Following the compromise of a popular GitHub tool, developers having to turn and face their code repo’s strange ch-ch-changes.

The poisoning of an automation mechanism used in over 23,000 repositories exposed software-development credentials known as secrets. While GitHub promptly stopped the attack days after the report’s release, the discoverers of the supply-chain threat see similar compromises on the horizon as the secret’s out.

“It is a very nightmare-ish scenario that we are facing right now, with all these credentials that have been leaked,” StepSecurity co-founder and CEO Varun Sharma told. “We can expect a lot more of these supply-chain attacks.”

On March 14, StepSecurity’s anomaly detection spotted the compromise of tj-actions/changed-files—a third-party GitHub Action that allows developers to see which files changed after a pull request or commit.

According to details from StepSecurity’s report, an access-token compromise of the “tj-actions” automation account used by the maintainer allowed a threat actor to modify the action’s code and retroactively update versions to reference the malicious commit, or revision.

The compromised action sent code-development “secrets”—credentials like passwords, encryption keys, API tokens, and digital certificates—into publicly viewable GitHub action logs, StepSecurity researchers said in their post.

GitHub, on March 15, both removed the tj-actions/changed-files Action for use and then later restored it free of the malicious exploit code.

There is currently no evidence to suggest a compromise of GitHub or its systems, Jesse Geraci, online safety counsel at GitHub, wrote to us, adding that GitHub tj-actions is a user-maintained, open-source project.

“We reinstated the account and restored the content after confirming that all malicious changes have been reverted and the source of compromise has been secured. Users should always review GitHub Actions or any other package that they are using in their code before they update to new versions. That remains true here as in all other instances of using third-party code," Geraci shared in a written statement...

TideLift’s 2024 State of the Open-Source Maintainer report, released in September of that year, found that 60% of maintainers are not paid for their work—and professional maintainers are more likely to be able to prioritize remediating security vulnerabilities. (Maintainers also admitted to spending three times more on security work compared to 2021.)

“For trivial things, sometimes it makes sense to build them yourself, rather than rely on third-party dependencies that you don’t know,” Dimitri Stiliadis, co-founder and CTO of Endor Labs, told us.

Sharma imagines a scenario where attackers use the exposed secrets to create more code chaos and supply-chain attacks.

Owners of packages used by other developers, for example, can use secrets to publish new versions. An owner of a brand-new secret can potentially launch a malicious package that starts to look for more credentials.

“It’s now really up to these open-source maintainers who have these credentials in their logs. They need to take action. They need to find out where those credentials are logged, and then they need to rotate them to prevent these supply-chain attacks,” Sharma said.

On March 18, StepSecurity claimed “conclusive evidence” of compromises in several actions related to the GitHub organization reviewdog. “It’s possible that the tj-actions/changed-files incident may have been caused due to this, as several GitHub Actions workflows in the tj-actions organization use the compromised Actions. However, there is no conclusive evidence currently to link these two supply-chain security incidents,” the post read(More details: https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised#summary-of-the-incident).

Here are 11 open source AI projects that make a developer’s job a little easier. Some fine-tune the process of training models, while others help you find or access the data sources you need. There are productivity hacks, performance optimizers, SQL wranglers, and more.

1. Upscayl

Sometimes, an image just needs a bit more detail to look good on a page. Upscayl(https://github.com/upscayl/upscayl) increases image resolution for the crispness and detail you seek. If you’ve got the right hardware, it’s a good way to enhance digital artwork or add detail to a photograph. Just remember that the AI is pretty much hallucinating these details. That means Upscayl is ideal for enhancing fictional images created by a digital artist, but it’s not as good for images that require absolute accuracy, such as documenting evidence at a crime scene.

More details: https://upscayl.org

2. Nyro

Developers spend a fair amount of time interacting with the computer’s operating system via the command line. While they are easy to overlook, all those seconds add up. Nyro is an open source project written on top of Electron(https://www.infoworld.com/article/3547072/electron-vs-tauri-which-cross-platform-framework-is-for-you.html) that handles mundane tasks like taking screenshots, resizing windows, and synchronizing data between applications. Automating everyday tasks like these can save you many small fractions of time, which ultimately adds up to a big productivity boost.

More details: https://github.com/trynyro/nyro-app

3. Geppetto

Some development teams do most of their work in Slack channels, so the posts end up being pretty solid first-generation documentation. Geppetto is a Slackbot that connects your channels with several different LLMs (OpenAI, Anthropic, and Gemini), which can clean up and enhance your musings. Geppetto will even send a request to Dall-E if you want art to add life to your documentation.

