Welcome to the Fediverse!

An estimated 140,000 Twitter users have declared their intention to abandon the social media platform and move to the self-hosted social networking service Mastodon. According to some industry watchers, Mastodon has been growing by more than a million users per month since Twitter was acquired by Tesla founder Elon Musk. Last month, Mastodon reported (ironically, with a tweet) that the platform had just passed the two-million active user mark, bolstering its claim to being the largest decentralized social network on the Internet.

Mastodon is definitely having a moment. Like most of our readers, I knew about decentralized social media platforms, such as Mastodon, Diaspora, Minds, and Manyverse—or I thought I did. It wasn't until I saw the farewell to Twitter tweet by James Gosling (Father of Java) last month, that I realized I wasn't as well-informed on the topic as I thought I was. Gosling's tweet conjured pleas by many of his followers to join them on Mastodon, and he later announced (again, ironically, on Twitter) that he would be moving at least some of his social media activities to that platform. His Mastodon handle is @[email protected].

Since I saw that tweet, I've been getting up to speed on decentralized social media platforms. I joined Mastodon (@[email protected]), and I will be trying others. With the fate of Twitter… let's say, uncertain… it's an apt moment for all of us who use these platforms to consider alternatives. But joining the conversation currently underway via the collection of independently hosted servers that has come to be called "The Fediverse" takes some getting used to.

Some reporters have referred to Mastodon as an "upstart" social network, but it was actually founded in 2016 by computer scientist Eugen Rochko, then 24, to provide free and open-source software for running self-hosted social networking services. Mastodon is crowdfunded and does not publish ads; as of November 2022, it was supported by just 3,500 people. Since 2021 it has been registered in Germany as a not-for-profit.

Each Mastodon server, called an "instance," is set up by an individual, and it has its own set of rules and standards of behavior. Each instance can interact with other instances in much the same way your Gmail account can send and receive messages from an Outlook or Yahoo account. If you don't want to host your own instance, you can simply join one of the existing Mastodon instances, such as Mastodon Social.

The instances collectively form a microblogging platform similar to Twitter (the posts are called "toots," unfortunately), which is likely one reason it has been attracting the first wave of disillusioned tweeters. It's worth noting that the number of Twitter users who have fully abandoned the platform so far is small compared to the chorus promising to do so. According to the authors of a recently published case study ("Challenges in the Decentralized Web: The Mastodon Case"), of the tens of thousands of Twitter users who have said they plan to move to Mastodon, just 1.6 per cent have actually quit Twitter. It's a stat that makes sense; these are uncertain times and people probably just want to save their spot in case the Musk Massacre actually turns things around.  

I'm a fan of social media. They promote knowledge sharing and community building in the high-tech world. I've learned about best practices, shifting trends, and the where-and-when of events that matter to me. I've connected with knowledgeable experts and developed long-standing relationship with kindred spirits all over the world.

I've also had to wade through the underlying swamp of misinformation, cyberbullying, and outright crime. (Be careful not to git any onya!)

I'm not sure decentralized social media platforms will make that swamp much shallower, but they could. Mastodon gGmbH, the German non-profit that develops the Mastodon software, has published a document called "The Mastodon Server Covenant," which lays out a list of content moderation guidelines to which those on its server network are strongly encourages to commit. The list, which includes things like an admonition to implement daily backups and metadata recommendations, begins with this: "Users must have the confidence that they are joining a safe space, free from white supremacy, antisemitism, and transphobia of other platforms."

Mastodon instances can impose various levels of moderation with regard to other instances, ranging from "no moderation" (which is the default), to "filtered but still accessible," "available only to users they follow," and "fully banned." And there are lots of potentially swamp-draining individual content-moderation policies. Mastodon Social, for example, prohibits "racism, sexism, homophobia, transphobia, xenophobia, or casteism," as well as "harassment, dogpiling or doxing of other users."

And yet, the essential promise of these platforms is that the absence of a central authority fosters independence, censorship resistance, ownership of personal data, and improved control over user-generated content. In the Fediverse, no single group dictates the rules to another group.

That's one of the reasons the social media platform Gab changed its software infrastructure to run on a fork of Mastodon in 2019. Wikipedia describes Gab as "…an American alt-tech microblogging and social networking service known for its far-right userbase." The operators of that network made the infrastructure change, it was reported at the time, as a way of circumventing bans by Apple and Google of Gab's smartphone app.

In an essay set for publication in the Journal of Free Speech Law sometime next year ("Moderating the Fediverse: Content Moderation on Distributed Social Media"), Alan Z Rozenshtein, associate professor of law at the University of Minnesota Law School, pointed to Gab as "a useful case study in how decentralized social media can self-police."

"On the one hand," Rozenshtein wrote, "there was no way for Mastodon to expel Gab from the Fediverse. As Mastodon’s founder Eugen Rochko explained, 'You have to understand it’s not actually possible to do anything platform-wide because it’s decentralized. . . . I don’t have the control.' On the other hand, individual Mastodon instances could—and the most popular ones did—refuse to interact with the Gab instance, effectively cutting it off from most of the network in a spontaneous, bottom-up process of instance-by-instance decision making. Ultimately, Gab was left almost entirely isolated, with more than 99% of its users interacting only with other Gab users. Gab responded by 'defederating:' voluntarily cutting itself off from the remaining instances that were still willing to communicate with it."

The response to Gab entering the Fediverse by other instances, Rozenshtein wrote, was an example of the principle of content moderation subsidiarity [italics mine].

"As the Gab story demonstrates," he explained, "the biggest benefit of a decentralized moderation model is its embrace of content-moderation subsidiarity: each community can choose its own content moderation standards according to its own needs and values, while at the same time recognizing and respecting other communities’ content-moderation choices. This is in stark contrast to the problem faced by large, centralized platforms, which by their nature must choose a single moderation standard, which different groups of users will inevitably find either under- or over-inclusive."

But as Rochko noted above, because there's a lack of a centralized Fediverse authority, there's simply no way to fully exclude even the most harmful content from the network. And Fediverse administrators aren't exactly rolling in resources.

And that's another thing that separates decentralized social networks from its better funded brethren: No sponsors, which means no dependence on advertising, which has, some would argue, corrupted the centralized platforms. The old saw, "If you can't figure out what the product is, it's you," which epitomizes those platforms, doesn't apply in the Fediverse. There's a kind of economic neutrality in this space.

To start your exploration of the Fediverse, you could do worse than Mastodon. Visit JoinMastodon.org to get the ball rolling. According to the website, the servers listed there have all committed "to specific standards of technical reliability and responsible content moderation."

Along with Mastodon, I'm going to be exploring the following list of decentralized social media platforms, in no particular order. I've included links to their home pages.

Diaspora: Launched in 2010, it's one of the oldest decentralized social media networks. It has more than a million users, it's independently run, and users own their data.

Minds: A growing platform that’s "dedicated to Internet freedom." It allows users to "speak freely, protect their privacy, earn crypto rewards, and take back control of their social media." Has more than 2 million users.

Manyverse: A free and open-source social network "without the bad stuff. Built on the peer-to-peer SSB protocol. Available for desktop and mobile.

Peepeth: An Ethereum blockchain-powered social network. Encourages "mindful engagement and positive contribution."

Steemit: Founded in 2014, it's a blockchain-based blogging and social media site. It was developed using STEEM blockchain technology.

I'm still on Twitter (@johnkwaters), for now, anyway. Love to hear what you think about all this.

Posted by John K. Waters on December 12, 20220 comments

Class-Action Lawsuit Claims GitHub Copilot is Violating Open-Source Licenses

GitHub rolled out a slew of product announcements at its annual GitHub Universe developer conference earlier this month. As we reported, expanded access for business users of its Copilot AI pair programming service generated the loudest buzz. (The company calls the new offering "Copilot for Business.")

Meanwhile, a different kind of buzz has been building about whether Copilot, which GitHub says has been trained on billions of lines of publicly-available code, is violating the legal rights of those who posted code on GitHub under open-source licenses.

On Nov. 3, a class-action lawsuit was filed in a U.S. Federal Court in San Francisco challenging the legality of this practice. Cited in the lawsuit was GitHub, its parent company, Microsoft, and their partner, OpenAI.

"By train­ing their AI sys­tems on pub­lic GitHub repos­i­to­ries (though based on their pub­lic state­ments, pos­si­bly much more) we con­tend that the defen­dants have vio­lated the legal rights of a vast num­ber of cre­ators who posted code or other work under cer­tain open-source licenses on GitHub," the complaint reads.

Specifically, the code generated by Copilot does not include any attribution of the original author, copyright notices, and/or a copy of the license, which most open-source licenses require, the complaint alleges. It also lists 11 pop­u­lar open-source licenses Copilot is potentially violating, all of which require attri­bu­tion of the author's name and copy­right, includ­ing the MIT license, the GPL and the Apache license, among others.

"Copilot ignores, violates, and removes the licenses offered by thousands—possibly millions—of software developers, thereby accomplishing software piracy on an unprecedented scale," the complaint alleges.

GitHub responded to the allegations in a statement: "We've been committed to innovating responsibly with Copilot from the start, and will continue to evolve the product to best serve developers across the globe." The company has also said it plans to introduce a new Copilot feature that will "provide a reference for suggestions that resemble public code on GitHub, so that you can make a more informed decision about whether and how to use that code," including "providing attribution where appropriate." GitHub also has a configurable filter to block suggestions matching public code.

The lawsuit was filed by the Joseph Saveri Law Firm, a San Francisco-based antitrust litigation law group, and Matthew Butterick, who is a lawyer, designer and coder, on behalf of "open-source programmers." 

Butterick, a longtime open-source advocate, expressed his concerns about GitHub Copilot this summer in a blog post entitled, "This Copilot is Stupid and Wants to Kill Me." He makes his case in some detail. (Recommended reading.)

"The fact is, since Copilot was released in its limited technical preview by Microsoft in June 2021, open-source programmers have been raising concerns about how it works," Butterick told me during a video conference. "I wrote that post because I agreed with members of the open-source community who felt that Copilot was really a device for laundering open-source licenses."

One of the points Butterick made during our conversation is that Microsoft is effectively passing the buck on this issue. Notably, on its About GitHub Copilot page, Microsoft writes, "You are responsible for ensuring the security and quality of your code. We recommend you take the same precautions when using code generated by GitHub Copilot that you would when using any code you didn't write yourself. These precautions include rigorous testing, IP scanning, and tracking for security vulnerabilities…."

"You have to ask, what are the ethics of just hoovering up all of this material and just kind of arrogating it to yourself for free?" Butterick said.

Copilot, which installs as an extension in a range of IDEs (e.g., Visual Studio, VS Code, Neovim and JetBrains), uses OpenAI's Codex, a system that translates natural language into code, to suggest code and entire functions in real time, directly from the editor. Codex is based on OpenAI's GPT-3 language model.

Its use of Codex is one of the things that makes Copilot different from traditional autocomplete tools, Butterick pointed out. Codex, which is licensed to Microsoft, makes it possible for Copilot to offer suggestions based on text prompts typed by the user. Although it can be used for small suggestions, Microsoft has touted its ability to suggest larger blocks of code, such as the entire body of a function, Butterick said.

Some have put forward the argument that Microsoft's use of code from GitHub constitutes fair use. For­mer GitHub CEO Nat Friedman claimed in a 2021 tweet:

In general: (1) training ML systems on public data is fair use (2) the output belongs to the operator, just like with a compiler.

But Bradley M. Kuhn, director of the Soft­ware Free­dom Con­ser­vancy, wrote in a February 2022 blog post:

While [Nat] Friedman ignored the community's requests publicly, we inquired privately with Friedman and other Microsoft and GitHub representatives in June 2021, asking for solid legal references for GitHub's public legal positions [for the tweeted assertions]. They provided none, and reiterated, without evidence, that they believed the model does not contain copies of the software, and output produced by Copilot can be licensed under any license. We further asked if there are no licensing concerns on either side, why did Microsoft not also train the system on their large proprietary codebases such as Office? They had no immediate answer. Microsoft and GitHub promised to get back to us, but have not.

And there have been some pointed reactions to the lawsuit.

"I've had people literally tweet that I am destroying the geopolitical order, because this lawsuit is going to be handing China an unbeatable advantage in AI," Butterick said. "It's really the opposite; I think we should have the best AI in the world. But look, I think we can agree that Spotify and Apple Music are better than Napster. Once we get through this 'Napster phase' of AI, we're going to bring creators to the table, and we're going to make it work for them. And the next generation of these tools is going to be much better."

The attorneys at the Joseph Saveri Law Firm noted in a press release that this is a potentially history-making lawsuit: "This lawsuit constitutes a critical chapter in an industry-wide debate regarding the ethics of training AI tools with data sourced without permission from its creators and what constitutes a fair use of intellectual property. Despite Microsoft's protestations to the contrary, it does not have the right to treat source code offered under an open-source license as if it were in the public domain."

Butterick believes this is the first class-action case in the United States chal­leng­ing the train­ing and out­put of AI sys­tems. He believes it will not be the last. On his blog, he wrote: "AI sys­tems are not exempt from the law. Those who cre­ate and oper­ate these sys­tems must remain account­able. If com­pa­nies like Microsoft, GitHub, and OpenAI choose to dis­re­gard the law, they should not expect that we the pub­lic will sit still. AI needs to be fair & eth­i­cal for every­one. If it's not, then it can never achieve its vaunted aims of ele­vat­ing human­ity. It will just become another way for the priv­i­leged few to profit from the work of the many."

Posted by John K. Waters on November 22, 20220 comments

Java has a 'Commanding Lead' with App Log Data

New Relic just released its 2022 State of Logs Report, which captured the data gathered from millions of applications within the New Relic observability platform to provide an in-depth look at the use and management of logs.

The publication of a report on log data stats is not the sexiest tech news to cross my desk, but amid the Sturm und Drang of the current landscape the report's authors offer some appealingly quotidian insights into an activity that is, let's face it, critical to every business in every industry.

"With proper management and practices in place, logs have the power to help software engineers optimize the performance of systems and operations, identify and resolve technical issues, better manage resources, and strengthen security," the report's authors observed.

The report is based on petabytes of data gathered from millions of applications within the New Relic observability platform. The data was drawn entirely from applications reporting to New Relic in July 2022 and August 2022. The company anonymized and "coarse-grained" the data to provide a general overview of how logs are used and managed. "Any detailed information that could help attackers and other malicious parties was deliberately not included in the report," the authors stated.

The stat that caught my eye, of course, was this one: "When examining popularity around languages, the data shows that 50% of all logs ingested by language agents comes from Java. Java has a commanding lead over .Net (26%), Ruby (21%), Node.js (2%), and Python (0.1%)."

But the report is packed with insights into other log-related activities. For example, the authors noted a 35% year-over-year increase in logging data in general, along with a concomitant need among engineers to have access to that data.

"As the volume of log files grows, a trend is emerging with software engineers wanting to have log data available in one place to speed up the time to detecting and responding to transactions, errors, and security incidents," the report's author stated. "The practice of centralized log management was created out of the frustration and time commitment felt from software engineers in examining thousands of log files across a number of sources to pinpoint and resolve incidents. Even for relatively small companies, managing multiple logging sources and tools becomes increasingly complex, creating information silos and data that is not always adequately parsed or accessible."

Notably, Fluent Bit, the open-source logging and metrics processor and forwarder, emerged as the most used open-source tool for logs. NGINX was the most common type of log. And Firehose will soon be the de facto log forwarder for AWS serverless users.

Much more in the report, which is well worth reading New Relic also published an annual "State of the Java Ecosystem." More on that report in my next post.

Posted by John K. Waters on October 16, 20220 comments

Popular Previews and Incubating Features: Java 19 Now GA

Oracle today announced the general availability of version 19 of the Java Development Kit (JDK 19), and though it's not a long-term support (LTS) release, the latest version of the reference implementation of the Java SE platform comes with a bundle of previews and incubating features that make this short-term release well worth a look.

On schedule with the accelerated, six-month release cadence Oracle announced in 2017, JDK 19 includes seven JEPs (JDK Enhancement Proposals), only one of which is final. The list includes:

JEPs are similar to the JSRs (Java Specification Requests) of the Java Community Process (JCP), but they don't replace them. JCP approval is still required for changes in the Java API and/or language.

I talked with Georges Saab, senior vice president of development in Oracle's Java Platform group and chair of the OpenJDK Governing Board about this release. The faster release cadence is almost universally praised, and I understand that you can't release a ton of enhancements every six months, but I had to ask, do four previews and two incubating features justify even a short-term release?

"It's in keeping with the fact that you don't get these big-bang releases that you used to get," Georges Saab told me during a Zoom call. "Releases that you'd have to live with for years and years. You might look at a particular releases and find that maybe there's not that much there. But when you look at this body of work over multiple releases, you see a kind of story arc that makes sense. You see a throughput of features you get access to, faster, and which, because of the preview, you've been able to provide feedback on."

That story arc is evident in this release. You could even say that the JEPs are essentially chapters in longer "narratives," such as OpenJDK's Project Amber. The goal of that project is "to explore and incubate smaller, productivity-oriented Java language features that have been accepted as candidate JEPs." Two of the previews in this release—Record Patterns and Pattern Matching for switch—aim to deliver language improvements for Amber.

Project Panama gets two chapters with the preview of Foreign Function and Memory API and the fourth incubator version of Vector API. Panama is all about improving and enriching the connections between the Java virtual machine and well-defined non-Java APIs, including many interfaces commonly used by C programmers.

Project Loom also gets two chapters with the previews of Virtual Threads and Structured Concurrency. The main goal of Loom is to support a high-throughput, lightweight concurrency model in Java by exploring and incubating JVM features for the implementation of lightweight, user-mode threads or fibers—thus the project's name.

The seventh JEP in this release, Linux/RISC-V Port, "sets the stage" for easier Linux/RISC-V implementations by integrating this port into the JDK main-line repository.

Another OpenJDK project to which features will be added over multiple releases, Project Valhalla, was left out of this episode. (Call it a cliffhanger.) Valhalla is focused on augmenting the Java object model with value objects and user-defined primitives, combining the abstractions of object-oriented programming with the performance characteristics of simple primitives.

This small-yet-potentially-mighty release got the nod from IDC analyst Arnal Dayaratna. "Java developers are increasingly seeking tools to help them efficiently build highly functional applications for deployment in the cloud, on-premises, and in hybrid environments," he said in a statement. "The enhancements in Java 19 deliver on these requirements and illustrate how the Java ecosystem is well-positioned to meet the current and future needs of developers and enterprises."

Posted by John K. Waters on September 20, 20220 comments

Lightbend Changes Licensing Model for Akka Amid Accusations of 'Cakeism'

Lightbend, the company behind the Scala JVM language and developer of the Reactive Platform, is changing the license on its Akka technology from Apache 2.0 to the BSL v1.1 (Business Source License), starting with Akka v2.7, which is set for release in October.

Under the new licensing model, companies with an annual income of less than $25m will not be required to pay license fees for production usage of Akka, though a $0 commercial license must still be granted by Lightbend, the company says. Organizations with annual revenue exceeding $25m will be required to pay for a license plus a subscription for production usage. Back-porting of any software released under the new license is not permitted.

Previously available via an open-core license, Akka is a toolkit for building highly concurrent, distributed, and resilient message-driven applications for Java and Scala. Akka has spread far and wide since Swedish programmer Jonas Bonér (now the company's CEO) pushed out the first public release back in 2009. The company now includes some big names on its Akka user list, including Apple, Disney, GM, HPE, Norwegian Cruise Lines, Starbucks, and Tesla.

More than a few in the open-source community were not happy to hear about this decision. When the licensing change was announced, accusations of "cakeism" began appearing on social media (as in, "they want to have their cake and eat it, too"), along with assertions that this and other companies implementing similar license adjustments could no longer claim to be true open-source vendors.  

But this seems to have been a pragmatic decision by the company to address an existential moment for this enormously popular project that goes beyond ideology.

"We have decided to change Akka’s license to ensure a healthy balance between all parties, shared responsibility, and, by extension, contribute to Akka’s future development," Bonér said in a blog post. "This will enable Akka to remain at the forefront of building innovative solutions that are used by many globally recognized brands to build and run some of their most business-critical applications."

I talked with Lightbend EVP Brad Murdoch about the new licensing scheme. "Akka is an old project by open-source standards," he told me. "More and more organizations have gotten very comfortable with the idea that they can use this infrastructure and just not pay anything for it. We've had an open-core model and we've generated revenue by adding commercial software and services around the core product, but we've reached a point where there's too great a mismatch between the importance of the software and the users' willingness to invest in it."

The BSL was developed by the creators of the MariaDB relational database management system, David Axmark and Michael Widenius, to provide a "mutually beneficial balance between the user benefits of true Open Source software that is free of cost and provides open access to all of the product code for modification, distribution, etc., and the sustainability needs of software developers to continue delivering product innovation and maintenance," the company's website reads.

As Lightbend is implementing it, the BSL unfolds in two stages:

  1. Commercial: Software is viewable (source available), downloadable, and usable in non-production environments. Production usage requires a software license from Lightbend.
  1. Open-source: After three years, the source for that version will be released under the current Apache 2.0 license. A customizable "additional use grant" is also available, which allows usage for other open-source software (such as Lightbend's Play Framework).

The Apache 2.0 license is a "permissive" (as opposed to "copyleft') open-source, license written by the Apache Software Foundation. It allows licensees to use of the software for any purpose, distribute it, modify it, and distribute modified versions of it under the terms of the license, without paying royalties.

