Episode Transcript
0:00
Hello and welcome to Python Bites where we deliver
0:02
Python news and headlines directly to your earbuds. This
0:04
is episode 380 recorded on April 23rd, 2023. I'm
0:13
Michael Kennedy. And I'm Brian Okken. And
0:17
this episode is brought to you by us. Support
0:19
us through our courses at Talk Python
0:21
Training, the complete PyTest course, Patreon supporters
0:23
links at the top of the show
0:25
notes. So very much appreciate that. And
0:27
while you're there, you can connect with
0:29
us over on Fosstodon. If you
0:31
Mastodon there. So
0:34
Mastodon anywhere, but you can find us on Fosstodon at
0:36
@mkennedy, @brianokken
0:38
and @pythonbytes. Join the
0:40
show live, pythonbytes.fm slash live. Usually,
0:43
usually Tuesdays at 10 AM
0:45
Pacific time now. And you can see all
0:47
the older versions there if you want the video as
0:50
well. And finally, Brian, a bunch of people
0:52
are signing up for the newsletter that you're
0:55
sending out about things from the show every
0:57
week. So that's awesome. People can just visit
1:00
pythonbytes.fm, click on newsletter right
1:02
in the middle of the top of the screen
1:04
and put in their email, we will treat it
1:06
kindly, but then we will email you stuff that
1:09
we're up to, which we'd love to do. So we appreciate
1:11
that. And, you know, I really want to just like maybe
1:13
focus on, on that kind of stuff, Brian, what do you
1:15
think? Let's focus, man. Let's
1:18
focus. Speaking of focus, we've
1:20
got NumFocus. So NumFocus
1:22
is, you know, actually I probably
1:24
should have done a little more
1:27
research, NumFocus is a collection of
1:29
different resources. And I
1:31
let's just take a look at the about of
1:33
NumFocus. So NumFocus
1:35
has a mission of promoting open
1:38
practices and research data in
1:41
scientific computing. There's
1:43
a lot of information on
1:45
the NumFocus site. You can check it out. But if
1:47
you take a look at the projects that are involved,
1:50
this is crazy. So the
1:52
projects, sponsored
1:54
projects. There's a
1:56
lot of our favorites like NumPy, Pandas,
1:58
Jupyter, SciPy,
2:01
so many things are involved with NumFocus
2:05
and collaborate with
2:07
NumFocus. I'm not, like I
2:09
said, we should have had Pamphile on to talk
2:11
about it a little bit. But Pamphile,
2:15
let us know something that's going on with
2:17
the NumFocus group. And it's
2:20
a little, there's some changes
2:23
going on. So this was suggested
2:25
by Pamphile Roy, who's in
2:28
the audience right now. So thanks for showing up. So
2:31
this was an article by Paul
2:34
Ivanov called NumFocus Concerns. And we'll
2:36
link to it in the show notes, of course. But
2:40
there has been some,
2:42
there's some shake up going on
2:44
in NumFocus a little bit. There's been
2:48
some problems in the past with
2:51
NumFocus being able to meet the
2:53
expectations of some of the projects
2:56
within the NumFocus banner.
2:59
And there was a town hall meeting in
3:01
February announcing that there's a new direction and
3:05
it caught a lot of people by surprise. So
3:07
I'm trying to highlight it here as well so
3:09
people know about it. There's
3:13
really, I kind of want to point people to
3:15
this article and just say that there's some things
3:17
changing. There's apparently in the past,
3:19
there was some lack of transparency of how
3:21
the board was selected. So they're trying
3:24
to make that a little bit more transparent. There
3:26
is an initiated effort to
3:29
elect open board seats to try
3:31
to get more people on
3:33
the board and
3:35
some proposed changes to the governance structure.
3:38
And then around some of these issues, there's
3:40
also some of the projects within NumFocus
3:45
are pursuing alternative venues
3:48
for fiscal sponsorship. So getting
3:50
money in other ways. So
3:52
a lot of information here. I
3:55
thought it was
3:58
interesting, some of the different alternatives
4:00
to, there's
4:02
like open source collective or some of the
4:05
ways to get money. There's different, I mean, money is
4:07
important to try to get some of the
4:09
projects, some people working on it. So
4:13
if you'd like to get more involved or
4:15
just know, have more information about what's going
4:17
on with NumFocus, this
4:19
is a really great write up. So
4:21
thanks for passing this along. Excellent.
4:25
I know NumFocus is interesting.
4:29
It's really one of the bigger ways that
4:31
funds Python open source and outside of Python
4:33
as well, but there's
4:36
not many other organizations like that.
4:38
So keeping it
4:40
healthy is definitely important.
