Transcript #293: And if I pull this open source Jenga block...
00:00 Hello and welcome to Python Bytes where we deliver Python news and headlines directly to your earbuds. This is episode 293, recorded July 11, 2022. And I am Brian Okken.
00:12 Hey, I'm Michael Kennedy.
00:13 And I'm Ashley Anderson.
00:15 Well, welcome, Ashley. Before we jump in, tell us a little bit about who you are.
00:19 - Yeah, I'm a software developer.
00:21 I work for a relatively small, but sometimes growing startup out here.
00:26 We make a portable MRI machine.
00:28 So I'm one of these software developers that came from an academic background.
00:32 I studied biomedical engineering and medical physics, and then this is kind of my first full-time software gig.
00:39 But I think in research, everyone's doing software these days, so a lot of people are kind of making that jump, and this was a perfect opportunity for it.
00:45 - A portable MRI, that's gotta be fascinating.
00:48 - Cool, very cool.
00:49 How do you find the transition from this more researchy side over to this maybe more formal dev role?
00:55 - Yeah, it's like just such a better fit for me, I think.
00:59 Like in my research labs and stuff, I was often like way more interested in helping build tools and stuff to help accelerate other people's work rather than diving into the research myself.
01:09 I often found that to be very frustrating and maybe I wasn't the best at it or something like that.
01:14 So this has just been a much better fit for me.
01:16 - Right on, cool.
01:17 Well, let's jump into your first topic.
01:19 What do you got for us?
01:21 - Sure, yeah, the first thing I wanted to talk about was, I think this is kind of the big news since Friday.
01:26 The PSF and the PyPI announced that they're giving away 4,000 of these two-factor hardware keys.
01:34 That's maybe kind of gotten washed out in this, but it's kind of a cool effort.
01:38 I saw this from Dustin Ingram's Twitter, and I know he's been involved in a lot of the, been interested in kind of outlining a lot of the security concerns about supply chain vulnerabilities and stuff in the past. I thought this was a really interesting idea for helping with supply chain vulnerabilities, or at least kind of taking a step in that direction. And I think it's just the PyPI, you know, sort of first step in this direction. They announced some other stuff in the past about maybe having private packages or organizations on there and namespace packages and stuff. But this was a pretty cool thing to do. It looks like they're going to roll out two factor as a requirement probably eventually for everybody. The way they're starting it now is kind of for some of the most popular packages. And for people who have those popular packages, I'm not one of them. They're offering codes to get some of these hardware keys to help that.
02:31 Interesting.
02:32 Yeah, there's been a bit of a backlash to this actually, which on two levels, some people just expressing a little bit of frustration and others more so.
02:41 See item two coming up.
02:43 One thing I think is interesting about this whole side of things is, like the original thing that you brought up, Ashley, people I think are focusing on the hardware keys, and while that's a cool idea, I think the bigger story is just 2FA, forget hardware keys.
03:00 Like hardware keys are one way to do 2FA.
03:02 Yeah.
03:03 Right.
03:03 But if you look at the actual giveaway, I think it's limited to certain locations, right?
03:08 Like I can't remember what all the locations were.
03:10 I feel like it's kind of North America, Europe and Australia or something in that general realm.
03:16 And you could entirely have a popular, what is now known as a critical Python package and not live in those locations, right?
03:23 - Yeah, for sure.
03:24 I mean, I suspect a lot of them, a lot of the maintainers of those packages are not in some of those locations.
03:29 I think those are probably dictated by like export rules on certain cryptography, but I had thought about that.
03:35 I thought it was just a shipping thing, but you're probably right about that.
03:37 Actually.
03:38 Yeah.
03:38 Oh yeah.
03:39 So the, there's a little bit of a pushback and like, Hey, I'm doing this for free.
03:45 Why are you making me do this extra work?
03:47 Setting up these keys.
03:48 And that's kind of why I've, I said, I feel like it's, it's kind of the headline has missed the point here because to say, Oh, I've got to get this hardware key and set it up is not technically true.
03:58 You just have to use 2FA of some form, right.
04:01 It could be with like the standard 2FA you have with your phone, or maybe even SMS would work.
