#481: Ways to die

00:00 Hello and welcome to Python Bytes, where we deliver Python news and headlines directly to your earbuds.

00:05 This is episode 481, recorded May 25th.

00:09 May 25th, 2026, not 1926.

00:13 And I am Brian Okken.

00:14 I'm Michael Kennedy.

00:15 And this show is sponsored by us.

00:20 Check out all the Talk Python training courses, the pytest course,

00:26 and thanks to Patreon supporters and also we've both written books

00:30 so check out books also and I'll have a little bit of news on the Lean TDD

00:34 later.

00:34 We both have something fresh for people that if they want to support us

00:38 they can check it out. Something fresh, yeah.

00:40 You can, if you've got suggestions or

00:44 yeah, if you've got complaints, send

00:46 to Michael, but if you have suggestions, send to either

00:48 of us and the info is on the show notes,

00:52 but we're on Mastodon and um and blue sky and all the all the places so um also if you're listening to this and would like to

01:03 like see what we look like or watch the watch the stuff or show even show up live you can go to

01:08 pythonbytes.fm live where there's a link to join the audience and during the during the recording

01:15 a lot of people sometimes people drop in questions and we'll answer them on the show that's fun and

01:20 And lastly, you don't have to take notes because all of these,

01:24 all of the links are, the links are in the show notes, but the links and extra information are sent out in the email newsletter.

01:31 So you can subscribe at pythonbytes.fm and we will send you a whole bunch of information.

01:37 If you don't quite understand what we're talking about, there's some background information

01:41 there too that will fill you in.

01:43 With that, let's talk about something dumb.

01:45 Dumb ways to die.

01:46 Dumb ways for open source projects to die.

01:48 Oh, and let me count the ways.

01:50 This one is by Andrew Nesbitt.

01:51 It's an article.

01:52 It's a taxonomy, I suppose, is the way you would put it.

01:55 Pretty interesting.

01:56 I think it creates some interesting ways to talk about and think about just open source

02:02 projects and supply chain, mostly not security, although a little bit security,

02:07 but also just stability, right?

02:10 So this taxonomy is broken into a two-level tree.

02:15 So there's things like the maintainer left and the maintainer is still there.

02:19 sabotage and capture, the release pipeline broke and so on.

02:22 And for each one of those, there's a bunch of sub items that are really good.

02:26 So for the maintainer left, I'll give you a couple of

02:29 them. They're all pretty interesting.

02:31 So I won't read the whole article, but I'll read off a few

02:33 of them so you'll get the sense and you can come back and use this as a resource.

02:36 So under the maintainer left, we have the ghost maintainer,

02:39 the simple and most common case.

02:41 The last human commit is some years ago.

02:43 Issues are accumulated unanswered. The repo is not archived,

02:47 so it doesn't show up in any filter that would flag it.

02:50 Usually the maintainer just moved on and it wasn't important

02:53 enough to formally hand it over or shut it down.

02:55 And it goes on a bit.

02:56 And by the way, Andrew references this weekend that Bernie research,

03:01 he did, and basically went through

03:04 different packaging platforms or services or whatever, like PyPI or npm and so on,

03:09 and said like, well, which one of these are in an active state, a dormant state, a dead state, unknown,

03:14 and has a percent dead.

03:16 And PyPI actually has a very low percent dead.

03:19 Conda is better.

03:20 Maven is better.

03:21 But everything else is worse, like quite a few others.

03:23 So that's pretty interesting.

03:24 Yeah, it goes up there at like 20%.

03:27 I know, that's crazy, right?

03:28 So it's kind of like, let's take those and then categorize.

03:31 So we went through and did a bunch of research on these and said,

03:34 okay, well, why is it dead?

03:36 What ways can it be dead?

03:37 So there's the, just, they ghosted, right?

03:39 The maintainer just ghosted.

03:40 It's fine.

03:40 There could be the corporate orphan.

03:42 A company built and open sourced it with a team to run it.

03:44 and then pivoted or laid off the people and nobody updated it because they just,

03:48 well, they're fired.

03:49 That's an interesting one.

03:50 There's the thesis orphan.

03:52 I created this project as a PhD or master's thesis, and then I graduated and I'm done.

