#380: Debugging with your eyes

Released Tuesday, 23rd April 2024

Episode Transcript

Transcripts are displayed as originally observed. Some content, including advertisements may have changed.

0:00

Hello and welcome to Python Bytes where we deliver

0:02

Python news and headlines directly to your earbuds. This

0:04

is episode 380 recorded on April 23rd, 2023. I'm

0:13

Michael Kennedy. And I'm Brian Okken. And

0:17

this episode is brought to you by us. Support

0:19

us through our courses at Talk Python

0:21

Training, the complete PyTest course, Patreon supporters

0:23

links at the top of the show

0:25

notes. So very much appreciate that. And

0:27

while you're there, you can connect with

0:29

us over on Fosstodon. If you

0:31

Mastodon there. So

0:34

Mastodon anywhere, but you can find us on Fosstodon at

0:36

M. Kennedy, at Brian Okken

0:38

and at Python Bytes. Join the

0:40

show live, pythonbytes.fm slash live. Usually,

0:43

usually Tuesdays at 10 AM

0:45

Pacific time now. And you can see all

0:47

the older versions there if you want the video as

0:50

well. And finally, Brian, a bunch of people

0:52

are signing up for the newsletter that you're

0:55

sending out about things from the show every

0:57

week. So that's awesome. People can just visit

1:00

pythonbytes.fm, click on newsletter right

1:02

in the middle of the top of the screen

1:04

and put in their email, we will treat it

1:06

kindly, but then we will email you stuff that

1:09

we're up to, which we'd love to do. So we appreciate

1:11

that. And, you know, I really want to just like maybe

1:13

focus on, on that kind of stuff, Brian, what do you

1:15

think? Let's focus, man. Let's

1:18

focus. Speaking of focus, we've

1:20

got NumFocus. So NumFocus

1:22

is, you know, actually I probably

1:24

should have done a little more

1:27

research, NumFocus is a collection of

1:29

different resources. And I

1:31

let's just take a look at the about of

1:33

NumFocus. So NumFocus

1:35

has a mission of promoting open

1:38

practices and research data in

1:41

scientific computing. There's

1:43

a lot of information on

1:45

the NumFocus site. You can check it out. But if

1:47

you take a look at the projects that are involved,

1:50

this is crazy. So the

1:52

projects, sponsored

1:54

projects. There's a

1:56

lot of our favorites like NumPy, Pandas,

1:58

Jupyter, SciPy,

2:01

so many things are involved with NumFocus

2:05

and collaborate with

2:07

NumFocus. I'm not, like I

2:09

said, we should have had Pamphile on to talk

2:11

about it a little bit. But Pamphile,

2:15

let us know something that's going on with

2:17

the NumFocus group. And it's

2:20

a little, there's some changes

2:23

going on. So this was suggested

2:25

by Pamphile Roy, who's in

2:28

the audience right now. So thanks for showing up. So

2:31

this was an article by Paul

2:34

Ivanov called NumFocus Concerns. And we'll

2:36

link to it in the show notes, of course. But

2:40

there has been some,

2:42

there's some shake up going on

2:44

in NumFocus a little bit. There's been

2:48

some problems in the past with

2:51

NumFocus being able to meet the

2:53

expectations of some of the projects

2:56

within the NumFocus banner.

2:59

And there was a town hall meeting in

3:01

February announcing that there's a new direction and

3:05

it caught a lot of people by surprise. So

3:07

I'm trying to highlight it here as well so

3:09

people know about it. There's

3:13

really, I kind of want to point people to

3:15

this article and just say that there's some things

3:17

changing. There's apparently in the past,

3:19

there was some lack of transparency of how

3:21

the board was selected. So they're trying

3:24

to make that a little bit more transparent. There

3:26

is an initiated effort to

3:29

elect a open board seats to try

3:31

to get more people on

3:33

the board and

3:35

some proposed changes to the governance structure.