04:06 Although SMS is a sketchy, but better-than-nothing, form of 2FA.
04:10 Like if I'm going to go get a bank account.
04:13 If I'm going to.
04:13 Some people.
04:14 Yeah, go ahead.
04:14 Sorry.
04:15 Some people say that SMS really is like a pretty insecure version of 2FA.
04:19 So I think having some type of key.
04:22 And they say like, yeah, it would be better.
04:25 But like at the same time, if you don't have any 2FA, there's still another step.
04:29 They've got to hack your SMS.
04:30 (laughs)
04:31 somehow to get through the SMS stuff, which is better than just like, they just guess your password or they get it from a password breach.
04:37 So even for all the criticisms of SMS as 2FA, it's still not a negative, it's just not nearly as good as the other options.
04:46 - I'm just chuckling 'cause I just got an email last week, was it on the 8th of July, saying, "Hey, you're a maintainer of a critical project," and they want me to set up 2FA, and I just haven't read it yet.
05:04 So I like, this is news to me.
05:08 And it's a pytest plugin I've got that supposedly is a critical project.
05:12 Go figure.
05:13 - Oh, that's awesome.
05:14 The definition, people are wondering, I saw Will McGugan asking on Twitter, like, does anybody know what this means?
05:19 I got this too.
05:21 The definition from what I understand is you are in the top 1% of downloads for a moving six month window.
05:28 So in the last six months, your project is in the top 1% of most used, most downloaded packages.
05:34 So congratulations, that's awesome, Brian.
05:36 (laughing)
05:38 - Cool, I guess I'll read the email more closely now.
05:42 - Yeah, perhaps.
05:43 Actually, do you know what happens if you just are like Brian, like I don't, spam, doesn't matter to me, just ignore it?
05:50 - That's a good question.
05:51 I guess eventually they'll probably not let you upload if you don't enable it.
05:55 Like next time you go to log in or upload a package, it'll just say, hey, you have to turn on 2FA.
06:00 'Cause like you said, you don't have to have the key, you just have to have 2FA on.
06:04 - So I clicked on the manage and it says, I've got a little big banner up.
06:09 I'll just pop to it right now.
06:12 Oh, where's it on here?
06:14 We'll go ahead and show this.
06:15 I get, this project is included in the two factor mandate for critical projects.
06:21 In the future, you will be unable to perform this action without enabling two factor auth.
06:26 So I think you're right.
06:28 I think it's just going to kick me out of being able to do anything with the project if I don't enable this.
06:35 >> Yeah.
06:35 >> Interesting.
06:36 >> Interesting. This is cool, Brian.
06:38 One, I think Teddy's right out there, like congrats, Brian's on fire.
06:43 pytest-check, by the way, for people listening, is the plugin.
06:46 But it's cool to see it live, to see what's happening.
06:48 So this apparently is what maintainers get.
06:51 I'm with you, I think what's going to happen is you won't be able to upload with Twine anymore, you won't be able to log in, you won't be able to make changes.
06:59 It'll just force you down a 2FA path.
07:01 >> Yeah, I read that you still can upload because people want to do, I know there were some people initially concerned about like, how do I do automatic uploads from my CI system or whatever?
07:09 You can do it if you get a token, but you have to generate one of those tokens with your 2FA enabled account to do that.
07:15 >> Right. That happens with all the 2FA accounts.
07:18 You can no longer use your GitHub password on a CLI.
07:23 Once you set up GitHub 2FA, then all of a sudden you've got to go create an app, give it a name and get it like an API token for it and stuff like that, right?
07:30 I think that's OK.
07:32 Yeah. So, Brian, let's ask you, like, how do you feel about that?
07:35 Does this seem like a big burden to you?
07:36 Are you OK with this or?
07:37 You know, I'm OK with it because I think it's securing the supply chain.
07:43 I mean, I've already enabled the two factor authentication on GitHub, and I've got, you know, a bunch of banking stuff that I have on, you know, multi-factor authentication and stuff.
07:54 So I'm waiting for 12 factor authentication, but that might be a bit extreme.
08:01 All right.
