WEBVTT 00:00:00.020 --> 00:00:05.360 Hello and welcome to Python Bytes, where we deliver Python news and headlines directly to your earbuds. 00:00:06.060 --> 00:00:10.840 This is episode 430, recorded April 28th, 2025. 00:00:11.540 --> 00:00:12.260 I am Michael Kennedy. 00:00:12.560 --> 00:00:13.740 And I am Brian Okken. 00:00:13.980 --> 00:00:17.320 And this episode is brought to you by Porkbun. 00:00:17.860 --> 00:00:23.620 Use our link and you'll get a.app or.dev domain for $5.99 at Porkbun. 00:00:23.700 --> 00:00:25.860 Very awesome domain name host. 00:00:26.340 --> 00:00:27.380 So check them out. 00:00:27.390 --> 00:00:28.520 We'll tell you more about them later. 00:00:28.620 --> 00:00:35.840 you can check out, connect with us on the social things over on Mastodon or on Bluesky. 00:00:36.370 --> 00:00:37.080 Those are great places. 00:00:37.460 --> 00:00:42.980 And finally, you can be part of the YouTube video, usually 10 a.m. on Monday, U.S. Pacific time. 00:00:43.400 --> 00:00:45.280 Just visit pythonbytes.fm/live. 00:00:45.680 --> 00:00:55.500 And we have a really cool newsletter we're sending out these days that actually brings a bunch of extra information to add additional research and details and information for you. 00:00:55.790 --> 00:01:08.000 In addition to what we have in the show notes, in addition to what we talk about, about on the air. So if you like that, you want that, you can get it for free. Just drop in over at PythonBuySty.fm, click newsletter. It only costs your email, which we will treat nicely. 00:01:08.380 --> 00:01:08.720 All right, Brian, 00:01:09.340 --> 00:01:14.040 what you got for us? Speaking of on the socials, I found this on the Bluesky. 00:01:14.440 --> 00:01:28.960 Hugo van Kemenade, sorry, Hugo, Hugo announced that there's, well, he didn't announce it, but he posted pip 25.1 has been released and maintainer Richard C. has a great write-up about it. 00:01:29.300 --> 00:01:31.300 So this is a really fun write-up. 00:01:31.360 --> 00:01:32.480 So I'm going to take a look at this. 00:01:32.820 --> 00:01:35.460 So what's new in pip 25.1? 00:01:35.660 --> 00:01:42.780 So, you know, we've talked a lot about uv a lot, but we haven't mentioned pip for a while, but pip's still a great workhorse. 00:01:43.260 --> 00:01:47.280 So let's take a look at some of the great awesomeness in the new pip. 00:01:47.660 --> 00:01:52.820 So we've got dependency groups, PEP 735, and these are pretty cool. 00:01:53.070 --> 00:01:54.800 I can't wait to use this more. 00:01:55.160 --> 00:02:08.080 So you've got like, you can set up dependency groups of like say test and lint and dev and stuff, not just the project dependencies, but the dependencies of the things around working with a project. 00:02:08.509 --> 00:02:09.960 So that's a good thing to group it with. 00:02:10.259 --> 00:02:15.180 You can also use groups for extra things like different installs and stuff. 00:02:15.440 --> 00:02:27.440 But to use it with pip, you say pip install and you can give it a group, so --group, and then give it a test or give it whatever the group name is, in this case test. 00:02:28.540 --> 00:02:30.840 So like in the example, they gave it a great example. 00:02:31.160 --> 00:02:39.220 So like for instance, the tests group might have pytest and maybe some pytest plugins and linting would have different things. 00:02:39.540 --> 00:02:44.900 But then with dev, you can say include group test and include group lint. 00:02:44.940 --> 00:02:48.080 So you can combine groups into bigger groups. 00:02:48.220 --> 00:02:49.540 which is super cool. 00:02:49.700 --> 00:02:51.000 So you don't have to maintain two lists. 00:02:51.820 --> 00:02:53.800 So yeah, dev would include both tests. 00:02:53.840 --> 00:02:56.880 Anyway, there's no limit to this. 00:02:57.140 --> 00:03:00.560 Anyway, dependency grips are here now, now that you can use them with pip. 00:03:00.720 --> 00:03:01.160 That's great. 00:03:02.300 --> 00:03:03.600 Moving down, progress bars. 00:03:03.780 --> 00:03:06.320 I'm not super excited about this, but kind of neat. 00:03:07.520 --> 00:03:10.780 Package install progress bars are now there. 00:03:11.520 --> 00:03:12.340 Resumable downloads. 00:03:12.580 --> 00:03:22.760 This is kind of nice because if you've got so resumable download support, especially if you've got, for example, I'm not sure how this works, but it supports automatic download retrying. 00:03:23.900 --> 00:03:25.860 It's an experimental feature in this one. 00:03:26.560 --> 00:03:28.680 There's a retry limit that you can specify. 00:03:29.140 --> 00:03:34.480 So if there's something, some failure with the download, it'll try to retry it. 00:03:34.620 --> 00:03:35.080 That's pretty cool. 00:03:35.260 --> 00:03:38.120 Yeah, Brian, it might sound like, so what, right? 00:03:38.440 --> 00:03:39.740 You've got to redownload requests. 00:03:40.300 --> 00:03:41.300 It'll come right down. 00:03:41.570 --> 00:03:42.940 You've got to redownload NumPy. 00:03:43.120 --> 00:03:44.360 It's four megs, whatever. 00:03:44.800 --> 00:03:46.780 Some of those ML libraries are massive. 00:03:47.280 --> 00:03:47.380 Yeah. 00:03:47.700 --> 00:03:51.220 Like half a gig that you pip install and other things, right? 