3:38

And then around some of these issues, there's

3:40

also some of the projects within NumFocus

3:45

are pursuing alternative venues

3:48

for fiscal sponsorship. So getting

3:50

money in other ways. So

3:52

a lot of information here. I

3:55

thought it was

3:58

interesting some of the different alternatives

4:00

to, there's

4:02

like open source collective or some of the

4:05

ways to get money. There's different, I mean, money is

4:07

important to try to get some of the

4:09

projects, some people working on it. So

4:13

if you'd like to get more involved or

4:15

just know, have more information about what's going

4:17

on with NumFocus, this

4:19

is a really great write up. So

4:21

thanks for passing this along. Excellent.

4:25

I know NumFocus is interesting.

4:29

It's really one of the bigger ways that

4:31

funds Python open source and outside of Python

4:33

as well, but there's

4:36

not many other organizations like that.

4:38

So keeping it

4:40

healthy is definitely important.

4:43

Yeah, I'm glad it's a, it got,

4:45

there's some attention being

4:47

drawn to it before it, you know, kind

4:50

of implodes. So I don't think it will,

4:52

I think we'll see NumFocus for quite a

4:54

while. Definitely. All

4:57

right. Speaking of shining

4:59

a little bit of light on something, let's

5:02

talk about leaping. Python, this, right,

5:05

this, this PyTest

5:07

project should be one that

5:10

you're focusing on, but I beat you to it.

5:12

So here we go. Have you heard of this

5:14

leaping? I have not. Okay.

5:16

Well, it's because the description is so, wait,

5:18

no, there's no description. This is a small

5:20

project that does, it's got 238 stars. So

5:23

it's not a huge thing, but

5:27

I want to give it a bit of a shout out because I

5:29

think this is cool and I would love to hear your take, right?

5:32

So leaping is a PyTest

5:34

debugger, simple,

5:37

fast, lightweight for Python tests,

5:39

and it traces the execution

5:41

of your code and then

5:43

allows you, so you run a

5:45

test session, you know, PyTest.whatever. And

5:50

then you can retroactively ask

5:52

questions about how your PyTest

5:54

session went using natural

5:56

language. Okay. Okay.

6:00

So what would you possibly ask

6:02

it? So it does this

6:04

by keeping track of the variable changes,

6:06

at variables changing over time, and other

6:08

sources of non-determinism within your code. So

6:11

you would just say pytest-leaping, if

6:14

you install that, and it runs. You

6:18

can ask questions like, why am I not

6:20

hitting this function? Why was this

6:22

variable set to this value? What

6:26

is the value of a variable at this

6:28

point? And what changes can I make to

6:30

my code to make this test pass, even?

6:32

Stuff like that. I

6:35

see this is pretty neat. You

6:38

know, I don't have any experience with it,

6:40

but it sounds pretty creative.

6:43

It says it's based on both Ollama

6:45

and GPT-4. You can pick which

6:47

model you would like. And those

6:49

are both pretty powerful. So why

6:52

leaping? Leaping

6:55

llamas? I don't know.

6:58

Well, typically llamas do leap a lot. No,

7:00

I don't think they do, actually. Maybe

7:02

a little bit. OK.

7:07

I don't know. I can't tell you why. I

7:11

think it might come from a larger project

7:13

here, but I don't

7:15

really know. Well, I'll

7:17

play with it. And maybe I could get

7:19

somebody on to tell us. Or I'll ask

7:22

somebody, why leaping? Anyway,

7:24

I thought this was kind of interesting, so I wanted to

7:26

turn the light off. Thanks for giving

7:28

me some homework to work on. Yeah, of

7:31

course. Last one we gave, was

7:33

it Mike Fiedler? We gave homework this time.

7:35

I'm giving you homework. Haven't

7:37

heard back from Mike, though. What's up, Mike? Yeah,

7:40

where's that article, man? Yeah. Over

7:44

to you. So OK. So

7:47

I've got an extras, extras, extras

7:49

section because I

7:51

kind of got down in a rabbit hole. So

7:54

on the last discussion

7:56

of this NumFocus

7:58

concerns. I

8:01

was looking at. A.

8:05

Well. Anyway, am one of the other

8:07

topics that Pamphile passed over is

8:09

that there's a 2024 Developer

8:11

Summit going on says get started

8:13

to at 2024 a Developer

8:16

Summit happening in Seattle. A June

8:18

third to sepsis is a invite only

8:20

thing. I'm. It's so I'm

8:22

just announcing it because it's cool. Don't.

8:25

Try to sign up his kid, but that's.

8:28

It's still need that we have one

8:30

is one of the reasons why I

8:32

wanted to bring it up. His are

8:34

not to try to promote it but

8:36

to say I went with like some

8:38

of the, um, the, was the XZ

8:40

or something that last that bug that

8:42

went by recently and I can remember

8:44

XZ, ZX, a near downfall

8:46

of all the internet won't move. One

8:48

of the problems was this discussion that

8:50

people in a project don't talk to

8:52

each other that much of it. so.

8:55

And in dude there's a lot

8:57

of times are you can't really

8:59

get away from that by the

9:01

Scientific Python Developer Summit is

9:04

one place where a lot of

9:06

the people from these are Python

9:08

scientific projects get together and as

9:10

pretty neat. Last year. Was

9:13

the first and are they did a whole

9:16

bunch of cool things last year including. Some.

9:20

Yeah, had been planning implemented says

9:22

that A working group on sparse

9:24

arrays. I'm. A bunch

9:27

of specs for worked on. And

9:29

even some pitre stuff. So community

9:31

building. A lot of the great

9:33

resources to try to get some

9:36

is this tour things together and

9:38

some even some Petersburg. It's pretty

9:40

neat am. And so one

9:43

of the six year was like

9:45

another pint has begun and like

9:47

cool what's that Do so popped

9:49

over. This is pytest-regex and.