4:43
Yeah, I'm glad it's a, it got,
4:45
there's some attention being
4:47
drawn to it before it, you know, kind
4:50
of implodes. So I don't think it will,
4:52
I think we'll see NumFocus for quite a
4:54
while. Definitely. All
4:57
right. Speaking of shining
4:59
a little bit of light on something, let's
5:02
talk about leaping. Python, this, right,
5:05
this, this PyTest
5:07
project should be one that
5:10
you're focusing on, but I beat you to it.
5:12
So here we go. Have you heard of this
5:14
leaping? I have not. Okay.
5:16
Well, it's because the description is so, wait,
5:18
no, there's no description. This is a small
5:20
project that does, it's got 238 stars. So
5:23
it's not a huge thing, but
5:27
I want to give it a bit of a shout out because I
5:29
think this is cool and I would love to hear your take, right?
5:32
So leaping is a PyTest
5:34
debugger, simple,
5:37
fast, lightweight for Python tests,
5:39
and it traces the execution
5:41
of your code and then
5:43
allows you, so you run a
5:45
test session, you know, PyTest.whatever. And
5:50
then you can retroactively ask
5:52
questions about how your PyTest
5:54
session went using natural
5:56
language. Okay. Okay.
6:00
So what would you possibly ask
6:02
it? So it does this
6:04
by keeping track of the variable changes,
6:06
at variables changing over time, and other
6:08
sources of non-determinism within your code. So
6:11
you would just say pytest-leaping, if
6:14
you install that, and it runs. You
6:18
can ask questions like, why am I not
6:20
hitting this function? Why was this
6:22
variable set to this value? What
6:26
is the value of a variable at this
6:28
point? And what changes can I make to
6:30
my code to make this test pass, even?
6:32
Stuff like that. I
6:35
see this is pretty neat. You
6:38
know, I don't have any experience with it,
6:40
but it sounds pretty creative.
6:43
It says it's based on both Ollama
6:45
and GPT-4. You can pick which
6:47
model you would like. And those
6:49
are both pretty powerful. So why
6:52
leaping? Leaping
6:55
llamas? I don't know.
6:58
Well, typically llamas do leap a lot. No,
7:00
I don't think they do, actually. Maybe
7:02
a little bit. OK.
7:07
I don't know. I can't tell you why. I
7:11
think it might come from a larger project
7:13
here, but I don't
7:15
really know. Well, I'll
7:17
play with it. And maybe I could get
7:19
somebody on to tell us. Or I'll ask
7:22
somebody, why leaping? Anyway,
7:24
I thought this was kind of interesting, so I wanted to
7:26
turn the light off. Thanks for giving
7:28
me some homework to work on. Yeah, of
7:31
course. Last one we gave, was
7:33
it Mike Fiedler? We gave homework this time.
7:35
I'm giving you homework. Haven't
7:37
heard back from Mike, though. What's up, Mike? Yeah,
7:40
where's that article, man? Yeah. Over
7:44
to you. So OK. So
7:47
I've got an extras, extras, extras
7:49
section because I
7:51
kind of got down in a rabbit hole. So
7:54
on the last discussion
7:56
of this NumFocus
7:58
Concerns. I
8:01
was looking at. A.
8:05
Well. Anyway, one of the other
8:07
topics that Pamphile passed over is
8:09
that there's a 2024 Developer
8:11
Summit going on. It says, get started,
8:13
the 2024 Developer
8:16
Summit happening in Seattle, June
8:18
third to sepsis is a invite only
8:20
thing. So I'm
8:22
just announcing it because it's cool. Don't.
8:25
Try to sign up his kid, but that's.
8:28
It's still neat that we have one.
8:30
One of the reasons why I
8:32
wanted to bring it up is
8:34
not to try to promote it but
8:36
to say, with like some
8:38
of the, what was it, the xz
8:40
or something, that last bug that
8:42
went by recently, I can't remember,
8:44
xz, the near downfall
8:46
of all the internet. One
8:48
of the problems was this discussion that
8:50
people in a project don't talk to
8:52
each other that much. So.
8:55
And indeed, there's a lot
8:57
of times where you can't really
8:59
get away from that, but the
9:01
Scientific Python Developer Summit is
9:04
one place where a lot of
9:06
the people from these Python
9:08
scientific projects get together, and it's
9:10
pretty neat. Last year was
9:13
the first, and they did a whole
9:16
bunch of cool things last year, including some.