More details: https://github.com/Deeptechia/geppetto

4. E2B sandboxes

The earliest LLMs answered questions and maybe generated a bit of art using all the knowledge in their training set. But what if they were free to roam the Internet and use all the same tools that humans use? E2B is an agent sandbox that lets LLMs connect with many of the same tools that we humans use every day. That means web browsers, GitHub code repositories, and command-line tools like linters. LLMs can then use the power of these tools to do useful things like manage cloud infrastructure, so humans don’t have to.

More details: https://github.com/e2b-dev/e2b

5. Dataline

Not everyone wants to upload all their data to some distant AI GPU for training. Dataline uses an LLM to generate SQL commands that suck the data out of the database. Then, the code creates a data science report using a local connection to the local data. It’s a hybrid approach that merges classic data science algorithms for analysis with LLMs that guide them.

More details: https://github.com/RamiAwar/dataline

6. Swirl Connect

Sometimes, you want to start working with a data set but you don’t want to go to the trouble of extracting and reformatting it. If the data set is large, these processes can be very time-consuming. Swirl Connect (https://github.com/swirlai/swirl-search) links many standard databases with most standard LLMs and RAG search indices. All the data you need is in one place, and you can just focus on the training.

More details: https://swirlaiconnect.com

7. DSPy

The emergence of LLMs has created a whole new job specialization in prompt engineering. Unlike the algorithms that developers use, prompt engineers fiddle with words and write long instructions that wheedle and nudge an LLM to produce just the right result. This is a role that requires the gift of gab and the ability to use Jedi mind tricks on LLMs. DSPy is a tool that wants to bring a more systematic approach to LLM training. Instead of words and phrases, DSPy connects modules and optimizers and arranges them in a pipeline for the LLM. Developers using DSPy can spend less time worrying about linguistic nuance and more time working with code.

More details: https://github.com/stanfordnlp/dspy

8. Guardrails

One of the challenges of generative AI is keeping the AI from straying off course. The engineers of Portkey Gateway found a way to integrate more controls into the generative AI pipeline. Asynchronous functions, known as guardrails, can track the evolution of AI-generated answers and “vote” at various stages of the pipeline. With each vote, an answer is refined. The end result should be fewer hallucinations and more correct answers.

More details: https://github.com/Portkey-AI/gateway/wiki/Guardrails-on-the-Gateway-Framework

9. Unsloth

Training a foundational LLM on a new set of data is often expensive. Unsloth(https://github.com/unslothai/unsloth) is a tool designed to optimize such training for some of the most common open source models. By some accounts, the open source version of the tool is two to five times faster than model training without Unsloth, and the professional version is as much as 30 times faster. Carefully handwritten kernel code is applied in a way that lowers memory usage while maintaining or even increasing accuracy.

More details: https://unsloth.ai

10. Wren AI for SQL

Most data in the world is stored in vast tables, often accessible with SQL. Alas, few people know how to write great SQL queries. Even good programmers struggle with writing fast and efficient SQL queries. Wren AI(https://github.com/Canner/WrenAI) is a natural language front end to SQL. You ask your questions in plain English and the AI translates them into SQL, saving everyone a bit of time and grief.

More details: https://www.infoworld.com/article/2335617/sql-unleashed-9-ways-to-speed-up-your-sql-queries.html

11. AnythingLLM

Many people these days have a massive pile of digital documents tucked away somewhere for future reference. The challenge is finding that perfect quote or data point when you need it. AnythingLLM organizes your pile of documents into something useful. You just feed your documents into any LLM or RAG system and then query it for the answers you need. The tool runs on Linux, macOS, or Windows machines, and responses can be in a variety of formats including speech-to-text.

More details: https://github.com/Mintplex-Labs/anything-ll

The founder and president of the Free Software Foundation Richard Stallman has resigned in the wake of comments he made about accused sex offender Jeffrey Epstein and his victims. He is also removing himself from the foundation’s board of directors effective immediately.

In addition, Stallman will no longer be a visiting scientist at MIT’s Computer Science and Artificial Intelligence Lab (CSAIL).

Stallman wrote: “I am resigning effective immediately from my position in CSAIL at MIT. I am doing this due to pressure on MIT and me over a series of misunderstandings and mischaracterizations.”