03:57 I'm not messing with it anymore.

03:59 I actually didn't enjoy it anyway.

04:01 Funding cliff, similar, like it has a grant or an NSF grant or something like that.

04:06 And then when the money's gone, stop and so on.

04:09 Let's go on the next category.

04:10 So this one's also really common.

04:12 The maintainer's still there, but there's the burnout plateau,

04:15 still active by any metric you'd run.

04:17 Typo fixes and dependency bumps get merged with the occasional thanks on an issue,

04:21 but anything that needs actual design work or serious debugging is open indefinitely because they're just done.

04:29 Custody battle, two maintainers fighting over it.

04:32 Toxic gatekeeping, you know, the person in charge of it just doesn't really want to maintain it,

04:36 but also to all new incoming work.

04:39 That happens a lot, I think, actually.

04:40 Yeah, I think so.

04:42 there's the sabotage and capture.

04:44 Captured maintainer.

04:46 Commit or publish access ends up with someone hostile.

04:49 XZ is an elaborate version.

04:51 Remember that two-year social engineering campaign that eventually talked that person into letting the person take over,

04:57 but they were actually a state actor, we believe.

05:00 Addison Ware.

05:01 And then we've also covered the protest where, this is bad,

05:04 seems to be more JavaScript, but there it is.

05:06 The legitimate maintainer deliberately breaks their own package.

05:10 Colors and Faker were sabotaged by their author in 2022.

05:14 LeftPad was unpublished entirely.

05:16 Remember that one was pretty bad.

05:19 That was funny.

05:20 Why is there an entire package that just LeftPad's a string?

05:23 Like, that's all it does.

05:24 You know, it's just too fine-grained.

05:27 All right.

05:27 The release pipeline broke, a bunch of stuff around that.

05:30 Force majeure, like, sanctions.

05:32 Some people's accounts have been shut down or blocked

05:34 because they've been frozen under export controls or other things like that,

05:38 or taken down because of DMCA.

05:40 The world moved on.

05:41 This one we know well from the Python world.

05:44 The platform got stranded, like chained to an end-of-the-life runtime.

05:49 Python 2 only, or requires a certain node version or whatever.

05:53 And related to that is the transit of death.

05:55 So the project's fine, the maintainer's present willing,

05:57 but something two or three levels down in its own dependency tree

06:00 can't be swapped out without a rewrite, like think Python 2,

06:03 right?

06:04 Why did a lot of stuff not upgrade to Python 3?

06:06 because something it depended upon was Python 2 only.

06:09 And so there's no way to get there.

06:11 You know what I mean?

06:12 Yeah.

06:12 API rug pull.

06:13 I've seen this like, hey, I depended upon,

06:15 I wrote something that wraps, like let's say the Reddit's API or Twitter API.

06:19 And then those APIs go away.

06:20 And guess what?

06:21 Your app or library doesn't work.

06:23 Or it's just superseded, right?

06:24 Like there's no reason to do a thing if it's now part of the language or something like that.

06:29 Project split.

06:31 Yeah, that's pretty much it.

06:32 Licensing.

06:33 So what do you think?

06:34 That's pretty neat, right?

06:34 Yeah.

06:36 And one of the things that's unfortunate is because a lot of the open source,

06:40 I don't know, there's a lot of projects, or there at least have been enough projects that has been painful that have had a lot of users and like something happened and it's not maintained anymore.

06:53 And it's not, there isn't a really good way to transition away or to something else.

06:57 And it gets messy.

06:59 I mean, we had, I had a, like, even at work,

07:03 we had a project that we were depending on that was by Python 2 only.

07:07 And it's one of those things of, like, we could have thrown money at it and just had

07:11 a corporate, you know, a corporate entity could convert it.

07:14 But we waited until a university, some university students did it.

07:18 But, you know, that seems dumb.

07:20 Why not throw money at it?

07:21 I think for a lot of, a lot of these.

07:23 You could just pay the person, hey, I know it's on this old version,

07:26 but would $5,000 make it work on the new version too?

07:29 A lot of times people say, heck yeah.

07:31 Or I've wanted to do it, but I don't have the time or energy,

07:33 right?

07:34 Or get your own people to do the conversion work, take it over.