08:02 Now you put your small pinky toe onto the key reader over there, and then you hold down this key with your other finger and then put your face up.
08:09 Yeah.
08:10 An optic scan, a blood scan.
08:13 You got to have, you know, deposit a urine scan and all sorts of stuff you got to do.
08:18 Good night.
08:19 No, I'm not.
08:20 I've drawn the line there.
08:21 I'm not doing it.
08:22 So, no, but I'm, I'm fine with it.
08:26 I, I don't know the details yet though.
08:29 If I've got to get a hardware key though, I'm going to be a little upset.
08:32 I think, I don't know.
08:33 Well, they might give you one for free, but yeah, even getting one for free, I feel like I'd be like, I'm not a hardware key guy, I don't know.
08:40 Yeah.
08:41 Well, what if I lose it?
08:42 So yes.
08:43 First of all, let me preface the statement with, please don't email me.
08:47 It's if we disagree on this, it's fine.
08:51 Just don't email me.
08:52 We can just agree to disagree, but I am personally not a fan of 2FA hardware keys.
08:57 Because what if you lose it?
08:59 It's really bad.
09:01 Now all of a sudden, what if I'm traveling and the website is down and I've got to log into the ISP, the cloud system to make a change.
09:11 What if I forgot to bring the key?
09:13 Or what if I do bring it, then I lose it?
09:15 The act of having a physical key that has to always be with you.
09:19 Do you take it with you when you go swimming?
09:21 I mean, that's a little extreme, but like, if you're going to go to the beach and you might need it, what are you going to do?
09:25 And then if I only have my phone, I can't plug the key into the phone.
09:28 I don't know.
09:29 It just, it seems like I certainly know why you would have it at like, if I worked at a bank and I needed to get on the VPN and I needed to have that permanently stuck in my computer.
09:38 Fine.
09:38 But as a broad based solution, I feel like things like Authy, Google Authenticator, the Microsoft, whatever it's called, all those things.
09:47 I think they still provide a pretty strong level of security while being able to travel with you and being able to synchronize across devices that you might not always have them with you.
09:55 So, yeah.
09:57 When people say, "Oh, it's such a hassle to get these keys," like, you could just set up Authy.
10:00 You know what I mean?
10:02 Yeah, I use Authy too.
10:04 I'm also, I'm a little freaked out by the hardware keys.
10:06 I did find it interesting in the giveaway actually, I think they give you a coupon to get two so that, like, you could get two in case you lose one.
10:14 But that to me is exactly why I don't want one.
10:17 (laughing)
10:19 - Exactly, well, okay, so I've got one plugged into my computer and I put one into the closet.
10:24 If the house burns down, what am I gonna do?
10:27 I mean, I'll probably, I'll grab my phone and run, maybe if I can get to it, but I'm not gonna go rooting around for a hardware key.
10:32 I'm just gonna get out, you know what I mean?
10:34 There's just all these like sort of weird edge cases that to me, I'm just like, I don't really wanna end on one of these hardware keys.
10:41 - Yeah, Brian's gonna have to go to the bank in his safe deposit box just to upload a new pytest check.
10:46 (laughing)
10:47 - Yeah, exactly.
10:48 - All right, I turned both keys to the right on three, two, one, chink, okay.
10:52 V1.2 is out.
10:54 Yeah, okay.
10:55 - But I would just point out the article here from Armin Ronacher, which was super interesting, I think.
11:02 And this kind of gets into, it'll probably lead us into the next topic here of why there was a little bit of controversy around this.
11:08 And I think it wasn't so much that people are resistant to two-factor.
11:12 It's more this designation of packages as critical.
11:15 And I don't know if that's just because like critical is a bit of a loaded term or it ended up feeling a little bit like a popularity contest, but yeah, I think it's pretty clear to me that PyPI wants to, you know, which is an open source project itself, right?
11:27 wants to eventually probably roll this out to everybody and maybe doesn't have the capacity for that right now or something.
11:32 Yeah, I totally agree.