9:20
Yeah, planning and implementing, it says,
9:22
a working group on sparse
9:24
arrays, a bunch
9:27
of SPECs were worked on, and
9:29
even some pytest stuff. So community
9:31
building, a lot of the great
9:33
resources to try to get some
9:36
of these sort of things together, and
9:38
even some pytest stuff. It's pretty
9:40
neat. And so one
9:43
of the things this year was like
9:45
another pytest plugin, and like,
9:47
cool, what's that do? So I popped
9:49
over. This is pytest-regex.
9:52
Well. If you've got a large,
9:54
especially parametrized, but really a
9:56
large pytest code
9:59
base, sometimes you've got like quite a
10:01
few tests coming in and how do
10:03
you specify? One of the ways
10:05
you can pick out a subset of
10:07
tests is to use the -k
10:09
option to say Hey, I just want to use something
10:11
that has tests like _3d
10:13
and it to try to get those but
10:15
that might still be a long list and
10:18
what this is, is it has the
10:20
ability, and there is some logic in the -k.
10:22
So if you don't know about the logic of the
10:24
-k, definitely read my book or take
10:26
my course but the
10:32
It isn't as powerful as a regular
10:34
expression But with this plug-in you can
10:36
use a regular expression to select the
10:38
test names, which is kind
10:40
of awesome. I Think
10:42
it's kind of awesome. It's also kind
10:44
of scary to think of using regular
10:46
expressions in test selection You're
10:49
going to need to write a test for your command line
10:52
Yeah, okay. So it's
10:54
called pytest-regex. That's one of my
10:56
my extra extra extras the
10:58
next one on the list is
11:01
this this write-up called by
11:03
J Carlos rolled and I think my
11:06
latest today I learns about Python and
11:10
Why these are fun, but the thing that I
11:12
wanted to highlight oh I
11:14
guess I always just forget that underscores are a
11:16
thing for long long numbers and
11:19
it's very handy for constants Okay,
11:21
the thing that I thought was neat was
11:23
this What
11:26
was it there was an example of
11:28
a decorator with just a class you
11:30
don't have to import anything or decorator
11:34
Stuff if you just have a class with
11:36
a dunder init and dunder call, you
11:38
can implement your own decorator and I didn't
11:40
realize that it was that easy. So kind
11:43
of a cool small example alright
11:45
next up on our extras is and
11:47
last is is a
11:50
Ruff got a little faster, so version 0.4.0 of
11:52
Ruff is supposedly
11:58
Greater than two times faster which
12:00
is 20 to 40 percent speed up. Oh
12:03
so these are pretty neat
12:05
numbers so it was already pretty zippy
12:07
already so it's pretty cool anyway
12:11
those are my extras yeah very cool
12:13
that was 0.4.0
12:15
yeah yeah okay I think that's not
12:17
out yet but it's going
12:19
to be or something that's awesome I
12:22
just did my pipx upgrade
12:24
all which is a really cool
12:26
command just go find all the things that uses
12:28
Python command line tools and upgrade them I got
12:30
one dot three dot zero dot
12:33
one dot thirty seven but very
12:35
cool all
12:38
right well that's
12:40
a lot of extra
12:44
yeah so not not the end
12:46
of extra I'm thinking but a lot of extra yeah
12:49
so let's talk about
12:51
PyPI and packages now
12:54
I've covered this a fair number
12:56
of times where we've talked about oh there's somebody
12:58
uploading some horrible package that if
13:00
you install it bad thing happen bad
13:03
things happen but this has nothing to do with
13:05
that not directly anyway even
13:07
though it might sound like it
13:10
PyPI has completed its first security
13:12
audit okay so this
13:14
is an article, I believe,
13:17
by Dustin Ingram, and
13:20
says who's part
13:22
of the Python Packaging Authority,
13:25
says we are proud
13:27
to announce that PyPI has completed
13:29
its first ever external security audit
13:32
the work is funded in partnership
13:34
with the open technology fund and
13:37
they've done a previous security
13:40
stuff there and they selected
13:42
trail of bits which
13:44
is a very well-known security pen
13:46
testing company to work on it
13:49
and they spent so if you've
13:51
ever thought like should I have should I have
13:53
a security audit done on my project maybe
13:55
but trail of bits spent 10 Engineering
13:57
weeks of effort. Going
14:00
in there, trying to break into
14:02
the systems and break them, and looking
14:04
in the code and making sure everything
14:06
is good. That's a
14:08
lot, and I don't know what the cost for that
14:11
is, but it can't be cheap. So.
