Commonly used devices and software will benefit from performance improvements — such as fewer crashes, increased battery performance, and more up-to-date security patching — if a new feature in one of the world's most popular software development tools gains widespread adoption and traction.
GitHub, which builds a product that rivals Australian golden child start-up Atlassian's Bitbucket software development platform, unveiled a suite of new features that will make the internet safer and software developers' lives less stressful at its GitHub Universe 2017 conference on Wednesday in the United States (Thursday morning Australian time).
While many features will not be of interest to mainstream consumers, one will be.
Called the "dependency graph", it ensures thatdevelopers whose code is dependant on other, open source projects are given the chance to update their work immediately whenever a security breach, bug or performance issue is uncovered.
This will ensure that any performance improvements made in open source code will be reflected in a developer's own software.
Such performance improvements can (and often do) lead to better battery performance on hardware such as tablets, laptops, and smartphones, such as the iPhone.
For software more specifically, it can lead to apps running faster and crashing fewer times.
Programs on desktops, such as Firefox or Chrome, and apps on smartphones, such as Snapchat and Tinder, could get speed bumps and security updates much faster as a result.
At present, developers often rely on as many as 100 other "open source" projects in their own code, leading to a reliance on those other projects keeping their code secure and optimised for performance. Open source projects are "repositories" of code where people donate their own time to contribute code for free.
But given many companies and start-up founders of apps don't conduct what's called a "code review", whereby code is examined for flaws and annoying bugs, this often leads to an over-reliance on code that hasn't had more than two sets of eyes go over it. Sometimes only a single person might ever inspect code that will be used by millions.
This is where security flaws, bugs and performance issues are often introduced, not deliberately, but unintentionally or through laziness or lack of time.
In 2014, for example, a security flaw dubbed "Heartbleed" was discovered in OpenSSL, a widely used encryption software that was depended upon in hundreds of thousands of the world's machines, such as web servers, and software, such as in iPhones. The flaw was labelled a "big deal" by security experts, who said at least 117,000 web servers were running vulnerable versions of OpenSSL.
The line that caused all the trouble? It was introduced by Robin Seggelmann, an open source contributor who was accused of being a spy. Dr Stephen Henson, a UK consultant on OpenSSL, reviewed the code and also missed the flaw, demonstrating that there are not always a great number of eyes trained on the open source community's software projects, which are used in many of the world's products.
Upon disclosure of the Heartbleed flaw, the race to fix it was messy, with many developers having to figure out how to fix their code on the same day as the disclosure, and then having to commit changes and deploy an update to users of their software. If those developers did not fix their code quick enough, they left users of their software open to malicious actors potentially exposing their personal data by breaching their servers or software. The Canadian tax office was one victim that didn't patch fast enough, with a Canadian teen caught using the flaw to steal tax data.
Google, who employed a staff member who found the Heartbleed flaw, was accused of playing favourites over who it notified about the flaw prior to public disclosure.
Many so-called "orphan" open source projects — where developers abandon updating their software but it remains in use — remain unpatched from Heartbleed today.
GitHub's "dependency graph" aims to address many of the problems outlined, but not all of them, by allowing developers of open source projects to alert all users of their code when security or bug-killing changes are made.
There's one catch, however: those programmers all need to be using GitHub. If they're using a rival, such as Atlassian's Bitbucket, they won't be alerted.
However, a spokesperson for GitHub told Fairfax Media it was hoping to partner with its rivals, such as Atlassian, to ensure apps are made more secure, as well as the software and servers that the internet relies upon. It has shared an application programming interface, or API, to make this frictionless between companies.
GitHub is also making it far easier for developers to update their dependencies in almost real-time and at the press of a button after a flaw is discovered. This will only work, however, if their code has been written in a structure that lends itself to being friendly to an algorithm, machine learning, and artificial intelligence determining how to correctly patch lines of code without breaking it in other sections that do not need to be touched.
As well as using developer data it has collected over the past decade when it started in 2007, GitHub utilises nascent machine learning and artificial intelligence technology to do this.
GitHub also unveiled a vision of the future where it would act as a virtual assistant to developers, making recommendations to them about better ways they might consider writing their code.
Like Microsoft's infamous 'Clippy' helper, but hopefully less annoying, GitHub might notice when a user is writing something in four lines of code when it knows that another user has solved the same problem in under two lines. When it sees this, it could then recommend, for instance, that the developer code that portion of their project it in the more optimised way.
The author travelled to San Francisco as a guest of GitHub.
0 comments
New User? Sign up