WEBVTT 00:00:00.020 --> 00:00:04.440 Hello and welcome to Python Bytes, where we deliver Python news and headlines directly 00:00:05.020 --> 00:00:11.240 to your earbuds. This is episode 483, recorded June 9th, 2026. I'm Michael Kennedy. 00:00:11.560 --> 00:00:12.660 I'm Calvin Hendryx-Parker. 00:00:13.120 --> 00:00:17.720 And this episode is brought to you by us, All of Our Things. We'll talk a little bit about that in 00:00:17.820 --> 00:00:21.500 the introduction bit here in just a second. If you want to follow us on social media, 00:00:21.640 --> 00:00:26.080 we're on all the socials. We'll have those in the show notes for you. Sign up for the newsletter 00:00:26.100 --> 00:00:28.320 at pythonbytes.fm/newsletter 00:00:28.440 --> 00:00:30.040 or just domain click on newsletter. 00:00:30.640 --> 00:00:32.040 You always get a bunch of interesting things 00:00:32.240 --> 00:00:33.720 as well as some extra announcements 00:00:33.980 --> 00:00:35.580 for fun stuff that we have going on. 00:00:35.980 --> 00:00:37.780 And with that, I actually, Calvin, 00:00:37.920 --> 00:00:39.900 have a pretty big announcement. 00:00:40.380 --> 00:00:42.880 So I want to say thank you to Brian Okken. 00:00:43.440 --> 00:00:46.540 The big news is that Brian has stepped back from the show. 00:00:46.900 --> 00:00:49.880 He's been working on it for almost 10 years, 00:00:50.260 --> 00:00:52.240 just a few months short of 10 years. 00:00:52.420 --> 00:00:52.960 That's incredible. 00:00:52.960 --> 00:00:53.760 That's a great run. 00:00:54.160 --> 00:00:54.920 That's an incredible run. 00:00:55.080 --> 00:00:56.240 That is an incredible run. 00:00:56.700 --> 00:00:59.620 Obviously, the world has changed a lot over the last 10 years, 00:01:00.100 --> 00:01:03.940 and Brian just needs more time to focus on some of his other projects. 00:01:04.199 --> 00:01:05.460 Not stepping away from programming. 00:01:05.620 --> 00:01:09.300 He's not going to go become like an organic farmer in Eastern Oregon. 00:01:09.440 --> 00:01:10.000 Forest ranger. 00:01:10.700 --> 00:01:11.000 Exactly. 00:01:11.140 --> 00:01:11.480 You know what? 00:01:11.540 --> 00:01:12.800 I'm retiring from tech. 00:01:13.000 --> 00:01:13.340 That's it. 00:01:14.320 --> 00:01:16.460 No, but he's moved on from the show, 00:01:16.780 --> 00:01:18.320 and I just want to take a moment and say, 00:01:18.440 --> 00:01:19.880 Brian, thank you very much. 00:01:20.320 --> 00:01:22.400 You've made the show what it is over the years, 00:01:22.600 --> 00:01:24.620 and it's been great to work with you, 00:01:24.700 --> 00:01:26.020 And it's been really, really awesome. 00:01:26.340 --> 00:01:28.560 And I know a lot of people in the audience are going to miss you. 00:01:28.800 --> 00:01:29.460 Yeah, I agree. 00:01:29.600 --> 00:01:31.360 I've gotten to know Brian over the years as well. 00:01:31.520 --> 00:01:35.940 And I really appreciate him being on the show and just being a part of the Python community. 00:01:36.160 --> 00:01:39.080 So I've enjoyed having Brian around as well. 00:01:39.380 --> 00:01:41.760 Not that he's going to go away, but he's just not here right now. 00:01:42.060 --> 00:01:44.520 Yeah, maybe we'll have him back as a guest sometime. 00:01:44.760 --> 00:01:45.280 Yes, absolutely. 00:01:45.860 --> 00:01:47.320 So Brian, thank you very much. 00:01:48.120 --> 00:01:49.980 And Calvin, welcome to the show. 00:01:50.440 --> 00:01:51.180 I'm glad to be here. 00:01:51.360 --> 00:01:51.720 I'm excited. 00:01:51.760 --> 00:01:55.320 This is a new, the next generation of Python Bytes. 00:01:55.520 --> 00:01:55.920 Let's do it. 00:01:56.100 --> 00:01:56.940 Yeah, absolutely. 00:01:57.340 --> 00:01:57.920 The next generation. 00:01:58.160 --> 00:02:04.900 So I know you have your pulse on the industry in so many ways, and you have a ton to contribute. 