Microsoft has found that approximately 70 percent of the security vulnerabilities it addresses are due to memory safety issues. To make it easier to write safer code, the company is developing a language designed for safe infrastructure programming.
Due to be open-sourced soon, the first version of the new language, called Project Verona, incorporates three core ideas:
- Data-race freedom, which gives up concurrent, arbitrary mutation to enable scalable memory management with temporal safety without global synchronization.
- Concurrent owners, which provides a new concurrency model that offers lightweight, asynchronous coordination of resources.
- Linear regions, with the ownership model based on groups of objects. This differs from the memory-safe Rust language, whose ownership model is based on a single object, Microsoft explained. In Verona, memory management strategies are chosen per region. Also featured is compartmentalization for legacy components.
Verona explores compartmentalization at the language design level. In Verona, threads access regions, and any region can be accessed by only one thread at a time. Each region has a single linear entry point, and regions can be nested within other regions. A shared immutable region holds objects that are never mutated.
Earlier this week, two Python libraries containing malicious code were removed from the Python Package Index (PyPI), Python’s official repository for third-party packages.
It’s the latest incarnation of a problem faced by many modern software development communities, raising an important question for all developers who rely on open source software: How can you make it possible for people to contribute their own code to a common repository for re-use, without those repos becoming vectors for attacks?
By and large, the official third-party library repositories for languages run as open source projects, like Python, are safe. But malicious versions of a library can spread quickly if unchecked. And the fact that most such language repositories are overseen by volunteers means that only so many eyes are on the lookout and contributions don’t always get the scrutiny needed.
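Since contributions to repositories like PyPI do not always get the scrutiny they need, one thing a consuming project can do is apply its own checks to the dependency manifest before anything is installed. The script below is an added example, not code from the article or from the PyPI project: it reads a requirements.txt-style manifest and flags entries that are not pinned to an exact version with a sha256 `--hash`, entries that are not on a reviewed allowlist, and names that closely resemble an allowlisted package (the kind of near-miss that would warrant a second look before a pull-through). The `KNOWN_GOOD` allowlist, the sample manifest and the hash values are constructed for the example.

```python
"""Pre-install checks for a requirements.txt-style dependency manifest.

Added example (not from the article). The allowlist, sample manifest and
hash values below are constructed; replace them with your own reviewed list.
"""
import re
from difflib import SequenceMatcher

# Constructed allowlist: package names the project has reviewed and accepts.
KNOWN_GOOD = {"requests", "numpy", "urllib3", "cryptography", "pyyaml"}

# Matches "name" optionally followed by a version specifier such as ==1.2.3.
REQ_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)\s*"
    r"(?P<spec>(==|>=|<=|~=|!=|<|>)\s*[^\s;#\\]+)?"
)
# pip's hash-checking form: --hash=sha256:<64 hex digits>
HASH_RE = re.compile(r"--hash=sha256:[0-9a-f]{64}")


def normalize(name):
    """PEP 503 name normalisation: lowercase, runs of -_. collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def nearest_known(name, threshold=0.85):
    """Return (allowlisted_name, ratio) when `name` is a near miss of an
    allowlisted name (similar but not identical), otherwise None."""
    n = normalize(name)
    best, best_ratio = None, 0.0
    for known in KNOWN_GOOD:
        ratio = SequenceMatcher(None, n, normalize(known)).ratio()
        if ratio > best_ratio:
            best, best_ratio = known, ratio
    if best is not None and best_ratio >= threshold and normalize(best) != n:
        return best, best_ratio
    return None


def check_requirements(text):
    """Return a list of (line_no, name, finding) tuples for a manifest."""
    known_normalized = {normalize(k) for k in KNOWN_GOOD}
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank line, comment, or a pip option line such as -r
        m = REQ_RE.match(line)
        if not m:
            findings.append((lineno, line, "unparseable requirement"))
            continue
        name = m.group("name")
        spec = m.group("spec") or ""
        if not spec.startswith("=="):
            findings.append((lineno, name, "not pinned to an exact version"))
        if not HASH_RE.search(line):
            findings.append((lineno, name, "no sha256 --hash pin"))
        if normalize(name) not in known_normalized:
            near = nearest_known(name)
            if near:
                findings.append((lineno, name, f"not on allowlist; resembles '{near[0]}'"))
            else:
                findings.append((lineno, name, "not on allowlist"))
    return findings


# Constructed sample manifest: one clean entry, one unpinned entry,
# one near-miss of an allowlisted name, and one unknown package.
SAMPLE = "\n".join([
    "# constructed sample manifest",
    "requests==2.22.0 --hash=sha256:" + "0" * 64,
    "numpy>=1.17",
    "reqeusts==1.0.0",
    "leftpad==1.0.0 --hash=sha256:" + "f" * 64,
])

if __name__ == "__main__":
    for lineno, name, finding in check_requirements(SAMPLE):
        print(f"line {lineno}: {name}: {finding}")
```

The hash and exact-version checks reproduce what `pip install --require-hashes` enforces at install time, but running them in review lets a maintainer reject the change before a new or modified artifact is ever fetched; the allowlist and near-miss checks add the human scrutiny step that a volunteer-run index cannot guarantee.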
Led by Tim Berners-Lee’s World Wide Web Foundation, more than 160 organizations including Google and Microsoft have officially launched the Contract for the Web, a pledge to deal with challenges facing the web including threats to online privacy and security and unequal access and service quality.
The contract, described as a global action plan, is intended to guide the digital policy agendas of governments and the decisions of companies building web technologies. Featured are nine principles, three each for governments, companies, and individuals. For governments, the principles include: