


Transcript for Episode #249:
All of Linux as a Python API

Recorded on Thursday, Sep 9, 2021.

00:00 Hey there. Thanks for listening. Before we jump into this episode, I just want to remind you that this episode is brought to you by us over at Talk Python Training, and Brian through his pytest book. So if you want to get hands-on and learn something with Python, be sure to consider our courses over at Talk Python Training, visit them via pythonbytes.fm/courses. And if you're looking to do testing and get better with pytest, check out Brian's book at pythonbytes.fm/pytest. Enjoy the episode. Hello, and welcome to Python Bytes, where we deliver news and headlines directly to your earbuds. This is Episode 249, recorded September 8, 2021. And I am Brian Okken. Hey, I'm Michael Kennedy, and I am eating sounds. Hey, Eric, thanks for joining us today. Yeah, thank you so much for having me. So tell us a little bit about who you are. So first of all, I'm a longtime listener to the show. I just told Michael, while I'm listening since Episode One of this podcast, actually, wow, also listening to Michael's podcast, obviously. And then once I get to node I started listening to you focus as well. So basically everything that's out there, I'm listening, what I'm doing. I'm currently leading the competence center for AI and data science at data drivers, which is a consultancy firm from Hamburg, Germany, our focus is mainly on building big data platforms and applications, mostly using cloud native services. And we try to apply best DevOps and MLOps practices to where we are. Do you have a favorite cloud? In all honesty, from the Google Cloud? Gotta say it. Yeah. Nice. Well, Michael wants to kick us off with our first item. Yeah, this one's a little fickle, comes to us from Ollie, he sent that in. Thank you, Ollie, and sort of indirectly from Patrick Gray over at Risky Business, which is a cool security-focused podcast, Python support security, they talk about over there. So you've heard of pickles, obviously, pickling in Python.
It's like, I want to take this binary, this binary Python object graph and turn it into a blob that I can stash away, and then later, get it back, right? Sometimes it's real simple, stash it and read it. And other systems can pull it out real quick as a cache, maybe save it to a file, but where it's become really popular as a means of data exchange is actually in machine learning. Okay, so the people who built this thing I'm going to tell you about really built it around, focusing on the machine learning use case, because people are handing around these models, these pre-trained models and like, here's the model, load it up and roll, and load it up and roll may mean you have an amazing artificial intelligence that drives a car. Or it may mean that you have a virus, because pickles can contain all sorts of bad things. Alright, so this thing I'm gonna tell you about is called fickling. Like pickling. It's a decompiler, a static analyzer and a bytecode rewriter for Python pickle object serialization. So you take these pickle files, these object graphs of Python things, and you can pull them apart, look at them, you can ask questions like, is it a virus, and you can even say things like, let's put a virus in it. So all of these are possible with this tool. And it's made by a security pentesting company called Trail of Bits for basically that purpose, right? So it's kind of either side,

03:19 the attacking pentesting side or the defensive side of the story. So works on 3.6 and above. And you can see it's super simple. You say, basically, you pick up stuff, and you say, from fickling.pickle import Pickled, and then you can kind of, as if you would use the dis module to disassemble Python code, you can do that with this Pickled library. And it'll print out something that's kind of like an abstract syntax tree of the pickle. And they've got a real simple example on the GitHub repo. It's like a list of four numbers, 1, 2, 3, 4. And then it just shows you, look, we're assigning the results of creating a list and setting these constants in it. Another thing that is nice about this is it's not specifically built for Python developers. So it's also kind of something you can integrate into other tooling and, say, continuous integration and stuff like that. So you can run it off the command line as well, just on the terminal, just type fickling and give it the data and then out comes your answer. The one that people might want to do is the --check-safety. And that will try to look and see if it's doing bad things like, for example, talking to os.system, or doing other malicious stuff like that. So that's good, but I wouldn't trust that entirely, like how well is it checking, right? If you, for example, were to encode Python code and then decode it, and then take that decoded stuff and it did or something right, and feed that to evaluate whatever, there's all sorts of layers here, right? So it can check for obvious things, but you know, it's not like an absolute guarantee. And then finally, you can inject arbitrary Python code that will run on unpickling into an existing

05:00 pickle file with --inject. Seems fine, right? Everything's fine. That's the fun part. Yeah. If there's no malicious code present, here you go. Yeah, exactly. So maybe I'm in bad imagining something like a little thing that count that I print out in like flashing bright colors. We told you, you shouldn't unpickle untrusted data, don't do it.

