SourceForge Tightens Security With Malware Scans Slashdot by whipslash on opensource at January 1, 1970, 1:00 am (cached at May 17, 2016, 11:35 pm)

Christine Hall at FOSS Force reports: It appears as if the new owners at SourceForge are serious about fixing the mistakes made by the site's previous owners. FOSS Force has just learned that as of today, the software repository used by many free and open source projects is scanning all hosted projects for malware. Projects that don't make the grade will be noticeably flagged with a red warning badge located beside the project's download button. According to a notice posted on the SourceForge website this afternoon, the scans look for "adware, viruses, and any unwanted applications that may be intentionally or inadvertently included in the software package." Account holders with projects flagged as containing malware will be notified by SourceForge. In today's announcement, SourceForge said that a thousand or so of the site's most popular projects [representing 84% of all SourceForge traffic] have so far been scanned, with scans continuing to eventually include "every last project, even dating back years." As the site hosts somewhere around 500,000 projects, this first scanning is expected to take several weeks. The company also says that beginning immediately, all new projects will be scanned during the uploading process. This latest move is in keeping with promises made to the community when the new owners, SourceForge Media, took control of SourceForge and Slashdot on January 28, 2016.


Are Afghanistan's Hazaras marginalised? AL JAZEERA ENGLISH (AJE)(cached at May 17, 2016, 11:30 pm)

Thousands from ethnic minority accuse Kabul government of cutting them out of a power-transmission-line project.
Should Trump worry about a third party candidate? AL JAZEERA ENGLISH (AJE)(cached at May 17, 2016, 11:30 pm)

Despite a lot of talk about a third party run against Donald Trump, it seems implausible a candidate will be ready.
U.S. banks push SWIFT to boost security after hacks: Bloomberg (Yahoo Security) SANS ISC SecNewsFeed(cached at May 17, 2016, 11:30 pm)

Brawl breaks out in South Africa parliament AL JAZEERA ENGLISH (AJE)(cached at May 17, 2016, 11:00 pm)

President Zuma calls for decorum in assembly after forcible removal of opposition MPs who tried to prevent his address.
At the cost of security everywhere, Google dorking is still a thing (ArsTechnica) SANS ISC SecNewsFeed(cached at May 17, 2016, 11:00 pm)

Engineer Charged With Stealing Medical Device Trade Secrets (InfoRiskToday) SANS ISC SecNewsFeed(cached at May 17, 2016, 11:00 pm)

It's Trivially Easy To Identify You Based On Records of Your Calls and Texts Slashdot by manishs on privacy at January 1, 1970, 1:00 am (cached at May 17, 2016, 10:36 pm)

Reader erier2003 shares an article on Daily Dot: Contrary to the claims of America's top spies, the details of your phone calls and text messages -- including when they took place and whom they involved -- are no less revealing than the actual contents of those communications. In a study published online Monday in the journal Proceedings of the National Academy of Sciences, Stanford University researchers demonstrated how they used publicly available sources -- like Google searches and the paid background-check service Intelius -- to identify "the overwhelming majority" of their 823 volunteers based only on their anonymized call and SMS metadata. The results cast doubt on claims by senior intelligence officials that telephone and Internet "metadata" -- information about communications, but not the content of those communications -- should be subjected to a lower privacy threshold because it is less sensitive. Contrary to those claims, the researchers wrote, "telephone metadata is densely interconnected, susceptible to reidentification, and enables highly sensitive inferences." IEEE has more details.


Responder Chain Followup inessential.com at January 1, 1970, 8:00 am (cached at May 17, 2016, 10:32 pm)

Joe Groff reminded me that checking for protocol conformance is Swift’s respondsToSelector equivalent:

protocol RespondsToCopy { func copy() }
if let copier = responder as? RespondsToCopy {
  return copier.copy()
}

And, later, Ölbaum asked:

Wow, so all this fuss around lack of performSelector in Swift is just about laziness to use protocols?