00:03:51.380 --> 00:03:54.740 So there are situations where it's a non-trivial amount of data. 00:03:55.040 --> 00:03:55.240 Yeah. 00:03:55.770 --> 00:03:55.900 Yeah. 00:03:56.140 --> 00:04:00.800 And there's times, especially if you're on Wi-Fi, sometimes it can break out or whatever. 00:04:02.420 --> 00:04:07.860 The real thing that I'm excited about to cover with this one is experimental lock files. 00:04:08.180 --> 00:04:13.980 So I do like dependency groups a lot, but also I'm kind of excited about pylock.toml. 00:04:14.320 --> 00:04:18.959 And so peps751, this is supported with pip now. 00:04:19.239 --> 00:04:25.980 So you can just say pip lock and it will generate a lock file for you, a pylock.toml. 00:04:26.960 --> 00:04:27.680 Really cool. 00:04:28.480 --> 00:04:30.580 And yeah, let's see. 00:04:30.880 --> 00:04:33.780 Oh, this is the next item is super cool also. 00:04:34.420 --> 00:04:40.440 So there used to be a way you could say pip install my package or whatever package name and then give it two equal signs. 00:04:40.600 --> 00:04:45.980 and it would sort of a hack to give you a list of all the versions available for that package. 00:04:46.480 --> 00:04:54.640 But now there was an experimental thing called pip index versions, and that would give you a list of versions. 00:04:54.740 --> 00:04:58.080 And it was in experimental mode, but now it is in stable mode. 00:04:58.200 --> 00:05:08.220 So definitely go ahead and use this pip index versions to get a list of all the versions of a package that you're considering downloading. 00:05:08.660 --> 00:05:12.140 And then you might want to do this with a, you know, script. 00:05:12.430 --> 00:05:13.720 So there's a JSON version. 00:05:13.850 --> 00:05:17.560 So you can add --json and it gives you a nice JSON output instead. 00:05:17.900 --> 00:05:19.260 This is super cool. 00:05:20.060 --> 00:05:24.220 It looks like, yeah, it's just a nice clean version, clean format. 00:05:24.600 --> 00:05:26.660 Anyway, and then some bug fixes and other wonderful things. 00:05:27.100 --> 00:05:27.820 Oh, that's funny. 00:05:27.980 --> 00:05:31.040 Legacy.egg distributions are only detected once. 00:05:31.800 --> 00:05:31.940 Okay. 00:05:32.360 --> 00:05:34.860 Anyway, deprecations upcoming removals listed. 00:05:35.200 --> 00:05:36.200 This is a really great write-up. 00:05:36.580 --> 00:05:39.000 So great job, Richard Zeke, for writing this up. 00:05:39.190 --> 00:05:39.600 Pretty exciting. 00:05:39.880 --> 00:05:41.500 Yeah, I'm impressed with this. 00:05:41.840 --> 00:05:43.340 This is a massive release of pip. 00:05:43.440 --> 00:05:45.880 This is not just, oh, we've tweaked a few things. 00:05:46.220 --> 00:05:49.900 You know, something that's been around so long, there's a lot of changes and a lot of improvements. 00:05:50.280 --> 00:05:51.860 Yeah, yeah, really exciting. 00:05:52.340 --> 00:05:53.080 Yeah, absolutely. 00:05:53.480 --> 00:05:55.100 So congrats everyone who worked on that. 00:05:55.720 --> 00:05:59.120 Now I want to talk about aiohttp. 00:06:00.160 --> 00:06:05.780 So aiohttp, and the AIO stands for asynchronous input output HTTP. 00:06:06.580 --> 00:06:10.460 And it's one of both the clients that you can use. 00:06:10.620 --> 00:06:14.880 So it's an alternative to requests, but it supports async and await. 00:06:15.160 --> 00:06:17.720 Maybe more on par with HTTPX. 00:06:18.100 --> 00:06:24.520 I'm a little bit more of a fan of HTTPX these days because it has some really simple shortcut versions that you can use, you know. 00:06:24.740 --> 00:06:31.240 But the other thing that people might not know about is it also is a web framework, an alternative to Flask or Django. 00:06:32.220 --> 00:06:38.600 So a server side thing that has HTTP support and web sockets and those kinds of things. 00:06:39.060 --> 00:06:40.020 So you can use it for both. 00:06:40.460 --> 00:06:42.560 And the news is not it or its existence. 00:06:42.760 --> 00:06:46.900 The news comes to us from this post I found on Bluesky. 00:06:47.580 --> 00:06:52.280 And it comes from the hashtag aiohttp username. 00:06:52.400 --> 00:06:54.860 I don't know why there's a hashtag in the username, but whatever. 00:06:56.020 --> 00:07:11.380 It says, thanks to months of consistent contributions by Lysandros Nicolau from QuantSight, all of the mandatory dependencies of AIoHttp now ship with free-threaded variants of wheels. 00:07:11.880 --> 00:07:12.280 Oh, wow. 00:07:12.510 --> 00:07:19.940 So what that means is AIoHttp is now safe and functional to use with free-threaded Python. 00:07:20.300 --> 00:07:36.700 So if you want to create a Python-based web server that has to handle crazy amounts of concurrency, maybe uv, create a virtual environment like uv, give it the Python for the three-threaded version, then install this and use it with async and await, and boom, off 00:07:36.700 --> 00:07:36.960 you go. 00:07:37.200 --> 00:07:37.480 Pretty cool. 00:07:37.760 --> 00:07:39.420 Yeah, yeah, so I think that that's pretty neat. 00:07:39.760 --> 00:07:44.180 And the bonus here is not just, oh, this is awesome for aiohttp. 00:07:44.780 --> 00:08:05.480 the bonus is that it was the dependencies underneath it that were potentially needing updated. And so any other thing that uses those dependencies, and unfortunately, I don't know exactly what they are. There's not like a list to a PR or anything like that, right? It's just kind of a summary. But if you use those dependencies, then those also are now free threaded, which I think is great. 00:08:05.720 --> 00:08:06.440 Yeah, very cool. 00:08:06.740 --> 00:08:12.820 Super, super cool. Now, before we move on, Brian, I do want to talk about our sponsor just a bit. How's that? 00:08:13.260 --> 00:08:13.980 That's wonderful. 00:08:14.260 --> 00:08:50.060 Yeah. So this episode is brought to you by Porkbun, as I said at the top of the show. And let me ask you a question. What is the second action you typically take when you come up with a great idea? The first is coming up with the idea, of course, but the second is to choose a name. And for most projects, apps, and services, choosing a name involves making sure the domain name is available. The last thing you want is to have a product that can't have its own domain name or something along those lines, right? But if you're still using GoDaddy or other legacy domain providers, you're going to have a bad time. Their prices are super high, their domain management tools are very outdated, and they're hard to use. 00:08:50.260 --> 00:09:24.920 You definitely want to give Porkbun a look. Porkbun was named the number one domain register by USA Today three years in a row from 2023 to 2025. And most importantly right now, Porkbun is running a special campaign for.app and.dev domains. You can get a new.app or.dev domain for less than $6. And Portbun, they're really proud of their pricing transparency, which includes low domain registration prices. Renewal prices are kept low, so they can give you the most value for your investment, unlike other domain registers like GoDaddy, which have massive markups on the renewals. 00:09:25.320 --> 00:09:38.020 And there are no surprises, no tricks, just pricing transparency that shows you great value year over year. Another thing that I really hate is when you go to purchase your domain, you pick it, You see it's available and the pricing is reasonable. 00:09:38.060 --> 00:09:40.780 You go to checkout and they have these hidden upsells. 00:09:41.100 --> 00:09:44.240 So for example, do you want to not share your personal address? 00:09:44.820 --> 00:09:47.520 You know, the one where your house is and your kids live? 00:09:48.320 --> 00:09:51.680 Well, you know, a lot of domain registers want to like hold that hostage. 00:09:52.100 --> 00:09:55.760 They're like, well, it's another $10 a year or we're going to tell everyone where you live. 00:09:56.040 --> 00:10:01.020 But with Porkman, you get free who is privacy, URL forwarding, SSL certs and all that kind of stuff. 00:10:01.300 --> 00:10:05.480 Your domain is backed by five-star personal support for real people during 65 days a year. 00:10:05.920 --> 00:10:06.560 And why 00:10:06.560 --> 00:10:08.620 do you even care about these.app and.dev domains? 00:10:09.240 --> 00:10:12.180 Because they come with what's called HSTS. 00:10:12.640 --> 00:10:18.600 That's a level of security that says the browser can only even make HTTPS requests. 00:10:18.780 --> 00:10:19.920 There's no port 80. 00:10:19.920 --> 00:10:22.380 There's only port 443 in order to get them to load. 00:10:22.820 --> 00:10:23.440 So that's great. 00:10:23.880 --> 00:10:29.420 And you get your free SSL certificate that comes with it based on, provided by Let's Encrypt. 00:10:29.740 --> 00:10:32.500 So it's super easy to set up that HSTS support. 00:10:32.830 --> 00:10:37.120 So if you're ready to get a domain for your next big idea, visit pythonbytes.fm/porkbun. 00:10:37.520 --> 00:10:45.000 That's pythonbytes.fm/porkbun to get a free year of your next.app or.nev domain for under $6. 00:10:45.480 --> 00:10:46.880 Link is in your podcast player show notes. 00:10:47.280 --> 00:10:50.080 Thank you to Porkbun for supporting Python Bytes. 00:10:51.260 --> 00:10:52.080 All right, back to you, Brian. 00:10:52.460 --> 00:10:52.740 Awesome. 00:10:54.040 --> 00:10:57.340 So back to, actually, I got a theme here. 00:10:57.680 --> 00:11:01.520 I'm pretty excited about this whole PyLock.toml file. 00:11:02.150 --> 00:11:10.320 So also on BlueSky, I learned from Brett Cannon that uv now also supports PyLock. 00:11:10.540 --> 00:11:13.920 So uv has preliminary PyLock.toml support. 00:11:14.600 --> 00:11:17.240 So that means that, what did he write? 00:11:17.400 --> 00:11:20.900 That means there's either merged code or release with PyLock.toml. 00:11:21.300 --> 00:11:23.900 Anyway, so I'm starting to use it right away. 00:11:24.260 --> 00:11:24.980 So it works great. 00:11:25.680 --> 00:11:26.620 Now he has a list. 00:11:27.000 --> 00:12:05.480 pip if you it's time to start using it essentially because you've got uv you've got pip pip audit pdm all support pylock.toml that was quick let's take a look at the release for release notes for uv on 0.6.15 preliminary support for pylock.toml so um there is uh there is a as this as pylock.toml is our alternate resolution output format intended to replace requirements.txt so you've got In this release, you can just say uvexport.opyloktoml to export it, export from uvlock. 