Microsoft intends to disable JavaScript JIT to improve Edge security; GoLand 2021.2 stable version released | SiFu Weekly

40s News Express

• Microsoft announces becoming a strategic member of the Eclipse Foundation
• NASA plans to send a probe to Mercury
• Kuaishou said it will close TIKTOK's competitor ZYNN application in August
• There is a problem with Xiaomi's high-end mobile phone 11 series, and the number of rights defenders exceeds 1,800
• Google accused of conspiring with Facebook to manipulate advertising prices
• Britain may intervene in Nvidia’s acquisition of ARM, triggering national security concerns
• In the Q2 mobile phone market in 2021, Apple's revenue accounted for 40%, and Xiaomi rose to the second largest brand
• After 13 years, Linux Mint will redesign the official website and announce the timetable for the next version
• Google calls on companies to devote more engineers to upstream Linux and tool chains
• Microsoft intends to disable JavaScript JIT to improve Edge security
• Visual Studio Code 1.59 released
• Elastic restricts Elasticsearch clients from connecting to OpenSearch
• Release of Tongxin server operating system V20 (1020e): oriented to multiple scenarios, safe and high-performance
• GoLand 2021.2 stable version released
• 4MLinux 37.0 stable version released, not only "4M" Linux distribution
• Nvidia and Mozilla announced a new version of the Common Voice data set, which already supports 76 languages

Industry Information

Microsoft announces becoming a strategic member of the Eclipse Foundation

Microsoft announced that it will become a strategic member of the Eclipse Foundation and join its board of directors to promote support for the Eclipse Foundation AISBL.

As early as 2016, Microsoft joined the Eclipse Foundation as a solution member and provided a set of development tools and services at that time. Now, in order to cooperate more closely with the Eclipse community, Microsoft announced that it will expand its participation to strategic members, and Chief Technology Officer Azure Office Chief Project Manager Stephen Walli will join the foundation’s board of directors and explained in the article. reason:

• The Eclipse Foundation has deep expertise in vendor-neutral governance, infrastructure, marketing, community building, and developer advocacy. The team showed initiative and vision, and turned to become an international non-profit organization headquartered in Europe to align with its members. The Eclipse Foundation is a natural place for Microsoft and European partners to develop new programs.
• The Eclipse Foundation remains an important cornerstone of the Java ecosystem. Microsoft is committed to the health of Java developers and the Java ecosystem, and actively participates in projects such as Eclipse Adoptium (formerly AdoptOpenJDK). Expanding participation in the foundation as a strategic member will help advance the modern Java project in the spirit of open source.
• The Eclipse Foundation also has close ties with the core parts of the Java community. Eclipse IDE, Jakarta EE (the successor of Java EE) and MicroProfile projects are all hosted by it. For Microsoft and its partners, the Eclipse Foundation is a reasonable choice for AdoptOpenJDK. As a vendor-neutral multi-vendor program, Eclipse Adoptium will continue to be the leading supplier of fully compatible, high-quality Java runtime releases based on OpenJDK source code.
• The Eclipse Foundation is expanding its role through working groups, many of which are important to Microsoft and its partners. The recent work around the Eclipse Dataspace Connector and Eclipse Tractus-X is an example of the new work that the Eclipse Foundation has begun in working groups that Microsoft is interested in participating in.

Finally, Microsoft stated that open source non-profit organizations are crucial in the community because they provide a structure that enables projects to realize opportunities for continued development. By supporting such non-profit organizations, it will help support the entire developer community.

NASA plans to send a probe to Mercury

According to the US "Forbes" biweekly website recently reported that Mercury is the smallest planet in the solar system. NASA's Mercury Lander mission is scheduled to launch in 2035 and arrive at its destination 10 years later. , To investigate the internal structure, magnetic field and atmosphere of Mercury.

