#442: Cloud bills in scientific notation

00:00 Hello and welcome to Python Bytes, where we deliver Python news and headlines directly to your earbuds.

00:05 This is episode 442, recorded July 28, 2025. I'm Michael Kennedy.

00:12 And I'm Brian Okken.

00:14 You can connect with us and the show over on Mastodon or on Blue Sky.

00:19 You can find the links at the top of the show notes to all the different accounts for me, Brian, and the show on those various places.

00:26 If you want to be part of the live show, as I know some of you I can see now are, then join us usually Monday, 10 a.m. Pacific time on YouTube, pythonbytes.fm/live.

00:37 That'll take you there.

00:37 And if there's a live episode going there and even like point out, hey, we're live right now and here's how you find us.

00:42 So we appreciate all the live interactions.

00:45 It makes the show better, we think.

00:47 And yeah, so support all of our work, Brian, through his three courses.

00:54 You got three courses right now?

00:56 Yeah.

00:56 pythontest.com?

00:58 Yeah, three or four, something like that.

01:00 Beautiful.

01:01 And obviously the course is over at Talk Python, got a bunch of them.

01:05 And I have more to say about that later, actually.

01:08 So some very cool things coming there.

01:10 What's our first item?

01:11 Well, I was going to talk about, which button do we push?

01:16 That one?

01:17 Okay.

01:17 I wanted to talk about open source security.

01:20 Actually, security with respect to open source projects.

01:23 And this is something that Seth Larson likes to talk about.

01:26 He's the security dude at, isn't he?

01:30 Does some security for.

01:31 Yeah, this is official title is security dude at the PSF.

01:35 Security dude.

01:36 So he's got an article, open source security work isn't special, but it kind of is, but it's kind of not.

01:44 So the discussion is around how we, one of the amazing things about open source work is you can,

01:52 you can have contributors from around around different places you can have community can

01:57 people helping with the community building people helping with development docs tests uh funding

02:04 all sorts of stuff people can help out uh security is one of those things and um but um but one of the

02:12 the one of the topics really is that seth brought up is that people kind of think of security as

02:17 different because it's so important. It's, it's, you don't, you want, you don't like if somebody

02:22 just randomly came in and like implemented a cool feature, you can look at the code and go,

02:26 oh yeah, and that's kind of neat. Maybe we'll take it. Maybe we won't. But if somebody wants

02:30 to modify the security settings or do something around security with your project, either of the

02:37 project, the code project code itself, or just the community around the project and maybe the website

02:43 or something. That would be a little scarier, but maybe it shouldn't be. One of the things he

02:50 brought up, which is really important, is we kind of want the core maintainers to be like the people

02:55 that only can muck with the security stuff, but they might not have the skills necessary. So

03:01 maintainers, especially for smaller projects, are almost always experts in the domain of the project,

03:07 but not necessarily security experts. And that's definitely the case for me. I could see myself

03:12 working on like the test code or some other like, you know, application, but I'm not going to be the

03:19 security expert. So I would love to have somebody help out, but there's issues around that, right?

03:25 So the article goes into discussing things like trust and different things. One of the benefits,

03:31 like let's say we had security specialists that work on lots of different open source projects.

03:37 They could, because they are understanding multiple projects, they can see how other projects are triaging vulnerabilities and learn from different projects.

03:47 So we kind of want to spread that knowledge around between projects.

03:50 And having security experts bounce around would be good.

03:53 Just like we might have people that are good at pytest jump around and help out with the test code on different projects.

03:59 We could have security experts.

04:01 But how do we trust them?

04:02 And he does talk about trust.

04:05 And one of the great things about how to trust people is to meet them, like actually go to

04:09 go to project, go to like conferences and stuff and meet people in person.

04:15 And I think that's important.

04:16 But I would say like for a project of mine, I would if somebody said they wanted to help

04:22 out with the with the security aspect of it, I would if they had a portfolio, like, you

04:28 know, if they're already a contributor to like Flask, I'd be like, oh, yeah, they do

04:33 security for Flask.

04:34 They totally can work on this.

04:36 So building, and I think that's kind of where Seth is going, is to try to build up a community of trusted security people

04:43 within the Python open source community.

04:45 And I think that'd be really cool.

04:47 So cool article.

04:48 Yeah, it's a neat idea.

04:50 Like, why should it be special, right?

