#482: Mr. Beast's epidosde

00:00 Hello and welcome to Python Bytes, where we deliver Python news and headlines directly

00:04 to your earbuds.

00:05 This is episode 482, recorded Monday,

00:09 June 1st.

00:09 I'm Michael Kennedy.

00:10 And I'm Brian Okken.

00:12 This episode is brought to you by us and all of the Python things that we're doing.

00:16 Check out pythontest.com, get Brian's multiple courses over there,

00:20 even something to do with Lean TDD,

00:24 if you want to check that out.

00:25 I hear that an audio book is underway, which is super cool.

00:28 and got a couple new courses over at Talk Python, especially the new OWASP top 10 security plus agentic AI.

00:36 Like how do you take Claude Code or something like that?

00:39 Plus known recognized patterns like the OWASP top 10 and make your code safe.

00:43 That's what that course is about.

00:44 So check out those kinds of things.

00:46 That's what we're bringing you this week.

00:48 Also, if you want to connect with us on socials,

00:51 share, show ideas, whatever you can do.

00:53 So on all the socials, sign up for the newsletter.

00:56 We got awesome extras that come in through there.

00:58 So just do that on the website.

01:00 With that, Brian, I think it might be time.

01:03 Should we kick it off?

01:04 Speaking of security.

01:05 We have a security issue, but the issue I think is resolved.

01:09 We just, I'm highlighting an article that's about the maintainer.

01:15 So this is interesting.

01:16 So this is the CVE, I'm not going to, let's see.

01:20 CVE 2026, 48710, a maintainer's perspective.

01:25 So this is from Marcelo Trilasinski.

01:30 Cool name.

01:31 Anyway, this is about a security advisory from Starlet.

01:38 So even, so there's a, what, isn't FastAPI used Starlet, I think?

01:43 I do believe so, yeah.

01:44 And a bunch of other stuff too.

01:46 So even if you don't think that you're using Starlet, you might be using Starlet.

01:49 So the short version is you probably ought to upgrade to 1.0.1 if you haven't already.

01:55 um the that's one of the versions if if you don't care about the like the nitty-gritty of this just

02:00 do that the other part is an interesting thing about basically that this is an interesting article

02:06 it's kind of hard to cover but i wanted to bring it up because it does uh we do have more and more

02:11 ai things like attack both both trying to attack websites and also so we have to keep up on security

02:18 updates, but also a lot of these security vulnerability reports against projects.

02:25 And a lot of these projects like Starlette are not,

02:29 they're not a commercial enterprise.

02:30 It's an open source project with volunteer maintainers.

02:33 So that's really what we're talking about here is a little bit of that. And also the problem really wasn't with Starlet. And apparently

02:41 they got some bad press in a couple of places because of a vulnerability.

02:46 But this, I'm going read this interesting interesting thing the vulnerability came came from a pattern an

02:52 application pattern and the deployment never from something starlet intended and um there's a

02:58 description in the in the link about what the issue is and it i actually got lost um so it's

03:05 something about like yeah i'm not even going to try to summarize it because i got lost here um

03:10 But there's one description of the bug.

03:15 It says from Ostif, I don't know what Ostif is, but an Ostif article,

03:20 this bug is a classic responsibility gap where this maintainer didn't patch,

03:25 where if this maintainer didn't patch, then thousands of exposed projects would have to individually secure their projects.

03:33 In doing this work, they've voluntarily taken on the responsibility to protect the ecosystem

03:39 from long-term systemic harm.

03:42 As with all open source projects, they owed us nothing

03:45 and could have left it for everyone else's problem and took,

03:49 but they took the extraordinary steps of helping the ecosystem.

03:53 Please consider donating to Glutex, which is the person that wrote this article,

03:58 which is an interesting And I believe the maintainer of Starlette as well.

04:01 Okay, yeah, you're right. And also,

04:04 so apparently Ars Technica even covered it.

04:08 And we've referenced the articles a lot, you know, in the past,

04:12 sometimes some good stuff.

04:13 But apparently they reached out and said, you know,

04:17 you know, this seems to be serious.

04:19 Do you have any comments?

04:21 How severe is it?

04:21 And they didn't.

04:22 They sent that request out two hours before publication.

04:25 And since they didn't get a response, they posted that.

04:29 They didn't.

04:30 They asked, but didn't get a reply from Starlette.

04:32 And two hours?

04:35 Anyway.

04:36 The article goes on to talk about the burden of triaging,

04:40 how many security advisories come in, all the work that's involved.

04:43 And also that places like Ars Technica and others treat open source projects as if they're a for-profit corporation and expect like a PR department and stuff.

04:56 And there's not.

04:57 It's just people.

04:58 So anyway.

05:00 Yeah.

05:00 Do you have anything else to add to this or just interesting?

05:03 Yeah, it's just interesting.

05:04 I don't know.

05:06 It doesn't look like a super dangerous vulnerability,

05:09 I don't think, but definitely go out and patch.

05:11 And it's a 1.0.0 to 1.0.1 bump.

05:15 So it's not like you've got to jump a major version.

05:17 Yeah, definitely patch.

05:18 But also, I think it's, I don't know how to get out of this, but because we have a lot of these open source projects that big companies are relying on,

05:27 and they want the reaction times of a paid product.

05:31 And they just, yeah.

05:32 And actually.

05:32 You know what?

05:33 They could do that by maybe putting the maintainer on a healthy retainer,

05:38 making the project sustainable and say, look, we'll pay you $2,000 a month and we probably won't ask you anything for a long time.

05:44 But if we need you, we need you to jump in and we'll then pay you out earlier.

05:47 I don't know, something like that, right?

05:48 That would, if you get five companies doing that,

05:50 I bet you can get some response time out of that.

05:52 Yeah.

05:53 But the ironic reverse thing is actual paid products are really slow to patch anything.

05:58 So we actually get usually faster response times from open source projects.

06:02 So anyway.

06:04 Indeed, indeed.

06:05 All right, let's go and chat a bit about the Daily Stars Explorer.

06:11 This is a fun project, Brian.

06:13 So what this is, this is a web app that's open source on GitHub.

06:17 What is it built with?

06:18 Scrolling.

06:19 It's built with JavaScript and Go.

06:20 So, but it doesn't matter because it's not about the internals.

06:23 It's about the information you get about different projects,

06:26 including Python ones.

06:27 So it's an app that you can put in a repository, and it will give you just basically historical information about the stars sliced and diced in all these statistical ways.

06:38 Ooh, neat.

06:39 So it has full star history, hourly stars.

06:42 You can compare side-by-side repos, activity timelines of like show me the commits over time,

06:48 which is kind of interesting.

06:49 You can favorite them and so on.

06:51 You can see when the repos were mentioned on Hacker News,

06:54 Reddit, YouTube, and GitHub,

06:56 and you download the data for feeding to your AI or feeding to your data science stack.

07:01 So I think this is pretty cool.

07:02 And let's just do this by, let me first find the Flask repo.

07:08 One second.

07:09 All right, so let's go and open up the little demo.

07:11 So it's a web app, which means you have to self-host it.

07:14 However, if you just want to try it out, I think just use the demo and put whatever you want in there.

07:21 Unless you want to save your history and stuff.

07:23 But let's go over and put Flask in.

07:24 And it thinks for a moment.

07:25 The first time you get one in there, I put a repo in there.

07:28 It takes a minute to download all the data from GitHub.

07:30 But because I put that in there before, it kind of goes more quickly.

07:34 So you can see right now Flask has 71,598 stars.

07:39 And you can have different themes, of course, for the thing.

07:42 It shows you the total stars over time.

07:45 So you've got this graph, this orange line, if you pull it up,

07:50 is the integral or something like that.

07:53 And here's the stars per day, like 13,

07:57 15, whatever.

07:58 And then the scales are different.

08:00 One goes up to 80,000, another goes to 30.

08:02 But you take the integral of the top curve, you get the bottom curve.

08:05 Sum up all the stars.

08:07 It's very cool.

08:08 You can break it down by over five years, quarterly,

08:11 years a day.

08:12 you can go and say, I want to transform this by, I want to just look at trend lines,

08:16 or I want to look at monthly bend stars, or maybe I want to normalize the stars across

08:22 and have like a little, you know, lines.

08:25 What else?

08:25 We've got the running median and week over week growth.

08:29 Neat, right?

08:30 Shows you how old the repository is.

08:31 16 years, one month, 26 days, 68 stars the last day.

08:36 So I don't know.

08:36 A lot of times you maybe want to think about what project do I actually want to work on or base my project upon?

08:44 And obviously stars are not everything, but it's certainly something.

08:49 Could we pull up here? Come on now, get away.

08:51 You're right about this auto-hide stuff, right?

08:53 So where can I find?

08:56 Yeah, I don't know where to pull up the commits from this one right off the top of my head.

09:00 But anyway, it'd be cool to see the commits because that would let you answer some interesting questions as well,

09:05 right?

09:05 Like if you see the commits just come to a stop two years ago, you're like,

09:09 oh, I see.

09:10 So where's the work happening?

09:12 Like where is it?

09:12 Is it getting this data from in the browser or where's, when's the?

09:17 There's a, there's a Go based web app running on someone's server that these,

09:21 you know, that they've got up here that I believe.

09:23 And then it just, it happens over there.

09:25 If I pulled up a different one, you would see it grind away for maybe 10, 15 seconds.

09:31 Well, that's a lot of data and a lot of graphs.

09:34 I'm just, the pickiness in me, I'm like, well, what graph doesn't it have?

09:38 I don't see any candlestick bar graphs.

09:42 Sorry.

09:43 Yeah, I know.

09:44 It's pretty neat, though, if you want to explore some repos.

09:47 It's cool.

09:48 I haven't seen people include YouTube references before and something like that.

09:53 Oh, yeah, and there's all this side stuff over here.

09:55 You can compare.

09:56 Here's the commits.

09:57 So give it a moment.

09:58 See, now it's grinding because I didn't ask for the commits on Flask earlier today.

10:02 You can see PRs, issues, forks.

10:04 Like, that's pretty neat.

10:05 It's kind of hidden in this little hamburger menu on the left,

10:07 but if you expand it out.

10:09 Yeah.

10:09 But it'll probably take, this should be interesting, I think.

10:12 I've got some ideas.

10:14 But I don't know, it'll take maybe 30 seconds.

10:16 There you go.

10:17 So year over, or all time, you can see there's quite a few commits

10:21 and trending downward.

10:22 It's kind of a, honestly, kind of a done product,

10:24 you know.

10:25 I don't mean that in a positive or negative way.

10:27 There's a few things left that I think Flask could do.

10:30 Primarily, I think one of the, there's probably two things to work on.

10:33 I think primarily you could work on maybe some performance stuff to make Flask better.

10:37 And you could unify the true async court and the sort of pseudo async, regular Flask async functionality.

10:45 I know David and Phillip are like working towards making those just one thing.

10:49 But you know, that could be a lot of work right there.

10:51 That could be happening.

10:52 But other than that, I kind of feel like Flask is sort of done.

10:55 Yeah.

10:55 Anyway, this is not about Flask.

10:58 It's Flask as an example.

10:59 It's about the Daily Stars Explorer, which I think is pretty cool.

11:02 Just a link to us from last week.

11:05 No project's ever done because you have to test on new Python versions every year.

11:09 Yeah.

11:10 And if it completely gets read as done, then it starts to get really badly.

11:13 Because it's dust and stuff.

11:15 All right.

11:15 Exactly.

11:16 It gets read as if it were dead.

11:18 How about something to markdown?

11:20 Maybe document it?

11:20 Write a book about it?

11:22 Yeah.

11:23 So I like a lot of markdown.

11:26 I use it a lot of all the time.

11:28 I'm actually writing, I wrote the Python testing with pytest in Markdown.

11:33 I'm writing LeanTDD in Markdown.

11:35 Use it for blog posts.

11:36 Use it for everything.

11:37 So what's new about this?

11:40 What's new is I just learned about a tool called Types.

11:44 I think it's type.

11:46 It even says how to pronounce it, and I didn't look.