9:52

Well. If you've got a large them

9:54

as especially parameter as but really a

9:56

large pytest code, test code

9:59

base sometimes You've got like quite a

10:01

few tests coming in and how do

10:03

you specify? One of the ways

10:05

you can pick out a subset of

10:07

tests is to use the dash K

10:09

option to say Hey, I just want to use something

10:11

that has tests like underscore 3d

10:13

and it to try to get those but

10:15

that might still be a long list and

10:18

what this is is a Has the

10:20

ability and there is some logic in the dash K

10:22

So if you don't know about the logic of the

10:24

dash K, definitely read my book or take

10:26

my course but the

10:32

It isn't as powerful as a regular

10:34

expression But with this plug-in you can

10:36

use a regular expression to select the

10:38

test names, which is kind

10:40

of awesome. I Think

10:42

it's kind of awesome. It's also kind

10:44

of scary to think of using regular

10:46

expressions in test selection You're

10:49

going to need to write a test for your command line

10:52

Yeah, okay. So it's

10:54

called pytest-regex is one of my

10:56

my extra extra extras the

10:58

next one on the list is

11:01

this this write-up called by

11:03

J Carlos rolled and I think my

11:06

latest today I learns about Python and

11:10

Why these are fun, but the thing that I

11:12

wanted to highlight oh I

11:14

guess I always just forget that underscores are a

11:16

thing for long long numbers and

11:19

it's very handy for constants Okay,

11:21

the thing that I thought was neat was

11:23

this What

11:26

was it there was an example of

11:28

a decorator with just a class you

11:30

don't have to import anything or decorator

11:34

Stuff if you just have a class with

11:36

a dunder init and dunder call You

11:38

can implement your own decorator and I didn't

11:40

realize that it was that easy. So kind

11:43

of a cool small example alright

11:45

next up on our extras is and

11:47

last is is a

11:50

Ruff got a little faster, so version 0.4.0 of

11:52

Ruff is supposedly

11:58

Greater than two times faster which

12:00

is 20 to 40 percent speed up. Oh

12:03

so these are pretty neat

12:05

numbers so it was already pretty zippy

12:07

already so it's pretty cool anyway

12:11

those are my extras yeah very cool

12:13

that was four zero point four point oh

12:15

yeah yeah okay I think that's not

12:17

out yet but it's going

12:19

to be or something that's awesome I

12:22

just did my pipx upgrade

12:24

all which is a really cool

12:26

command just go find all the things that uses

12:28

Python command line tools and upgrade them I got

12:30

one dot three dot zero dot

12:33

one dot thirty seven but very

12:35

cool all

12:38

right well that's

12:40

a lot of extra

12:44

yeah so not not the end

12:46

of extra I'm thinking but a lot of extra yeah

12:49

so let's talk about

12:51

PyPI and packages now

12:54

I've covered this a fair number

12:56

of times where we've talked about oh there's somebody

12:58

uploading some horrible package that if

13:00

you install it bad thing happen bad

13:03

things happen but this has nothing to do with

13:05

that not directly anyway even

13:07

though it might sound like it

13:10

PyPI has completed its first security

13:12

audit okay so this

13:14

is an article I leave

13:17

by no Dustin Ingram and

13:20

says who's part

13:22

of the Python packaging group authority

13:25

says we are proud

13:27

to announce that PyPI has completed

13:29

its first ever external security audit

13:32

the work is funded in partnership

13:34

with the Open Technology Fund and

13:37

they've done a previous security

13:40

stuff there and they selected

13:42

Trail of Bits which

13:44

is a very well-known security pen

13:46

testing company to work on it

13:49

and they spent so if you've

13:51

ever thought like should I have should I have

13:53

a security audit done on my project maybe

13:55

but Trail of Bits spent 10 engineering

13:57

weeks of effort. Go

14:00

enough going not trying to break into

14:02

the systems and break them and look

14:04

in the code and making sure everything

14:06

as good. As a

14:08

lotta that I don't know that cause for that

14:11

can be cheap So. Now.

14:13

I'm really cool that that was funded to make

14:15

that happen. Us

14:18

as the other. The other important part

14:20

is the scope. So this has to

14:22

do specifically with what's called a which

14:25

is when you go to

14:27

pypi.org. That. Things

14:29

that website the APIs

14:31

the stuff behind the scenes that

14:33

people create accounts add that they

14:35

upload packages to. I like. That.

14:38

Infrastructure not pip other packages stored

14:40

in pepper like the infrastructure that

14:42

provides the website and

14:45

APIs as well as something called.

14:48

I have it as. A

14:51

custom open source container orchestration framework that

14:53

they created to deploy Warehouse which sounds

14:56

interesting and I know nothing about this,

14:58

but those are the two things which

15:00

were on. And the really nice part.

15:04

Everything. For us, find. A

15:07

decided that they didn't have any significant

15:09

problems. I found twenty nine different advisories.

15:13

Fourteen. Or informational six for low

15:15

priority, eight were medium and zero

15:17

a high priority issues discovered so

15:19

that's pretty awesome, right there is

15:21

pretty cool. Man. And

15:24

so there's. Multiple.

15:26

Articles and details published as follow up so

15:28

I all the suffer they did their it's

15:30

all public and you can check it out

15:32

if you wish but I feel like that's

15:34

enough to give people the idea there. So

15:36

thanks, Dustin, for writing that up and.

15:39

Very. Good to hear that. at least

15:41

the infrastructure of PyPI is solid. Capital.

15:45

Sounds like a super something. Has

15:49

had a lovely characters. Last night for dinner.

15:53

He does. I

15:56

was our main items France I feel

15:58

I'm bout a got any more. There's

16:00

an Airforce. I have some personal

16:02

extra so you had to settle

16:04

a girl just so I laid

16:07

some precise and so on. I'm

16:09

on the pytest course, commute

16:11

painters course they have. The community

16:14

was based on ah. It.