My terse — and jerky, because it was the morning — answer was “No.” This post is the longer answer that the questioner deserves.

Let’s Do This Thing with This Thing

Take it from the top.

You’re in IB wiring up a menu item or button to First Responder. You set the selector as copy: — or, better yet, because I think people may get confused by using a common command, let’s say the selector is goFishing:.

To make this work with protocols instead of respondsToSelector, you then also type in a protocol name: RespondsToGoFishing. Or maybe the responder chain automatically generates that protocol name based on the selector. (Either way.)

In your code you define a RespondsToGoFishing protocol (as in the first line in Joe’s example above) and implement it in the various classes that can goFishing.

Then, after you’ve launched the app, you tap the button or choose the menu item. The responder chain walks its hierarchy, looking for the correct implementor.

What does the responder chain code have at this moment? Four things: a responder hierarchy, the sender (menu item, button, etc.), a reference to a protocol, and a selector.

(Let’s assume that some previous machinery turned the typed-in protocol name and selector from a string into more-usable types. Which assumes some kind of protocolFromString and selectorFromString methods, or some form of compilation.)

So the responder chain code looks something like this:

if let actionImplementor = responder as? protocolReference.Self {
  actionImplementor.performSelector(selector, withObject: sender)
}

(I’m never sure if it’s Self or what. The above may not be strictly correct. But you get the idea.)

Conceptually this is not much different from the Objective-C version — the main difference is that it adds an entity (a protocol) which wasn’t previously needed. But I’m cool with that. (Maybe. It means adding a whole bunch of protocols — possibly one for every action method.)

For reference, here’s the Objective-C version:

if ([responder respondsToSelector:selector]) {
  [responder performSelector:selector withObject:sender];
}

That’s fine, that totally works, but…

The point of my previous article was to imagine a responder chain written in Swift minus the Objective-C runtime.

So the above solution — with actionImplementor.performSelector(selector, withObject: sender) — won’t work in this hypothetical world, since performSelector is an Objective-C thing. And then there’s the need to convert from strings (protocol, selector) in IB to an actual protocol reference and a selector.

But — this is all just to say that perhaps it’s too early to be concerned with things like this, since we do have the Objective-C runtime (and AppKit and UIKit). At some point in the future, I imagine we’ll see Swift-minus-Objective-C-runtime app frameworks for Mac and iOS. And I will be very interested to see how these kinds of problems are solved.

I stand ready to be amazed, knowing it may be years from now.

In the meantime, though, it’s fun to write about.

Cybersecurity in 2020: The future looks bleak (TechRepublic) SANS ISC SecNewsFeed(cached at May 17, 2016, 10:30 pm)

VMWare Security Advisories VMSA-2016-0005, (Tue, May 17th) SANS Internet Storm Center, InfoCON: green(cached at May 17, 2016, 10:30 pm)

VMWare published today a security advisory about the following CVEs:

Microsoft Releases Big 'Convenience Rollup' Update For Windows 7 Slashdot by manishs on windows at January 1, 1970, 1:00 am (cached at May 17, 2016, 10:06 pm)

Microsoft has released a "convenience rollup" update for Windows 7 computers. The update to the nearly seven-year-old operating system brings with it a number of security fixes and patches that Microsoft labels as "recommended." Mary Jo Foley, reporting for ZDNet: The convenience rollup -- officially known as Windows 7 SP1 convenience rollup -- isn't Service Pack 2 for Windows 7, but it's the next best thing. The new Windows 7 convenience rollup is cumulative back to Service Pack 1, which Microsoft released in 2011. (Editor's note, the convenience rollup consists of all security and non-security fixes all through April 2016.) It doesn't include updates to IE 11 (which are released separately) or updates to .NET releases. But it does include core Windows fixes, security fixes and hot fixes. Microsoft says that the convenience rollup package is completely optional. "Install this one update, and then you only need new updates released after April 2016."