00:02:05.240 --> 00:02:07.720 And so we're going to work together on Python Bytes for a while. 00:02:07.800 --> 00:02:08.899 And yeah, it's awesome. 00:02:09.160 --> 00:02:10.320 So thanks for coming on the show. 00:02:10.640 --> 00:02:12.280 It's really great to have you. 00:02:12.440 --> 00:02:13.260 Thank you, Brian, for being here. 00:02:13.520 --> 00:02:14.160 Calvin, welcome. 00:02:14.900 --> 00:02:16.680 Normally, we just kick off the show. 00:02:16.800 --> 00:02:18.560 Hey, I'm Brian, I'm Michael, or whatever. 00:02:19.100 --> 00:02:24.200 But this time, at least you've been on the show on this show before, as well as Talk Python. 00:02:24.350 --> 00:02:28.360 But just give people a real quick introduction since you're kind of new to a lot of people. 00:02:28.740 --> 00:02:29.120 Sure, sure. 00:02:29.340 --> 00:02:30.600 So I'm Calvin Hendryx-Parker. 00:02:30.680 --> 00:02:32.920 I'm co-founder and CTO of Six Feet Up. 00:02:33.140 --> 00:02:37.900 We are a Python agency that loves specializing in solving hard problems and helping impactful 00:02:38.690 --> 00:02:43.040 leaders build a better world out there and do things to benefit humankind in some way. 00:02:43.580 --> 00:02:47.100 I also am a co-founder of the IndiePy meetup here in Indianapolis. 00:02:47.320 --> 00:02:48.780 So very involved in the community. 00:02:49.740 --> 00:02:52.100 I love going to PyCon and being around all the folks. 00:02:52.540 --> 00:02:55.080 So this definitely fits well with like kind of my mission, 00:02:55.530 --> 00:02:58.960 which is to bring more to the Python community if I can. 00:02:59.440 --> 00:03:01.740 And you're also an AWS hero, is that right? 00:03:01.960 --> 00:03:02.600 Oh yeah, I am. 00:03:03.200 --> 00:03:06.520 AWS hero since 2018 or 2019, I think. 00:03:06.700 --> 00:03:06.760 Yeah. 00:03:07.060 --> 00:03:09.040 So basically means AWS thinks I'm kind of a, 00:03:09.250 --> 00:03:09.860 I guess a big deal. 00:03:09.860 --> 00:03:10.180 I don't know. 00:03:10.860 --> 00:03:12.000 He's a big deal. 00:03:12.220 --> 00:03:12.800 Yeah, right. 00:03:13.220 --> 00:03:14.520 Yeah, there's only a few of them around the globe. 00:03:14.640 --> 00:03:18.600 And it's kind of cool because you can't be an Amazon employee or employed by a competitor. 00:03:19.020 --> 00:03:23.300 And so it allows me to maintain my independence and a little bit of cloud agnosticness. 00:03:24.060 --> 00:03:28.880 Yeah. Awesome. All right. Well, with that, how about you kick off our first topic? 00:03:29.300 --> 00:03:41.640 Oh, sure. I'd love to. So we've got just yesterday, the fine folks at Astral have released some new features that are still in beta for checking for vulnerabilities and also some malware checks. 00:03:41.820 --> 00:03:44.840 So for example, they've added the new audit subcommand. 00:03:45.060 --> 00:03:48.260 So as you, this is not an unheard of thing in the community. 00:03:48.420 --> 00:03:50.000 There's existing tools like it, 00:03:50.060 --> 00:03:51.740 for example, safety and pip audit. 00:03:52.120 --> 00:03:54.020 What is different about uv offering this? 00:03:54.640 --> 00:03:55.960 They have basically said, 00:03:56.020 --> 00:03:58.260 we have an opinion like they've done in other ways. 00:03:58.520 --> 00:03:59.540 Astral has basically said, 00:03:59.560 --> 00:04:00.960 we have opinions about how things should be done. 00:04:01.340 --> 00:04:02.800 And we're trying to optimize 00:04:03.000 --> 00:04:04.460 the developer experience workflow 00:04:04.900 --> 00:04:08.260 to make this not suffer from some of the problems 00:04:08.320 --> 00:04:09.960 you get with like, for example, npm. 00:04:10.240 --> 00:04:11.160 When you do an npm install, 00:04:11.500 --> 00:04:14.560 you get this just overload of warnings for deprecations. 