05:23 Beginning hard drive format has a like a loud beeping sound, three, two, one, and just like,

05:30 obviously not really do it. But like that would get your attention. Right? That'd be a mean, I mean trick. But absolutely. This, this is interesting. And, you know, I didn't really put it together with the ML data exchange, model exchange story, until I heard the folks talking about it over on Risky Business. So it seems like, especially in the ML story, you want to have a look at these kinds of things. Yeah. So I thought about the use case before, actually, but I didn't know that somebody would, would solve it in this way. So pretty nice. Yeah. I mean, Eric, this is sort of your world, right? The machine learning stuff. So how does this sit with you? What do you think? Yeah. So it comes up all the time that you pick up some random model that someone has built. So as security issues become more prevalent, this might be a thing? Yeah. What, better ways to store? Yeah, is there better ways to store it like JSON or something else? So even though they don't have to exist that way, do they? Yeah, I mean, even if there was, there are, there are some projects that focus on building like some reusable interface across all these different frameworks and stuff. But in reality, people just use pickle. Really? Yeah, they do. I just didn't know anybody was really using it for much mas. It's absolutely coming from within like, say, scikit-learn, which is probably most used library ever.

06:50 Just use pickle on whatever, store your files. Yeah. All right. Well, cool. So this is a useful library from Trail of Bits. People can check out and we're going to start with everything is fine. And we'll end with everything is fine as well, Brian, but

07:04 over to you. Okay. Well, um, this is something, it's a blast from the past a little bit about a year ago. Anyway, I want to talk about virtual environments, and directories. So and there's an article from Hynek, it's called Python Project-Local Virtualenv Management. It's, that's a mouthful. But the idea, and we've talked about in the morning this before, is to be able to deal with it. Yeah. So just to go when, if I've got several projects going on, whenever I like cd into the, into a directory with this project, I just want the virtual environment activate automatically. And then when I leave it and go to another one, it's just automatically switched. Apparently, that already works. And we've already covered it, but I missed it. So actually, in Episode 185, you brought up direnv. And in part of it, it's, it's the ability to, you can have per project isolated development environments. But I didn't pick that up yet. But I just said, this is how you do it. And how you do it really is just you just have, you have to have, you have to install direnv first. And then you put a .envrc file in a directory and say layout python, and then what Python version, so like layout python python3.9. And then that's it. That's all you got to do. And I, I'm like, that can't be that easy. And it was, I did it this morning. And I was like, man, this is great. So on my Mac, it's all solved. And but it doesn't work on Windows. So, oh.

08:55 Let Linux subsystem for Windows or Windows Subsystem for Linux. WSL, I guess it is. Okay. Yeah. So I mean, that sort of semi solves it. Yeah. Yeah. So I really, probably have this need more within Windows than I have on my Mac, but I have it in both places. So, um, I'm gonna start using it. It's great. Um, plus, like you covered last time, you can also have a bonus, you can put environment variables in there, too. So that in the project you've got your, like your, perhaps your secrets, or,

09:28 or just different environment settings you want to use. Yeah, I think people will look in your .rc, whatever, your .bashrc, .cshrc, whatever files for your secrets, but I suspect it's much less likely to go hunting through virtual environments and looking for their activate scripts and see what's in them. You know, people know about, fewer people know that stuff gets stashed in there, so that's probably good. Right? So, um, I guess mainly the story is, oh, I knew that you could do it, but I didn't realize how easy it was. So this is, it's super simple.

10:00 It just took a little bit. And then my second thought was, it isn't. It's not that hard to create virtual environments, though this is saving any time, I still got to create this file and put this stuff in it. That actually is more typing a little bit more. But it didn't take me long to realize that it's when you're switching between different directories, you save a ton of time. So yes, they're going back and forth between projects, right? Yeah. So that's it, really just kind of eat

10:27 Brett out in the live stream's got a comment for us. If you use pyenv, you can run pyenv local envname in your project folder and get this behavior as well. How do you do that? How do you get it to activate by just changing directory into it? Just what I'm not totally sure. Yeah.