Stallman’s remarks were written after he saw an MIT event protesting Epstein on Facebook (More details: https://www.facebook.com/events/687098025098336)

In an email published by MIT alum Selam Jie Gano, Stallman wrote: “We can imagine many scenarios, but the most plausible scenario is that she presented herself to him as entirely willing. Assuming she was being coerced by Epstein, he would have had every reason to tell her to conceal that from most of his associates.”

Stallman was also defending AI pioneer Marvin Minsky, who was named as having assaulted one of Epstein’s underaged victims. “The announcement of the Friday event does an injustice to Marvin Minsky,” Stallman wrote. “The injustice is in the word ‘assaulting.’ The term ‘sexual assault’ is so vague and slippery that it facilitates accusation inflation: taking claims that someone did X and leading people to think of it as Y, which is much worse than X.”

More information can be found in Gano’s blog post titled Remove Richard Stallman at: https://medium.com/@selamie/remove-richard-stallman-appendix-a-a7e41e784f88

Stallman is widely known as one of the first people who started the free software movement with his GNU project in 1983, which spurred the GNU public license.

“On September 16, 2019, Richard M. Stallman, founder and president of the Free Software Foundation(FSF), resigned as president and from its board of directors. The board will be conducting a search for a new president, beginning immediately,” the FSF wrote in a post.

All these high-demand jobs come with signing bonuses, stock options, and the ability to work remotely, of course. More eyebrow-raising perks include college debt payoffs and planned sabbaticals. If you want to move to Silicon Valley to cash in, think again. because the top five states for job growth last year, in order: Utah, North Carolina, Michigan, Washington, and Montana. All five states saw growth of between 4.5 and 6 percent.

Happy hunting:

1. AI

As Artificial Intelligence(AI) speeds how we work with massive amounts of data and converts it into actionable insights, the area is starved for new talent. Corporate and consumer interest are on the rise in areas like automation and autonomous driving, which means engineers with deep learning experience are hard to find. And if you’re thinking of investing in a shift, rest assured. The demand for engineers with AI, machine learning, and deep learning chops doesn’t look to be slowing anytime soon. With the intense focus on predictive analytics, deep learning, machine learning, and artificial intelligence, these positions should remain relevant for years to come.

2. VR/AR

Despite being one of the most in-demand fields, there were fewer than 5,000 potential candidates for Virtual Reality(VR) jobs as of the end of last year. You can expect that number to increase as more organizations embrace the virtual reality trend. While Augmented Reality(AR) and VR tech made a splash with a range of consumer products shown at this year, more promising opportunities will occur this year in the enterprise for simulation and training, which should mean more roles for AR and VR developers -- both in development and security. Companies will begin to realize incredible efficiencies and cost savings by leveraging immersive enterprise apps. In fact, by prediction that by 2020, augmented reality, virtual reality, and mixed reality immersive solutions will be a part of 20 percent of enterprise’s digital transformation strategy.

3. Security analyst

With all the recent cybersecurity breaches and rise of advanced persistent threats, it should come as no surprise that security analysts are in high demand, marked by high starting salaries, potential for growth, and greater influence in the workplace these days. In the United States, more than 285,000 cybersecurity positions sat vacant in 2016, and an estimated 2 million positions will be left unfilled by 2020. With the struggle to hire in-house cybersecurity talent, organizations open themselves up to hacking, data breaches, and ransomware attacks. Security analysts need to be generalists with skills that are broader than deep, with the ability to work in various areas of the company doing the hiring. They should be able to think strategically and see the big picture regarding information security, and have the necessary interpersonal skills to deal with stakeholders and speak to board members.

4. Cloud integrator

The evolution of IT can be divided into three stages: the mainframe era, the PC/internet era, and now the cloud/mobile era, where new technologies built with the cloud in mind will gain more traction, including machine learning and blockchain. Companies facing tightening budgets are constantly forced to do more with less, and then cut costs all over again. Enter the cloud. And where cost-cutting closes one door, another opens. Consequently, developers and implementation specialists who specialize in cloud solutions roles are in high demand for those who are familiar with Microsoft 365, Workday, Salesforce.com, Amazon Web Services, Microsoft Azure, Service Now, Oracle Cloud, and SAP. Contractors can make $150-250 an hour implementing cloud services, or as much as $175,00 a year, which is too much skin in the game for many companies. That opens up opportunities for “system integrators” who both install the cloud service and train up the IT department on how to use it.

