
Methods & Tools


Open Source

Congratulations to the Open IoT Challenge 3.0 Winners!

Eclipse News - Thu, 03/16/2017 - 17:15
Eclipse IoT is pleased to announce the winners of the third annual Open IoT Challenge.
Categories: Open Source

Accessing and Managing Third-Party Libraries

DevX: Open Source Articles - Mon, 03/13/2017 - 21:49
Learn about package management in your programming language and take advantage of all the goodness that's out there.
Categories: Open Source

Projects of the Week, March 13, 2017

Front page news - Mon, 03/13/2017 - 05:05

Here are the featured projects for the week, which appear on the front page of


GnuCash is a personal and small-business finance manager with a check-book like register GUI to enter and track bank accounts, stocks, income and expenses. GnuCash is designed to be simple and easy to use but still based on formal accounting principles.
[ Download GnuCash ]

Money Manager Ex

Money Manager Ex (mmex) is an easy to use, money management application. It is a personal finance manager. It can be used to track your net worth, income vs expenses etc. It runs on Windows, Linux and Mac OSX.
[ Download Money Manager Ex ]

Ultimate Edition

Ultimate Edition Linux, previously “Ubuntu Ultimate Edition”. We cater to a large base of *nix users including, but certainly not limited to, gamers and low-resource computers. We have an Ultimate Edition for virtually any user.
[ Download Ultimate Edition ]


Change is good, but changing everything isn’t always great. The same is true for aging computers and their operating systems. Support is sometimes lost too quickly with a 6-month core release cycle. Graphics and audio cards and chipsets get dropped, along with other miscellaneous functions, as programs or drivers just go missing. We all like having updated software, but we certainly don’t like downtime or loss of features and capabilities. I believe most aging hardware just needs the right system on it, and let’s face it, it helps keep a couple of bucks in your pocket if you can squeeze a few more years out of your current system without sacrificing performance, capability, usability and, of course, aesthetics.
[ Download LXLE ]


rEFInd is a fork of the rEFIt boot manager. Like rEFIt, rEFInd can auto-detect your installed EFI boot loaders and it presents a pretty GUI menu of boot options. rEFInd goes beyond rEFIt in that rEFInd better handles systems with many boot loaders, gives better control over the boot loader search process, and provides the ability for users to define their own boot loader entries.
[ Download rEFInd ]

Maui Linux

Maui is a full desktop Linux distribution, that ships with the Plasma Shell workspace and many Open Source applications.
[ Download Maui Linux ]


GPerftools (formerly Google Performance Tools) is a collection of a high-performance multi-threaded malloc() implementation, plus some pretty nifty performance analysis tools useful for creating more robust applications. These tools can be especially useful when developing multi-threaded applications in C++ with templates. Among these tools are TCMalloc, a thread-friendly heap-checker, heap-profiler and cpu-profiler.
[ Download GPerftools ]


This is the download repository for TenFourFox, the Firefox port for Power Macintosh computers running 10.4 and 10.5. TenFourFox is not an official Mozilla product and is not a Mozilla-maintained build of Firefox. PowerPC forever! Our SF repo is only for hosting our current and future downloads at this time (thanks, SourceForge!); Github hosts our wiki, FAQ and issue tracker: Do not open trouble tickets here — they will be DELETED. If you are an end-user requiring support, please visit our Tenderapp support ticketing site: Read the TenFourFox Development blog for what’s next:
[ Download TenFourFox ]

winPenPack: Portable Software Collection

winPenPack is a project that aims at collecting the most frequently used and most popular open source applications made portable, so that they can be executed without installation from any USB Flash Drive or Hard Disk. The winPenPack suites offer a wide range of portable applications like office tools, internet tools, multimedia tools, development tools, security applications and other frequently used utilities. Everything you need, completely free, open source and portable!
[ Download winPenPack: Portable Software Collection ]

Categories: Open Source

Last week | Complete the IoT Developer Survey 2017

Eclipse News - Fri, 03/10/2017 - 18:25
Now's the time. Get your answers in and your voice heard! Complete the survey today.
Categories: Open Source

Getting ready for Google Summer of Code 2017

Google Open Source Blog - Fri, 03/10/2017 - 17:48
Spring is just around the corner here in the Northern Hemisphere and Google Summer of Code is fast approaching. If you are a student interested in participating this year, now is the time to prepare -- read on for tips on how to get ready.

This year we’ve accepted 201 open source organizations into the program, nearly 40 of which are new to the program. The organizations cover a wide range of topics including (but certainly not limited to!):

  • Operating systems
  • Web application frameworks
  • Healthcare and bioinformatics
  • Music and graphic design
  • Machine learning
  • Robotics
  • Security

How should you prepare for Google Summer of Code? While student applications don’t open until March 20th at 16:00 UTC, you need to decide which projects you’re interested in and what you’ll propose. You should also communicate with those projects to learn more before you apply.

Start by looking at the list of participating projects and organizations. You can explore by searching for specific names or technologies, or filtering by topics you are interested in. Follow the “Learn More” link through to each organization’s page for additional information.

Once you’ve identified the organizations that you’re interested in, take a look at their ideas list to get a sense of the specific projects you could work on. Typically, you will choose a project from that list and write a proposal based on that idea, but you could also propose something that’s not on that list.

You should reach out to the organizations after you’ve decided what you want to work on. Doing this can make the difference between a good application and a great application.

Whatever you do, don’t wait until March 20th to begin preparing for Google Summer of Code! History has shown that students who reach out to organizations before the start of the application period have a higher chance of being accepted into the program, as they have had more time to talk to the organizations and understand what they are looking for with the project.

If you have any questions along the way, take a look at the Student Manual, FAQ and Timeline. If you can’t find the answer to your question, try taking your question to the mailing list.

By Josh Simmons, Open Source Programs Office
Categories: Open Source

The Many Ways Open Source Software Gives SMBs an Edge over Larger Companies

Front page news - Fri, 03/10/2017 - 06:37

Size doesn’t matter. Not when you’ve got open source software on your side.

More and more small to medium-sized businesses (SMBs) are realizing that with open source software, their smaller size is no longer a hindrance. On the contrary, being a small business equipped with open source software may just give them the upper hand over larger companies. How so? It’s because open source is:

Easier on the Budget

Compared to big business proprietary software, open source software is way more budget-friendly. Basic software packages are free and even with paid additional features and services, they would still cost a lot less. This frees SMB budgets for other areas of business development.

Offers More Customization

Being open source means being able to change aspects of the software freely to suit specific business needs. SMBs need to stand out in order to compete with larger companies, and being able to customize their software and consequently their service helps them do exactly that. They are able to provide a more personalized and unique experience or service, gaining clients’ or customers’ attention and loyalty.

Encourages Collaboration that Fosters Faster Development

Open source software development is a highly collaborative effort among projects, developers and users. With such diverse groups involved and working together, the software becomes far easier to improve, to build onto existing software, and to adapt quickly to new technology and changing needs, things that often come at a much slower pace with restrictive big-business proprietary software.

Provides Access to Bigger and Better Tools

Open source software provides SMBs with the tools they need to compete on a larger scale and enables them to leverage data from established brands like Twitter and Facebook. And since it also enables small companies to be more agile, it allows them to take advantage of new tools and technology before others, particularly large companies tied to proprietary software.

Allows More Focus on Creativity and Innovation

With more business resources freed from the task of developing software, the focus turns to innovation. Creativity flourishes among SMBs as they are more able to create competitive alternatives to standard technology and proprietary software. They can set themselves up to be more distinctive and forward-thinking than their bigger competitors.

If you’re currently developing or are planning to develop open source software it would be helpful to keep SMBs in mind. With the many benefits your software can offer SMBs, this segment will most likely make up a significant portion of your software’s users.

Categories: Open Source

dbMigration .NET v5 released

PostgreSQL News - Fri, 03/10/2017 - 01:00

dbMigration .NET v5 is a simple, easy and intuitive multiple-database migration and sync tool. With it you can easily migrate schema and data between different databases without complicated procedures.

Supported databases: PostgreSQL, SQL Server, SQL Azure, LocalDB, MySQL, Oracle, IBM DB2, Informix, Vertica, NuoDB, Teradata, Sybase ASE, Firebird, SQLite, SQLCe, VistaDB, Access, dBase, FoxPro, Text, Excel, ODBC, OleDB...etc.

Free, All-In-One, Portable, Single executable file and Multi-language.

Major New features from version 3.8 to 5.0 (2016/10/01~2017/03/10):

  • Added support for PostgreSQL <-> VistaDB migration
  • Added support for PostgreSQL error detail message
  • Added support for PostgreSQL (one/two) dimensional arrays
  • Added Multi-Language UI (Options->Language)
  • Added Automatically generate foreign keys (PG)
  • Ability to add custom delimited file extensions
  • Improved Migrating VIEWS/FUNCTIONS/SEQUENCES definitions (PG->PG)
  • Improved Data Synchronization
  • Improved Automatic Mapping Types (UDT)
  • Improved Custom Mapping Types
  • Improved Command-Line
  • Compiled with Visual Studio 2017
  • ...and more
The new version is immediately available for download.
Categories: Database, Open Source

Another option for file sharing

Google Open Source Blog - Wed, 03/08/2017 - 17:59
Originally posted on the Google Security Blog

Existing mechanisms for file sharing are so fragmented that people waste time on multi-step copying and repackaging. With the new open source project Upspin, we aim to improve the situation by providing a global name space to name all your files. Given an Upspin name, a file can be shared securely, copied efficiently without "download" and "upload", and accessed by anyone with permission from anywhere with a network connection.

Our target audience is personal users, families, or groups of friends. Although Upspin might have application in enterprise environments, we think that focusing on the consumer case enables easy-to-understand and easy-to-use sharing.

File names begin with the user's email address followed by a slash-separated Unix-like path name:
Any user with appropriate permission can access the contents of this file by using Upspin services to evaluate the full path name, typically via a FUSE filesystem so that unmodified applications just work. Upspin names usually identify regular static files and directories, but may point to dynamic content generated by devices such as sensors or services.

If the user wishes to share a directory (the unit at which sharing privileges are granted), she adds a file called Access to that directory. In that file she describes the rights she wishes to grant and the users she wishes to grant them to. For instance,

allows Joe and Mae to read any of the files in the directory holding the Access file, and also in its subdirectories. As well as limiting who can fetch bytes from the server, this access is enforced end-to-end cryptographically, so cleartext only resides on Upspin clients, and use of cloud storage does not extend the trust boundary.

Upspin looks a bit like a global file system, but its real contribution is a set of interfaces, protocols, and components from which an information management system can be built, with properties such as security and access control suited to a modern, networked world. Upspin is not an "app" or a web service, but rather a suite of software components, intended to run in the network and on devices connected to it, that together provide a secure, modern information storage and sharing network. Upspin is a layer of infrastructure that other software and services can build on to facilitate secure access and sharing. This is an open source contribution, not a Google product. We have not yet integrated with the Key Transparency server, though we expect to eventually, and for now use a similar technique of securely publishing all key updates. File storage is inherently an archival medium without forward secrecy; loss of the user's encryption keys implies loss of content, though we do provide for key rotation.

It’s early days, but we’re encouraged by the progress and look forward to feedback and contributions. To learn more, see the GitHub repository at Upspin.

By Andrew Gerrand, Eric Grosse, Rob Pike, Eduardo Pinheiro and Dave Presotto, Google Software Engineers
Categories: Open Source

By maintainers, for maintainers: Wontfix_Cabal

Google Open Source Blog - Mon, 03/06/2017 - 19:00
The Google Open Source Programs Office likes to highlight events we support, organize, or speak at. In this case, Google’s own Jess Frazelle was responsible for running a unique event for open source maintainers.

This year I helped organize the first inaugural Wontfix_Cabal. The conference was organized by open source software maintainers for open source software maintainers. Our initial concept was an unconference where attendees could discuss topics candidly with their peers from other open source communities.

The idea for the event stemmed from the response to a blog post I published about closing pull requests. The response was overwhelming, with many maintainers commiserating and sharing lessons they had learned. It seemed like we could all learn a lot from our peers in other projects -- if we had the space to do so -- and it was clear that people needed a place to vent.

Major thanks to Katrina Owen and Brandon Keepers from GitHub who jumped right in and provided the venue we needed to make this happen. Without their support this would’ve never become a reality!

It was an excellent first event and the topics discussed were wide ranging, including:
  • How to deal with unmaintained projects
  • Collecting metrics to judge project health
  • Helping newcomers
  • Dealing with backlogs
  • Coping with, and minimizing, toxic behavior in our communities

Never have I seen so many open source maintainers in one place. Thanks @wontfix_, this is amazing
— Gregor (@gr2m), February 15, 2017
The discussion around helping newcomers focused on creating communities with welcoming and productive cultures right from the start. I was fascinated to learn that some projects pre-fill issues before going public so as to set the tone for the future of the project. Another good practice is clearly defining how one becomes a maintainer or gets commit access. There should be clear rules in place so people know what they have to do to succeed.

Another discussion I really liked focused on “saying no.” Close fast and close early was a key takeaway. There’s no sense in letting a contribution sit waiting when you know it will never be accepted. Multiple projects found that having a bot give the hard news was always better than having the maintainer do it. This way it is not personal, just a regular part of the process.

One theme seen in multiple sessions: “Being kind is not the same as being nice.” The distinction here is that being nice comes from a place of fear and leads people to bend over backwards just to please. Being kind comes from a place of strength, from doing the right thing.

Summaries of many of the discussions have been added to the GitHub repo if you would like to read more.

After the event concluded many maintainers got right to work, putting what they had learned into practice. For instance, Rust got help from the Google open source fuzzing team.

Flurry of internal emails following up on ideas from @wontfix_: all sent! Now it's time to start on some PRs.
— Rainer Sigwald (@Tashkant), February 22, 2017
Our goal was to put together a community of maintainers that could support and learn from each other. When I saw Linux kernel maintainers talking to people who work on Node and JavaScript, I knew we had achieved that goal. Laura Abbott, one of those kernel developers, wrote a blog post about the experience.

Not only was the event useful, it was also a lot of fun. Meeting maintainers, people who care a great deal about open source software, from such a diverse group of projects was great. Overall, I think our initial run was a success! Follow us on Twitter to find out about future events.

By Jess Frazelle, Software Engineer
Categories: Open Source

Eclipse IoT Day - San Jose 2017

Eclipse News - Mon, 03/06/2017 - 12:10
Seats are filling-up! Register for the Eclipse IoT Day on March 20.
Categories: Open Source

Projects of the Week, March 6, 2017

Front page news - Mon, 03/06/2017 - 06:25

Here are the featured projects for the week, which appear on the front page of

Linux Lite

By producing an easy to use Linux based Operating System, we hope that people will discover just how simple it can be to use Linux Lite. Linux Lite is free for everyone to use and share, and suitable for people who are new to Linux or for people who want a lightweight environment that is also fully functional. Linux Lite is based on the Ubuntu LTS series giving you 5 years of support per major release. The following software is included: LibreOffice Suite, VLC Media Player, Firefox Web Browser, Thunderbird Email, Gimp Image Editor, Lite Themes, Lite User Manager, Lite Software, Lite Tweaks, Lite Welcome, Lite Manual, Whiskermenu and more. Laptop/Ultrabook/Netbook users: If the screen locks during Live mode, type ‘linux’ into the user box and click on the Login button (no password required)
[ Download Linux Lite ]

Bodhi Linux

Bodhi is a minimalistic, enlightened, Linux desktop.
[ Download Bodhi Linux ]

Google Apps Manager

Google Apps Manager or GAM is a free and open source command line tool for Google G Suite Administrators that allows them to manage many aspects of their Google Apps Account quickly and easily. With GAM you can create and manage users, groups and domains; manage email, security and calendar settings; manage admins and organizations and many more.

To use GAM Google Apps Business, Education, Partner or Government Edition is required.
[ Download Google Apps Manager ]


digiCamControl is free and open source software. It saves you time by transferring images directly from your camera to your computer as you take each shot, and it also lets you control the camera’s shooting parameters.
[ Download digiCamControl ]

Super Audio CD Decoder

Super Audio CD Decoder input plugin for foobar2000. Decoder is capable of playing back Super Audio CD ISO images, DSDIFF, DSF and DSD WavPack files. Direct DSD playback for compatible devices.
[ Download Super Audio CD Decoder ]


Skim is a PDF reader and note-taker for OS X. It is designed to help you read and annotate scientific papers in PDF, but is also great for viewing any PDF file. Skim requires Mac OS X 10.6 or higher.
[ Download Skim ]


MediaPortal turns your PC into a very advanced MediaCenter / HTPC. It allows you to listen to your favorite music & radio, watch and store your videos and DVDs, view, schedule and record live TV as a digital video recorder and much much more.
[ Download MediaPortal ]


We believe that free/open source software is enough; we don’t need pirated software on Windows. But most of these aren’t portable, or provided by due to .NET dependencies, 64-bit etc. So we provide what’s missing here. Software publishers who wish their portablized software taken down can tip us through or We promise to take it down without questions, but please be patient—we might not be able to respond promptly, but we eventually *will* …thanks for your patience, and sorry for being such a #naughty uploader

Categories: Open Source

Dojo 1.12.2 and various backports released!

The Dojo Toolkit - Announcements - Sun, 03/05/2017 - 18:37

Today we’ve released Dojo 1.12.2, 1.11.4, 1.10.8, 1.9.11, 1.8.14, 1.7.12, 1.6.5, 1.5.6, and 1.4.8, which consists of bug and regression fixes reported since our last batch of releases in December.

One change has been made, which is that cross-domain support for the Flash version of dojox/storage has been removed due to a reported security vulnerability. If you are using the Flash-based version of dojox/storage, please note this change in behavior. Thanks to Enguerran Gillier for reporting this issue.

New releases are available at or via npm.

Releases will also be available via the Google CDN once they’ve had a chance to deploy the updates.

Categories: Open Source, RIA

March 2017, “Staff Pick” Project of the Month – Outlook CalDav Synchronizer

Front page news - Fri, 03/03/2017 - 06:05

For our March “Staff Pick” Project of the Month, we selected Outlook CalDav Synchronizer, a free Outlook Plugin that synchronizes events, tasks and contacts between Outlook and Google, SOGo, Horde or any other CalDAV or CardDAV server. Developer Alexander Nimmervoll shared some thoughts about the project’s history, purpose, and direction.

SourceForge (SF): Tell me about the Outlook CalDav Synchronizer project please.
Alexander Nimmervoll (AN): Outlook CalDav Synchronizer is the only open source Outlook plugin that offers two-way sync for CalDAV calendars and tasks, CardDAV contacts and can also handle the Google native Contacts and Tasks API. Supported Outlook versions are 2007-2016. It handles Outlook categories, mapping CalDAV server colors to Outlook category colors and syncing calendars and tasks to the categories. The plugin also handles different timezones and recurring events with exceptions and can deal with Outlook custom properties.

SF: What made you start this?
AN: The first proof of concept of this project was started in 2015 as a master thesis project at the University of Applied Sciences Technikum Wien, Software Engineering Degree program. Motivated by the lack of free sync solutions, the goal was to develop an easy-to-use tool which can sync almost any CalDAV or CardDAV server with Outlook, with a special focus on performance.

SF: Has the original vision been achieved?
AN: Definitely, we get a lot of positive feedback from the community and many reviews which say that our solution is the best CalDAV/CardDAV Outlook plugin on the market.

SF: Who can benefit the most from your project?
AN: Everyone who wants to integrate Outlook with an open groupware service, whether it’s a self-hosted family calendar server for three users or an open source Exchange server replacement for 5000 users in an enterprise deployment.

SF: What core need does Outlook CalDav Synchronizer fulfill?
AN: Outlook CalDav Synchronizer is the missing link in Open Source Exchange Server replacement.

SF: What’s the best way to get the most out of using Outlook CalDav Synchronizer?
AN: Use Outlook 2013 or higher with the latest .NET framework and one of the preconfigured server account types of a supported server solution. Fine-tune the advanced settings to your needs and read the documentation, or use an automatic deployment via Active Directory group policies in an enterprise environment.

SF: What has your project team done to help build and nurture your community?
AN: We try to provide fast responses to questions, bug reports and work closely together with many server vendors.

SF: Have you all found that more frequent releases help build up your community of users?
AN: Yes, we try to fix reported bugs fast and released quite frequently in the past, but users also have the freedom to turn off automatic search for updates of course. The average release schedule is one release every two weeks at the moment.

SF: What was the first big thing that happened for your project?
AN: When we realized that big German universities recommend our plugin to their Outlook users and more and more positive reviews and press coverage showed up in late 2015 and beginning of 2016.

SF: What helped make that happen?
AN: The project would never have been such a success without the experience and passion of Gerhard Zehetbauer, the main developer of the project.

SF: How has SourceForge and its tools helped your project reach that success?
AN: SourceForge helped to make the project known to the community and provides easy ways to ask questions and report issues.

SF: What is the next big thing for Outlook CalDav Synchronizer?
AN: We started a collaboration with Nextcloud in late 2016 and are in contact with more server vendors like SOGo, and plan to offer enterprise support this year.

SF: How long do you think that will take?
AN: It is already work in progress.

SF: Do you have the resources you need to make that happen?
AN: Since we lack full-time contributors it’s always hard to find enough time for all the ideas and feature requests of the project.

SF: If you had to do it over again, what would you do differently for Outlook CalDav Synchronizer?
AN: Nothing really, since the design decisions and the goal of the project were well defined and structured at the beginning.

SF: Is there anything else we should know?
AN: Well, we are asked this a lot, unfortunately there is no Mac OS X version of the project and since C# VSTO Outlook addins aren’t even supported, we also have no plans in that direction.

[ Download Outlook CalDav Synchronizer ]

Categories: Open Source

Google Cloud Tools for Eclipse

Date Created: Thu, 2017-03-02 15:40
Date Updated: Wed, 2017-05-17 12:42
Google Inc.
Submitted by: Elliotte Rusty Harold

Cloud Tools for Eclipse is a Google-sponsored open source plugin that supports the Google Cloud Platform. Cloud Tools for Eclipse enables you to create, import, edit, build, run, debug, and deploy Java servlet applications for the App Engine Standard environment without leaving Eclipse.

Categories: Open Source

Introducing Python Fire, a library for automatically generating command line interfaces

Google Open Source Blog - Thu, 03/02/2017 - 19:00
Today we are pleased to announce the open-sourcing of Python Fire. Python Fire generates command line interfaces (CLIs) from any Python code. Simply call the Fire function in any Python program to automatically turn that program into a CLI. The library is available from PyPI via `pip install fire`, and the source is available on GitHub.

Python Fire will automatically turn your code into a CLI without you needing to do any additional work. You don't have to define arguments, set up help information, or write a main function that defines how your code is run. Instead, you simply call the `Fire` function from your main module, and Python Fire takes care of the rest. It uses inspection to turn whatever Python object you give it -- whether it's a class, an object, a dictionary, a function, or even a whole module -- into a command line interface, complete with tab completion and documentation, and the CLI will stay up-to-date even as the code changes.

To illustrate this, let's look at a simple example.

#!/usr/bin/env python
import fire

class Example(object):
    def hello(self, name='world'):
        """Says hello to the specified name."""
        return 'Hello {name}!'.format(name=name)

def main():
    # Hand the class to Fire: it inspects Example and exposes its methods
    # (here `hello`) as subcommands, with their parameters as flags.
    fire.Fire(Example)

if __name__ == '__main__':
    main()
When the Fire function is run, our command will be executed. Just by calling Fire, we can now use the Example class as if it were a command line utility.

$ ./ hello
Hello world!
$ ./ hello David
Hello David!
$ ./ hello --name=Google
Hello Google!

Of course, you can continue to use this module like an ordinary Python library, enabling you to use the exact same code both from Bash and Python. If you're writing a Python library, then you no longer need to update your main method or client when experimenting with it; instead you can simply run the piece of your library that you're experimenting with from the command line. Even as the library changes, the command line tool stays up to date.

At Google, engineers use Python Fire to generate command line tools from Python libraries. We have an image manipulation tool built by using Fire with the Python Imaging Library, PIL. In Google Brain, we use an experiment management tool built with Fire, allowing us to manage experiments equally well from Python or from Bash.

Every Fire CLI comes with an interactive mode. Run the CLI with the `--interactive` flag to launch an IPython REPL with the result of your command, as well as other useful variables already defined and ready to use. Be sure to check out Python Fire's documentation for more on this and the other useful features Fire provides.

Between Python Fire's simplicity, generality, and power, we hope you find it a useful library for your own projects.

By David Bieber, Software Engineer on Google Brain
Categories: Open Source

Operation Rosehub

Google Open Source Blog - Thu, 03/02/2017 - 18:19
Twelve months ago, a team of 50 Google employees used GitHub to patch the “Apache Commons Collections Deserialization Vulnerability” (or the “Mad Gadget vulnerability” as we call it) in thousands of open source projects. We recently learned why our efforts were so important.

The San Francisco Municipal Transportation Agency had their software systems encrypted and shut down by an avaricious hacker. The hacker used that very same vulnerability, according to reports of the incident. He demanded a Bitcoin ransom from the government. He threatened to leak the private data he stole from San Francisco’s citizens if his ransom wasn’t paid. This was an attack on our most critical public infrastructure; infrastructure which underpins the economy of a major US city.

Mad Gadget is one of the most pernicious vulnerabilities we’ve seen. By merely existing on the Java classpath, seven “gadget” classes in Apache Commons Collections (versions 3.0, 3.1, 3.2, 3.2.1, and 4.0) make object deserialization for the entire JVM process Turing complete with an exec function. Since many business applications use object deserialization to send messages across the network, it would be like hiring a bank teller who was trained to hand over all the money in the vault if asked to do so politely, and then entrusting that teller with the key. The only thing that would keep a bank safe in such a circumstance is that most people wouldn’t consider asking such a question.

The announcement of Mad Gadget triggered the Cambrian explosion of enterprise security disclosures. Oracle, Cisco, Red Hat, Jenkins, VMware, IBM, Intel, Adobe, HP and SolarWinds all formally disclosed that they had been impacted by this issue.

But unlike big businesses, open source projects don’t have people on staff to read security advisories all day and instead rely on volunteers to keep them informed. It wasn’t until five months later that a Google employee noticed several prominent open source libraries had not yet heard the bad news. Those projects were still depending on vulnerable versions of Collections. So back in March 2016, she started sending pull requests to those projects updating their code. This was easy to do and usually only required a single line change. With the help of GitHub’s GUI, any individual can make such changes to anyone’s codebase in under a minute. Given how relatively easy the changes seemed, she recruited more colleagues at Google to help the cause. As more work was completed, it was apparent that the problem was bigger than we had initially realized.

For instance, when patching projects like the Spring Framework, it was clear we weren’t just patching Spring but also patching every project that depended on Spring. We were furthermore patching all the projects that depended on those projects and so forth. But even once those users upgraded, they could still be impacted by other dependencies introducing the vulnerable version of Collections. To make matters worse, build systems like Maven cannot be relied upon to evict old versions.

This was when we realized the particularly viral nature of Mad Gadget. We came to the conclusion that, in order to improve the health of the global software ecosystem, the old version of Collections should be removed from as many codebases as possible.

We used BigQuery to assess the damage. It allowed us to write a SQL query with regular expressions that searched all the public code on GitHub in a couple of minutes.

SELECT pop, repo_name, path
FROM (
  SELECT id, repo_name, path
  FROM `bigquery-public-data.github_repos.files` AS files
  WHERE path LIKE '%pom.xml' AND
    EXISTS (
      SELECT 1
      FROM `bigquery-public-data.github_repos.contents`
      WHERE content LIKE '%commons-collections<%' AND
        content LIKE '%>3.2.1<%' AND
        id = files.id
    )
)
JOIN (
  SELECT
    difference.new_sha1 AS id,
    ARRAY_LENGTH(repo_name) AS pop
  FROM `bigquery-public-data.github_repos.commits`
  CROSS JOIN UNNEST(difference) AS difference
)
USING (id)
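As an added example (not code from the post, and not Google's Rosie tooling), the same direct-reference check run locally over a single pom.xml instead of over the BigQuery dataset; it assumes the standard Maven POM namespace, and the sample pom is constructed:

```python
"""Find direct references to Mad Gadget-affected Commons Collections
releases in a Maven pom.xml. Added example, not Google's tooling; it
assumes the standard POM namespace and the sample pom is constructed."""
import xml.etree.ElementTree as ET

# Versions the post names as shipping the gadget classes.
VULNERABLE = {
    ("commons-collections", "commons-collections"): {"3.0", "3.1", "3.2", "3.2.1"},
    ("org.apache.commons", "commons-collections4"): {"4.0"},
}
NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def _field(dep, tag, props):
    """Read a child element's text, resolving a ${property} reference."""
    node = dep.find(f"m:{tag}", NS)
    value = (node.text or "").strip() if node is not None else ""
    if value.startswith("${") and value.endswith("}"):
        value = props.get(value[2:-1], value)
    return value


def find_vulnerable(pom_xml: str):
    """Return (groupId, artifactId, version) for each affected dependency."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.rsplit("}", 1)[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    hits = []
    # iter() also covers entries under <dependencyManagement>.
    for dep in root.iter(f"{{{NS['m']}}}dependency"):
        g, a, v = (_field(dep, t, props) for t in ("groupId", "artifactId", "version"))
        if v in VULNERABLE.get((g, a), set()):
            hits.append((g, a, v))
    return hits


# Constructed sample: one affected 3.2.1 (via a property) and one clean 4.1.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><collections.version>3.2.1</collections.version></properties>
  <dependencies>
    <dependency><groupId>commons-collections</groupId>
      <artifactId>commons-collections</artifactId>
      <version>${collections.version}</version></dependency>
    <dependency><groupId>org.apache.commons</groupId>
      <artifactId>commons-collections4</artifactId>
      <version>4.1</version></dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for g, a, v in find_vulnerable(SAMPLE_POM):
        print(f"affected: {g}:{a}:{v}")
```

Like the BigQuery query, this only finds poms that reference an affected version directly; a vulnerable Collections pulled in transitively, which the post describes as the harder case, only shows up in the resolved dependency tree (for example `mvn dependency:tree`).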

We were alarmed when we discovered 2,600 unique open source projects that still directly referenced insecure versions of Collections. Internally at Google, we have a tool called Rosie that allows developers to make large scale changes to codebases owned by hundreds of different teams. But no such tool existed for GitHub. So we recruited even more engineers from around Google to patch the world’s code the hard way.

Ultimately, security rests within the hands of each developer. However we felt that the severity of the vulnerability and its presence in thousands of open source projects were extenuating circumstances. We recognized that the industry best practices had failed. Action was needed to keep the open source community safe. So rather than simply posting a security advisory asking everyone to address the vulnerability, we formed a task force to update their code for them. That initiative was called Operation Rosehub.

Operation Rosehub was organized from the bottom-up on company-wide mailing lists. Employees volunteered and patches were sent out in a matter of weeks. There was no mandate from management to do this—yet management was supportive. They were happy to see employees spontaneously self-organizing to put their 20% time to good use. Some of those managers even participated themselves.

Patches were sent to many projects, avoiding threats to public security for years to come. However, we were only able to patch open source projects on GitHub that directly referenced vulnerable versions of Collections. Perhaps if the SF Muni software systems had been open source, we would have been able to bring Mad Gadget to their attention too.

Going forward, we believe the best thing to do is to build awareness. We want to draw attention to the fact that the tools now exist for fixing software on a massive scale, and that it works best when that software is open.

In this case, the open source dataset on BigQuery allowed us to identify projects that still needed to be patched. When a vulnerability is discovered, any motivated team or individual who wants to help improve the security of our infrastructure can use these tools to do just that.

By Justine Tunney, Software Engineer on TensorFlow

We’d like to recognize the following people for their contributions to Operation Rosehub: Laetitia Baudoin, Chris Blume, Sven Blumenstein, James Bogosian, Phil Bordelon, Andrew Brampton, Joshua Bruning, Sergio Campamá, Kasey Carrothers, Martin Cochran, Ian Flanigan, Frank Fort, Joshua French, Christian Gils, Christian Gruber, Erik Haugen, Andrew Heiderscheit, David Kernan, Glenn Lewis, Roberto Lublinerman, Stefano Maggiolo, Remigiusz Modrzejewski, Kristian Monsen, Will Morrison, Bharadwaj Parthasarathy, Shawn Pearce, Sebastian Porst, Rodrigo Queiro, Parth Shukla, Max Sills, Josh Simmons, Stephan Somogyi, Benjamin Specht, Ben Stewart, Pascal Terjan, Justine Tunney, Daniel Van Derveer, Shannon VanWagner, and Jennifer Winer.

Eclipse Converge & Devoxx US are three weeks away - register now

Eclipse News - Wed, 03/01/2017 - 17:31
Join us March 20-24 in San Jose for an amazing developer conference.

March 2017, “Community Choice” Project of the Month – NAS4Free

Front page news - Wed, 03/01/2017 - 06:04

For our March “Community Choice” Project of the Month, the community elected NAS4Free, an embedded storage distribution for Windows, Mac, and UNIX-like systems.

‘NAS’ stands for “Network-Attached Storage” and it is ‘4Free’ since it is free and open source. It is the simplest and fastest way to create a centralized and easily-accessible server for all kinds of data.

The NAS4Free operating system can be installed on virtually any hardware platform to share computer data storage over a computer network. It supports sharing across Windows, Apple, and UNIX-like systems and includes ZFS, software RAID (0, 1, 5), disk encryption, S.M.A.R.T. and email reports, and several different protocols/services. All this is easily managed through a configurable web interface.

NAS4Free was previously elected “Community Choice” Project of the Month in August of 2015, when the NAS4Free team spoke about the project’s developments and direction. Recently we caught up with the owner, developer and project leader of NAS4Free, Michael Zoon, to find out how the project has been doing since then.

SourceForge (SF): What significant changes have occurred with your project since you were voted Project of the Month in August 2015?
Michael Zoon (MZ): First we would like to thank all users who voted NAS4Free for project of the month again.
A vote means more than a thousand words to us. Back to the original question:
We are happy to welcome a new pleasant developer in our team. His name is Michael Schneider and he’s currently rewriting parts of the user interface and is adding improvements to the backend of the underlying operating system.

Another change since 2015 is the phase-out of 32-bit versions of NAS4Free. We took the decision with the start of the series based on FreeBSD 11.0. We do believe this is a logical step to provide the full potential of the operating system and the system hardware.

SF: Have any of your project goals changed since then?
MZ: No, our project goals have not changed in the past and we don’t have any plans to change them in the future. We would like to provide one of the best NAS software-based solutions on planet earth. We do everything to keep its footprint as small as possible. NAS4Free comes with no bloatware or adverts and does not collect and does not submit any user data or statistic information to the internet. Our hardware requirements are low in comparison to other NAS solutions. NAS4Free performs pretty well on nearly every hardware.

SF: What project goals have you achieved so far?
MZ: We are very proud of the fact that our user base is growing constantly although NAS4Free is not sponsored and not actively promoted in the news, in magazines or on the web.

SF: What can we look forward to with NAS4Free?
MZ: NAS4Free’s user interface is in the middle of a rewrite with a new framework and improvements in design. Users who upgrade their systems already noticed positive changes with every release we pull out; those changes will keep coming for a while as this task requires a lot of time and testing before they get published.

SF: Is there anything else we should know?
MZ: NAS4Free is an open source project. We have many volunteers who do all the translations on Launchpad, and other volunteers who provide support on our forum and on our IRC channel. We would like to invite everyone who is interested to become a member of the NAS4Free team. With you we can make NAS4Free even more successful.

[ Download NAS4Free ]

PL/SQL Enterprise Workbench

Date Created: Mon, 2017-02-27 18:53
Date Updated: Tue, 2017-02-28 09:27
Jan Richter, Germany, Hamburg
Submitted by: Jan Richter

The PL/SQL Enterprise Workbench integrates a powerful editor for editing PL/SQL procedures, functions and packages. All resources are file based and automatically work with the team’s installed SCM system (svn, git, etc.).

The PL/SQL Connector Builder generates Java access classes. The generated Java code is organized according to the JEE base patterns: implementation classes, transfer object classes, service interfaces and remote call service factories.

Oracle parameter types such as collection tables, collection varrays, object types, typed ref cursors, xml_type, sdo_geometry, inherited objects and more are supported. It simply prepares stored procedure calls for bulk processing and other tuning.

Have a closer look at the documentation at:

Introducing the Google Summer of Code 2017 Mentor Organizations

Google Open Source Blog - Mon, 02/27/2017 - 18:19
Today’s the day! We are excited to announce the mentor organizations accepted for this year’s Google Summer of Code (GSoC). Every year we receive more applications than we can accept and 2017 was no exception. After carefully reviewing almost 400 applications, we have chosen 201 open source projects and organizations, 18% of which are new to the program. Please see the program website for a complete list of the accepted organizations.

Interested in participating as a student? We will begin accepting student applications on Monday, March 20, 2017 at 16:00 UTC and the deadline is Monday, April 3, 2017 at 16:00 UTC.

Over the next three weeks, students who’d like to participate in Google Summer of Code should research the organizations and their Ideas Lists to explore which organizations are a good fit for their interests and skills and learn how they might contribute. Some of the most successful proposals have been completely new ideas submitted by students, so if you don’t see a project that appeals to you, don’t hesitate to suggest a new idea to the organization! There are contacts listed for each organization on their Ideas List — students should contact the organization directly to discuss their ideas. We also strongly encourage all interested students to reach out to and become familiar with the organization before applying.

You can find more information on our website, including a full timeline of important dates and program milestones. We also highly recommend all interested students read the Student Manual, FAQ and the Program Rules.

Congratulations to all of our mentor organizations! We look forward to working with all of you during Google Summer of Code 2017.

By Josh Simmons, Open Source Programs Office