10:45 It wasn't that way. Right. But not the actual virtual environment? Yeah, possibly, if you, if you've installed Python through pyenv as well. Yeah. And then David has a comment back. The first topic out there in a live stream. Hey, David, the irony of legacy object serialization being used on cutting edge machine learning, like that fun. Yeah. And then Teddy at the live stream? It did he just does it work with an IDE, changes the interpreter based on the folder you're in within a workspace in this case, for example, that I don't know. But I was going to add the personal comment that I don't need this nearly as much as I felt like I used to, because the way I jumped between projects is usually jump, open them up in PyCharm and jump between them there. And that always activates, if you go to the terminal in PyCharm, it activates that environment for that project. I'm on the command line all the time. So definitely, yeah, yeah. If you're on the command line, buzz, buzz around a lot, then that's, then both Brett and Alvaro have a follow up, pyenv adds a shim that intercepts the calls to Python. So yeah, very good. So it must be that you have to install Python through pyenv. But then it'll also do this, very cool. Did you know, I didn't know though. But me too. Yeah. Nice. All right, Eric, first one for you. Yeah, so I brought so with me the testcontainers-python library, which means like, let me quote this one from the description, because I think it's a pretty good summarization. So testcontainers-python is a port for testcontainers-java that allows Docker containers for functional integration testing, it provides capabilities to spin up Docker containers, such as databases, Selenium web browsers, and any other containers for testing. So maybe not that many new things in here. But we use this in a project lately. And especially,

12:38 we use this integration pipelines using cloud native services. So there's a container for Google Cloud Pub/Sub, for example, which is pretty amazing. Also for, like, your Kafka. This is originally a Java project. So there's still a lot to do for the Python community in order to catch up, a bunch of interfaces that need to be implemented and stuff.

12:59 One example, it is here, let me just show you that one of this. And it is in the repo where you can find

13:11 an example of how to use this within your CI pipeline. So what's happening here is actually, that if you have like a standard CI in the pipeline for your integration test, which consists of Docker containers, that we use Docker in Docker to actually run the integration tests. So all your standard 2021 stuff in here, I guess? Yeah, this is super cool. And the way you do it is just create a context manager, right, exactly like with MySQL container. Here's a connection string. And then you can just do your database stuff over to it. Yeah. Yeah. So it integrates perfectly fine with pytest, which we did that a lot.

13:51 So yeah, the syntax is pretty cool. It's super easy to use. The integration with the CI/CD works fine. So yeah, john Brian, we could, we could use this with a test fixture and a little yield action, something like that. Yeah. Yeah. I can't wait to try to play with something like this. Yeah, we talked about this way long ago, I brought this up, I believe, but I'm glad you brought it back here, because it's really useful. And it's really neat. And there's more stuff than actually is listed on the readme for some reason. Exactly. Like, if you flip through the actual documentation, you can see that there's other containers, right. For example, I believe there's, there's a MongoDB one, for example, but that's not listed in the documentation. And then the cloud emulators are probably neat for you for testing. I

14:38 mean, that's one of the things that I find off putting from, like cloud native type stuff is, if you don't have access to the cloud, you're dead in the water, right? Like, and that can be a problem for continuous integration and for all sorts of things. So things like this are pretty neat. It's definitely challenging. So stuff like this. Yeah. You know, to me, it's, it's an interesting trade off because on one hand, sure, you can mock

15:00 your database, and then just test against your test data. But then if your data model in the database changes, but you don't think to update the test data, well, then your code's gonna, like SQLAlchemy, for example, will freak out and crash if the schema is not a perfect match. Whereas you wouldn't find that in testing if you weren't letting it talk a little bit to the database. And like, there's just interesting things like this. Brian even had an episode about not mocking out your database, didn't you?