Kuaishou said it will close TIKTOK's competitor ZYNN application in August

According to reports, Kuaishou Technology will close its video-sharing application Zynn, a move that marks the company’s attempt to challenge ByteDance’s TikTok in the United States has failed. , Kuaishou told users in a notice that the Zynn service will be terminated on August 20. The notice stated that this TikTok-like app was launched in the North American market last year and will delete all user data after a 45-day grace period after the closure was announced. The company confirmed the news in a statement and added that its other overseas products will not be affected. Kuaishou responded that it is a product Zynn in the US market that has stopped serving Kuaishou, and Kuaishou’s overseas market strategy remains unchanged.

There is a problem with Xiaomi's high-end mobile phone 11 series, and the number of rights defenders exceeds 1,800

On August 4, it is understood that the Xiaomi 11 mobile phone rights protection group spontaneously formed by users currently has more than 1,800 people. The problem phones are basically Xiaomi 11, Xiaomi 11ultra and Xiaomi 11PRO, all of which are high-end Xiaomi models, priced at 3999 yuan rise.

After the problem occurred, Xiaomi in some areas said after-sales service that it could replace the new machine, but there are still many users who are unable to refund or replace the new machine, and they are still struggling to defend their rights. Some users believe that this is a design defect of the Mi 11 products, and all users of the Mi 11 series who have problems should be given an unconditional return or warranty. At the same time, they should give a solution on how to protect the data in the mobile phone from damage to the mobile phone motherboard.

Google accused of conspiring with Facebook to manipulate advertising prices

According to reports, Google was accused of a reciprocal deal with Facebook in an antitrust lawsuit, giving the social network an advantage in virtual auctions that determine whose ads appear where.

Two Massachusetts companies stated in a proposed class-action lawsuit that the transaction allows Google to maintain a dominant position in the online advertising market, crowd out other advertisers, and limit the income of online content publishers.

The indictment shows that this title bidding system was designed in 2014, allowing publishers to guide users' browsers to obtain real-time bids from multiple auction platforms instead of just using Google's bidding system.

Facebook initially accepted this system, but after reaching an agreement with Google in 2018, the company agreed to restrict the program in exchange for Google's preferential treatment.

The indictment stated: “When Google’s market position was threatened, it used an agreement with Facebook to weaken innovation and competition.”

The indictment argued that this agreement "restricted the innovation of the title bidding system, making it only beneficial to them, and at the same time obstructing competition", which violated the anti-monopoly law.

Two companies in Massachusetts believe that Google should be responsible for all losses suffered by advertisers.

Britain may intervene in Nvidia’s acquisition of ARM, triggering national security concerns

According to reports, people familiar with the matter revealed that the British government may prevent Nvidia from spending $40 billion to acquire the chip design company ARM for consideration of potential risks to national security. In terms of market value, Nvidia has surpassed Intel to become the largest chip company in the United States.

As part of its efforts to expand its influence in the surging semiconductor market, the company announced in September last year that it would spend $40 billion to acquire ARM, which is owned by SoftBank Group.

As early as April of this year, the British Minister of Culture Oliver Dowden asked the Competition and Markets Authority (CMA) to prepare a report on whether the transaction could be considered anti-competitive and summarize any national security concerns raised by third parties.

In the Q2 mobile phone market in 2021, Apple's revenue accounted for 40%, and Xiaomi rose to the second largest brand

Global smartphone shipments increased by 19% year-on-year in the second quarter of 2021, but decreased by 7% from the previous quarter. Shipments were 329 million units. Samsung ranked first, and Xiaomi became the second largest mobile phone brand for the first time... Globally in the second quarter of 2021 Smartphone revenue increased by 25% year-on-year, reaching US$96 billion, and Apple took the lead with a record 41% market revenue share.

After 13 years, Linux Mint will redesign the official website and announce the timetable for the next version

Linux Mint recently published a blog on the official website, sharing some future update plans of Linux Mint in the blog. In the rest of this year, Linux Mint will make comprehensive improvements and upgrades to the official website design, and announced Linux Mint 20.3 release date.