16:16

Was based on. Slack

16:18

mostly pick trying to use lack

16:20

but zoc as as ninety day

16:22

limitation thing on large communities. So

16:24

I'm and had to lead stuff

16:26

so I'm I'm trying out. Put

16:29

a minute trial podium community for

16:31

the community feature of by discourses.

16:33

So I was just kind of

16:35

hoping. To. Reach out and

16:37

say as anybody tried painters community are.

16:40

Not. By Just That has a

16:42

by tried podium community features. And.

16:44

Have a community set up on that

16:46

and has a going if you. If

16:50

you if you have and you have

16:52

some feedback for me I'm going try

16:54

to contact me at. At. Must.

16:56

M en masse and on I met Brain

16:59

I can avast learns let me know if

17:01

you have a cool community they can check

17:03

out the be neat and if you're interested

17:05

in joining the fighters community itself you can

17:08

of course by course. but you know so

17:10

I'm gonna try to open it up to

17:12

their people and if when I do make

17:14

changes I'll announce it both through our newsletter.

17:16

So become a friend of the show at

17:19

Don't Buy Them Bites. Or. You can

17:21

sign up for the newsletter at Python Tests

17:23

and. Podcast.

17:25

Also house all announcer number of things.

17:27

so does it give me a few

17:30

cents. I ever see what we got

17:32

here. I have some extras actually. I

17:34

had a sign up don't spoil the

17:36

jokes and almost got the joke at

17:39

first. So the first thing is ah,

17:41

recently had a lot of fun hang

17:43

out with Cecil Phillip and Brian Clark.

17:46

Those guys wrote the VS Code

17:48

course at Talk Python which is an

17:50

awesome course. check it out at have

17:52

I done that of em click on

17:55

courses thread stop but as sort of

17:57

a follow up to that we had

17:59

a. VS Code AMA, and so

18:01

I had Brian and Cecil there,

18:04

but also Luciano, who's

18:06

been on the show before, and

18:08

Karthik from the Python VS Code

18:10

team, and we spent 35 minutes

18:12

and 44 seconds taking

18:14

questions from the audience and talking

18:17

about features and direction of Python and VS Code, and

18:19

that was a lot of fun. So people can check

18:21

that out on YouTube and just

18:24

go check it out if they want. Next,

18:29

do you gUnicorn? Not Gunicorn,

18:31

because the icon is a

18:33

green unicorn, so

18:35

gUnicorn has

18:37

a CVE, which is not

18:40

ideal. CVE means

18:42

there is some problem worth

18:45

giving a number and a record

18:47

to. So this is CVE-2824-1135,

18:49

and it's awaiting analysis, it seems, but gUnicorn

18:51

fails to properly

18:58

validate transfer encoding headers

19:01

leading to HTTP request

19:03

smuggling vulnerabilities. You

19:05

don't want smugglers in your web app, do you, Brian? No.

19:08

No. By crafting requests

19:11

with conflicting transfer encoding headers,

19:13

attackers can bypass security restrictions

19:15

and access restricted endpoints.

19:18

So I would say maybe you don't want to do

19:20

that. Okay.

19:24

Yeah, it doesn't sound incredibly

19:27

dangerous, but it is a 7.5,

19:30

it is high in the danger danger

19:33

level. So I

19:36

guess it depends, to me, it just depends

19:38

on how is, how

19:41

are you actually restricting those things

19:43

and what part of gUnicorn versus what part

19:45

of your own code is actually checking

19:48

whether something has access to a thing and so

19:50

on. So yeah.

19:54

But I want to put that out there because you

19:56

might want to update your gUnicorn.