15:27 Yeah, I think it as little as you can guess, let's do the reverse. As close as you can have to the real environment, the better. And this is when people are deploying on containers, testing with containers makes total sense. Yeah, absolutely. Absolutely. All right. Want to talk a little more infrastructure? Yeah. All right. So I have the one, it's gotta be the shortest named thing for a featured item, jc, two letters, J C. So jc comes to us from Garrett, thank you for sending that in. And at first, I was like, I don't know if this is relevant to me, or if this is interesting, but the more I looked at it, I'm like, yeah, this is actually pretty awesome. To me. Let me, I'll read what jc describes itself as in a moment. But to me, what this is, is basically what web scraping is to the web, jc is to Linux. So there's not a nice API for it. But I'd like to somehow wrap a little Python magic around it, and then have an API for it. Okay, so its official story is it's a CLI tool and Python library that converts the output of popular command line tools and file types to JSON. And it allows piping one thing to the next, obviously, because it's Linux like to the idea is, you know, the example they have on their site, there's dig. So dig is a command that will give you information about a domain. So you could do something like dig example.com, pipe jc, and then you tell jc what it's expecting output from, just whatever the print output to the terminal is in dig, and it will parse that and turn it into a Python dictionary, right? So I could subprocess run dig, but then I just get a huge blob of text. And I've got to basically go through it, try to understand it, and so on. And this knows the exact format and turns it into, like, structured data. To think of all these different Linux commands you may run, you find a whole bunch of them, they're like a huge list down here.
So airport, arp, crontab, date, CSV, free, du, hash, history, hosts, IP config, netstat, all those types of commands, systemctl. So for example, if you're automating daemons and stuff like that, you can now do that from Python. And then instead of getting just a text blob and an exit code, you get a dictionary back that you can then check out and program against. What do you think? Well, that's pretty cool. Yeah. Um, yeah, it was, it's, there's a bunch of built ins, if

17:57 hopefully, hopefully, the thing you're looking for is one of these. Yeah, exactly. I suspect it's not extraordinarily hard to do to add another one. Yeah, yeah. But you can also run it on the command line, you don't have to use it in Python, which is what I was scrolling around looking for. So if you want to, like, let's suppose I want to go and run dig, and I just want to go to the answers and get the data, which would be the IP address of some domain, you can say, jc, run this thing. And then jq -r, or there's like a way to just pass over a string. And basically, the string you pass in is the object dereferencing, the traversal of the dictionary? So dot bracket, dot answer, bracket data, and it'll go and pull that all apart, which is pretty neat. Yeah, it's got a cool command line, terminal automation aspect, just like pickle. This is a nice wizard effect. So that if you know how to do this well, and people come over and watch you do this, they will be amazed. Yeah. So yeah. Just make sure you spin up your like third or fourth terminal while you do that. Yeah, exactly. Equity thing. Yeah. So sounds like I found something that I can put, like, my usual Sunday afternoon time into, so I play around with this. Yeah, exactly. Yeah, every time that I want to do some subprocess thing, and it needs to call out some kind of Linux command, I'm like, ah, what am I gonna do? I'm just gonna check the status code, the return code and hope it works. And then just say didn't work if it didn't work? Or, you know, you could do so much more with this. Sorry, Brian. Well, there's some stuff that, that may, that's less Unix-y that other people might need, like, you can parse, you can parse pip list and pip show and, and YAML and XML with this as well. So that's pretty cool. Yeah, yeah. Very cool. All right. How about some ellipses or I don't know how else to say a dot dot.

20:00 That the next thing do say more.

20:05 So, I, this was a surprise to me, I guess I haven't run into this yet. Or maybe just I forgot. But, um, Python has ellipses, and it has the keyword ellipses, ellipses, ellipses, ellipses, ellipses, and upsi.

20:23 And it's an actual object within Python. Who knew. And then also, you can just do dot dot dot, and that's a, that's a valid thing.