04:51 You don't restrict the looping aspects of your project to like, these are the loop specialists.

04:57 Yeah, well, he did talk about like the scary bit of like that XZ thing or whatever, where somebody kind of pushes into a project to help with something else.

05:08 And then they maybe are one of the fears is also is if a security person changes something,

05:15 I don't know if it's bad or good. Right. Because I'm not the security expert. So,

05:21 yeah, dealing with that. But Seth is like saying that that's not as big of a problem as

05:27 as we might think. And and part of the, you know, trusted people around it would help.

05:33 Yeah, I would say diverging slightly from Seth's article, it might be worth just asking your favorite code AI agent like, hey, don't make any changes, but please do a security review of my code and explain the issues and see if it finds anything.

05:50 Or if somebody makes a change, you could say, hey, AI, what is the security impact of this change?

05:57 It's, you know, it's not necessarily 100% perfect, but it's sort of like double input accounting sort of thing, right?

06:05 Yeah, but right.

06:06 Yeah, that'd be cool.

06:08 Also things like, for instance, if you've already hooked up Bandit to a project to do a Bandit testing for security,

06:17 like adding that to another product.

06:19 If you see another project that you work with, it doesn't make sense.

06:23 One of the, the one of the advice, Brian, I don't know.

06:27 If someone or something is named Bandit, do you really want to put them in charge of security?

06:31 That sounds a little sus, honestly.

06:34 No, Bandit's a cool tool. Sorry.

06:36 The other topic that he brought up that I appreciated was, we do talk about companies utilizing open source projects a lot.

06:47 So this is where it really makes sense.

06:49 A company is probably going to have some security experts, right?

06:52 A larger company.

06:54 Those people could look at the dependencies and contribute to those projects

06:57 that don't live up to their security standards.

07:01 Go ahead and contribute to help make them better.

07:05 Yeah, that's a good point.

07:06 Instead of saying this thing's not secure enough for us, and we'll do a few PRs, and then it will be.

07:10 Yeah, exactly.

07:12 Exactly.

07:13 You know what probably is up to most people's standards is uv.

07:17 Yes.

07:17 Yeah, so uv is killing it.

07:19 And a major release has been released of uv.

07:23 And so I want to give a shout out to that.

07:25 However, between the time I noticed that, there have been three more releases.

07:29 So there's actually 0.8.3 and.2 and.1 and so on.

07:36 There's a smaller change for those.

07:38 But one that's notable is you can now get Python 3.14, which I know you're going to give a little shout out to.

07:43 The release candidate, you can get that through uv, Python, or just V and V and say that, right?

07:49 But the real notable one here is the big changes from 0.8.0.

07:55 So they say, hey, since 7, v7 back in April, I'm just going to like stomp on the 0 version.

08:02 What's this version 7? No, just kidding.

08:04 0.7 back in April, they've got a bunch of changes and improvements, but they could break some workflows.

08:10 they've been kind of holding those all back and they're letting them loose in 0.8. So for example,

08:17 some, this is the one I'm most excited about the stabilization of a couple of uv Python install

08:23 features, which is also uv venv if you don't have that version of Python installed, right? Like

08:28 that's sort of implicitly happens. So one that I was asking for, and the soon as I saw that uv would

08:36 install and manage Python. I'm like, is there a way that one of these could somehow become

08:42 the Python instead of being stashed in some crazy path, right? Like, could it be in

08:47 tilde dot local slash bin, for example, right? Well, yes, now. So the new change is it will

08:55 install Python executables into a directory on the path. So you can basically manage your system Python

09:01 sort of via uv Python install. I think that's pretty cool.

09:04 Okay. Is that what that default flag does?

09:07 Yes.

09:08 Yeah. If you put, well, it used to have, so it says if you uv Python install,

09:15 now it's installs a version of Python into a directory on the path by default.

09:20 Oh, okay.

09:21 Yeah.

09:22 It does it.

09:23 Yeah.

09:23 All right.

09:24 I think it just does it, which is pretty interesting.

09:26 I'm pretty psyched about it.

09:27 It registers Python versions with the Windows registry.

09:30 I imagine that means like, you know, Python's, I'm sorry, Windows is all about the registry.

09:33 So it probably means like other tools can discover that Python is installed and so on.