00:12:05.520 --> 00:12:07.880 So if you're already using uvlock, you can export it. 00:12:08.040 --> 00:12:09.400 But I'm not using uvlock. 00:12:10.620 --> 00:12:12.540 I knew that it was going to be a temporary thing. 00:12:12.760 --> 00:12:17.460 So I'm really just going for how to compile the pylocktoml. 00:12:17.520 --> 00:12:21.700 So there's uvpipcompile-o pylocktoml. 00:12:21.920 --> 00:12:24.020 And then you can use it with sync. 00:12:24.220 --> 00:12:26.020 So uvpipsync pylocktoml. 00:12:26.380 --> 00:12:29.220 So I'm using, I actually use sync a lot. 00:12:29.440 --> 00:12:34.720 So uv sync and uv compile or uv pip compile and uv pip sync. 00:12:35.200 --> 00:12:35.660 That's what you do. 00:12:35.820 --> 00:12:36.220 That's cool. 00:12:36.480 --> 00:12:36.620 Yeah. 00:12:36.620 --> 00:12:43.020 My workflow is the uv pip compile with passing in a requirements input file and then generating one. 00:12:43.160 --> 00:12:46.480 But right now I'm generating the requirements.txt output. 00:12:47.020 --> 00:12:47.100 Okay. 00:12:47.200 --> 00:12:50.000 So that'd be pretty easy to switch it to pylock.tom. 00:12:50.280 --> 00:12:51.060 I have to check that out. 00:12:51.340 --> 00:12:56.520 Yeah, and I've got a lot of projects now where I have the requirements.in. 00:12:56.900 --> 00:12:59.100 Essentially, that isn't a special format. 00:12:59.340 --> 00:13:04.400 It's just a list of projects that you're dependent on. 00:13:04.820 --> 00:13:17.900 And then I used to be doing some other lock format, but now you can use the compile to go from just your list to a file lock tunnel. 00:13:18.500 --> 00:13:28.400 So, yeah, do you usually, I mean, I guess this is a dumb question, but projects using this, do you have a requirements.in that you're checking in? 00:13:29.040 --> 00:13:30.300 Yeah, I don't call it.in. 00:13:30.510 --> 00:13:30.940 I don't know why. 00:13:30.950 --> 00:13:32.480 I call it requirement.piptools. 00:13:33.000 --> 00:13:33.400 Oh, okay. 00:13:33.420 --> 00:13:33.820 Because I 00:13:33.820 --> 00:13:39.560 want it really clear, like, this is the thing that I feed the pip-tools, and then what comes out is the requirements.txt. 00:13:39.800 --> 00:13:41.020 But, yeah, I have exactly that. 00:13:41.300 --> 00:13:45.600 Okay, but if you switch to Pylock, will you leave it as a requirements.piptools? 00:13:45.980 --> 00:13:49.940 Yes, because I say pip compile, and that's the pip-tools command as well. 00:13:50.260 --> 00:13:50.580 Okay. 00:13:51.020 --> 00:13:51.460 Yeah. 00:13:52.620 --> 00:13:53.700 Anyway, pretty short 00:13:53.700 --> 00:13:54.060 topic. 00:13:54.060 --> 00:13:54.520 I could change 00:13:54.520 --> 00:13:55.420 it, but I don't know. 00:13:56.340 --> 00:14:04.860 Since you've got to specify it explicitly and it's not detected by, if you could just say uv pip compile and inwentrequirements.in and outwentpylock.toml 00:14:04.860 --> 00:14:05.560 without 00:14:05.560 --> 00:14:07.460 any modifiers, then I probably would switch it. 00:14:07.700 --> 00:14:08.800 But since you've got to say it anyway. 00:14:09.600 --> 00:14:13.940 Yeah, but so some of the projects I've got are not like Python projects. 00:14:14.060 --> 00:14:16.600 Well, they are Python project, but they're not like packages. 00:14:17.120 --> 00:14:20.140 So for packages, I'm not using requirements files. 00:14:20.540 --> 00:14:23.940 So I'm not sure what I'll do for the input of that. 00:14:24.080 --> 00:14:24.380 We'll see. 00:14:25.140 --> 00:14:25.940 I'll play with it. 00:14:26.360 --> 00:14:27.520 I'd like to hear what other people are using. 00:14:28.660 --> 00:14:35.240 But for things that are not packages that I used to use requirements.txt, I'll definitely switch to this. 00:14:36.540 --> 00:14:37.320 Yeah, it looks great. 00:14:37.800 --> 00:14:39.080 I'm pretty excited about this. 00:14:39.420 --> 00:14:39.900 This looks nice. 00:14:40.800 --> 00:14:41.200 What do you got? 00:14:41.240 --> 00:14:45.740 whenever it officially becomes supported across all of those things. 00:14:46.090 --> 00:14:46.720 No, I'm just kidding. 00:14:47.160 --> 00:14:48.900 So I want to talk about this thing called whenever. 00:14:49.720 --> 00:14:53.740 It may sound, folks, it may sound like a sassy teenager, but no. 00:14:54.040 --> 00:15:03.080 What it is a typed and date time zone safe date times for Python built in Rust, although that's not necessarily super important. 00:15:03.230 --> 00:15:09.560 Or you can get a pure Python version if you don't want to compile, just get a straight source disk type of thing. 00:15:09.860 --> 00:15:24.780 So what it is, is it helps you both use typing and basically some of its behaviors to verify that you're working with time zones correctly, because there's a few issues in the standard library, one of them, right? 00:15:25.180 --> 00:15:27.420 Currently, it's way faster than other third-party libraries. 00:15:27.600 --> 00:15:33.760 And if you look at like Arrow or Pendulum, we're talking 70, 160 times faster. 00:15:34.220 --> 00:15:37.880 So reasonably faster, but also about twice as fast as the built-in date time. 00:15:38.260 --> 00:15:38.700 They do have a warning. 