00:04:14.680 --> 00:04:16.600 And so you just kind of start ignoring it 00:04:16.600 --> 00:04:17.720 and not paying attention to it. 00:04:17.940 --> 00:04:19.500 The idea is to be explicit 00:04:19.900 --> 00:04:23.800 and call it when you want to have these kind of scans run. 00:04:23.840 --> 00:04:25.700 So you could put it into a pre-commit hook, for example, 00:04:25.720 --> 00:04:27.880 you can obviously run it in your CI pipeline, 00:04:28.000 --> 00:04:30.000 but it's meant for the developers to run locally as well. 00:04:30.500 --> 00:04:33.840 And the add command and sync commands have been updated. 00:04:34.120 --> 00:04:36.060 Well, optionally right now, they're not enabled, 00:04:36.240 --> 00:04:38.000 but if you enable the uv malware check, 00:04:38.420 --> 00:04:40.559 the add and sync commands will proactively tell you 00:04:40.580 --> 00:04:43.180 if you're adding a potential malware package 00:04:43.400 --> 00:04:46.080 to your project right now. 00:04:46.420 --> 00:04:47.240 I actually tried it out today. 00:04:47.400 --> 00:04:48.320 I actually love that. 00:04:48.520 --> 00:04:49.320 Yeah, that's really cool. 00:04:49.520 --> 00:04:51.680 I literally did it today because I was like, 00:04:51.690 --> 00:04:53.940 oh, I should go check out my last FastAPI project 00:04:53.970 --> 00:04:55.440 to make sure I'm up to date on things. 00:04:55.530 --> 00:04:57.800 And I ran the uv audit, again, super fast, 00:04:57.970 --> 00:05:00.160 as you would expect most of the tools from Astral to be. 00:05:00.760 --> 00:05:04.180 And I had my Pi coding agent go and fix all the problems. 00:05:04.410 --> 00:05:06.340 And I released a new prod release just this morning 00:05:06.950 --> 00:05:08.040 because of the uv audit tool. 00:05:08.760 --> 00:05:09.700 It seems really, really nice. 00:05:09.880 --> 00:05:10.780 I'm really excited about it. 00:05:10.920 --> 00:05:11.180 Awesome. 00:05:11.500 --> 00:05:14.380 I have been, I talked about it maybe six months ago or so, 00:05:14.680 --> 00:05:18.680 a couple of security things you can do for the supply chain vulnerability. 00:05:19.120 --> 00:05:21.980 And it's just super scary, right? 00:05:22.100 --> 00:05:25.260 Because you're just working normally on your projects. 00:05:25.480 --> 00:05:28.600 And if you time it wrong, well, bad things happen. 00:05:28.700 --> 00:05:30.280 And they have happened to people, right? 00:05:30.560 --> 00:05:34.220 Not in great numbers in the Python world, but still enough, you know, 00:05:34.480 --> 00:05:37.780 some of the LLM tools I can think of were pretty, that was a pretty bad one. 00:05:38.020 --> 00:05:38.960 Well, we're paying attention now. 00:05:39.140 --> 00:05:40.920 I think folks are hopefully paying more attention 00:05:41.070 --> 00:05:43.700 and tools like this make it easier to pay attention 00:05:44.060 --> 00:05:45.980 and less friction to be safe. 00:05:46.420 --> 00:05:47.920 I think it's got options, for example, 00:05:48.120 --> 00:05:50.060 not to install the latest version of a package. 00:05:50.380 --> 00:05:52.760 Maybe you want to like a cool off period to say, 00:05:52.840 --> 00:05:54.880 I think that was already built in to uv, 00:05:55.120 --> 00:05:56.360 which does have a cool off period. 00:05:56.460 --> 00:05:57.380 That's a smart thing to do. 00:05:57.490 --> 00:05:59.380 You don't want the package that was released today 00:05:59.640 --> 00:06:00.860 because it might have a vulnerability 00:06:01.110 --> 00:06:02.900 from a supply chain attack in there. 00:06:02.990 --> 00:06:03.800 And you want to make sure, 00:06:04.080 --> 00:06:05.500 usually in a few days, those are shook out. 00:06:05.770 --> 00:06:07.980 And so grabbing a seven day old version of it, 00:06:08.240 --> 00:06:09.760 probably the safe thing to do, for example. 