20:33 A, an identifier, so it's a special value. And but you can use it for all sorts of stuff. Like the, oh, by the way, I'm referencing an article called What is the Python, What is Python's Ellipsis Object, from Florian Dahlitz. Thanks, Florian Burnett. Um, so it's important that Python, or the definition really is, it's the same, the, the Ellipsis literal is the same as the literal dot, dot dot, it's a special value used most, mostly in conjunction with extended slicing syntax for user defined container data types. I don't know. What does that mean? I guess pandas uses it, maybe. But the, the article comes up, okay. It has some, some interesting things. You can use it in place of pass, because it is a valid, has a valid value, you can kind of do a def dictionary or a function definition. And it's, does the same as pass, just do three dots. And that's valid Python. I'm kind of liking that. I'm sure. It's, it's cool. We like, what are you doing, but at the same time, it's like, that's really what you want to put down there is like, I just don't want to put anything but Python won't work unless I kind of close this off. So here's a pass. Right? Well, also, one of the things I was thinking about is not, I would probably use pass all the time, when, when in that case, but when writing documentation, and you really want to have a working code example, but you want to just indicate there's going to be more code there. That's a cool thing to put in. Anyway. So there's that. And then there's also using it in type information. So with type information, for instance, apparently, like let's say I've got a function that returns a tupple, or tuple, I'm got these words today. Anyway, a tuple. With two integers, you can just say a tuple, with two int to the indent. But if you don't know how many integers are going to be there, you can do the three dots. And apparently that works with typing. That's, that's neat.
That's, um, there's not a lot, apparently, it's used also within FastAPI and Typer. But it's there. And if you want, if you want to use to implement a certain feature, where that might make sense, it is a, is a thing that's available to you. Like maybe you could have an operator dot dot dot operator on your something.

22:57 I learned this just the other day from a tweet from Raymond Hettinger, where he was asking people like, how would you do this? And he brought up the exact same example, I'm using the documentation and the pass or the ellipses instead. And I didn't even know that this was a Python object. I knew from the typing. But so the question is, um, can you, can you pass this object around? Can you like return from a function value? Like dot A dot? I imagine? I don't know. Right? It should work. Yeah, it should work. Yeah. Nice.

23:35 Well, we're, we're, we go on to the next topic. Yeah, that's that one. Surprise me. Well, then Florian. Yeah, so the last one that I brought with me. Actually, since I lead the data science and AI team, I gotta bring something with me that has to do with it. So I brought with me the PyTorch Forecasting library. So

23:58 Michael, you just used this analogy in a couple of minutes ago. So I'm going to use an analogy now. So for me PyTorch Forecasting looks like

23:58 that what fast.ai does for computer vision and natural language processing, it does for time series forecasting, because there was like a lack of a deep learning for, for type series forecasting, time series forecasting. And, actually, I think that PyTorch Forecasting is gonna close this gap. So it comes in with a bunch of important features, actually. So it's built on top of PyTorch Lightning, which allows training on CPUs, single and multiple GPUs basically out of the box. So there's, there's been a lot, a lot of software engineering involved for the data scientists in the past and this library just makes it, makes it pretty simple. So

23:58 you have to

23:58 work very hard in order to mess things up with this library, I guess. So. And what it also brings is an implementation of a model that is called the Temporal Fusion Transformers. So this is from Google Research. And actually, there's also a TensorFlow based implementation.

23:58 I'm going to put the link to the paper in the show notes. This is a very interesting model that has performed pretty well on a dozen

23:58 prominent benchmarks and various very lately, and it has a very huge, huge benefit, which is that it is pretty interpretable. So you can count, it does actually calculate feature importance for you. So this is in the real world applications very important. Because whenever you stick your data into these models, and something good comes out, people will always act as past you. So okay, so what was the important part? The data is how does it influence the model and the outcome? So for Temporal Fusion Transformers, they do this for you. Also, the PyTorch Forecasting comes with Optuna, which is a popular library for hyperparameter tuning, which is also implemented.

23:58 Right, there might be, so this does, like multivariate time series, multivariable time series. Yes. So, so the moving part of it is pretty important, actually. So go ahead, sir. I'd say so the hyperparameter tuning might say this part actually doesn't make any difference in the prediction, but this other part does. So pay attention to that, right. Yeah, absolutely. Yeah. Yeah, this looks really good. Yeah. So if you want to predict the future, about sales, on prices, yeah, heart rate, whatever. Comes up all the time, comes up all the time. And I know from a couple of guys who work for the, for the Google Clouds of this world, and the AWS, that within these software services, or these APIs that they provide for, like, say, a demand forecast, to use this Temporal Fusion Transformers under the hood. So yeah, this looks great. Just spin it up and use it. Yeah. Great recommendation. Follow from the previous one, Brian? Well, Will McGugan in the live stream says it's the data dot ellipsis sometimes is used as a sentinel value to mean no value when None is a valid value. So yeah, yeah. And also, yes, you can return it from a function. So

23:58 that's fine. And then let's see someone out in the livestream asked if it has methods does have methods or anything that you can do to it. That was Teddy. Yes, but only the built ins. Right. I don't think from object I don't think it does anything interesting besides just be dot, dot dot.