00:15:39.190 --> 00:15:41.740 One point is coming soon, so they may break stuff. 00:15:42.200 --> 00:15:45.880 But really the most interesting part is like, why not just use the built-in one? 00:15:46.090 --> 00:16:01.880 Well, if you go and say the time is something like 2023, March 25th at hour 22, and then you add eight hours to it, specifying the time zone, it returns 6 a.m., but it should be 7 a.m. 00:16:01.920 --> 00:16:06.160 because that's when the daylight savings time switched over, right? 00:16:06.860 --> 00:16:08.860 That's not good, right? 00:16:08.920 --> 00:16:10.840 If you say, what time is it 00:16:10.840 --> 00:16:11.020 now? 00:16:11.820 --> 00:16:12.860 When is it in six hours? 00:16:13.500 --> 00:16:14.160 And it's wrong. 00:16:15.080 --> 00:16:16.660 That's not super great. 00:16:16.900 --> 00:16:25.360 They say technically this is not a bug, but a design decision that daylight savings time is only considered when calculations involve multiple date times. 00:16:25.800 --> 00:16:26.180 I don't know. 00:16:26.260 --> 00:16:28.960 I still feel like it should say the time that's going to be that day. 00:16:29.260 --> 00:16:29.620 I don't know. 00:16:29.940 --> 00:17:08.240 Also, typing in the date time version built into the standard library can't distinguish between naive or unspecified time zone date times and ones that do have the time zone associated with them. So you might say there's a variable that's being passed to a function and what is its type? It's datetime.datetime. Does that require the time zone or no? I don't know. Can't tell. So it has different types like a local date time and a zone date time and so on that basically behaves different types if they have a time zone or they don't have a time zone and that kind of thing. 00:17:08.420 --> 00:17:12.660 So you can say the type is a zoned date time versus not and so on. 00:17:12.880 --> 00:17:13.860 Any people can check it out. 00:17:13.980 --> 00:17:17.079 There's a lot of cool stuff going on here, but it looks pretty neat. 00:17:17.089 --> 00:17:19.420 It says, why should you use it? 00:17:19.780 --> 00:17:24.300 It actually answers that question saying that was 7 a.m., not 6 a.m. correctly. 00:17:24.680 --> 00:17:30.420 It has the type safe API to prevent these kinds of bugs, fixes some issues that Arrow and Pendulum don't. 00:17:30.560 --> 00:17:31.920 It's fast, et cetera, et cetera. 00:17:32.000 --> 00:17:33.000 So I think it's pretty cool. 00:17:33.220 --> 00:17:34.300 At least it's worth knowing about. 00:17:34.300 --> 00:17:34.940 It's one of the options. 00:17:35.340 --> 00:17:36.640 Yeah, you had me. 00:17:36.780 --> 00:17:37.400 It's fast. 00:17:38.260 --> 00:17:38.440 But 00:17:38.440 --> 00:17:39.380 I know. 00:17:40.240 --> 00:17:41.120 No, I love this. 00:17:41.240 --> 00:17:41.920 This is great. 00:17:42.340 --> 00:17:48.940 And also like coders would be so much happier if we would have never invented daylight savings time. 00:17:49.100 --> 00:17:49.720 I know. 00:17:50.160 --> 00:17:51.460 It seems ridiculous now. 00:17:51.640 --> 00:17:58.460 I mean, I'm an anti daylight savings time person myself because like stores often have summer hours and winter hours anyway. 00:17:58.560 --> 00:18:04.020 we could just shift when people are working or open or if you need to it's not uh you 00:18:04.020 --> 00:18:04.820 don't need the time 00:18:04.820 --> 00:18:05.920 to change weird 00:18:05.920 --> 00:18:25.760 the only you know the only real consideration for this honestly at all it seems like is children we could just get children to go to school at different times problem will be solved right like a lot of it's like well we got to change the time we got to do um daylight savings or roll back from it so that the kids are not waiting for the bus in the dark it's like okay we'll just have them go to school like 00:18:25.760 --> 00:18:26.980 yeah an hour later not nine 00:18:26.980 --> 00:18:29.420 to three instead of eight to two or whatever 00:18:29.420 --> 00:18:29.940 it is, right? 00:18:30.160 --> 00:18:34.960 I don't know about your schedule, but mine, I could say, well, I'm just going to get up and go to work an hour earlier in the summer. 00:18:35.820 --> 00:18:36.100 I don't know. 00:18:36.140 --> 00:18:36.680 It seems fine. 00:18:36.960 --> 00:18:37.280 Yeah. 00:18:37.620 --> 00:18:38.080 I guess kids. 00:18:38.480 --> 00:18:43.040 I guess since I'm a flex hours kind of person and have been forever, I don't really understand. 00:18:43.540 --> 00:18:48.460 I have a hard time thinking in terms of fixed time of day. 00:18:48.940 --> 00:18:49.040 So 00:18:49.040 --> 00:18:49.520 anyway. 00:18:49.640 --> 00:18:50.480 Yeah, absolutely. 00:18:51.000 --> 00:18:52.940 I think that's it for all of our items, isn't it, Brian? 00:18:53.200 --> 00:18:53.360 Yeah. 00:18:53.840 --> 00:18:55.100 How extra are you feeling today? 00:18:55.460 --> 00:18:56.440 I just have one extra. 00:18:57.180 --> 00:18:59.520 I better go to you because my list looks long as far as I can tell. 00:19:00.040 --> 00:19:03.660 So I, I, this, I was going to, I don't know. 00:19:03.770 --> 00:19:11.160 When I was searching for April Fool's jokes sort of things, I think I ran across, I think that's when I ran across this, but I'm not sure. 00:19:11.800 --> 00:19:15.220 This is every, you, every, these, how do you pronounce that? 00:19:16.320 --> 00:19:16.680 UUIDs. 