00:06:10.100 --> 00:06:12.040 Yeah, and that's what motivated me 00:06:12.070 --> 00:06:14.000 to start down that whole path of talking about those things. 00:06:14.090 --> 00:06:18.180 I'm like, oh, they just shipped no earlier than whatever it was. 00:06:18.350 --> 00:06:20.440 And so that was really excellent. 00:06:20.530 --> 00:06:22.620 And then I started using pip Audit as well 00:06:22.690 --> 00:06:25.260 and even like share how you bring that into like a Docker world. 00:06:25.740 --> 00:06:26.160 And that's great. 00:06:26.720 --> 00:06:28.180 I'm feeling like that needs to be, for me, 00:06:28.460 --> 00:06:30.900 updated to use uv Audit instead of pip Audit, 00:06:31.010 --> 00:06:33.320 which just because like one of the things I see on the screen 00:06:33.400 --> 00:06:34.480 is four to 10 times faster. 00:06:34.820 --> 00:06:36.200 Everything else I'm doing with uv, 00:06:36.400 --> 00:06:38.240 but I just couldn't because it didn't support this, right? 00:06:38.440 --> 00:06:39.420 There's an asterisk there. 00:06:40.160 --> 00:06:42.660 PIP audit with a fully primed cache is probably about as fast. 00:06:43.060 --> 00:06:44.820 But if you're going from a CI pipeline, 00:06:45.360 --> 00:06:47.080 you're going to get the 4 to 10x speed up. 00:06:47.120 --> 00:06:49.300 So those are the, again, creature comforts 00:06:49.360 --> 00:06:52.360 that I believe the astral folks have brought to the game. 00:06:52.600 --> 00:06:54.020 They've just said, we're going to be opinionated. 00:06:54.160 --> 00:06:55.000 This is how we're going to do it. 00:06:55.140 --> 00:06:56.740 And we're going to make it better for everybody, hopefully. 00:06:57.140 --> 00:06:58.500 So if you like those opinions, it's good for you. 00:06:58.820 --> 00:07:01.040 If you had other opinions, well, this is probably better. 00:07:01.660 --> 00:07:01.960 Yeah. 00:07:03.180 --> 00:07:03.700 Yes, exactly. 00:07:04.280 --> 00:07:05.380 So out in the audience, Mike. 00:07:05.640 --> 00:07:05.960 Hey, Mike. 00:07:06.220 --> 00:07:11.500 points out that this weekend's Miasma Hades attack is timely. 00:07:11.860 --> 00:07:13.240 I don't know about it, but okay. 00:07:13.700 --> 00:07:14.920 I have to research it. 00:07:15.340 --> 00:07:17.400 If you had a CI pipeline running on the weekend 00:07:17.700 --> 00:07:19.100 and got that version over the weekend, 00:07:19.460 --> 00:07:21.580 and these things always happen on a Friday late on a weekend 00:07:21.960 --> 00:07:22.480 because no one's looking, 00:07:23.040 --> 00:07:25.220 that's exactly the timing that these kind of things happen. 00:07:25.320 --> 00:07:27.440 So make sure you've got that cool off period in there. 00:07:27.680 --> 00:07:28.140 Yeah, exactly. 00:07:28.640 --> 00:07:32.440 So I made the mistake of actually going on vacation for the weekend, 00:07:32.680 --> 00:07:33.980 and so I wasn't paying enough attention. 00:07:34.400 --> 00:07:35.700 So I got to research this. 00:07:35.880 --> 00:07:37.240 Wait, you actually took a couple days off? 00:07:37.500 --> 00:07:37.600 Yeah. 00:07:37.880 --> 00:07:39.860 I sat by the ocean. 00:07:40.000 --> 00:07:40.640 It wasn't terrible. 00:07:41.540 --> 00:07:41.780 Nice. 00:07:43.060 --> 00:07:43.380 All right. 00:07:43.820 --> 00:07:49.120 Let's talk about, I think this relates a little bit back to the supply chain, but not necessarily 00:07:49.160 --> 00:07:50.260 in a vulnerability way. 00:07:50.860 --> 00:07:53.000 You also mentioned your Pi coding agent. 00:07:53.060 --> 00:07:54.480 We need to speak about this a little bit. 00:07:54.600 --> 00:07:54.980 Yeah, we should. 00:07:55.240 --> 00:07:55.960 Yeah, absolutely. 00:07:57.020 --> 00:07:58.780 This is going to have to be one of your whole topics sometime. 00:07:58.940 --> 00:08:06.020 But it seems to me like a lot of the projects that people depend upon have these very shallow dependencies. 