07:39 Honestly, I'd rather see companies support the maintainers and get it upgraded.

07:44 But if that's not an option, Claude could probably upgrade it too.

07:48 Well, I mean, in the case where somebody just moved on, they're not interested in the project anymore,

07:53 throwing money at them is probably not the right option.

07:57 Yeah, that's true.

07:58 It depends on the situation.

07:59 I'll give you two examples of these in the Python space that both make me say, well,

08:03 one's in the front end CSS space is Bulma.

08:05 I really like Bulma.

08:06 Super cool project.

08:08 It sells itself as a modern CSS framework and all these things.

08:11 But let's see, when was the last release?

08:14 Oh yeah, about a year and a half ago.

08:16 Really?

08:16 Weird.

08:17 Which is really sad.

08:18 Like there was a commit for something super, like, so this,

08:22 I think this is an absolute telltale sign of this.

08:25 So people out there thinking about projects they want to depend upon.

08:27 This is a mega sign for it.

08:29 So three months ago, the maintainer of this fixed issue 4000.

08:34 What is issue 4000?

08:35 The footer has a broken logo on the website.

08:43 Meanwhile, it's got 50,000 GitHub stars, 4,000 forks.

08:47 And that's fine.

08:48 Like this guy, he doesn't owe the world anything.

08:51 If he built it, it's amazing.

08:52 I actually use this.

08:54 I love Bulma and I decided to keep using it even though it's basically dead in the water

08:59 because I looked around and all the other stuff.

09:00 It's like Tailwind, but way less complicated.

09:03 And it's going to keep working.

09:04 And in five years, I'll find something else.

09:06 But right now I could see it though. So

09:08 you've got 10 minutes to work. Maybe you've got a half an hour on the weekend to work on it. You

09:12 open this up and you see 346 issues and 175 pull requests.

09:17 I just close my laptop and go outside and mow the lawn or something.

09:20 I know.

09:22 No, I know.

09:23 And so the guy doesn't owe the world anything.

09:25 He created something cool and that's fine.

09:27 He doesn't have to do, but there, here's something that bugs me.

09:30 And I would just like to put this out there for, for people.

09:32 And you know, I, if I have projects like this,

09:34 I consider myself same and nothing.

09:36 I have nothing of the scale.

09:37 But for example, if I go to the pull request section,

09:39 I understand what you're saying, Brian, like, oh God,

09:41 there's so much work here, but he should put some kind of message

09:44 that says, Hey, listen, I just can't right now.

09:47 So please don't submit any PR.

09:49 I don't go do work that I won't even look at.

09:53 So if you look at the PRs, like there's one, one on February 20th, one on January 20th,

09:57 and there's 175 PRs without even a response to them going back,

10:04 you know, way, I don't know,

10:05 how far do they go back?

10:06 You got a page to it, right?

10:08 Like 2018.

10:10 You know what I mean? And so I just feel like it kind of bugs me that there's all these people out in the world go, oh, I'm going

10:15 to help improve this project.

10:16 I'm like, I'm going to add the view CLI. Like, no, you're not,

10:18 because it's not going to get responded to and so on.

10:21 And also there's 36 people sponsoring the project, like paying money monthly to support it.

10:27 Like, I just feel like at some point you're like, just please use it, please enjoy it,

10:31 but don't do extra work to it because I'm not in a space where I want to

10:36 or able to work on this right now.

10:37 You know, I don't know.

10:38 What are you thinking on that?

10:39 Well, I think that sometimes you're optimistic when you originally like write up a contributor guideline,

10:46 but need to update it to say, Yeah, I'm not going to accept contributions,

10:50 I guess.

10:51 Yeah, exactly.

10:52 I think one sentence on the readme, like, hey, look, I just can't, like a big, bold, I can't right now,

10:56 folks.

10:57 So please just hold your thoughts, you know,

11:00 and so on.

11:01 Because anyway, so the other one is disk cache, which I use and love.

11:05 What?

11:06 That's abandoned?

11:07 Last commit two years ago.

11:09 Maybe it just works, though.

11:10 Yeah.

11:11 But here's the thing.

11:12 Well, I mean, there's 20 pull requests,

11:14 50 issues, no responses.

11:16 The guy Grant, I don't know him.