11:34 And Armin is quite interesting, and he comes down a little bit, you know, in the middle: like, I see the value, but also I see why people are a little bit frustrated with this. He does talk about this thing that the Rust community has, you know, hat tip towards topic four as well, called cargo-vet, which is the idea of vetted packages and unvetted packages. So when you pip install something, you could say something like, do I only want to allow the higher vetted packages? PyPI doesn't have this at the moment, but other package indexes do. To me, again, coming back to the hardware thing, I feel like people saw this and they thought, I've got to go to this hardware key.
12:14 Like this seems like, I can't believe you're forcing this on me.
12:17 If you're a software developer in 2022 and you don't have any form of 2FA set up, that's, I feel like those are the people who got really frustrated.
12:24 But at the same time, like what are you doing on the internet in 2022 without at least a few things on 2FA?
12:32 My Authy account has something like 46 different 2FAs in there.
12:37 And 1Password has like a thousand accounts.
12:39 I don't know.
12:40 It doesn't seem like a huge burden to hold up your phone, scan a QR code and carry on.
12:45 But if you're not in the 2FA space, and especially if you perceive that to mean I gotta get into the hardware 2FA space, I can see why people would see this as frustrating.
12:54 And with that, maybe it's time to just move to the next topic, number two, which is PyPI moved to require 2FA for critical projects, which is this here.
13:03 But what's really interesting is there's sort of talking about the challenges.
13:07 And one of the things that happened is there's this project called atomicwrites, which was designated as critical.
13:15 atomicwrites, what it actually does, it's pretty straightforward, is it lets you use a context manager to write to files atomically.
13:25 So you can write to the file, write to the file.
13:27 If there's some kind of crash or mistake or bug or something, it won't actually change the file.
13:34 So normally you would just do like while true start writing.
13:39 And if something crashes, like you'll have a half written file.
13:42 So this is kind of cool.
13:43 It says, what are you going to do is use a context manager, open a file, we're going to write to a temp file.
13:47 And then when you exit the context manager successfully, we're going to apply all those changes by doing an overwrite move type of operation at the OS level.
13:56 I don't know how truly atomic it is, but it sure is better than writing line by line, right?
14:00 And certainly it has the data safety aspect, which is pretty cool.
14:04 Anyway, apparently people use this as in 127,839 packages.
14:10 Maybe that number was higher not long ago.
14:13 Packages, projects on GitHub use this.
14:16 I guess not packages, but projects, many of which were packages themselves.
14:20 So this guy, Markus Unterwaditzer, said, you know what, this is really frustrating to me.
14:30 I don't want to set up 2FA.
14:31 So I'm just going to unpublish this, take it down.
14:35 And so don't know exactly what the chain of events was.
14:39 I think something happened to the GitHub repository getting deleted, which then triggered, maybe also somehow triggered a delete of all of the historical PyPI packages.
14:50 Whatever the steps were, it erased all the historical PyPI packages.
14:56 So imagine your project has a dependency on atomicwrites and your requirements.txt or pyproject.toml or whatever says equal equal, what version are we on?
15:06 We've got some releases here.
15:08 There's no releases anymore, so I can't tell you.
15:10 But if you had like some concrete number there, it would say, pip would say, can't find that, sorry.
15:15 And so all sorts of things started breaking.
15:18 Continuous deployment, continuous integration, a bunch of PyPI, pytest package tests and automation and stuff.
15:26 Brian, maybe you saw some people going, what's going on with this thing?
15:29 I didn't really notice it, but.
15:31 - You'd only notice if you depended upon this and had set up automation, right?
15:36 Like basically check out your code, install the dependencies, run pytest.
15:40 But people were like, these tests used to pass.
15:42 Why are they no longer passing?
15:43 And it's 'cause pip couldn't install this project that Marcus got a little frustrated with and deleted out of PyPI.
15:50 So that's interesting, right?
15:52 Like, should he have done that?
15:53 I don't know.
15:54 Here's his sort of comment saying, here's what you got, and it says, PyPI just told me to enable 2FA to keep uploading this package, because I thought it was annoying and entitled to guarantee the software compliance for a handful of companies.
16:07 Basically, his take was, you're making me secure the supply chain so that large banks and other companies that care about it will feel better.
16:16 And you're making me do extra work, again, that I think the confusion about hardware, moving to hardware 2FA versus just scanning the QR code with your phone.