00:08:06.720 --> 00:08:15.680 And by that, I mean, like, yeah, I'm sure I'm using this library that lets me give, I don't know, a zip code and it gives me the state back or something like that. 00:08:15.760 --> 00:08:17.440 Right. But I only call the one function. 00:08:17.900 --> 00:08:18.660 You know what I mean? 00:08:19.600 --> 00:08:23.380 would it be possible to just have some kind of coding agent 00:08:23.540 --> 00:08:26.120 or even you just write that into your project 00:08:26.360 --> 00:08:28.500 instead of adding maybe that dependency 00:08:28.720 --> 00:08:30.100 and three other dependencies it has, 00:08:30.200 --> 00:08:31.680 then you're worried about like cool down periods 00:08:32.080 --> 00:08:34.380 and supply chain and just like, 00:08:34.620 --> 00:08:36.020 oh, this one only works on 3.14. 00:08:36.280 --> 00:08:38.140 This one only works or lower 00:08:38.280 --> 00:08:40.039 and this other one only works in 3.15 and above. 00:08:40.140 --> 00:08:40.800 Like, what do I do? 00:08:41.479 --> 00:08:42.320 You know, those kinds of issues. 00:08:42.780 --> 00:08:45.060 So I want to highlight this article called 00:08:45.560 --> 00:08:48.240 HTTP GET requests with Python standard library. 00:08:48.600 --> 00:08:56.380 by Alex Chan. And so Alex basically says, there's been all this stuff going on with HTTPX. I'm going 00:08:56.380 --> 00:09:01.020 to talk about that at the end of the show a little bit more. But we've also got requests, we've got 00:09:01.100 --> 00:09:10.800 URLib, we've got NyQuest, which is a little bit like a modernized request compatible API. But, 00:09:11.100 --> 00:09:16.199 you know, built into the library, we've got URLib requests, could we just put the three or four 00:09:16.200 --> 00:09:22.640 functions that we want to write but turn that and just instead of having actually htpx or requests 00:09:23.020 --> 00:09:28.160 just have it use the built-ins right so build a little facade adapter layer on top of stuff that's 00:09:28.320 --> 00:09:32.240 already there what do you think of that idea i think that's smart kind of a little bit of shift 00:09:32.360 --> 00:09:36.860 left or first principles like if you don't need to bring along those whole packages you don't bring 00:09:36.910 --> 00:09:41.480 along a lot of complexity frameworks are nice when they solve you know they usually do like an 80 00:09:41.770 --> 00:09:46.180 kind of problem if you get a 10 kind of problem i wouldn't bring those kind of dependencies 00:09:46.200 --> 00:09:48.300 into your project because now you're on the treadmill. 00:09:48.840 --> 00:09:51.180 You've got to keep up with the release cycles 00:09:51.420 --> 00:09:53.040 and security vulnerabilities, et cetera, 00:09:53.580 --> 00:09:55.380 versus if you're controlling your own fate here 00:09:55.600 --> 00:09:57.180 for just a couple little things you need, 00:09:57.580 --> 00:10:01.900 it's probably cleaner and more explicit than implicit. 00:10:02.200 --> 00:10:04.400 You're just not subject to have to deal with 00:10:04.820 --> 00:10:06.280 all the stuff that goes with it, right? 00:10:06.380 --> 00:10:08.600 And put security aside, just the, 00:10:08.900 --> 00:10:11.400 they released a new version or they decided 00:10:11.420 --> 00:10:12.600 they were going to do a breaking change 00:10:12.920 --> 00:10:14.060 and that's probably worthwhile, 00:10:14.460 --> 00:10:16.220 but then you've got to deal with the breaking change. 00:10:16.580 --> 00:10:19.640 You know, like if the thing you're doing is not going to change really, 00:10:20.000 --> 00:10:20.860 and it's pretty straightforward, 00:10:21.440 --> 00:10:23.740 you could just ask Claude or Pyre or whatever, 00:10:24.240 --> 00:10:27.220 hey, see this thing, could you just give me the two functions I'm using? 