5. Full-stack engineers

Web users are increasingly demanding more robust, app-like consumer experiences, which has led to strong demand for front- and back-end web developers -- and even more for those who combine those skills as full-stack engineers. Familiarity with open-source platforms is key. While .Net and Java will continue their dominance in 2017, larger trends in open source development are growing. We’re seeing uptick in requests for IT professionals with PHP, Python, Node.JS, and HTML/CSS experience. This trend is driven by companies moving away from the traditional platforms that require licensing fees. The JavaScript ecosystem is maturing rapidly and ES2015 (formerly ES6) is the foundation of its future. While JavaScript is currently hot and the JavaScript frameworks rock, what will differentiate JavaScript developers going forward is their knowledge of ES2015 and associated tools. Openings for full-stack engineers grew more than 100 percent from 2015 to 2016, with salaries ranging from just over six figures to nearly $140,000. Certifications for application development and ScrumMaster may help boost your pay or expand your opportunities, once you have proven your mettle with a full-stack framework.

6. Data scientist

As AI becomes part of the business toolkit, making decisions quickly based on large amounts of data is increasingly important to firms hiring new developers. All developer roles are in high demand, but there is especially high demand for data scientists. Every company is looking to leverage data and analytics to improve their business and they need individuals who are experts at solving complex data questions. Predictive analytics and machine learning are the future of tech, so you would focus on math, statistics, and behavioral psychology. Regarding programming languages and back-end tech you would emphasize R, Python, Java, JavaScript, Julia, Scala, and Hadoop, among others. Data science has become more complex, broader and more involved as it’s difficult for a single individual to possess all of the required knowledge. Coders come in many forms, and the path to one’s dream role isn’t always linear. Understand what your ultimate goal is. Whether pursuing a career as a data analyst, a statistical modeler, or a data scientist -- which is a subset of the two -- there will be continuous career opportunities.

7. IoT engineer

Job postings for IoT (internet of things) architects spiked more than 40 percent in the last year, and the company predicts that growth is just the start. The internet of things is where the world of technology is going. Working as an IoT engineer has a lot of current and future opportunity, the position is often competitively compensated, and experience with IoT will prepare candidates to move forward within the information technology industry even if they choose to move away from working directly with the internet of things. IoT devices are overwhelming companies with data, much of it unstructured, and firms want to find ways to collect and make sense of that information in a timely way. Companies need more data to have better visibility into their assets, people, and transactions. Businesses will increasingly take advantage of sensors, beacons, and RFID tags in the enterprise environment, lending them a voice to communicate with [users] and producing data constantly and immediately. Decoding the data collected through IoT-enabled devices and wearables will help companies accelerate their decision-making processes, and make more informed business judgments.

Every 10 years, Microsoft informs its programmer community that it's radically changing platforms. In the early 1990s, it moved developers from DOS-based APIs to Win32 by forcing them through a painful series of API subsets: Win16 to Win32s and Win32g to Win32. In the early 2000s came the push to migrate to .NET. Now comes a new migration to Windows 8's constellation of new technologies under name "Metro".

At least the migration from DOS to Win32 had compelling motivators: a GUI interface and a 32-bit operating system. The migration from Win32 to .NET had a less obvious benefit: so-called "managed code", which in theory eliminated a whole class of bugs and provided cross-language portability. It's not clear that the first benefit warranted rewriting applications, nor that the second one created lasting value.

The just-announced Window 8 technologies are for writing "Metro" apps. Metro apps have a wholly new UI derived from Microsoft's mobile offerings and intended to look like kiosk software with brightly colored boxy buttons and no complex, messy features like dialog boxes.

Bottom line, the costs of these past migrations have been enormous and continue to accumulate, especially for sites that, for one reason or another, can't migrate applications to the new platforms.

Q&A with Ken Thompson, creator of UNIX.

Q: At what point in Unix's development did it become clear it was going to be something much bigger than you'd anticipated?

A: The actual magnitude, that no one could have guessed. I gather it's still growing now. I thought it would be useful to essentially anybody like me, because it wasn't built for someone else or some third party. That was a pejorative term then. It was written for Dennis and me, and our group to do its work, and I through it would be useful to anybody who did the kind of work that we did. And therefore, I always thought it was something really good that was going to take off. Especially the language [C]. The language grew up with one of the rewritings of the system and, as such, it became perfect for writing systems. We would change it daily as we ran into trouble building Unix out of the language, and we'd modify it for our needs.

Q: A symbiosis of sort.

A: Yeah. It became the perfect language for what it was designed to do. I always thought the language and the system were widely applicable.

Q: The presentation for the Japan Prize mentioned that Unix was open source. Was Unix open source from the beginning?

A: Well there was no such term as "open source" then.

Q: I was under the impression that Unix really became open source with the Berkeley distribution..