The last time Linux Mint made major changes to the official website was in 2008, which is 13 years old. Although the performance of the website is still good, people's first impression after visiting the website is definitely "this website looks very old and outdated", and it may even give people the illusion that the project has ceased to be maintained.

Previously, the development of the new website was interrupted by the release of Linux Mint 20.2, and now the development of the new website will continue.

The new website will have a new look and an adaptive layout, which will work well on any device by then, display information in a modern way, and will place most visitors in a prominent position in the first time What you expect to find when browsing-download links. After updating the website, Linux Mint will also improve the overall appearance of icon themes, GTK themes, title bars and the Linux Mint desktop.

When Linux Mint 20.2 was released in July, it received unanimous praise from the community and users, especially the search function and batch renaming function. But Linux Mint will not stop there. The development cycle of the next version has now started, and version 20.3 is planned to be launched during the Christmas period of 2021.

Affected by the global epidemic, it is difficult to guarantee whether Linux Mint 20.3 will be officially released during Christmas. Having said that, according to the roadmap announced by Linux Mint, it is quite reliable in terms of punctual completion.

Google calls on companies to devote more engineers to upstream Linux and tool chains

Kees Cook, a long-term kernel developer of the Google security team, published a blog calling on organizations to put more engineers into the upstream Linux kernel as soon as possible to improve open source security. "Instead of just starting from the perspective of one bug at a time, preemptive action can prevent bugs from having bad effects. Since Linux is written in C, it will continue to have a long list of related issues. Linux must be designed to be proactive Measures to withstand its own risks."

The blog content pointed out that the stable Linux kernel version has nearly 100 new fixes every week. Faced with such a high rate of change, vendors are not always able to get the latest fixes, or in some cases just try to pick "important" fixes.

Obviously, ignoring all repairs is the wrong "solution", but this is a very common position of vendors; they think that their equipment is just a physical product, not a hybrid product/service that must be updated regularly. In this regard, in addition to acknowledging the need for more upstream kernel developers; Google also encourages suppliers to follow the path of chasing the latest Linux stable version or LTS version of the kernel in order to integrate all fixes.

Google called for more engineers to fix bugs, conduct code reviews, engage in testing and infrastructure work around the kernel, and engage in security and compiler tool chain development.

"According to our most conservative estimate, there are currently at least 100 engineers underinvestment in the Linux kernel and its tool chain, so everyone should gather their developer talent upstream. This is the only way to ensure a security balance at a reasonable long-term cost. s solution."

Microsoft intends to disable JavaScript JIT to improve Edge security

Microsoft Edge vulnerability research leader Johnathan Norman revealed that the team is experimenting with a new feature in Edge and intends to disable the JavaScript JIT compiler to enable some additional security protections. They also gave this experiment an interesting and slightly provocative name, "Super Duper Secure Mode (SDSM)".

Norman said that JIT compilation is a "very complicated process, few people understand, and the error is very small." However, although JIT can improve the performance of the browser, it also introduces some vulnerabilities. "Performance and complexity usually come at a price. We usually bear this price in the form of security vulnerabilities and follow-up patches."

CVE data after 2019 shows that about 45% of the CVEs released for V8 are related to the JIT engine. In addition, attackers also weaponize and abuse these vulnerabilities; an analysis by Mozilla shows that more than half of "wild" Chrome vulnerabilities exploit JIT vulnerabilities.

Norman pointed out that after simply disabling JIT, this reduction in the attack surface may significantly improve user security; it will eliminate about half of the V8 vulnerabilities that must be fixed. For users, this means fewer security updates and fewer emergency patches are needed. At the same time, by disabling JIT, you can also enable two mitigation measures and make it more difficult to exploit security vulnerabilities in any renderer process component.

"The reduction in the attack surface eliminates half of the vulnerabilities we see in exploits, and also makes each remaining vulnerability more difficult to exploit. In other words, we reduce the cost of users, but increase the cost of attackers. ."