00:10:28.340 --> 00:10:31.240 If there's enough foundational stuff in the standard library, right? 00:10:31.360 --> 00:10:34.360 So I think this is a pretty interesting thing for people to think through. 00:10:34.770 --> 00:10:36.580 I was going down this path. 00:10:36.590 --> 00:10:37.560 I'm like, this is pretty cool. 00:10:37.780 --> 00:10:41.820 What if I could just make, I think I use three functions from HTTPX. 00:10:42.140 --> 00:10:46.780 What if I could do this for HTTPX instead of the thing that they were basing theirs on? 00:10:47.160 --> 00:10:49.480 How hard would that be with a little bit of Claude help, right? 00:10:49.680 --> 00:10:58.300 And it turns out that the standard library's HTTP call stuff does not have any async support whatsoever. 00:10:59.060 --> 00:11:00.800 I was going to ask if that was a thing. 00:11:01.759 --> 00:11:02.760 No, it's not. 00:11:02.860 --> 00:11:06.260 I'm like, wait, what are the use cases for asyncio? 00:11:06.920 --> 00:11:09.600 Database, HTTP, API. 00:11:10.400 --> 00:11:10.900 Hitting a network. 00:11:11.300 --> 00:11:11.680 Hitting a network. 00:11:11.960 --> 00:11:16.700 Wait, it's had that since 3.4, I believe, 00:11:16.770 --> 00:11:18.020 is when async was in. 00:11:18.110 --> 00:11:20.820 And then async and await came in at 3.5. 00:11:21.080 --> 00:11:22.440 Michael, you need to submit a PEP now. 00:11:23.080 --> 00:11:23.520 You know what? 00:11:23.720 --> 00:11:25.720 Very insightful thought. 00:11:25.860 --> 00:11:28.020 I actually wrote Brett Cannon a message about this. 00:11:28.140 --> 00:11:31.540 Said, hey, what would the steps to be actually submitting a PEP for this? 00:11:32.040 --> 00:11:33.680 And he sent me back some stuff. 00:11:33.690 --> 00:11:35.840 And Brett, I haven't had it just because I sent that message 00:11:35.910 --> 00:11:36.580 and went straight on vacation. 00:11:37.110 --> 00:11:38.840 I haven't had a chance to respond, 00:11:39.040 --> 00:11:41.660 but it looks like there's some work to be done. 00:11:41.960 --> 00:11:42.780 and research to be done. 00:11:42.980 --> 00:11:46.160 But I do think that that's a totally reasonable thing. 00:11:46.280 --> 00:11:49.600 And DBAPI itself also surely does not support async, 00:11:49.720 --> 00:11:50.460 but should, you know? 00:11:50.680 --> 00:11:52.420 Like, I think there's a few really clear places. 00:11:52.740 --> 00:11:53.700 Yeah, there's still some hard problems 00:11:53.820 --> 00:11:54.660 left in the Python core. 00:11:55.080 --> 00:11:56.220 Yeah, we thought it was all done. 00:11:56.400 --> 00:11:56.700 It's not. 00:11:56.960 --> 00:11:57.120 Yeah, yeah. 00:11:57.480 --> 00:11:59.280 Although it is nice when you've got like HTTPX2 00:11:59.460 --> 00:12:00.780 and you can just drop in and replace. 00:12:01.240 --> 00:12:01.660 Yep, exactly. 00:12:02.240 --> 00:12:02.300 Yeah. 00:12:02.380 --> 00:12:02.580 Nice. 00:12:03.020 --> 00:12:05.360 Yeah, we talked about that from the Pydantic folks 00:12:05.400 --> 00:12:06.740 and we're going to talk about that some more. 00:12:07.220 --> 00:12:08.320 Yep, yep, sounds good. 00:12:08.580 --> 00:12:09.920 All right, over to you, Calvin, for the next one. 00:12:10.200 --> 00:12:14.340 So this one's a little bit of a double-edged mixed bag. 00:12:16.290 --> 00:12:21.480 The bad host vulnerability is a critical vulnerability in Starlet, which is an ASCII framework, 00:12:21.800 --> 00:12:26.160 underlies a lot of very popular projects right now that are, if you're doing MCP or if you're 00:12:26.160 --> 00:12:32.800 doing FastAPI, it basically is kind of a core layer for the asynchronous HTTP traffic for 00:12:33.100 --> 00:12:33.900 building an API server. 00:12:34.320 --> 00:12:37.500 So this vulnerability was reported. 