16:25 Anyway, you're making me do extra work, And so I deleted the packages.
16:28 Apparently, I deleted all the old versions, sorry.
16:32 Those have been restored by directly working with, I believe, Dustin Ingram from PyPI.
16:38 So if you go down here somewhere, it says, no, sorry, Donald Stufft, just the one here.
16:43 But yeah, it shows you, I guess, unintended consequences.
16:47 Hey, we're gonna make atomicwrites a little safer.
16:49 Maintainer of atomicwrites doesn't like that.
16:51 Deletes it, makes everything break.
16:53 Ashley, what's your take on this?
16:54 You've been tracking it.
16:56 Yeah, I mean, I find it really interesting.
16:58 It gets to the whole, you know, what is the sustainability of this giant open-source ecosystem that we have?
17:04 I know, I think in the show notes, you refer to this as Python's left-pad incident or something like that, which is sort of a throwback to a very similar thing that happened in npm recently.
17:15 And there was another one recently, like at the start of the Ukraine war, basically, where someone, I think, pulled their package and put in something that was like protestware or something like that.
17:27 It tried to delete all the data off the hard drives if it detected you are in certain countries or something, which is a pretty, pretty rough and pretty extreme measure.
17:39 Right. What what if you were working to collect data about trying to help Ukraine, but you happen to be in this other country?
17:47 I mean, this is.
17:48 Yeah, it's just overstepping, I think, a little bit unintended consequences.
17:52 Yeah, but this is like, I mean, we're working in industry and having to pin our packages and stuff.
17:56 This is something that, you know, we kind of already protect for by mirroring, you know, I think most people with, I'm going to use critical not in the way that's being used here, but like when you have a project and you're using all these dependencies, it's kind of also on you to know that like, well, the supply chain, I mean, PyPI doesn't have a permanent retention policy.
18:14 Maybe it should, but that is going to lead to, you know, potentially much even bigger hosting costs and everything for what's already a really expensive project.
18:21 We run into the same thing with like packages from Ubuntu and stuff like that as well.
18:26 Not that they get pulled in this way, but they'll bump versions on us that, you know, and especially in a regulated industry, we can't just update dependencies whenever they come out.
18:35 So, yeah.
18:36 It wouldn't surprise me to see PyPI become immutable.
18:39 Once it goes up there, like you can't change it.
18:41 Yeah, or more so, right?
18:43 Yeah, I would expect it to be more of a request thing.
18:45 You put in a request and say, hey, I want it, this is mine, I want to take it down.
18:49 and some review happens or something because people depend on it.
18:54 I get both sides of it.
18:57 I get that it's my thing, I should have complete control over it.
19:01 But I don't have complete control over GitHub, I don't have complete control over PyPI or the PSF, and I use those services.
19:11 The PSF for instance, they purge all of your accounts once a year or something like that. You have to re-login or recreate your account.
19:22 Projects and services change their policies every once in a while.
19:28 This is a change in policy that for some projects we're going to require 2FA.
19:33 They can do that. If I want to continue to use it, I have to.
19:37 Now, if I don't want to continue to use it, I guess that's where we're getting the question in, is what ramifications are there?
19:46 Can somebody take their stuff off of PyPI or not?
19:51 Don't know.
19:52 >> Yeah. I think if you read a lot of the conversations here, maybe we'll just close up this whole section on that.
19:58 It comes down to two different beliefs.
20:00 One, it's my code, I wrote it, I can do whatever I want.
20:04 If I don't like it, I can just delete it.
20:06 If I want to stop, I can stop.
20:08 The other one says, once you put it out there on GitHub and you've put it out to the world as here's a library that you can use and depend upon, and you publish it to the index with a clear intention of sharing it, you have a minuscule responsibility not to keep working on it, but to not destroy it for other people who are building on what you previously did.
20:28 - Yeah, I think there's a difference there too between like writing and publishing the code and publishing a package or distributing a package that's intended to be, you know, conveniently downloaded in CI and stuff like that, where you're kind of making a little bit more of a promise there.
