Brought to you by Michael and Brian - take a Talk Python course or get Brian's pytest book

#47: PyPy now works with way more C-extensions and parking your package safely

Published Thu, Oct 12, 2017, recorded Wed, Oct 11, 2017

Sponsored by DigitalOcean. They just launched Spaces, get started today with a free 2 month trial of Spaces by going to do.co/python

Brian #1: PyPy v5.9 Released, Now Supports Pandas, NumPy

  • NumPy and Pandas work on PyPy2.7 v5.9
  • Cython 0.27.1 (released very recently) supports more projects with PyPy, both on PyPy2.7 and PyPy3.5 beta
  • Optimized JSON parser for both memory and speed.
  • CFFI updated
  • Nice to see continued improvements and work on PyPy

Michael #2: WTF Python?

  • Python, being awesome by design high-level and interpreter-based programming language, provides us with many features for the programmer's comfort.
  • But sometimes, the outcomes of a Python snippet may not seem obvious to a regular user at first sight.
  • Here is a fun project attempting to collect such classic and tricky examples of unexpected behaviors in Python and discuss what exactly is happening under the hood!
  • Examples:
  • I’m thinking of doing some fun follow on projects with this. More on that later.

Brian #3: Python Exercises

  • “… focus on the language itself and the standard library.”
  • Some non-obvious Python exercises to help hone your Python skills, and possibly use in coding exercises of a job interview or maybe pre-interview screen.
  • Topics
    • Basic syntax
    • Text Processing
    • OS Integration
    • Functions
    • Decorators & Generators
    • Classes, Modules,
    • Exceptions, Lists, Dictionaries, Multiprocessing
    • & Testing! always including testing when ~~interviewing someone~~ practicing your coding.

Michael #4: Exploiting misuse of Python's "pickle"

  • If you program in Python, you’re probably familiar with the pickle serialization library, which provides for efficient binary serialization and loading of Python datatypes.
  • Hopefully, you’re also familiar with the warning printed prominently near the start of pickle’s documentation:

Warning: The pickle module is not intended to be secure against erroneous or maliciously constructed data. Never unpickle data received from an untrusted or unauthenticated source.

  • this blog post will describe exactly how trivial it is to exploit such a service, using a simplified version of the code I recently encountered as an example.
  • Executing Code: So, what can we do with a vulnerable service? Well, pickle is supposed to allow us to represent arbitrary objects. An obvious target is Python’s subprocess.Popen objects!

Brian #5: A Complete Beginner's Guide to Django

  • Lots of Django tutorials already, but this may appeal to folks with a more academic bent.
  • Complete with wireframes, UML class hierarchies and use case diagrams.
  • Series with 6 parts done, a 7th part planned, which will be the last part.
  • Some fun comic like drawings, and lots of screenshots.

Michael #6: pypi-parker

  • Helper tooling for parking PyPI namespaces to combat typosquatting.
  • pypi-parker lets you easily park package names on PyPI to protect users of your packages from typosquatting.
  • Typosquatting is a problem: in general, but also on PyPI.
  • There are efforts being taken by pypa to protect core library names, but this does not (and really cannot and probably should not attempt to) help individual package owners.
  • For example, reqeusts rather than requests, or crytpography rather than cryptography.
  • Why? Self-serve is a good thing. Let's not try and get rid of that. Work with it instead.
  • What? pypi-parker provides a custom distutils command park that interprets a provided config file to generate empty Python package source distributables. These packages will always throw an ImportError when someone tries to install them. You can customize the ImportError message to help guide users to the correct package.

Our news

Michael:


Want to go deeper? Check our projects