00:12:37.960 --> 00:12:39.320 The community responded. 00:12:39.340 --> 00:12:45.100 there was a little bit of a back and forth but I think that the exploit is trivial for example 00:12:45.240 --> 00:12:52.160 injecting a single character into an HTTP host header can bypass path-based authentication now 00:12:52.460 --> 00:12:56.460 there's this is where this gets a little more interesting is that maybe that's not a great 00:12:56.680 --> 00:13:00.680 pattern for you to do which is path-based authentication that was kind of the pushback 00:13:00.880 --> 00:13:06.719 from the Starlette maintainers which is this is not really a intended use case for Starlet 00:13:06.740 --> 00:13:11.760 it is a vulnerability. It has been patched, has been fixed, but I believe they got a little bit of 00:13:12.510 --> 00:13:19.380 a bum deal from the journalists who are covering it. So actually, in addition to this post here, 00:13:19.620 --> 00:13:24.380 there's also the maintainer's perspective, which I thought was a very interesting view into both 00:13:24.560 --> 00:13:29.020 sides of the situation. Not often do you get to see when there's a vulnerability or a CVE announced 00:13:29.420 --> 00:13:33.079 that the maintainers get to kind of post their response. And I think they post the response 00:13:33.120 --> 00:13:34.740 and it's well written, well thought out, 00:13:35.400 --> 00:13:38.000 explaining why this is probably not something that's common. 00:13:38.560 --> 00:13:39.860 Many people probably weren't as vulnerable 00:13:40.120 --> 00:13:41.460 as they thought they might be, 00:13:41.680 --> 00:13:43.520 but it would affect some really major projects. 00:13:43.650 --> 00:13:45.200 And if major projects were doing a pattern 00:13:45.350 --> 00:13:46.740 that was not originally intended 00:13:46.830 --> 00:13:47.960 by the maintainers of Starlet, 00:13:48.090 --> 00:13:49.100 then you end up in this bad spot. 00:13:49.340 --> 00:13:51.660 And it could end up in remote code execution 00:13:52.340 --> 00:13:56.040 as a worst case scenario or data exfiltration 00:13:56.160 --> 00:13:57.760 that you weren't expecting because of this, 00:13:58.000 --> 00:13:58.700 but it probably wasn't the way 00:13:58.700 --> 00:14:00.480 you should be architecting your application. 00:14:01.240 --> 00:14:05.220 They also got a little bit of a complaint against the Ars Technica reporter. 00:14:06.080 --> 00:14:11.140 Basically, they asked really demanding questions and wanted an immediate response. 00:14:11.420 --> 00:14:14.140 That's back here down at the bottom, which was kind of rude. 00:14:14.560 --> 00:14:19.940 They were very demanding, and they only gave them, I don't know, hours, maybe an hour or 00:14:20.040 --> 00:14:23.160 two notice that they were going to publish this article on the website. 00:14:23.620 --> 00:14:27.040 And the website went on, the Ars Technica website went on to say that they had contacted 00:14:27.120 --> 00:14:28.400 the maintainers but hadn't heard back. 00:14:28.620 --> 00:14:32.840 There was no comment from the maintainers, which people can read into that how they want. 00:14:32.860 --> 00:14:33.240 So I'm glad. 00:14:33.420 --> 00:14:34.500 Yeah, it sounds really bad. 00:14:34.700 --> 00:14:38.860 Like Marcello is just going to go, ah, forget you. 00:14:38.960 --> 00:14:40.220 I have no comment, right? 00:14:40.260 --> 00:14:42.880 Because these are open source maintainers who are doing this for the community. 00:14:42.980 --> 00:14:50.400 They don't have a security team under the covers waiting to respond to journalists and security researchers. 00:14:51.060 --> 00:14:52.840 I mean, they did work with the security researchers. 00:14:52.960 --> 00:14:57.560 They did negotiate a shared disclosure or a mutual disclosure timeframe. 