09:38 It has a little bit of safety about removing virtual environments if you're going to recreate them and things like that.

09:44 There's a bunch of other changes here.

09:45 So this is like pretty serious release.

09:48 I guess the last one that's pretty interesting here, maybe two even.

09:52 One is that uv build is now the default backend of uv init, which creates a project in a pyproject.toml and those kinds of things, right?

10:01 Remember it was hatchling and then we were like, well, is it hatchling?

10:04 Like how is the build back in specified and so on?

10:07 Well, now it's uv build.

10:08 That's cool.

10:09 Yeah, it's very cool.

10:09 I've been using uv build for a long time, but just typing uv space build instead of, you know,

10:15 run that or whatever.

10:16 Okay.

10:16 And then it also sets the uv tool bin directory on Docker images.

10:21 This is kind of a pain because if you install stuff, a lot of times the Docker images don't have access.

10:26 So if you're not paying attention, you'll like try to build a Docker image.

10:29 And then the next step in the build is run, run one of the tools you've installed to make something happen.

10:36 And it'll say, can't find this tool.

10:37 You're like, where is it?

10:38 You know what I mean?

10:39 So you got to set the path and so on.

10:41 So now you can, that's a little easier.

10:42 And so on and so on.

10:43 Like, look at all these changes for just 0.7 to 0.8.

10:48 It's the second digit may as well be the major digit.

10:52 Yeah, that's why I was calling it version 7 and version 8.

10:54 I'm like, these are just major versions.

10:55 They're just not committed to majorness.

10:59 Anyway, fun stuff.

11:01 All right.

11:01 Back to you.

11:02 Okay.

11:03 I've got a bunch.

11:04 I couldn't decide.

11:06 So I'm going to do a bunch of extras.

11:09 So first up, Python 3.14, release candidate.

11:12 One is a go.

11:13 This is from Hugo.

11:16 So, yeah, I guess that's it.

11:17 I guess this was six days ago.

11:19 So we may have already covered it last year or last week.

11:22 I don't remember.

11:23 So 3.14.

11:24 I don't think we covered it.

11:25 I think this is new news.

11:27 And this is a big deal.

11:27 The release candidate means, I mean, beta is supposed to mean that it's,

11:31 Yeah.

11:32 No features, no changes.

11:34 But now it's very, very close to what we're going to see in October or whenever it comes out.

11:39 So people could maybe start testing with it.

11:41 Yeah, so that's where the call to action comes, is we strongly encourage maintainers of third-party Python projects

11:49 to prepare their projects for 3.14.

11:54 And so if you've got CI pipelines for testing, now's the time to turn it on.

11:59 if your project doesn't work with 3.14, this is now that, I mean, actually you should have brought it up sooner,

12:06 but you can bring it up now to say, hey, there's an issue.

12:10 And so there's a link to the Python bug tracker and then a list of all the different features

12:16 and whatnot, build changes, incompatibilities on here.

12:19 So that's first.

12:21 So yeah, please test everything.

12:24 And okay, so that's my first item.

12:26 Second item is f-strings, WTF.

12:29 So this is brought to us by Armin Ronecker, encouraged by Lucas Lange and Yuri.

12:39 So this is, I took this, have you taken this yet, Michael?

12:42 No, I haven't.

12:43 And by the way, fstrings.wtf is the domain name.

12:46 Yes.

12:48 Yeah.

12:49 So this must, the top level domain of WTF, gotta love it.

12:54 So it's just a little quiz thing.

12:56 The first question is awesome.

12:58 So if you print F hello world, what do you get?

13:02 It really doesn't matter what you answer.

13:04 No, what you get is a linting error.

13:09 So it's, you know, correct.

13:11 f-strings are working exactly as you'd expect anything.

13:13 But you got to go through, there's 26 questions.

13:17 And it's a little, it's tricky right off the bat.

13:21 Like I know that the ellipses object is a thing.

13:26 So what happens if I do that?

13:27 well there's no there's no curly braces so of course it's just anyway um it's a fun thing i

13:32 thought i was going to do great since i do f strings all the time and i got like half of them

13:37 right so i learned a lot in uh going through this so i highly recommend well you're going to make me

13:42 have to do it now as well yeah um so this is uh this is good plus some of the um some of the

13:49 descriptions and uh and you know no phone funny business here we just a literal string with three

13:55 dots there's there's some good commentary within the within the quiz also so i highly recommend

14:01 django turns 20 uh happy birthday django um so we're going to link to birthday 20 django project

14:08 dot com uh this there's a whole bunch of celebrations planned uh and it's uh so this

14:14 is kind of fun there's a there's a map event of like if there's a party near you kind of fun to

14:19 go for a Django person.

