version update, and the ABI of the tool library has changed. Users need to recompile all dependent applications. In addition, there are some minor API destructive changes.

OpenSSL 3.0 Beta1 download link:

https://www.openssl.org/source/

Linux 5.14 kernel mainline is expected to be compatible with Raspberry Pi 400

Starting from Linux 5.14, Raspberry Pi 400 may be perfectly compatible with the mainline kernel.

Raspberry Pi 400 is a unique new single-board computer released by the Raspberry Pi Foundation in November 2020; its appearance looks like a small keyboard, and the development board is integrated inside the keyboard. Officially, its performance is slightly higher than that of Raspberry Pi 4.

The Raspberry Pi 400 actually embeds the Raspberry Pi 4 SBC into the keyboard and integrates it into a large aluminum block. Buyers who spend $100 on Raspberry Pi 400 can get a built-in Raspberry Pi keyboard, which provides 4GB of memory, 1.8GHz quad-core Broadcom processor, 16GB of storage space and related peripherals. This means that buyers will be able to have a fully working computer, and do not need to be equipped with anything other than a monitor.

The arrival of mainline kernel support will make Raspberry Pi 400 more attractive. The patch lined up in the SoC/SoC "for-next" branch a few days ago is the DeviceTree added for Raspberry Pi 400. Since it is basically very close to Raspberry Pi 4, there is no need to change the kernel driver; but because of the 1.8GHz clock frequency, different WiFi chips, power-off handling through GPIO, and no ACT LED on the 400 model, the DTS configuration needs to be updated.

As stated by Phoronix, thanks to the efforts of developers in the next Git branch of SoC, which is now ranked before the Linux 5.14 kernel, the status of Raspberry Pi 400 support is fairly good. Unfortunately, this relatively simple additional function took a long time to get ready to enter the main line.