
What Does GitHub’s npm Acquisition Mean For Developers?



Microsoft’s open-source shopping spree has claimed another victim: npm. [Nat Friedman], CEO of GitHub (owned by Microsoft), announced the move recently on the GitHub blog.

So what motivated the acquisition, and what changes are we likely to see as a result of it? There are some obvious upsides and integrations, but these will be accompanied by the usual dose of skepticism from the open-source community. The company history and working culture of npm has also had its moments in the news, which may well have contributed to the current situation. This post aims to explore some of the rationale behind the acquisition, and what it’s likely to mean for developers in the future.

What is npm?

Many Hackaday readers will be familiar with npm (Node Package Manager), one of the backbones of the open-source JavaScript community. If you’ve played around with any kind of web or JavaScript project recently, you’ve probably used npm to install and manage dependencies, with it currently servicing 75 billion downloads a month. It is the most popular package manager for JavaScript, and enables re-use and sharing of modules throughout the JavaScript community; it’s what’s responsible for the node_modules folder in your project munching all your disk space.

At its most basic level, npm allows you to download and install JavaScript modules from the online registry, either individually, by running for example, npm install express, or installing from a package.json file, which contains details of all a project’s dependencies. If you want to read more about how npm manages dependencies and how its parallels with the Node Module Loader allow some neat simultaneous version loading, npm have written a nice explainer here.

npm is certainly not without criticism or competitors, but most developers are familiar with basic use, and I think would agree that it’s played a vital role in the growth of the JavaScript ecosystem, whether that’s new frameworks, niche modules, TypeScript, polyfilling or testing.

What is its history?

npm was started in 2009, by [Isaac Schlueter], who details in a blog post his thoughts on the recent acquisition.

npm Inc is a company, not an entirely open source project. They provide the open-source registry as a free service, and charge a fee for private, commercial packages. It has previously been rumored that there was trouble making ends meet from low-quantity, low-fee license sales.

As a business, it has previously received venture capital funding, and also brought in new executive management to attempt to dramatically increase revenues. Under new management, numerous employees were dismissed, with many claiming they were dismissed unfairly. Further employees resigned voluntarily, raising questions about company culture and the stability/longevity of npm. We hope that the acquisition by GitHub will relieve the financial pressure on the company and allow it to resolve these issues whilst serving the open-source community more effectively, under stable conditions.

Enter GitHub

In npm’s blog post, [Isaac Schlueter] talks about how an acquisition by GitHub has been on the cards for a while, even going so far as recounting asking the GitHub product lead [Shanku Niyogi] why on earth they hadn’t already bought npm.

Why did it seem so obvious? With the source for so many npm packages hosted on GitHub, and GitHub launching the moderately popular GitHub Packages, it seemed only natural that both could benefit from tighter integration. So what might we see in the future?

Many users of GitHub will be familiar with its automated security alerts for vulnerabilities. When your project contains a dependency that has had a security vulnerability disclosed, GitHub will send you an automated email/notification containing the level of risk, the affected code, and an automatically generated pull request which fixes the issue. This is a pretty neat feature, and this author has been glad of it on numerous occasions. While this works well in theory, in complex projects with many interdependent packages, I’ve found that the automated security fixes can sometimes awkwardly bump package versions without fully propagating through the dependency tree, requiring a lot of manual hassle to fix.

I’m very hopeful that this acquisition can bring about a security update experience with much tighter integration with npm, whether that’s making the automated updates more intelligent and frictionless for the developer, or making it easier for maintainers to disclose vulnerabilities and release automated GitHub patches faster. In GitHub’s blog post announcing the acquisition, they state their commitment to using the opportunity to improve open source security, and their aim to “trace a change from a GitHub pull request to the npm package version that fixed it”.

As far as GitHub Packages is concerned, the aim is to move all private packages from npm’s paid service to GitHub Packages, with the view of making npm an entirely public package repository.

Even with these obvious benefits in mind, there is still some uncertainty as to whether the move was driven and initiated by GitHub for these reasons, or whether it’s because of the value it provides to Microsoft as a whole instead.

What npm means to Microsoft

Microsoft’s appetite for open source is growing. It seems like yesterday that we wrote about Microsoft acquiring GitHub, and despite all the speculation on its future at the time, it only seems to have grown stronger with the extra resources available. Since the acquisition, we’ve notably seen the release of free unlimited private repos, GitHub Security Lab and GitHub Actions, all welcome and overdue features that have been well-received in the open-source community. GitHub mobile apps for iOS and Android have also been released in the past few days, attracting a few raised eyebrows for not being open source.

A cynic might say that acquiring npm is a cheap way of Microsoft trying to win some sentiment from the open-source community, and of course, that may be a factor, but the move will have technical benefits for them too. Microsoft are increasingly big users of JavaScript, and are invested in the ecosystem. Notably, they’ve created TypeScript, and they need a stable and solid package repository as much as any group of developers.

It’s yet to be determined whether npm will have any integration with any of Microsoft’s offerings, or if it’s purely of use to GitHub. At this stage, it’s hard to say, though it’s telling that GitHub announced the move along with their strategy, whilst Microsoft has stayed quiet on the topic.


I don’t think anyone can deny that the open-source JavaScript development experience has the potential to become significantly smoother when the largest source repository becomes more integrated with the largest package repository. It remains to be seen how these improvements are implemented, whether they’re made available for public/private users, and how kind they’ll be to open-source competitors, but only time will tell.



Brit scientists snap highest ever resolution picture of the sun



The University of Lancashire showed off the highest-ever resolution images of the sun and its atmosphere. (PA)

British researchers have collaborated with Nasa to capture the highest-ever resolution images of the sun.

The images, analysed by researchers at the University of Central Lancashire (UCLan) and collaborators from Nasa’s Marshall Space Flight Centre, provide astronomers with a better understanding of the sun’s complex atmosphere.

Until now, certain parts of the Sun’s atmosphere had appeared dark or mostly empty.

However, the new images have revealed it actually contains strands of hot electrified gases that are around 500km (311 miles) in width.

The ultra-sharp images were taken by Nasa’s High-Resolution Coronal Imager (Hi-C) telescope, carried into space on a sub-orbital rocket flight.

The telescope can pick out structures in the Sun’s atmosphere as small as 70km in size, or about 0.01% of its total size.

Photo supplied by University of Lancashire showing the highest-ever resolution images of the sun and its atmosphere. The images, analysed by researchers at the University of Central Lancashire (UCLan) and collaborators from NASA’s Marshall Space Flight Centre, provide astronomers with a better understanding of the Sun’s complex atmosphere.

These images provide astronomers with a better understanding of the sun’s complex atmosphere. (PA)

Although what exactly is creating these strands remains unclear, scientific debate will now focus on why they are formed and how their presence helps us understand the eruption of solar flares and solar storms that could affect life on Earth.

Robert Walsh, professor of solar physics at UCLan, said the images provided an ‘ultra-high definition’ glimpse of the sun for the first time.

‘Until now, solar astronomers have effectively been viewing our closest star in ‘standard definition’, whereas the exceptional quality of the data provided by the Hi-C telescope allows us to survey a patch of the sun in ‘ultra-high definition’ for the first time,’ he said.

The ultra-sharp images were taken by Nasa’s High-Resolution Coronal Imager (Hi-C) telescope. (PA)

Tom Williams, a postdoctoral researcher at UCLan who worked on the Hi-C data, said the images would help provide a greater understanding of how the Earth and Sun relate to each other.

‘This is a fascinating discovery that could better inform our understanding of the flow of energy through the layers of the Sun and eventually down to Earth itself,’ he said.

‘This is so important if we are to model and predict the behaviour of our life-giving star.’



What Is Jitsi and Is it More Secure Than Zoom?



Online conference apps help to maintain business and family connections when you can’t all appear in the same room. There is a wealth of video conferencing and video chat apps to choose from. However, if you’re talking about personal matters or discussing the details of a business contract, you need to know the service you’re using will protect your privacy.

Jitsi is an encrypted open-source video conferencing app you can use to protect your privacy. So, how does Jitsi compare to Zoom? Is Jitsi easy to use? Should you switch to Jitsi?

Let’s take a look.

What Is Jitsi?

Jitsi Meet is a secure video conferencing app you can use to chat with people from a web browser, Android, or iOS app.

The version included in the link is the web deployment of the Jitsi Meet software. Anyone can click the link, create a video call, and begin chatting. However, for the more technically minded, you can download and install the Jitsi Meet software to a private server, drastically increasing your privacy. For the majority of users, the regular Jitsi video web chat and smartphone apps are perfect.

Jitsi Meet supports up to 75 participants at the current time. However, for best results, the development team suggests limiting that number to a maximum of 35 participants; otherwise, “the experience will suffer.”

You can work around this limitation using the integrated live-streaming option. Jitsi allows you to live-stream your video conference to an external streaming service, such as YouTube, to increase your number of viewers without negatively impacting on the video conferencing quality.

The Jitsi Meet web app and smartphone apps are incredibly simple to use. You don’t have to worry about having a username or signing up for the service. Type a name for your Jitsi video conferencing room, and press Go. Share the name of the room with your friends, family, or colleagues, and they can begin joining you.

Jitsi Meet Features

Jitsi comes with a substantial list of features, some of which are only available as premium tools in other video conferencing apps. Here are some of Jitsi’s features:

  • Screensharing and live chat
  • Dial-in option
  • Livestreaming
  • Blur my background (currently in beta)
  • Slack integration
  • Jitsi Meetings Google Chrome extension to integrate Google Calendar and Office 365 Calendar

Does Jitsi Use Encryption?

One of the most important Jitsi features is privacy. Jitsi uses hop-by-hop encryption to protect your video conference.

Hop-by-hop encryption means each leg of the video call is encrypted separately. Your stream to the server is encrypted in transit; the server decrypts it, then re-encrypts it and forwards it to the other participants.

Hop-by-hop encryption isn’t perfect, by any means. It means that the server owner could eavesdrop on your conversation if they wish. The way around this is to host a Jitsi Meet server for total privacy. Of course, that isn’t possible for everyone. However, there are no indications that Jitsi’s owners, 8×8, are eavesdropping on private video conversations.

Still, the increase in privacy is significant, especially as the volume of video calling increases.

How to Use Jitsi for Video Calling

As mentioned above, Jitsi makes video calling a cinch. Here’s how you start a Jitsi Meet video call using the web app and smartphone apps.

Using the Jitsi Web App

  1. First up, head to Jitsi Meet.
  2. In the white box, type your meeting room name. Then hit Go.
  3. When your meeting begins, select the white i icon in the bottom right corner and add a secure password. Without one, anyone who knows the room name can join your video chat.
  4. Press the copy to clipboard icon, then paste the meeting details to whoever you want to invite to your chat.

That’s it. A Jitsi Meet chat is that straightforward to get up and running.

Using the Jitsi Android or iOS App

You need to download the Android or iOS app to follow this section. The images are taken from the Android app, but the iOS app is the same.

Download: Jitsi Meet for Android | iOS (Both Free)

  1. Open the Jitsi Meet Android or iOS app.
  2. Type your meeting room name, then select Create/Join.
  3. Tap the three-dot settings menu in the bottom right corner, then drag the settings panel upward to reveal more options.
  4. Select Add meeting password, then add your secure password. Without one, anyone who knows the room name can join your video chat.
  5. From the same settings menu, select Invite someone. You can invite people from your contacts list, or share the meeting invitation on a different service.

There is one thing you should also note. The Jitsi meeting room doesn’t close automatically after the host leaves. No option appears to the host or other users to close the call, either.

Is Jitsi More Secure Than Zoom?

At the start of the COVID-19 pandemic, Zoom saw a drastic uptick in subscribers, rising from 10 million users to over 200 million users in just a few weeks. Suddenly, the eyes of the world were focusing on Zoom.

Unfortunately for Zoom, it wasn’t ready for the level of scrutiny that would follow. Privacy and security issues abound, and the management and development teams are left scrambling to fix a raft of issues.

Eric S. Yuan, chief executive of Zoom Video Communications, openly admits that the sudden stratospheric rise of Zoom caught the team napping. If not for the coronavirus, Zoom probably wouldn’t have taken such a deep dive into its security and privacy issues for some time.

But, what does that mean for Jitsi Meet? Is it truly more secure than Zoom?

Jitsi Meet has a few security and privacy measures that set it apart from Zoom. For one, Jitsi Meet is an open-source project, meaning anyone can download and vet its code. At the time of writing, there are no security warnings relating to Jitsi Meet sending data to external sources or leaking private information elsewhere.

The level of encryption is what most people want to know about. Jitsi Meet does not use end-to-end encryption (E2EE), like FaceTime, Signal, or WhatsApp. Because Jitsi Meet uses the WebRTC protocol, there is no way of implementing E2EE, at least not at the current time.

That doesn’t mean Jitsi Meet is insecure. Far from it. But there is a definite weak point in the privacy process, and that is the decryption and re-encryption of data on a Jitsi Meet server. The way around this is to install the Jitsi Meet software on a private server that you control, which means all of the data remains secure.

What’s the Best Video Conferencing App?

Many privacy advocates suggest using Jitsi Meet instead of Zoom or other video conferencing alternatives, including the Tor Project:

Other security researchers aren’t so sure, reasoning that although Jitsi Meet is open source, it still suffers from similar limitations to Zoom (as it uses similar protocols).

If you must use Zoom, check out these tips on how you can attempt to increase your security and privacy. But if you want a truly secure alternative, Signal allows fully encrypted video calling with a limited number of users.



Why it’s too early to start giving out “immunity passports”



Imagine, a few weeks or months from now, having a covid-19 test kit sent to your home. It’s small and portable, but pretty easy to figure out. You prick your finger as in a blood sugar test for diabetics, wait maybe 15 minutes, and bam—you now know whether or not you’re immune to coronavirus. 

If you are, you can request government-issued documentation that says so. This is your “immunity passport.” You are now free to leave your home, go back to work, and take part in all facets of normal life—many of which are in the process of being booted back up by “immunes” like yourself. 

Pretty enticing, right? Some countries are taking the idea seriously. German researchers want to send out hundreds of thousands of tests to citizens over the next few weeks to see who is immune to covid-19 and who is not, and certify people as being healthy enough to return to society. The UK, which has stockpiled over 17.5 million home antibody testing kits, has raised the prospect of doing something similar, although this has come under major scrutiny from scientists who have raised concerns that the test may not be accurate enough to be useful. As the pressure builds from a public that has been cooped up for weeks, more countries are looking for a way out of strict social distancing measures that doesn’t require waiting 12 to 18 months for a vaccine (if one even comes).

So how does immunity testing work? Very soon after infection by SARS-CoV-2, polymerase chain reaction (PCR) tests can be used to look for evidence of the virus in the respiratory tract. These tests work by greatly amplifying viral genetic material so we can verify what virus it comes from. But weeks or months after the immune system has fought the virus off, it’s better to test for antibodies.

About six to 10 days after viral exposure, the body begins to develop antibodies that bind and react specifically to the proteins found on SARS-CoV-2. The first antibody produced is called immunoglobulin M (IgM), which is short-lived and only stays in the bloodstream for a few weeks. The immune system refines the antibodies and just a few days later will start producing immunoglobulins G (IgG) and A (IgA), which are much more specific. IgG stays in the blood and can confer immunity for months, years, or a lifetime, depending on the disease it’s protecting against.

In someone who has survived infection with covid-19, the blood should, presumably, possess these antibodies, which will then protect against subsequent infection by the SARS-CoV-2 virus. Knowing whether someone is immune (and eligible for potential future certification) hinges on serological testing, drawing blood to look for signs of these antibodies. Get a positive test and, in theory, that person is now safe to walk the street again and get the economy moving. Simple.

Except it’s not. There are some serious problems with trying to use the tests to determine immunity status. For example, we still know very little about what human immunity to the disease looks like, how long it lasts, whether an immune response prevents reinfection, and whether you might still be contagious even after symptoms have dissipated and you’ve developed IgG antibodies. Immune responses vary greatly between patients, and we still don’t know why. Genetics could play a role.

“We’ve only known about this virus for four months,” says Donald Thea, a professor of global health at Boston University. “There’s a real paucity of data out there.” 

SARS-CoV-1, the virus that causes SARS and whose genome is about 76% similar to that of SARS-CoV-2, seems to elicit an immunity that lasts up to three years. Other coronaviruses that cause the common cold seem to elicit a far shorter immunity, although the data on that is limited—perhaps, says Thea, because there has been far less urgency to study them in such detail. It’s too early to tell right now where SARS-CoV-2 will fall in that time range. 

Even without that data, dozens of groups in the US and around the world are developing covid-19 tests for antibodies. Many of these are rapid tests that can be taken at the point of care or even at home, and deliver results in just a matter of minutes. One US company, Scanwell Health, has licensed a covid-19 antibody test from the Chinese company Innovita that can look for SARS-CoV-2 IgM and IgG antibodies through just a finger-prick blood sample and give results in 13 minutes. 

There are two key criteria we look for when we’re evaluating the accuracy of an antibody test. One is sensitivity, the ability to detect what it’s supposed to detect (in this case antibodies). The other is specificity, the ability to react only to the particular antibodies it is looking for and not to anything else. Scanwell’s chief medical officer, Jack Jeng, says clinical trials in China showed that the Innovita test achieved 87.3% sensitivity and 100% specificity (these results are unpublished). That means it will not target the wrong kind of antibodies and won’t deliver any false positives (people incorrectly deemed immune), but it will not be able to tag any antibodies in 12.7% of all the samples it analyzes—those samples would come up as false negatives (people incorrectly deemed not immune).

By comparison, Cellex, which is the first company to get a rapid covid-19 antibody test approved by the FDA, has a sensitivity of 93.8% and a specificity of 95.6%. Others are also trumpeting their own tests’ vital stats. Jacky Zhang, chairman and CEO of Beroni Group, says his company’s antibody test has a sensitivity of 88.57%, for example. Allan Barbieri of Biomerica says his company’s test is over 90% sensitive. The Mayo Clinic is making available its own covid-19 serological test to look for IgG antibodies, which Elitza Theel, the clinic’s director of clinical microbiology, says has 95% specificity.

The specificity and sensitivity rates work a bit like opposing dials. Increased sensitivity can reduce specificity by a bit, because the test is better able to react with any antibodies in the sample, even ones you aren’t trying to look for. Increasing specificity can lower sensitivity, because the slightest differences in the molecular structure of the antibodies (which is normal) could prevent the test from finding those targets. 

“It really depends on what your purpose is,” says Robert Garry, a virologist at Tulane University. Sensitivity and specificity rates of 95% or higher, he says, are considered a high benchmark, but those numbers are difficult to hit; 90% is considered clinically useful, and 80 to 85% is epidemiologically useful. Higher rates are difficult to achieve for home testing kits. 

But the truth is, a test that is 95% accurate isn’t much use at all. Even the smallest errors can blow up over a large population. Let’s say coronavirus has infected 5% of the population. If you test a million people at random, you ought to find 50,000 positive results and 950,000 negative results. But if the test is 95% sensitive and specific, the test will correctly identify only 47,500 positive results and 902,500 negative results. That leaves 50,000 people who have a false result. That’s 2,500 people who are actually positive—immune—but are not getting an immunity passport and must stay home. That’s bad enough. But even worse is that a whopping 47,500 people who are actually negative—not immune—could incorrectly test positive. Half of the 95,000 people who are told they are immune and free to go about their business might never have been infected yet.

Because we don’t know what the real infection rate is—1%, 3%, 5%, etc.—we don’t know how to truly predict what proportion of the immunity passports would be issued incorrectly. The lower the infection rate, the more devastating the effects of the antibody tests’ inaccuracies. The higher the infection rate, the more confident we can be that a positive result is real.
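As an added worked example (not part of the article), the arithmetic of the last two paragraphs in Python: it reproduces the one-million-person, 5% infection-rate case with a 95%/95% test, applies the same calculation to the vendor figures quoted above, and, going slightly beyond the text, solves for the infection rate at which 90% of positive results would be genuine. The population size and the infection rates other than 5% are assumptions chosen for illustration.

```python
"""Sensitivity, specificity and prevalence: how an antibody test's error rates
turn into false immunity passports.

Added example, not from the article. Test figures are those quoted in the
text; population size and the list of assumed infection rates are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Outcome:
    """Expected counts when a test is applied to a whole population."""
    true_pos: float    # immune, correctly told so
    false_neg: float   # immune, told not immune (must stay home)
    true_neg: float    # not immune, correctly told so
    false_pos: float   # not immune, wrongly given a passport

    @property
    def told_immune(self) -> float:
        return self.true_pos + self.false_pos

    @property
    def ppv(self) -> float:
        """Positive predictive value: share of 'immune' verdicts that are right."""
        return self.true_pos / self.told_immune if self.told_immune else 0.0


def run_test(population: int, prevalence: float,
             sensitivity: float, specificity: float) -> Outcome:
    """Expected confusion matrix for a test with the given sensitivity and
    specificity applied to `population` people, of whom a fraction
    `prevalence` actually carry the antibodies."""
    immune = population * prevalence
    not_immune = population - immune
    tp = immune * sensitivity          # sensitivity = P(positive | immune)
    tn = not_immune * specificity      # specificity = P(negative | not immune)
    return Outcome(tp, immune - tp, tn, not_immune - tn)


def ppv(prevalence: float, sensitivity: float, specificity: float) -> float:
    """Closed form of the same quantity: P(immune | positive result)."""
    tp = sensitivity * prevalence
    fp = (1.0 - specificity) * (1.0 - prevalence)
    return tp / (tp + fp) if tp + fp else 0.0


def prevalence_needed(target_ppv: float, sensitivity: float,
                      specificity: float) -> float:
    """Smallest infection rate at which PPV reaches `target_ppv`.
    Solves se*p / (se*p + (1-sp)*(1-p)) >= t for p (beyond the article)."""
    fp_rate = 1.0 - specificity
    denom = sensitivity * (1.0 - target_ppv) + target_ppv * fp_rate
    return (target_ppv * fp_rate / denom) if denom else 0.0


# Figures quoted in the article (vendor-reported, unpublished where noted).
TESTS = {
    "hypothetical 95/95": (0.95, 0.95),
    "Innovita (Scanwell)": (0.873, 1.00),
    "Cellex": (0.938, 0.956),
}

# Assumed infection rates, chosen to show the "lower rate, worse result" effect.
ASSUMED_RATES = (0.01, 0.03, 0.05, 0.20)


def ppv_table(sensitivity: float, specificity: float) -> dict:
    return {p: ppv(p, sensitivity, specificity) for p in ASSUMED_RATES}


if __name__ == "__main__":
    r = run_test(1_000_000, 0.05, 0.95, 0.95)   # the article's worked case
    print(f"TP={r.true_pos:,.0f} FN={r.false_neg:,.0f} "
          f"TN={r.true_neg:,.0f} FP={r.false_pos:,.0f}")
    print(f"{r.told_immune:,.0f} told immune; only {r.ppv:.0%} of them are")
    for name, (se, sp) in TESTS.items():
        rows = ", ".join(f"{p:.0%} -> PPV {v:.1%}" for p, v in ppv_table(se, sp).items())
        need = prevalence_needed(0.90, se, sp)
        print(f"{name}: {rows}; need {need:.1%} infected for 90% PPV")
```

With a 95%/95% test, 90% of positive results are only genuine once roughly a third of the population has actually been infected.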

And people with false positive results would unwittingly be walking hazards who could become infected and spread the virus, whether they developed symptoms or not. A certification system would have to test people repeatedly for several weeks before they could be issued a passport to return to work—and even then, this would only reduce the risk, not eliminate it outright.

As mentioned, cross-reactivity with other antibodies, especially ones that target other coronaviruses, is another concern. “There are six different coronaviruses known to infect humans,” says Thea. “And it’s entirely possible if you got a garden-variety coronavirus infection in November, and you did not get covid-19, you could still test positive for the SARS-CoV-2 antibodies.” 

Lee Gehrke, a virologist and biotechnology researcher at Harvard and MIT, whose company E25Bio is also developing serological tests for covid-19, raises another issue. “It’s not yet immediately clear,” he says, “that the antibodies these tests pick up are neutralizing.” In other words, the antibodies detected in the test may not necessarily act against the virus to stop it and protect the body—they simply react to it, probably to tag the pathogen for destruction by other parts of the immune system. 

Gehrke says he favors starting with a smaller-scale, in-depth study of serum samples from confirmed patients that defines more closely what the neutralizing antibodies are. This would be an arduous trial, “but I think it would be much more reassuring to have this done in the US before we take serological testing to massive scale,” he says.

Alan Wells, the medical director of clinical laboratories at the University of Pittsburgh Medical Center, raises a similar point. He says that some patients who survive infection and are immune may simply not generate the antibodies you’re looking for. Or they may generate them at low levels that do not actually confer immunity, as some Chinese researchers claim to have found.

“I would shudder to use IgM and IgG testing to figure out who’s immune and who’s not,” says Wells. “These tests are not ready for that.” 

Even if the technology is more accurate, it might still simply be too early to start certifying immunity just to open up the economy. Chris Murray from the University of Washington’s Institute for Health Metrics and Evaluation told NPR his group’s models predict that come June, “at least 95% of the US will still be susceptible to the virus,” leaving them vulnerable to infection by the time a possible second wave comes around in the winter. Granting immunity passports to less than 5% of the workforce may not be all that worthwhile. 

Theel says that instead of being used to issue individual immunity passports, serology tests could be deployed en masse, over a long period of time, to see if herd immunity has set in—lifting or easing restrictions wholesale after 60 to 70% of a community’s population tests positive for immunity. There are a few case studies that hold promise. San Miguel County in Colorado has partnered with biotech company United Biomedical in an attempt to serologically test everyone in the county. The community is small and isolated, and therefore easier to test comprehensively. Iceland has been doing the same thing across the country. 

This would require a massively organized effort to pull off well in highly populated areas, and it’s not clear whether the decentralized American health-care system could do it. But it’s probably worth thinking about if we hope to reopen whole economies, and not just give a few individuals a get-out-of-jail-free card. 

Not everyone is so skeptical about using serological testing on a case-by-case basis. Thea thinks the data right now suggests SARS-CoV-2 should behave like its close cousin SARS-CoV-1, resulting in an immunity that lasts for maybe a couple of years. “With that in mind, it’s not unreasonable to identify individuals who are immune from reinfection,” he says. “We can have our cake and eat it too. We can begin to repopulate the workforce—most importantly the health-care workers.” For instance, in hard-hit cities like New York that are suffering from a shortage of health-care workers, a serological test could help nurses and doctors figure out who might be immune, and therefore better equipped to work in the ICU or conduct procedures that put them at a high risk of exposure to the virus, until a vaccine comes along.

And at the very least, serological testing is potentially useful because many covid-19 cases present, at most, only mild symptoms that don’t require any kind of medical intervention. About 18% of infected passengers on the Diamond Princess cruise ship showed no symptoms whatsoever, suggesting there may be a huge number of asymptomatic cases. These people almost certainly aren’t being tested (CDC guidelines for covid-19 testing specifically exclude those without symptoms). But their bodies are still producing antibodies that should be detectable long after the infection is cleared. If they develop immunity to covid-19 that’s provable, then in theory, they could freely leave the house once again. 

For now, however, there are too many problems and unknowns to use antibody testing to decide who gets an immunity passport and who doesn’t. Countries now considering it might find out they will either have to accept enormous risks or simply sit tight for longer than initially hoped.

Correction: The initial version of the story incorrectly stated: “The higher the infection rate, the more devastating the effects of the antibody tests’ inaccuracies.” A higher infection rate would actually produce more confident antibody test results. We regret the error.