11:18 I don't know his background.

11:19 But I noticed that he was hired by OpenAI almost exactly just a little bit after the last release.

11:26 So he's just, I don't know if this was captured in the taxonomy,

11:29 but like I've been, it is actually,

11:31 I can't remember which one, but there's like one of them where, hey,

11:34 if you get hired at a company that doesn't let you do open source,

11:37 your projects kind of like de facto die, unless you can get someone else to do it.

11:41 You know what I mean?

11:42 Or you did open source to try to be well-known enough hired by OpenAI.

11:48 I'm not saying there's a negative outcome.

11:49 Probably an amazing outcome for Grant.

11:52 So congrats to him.

11:53 And again, he doesn't know the world or anything. I think this is a little

11:55 bit different because it's really a wrapper on SQLite and SQLite is constantly being maintained

12:00 and updated.

12:01 So I feel less worried about it.

12:04 Anyway, dumb ways for open source projects that I,

12:07 there's just two examples.

12:08 I think this is important, especially for newcomers to open

12:10 source and Python.

12:11 When you add something to your project as a requirement,

12:15 you should know, the consequences of doing that right um i want to add one more thing there's a there are a lot of

12:21 packages that really don't need that a lot that many updates um even if even if they have issues

12:26 in pull requests they might be just maybe the maintainer's not that great at saying you know i

12:31 don't feel like it or something um but one way to keep it like to to keep it noted that it's alive

12:38 is once a year update your tests to the new python version um then it's at least a year old and you

12:43 know it's being tested on the latest Python.

12:45 And that's the bare minimum, I think.

12:49 Yeah.

12:49 Change your classifier.

12:51 What are those things called?

12:52 Your classifier to just say, take out the old Python, put in the new Python,

12:56 something like that. You have a classifier in here and you're good to go.

12:58 Yeah. But projects can be done.

13:00 They definitely can be done.

13:01 It's just, they don't need more changes. But I think it's all pretty interesting,

13:05 but let's take us on to more packaging talk.

13:10 Yeah.

13:11 Okay.

13:11 So the, I wanted to talk, this is a brief one, but,

13:15 um, this is a Tim Hopper article on how to create a PyLock Toml file.

13:21 And, um, I just kind of forgot that these were sort of rolling in at different times.

13:26 And as of May, um, now of 2026,

13:31 there's now three ways to create these these guys so uh he he covers um using uv pip and pdm and notes that

13:40 uv is the only one that says it's in stable status uh the pip lock uh piloc tunnel generation

13:47 is experimental and so is pdm experimental i didn't know pdm did it i'm not really a pdm user

13:53 um but the uh yeah just uh sort of sort of running down uh how to how to create lock files with the

13:59 all these tools and it's kind of just a general neat tutorial with the

14:05 recommendation of why not just use uv because it works the incantations a

14:10 little magic it's uv export --format by lock Tomo with an output of

14:15 pilot all hmm seems you're done I wonder if there's there are I think there's a

14:19 global config for uv I wonder if you could put it in there that'd be

14:22 interesting I don't know and if you the he also has apparently a companion page

14:27 of how to install and the how to install is the short version is use -r because

14:34 every they all the tools treat it like a requirements file so oh not completely

14:39 interesting no depths oh you know no dependencies okay anyway yeah just

14:45 creating by like toml files I'm and yeah it's kind of the way we were moving so

14:50 That's it.

14:51 It sure is.

14:52 Very interesting.

14:53 Now, let's talk about lifeguard.

14:57 So lifeguard, we've talked about... That was a good summer topic.

15:00 Exactly.

15:01 A lot of places, at least in the U.S., public pools open on Memorial Day and all the lifeguards go back to work and you need a lifeguard

15:09 job. And it's often a rite of passage of high school to work as a lifeguard.

15:14 So this works for lazy imports.

15:17 Remember, lazy imports are coming in Python,

15:20 which is going to be really nice.

15:21 And I was pretty interested in before, but then I did that work where,

15:25 and I wrote it up, said, we talked about it here,

15:27 cutting Python web app memory by 31%. A lot of that had to do with

15:32 imports and changing imports and only using heavyweight libraries when they actually executed

15:37 the code that needed them.

15:38 But so lazy imports, good, I think.