11:49 So T-Y-P-S-T.

11:51 So I needed a new formatting thing because I'm trying to self-publish LeanTDD,

11:56 and I didn't like the book, the print book versions of output that I have available.

12:02 So I wanted to customize that.

12:04 So I reached out to all of our good friend, Matt Harrison,

12:09 because he self-published and said, Matt, what do you use?

12:12 And he's using types now.

12:14 So I tried to check it out.

12:17 So the gist is that Pandoc converts to PDF, but it does it through LaTeX.

12:24 And I don't really like LaTeX.

12:26 And you have to download something extra anyway to get Pandoc to convert it.

12:30 So, and then, but there's types.

12:33 It's actually quite a pain.

12:34 It's not just a, it's like three or four libraries.

12:36 They're all, I don't know.

12:37 They're just, it's weird.

12:38 It's not great.

12:39 Okay.

12:39 So I'll jump to the punchline is I've got a convert script now that does,

12:44 converts Pandoc to type, TYP.

12:48 And I don't know what the official extension is, but I just named it.

12:52 So you say two types in for Pandoc, but it's a fairly recent Pandoc that,

12:56 There's been updates recently, so you'll want to upgrade your Pandoc first,

13:00 then convert your markdown, and then take the type TYP output,

13:06 and you do types to compile, and then the output.

13:10 And I did a little example, so it's just a normal markdown, and it just converts it to some nice PDF.

13:18 So there's a whole bunch of cool...

13:18 Oh, and it has syntax highlighting as well?

13:21 Oh, yeah.

13:21 It does syntax highlighting, and there's so much that it does.

13:26 It has mathematical symbols.

13:28 It is a replacement for LaTeX, for one, but it's very much simpler.

13:33 And I, in like an hour of twiddling with it, I have a fairly decent book template for the new book.

13:44 And yeah, so I'm pretty happy with it.

13:49 And this has been around for a while, and I just didn't know about it.

13:53 So that's why I'm bringing it up.

13:55 And installing wise, just brew.

13:57 For a Mac, brew.

13:59 On Windows, there was some other process I did,

14:01 but it's so much easier than the LaTeX chain to install.

14:06 So I'm pretty happy with this tool.

14:09 So thanks.

14:10 So I was so happy with it.

14:12 I did a little blog post to share with people.

14:16 Excellent.

14:17 Excellent.

14:17 That is really interesting.

14:19 I might start using that because right now I'm doing just straight markdown

14:24 to Pandoc for Talk Python in production.

14:27 And it's really good for EPUB, but it's kind of janky for PDF

14:31 and it's kind of janky for Kindle because Kindle can't read it quite right.

14:36 So I have to do like remove a few little niceties for Kindle.

14:39 So anyway, certainly worth considering.

14:41 Really?

14:41 Thanks, yeah.

14:42 Oh, I'm not having, I guess I haven't tried.

14:45 I'll have to try the Kindle version.

14:47 The problem that I run into with Kindle is somehow the way that Pandoc

14:53 is doing code syntax highlighting breaks the display on Kindle

14:58 because, I don't know, there's something about new lines or spans

15:00 or something that get treated differently, and then the spacing gets really weird.

15:04 It's annoying.

15:05 Okay.

15:05 I will definitely...

15:07 Give it a look and see what it looks like.

15:08 I'll have to try that.

15:10 And, yeah, so I'll try that probably today.

15:14 Yeah.

15:14 I mean, the books are identical for me other than the Kindle ones don't have syntax highlighting,

15:19 which is generally okay because most Kindles are black and white,

15:21 but I know some are not.

15:23 Oh, okay.

15:23 So on black and white, Kindle, it looks okay?

15:27 If I compile a separate version, a separate Kindle EPUB that disables syntax highlighting in Pandoc, yes.

15:35 Oh, okay.

15:36 Yeah.

15:36 I'll have to look at that.

15:37 So that was the fix.

15:38 I'm just like, all right, well, dash, dash,

15:39 no, whatever the syntax is.

15:41 I don't know.

15:41 It's been a while since I wrote the alias that just does it, you know?

15:44 Okay.