20:00

Next up, another announcement,

20:02

you had the SciPy

20:04

one. So PyCon South

20:06

Africa, PyCon ZA, is

20:09

gonna be a hybrid event. And right now

20:11

the big news is that the talk

20:14

submissions are open, they

20:16

prefer them in person, but they can

20:18

be given remotely as well, or

20:20

recorded I believe. So you can possibly

20:24

submit a talk. If you're interested, the main

20:26

conference is in October.

20:28

So there's that. And

20:31

speaking of conferences. This one was sent in

20:33

by Philip Jones. Brian,

20:35

what would happen if you had

20:37

like a stealth conference that invaded

20:39

some other conference? Like

20:42

a symbiote. Yeah,

20:48

so there's FlaskCon inside

20:51

PyCon this year. Okay.

20:55

So on Friday, they will

20:57

be having FlaskCon 2024. And

21:01

you know, the Friday, which is May

21:03

17th at PyCon US, and call for

21:06

proposals are live. Basically,

21:09

they give you some ideas of things

21:12

they might find interesting and

21:14

so on. But yeah, there's

21:16

a whole series of events and introduction

21:18

from David Lord, who leads the Palettes

21:20

Project, which manages Flask among other

21:22

things. But yeah, there's a whole from 11 a.m.

21:25

till 7 p.m., maybe

21:29

till 6 p.m., depending on what you call a conference,

21:33

series just focused on Flask. So I

21:35

think that's pretty interesting. I'm most

21:37

interested to just see how this logistically works out.

21:39

But if you're gonna be there anyway, that's cool.

21:43

Yeah. Actually,

21:45

it's kind of an interesting idea. It's on

21:47

Friday, which I'm normally like, you know, going

21:49

to other talks and there's other stuff on

21:51

Fridays. And I'd be curious

21:53

to see some other piggyback things, because at

21:57

PyCon, there's the tutorial site.

22:00

before and then there's the sprints after.

22:02

But there's also like there's a lot less people

22:05

in there so there might be there might

22:07

be a lot of might

22:09

be opportunities to do some other

22:11

piggyback conference sub conferences before

22:14

after as well in the future.

22:16

Yeah, interesting. Absolutely. Alright,

22:18

are you ready to close this out

22:20

with a debugging joke? I

22:23

yeah sure. Okay, we got a little role

22:25

playing here. Okay, so this is a conversation.

22:27

You want to be the developer

22:29

or you want to be the the person curious about

22:31

how developers work it out? I'll

22:35

be the developer. Okay, you do the

22:37

green bubble. So here's a text

22:40

exchange between somebody who's sitting

22:42

next to a software developer on a train or

22:44

something like that and then texting with

22:46

their developer friend go make this make sense. Right?

22:48

Okay, so here's the non-developer. Is

22:51

it common for software engineers

22:53

to take out their laptops on the train

22:55

only to stare at them without

22:57

doing anything? Well, yes,

22:59

legally you have to or you lose

23:02

your license as a software engineer. Oh,

23:04

but seriously, like he just

23:06

shut his laptop, opened it back up, pressed a

23:08

button and resumed staring at it. Oh

23:11

yeah, and now he's browsing his phone while

23:13

staring. It's called debugging. You

23:16

stare at the code until it works again. Why

23:19

do you guys get paid so much? Yeah, well

23:22

it's yeah and it's

23:26

further than that. I mean after

23:28

staring at it for a while, I often not

23:30

bring in other people to stare at it with

23:32

me. Can we just stare at this together for

23:35

a while because my staring is

23:37

ineffective. It's called code reviews. Exactly.

23:41

Sometimes AI will also stare at it with you. It

23:45

can also propose new ways to break it. Yeah,

23:48

that's right. Yeah. All right,

23:52

well, well if I had Pytest

23:55

leaping, I could just ask it why it's not

23:57

working. Exactly. Come on. We've

24:00

been to action. What's happening here? All

24:03

right. Well, thanks for being here, Brian. Thank you, everyone, for listening. Bye.