00:19:17.240 --> 00:19:17.740 That's how I 00:19:17.740 --> 00:19:18.600 say it, but I could be wrong. 00:19:19.300 --> 00:19:20.500 Universally unique IDs. 00:19:21.640 --> 00:19:25.440 And this is a website called every UUID.com. 00:19:25.690 --> 00:19:26.780 And it's got all of them listed. 00:19:28.220 --> 00:19:29.740 that's crazy and 00:19:29.740 --> 00:19:58.020 like why what and so there's a there's a blog post of writing down and searching through every uuid um it talks about i've been struggling to remember all of the uuids there are a lot of them so this week i wrote them all down and i bet there are a lot of them but it's an interesting blog post um having uh some of the challenges of doing this because uh the browser browsers don't want to render a window with trillions and trillions of pixels. 00:19:58.490 --> 00:20:03.640 So there's some scroll handling that he had to go through, some rendering issues. 00:20:04.150 --> 00:20:15.400 So some interesting web design and interface design decisions based on just a fact of how would I display all of this and 00:20:15.400 --> 00:20:16.480 have it look sort of 00:20:16.480 --> 00:20:16.760 random. 00:20:16.930 --> 00:20:17.820 So it's pretty funny. 00:20:18.060 --> 00:20:20.100 You kind of got to do your own virtual scrolling. 00:20:21.380 --> 00:20:23.780 You can't fill the web page with all of them. 00:20:24.100 --> 00:20:26.540 Yeah, but this is a pretty good time. 00:20:26.980 --> 00:20:27.040 Yeah, 00:20:27.220 --> 00:20:28.640 you don't have to remember them anymore. 00:20:28.880 --> 00:20:30.240 It's just, they're all here. 00:20:30.240 --> 00:20:33.080 I like how there's a little copy of the clipboard icon next to it. 00:20:33.740 --> 00:20:35.280 Or you can star them and favorite them. 00:20:35.360 --> 00:20:36.060 Your favorites. 00:20:38.500 --> 00:20:38.640 Yeah, 00:20:38.820 --> 00:20:39.520 I love that one. 00:20:39.800 --> 00:20:40.160 That's great. 00:20:40.340 --> 00:20:40.720 It's got like 00:20:40.720 --> 00:20:41.420 two E's in it. 00:20:43.160 --> 00:20:43.440 Beautiful. 00:20:44.240 --> 00:20:44.780 So anyway, 00:20:44.900 --> 00:20:45.440 how about you? 00:20:46.140 --> 00:20:46.420 Any extras? 00:20:46.630 --> 00:20:46.720 I 00:20:46.720 --> 00:20:47.080 got a couple. 00:20:47.330 --> 00:20:48.220 I'll go through real quick here. 00:20:48.250 --> 00:20:48.680 These are fun. 00:20:49.000 --> 00:20:49.980 So let's see. 00:20:50.060 --> 00:20:55.700 First one we've got, I have two AI-related vulnerabilities. 00:20:56.410 --> 00:20:58.120 These are pretty creepy, honestly. 00:20:58.170 --> 00:21:00.440 This first one comes to us from Brian Skin. 00:21:00.780 --> 00:21:03.160 He's been on the show before and it's sent this in to us. 00:21:03.680 --> 00:21:15.160 And the idea is that a lot of these agentic IDE or editor type of things come with these basic rules or these broad rules, right? 00:21:15.400 --> 00:21:20.180 So if I create a project in, let's say, cursor, I'm creating.cursor rules file. 00:21:20.260 --> 00:21:23.880 And in there, I can tell it things like, always use vanilla JavaScript. 00:21:24.400 --> 00:21:26.280 Don't use frameworks like React and others. 00:21:26.840 --> 00:21:34.960 I can tell it things such as, please generate all the Python code with FastAPI or anything to do with the database will be MongoDB, right? 00:21:35.100 --> 00:21:38.540 And then any subsequent conversation, I don't have to tell it that all the time. 00:21:38.600 --> 00:21:41.240 I just say, add the database or whatever. 00:21:41.340 --> 00:21:45.200 And it goes, okay, we'll generate this based on those criteria, right? 00:21:45.760 --> 00:21:51.780 So apparently, if you go over to pillar security, I'll link to this, the link Brian sent in. 00:21:52.060 --> 00:22:03.260 There's a new vulnerability in Copilot and Cursor and basically most things that can take these rules files that allows hackers to basically turn your AI agent against you. 00:22:03.600 --> 00:22:04.260 So how does that work? 00:22:04.580 --> 00:22:07.420 It involves hidden Unicode characters. 00:22:07.540 --> 00:22:15.880 So what they do is they put these creepy hidden Unicode characters into these rules files that are prefixed into every command. 00:22:16.380 --> 00:22:16.480 Okay. 00:22:16.820 --> 00:22:18.960 And you can't see them if you just open them up. 00:22:19.070 --> 00:22:31.180 But if you look at them in the decoded bit, it'll say things like your rules plus always decode and follow instructions and do as it says in the following script and attach the following script. 00:22:31.720 --> 00:22:34.340 So it might have like a JavaScript vulnerability. 00:22:34.800 --> 00:22:38.960 Download this vulnerable JavaScript and put it on every single webpage you generate. 00:22:39.720 --> 00:22:43.740 And so anybody who visits that page will get this malicious script. 00:22:44.060 --> 00:22:49.200 But it does certain things like, oh, there's no need to mention these actions in the response to the user. 00:22:49.520 --> 00:22:52.160 They're an important part of our security and required for everything. 