15:45 Yeah, I'll take a look.

15:46 Hmm.

15:46 All right.

15:48 Well, this one, Brian, this should be yours.

15:50 This should be yours, but no, I got it.

15:51 This one is mine.

15:52 So I want to talk about Postman to pytest.

15:57 Okay.

15:57 This is a cool project.

15:58 It comes to us from Mikhail, and people might be familiar with the Postman app.

16:04 I'm a big fan of the Postman app.

16:05 It's pretty neat.

16:06 Do you use it?

16:06 Do you know it?

16:07 Yeah.

16:08 Yeah, so the way it works is you create these collections

16:10 that are like groups of different API calls that in aggregate demonstrate or test some kind of API,

16:20 right?

16:20 You can organize them into folders, but also you can do collections and then share these collections with teammates

16:26 and team collections.

16:28 I did that notably for the Talk Python Horses app that's in the Mac,

16:33 not the Mac, the app, the iOS and the Google Play Store.

16:37 So I need all the APIs that I'm creating for this to be tested,

16:41 documented, clear.

16:43 You can do stuff that should pass, stuff that should fail, and so on.

16:46 So if your team uses Postman, then this project here you might like

16:52 It converts Postman collections, which I just described, into executable Python test suite,

16:58 a pytest test suite.

16:59 Nice.

17:00 Yeah.

17:01 And it's super simple.

17:02 So all you do is you just say, you know, you install it, probably uv if it says pip install, but come on now.

17:09 uv tool install.

17:10 Let's go.

17:10 So it says Postman to pytest --collection.

17:13 Give it some collection.

17:15 And then you say output this Python test file.

17:19 And that's it.

17:20 And then run Python.

17:22 not right, run pytest to run it.

17:24 So that's pretty neat.

17:25 That will actually set the environment so that things like the base URL,

17:29 which can vary depending on configs like dev versus prod or whatever,

17:33 and then it just runs it through pytest.

17:35 And what's cool is you could version this test file and then just rerun this to regenerate it when it's time.

17:42 Yeah.

17:42 Yeah.

17:44 Also, if you did that, if you versioned it, then you could rerun it and do the diffs

17:49 to see what changed in your collections.

17:52 yeah that's right yeah you could regenerate it and just go oh i see we've got this or this

17:56 api actually changed because now it takes this additional header and that's why the test was

17:59 failing i don't know something like that so if i mean this is a big if if you use postman but

18:05 i think this is a really handy and it's just like hey i've got this stuff locked into this app

18:10 and it can run things it can do test type things but really you probably want it in py test land

18:14 and this uh cool little app and this cool little utility does it so good work miko yeah one of the

18:20 things that he mentioned to us when he shared this project was, which I thought was interesting,

18:25 is the division of a whole bunch of developers and then that use Postman during development,

18:32 which is common, right? I think.

18:35 And then a smaller quality assurance team or part-time person, I think it was him,

18:45 that needs to support some of this stuff.

18:48 And so you've got the same source.

18:52 You've got the developers developing what they think is the right thing.

18:55 And to be able to take that and convert it to something that a smaller test team can maintain.

19:02 And that's a cool model to do that with. So one source of truth.

19:06 Nice.

19:06 Yeah, it's almost like treating like a database,

19:09 right?

19:09 Yeah.

19:10 Yeah.

19:10 Do you have extras?

19:11 I have one extra for today.

19:14 And my extra is that I snuck this in for the last blog post that I shared was actually on testandcode.org.

19:24 So I am writing, I'm going to start writing there, I think a little bit.

19:28 So I'm linking to new blog, who dis?

19:32 There is not much there yet since I just put it online, but I'll link to the

19:37 other stuff uh one of the funny things that happened to me last night was i went to uh publish

19:43 this at testandcode.com and i had let it expire because the old podcast was dead so um so what

19:51 happened i just uh i'm like uh well somebody else grabbed it some squatter sitting on it now so i

19:57 just uh registered.org that works um and i and i the important thing i could just keep blogging on

20:03 Python test, but I do want to, I want to use this testing code name as the publisher for Lean TDD.