14:13
It's really cool that that was funded to make
14:15
that happen. And
14:18
the other, the other important part
14:20
is the scope. So this has to
14:20
do specifically with what's called Warehouse, which
14:25
is, when you go to
14:27
pypi.org, that
14:29
website, the APIs,
14:31
the stuff behind the scenes that
14:33
people create accounts at, that they
14:35
upload packages to, like that
14:38
infrastructure, not pip or the packages stored
14:40
in PyPI, like the infrastructure that
14:42
provides the website and APIs,
14:45
as well as something called
14:48
cabotage, a
14:51
custom open source container orchestration framework that
14:53
they created to deploy Warehouse, which sounds
14:56
interesting and I know nothing about this,
14:58
but those are the two things which
15:00
were in scope. And the really nice part.
15:04
Everything, for us, fine. They
15:07
decided that they didn't have any significant
15:09
problems. They found 29 different advisories.
15:13
14 were informational, 6 were low
15:15
priority, 8 were medium, and 0
15:17
were high priority issues discovered, so
15:19
that's pretty awesome, right? That is
15:21
pretty cool, man. And
15:24
so there's multiple
15:26
articles and details published as follow-up, so
15:28
all the stuff they did, it's
15:30
all public and you can check it out
15:32
if you wish, but I feel like that's
15:34
enough to give people the idea there. So
15:36
thanks, Dustin, for writing that up. And
15:39
very good to hear that at least
15:41
the infrastructure of PyPI is solid. Capital.
15:45
Sounds like a super something. Has
15:49
had a lovely characters. Last night for dinner.
15:53
He does. I
15:56
were our main items. Brian, do you feel
15:58
like you've got any more? There's
16:00
an Airforce. I have some personal
16:02
extra so you had to settle
16:04
a girl just so I laid
16:07
some precise and so on. I'm
16:09
on the pytest course, the community,
16:11
the pytest course they have. The community
16:14
was based on, it
16:16
was based on Slack
16:18
mostly. I was trying to use Slack,
16:20
but Slack has a 90-day
16:22
limitation thing on large communities. So
16:24
I had to delete stuff,
16:26
so I'm, I'm trying out, I
16:29
put up a trial Podia community for
16:31
the community feature of Podia courses.
16:33
So I was just kind of
16:35
hoping to reach out and
16:37
say, has anybody tried Podia community?
16:40
Not Podia, just, has anybody
16:42
tried Podia community features, and
16:44
have a community set up on that,
16:46
and how's it going? If
16:50
you, if you have and you have
16:52
some feedback for me, try
16:54
to contact me at, at Mastodon,
16:56
@brianokken at fosstodon,
16:59
let me know if
17:01
you have a cool community that I can check
17:03
out, that'd be neat. And if you're interested
17:05
in joining the pytest community itself, you can
17:08
of course buy the course. But you know, so
17:10
I'm gonna try to open it up to
17:12
their people and if when I do make
17:14
changes I'll announce it both through our newsletter.
17:16
So become a friend of the show at
17:19
pythonbytes.fm. Or you can
17:21
sign up for the newsletter at Python Test
17:23
Podcast.
17:25
Also, I'll announce a number of things.
17:27
so does it give me a few
17:30
cents. Let's see what we got
17:32
here. I have some extras actually. I
17:34
had a sign up don't spoil the
17:36
jokes and almost got the joke at
17:39
first. So the first thing is ah,
17:41
recently had a lot of fun hanging
17:43
out with Cecil Philip and Brian Clark.
17:46
Those guys wrote the VS Code
17:48
course at Talk Python, which is an
17:50
awesome course. Check it out at
17:52
talkpython.fm, click on
17:55
courses, right at the top. But as sort of
17:57
a follow-up to that, we had
17:59
a. VS Code AMA, and so
18:01
I had Brian and Cecil there,
18:04
but also Luciano, who's
18:06
been on the show before, and
18:08
Karthik from the Python VS Code
18:10
team, and we spent 35 minutes
18:12
and 44 seconds taking
18:14
questions from the audience and talking
18:17
about features and direction of Python and VS Code, and
18:19
that was a lot of fun. So people can check
18:21
that out on YouTube and just
18:24
go check it out if they want. Next,
18:29
do you gUnicorn? Not Gunicorn,
18:31
because the icon is a
18:33
green unicorn, so
18:35
gUnicorn has
18:37
a CVE, which is not
18:40
ideal. CVE means
18:42
there is some problem worth
18:45
giving a number and a record
18:47
to. So this is CVE-2024-1135,
18:49
and it's awaiting analysis, it seems, but gUnicorn
18:51
fails to properly
18:58
validate transfer encoding headers
19:01
leading to HTTP request
19:03
smuggling vulnerabilities. You
19:05
don't want smugglers in your web app, do you, Brian? No.
19:08
No. By crafting requests
19:11
with conflicting transfer encoding headers,
19:13
attackers can bypass security restrictions
19:15
and access restricted endpoints.