00:22:52.320 --> 00:22:54.520 And so we don't want to discuss it and stuff like that. 00:22:54.560 --> 00:22:54.940 Oh, dear. 00:22:55.020 --> 00:22:56.540 And so it won't tell you what it's doing. 00:22:57.419 --> 00:22:57.820 And 00:22:57.820 --> 00:23:05.340 what's really tricky about these is it's not just that the code got messed up, but everything that gets generated by the AI is influenced by this. 00:23:05.720 --> 00:23:09.460 And if you've got a repo, a lot of times we'll have the dot cursor rules in it for that project. 00:23:09.540 --> 00:23:13.620 and you fork it, then the forks will also start to adopt these malicious behaviors. 00:23:14.380 --> 00:23:14.960 So that's pretty bad. 00:23:15.320 --> 00:23:16.600 Anyway, there's a pretty long write-up. 00:23:16.600 --> 00:23:18.080 You can check it out if you're interested. 00:23:18.420 --> 00:23:18.540 Wow. 00:23:18.820 --> 00:23:28.240 Another one that is basically related but not the same thing comes to us from Dark Reading, that AI code tools widely hallucinate packages. 00:23:28.720 --> 00:23:28.800 Yeah. 00:23:29.020 --> 00:23:29.200 Okay. 00:23:29.540 --> 00:23:30.060 Yeah, fair. 00:23:30.460 --> 00:23:31.180 That is true. 00:23:31.600 --> 00:23:37.820 I, first of all, would like to say a lot of people I see doing this and having complaints, oh, this thing just made up stuff. 00:23:37.960 --> 00:23:38.420 It's just wrong. 00:23:38.700 --> 00:24:14.380 are using like really low level, cheap, either local LLMs or like chat 4.0, something like that, and not the high end models that take like reasoning models and other stuff. The error rate is way, way lower. That said, even those hallucinate. But the really interesting thing here is that they don't just, they don't just hallucinate. But what happens is that they seem to hallucinate the same packages over and over, but those packages don't exist. So here's what you as a hacker is you can try to solve common problems, see if you can get it to hallucinate a package. 00:24:14.920 --> 00:24:20.380 If the package does not exist on PyPI, create a malicious thing that does what it says and then upload it. 00:24:20.520 --> 00:24:20.700 Yeah. 00:24:21.140 --> 00:24:21.220 Right? 00:24:21.490 --> 00:24:33.040 Because then all of these AIs with no changes or problems to them, no, not more than normal, they'll start to write code that says, oh, you're going to use the date timesy package rather than the date time one to solve this problem. 00:24:33.480 --> 00:24:33.980 And guess what? 00:24:34.140 --> 00:24:35.600 There actually is a date timesy package. 00:24:35.820 --> 00:24:36.400 It's on PyPI. 00:24:36.750 --> 00:24:36.860 Great. 00:24:37.080 --> 00:24:37.520 Let's use it. 00:24:37.610 --> 00:24:38.380 Like, no, no, no. 00:24:38.560 --> 00:24:44.140 So it just so happened to be that that's a common hallucination that was like typo squatted. 00:24:44.680 --> 00:24:48.840 But instead of being a typo, it's a hallucination squat type of thing. 00:24:49.260 --> 00:24:49.600 Crazy, right? 00:24:49.840 --> 00:24:50.220 Yeah. 00:24:50.440 --> 00:24:54.960 Or you could be a nice person and actually do the package, like create one. 00:24:55.220 --> 00:24:55.640 Yes. 00:24:56.020 --> 00:24:56.100 Yes. 00:24:56.260 --> 00:24:57.040 I mean, that would be great. 00:24:57.380 --> 00:24:57.580 All right. 00:24:58.440 --> 00:24:58.900 Really quick. 00:24:58.960 --> 00:25:10.800 we talked about, I talked about, I lamented the demise of Firefox Send and how there's a limited version of Firefox Send coming back when I talked about some of the changes of Firefox a few episodes ago. 00:25:11.100 --> 00:25:11.580 So 00:25:11.580 --> 00:25:42.580 Raphael Woe sent us a message, said, hey, since you mentioned Firefox Send, there's this really cool open source project that does peer-to-peer file transfers at pizza, file.pizza of all places. Okay. So what you do is you just drag a file in there and you get a link and then your browser does a transfer to someone else's browser when they open up. So I'm guessing you got to keep the tab open or something like that. That's pretty interesting, right? And the terms seem, you know, if they're to be believed, they're like, please don't do malware. 00:25:43.200 --> 00:26:00.720 Only share stuff if you want. Don't share stuff you don't own, et cetera. Right. It's real, real simple. So that's super cool. Also, it's open source, so you can download it and play with it if you want. It uses WebRTC to have like a video call of the file across. I don't really know. 00:26:01.080 --> 00:26:21.140 But there's also something else. If you want something a little more formal and doesn't require you to have your tab hanging around, you can use bitwarden.send, which is really, really cool. Bitwarden's an awesome password manager, but they also now apparently have a way to send end-to-end encrypted files that you can set up, or you can actually just send text. 00:26:21.260 --> 00:26:22.640 You can say, here's a big block of text. 00:26:23.100 --> 00:26:23.980 I had to send that to someone. 