In terms of performance impact, Norman said that when testing Edge with JIT disabled, users seldom notice the difference in daily browsing; but in the benchmark test, the performance of Edge without JIT dropped by 58%.

Currently, SDSM disables JIT (TurboFan/Sparkplug) and enables CET, but it is not currently compatible with WebAssembly. The team plans to slowly enable new mitigation measures and increase support for Web Assembly in the next few months. Users can now find this feature under edge://flags in Edge Canary, Dev and Beta.

Norman also revealed that it is planning to introduce this feature to MacOS and Android.

The latest technology trends

Visual Studio Code 1.59 released

Visual Studio Code 1.59 has been released, some of the main highlights are as follows:

Workbench

• Expand

Improved the expanded view on resizing. The expanded view of the default width shows all the detailed information (icons, ratings, and install counts were not previously shown). When the view is reduced, a smaller expansion icon will be displayed, and when its width is further reduced, the icon and rating will be hidden.

The extension view now displays a custom hover on the extension, including the full description of the extension and other useful information, such as why an extension is disabled or recommended.

The runtime status of the extension can now be checked in the new runtime status tab in the extension pane. The status information includes its activation time, whether it was activated at startup, and whether there are any warnings or errors.

The "Extension Panel Details" tab now displays categories, resource links, and other information, such as extension release and update dates. Selecting a category will display other extensions in that category in the "Extensions" view.

• Settings editor

The settings editor now supports object validation. Verification checks for type errors that may be introduced when directly editing the JSON file.

editor

• Navigate between collapsed areas

There are some new commands to set the cursor position to the corresponding fold:

1. Go to the next fold (editor.gotoNextFold)
2. Go to the previous fold (editor.gotoPreviousFold)
3. Go to the parent fold (editor.gotoParentFold)

There are currently no default key bindings for these commands.

• Inline suggestions for improvements

The presentation of inline suggestions has been changed. This not only fixes a lot of bugs, but also makes word wrap recognize inline suggestions. In addition, multi-line inline suggestions for non-trailing positions are now supported.

terminal

• Drag and drop terminal across windows

Drag and drop the terminal from the tab list or editor area of one window to the tab list, editor area or panel of another window.

• Underline and strikethrough support

The integrated terminal now supports underline and strikethrough attributes. For example, Git can be configured to use these new properties:

debug

• Improved the run/debug button in the editor title

The drop-down button of the debug button now has two click areas, one for the default operation (left) and the other for the drop-down (right), run the operation when selected and remember it as the new default value.

In addition, some updates for expansion are also included.

Elastic restricts Elasticsearch clients from connecting to OpenSearch

The Elastic developer submitted a PR to elasticsearch-py (which has been merged) last month to modify the authentication logic for the Elasticsearch Python client to connect to Elasticsearch. According to the description of the PR, the modified client will not be able to connect to the Elasticsearch branch OpenSearch maintained by AWS, as well as some lower version of Elasticsearch open source releases, or Elasticsearch hosted to AWS Elasticsearch Service.

AWS said: "Elastic maintains an open source client library that provides convenient high-level interfaces for multiple programming languages. However, in the past few weeks, Elastic has added the aforementioned new logic to clients in multiple languages. Although the client of Elasticsearch is still open source, it is only allowed to connect to Elastic's commercial products."

AWS believes that widely adopted open source projects usually emphasize flexibility and inclusiveness in order to avoid being restricted to a single project, so this behavior of Elastic is destructive and hinders developers. Therefore, it decided to fork new branches from all Elasticsearch clients and ensure that these branches can be easily connected to any OpenSearch or Elasticsearch cluster. The clients that AWS plans to fork include:

• elasticsearch-py
• elasticsearch-java
• elasticsearch-net
• go-elasticsearch
• elasticsearch-js
• elasticsearch-ruby
• eland
• elasticsearch-php
• elasticsearch-rs
• elasticsearch-perl
• elasticsearch-specification
• elasticsearch-hadoop

AWS said that developers only need to make small changes to the code of their applications to connect to Elasticsearch and related derivatives as before. It also advises developers not to upgrade any clients maintained by Elastic to the latest version, as this may cause application interruptions.