19:18
So I would say maybe you don't want to do
19:20
that. Okay.
19:24
Yeah, it doesn't sound incredibly
19:27
dangerous, but it is a 7.5,
19:30
it is high in the danger danger
19:33
level. So I
19:36
guess it depends, to me, it just depends
19:38
on how is, how
19:41
are you actually restricting those things
19:43
and what part of gUnicorn versus what part
19:45
of your own code is actually checking
19:48
whether something has access to a thing and so
19:50
on. So yeah.
19:54
But I want to put that out there because you
19:56
might want to update your gUnicorn.
20:00
Next up, another announcement,
20:02
you had the SciPy
20:04
one. So PyCon South
20:06
Africa, PyCon ZA, is
20:09
gonna be a hybrid event. And right now
20:11
the big news is that the talk
20:14
submissions are open, they
20:16
prefer them in person, but they can
20:18
be given remotely as well, or
20:20
recorded I believe. So you can possibly
20:24
submit a talk. If you're interested, the main
20:26
conference is in October.
20:28
So there's that end
20:31
speaking of conferences. This one was sent in
20:33
by Philip Jones. Brian,
20:35
what would happen if you had
20:37
like a stealth conference that invaded
20:39
some other conference? Like
20:42
a symbiote. Yeah,
20:48
so there's FlaskCon inside
20:51
PyCon this year. Okay.
20:55
So on Friday, they will
20:57
be having FlaskCon 2024. And
21:01
you know, the Friday, which is May
21:03
17th at PyCon US, and call for
21:06
proposals are live. Basically,
21:09
they give you some ideas of things
21:12
they might find interesting and
21:14
so on. But yeah, there's
21:16
a whole series of events and introduction
21:18
from David Lord, who leads the Pallets
21:20
Project, which manages Flask among other
21:22
things. But yeah, there's a whole from 11 a.m.
21:25
till 7 p.m., maybe
21:29
till 6 p.m., depending on what you call a conference,
21:33
series just focused on Flask. So I
21:35
think that's pretty interesting. I'm most
21:37
interested to just see how this logistically works out.
21:39
But if you're gonna be there anyway, that's cool.
21:43
Yeah. Actually,
21:45
it's kind of an interesting idea. It's on
21:47
Friday, which I'm normally like, you know, going
21:49
to other talks and there's other stuff on
21:51
Fridays. And I'd be curious
21:53
to see some other piggyback things, because at
21:57
PyCon, there's the tutorial site.
22:00
before and then there's the sprints after.
22:02
But there's also like there's a lot less people
22:05
in there so there might be there might
22:07
be a lot of might
22:09
be opportunities to do some other
22:11
piggyback conference sub conferences before
22:14
after as well in the future.
22:16
Yeah, interesting. Absolutely. Alright,
22:18
are you ready to close this out
22:20
with a debugging joke? I
22:23
yeah sure. Okay, we got a little role
22:25
playing here. Okay, so this is a conversation.
22:27
You want to be the developer
22:29
or you want to be the the person curious about
22:31
how developers work it out? I'll
22:35
be the developer. Okay, you do the
22:37
green bubble. So here's a text
22:40
exchange between somebody who's sitting
22:42
next to a software developer on a train or
22:44
something like that and then texting with
22:46
their developer friend go make this make sense. Right?
22:48
Okay, so here's the non-developer. Is
22:51
it common for software engineers
22:53
to take out their laptops on the train
22:55
only to stare at them without
22:57
doing anything? Well, yes,
22:59
legally you have to or you lose
23:02
your license as a software engineer. Oh,
23:04
but seriously, like he just
23:06
shut his laptop, opened it back up, pressed a
23:08
button and resumed staring at it. Oh
23:11
yeah, and now he's browsing his phone while
23:13
staring. It's called debugging. You
23:16
stare at the code until it works again. Why
23:19
do you guys get paid so much? Yeah, well
23:22
it's yeah and it's
23:26
further than that. I mean after
23:28
staring at it for a while, I often not
23:30
bring in other people to stare at it with
23:32
me. Can we just stare at this together for
23:35
a while because my staring is
23:37
ineffective. It's called code reviews. Exactly.
23:41
Sometimes AI will also stare at it with you. It
23:45
can also propose new ways to break it. Yeah,
23:48
that's right. Yeah. All right,
23:52
well, well if I had Pytest
23:55
leaping, I could just ask it why it's not
23:57
working. Exactly. Come on. We've
24:00
been to action. What's happening here? All
24:03
right. Well, thanks for being here, Brian. Thank you, everyone, for listening. Bye.