14:21 Where's the closest one to me?

14:23 Looks like in October 17th, I could go down to San Francisco if I wanted to.

14:29 So at PyBay.

14:31 Nice.

14:31 So anyway, there's that.

14:34 MakeDocs redirect.

14:35 I've been using MakeDocs lately a lot for documenting a bunch of stuff.

14:40 I like MakeDocs.

14:41 But sometimes, and I'm actually doing some fairly big websites, documentation websites with MakeDocs.

14:48 It works pretty good.

14:49 but sometimes I put things in the wrong place right um you and with Hugo I've been used to um

14:56 used to being able to to like move things around and have both links work like if you move it

15:01 somewhere else but have the old link still work that doesn't work right off out of the box

15:05 with make docs there's not a thing so there's a make docs redirects plug-in that allows you to

15:11 have the old name and the new name so I haven't actually tried this yet but I need it so I'm

15:16 going to try it today yeah and my my last extra that i wanted to bring up is just an article that

15:22 i enjoyed um called uh by patty carver saying i'm tired of talking about ai and um and actually

15:30 even if you're not tired of tech talking about ai i think this is a good thing to like read through

15:35 because there's some things that i think that a lot of people are feeling like should i

15:40 because i've heard a lot of there's a lot of comments in here and reactions to comments like

15:45 if you don't start now, you won't be able to find work soon. That's scary, especially if I don't

15:51 have time to work on this right now. And I know that the commentary often is, well, you don't have

15:56 time because you're not using AI to free up your time. That's a tedious discussion. But there's a,

16:06 I think there's a, there's a, some of the cool reaction here is this just doesn't make sense.

16:11 We're telling people that AI is going to help them.

16:16 Pretty soon, anybody off the street can be a coder with AI.

16:19 Well, if that's true, then why is it so important for me to learn it today?

16:23 Can't I learn it next week when I really need it?

16:26 I don't agree with everything in this article, but there's some great logic in here.

16:31 I like it.

16:32 Plus, great writing.

16:34 That's all of my extras.

16:36 Awesome.

16:36 Awesome.

16:38 All right.

16:38 What have I got?

16:39 So I want to talk about Toad the Wet Sprocket.

16:45 Yeah, Toad the Wet Sprocket.

16:46 By the way, one of the best bands from the 90s.

16:48 Come on, Toad the Wet Sprocket.

16:50 It was amazing.

16:51 So this one comes to us from Will McGuggan.

16:54 I see out in the audience, Will is providing the perfect transition here for us.

17:00 AI fatigue is very real.

17:02 Yes, I agree.

17:03 I agree, Will.

17:04 But he is also helping, contributing both to this.

17:08 Thank you, Will.

17:09 Yeah, thanks a lot, Will.

17:10 Yeah, this project's called Toad, which originally was going to be called Textual Code,

17:18 but became Toad, is an improvement on the terminal-based agentic AI sort of programming story.

17:28 So Cloud Code and Gemini and all those types of things, they've got really pretty poor terminal experiences,

17:34 even though that's their only user interface, which is interesting.

17:38 Like, for example, if you resize the terminal after you get an output, it can, like, screw up the formatting and stuff, which is weird.

17:44 All sorts of things.

17:45 So he came up with this cool project that has basically taken advantage of Textual

17:51 to create a really nice terminal experience.

17:54 And so, yeah, the idea is that it's supposed to be a universal front end for AI in the terminal.

18:00 And you can even go and watch, like, a little demo that he's put together,

18:04 uv Run Toad, which is pretty fun.

18:07 And, you know, I think this is an agentic example.

18:09 He says, write a Python code to display the Mandelbrot set.

18:12 And then, boom, just off it goes.

18:14 Write it in the terminal with code formatted nicely and syntax highlighting and all that.

18:20 Then you can say, run it.

18:21 You can say, explain it.

18:22 You get the modal dialogues.

18:24 All the things you would get from Textual, right?

18:26 So Will says this is not yet a thing you can just go grab.