15:41 However, lazy imports also can have

15:43 incompatibilities in other issues.

15:46 So this lifeguard library will go through and find those issues.

15:50 It's, I don't know if we, it's kind of an interesting juxtaposition.

15:54 It has 56 GitHub stars. So it's kind of like brand new,

15:57 which is fine. It's just like a linter type thing made by

16:01 Facebook.

16:02 So it's probably something that meta used internally and they just open sourced, you

16:06 know, a couple months ago.

16:08 So that's all good.

16:09 Looks like it is a Rust based thing because it as a cargo folder.

16:12 And that was two months ago when it was created.

16:15 I don't know when it actually came out public on GitHub,

16:17 right?

16:17 Because you can have a private repo and then flip it to public at some point.

16:20 Anyway, it says, what are lazy points?

16:22 We talked about that in ports.

16:24 But it says, the idea is obviously,

16:27 especially in large code bases, this

16:29 both increases startup time and lowers memory usage, which

16:32 is great.

16:33 However, sometimes it doesn't work

16:35 because there's certain Python patterns that require these things to execute immediately.

16:40 So module level side effects, like a module that registers a handler or

16:46 modifies global state at import time will behave differently if its import is deferred.

16:51 Think about something that sets sysstat at exit, right?

16:55 So it wants to run some code at exit to unravel something.

16:58 But that's only there if you call the function that causes the lazy import to load and so

17:03 on, right?

17:04 As opposed to the way it does now.

17:05 The registry pattern.

17:06 So dependency injection, I'm guessing.

17:08 A module registers itself added to a global dict that when imported will silently fail under lazy imports.

17:15 Sys.modules manipulations.

17:16 Code that reads and writes Sys.modules assumes that prior imports have already executed.

17:21 Interesting.

17:22 And metaclasses.

17:23 Class creation side effects may depend on.

17:25 So you can just run this against your project and it'll tell you how safe are your lazy imports.

17:30 And you can't be lazy.

17:31 It's a lifeguard.

17:32 Looks out for you.

17:32 So you don't, I guess, drown in lazy imports.

17:36 Yeah.

17:37 Anyway, I just want to put that out there for people because this is coming in Python 3.15.

17:41 And it's always better to go, hey, let's test our package or our application on this new version before it's actually released.

17:49 Especially if you have a package other people use, right?

17:51 Yeah.

17:52 And I guess that I think like testing is often pretty safe to do lazy imports.

17:56 So I just want to throw out, I don't have a link or anything,

17:59 but a reminder to people that if you're loading something fairly large for testing purposes and you have a big suite,

18:06 You can throw that into a conf test or not a conf test.

18:09 We could do me in a conf test, but you can throw the import into a fixture and even an auto use fixture and

18:15 it'll, it'll load at runtime instead of test collection time then.

18:19 So it's a lot faster.

18:20 That's very good.

18:20 You're focusing on just some category test or something like that.

18:23 You don't have to do it.

18:24 All right, let's log it.

18:26 Let's log it.

18:28 So there's a, I ran across this article called choosing a Python library log,

18:32 choosing a Python logging library in 2026.

18:36 And this just kind of came up at the right time because I've got a project that I'm switching to use.

18:43 My plan is to switch it to use Logaroo.

18:45 Logaroo?

18:46 I don't know.

18:47 Logaroo.

18:48 L-O-G-U-R-U.

18:50 And the, but so I was looking at this just because it's interesting.

18:54 So the comparison is to the straight logging module, struct log, Logaroo,

18:59 logbook, and Pico logging.

19:01 And it looks like they sort of gave up on some of those.

19:05 But one of the interesting things about using straight logging was that doing structured output like JSON,

19:12 like logging JSON information, is a little bit difficult.

19:17 So their recommendation right off the bat is to use a project called Python JSON Logger,

19:24 which I didn't know about, which you can use with the standard logging module.

19:30 And it just makes logging easier.

19:32 They even have a, the same, same people that wrote the original article have a setup guide,

19:37 a practical guide to setting up the JSON logger.

19:40 So that's, that's cool.

19:41 And especially I was thinking like, especially for API endpoints or entry points or whatever,

19:46 that's important, but there's, he's JSON all over the place.