Lightbend has been briefing its customers quietly about the new licensing plan for a few weeks, and Murdock says the feedback has been "pretty balanced."

"There have been people who are up in arms, calling us a traitor to open-source," he said. "But there are others who recognize that there will be no Akka without engineers to pay to work on it, because it doesn't just happen magically."

"There has to be a model for sustainable open-source, and whether this is the right one or not, I can't speak for the industry," he added. "But we had to find a model that allowed us to monetize the software that people are using to run the world. We want to be able to invest in the future of Akka, and we looked at a number of different licenses, and the BSL fit the situation best."

Posted by John K. Waters on September 8, 20220 comments

Microsoft Amps up its Support for Java Developers with a New Website

Microsoft today announced the launch of a new website designed to provide Java developers with a new level of support in the form of tools and resources that enable them to code, deploy, and scale their apps more productively.

The website is another brick in the foundation of support for Java developers that Microsoft has been building over the last couple of years (which my colleague, David Ramel, has been tracking quite diligently in Visual Studio Magazine.) The new site is chock-a-block (pun intended) with content and links to technical documentation, learning paths, and on-demand videos from Microsoft conferences and its Java Cloud Developer Advocacy team.

The list of resources provided by the site includes:

  • Documentation, videos, and samples designed to help Java developers build and scale efficiently on Microsoft Azure and other operating systems
  • A PDF that outlines how to code, deploy, and scale Java development meant to empower developers to use any tool, framework, and/or application server on any operating system
  • A white paper that illustrates best practices from Microsoft on how the company itself uses Java, including significant parts of its business.

"Many people are surprised to learn that we’re using Java to run significant parts of Microsoft," wrote Julia Liuson, President of Microsoft's Developer Division, in a blog post, "and to empower thousands of customers to do the same."

Liuson pointed out that Bing, Microsoft’s web search engine, which also powers the search feature in the Windows Start menu, uses Java to perform indexing-related functions. She also cited Azure’s infrastructure control plane and other divisions, such as LinkedIn, Minecraft, and Yammer, that use Java extensively. And Microsoft has deployed more than two million Java virtual machines (JVMs) for the company's "internal systems and business needs," she said.

As I reported in July, Microsoft joined two working groups in the Eclipse Foundation this year: the Jakarta EE Working Group, which focuses on the overall evolution of enterprise Java, and the MicroProfile Working Group, which focuses on optimizing enterprise Java for a microservices architecture. Microsoft also supports several other Java community organizations, including OpenJDK, and Eclipse Adoptium, Jakarta EE, and the venerable Java Community Process. And in 2019, it acquired leading Java app optimizer jClarity.

Redmond has partnered with a truly impressive number of leading vendors in the Java ecosystem. Azure Spring Apps, for example, was developed jointly with Pivotal /VMWare to provide native integrations with third-party application performance monitoring (APM) tools from New RelicApp DynamicsDynatrace, and Elastic. Microsoft's list of jointly developed solutions also includes Red Hat JBoss EAP on Azure App ServiceWebSphere Application Server, WebSphere Liberty, and Open Liberty on Azure, Oracle WebLogic Server on Azure VMs and Azure Kubernetes Service, and Apache Kafka for Confluent Cloud. The has also attracted marquee names to Java on its Azure cloud platform, including  AdobeAIABoschDaimlerFedExJ.B. HuntKrogerMaerskMercedes Benz, and Swiss Re
The new website also links to an ebook entitled Code, Deploy, And Scale Java Your Way: Empowered Java Application Development in The Cloud. It's about building, migrating, and scaling Java apps on Azure. In the foreword, the author, Asir Selvasingh, a Principal Architect for Java on Microsoft Azure, writes: "I have witnessed Microsoft’s commitment to the Java ecosystem from the first row consistently for many years now…. Today, more and more Java developers are looking at how they can bring their existing Java applications to the cloud, or at how to build new cloud-native applications. This e-book covers the entire journey for developers and operators to code, deploy, and scale with confidence." (The author is worth following on Twitter.)

Another ebook linked to the site, How Microsoft Applies Java: The Inside Story, was written by Bruno Borges, Principal PM Manager in Microsoft's Java Engineering Group, and Theresa Nguyen, Senior Product Manager in that group. It's a great timeline of Microsoft's evolution from days of the Holy War on Anything Not .NET or Windows to its all-in embrace of open-source technologies.