18:30 But down at the bottom, you can say, code isn't quite ready for public release.

18:35 It remains a tadpole for now, incubating in a private little pond of a repository.

18:40 But you know, he's all about Voss.

18:42 So it will be out soon enough.

18:43 In the meantime, you can, there's ways to get early access to it.

18:47 For example, sponsor him.

18:48 So cool project, Will.

18:49 I want to just give that a shout out.

18:51 Yeah, definitely.

18:52 I always pay attention if Will's doing something.

18:54 Exactly.

18:55 So I guess you probably don't have any extras since you just talked about your extras, right?

18:59 I do.

19:00 Yeah, I don't have any extras.

19:01 You don't have an extra extras.

19:03 Let's say that.

19:03 No more extra extras.

19:05 So I'm going to be releasing a new course really soon.

19:07 So make sure you are a friend of the show.

19:10 That could be Python Bytes or Talk Python gets a little bit, send a few more emails over there that might be talking about it.

19:18 So if you go to talkpython.fm, click on newsletter, share your name and email, and I'll let you know.

19:24 But very soon, I have an excellent course coming out that I think people are really going to enjoy.

19:28 All right, with that, shall we joke, make a joke?

19:31 Yes.

19:32 If one joke were good, wouldn't two be better?

19:34 sure you'd think yeah you would think that's true for for a while until at some point like okay

19:42 either i'm tired of jokes or my my cheeks are whatever stop all right so here's the first one

19:46 what are the heaviest objects in the universe and it's got this um like uh eisen um like general

19:53 relativity sort of space-time curve continuum thing so we've got the sun and it it bends space-time a

19:59 little the neutron star obviously super big much deeper than the sun the black hole is almost a

20:05 singularity but what is more singularity than black holes node modules the node underscore modules

20:13 folder from when you create a new project it's just like I tried to use two libraries in npm

20:18 install them or yarn install them and why are there 250 things in node modules pretty fun this

20:25 This is good, this is a short little one.

20:27 But even better, we have Azure's Cloud Appy.

20:32 Cloud Architect, senior platform engineer.

20:37 This is a very fun video.

20:40 And I'm not sure if I got the right link, I have to update that potentially.

20:43 Anyway, this comes from us, I believe this is from Programmers Are Also Human.

20:47 And it is a six minute video that is just hilarious.

20:52 - This dude is on fire, I love all those videos.

20:54 Yeah, he's the same guy that did the vibe coding YouTube jokes.

20:58 And so this is a YouTube video, obviously.

20:59 We're not going to go through it.

21:00 But if you need to laugh, watch it.

21:04 Let's read the titles of the books on this desk, though.

21:08 Go for it.

21:09 So we've got how to do cloud and what?

21:13 How to move back on-prem.

21:16 Right next to each other.

21:17 Right next to each other.

21:17 Yeah, exactly.

21:18 Right next to each other.

21:19 We also have introduction to guesstimates.

21:22 Introduction to guesstimates.

21:24 And then he has a coffee cup that says, DevOps agile with root access.

21:30 Yeah.

21:30 But yeah, it's really good.

21:31 He's like, and it's in this Einstein type of character that also has a bit of a Greek accent, I believe.

21:39 It's really good.

21:39 It says, they send us our cloud bills in scientific notation because they're so big.

21:45 It's really good.

21:46 He also gets a phone call during the interview and he answers it and he goes, what?

21:50 No, no, it's probably DNS.

21:52 Man, it's always DNS.

21:53 He goes, yeah, this guy just called.

21:55 Somehow he has root access, but I don't know who that was.

21:58 Just kidding.

21:59 Nice.

22:00 It's really good.

22:01 If you like one-liners, it's just like a stirring of them.

22:03 It's great.

22:04 Yeah, very good.

22:06 Might be not safe for work.

22:07 Not because there's anything explicit in there, but you're not going to be able to watch it and not laugh out loud.

22:15 Exactly.

22:16 Yeah.

22:17 If you're in a serious environment, you might need to wait till lunch.

22:21 Yeah.

22:22 All right.

22:22 They don't need to wait till lunch to listen to our show.

22:25 No, we're not that funny.

22:29 Fair enough.

22:29 All right.

22:30 Thank you everyone for watching, for being here.

22:32 Talk to y'all later.

22:32 Bye, Ryan.