19:48 So, but so just talking about comparing them all and they didn't really give an example.

19:55 They actually talked about, well, they have examples,

19:57 but they didn't recommend anything.

20:00 Actually, the recommendation really was use the standard logging module unless you have a reason not to because it's being supported everywhere.

20:09 But I really liked the Logguru example of just how easy it looks to set up.

20:17 And we've covered this before, but especially if you have a lot of people that are,

20:21 you know, logging kind of looks complicated.

20:24 And if you've got a small team that all understand it, that's great.

20:28 But if you have a large team, it might be easier just to have an easier logging system.

20:33 And that's where I'm kind of leaning.

20:35 And the setting up JSON output, you can say serialized equals true.

20:41 Now, I don't know.

20:42 I think that means that converts every log record to a JSON output.

20:46 So that might not be.

20:47 It's not logging JSON stuff.

20:49 It's actually the output is a JSON thing.

20:52 So you can read it somewhere else, which also might be kind of cool.

20:55 But I probably won't do that.

20:56 Yeah, you could have two logs.

20:57 You could set up a logger to a file that logs without serialize and one that logs.

21:02 Oh, yeah.

21:02 Right?

21:03 So you have like a parallel, like a structured and an unstructured version.

21:07 And when you just say log, it just hits all the attached destinations or whatever.

21:10 But the easy setup is what I'm looking for.

21:15 But there are some caveats.

21:16 Like it's harder to have multiple loggers apparently, or at least multiple configurations of different loggers.

21:22 I don't know if that's true or not, but that's what the article says.

21:26 One of the things that I, that I didn't know about with this is that there's a logger catch

21:30 and a logger exception.

21:32 So there's different ways the logger catches a decorator to,

21:35 uh, to log exceptions, uh, nicely or into your,

21:40 into whatever log file you have set up.

21:42 so, or logging stream or whatever.

21:44 and that looks neat because usually, you know,

21:48 Michael does no exceptions, but if there is an exception,

21:51 uh, be able to, might be nice to look at that.

21:53 Anyway, kind of a good rundown of what the logging libraries look like right now

21:58 and now how to do structured output.

22:00 There was a performance benchmark, which was interesting,

22:03 that it compared the standard lib plus the JSON stuff with struct log and Logaroo.

22:09 And Logaroo is about the same as the standard lib with JSON.

22:13 And struct log is about twice as fast as in some cases.

22:19 So that's interesting.

22:20 Well, I use Logaroo by default these days.

22:23 I really like it.

22:24 But I've also used Logbook.

22:25 I don't really use the built-in logging.

22:27 It just seems complicated than needed to me.

22:30 I've been doing the built-in logging mostly lately.

22:34 And I figured, you know, once I figure out like some,

22:37 and I think I'm like with a lot of people that use it, I figured out one way that works for me,

22:41 and I just copy and paste and do that.

22:44 All right.

22:45 Well, those are our items.

22:48 Do you have any extras you want to talk about?

22:49 Sure do.

22:50 I sure do.

22:52 Hold on.

22:53 I have two fun things.

22:54 So first of all, let's do this in order.

22:57 A while ago, I told everyone that I have German subtitles available for all 283 hours of courses

23:03 over at Talk Python.

23:04 Training, the courses we got. Well,

23:07 now we have Spanish as well.

23:09 So I'm very excited to announce if Spanish is your language and you want Spanish subtitles to accompany the

23:16 English spoken version.

23:18 Well, click on Espanol and you'll be good to go right there.

23:21 How about that?

23:21 That's cool.

23:22 We took two and a half weeks of just grinding on translations to get it done,

23:26 but there it is.

23:27 I think it's going to be really great.

23:28 So what do you, what, you have German and Spanish now? Is that?

23:31 German and Spanish.

23:32 Okay, nice.

23:33 Now I'm working on Portuguese.

23:35 Actually, I've done a lot of research and I feel like Portuguese

23:37 will be the most beneficial for the tech folks.

23:41 Because you got to intersect, you got to look at

23:42 two things. You got to look at how confident is the group of people who speak a certain language

23:47 in English, right?

23:49 So for example, German, I did German first because I speak some German,

23:52 so I could kind of spot check it a little bit and it made some sense to me, you know?