23:58 And then Anderson Hey, interested in so it's a pity that ecosystem is moving towards PyTorch Lightning, the separation of concerns there is not very nice, in my opinion, PyTorch Ignite does a better job in that aspect. Eric, that's all you is. Yeah, fair enough. But fair enough. Still, I mean, one thing that you got to keep in mind. So speaking of separation of concerns, right, there's so many data scientists out there that feel throw like separations of concerns at them, they just answer like, yeah, here's my model. So what is separation of concerns? This sense, right? So if this works, if people use it, it's probably good. Yeah. Cool. Right? Extra, extra is, oh, I just wanted to bring up the Python 3.10 RC2 is out. So the release candidate, the second release candidate for Python 3.10 is out so people can play with it. Apparently, we're like maybe a month away from getting 3.10. So let me say that. Yeah, that's me. Very nice. That's awesome. All right. I got a couple of throw out there. Really remember? Imagine? Can you imagine So remember, we talked about several things. I talked about

23:58 how I turned off all of the tracking stuff, and all those things on the website, which I think is good, because so many people run ad blockers, they were, it was like pretty inconsistent data anyway, inaccurate. Then I mentioned goaccess.io. I said, that'd be cool. Maybe we should apply it. I ended up writing a ton of automation to apply this to Python Bytes, Talk Python, Talk Python Training, all the things. And it's pretty cool. I built some automation that will download all the nginx log files, some of which are text, some of which are gzipped, and then run this thing across it and we'll build like one giant monthly log thing that GoAccess can then turn into nice, beautiful reports. So very excited to have GoAccess working well. And instead of running on the server, I actually just download and then run it on like a monthly report locally, which I think is kind of cool. Alright, one, we had some feedback about caffeinate. Remember caffeinate, you could even type caffeinate on the macOS terminal and it will keep your system alive.

23:58 Nathan Henry said, you mentioned over macOS, the caffeinate tool, says, you can follow it with a long running command to keep awake. So you can see like caffeinate, python -c, import time dot sleep, or so give it some kind of, so you can say caffeinate, python and some script you want to run. So you could reverse it. If that script doesn't use, keep awake or think that's what it was. Right? So you get to apply caffeinate to your Python code and just say, no, stay awake while you're doing this. Or you can even apply it to a running process using a PID. So it just stays awake while that process is running, then yeah, and then it'll go away. Yeah. Okay. Nice. Yeah. So it's like the reverse of what we talked about then. Then Sean Tibor from Teaching Python said, isn't this what we were asking for? Remember, we were talking about the keyboards, keyboard. And here's a Python one. This is a M60 mechanical keyboard, the open source USB BLE, Bluetooth Low Energy 5, hot swappable 60% keyboard, powered by Python. So this one comes with Python built in, which is pretty excellent. So people want to play that they can. The next one I want to throw out there real quick comes to us from Mark little, friend of mine in Portland. And basically the subtitle is that this is an article from CNBC finance news, that open source is booming. So the headline has to do with MongoDB. But it's more broad. So people are interested in kind of following up on that. It's kind of cool. So MongoDB surged on Friday, which was last Friday, is now worth as much as IBM paid for Red Hat. Databricks raise private financing round being at $30 billion valuation. And just you know, these are the mega open source companies. But it's pretty interesting. To just give you a sense, like, I read this article, I got, it's pretty interesting. These numbers kind of just like bounce off me. But the one that made it stick for me was MongoDB was a private company for a while then it became an IPO. Right?
It had VC money then IPO'd, do you have a sense, either you have a sense for how much it IPO'd for, seemed crazy, right? Like, like a 1.2 $1.4 billion. MongoDB is worth 30 billion now. Right? So even after like the crazy IPO, 1.2 billion to start, and now over 30 billion. So that is an insane amount of growth in these. And then they talk about Confluent and JFrog and a bunch of other, Elastic, if you kind of want to dig into the business side of open source. That's pretty interesting. Alright, two more, I've been doing a ton of video encoding lately, I use FFmpeg for some of the audio processing and other types of things around both the podcast and the courses. So attribution here, this is from Jim Anderson, sent this over. Thanks, Jim. ffmpeg.wasm. So here's FFmpeg, which is a very popular tool in that world. But as a WebAssembly mapping, which is pretty awesome. And