Since Elasticsearch changed its open source agreement, the two companies, AWS and Elastic, have gradually "decoupled." AWS first created a branch of Elasticsearch that claimed to be truly open source, and received support from many vendors. Now, Elastic modifies the Elasticsearch client to prevent OpenSearch from connecting to AWS. Neither party wants to have any relationship with each other.

Some people think that AWS's behavior is nakedly "robbing" open source projects. Others think that Elastic changed from the original open source protocol to now restrict users from using the client normally, which not only violates the spirit of open source, but also means using users as a bargaining chip. .

Release of Tongxin server operating system V20 (1020e): oriented to multiple scenarios, safe and high-performance

Recently, Tongxin server operating system V20 (1020e) (hereinafter referred to as: 1020e version) was released.

The 1020e version has been optimized in terms of ease of use, scalability, reliability, security, and stability. At the same time, the performance of the system and file reading and writing has been significantly improved. It is a model that satisfies autonomy, security, and high performance. Self-developed operating system.

The server operating system of Tongxin closely follows the development of the Euler operating system open source community. Based on the openEuler 20.03 LTS SP2 (Linux kernel 4.19) community release, it integrates self-developed application software, third-party commercial software and open source software. A general-purpose server operating system for cloud, virtualization, containers, databases, big data, artificial intelligence, distributed storage, security auditing and other application scenarios.

The 1020e version incorporates the new features of the Euler operating system open source community, and has achieved leading advantages in reducing memory costs, enhancing data security, improving migration performance, and covering confidential scenarios.

GoLand 2021.2 stable version released

GoLand 2021.2 stable version has been released.

GoLand 2021.2 introduces new Go modules functions, new formatting options, and support for Go 1.17 functions. In addition, new quick fixes have been added, including corrections to help developers use the new //go:build syntax correctly.

In this version, the version control function has been updated, and improvements include the ability to sign submissions with GPG keys. For web developers, the function of automatically reloading the page in the browser when saving the code has been added, and completion is provided for MongoDB fields and operators.

Download : 16117da7848c7a https://www.jetbrains.com/zh-cn/go/download/

Go modules

Manually load go.mod and change

In GoLand 2021.2, the developer can control how the IDE calls the go list when editing go.mod, or manually load the go.mod file to change.

Go to Settings | Build, Execution, Deployment | Build Tools and select the External changes option. When the user edits the file in the IDE, GoLand will automatically stop calling go list.

better supports different Go versions

If the features in the Go language version used are newer than the version specified in the go.mod file, you will receive an error message. At this time, GoLand will prompt the problem.

The default Go option of the welcome screen

The Go option on the welcome screen is now the default option for the Go modules project. The official also renamed the GOPATH-based project to Go (GOPATH).

formatter

This version introduces the Run gofmt on code reformat option. This is the first step to make gofmt easier to find in GoLand, which has its own formatter. After selecting this option, the developer can use the shortcut key Ctrl+Alt+L to call the two formatters, and gofmt will run after the GoLand formatter.

This option is enabled by default and can be switched in Settings | Editor | Code Style | Go.

Go 1.17

In Go 1.17, you can convert slices to array pointers. GoLang will not mark these conversions as errors. To try out Go 1.17 features, please change GOROOT in Settings | Go to "Go 1.17beta1" or "Go 1.17rc1".

UI improvements

Toolbox App update notification

GoLand will notify you when a new version is available and provide users with the option to update directly from the IDE to the new version. To use this function, Toolbox App 1.20.8804 or higher is required.

New terminal option

You can now go to Settings | Tools | Terminal to change the cursor shape in the built-in terminal to underline or vertical.