A: No, we charged $100, which was essentially the reproduction cost of the tape, and then sent it out. And we distributed, oh, probably close to 100 copies to universities and others.

Q: Skipping several decades of work, let's speak about Go. I was just at the Google I/O Conference, where it was announced the Go will be supported on the Google  App Engine. Does that presage a wider adoption of Go within Google, or is it still experimental?

A: It's expanding every day and not being forced down anybody's throat. It's hard to adopt it to a project inside of Google because of the learning curve. It's brand new, and there aren't good manuals for it, except what's on the Web. And then, of cource, it's labeled as being experimental, so people are a little afraid. In spite of that, it's growing very fast inside of Google.

Q: In the presentation, you were quoted on the distinction between research and development. [Thompson said research is directionless, whereas development has a specific goal.] So in that context, is Go experimental?

A: Yes, When we [Thompson, Rob Pike and Robert Griesemer] got started, it was pure research. The three of us got toether and decided that we hated C++. [Laughs]

Q: I think there's a lot of people who are with you on that.

A: It's too complex. And going back, if we'd thought of it, we'd have done an object-oriented version of C back in the old days.

Q: You're saying you would have?

A: Yes, but we were not evangelists of object orientation. [In developing Go,] we started off with the idea that all three of us had to be talked into every feature in the language, so there was no extraneous garbage put into language fro any reason.

Q: It's a lean language, indeed. Returning to Unix, when you and Dennis worked together, how did that collaboration operate? Were you working side by side?

A: I did the first of two or three versions of Unix all alone. And Dennis became an evangelist. Then there was a rewrite in a higher-level language that would come to be called C. He worked mostly on the language and on the I/O system, and I worked on all the rest of operating system. That was for the PDP-11, which was serendipitous, because that was the computer that took aver academic community.

Q: Right.

A: We collaborated every day. There was a lunch that we went to. And we'd talk over lunch. Then, at night we each worked from our separate homes, but we were in constant communication. In those days, we had mail and writ [pronounced "write"], and writ would pop up on your screen and say there was a message from so-and-so.

Q: So, IM, essentially.

A: Yes, IM. There was no doubt about that! And we discussed things from home with writ. We worked very well together and didn't collaborate a lot except to decide who was going to do what. Then we'd run and very independently do separate things. Rarely did we ever work on the same thing.

Q: Was there any concept of looking at each others code or doing code reviews?

A: [Shaking head] We were all pretty good coders.

Q: I suspect you probably were. Did you use any kind of source code management product when working together?

A: No, those products really came latter; after Unix. We had something like it, which we called "the code motel", because you could check your code in, but you couldn't check it out! So, really, no we didn't.

Q: I bet you use source code management today, in your work on Go.

A: Oh, yes, Google makes us do that.

Hans Reiser, the creator of the Linux filesystem ReiserFS, was convicted of murdering his estranged wife and hiding her body. His defense attempted to explain away the preponderance of evidence against him as the quirky behavior of an eccentric if gifted man. It didn't work, and not long after that Reiser led police to where he'd buried the body in the hopes of obtaining a reduced sentence.

What's striking about the case is the fate of ReiserFS itself. Thanks to the project being open source, it'll continue. Even if future editions of ReiserFS lose out to competing filesystems like "ext4" and the upcoming "btrfs", it'll be due to technical merit and not the stigma from Reiser's murder conviction. Such is the way open source grants a new lease on life to its projects.

Details: http://www.informationweek.com/news/software/open_source/showArticle.jhtml?articleID=207403553

http://www.informationweek.com/news/management/legal/showArticle.jhtml?articleID=208803147

http://www.informationweek.com/blog/main/archives/2008/04/reiserfs_withou.html

Ron Hovsepian, 45, spent 17 years at IBM before he joined Novell in 2003 as president of North American sales. After only a few months being named Novell CEO, Hovsepian inked a $442 million deal in November 2006 with Microsoft that covers Windows and Linux product integration, patent protection, and marketing. A short time after, all hell broke loose.

First, the open source community accused Novell of selling its soul to the devil. Second, Microsoft chief Steve Balmer fanned the flames by saying that Linux uses Microsoft intellectual property and that Novell's SuSe OS is the only Linux distribution with patent protection from Microsoft.

For now, Hovsepian will have to use all his political skills, for which he has a well-deserved reputation, to keep both open source advocates and Microsoft happy. With the controversy still alive and Novell still in a fight for its life, there's no reason to expect Hovsepian will get too comfortable in the months ahead.