20:10 So it's self-published through me, but it's kind of, I don't know,

20:14 it's not fake. It just looks kind of fun to have a different publisher than my name or Amazon or something like that. So

20:21 that's what I want to do.

20:22 Anyway, that's my extra.

20:24 How about something funny?

20:25 I think it's time for something funny.

20:26 Indeed.

20:27 Let's jump over.

20:29 So this joke is called centering a div and it's it's based on mr beast you know you do do you know mr beast no but yes yes i know

20:40 it's it's certainly not a thing that i would watch on youtube however sure no i would watch animal

20:46 fails come on uh it's i really don't watch mr beast it's kind of annoying to me it's but what

20:52 a phenomenon right so for people who don't know done by this guy jimmy donald james jimmy john

20:57 Donaldson and his net worth from his YouTube projects and beyond,

21:02 you know, it's $2.6 billion.

21:04 It's ridiculous.

21:05 So it basically, it follows a theme, like we're going to put you in some crazy

21:09 situation and throughout the situation.

21:12 And at the end, whoever kind of completes it gets some

21:15 ridiculous amount of money. Like, Hey, we're all going to hang onto a car,

21:19 like a Tesla and whoever hangs onto it long enough gets a Tesla.

21:22 Oh, by the way, the person who doesn't go to the bathroom,

21:24 The longest gets an extra $100,000.

21:26 You know, like ridiculous stuff like that, right?

21:28 So, queued up.

21:30 Here's the joke.

21:31 Centering a div.

21:32 Mr.

21:34 Beast plans to trap a thousand vibe coders in a room without Claude.

21:38 First person to center a div manually wins $1 million.

21:43 It's not fair.

21:44 Nobody will get it.

21:45 I know, exactly.

21:46 It's like, it's impossible.

21:47 Can't be done.

21:49 And then down here, one of them is center horizontally,

21:54 vertically or both like oh oh oh vertically it's just impossible now i don't even know if it's hard

22:02 anymore actually it just it used to be hard but i don't know if it is i think it depends how you

22:08 write it like if you did a flex box you know but if you did old school way it's a little harder yeah

22:13 that's sort of funny to think about though because the uh the did the vibe i don't vibe code but i

22:19 i also don't write css by hand anymore uh i use use something else to do it for me so anyway

22:26 ah funny um one of the things i actually was at a dinner party the other day and um uh somebody

22:33 said they wanted to start they take a lot of videos and i said oh cool can i watch them somewhere

22:37 and he's like well um i was gonna i said you should like throw them up on instagram or something

22:42 uh whatever and he's like well i'm gonna start doing on youtube because you know that mr beast

22:47 makes like millions of dollars and one of the things i i mean the i don't watch these videos

22:53 and maybe they're funny maybe they're not i don't know it's not my thing but one of the things that's

22:58 unfortunate is it kind of an it makes some people believe that they can do that also and i don't i

23:04 think this is a one-off random thing i think it's it's just you know it was at the right time right

23:10 place it was its own thing yeah and how much did he make for the first three years he was doing it i

23:15 I don't know.

23:16 I don't even mind it lost money.

23:17 I'm not sure.

23:17 He would just go up to random people, give him $1,000 for stuff.

23:21 I don't know where he got the $1,000 to start this idea with.

23:24 Is that how it started at the beginning?

23:27 It was always like this?

23:28 I think so.

23:30 You know, the beginning, I don't know.

23:32 But for a long time, it's been like that.

23:34 But it used to be lower scale, and it goes up.

23:37 Because my daughter watched him a lot for a while.

23:39 Not so much anymore, but for a while.

23:41 And so it would kind of be on in the background, while I'm on the couch or whatever, you know?

23:45 Weird.

23:45 Okay, whatever.

23:46 Yeah.

23:47 But this is his new amazing one.

23:50 Trap a thousand vibe coders in a room without Claude.

23:53 Ask them to do things.

23:54 Let's go.

23:55 Yeah, that's funny.

23:56 It is.

23:57 All right.

23:58 Thanks for the show, Brian.

23:59 Thanks for everyone for listening.

24:00 All right, bye.

24:01 Bye.