23:57 But German people are pretty good at English, especially tech-oriented ones.

24:02 And so I was looking around and it turns out that I think Portuguese people are a little less comfortable

24:08 with English than maybe German folks or I don't know,

24:12 French.

24:12 So I'm like, all right, then subtitles in their native language would be more helpful than not. So anyway, that's the kind of

24:19 thing I'm trying to balance.

24:19 So Portuguese is next.

24:21 Apparently there's a lot of like Python is one of is super popular in Brazil and other places.

24:27 So excited for that.

24:28 All right. So that's, that's one Spanish subtitles,

24:31 not Portuguese, but Portuguese maybe in three or four weeks, something like that.

24:34 And a brand new course.

24:35 I'm super excited about this.

24:37 Python web security is the course.

24:39 And it comes in two components.

24:42 The OWASP top 10.

24:44 So it goes through every one of the OWASP top 10 categories with two to three examples,

24:49 sometimes in Flask, sometimes in Django, sometimes in FastAPI,

24:53 the bad version, the good version, just purely learning the security issues.

24:57 And then we turn it into an agentic AI course and start searching for bugs in your own code

25:03 using agentic AI.

25:05 So we talked about how Mozilla found a bunch of bugs with Cloud,

25:08 similar to that with some really custom OWASP and Python web app focused things.

25:13 Yeah.

25:14 So if you're publishing web apps or APIs on the internet, you definitely want to look at this because it basically gives

25:21 you tooling and a blueprint on how to completely check your app for OWASP violations and beyond

25:28 using things like Claude Code and others.

25:30 So you can, instead of hiring pen testers,

25:32 you can do a first pass with this and then maybe find just a few more things.

25:35 If, if you're that kind of company that can afford $25,000 or whatever for a pen

25:40 test, or, you know,

25:41 you could at least do this if you were going to do nothing.

25:43 So I think it's really helpful.

25:44 Thanks.

25:45 All right.

25:45 That's it for me.

25:46 Okay.

25:47 I, I noticed this, there's an article that was on NPR or planet money,

25:55 but I noticed it because on blue sky, shout out to where I got the information from.

26:01 if my tabs work.

26:03 Savannah Ostrowski.

26:04 So posted this, said it was surprising.

26:07 This is a disturbing article, actually.

26:11 It's what happened to women in computer science.

26:14 And I didn't realize this was going on so long.

26:19 So basically, modern computer science is dominated by men.

26:22 The percent of women in computer science was...

26:27 And also in the percent compared with other fields, like other physical sciences,

26:33 law school, medical school.

26:35 So it's an interesting comparison.

26:36 But in the mid 80s, it was at its height at like 36% or something were women.

26:45 And it's just been going down since then.

26:47 And, you know, it's leveled off in like around 2008 or something like that.

26:53 But this isn't good.

26:55 And so I think we need more women in computer science.

26:58 And the analysis of this was really thought that this was because of the personal computers showing up in homes.

27:09 And I guess families and teachers encouraging boys to play with computers more than they taught girls.

27:16 And also a commentary from one woman that when she first went into her first computer science class,

27:23 she asked a question.

27:25 And the professor stopped and looked at her and said, you should know that by now.

27:29 But it was like the first class.

27:31 And so I actually, my wife had the same experience.

27:36 She took CS101 or something like that, or a basic class in high school.

27:43 And all the rest of the kids had already played with it on their Macs at home or something like that.

27:50 And she was an intro.

27:51 So I think we need to change this.

27:54 I think hopefully it's changing because I think there's less actual personal computers in homes now than there were in the 90s.

28:03 So I think maybe, hopefully it's leveled the playing field.

28:07 But who knows?

28:09 I'm glad that my daughter has already taken my, has taken some Python in school,

28:14 but this is bad.

28:16 I mean, software is not a boys or girls thing.

28:18 If anything, the women started it.

28:20 So we're, we're late comers to the, to the,

28:23 to the game.

28:24 Anyway, we need to fix this as a community.

28:26 So the, the next thing, the other thing I want to share is that I am.

28:32 A field report, Brian.