Microsoft's commitment to Java has been real for some time, so that's not actually news, but I do think this latest step in the company's evolving investment in Java is worth reporting—and for you Java jocks out there, the website is worth a look.


Posted by John K. Waters on August 30, 20220 comments

Survey Says: 'Python Going Through the Roof'

I haven't reported on the TIOBE Index in a while, but that headline is a real attention grabber. Since 2001, TIOBE Software has published the results of its monthly search for the languages in which the most lines of code were written. And year after year, Java and C++ have topped the list—but not always, and when they don't, obituaries for these two venerable languages spread like crabgrass.

Which is crazy. The enterprise is effectively running on Java, and… okay, C++ is pretty long in the tooth, but it's been around for 40-plus years, which means, currently generating new lines of code or not, there are millions of programs out there written in C++.

And the rising popularity of Python is not exactly news. It's an interpreted, high-level, general-purpose programming language that's easy to learn, so it's the go-to language taught in beginning computer programming courses in high school. And its readability, extensibility, and maintainability have made it a popular second or third language for the pros.

But it is worth noting that Python ranked No.1 in the TIOBE Index for August with an all-time high of 15.42%. Paul Jansen, CEO TIOBE Software, has described Python as "unstoppable."

"It is hard to find a field of programming in which Python is not used extensively nowadays," Jansen wrote in the intro to the latest index. "The only exception is (safety-critical) embedded systems, because of Python being dynamically typed and too slow."

In a previous posting, Jansen offered his theory about the spread of Python. "I believe that Python's popularity has to do with general demand," he wrote. "In the past, most programming activities were performed by software engineers. But programming skills are needed everywhere nowadays and there is a lack of good software developers. As a consequence, we need something simple that can be handled by non-software engineers, something easy to learn with fast edit cycles and smooth deployment. Python meets all these needs."

The TIOBE Index ratings are based on the number of skilled engineers worldwide, language courses, and third-party vendors, the company says. TIOBE uses 25 search engines to collect key words from the highest ranked websites of Web traffic monitor Alexa and calculates the most lines of code written in a given month to determine its percentage share of developers' attention. Google, Bing, Yahoo!, Wikipedia, Amazon, YouTube, and Baidu are all used to calculate the ratings.

Since the last TIOBE Index posting, Swift and PHP swapped places at No. 10, Rust is getting close to the top 20, and Kotlin returns to the top 30. Google's new experimental replacement for C++, called Carbon, entered the TIOBE Index at No. 192. C came in behind Python at 14.59%, up 2.03%. It was followed by Java at 12.40%, up 1.96%, C++ at 10.17%, up 2.81%, and C# at 5.59%, up 0.45%.

I do think the Index can be useful if you want to get a quick read on whether your programming skills are still up to date, and if you look at a few of them (the company publishes old ratings) they might help  with a strategic decision about which programming language should be adopted when starting to build a new software system.

A detailed definition of the TIOBE Index can be found here.


Posted by John K. Waters on August 24, 20220 comments

Spring Authorization Server Set for November GA

The Spring Security team says it will release version 1.0 of its long-in-the-works Spring Authorization Server in November of this year.

The new authorization framework, which was announced in April 2020, provides implementations of the OAuth 2.1 and OpenID Connect 1.0 specifications and other related specs. It's built on top of Spring Security, which is a highly customizable authentication and access-control framework. The result, say the project's leaders, is a secure, light-weight, and customizable foundation for building OpenID Connect 1.0 Identity Providers and OAuth2 Authorization Server products.

This version of the framework will come with a full feature set (it's a long list), and the APIs have stabilized and matured since the project was launched, said Joe Grandja, Spring Security senior engineer, in a blog post. " A lot of effort and care was put into this project to ensure that it can grow and adapt over the next few years," he wrote.

Spring Authorization Server 1.0 will be based on Spring Security 6.0, which will be based on Spring Framework 6.0 (it takes a village). It will require a minimum of Java 17 at runtime, as well as a minimum of Tomcat 10 or Jetty 11 (for Jakarta EE 9 compatibility). Also, this release will inherit the VMware Tanzu OSS support policy Commercial support, which offers an extended support period, is also available from VMware.