00:14:58.420 --> 00:15:03.120 This ended up for the best for everyone involved, except how he got portrayed. 00:15:03.210 --> 00:15:06.400 Now, luckily, I think folks in the comments stood up for Marcelo and the team. 00:15:06.920 --> 00:15:08.980 So I think people in the community understand. 00:15:09.440 --> 00:15:14.800 But someone who's just coming to that article on Ars Technica may think differently of that project. 00:15:15.250 --> 00:15:17.880 And I think they should read this article as a response to that. 00:15:18.100 --> 00:15:18.700 Very interesting. 00:15:19.040 --> 00:15:22.220 I generally enjoy reading Dan Gooden's work, and I like Ars Technica. 00:15:22.570 --> 00:15:23.120 Yeah, I was surprised. 00:15:24.080 --> 00:15:24.640 I was surprised. 00:15:24.940 --> 00:15:27.640 You can just see the incentives at play here. 00:15:27.900 --> 00:15:29.540 Like, hey, you got to do an article this week, 00:15:29.720 --> 00:15:31.620 or we got to be the first to publish on this. 00:15:32.440 --> 00:15:35.100 Well, and I think because MCP servers were the prime target. 00:15:35.400 --> 00:15:37.320 If you're running an MCP server, 00:15:37.400 --> 00:15:40.800 you were probably using a Starlet-based framework under the covers. 00:15:41.200 --> 00:15:43.340 And so a lot of credentials are stored in there. 00:15:44.140 --> 00:15:48.440 And if they were slop-coded, vibe-coded versions of those servers out there, 00:15:48.760 --> 00:15:50.920 they could have used a path-based protection like this. 00:15:51.280 --> 00:15:51.460 Sure. 00:15:51.700 --> 00:15:54.720 And probably, I don't know how it links back to FastMCP, 00:15:54.980 --> 00:15:57.060 but I think that's probably based on Starlet. 00:15:57.260 --> 00:15:58.060 That's what I was thinking too. 00:15:58.200 --> 00:15:59.400 I didn't go double check that though. 00:15:59.700 --> 00:16:03.060 Yeah, I will leave that as a exercise to the audience. 00:16:03.260 --> 00:16:03.940 But I think it is. 00:16:04.060 --> 00:16:05.160 These open source maintainers 00:16:05.180 --> 00:16:07.280 are getting near daily security reports, 00:16:07.540 --> 00:16:09.280 especially when you're seeing projects 00:16:09.440 --> 00:16:10.820 like Mythos being released. 00:16:11.060 --> 00:16:12.880 I think this volume is only going to increase. 00:16:13.680 --> 00:16:15.340 So a lot of it's AI generated noise 00:16:15.800 --> 00:16:17.100 and they have to be able to deal with it. 00:16:17.120 --> 00:16:18.380 So you're seeing a lot of pushback 00:16:18.540 --> 00:16:19.400 from the open source communities 00:16:19.660 --> 00:16:22.860 against AI pull requests and security posts. 00:16:23.160 --> 00:16:23.480 Absolutely. 00:16:24.060 --> 00:16:24.120 Yep. 00:16:24.980 --> 00:16:26.580 We could go down that a lot, but let's instead. 00:16:26.680 --> 00:16:27.160 Yeah, yeah, yeah, I know. 00:16:27.220 --> 00:16:28.720 Let's talk about merges. 00:16:29.300 --> 00:16:29.660 Merges. 00:16:30.060 --> 00:16:30.660 Let's talk about merging. 00:16:31.080 --> 00:16:33.660 So are you an Alembic sort of person? 00:16:33.940 --> 00:16:34.440 Do you Alembic? 00:16:34.710 --> 00:16:36.320 Do you, SQLAlchemy is really the question. 00:16:36.330 --> 00:16:37.080 I do, actually. 00:16:37.490 --> 00:16:40.200 On that FastAPI project that I was mentioning from this morning, 00:16:40.290 --> 00:16:41.740 I have Alembic in there. 00:16:42.080 --> 00:16:43.100 Okay, very interesting. 00:16:43.250 --> 00:16:44.640 Yeah, I think FastAPI, sorry. 00:16:44.810 --> 00:16:47.260 I think SQLAlchemy is pretty neat. 00:16:47.420 --> 00:16:50.140 And this project, you know, Julian Fianjo 00:16:51.140 --> 00:16:52.500 also does this quite a bit. 00:16:53.120 --> 00:16:55.700 So he is one of the founders of Mergeify, 00:16:56.280 --> 00:16:59.680 which is all about making sure that merges, 00:17:00.700 --> 00:17:01.840