28:34 So at PyCon, I spoke to, I was speaking to several women and they,

28:39 said just talking to each other something like there is a very good representation of women at

28:46 this conference now and 10 years ago it wasn't like that and i i feel that's great and it's so

28:52 it's really encouraging at least in the python space but in general i agree that the graph

28:58 is bad and it doesn't need to be that way i also wonder like a lot we get a lot of uh programmers

29:03 from other fields though not necessarily computer science so i wonder if um maybe we need to but it

29:08 It does say physical sciences.

29:10 Maybe we're getting a lot of our women coders from other fields.

29:14 I don't know.

29:14 I do think so.

29:15 You know, my daughter was learning to do like data science-y stuff in her psychology field.

29:23 And psychology, I think, has more women than men in it,

29:26 right?

29:26 And so to the extent that like the data science side brings people in, I think there's a really

29:31 interesting, Python is super interesting because it brings people in from all these different

29:34 disciplines.

29:34 And it's not just a, unlike, let's say, Go or See,

29:38 right?

29:38 That's like a straight path.

29:40 You start in programming and you end in this location, right?

29:42 Whereas with Python, it's got a much more diversity of sources,

29:47 not necessarily people or genders, but like a diversity of different backgrounds that you come from to get into it.

29:53 So I think that might have something to do with it as well, which is good.

29:55 Different generational things too.

29:57 I know we need to move on, but I remember when I was doing teaching at university,

30:06 having some of the older students come in and not knowing i would i i was guilty of just expecting

30:11 a lot of people to know a lot of the basics um know how to do word or excel or something like

30:16 that and um and you don't people don't necessarily do that you can't assume anything really so yeah

30:23 anyway um i am still working on the audio version of the uh the lean tdd book um and it's uh it's

30:30 coming along well but during in the process of doing a lot of the audio i've made some changes

30:34 to the actual book.

30:36 That's why I'm holding off on the official release because I want the audio

30:40 and the official release to match.

30:43 But a lot of changes have come in.

30:46 Just, I published this morning, one of the things is separating out TDD with teams

30:52 because the team aspects are different.

30:56 So I both have an emphasis on acceptance tester and development

31:00 and then also how to apply those sorts of ATDD stuff to the lean concept.

31:05 I also beefed up the AI chapter to talk about guardrails and security.

31:10 So just a little bit.

31:11 Anyway, it's coming along well.

31:13 And I don't know.

31:15 Who knows how long it'll take?

31:17 My original plan was last January.

31:18 So we'll see.

31:20 Or, you know, January a few months ago.

31:22 Congrats.

31:23 That's awesome.

31:24 Thanks.

31:25 So it's still going.

31:27 Thanks to everybody that's contributed and helped out.

31:31 What skill do you need to be an author?

31:33 Persistence.

31:34 yes humble humbleness yes uh speaking of persistence our joke is titled stop texting me

31:40 so it's just a um just a screenshot of a chat conversation somebody has clawed in their they've

31:49 clawed in their iphone i think it's an i it's an iphone um on their their messages right it says

31:55 claude build a one billion dollar b2b sass platform from scratch make no mistake then it says red

32:00 dude for the thousandth time this is Claude from the pickleball league i am not ai

32:07 ah that's funny and then of course there's comments there are definitely comments so

32:14 instead it doesn't i think i said it this way but it's not spelled out dude for the thousand

32:18 time this is Claude it's not the thousandth time so someone comments is it a legal requirement

32:24 that someone named Claude should be able to spell correctly.

32:29 And then, yeah, I don't know.

32:31 It just goes on and on.

32:32 This is funny.

32:33 Yeah, anyway, comments are kind of fun too.

32:35 But for the thousandth time, this is Claude from the Pickleball League.

32:39 I am not AI building this.

32:42 That's funny.

32:42 I would totally build them a really crappy B2B SaaS and just charge them a billion dollars.

32:50 I can give you a billion dollar company.

32:52 You pay me a billion dollars, I'll give you something that earns at least a dollar.

32:55 Just because you spend a lot of money building the company doesn't mean it's going to make a lot of money.

32:59 Exactly.

33:00 There's no guarantees there.

33:01 Yeah.

33:02 But anyway, as always, it's fun.

33:06 And we'll talk to you later.

33:08 Yep.

33:08 Thanks.

33:09 Bye.