When the project was first announced, the team was careful to give credit where credit was due regarding the projects Spring Authorization Server would effectively be replacing:

"Almost a decade ago, we brought in a community-driven, open-source project, Spring Security OAuth, and made it part of the Spring portfolio of projects," Rob Winch, Spring Security project lead, wrote in a blog post at the time. "Since its inception, it has evolved into a mature project that supports a large portion of the OAuth specification, including resource servers, clients, login, and the authorization server. It is no wonder that it has become the basis for UAA, which, among other things, acts as the identity management service for all Cloud Foundry installations. The Spring Security OAuth project has become a model project and is a testament to what our wonderful community can accomplish."

The need for the new framework emerged gradually. As Winch explained, the original support for OAuth open-standard authorization protocol was provided very early, and the team could not have anticipated the myriad ways in which it would need to be used. With the new framework, the team was able to address the needs of the entire Spring portfolio and provide a single cohesive OAuth library, Winch explained

The Spring Security team has posted the release schedule for the Spring Authorization Server on GitHub.

"Over the next couple of months, we will focus on fine-tuning the public APIs and enhancing the configuration model to allow for easier configuration and greater extensibility," Grandja said. "We will also make some minor API changes, resulting in breaking changes, which may require updates to consuming applications."

The Spring Framework continues to be one of the most popular programming and configuration models for building modern Java-based enterprise applications on any type of deployment platform. It's an open-source, layered Java/J2EE framework based on code published in SpringSource founder Rod Johnson's book Expert One-on-One Java EE Design and Development (Wrox Press, October 2002).

Posted by John K. Waters on August 22, 20220 comments

Microsoft Joins Eclipse Jakarta EE and MicroProfile Working Groups

Microsoft boosted its support for Java developers yet again this week by expanding its participation in the Eclipse Foundation to include memberships in two working groups: the Jakarta EE Working Group, which focuses on the overall evolution of enterprise Java, and the MicroProfile Working Group, which focuses on optimizing enterprise Java for a microservices architecture.

"Our goal is to help advance these technologies to deliver better outcomes for our Java customers and the broader community," said Julia Liuson, president of Microsoft's Developer Division, in a blog post. "We’re committed to the health and well-being of the vibrant Java ecosystem, including Spring (Spring utilizes several key Jakarta EE technologies)."

Joining these working groups complements the company's participation in the Java Community Process (JCP) "to help advance Java SE," Liuson said, adding, "We believe our experience with running Java workloads in the cloud will be valuable to the working groups, and we look forward to building a strong future for Java together with our customers, partners, and the community."

Eclipse working groups provide the governance structure for Eclipse projects, making it possible for organizations—even competitors—to collaborate on new technology development. The working groups provide a set of basic services, including intellectual property management and licensing, development processes, IT infrastructure, and ecosystem development.

Microsoft has been a member of the Eclipse Foundation since 2016, when it joined as a Solutions Member. The company became a Strategic Member in 2021. Among other privileges, Strategic Members have a seat on the foundation's board of directors, its architecture council, and expanded board voting rights on key aspects of the Eclipse ecosystem, including licensing, governing policy development, and amendments to membership agreements and bylaws.

"Microsoft has warmly embraced all things Java across its product and service portfolio, particularly Azure," said the foundation's executive director, Mike Milinkovich, in a statement. "Its enterprise customers can be confident that they will be actively participating in the further evolution of the Jakarta EE specifications, which are defining enterprise Java for today's cloud-native world."

Microsoft has been investing in its support for Java and related technologies for a number of years, including Jakarta EE, MicroProfile, and Spring technologies on Azure in collaboration with its strategic partners. With Red Hat, for example, the company built a managed service for JBoss EAP on the Azure App Service, Liuson noted. Redmond is also collaborating with Red Hat to enable solutions for JBoss EAP on Virtual Machines (VMs) and Azure Red Hat OpenShift (ARO). Working with VMware, Microsoft jointly develops and supports Azure Spring Apps, a fully managed service for Spring Boot applications. And with Oracle and IBM, the company has been building solutions for customers to run WebLogic and WebSphere Liberty/Open Liberty on VMs, Azure Kubernetes Service, and ARO (WebSphere).

"It is great to see Microsoft officially join both MicroProfile and Jakarta EE, as they'd been informally involved in these efforts for a long time," said Mark Little, vice president of the Software Engineering group at Red Hat, in a statement. "I hope to see Microsoft's participation bring experience from their many users and partners who have developed and deployed enterprise Java applications on Azure for several years."

The Eclipse Foundation announced the released the first Jakarta EE specification in August 2019, almost exactly two years after Oracle declared its intention to transfer the responsibility for enterprise Java to that open-source standards organization.

Posted by John K. Waters on July 14, 20220 comments