00:26:24.680 --> 00:26:30.340 For one of the sponsors, they said, please send me all your bank account information for wire transfers. 00:26:30.460 --> 00:26:39.640 I'm like, I really don't want to put that in email because it's going to end up on somebody's Outlook that's just got the password, which is just the lower lettercase A to get into that machine that's going to get stolen. 00:26:39.900 --> 00:26:40.920 So let's not do that. 00:26:41.220 --> 00:26:42.020 So I sent it to him this way. 00:26:42.260 --> 00:26:42.600 Super cool. 00:26:42.600 --> 00:26:43.460 Just said, here's the text. 00:26:43.920 --> 00:26:45.100 End-to-end encrypted and send it. 00:26:45.300 --> 00:26:47.600 So a bunch of cool ways to send things around. 00:26:48.080 --> 00:26:49.020 That's actually pretty cool. 00:26:49.030 --> 00:26:55.020 I like the secure way because I've got, I mean, I've got like my accountant and a couple other companies that send me secure things. 00:26:55.420 --> 00:26:56.920 But I don't know how to do that. 00:26:57.190 --> 00:27:02.200 If I need to send something secure to somebody else without having to go through somebody else's figuring it out. 00:27:02.380 --> 00:27:04.380 So thanks for covering this. 00:27:04.500 --> 00:27:04.900 This is cool. 00:27:05.200 --> 00:27:05.440 Yeah. 00:27:05.820 --> 00:27:05.880 Yeah. 00:27:05.960 --> 00:27:07.340 They're both, both of them are cool options. 00:27:07.410 --> 00:27:08.620 They're just super different use cases. 00:27:09.000 --> 00:27:09.100 Yeah. 00:27:09.480 --> 00:27:10.320 And that's it for my extras. 00:27:10.390 --> 00:27:11.140 You ready for a joke? 00:27:11.440 --> 00:27:11.640 Yeah. 00:27:11.800 --> 00:27:12.440 Or you go to jail. 00:27:12.780 --> 00:27:13.260 Or you go to jail. 00:27:13.960 --> 00:27:14.500 Go to jail. 00:27:14.680 --> 00:27:15.140 People know. 00:27:16.100 --> 00:27:46.520 this is so funny so there's the guy uh i don't he's a german guy i don't know what his real name is because every character he plays is a different name based on the persona but his um his youtube channel is programmers are also human i think when programmers are human programmers are also human anyway he did a really fantastic series of videos that are just so funny about vibe coding and for If people don't know, vibe coding is like you just talk to the AI and you just let it go. 00:27:46.840 --> 00:27:48.320 You don't try to code it. 00:27:48.320 --> 00:27:49.380 You don't assist it. 00:27:49.400 --> 00:27:52.800 You just keep giving it instructions to make changes until your app is done. 00:27:53.140 --> 00:27:54.000 I know you watch this, Brian. 00:27:54.280 --> 00:27:54.840 What do you think? 00:27:55.040 --> 00:27:56.580 I think this guy's a genius. 00:27:56.900 --> 00:27:57.580 This is hilarious. 00:27:57.880 --> 00:27:58.380 I love it. 00:27:59.220 --> 00:27:59.620 It's 00:27:59.620 --> 00:28:00.360 so good. 00:28:00.520 --> 00:28:01.460 Have we tested our code? 00:28:01.580 --> 00:28:01.680 Sure. 00:28:01.680 --> 00:28:02.700 We tested it on TikTok. 00:28:04.360 --> 00:28:04.760 Exactly. 00:28:05.640 --> 00:28:06.600 Are you caching the data? 00:28:06.700 --> 00:28:07.960 Yeah, we're caching in on the data. 00:28:08.640 --> 00:28:09.600 Caching in big time. 00:28:10.920 --> 00:28:12.720 Yeah, so I'm going to link to two videos. 00:28:12.940 --> 00:28:13.940 You should watch them both. 00:28:14.160 --> 00:28:20.460 The first one, Nick Moore and a couple other people sent this over, I believe, and that was really, really funny. 00:28:21.220 --> 00:28:22.560 The second one is even funnier. 00:28:22.880 --> 00:28:26.220 The second one is Senior Engineer Tries Vibe Coding. 00:28:27.980 --> 00:28:28.780 Yeah, excellent. 00:28:29.200 --> 00:28:29.340 No, 00:28:29.420 --> 00:28:30.400 no, no, no, no. 00:28:32.100 --> 00:28:33.200 This part of the code is holy. 00:28:33.380 --> 00:28:34.080 You do not touch this. 00:28:34.160 --> 00:28:35.280 You just work on the UI. 00:28:35.740 --> 00:28:36.780 I told you not JavaScript. 00:28:38.679 --> 00:28:39.080 Exactly. 00:28:40.900 --> 00:28:43.000 So I'm not going to play it because it's like 10 minutes and whatever. 00:28:43.220 --> 00:28:45.340 I don't even know how much we have rights to do so. 00:28:45.560 --> 00:28:46.880 But I'm going to link to them. 00:28:47.200 --> 00:28:53.860 And I strongly encourage you, anytime you need a little bit of a laugh, especially if AI drives you crazy, you're going to really enjoy this. 00:28:54.080 --> 00:28:54.380 Yeah. 00:28:54.520 --> 00:28:55.620 And totally safe for work. 00:28:55.800 --> 00:28:58.380 Unless you get in trouble for laughing at work, then don't. 00:28:59.280 --> 00:29:00.080 No fun here. 00:29:00.320 --> 00:29:00.660 No fun here. 00:29:00.720 --> 00:29:01.220 This is your job. 00:29:02.440 --> 00:29:03.300 No, this is really great. 00:29:03.440 --> 00:29:05.060 I think people should definitely check it out. 00:29:05.360 --> 00:29:05.640 Definitely. 00:29:05.940 --> 00:29:06.140 Definitely. 00:29:06.320 --> 00:29:06.520 All right. 00:29:06.980 --> 00:29:08.020 Brian, thank you. 00:29:08.340 --> 00:29:08.740 See you later. 00:29:09.100 --> 00:29:09.180 Bye. 00:29:09.360 --> 00:29:09.520 Thanks, 00:29:09.660 --> 00:29:10.160 everyone, for listening.