New Change project icon window

Simplified the dialog box, allowing users to customize project icons in the project list on the welcome screen. To upload a custom icon, just right-click on the project and select Choose project icon from the context menu.

Web development

Reload the page in the browser when saving the code

When developers edit and save HTML, CSS, and JavaScript files, GoLand is now able to update the page in the browser.

By default, the reload page is turned on when saving. It can be switched in Settings | Build, Execution, Deployment | Debugger | Built-in Server.

4MLinux 37.0 stable version released, not only "4M" Linux distribution

4MLinux 37.0 stable version has been released. 4MLinux is a Linux distribution, it focuses on four aspects, which is the origin of the name "4MLinux":

• System Maintenance (Maintenance): Contains some system maintenance and recovery tools, such as cfdisk and GNU parted to manage partitions, testdisk to recover partitions, photorec to recover files, and ntfs3g to support data reading and writing in NTFS partition format. Can be used as a self-starting CD for system emergency repair
• Multimedia: can play video DVD and other multimedia files
• Miniserver: Use the inetd daemon
• Mystery (Mystery): Provide several Linux mini games

Download : 16117da7848fa0 http://4mlinux.com/index.php?page=download

Major changes

• Added FluidSynth (software synthesizer) with VMPK (virtual MIDI piano keyboard)
• Add Dmidecode (a tool to read hardware-related data from SMBIOS)
• HandBrake and qBittorrent are now available for download as extensions
• 4MLinux now uses its own server to update the ClamAV virus database
• The Linux kernel patch that supports the reiser4 file system has been added to the 4MLinux driver collection

software package upgrade

• LibreOffice 7.1.5.1
• GNOME Office (AbiWord 3.0.5, GIMP 2.10.24, Gnumeric 1.12.50)
• DropBox 126.4.4618
• Firefox 90.02
• Chromium 90.0.4430.212
• Thunderbird 78.12.0
• Audacious 4.1
• VLC 3.0.16
• mpv 0.33.0
• Mesa 21.0.1
• Wine 6.12
• 4MLinux LAMP Server (Linux 5.10.47, Apache 2.4.48, MariaDB 10.6.3, PHP 5.6.40 and PHP 7.4.21)
• Perl 5.32.1
• Python 2.7.18
• Python 3.9.1

Nvidia and Mozilla announced a new version of the Common Voice data set, which already supports 76 languages

Common Voice is an open source project of Mozilla, based on the MPL protocol. It has been born for several years so far. It allows volunteers to contribute to the database of speech recognition software. This database is in the public domain, and everyone can use it. These data are used in speech synthesis and recognition software.

In April of this year, Nvidia participated in this project by investing 1.5 million US dollars in Mozilla.

Recently, with the joint efforts of both parties and the entire community, the latest version of the Common Voice data set was officially released. It brings a number of noteworthy new content. First, the corpus data set now has more than 13,000 hours of crowdsourced voice data. Compared with the previous version, the latest version brings 4622 hours of new audio data. 16 new languages have been added, namely Basa, Slovak, Kurdish, Bulgarian, Kazakh, Bashkir, Galician, Uyghur, Armenian, Belarusian, Urdu, Guarani, Serbian, Uzbek, Azerbaijani and Hausa. This brings the total number of languages in the data set to 76. In total, the dataset now has more than 182,000 unique voices, and the contributor community has grown by 25% in the past six months.

Other contents of Mozilla's newly released Common Voice data set include:

• The top five languages ranked by total time are English (2630 hours), Kinyarwanda (2260 hours), German (1040 hours), Catalan (920 hours) and Esperanto (840 hours);
• The languages that increased the most by percentage were Thai (a 20-fold increase from 12 hours to 250 hours), Luganda (a 10-fold increase from 8 hours to 80 hours), and Esperanto (a increase of more than 8 times from 100 hours to 840 hours), and Tamil (increased by more than 9 times, from 24 hours to 220 hours);