23:58 trying to remember what the name of the library was. But over in, we did talk about on Python Bytes, I think with Cecil Phillip on one time, maybe it was even him that brought it up. But there's a Python library that will run WebAssemblies, so not run WebAssembly in their browser, or put Python in the browser, but reverse it, like I have a WebAssembly library that does cool stuff, put it in my Python code and run it here. So you could take ffmpeg.wasm and pure Python and have like a no dependency audio video processing tool in Python, which I think is pretty cool. Cool. Alright, last one. I told you it start with everything is fine. We're going to end with everything is fine. Credit-card-stealing, backdoored packages found in Python's PyPI library hub. That's not good. This, this is not good. This is not good.

23:58 When you hear people talk about remote code execution, typically is bad. Like I'm on the internet. People send me bad stuff. Now they have my computer. And I don't even necessarily know it. So apparently in addition to this, these were found and removed. It was something, what was in it was something around the line of noblesse, N-O-B-L-E-S-S-E, and a couple of variations on that spelling. That was the problem. So I'm happy to see I didn't install that. But this doesn't make me happy. It looks like it's fixed. So the PyPI team also just patched a remote code execution hole in their platform, which potentially could have been exploited to hijack the entirety of PyPI. That one makes me way more nervous than typosquatting, another weirdness. And it was a vulnerability in the way that they were doing GitHub Actions with PyPI, which allowed a malicious pull request to execute arbitrary code over there, which is not ideal. Nice. Yeah, but I'm glad to hear that fix anyway. Everything's fine.

23:58 Doesn't feel fine. No, not at all.

23:58 Be honest. Yeah, to be honest, Eric, anything else you want to share with us? Oh, no, just thank you guys again for having me on the show. Pretty fun. And make sure that you guys follow me on Twitter. And, yeah, awesome.

23:58 I'll put a link in the show notes for your Twitter. No, we are done. Are we, Brian? Oh, we know. One thing is missing. Yeah, it's important to this one, is more of a non ML one, is more of a web, Web API type, type thing. So so often people will write web APIs and just return some kind of message in a JavaScript dictionary that says things like bad response or whatever. But you're supposed to use HTTP status codes, right? Like, if there's a bad request, you should return the status code 400. If it's not found, as an entity, you should return 404 or whatever. So here's a like two kids at school, exchanging messages and has server on one of them, client on the other and 200 on the message exchange here. And then at the bottom, the message reads, the JavaScript is a status code 400, detail bad requests. He's like, why did you do this?

23:58 This is good. Yeah, this like little bottle. Let, let this be a lesson to you. You don't pass messages like that. Go on. Suck. It's so true. It's totally true. Totally true. All right. Well, that's it for our jokes and everything, Brian? Yeah. Awesome. Another fun Wednesday on Python Bytes. Absolutely. Thanks, X ray. Yeah, thanks for being fixed off, guys. See you around. Bye. Bye. Thanks for listening to Python Bytes. Follow the show on Twitter via @pythonbytes. That's Python Bytes, as in B-Y-T-E-S. Get the full show notes over at pythonbytes.fm. If you have a news item we should cover, just visit pythonbytes.fm and click Submit in the nav bar. We're always on the lookout for sharing something cool. If you want to join us for the live recording, just visit the website and click live stream to get notified of when our next episode goes live. That's usually happening at noon Pacific on Wednesdays over at YouTube. On behalf of myself and Brian Okken, this is Michael Kennedy. Thank you for listening and sharing this podcast with your friends and colleagues.