20:41 But also, I mean, going back to Marcus's post here, it sounds like his intention wasn't to break, you know, people's existing workflows and stuff like that.
20:48 It was really, he just didn't want to be the maintainer of a critical package.
20:52 (laughing)
20:53 - Exactly, he's like, I deleted it, that fixed it.
20:55 - Yeah, and then became, I think, the sort of poster of this controversy, so yeah.
21:02 - Yeah, yeah, yeah.
21:03 If you read Marcus's Twitter, you can go back and sort of, you kind of get a sense that he's the kind of person that would not want to take that kind of stuff being put upon him or whatever.
21:12 Let's wrap it up with Teddy's comment out in the audience.
21:14 Feels like a small step to enable 2FA.
21:17 I wonder why it creates so much debate.
21:18 Feels a bit political, especially today where 2FA is required almost everywhere.
21:22 Yeah, I agree.
21:24 I think, again, I think people saw the, here's your hard work key.
21:27 Like, I don't want a hard work key.
21:28 This is so much work.
21:30 Let's move on, Brian.
21:31 That was a good one, but let's fast.
21:33 Let's get out of there.
21:34 - Yeah, fast, a harsh transition.
21:36 Yeah, let's just talk about FastAPI.
21:39 You know, anyway, don't know how to transition from that.
21:42 So that's good.
21:43 FastAPI Filter came up, it was suggested by Arthur Rio, who is also the creator of it.
21:51 And it looks pretty cool.
21:53 So he said in a tweet, "I loved using Django filter with Django REST framework, and I wanted an equivalent for FastAPI." So what this is, is this is a package you add to a project that uses FastAPI.
22:08 And with it, you get, like when you're going through the cool debug user interface stuff, you can filter stuff.
22:16 So you can, you know, it'll look at your schema and then you can, you know, filter different items and only see part of it.
22:26 And it's just pretty neat.
22:28 It also has things like, the filters support operators, like greater than, greater than or equal, less than, not in, and things like that.
22:39 So it's kind of a fun way to just filter when you're looking at your data, filter it.
22:44 And in his read me, he mentions that he's got a video and you kind of need a big screen for this, but he does have a video to show it in action, which is kind of cool.
22:56 He shows filtering some of the data and then seeing the different data output.
23:01 Anyway, just kind of a neat, nice debugging tool if you're using FastAPI.
23:05 - That's really awesome.
23:07 - So- - Actually, do you do anything with FastAPI?
23:09 Unfortunately, no, this just makes me more jealous, I think, of the people who get to use FastAPI, 'cause it's got all these cool, I mean, as a developer, I've played around with it, but it's got all these cool debug and admin interfaces, and then you see even more stuff like this kind of built on top of that.
23:25 It's really awesome.
23:26 - Yeah, absolutely.
23:27 - Yeah.
23:28 - This is a fun one.
23:29 - I'm planning on learning more about FastAPI on Michael's upcoming course, so.
23:34 - Yeah, are you gonna be able to make it, Brian?
23:38 - I'm gonna make sure I make it.
23:40 Yeah. - Awesome.
23:41 - I'm looking forward to that.
23:42 - Yeah, that's the live in-person FastAPI course.
23:45 I'm doing it about a month from now.
23:47 So should be fun. - Okay.
23:49 - Before we move on, I do wanna talk about our sponsor for this week, Microsoft for Startups Founders Hub.
23:56 They're doing super cool stuff.
23:58 As someone who has started his own small business, it is a lot of work, there's a lot of uncertainty, and knowing how to get help and having support of people who have experience is really, really valuable.
24:11 Starting business is hard.
24:12 They say that by some estimates, 90% of all the startups will go out of business in the first year, which is tough, but that's how it is.
24:19 With that in mind, Microsoft for Startups set out to understand what startups need to be successful and create a digital platform to help overcome those challenges, and that's where they got their Founders Hub.
24:30 So Microsoft for Startups Founders Hub provides all founders at any stage with free resources to help them solve startup challenges.
24:38 You get technology benefits, access to expert guidance and skilled resources, mentorship, networking connections, and so much more.
24:46 So, and unlike a lot of other similar programs in the industry, it doesn't require startups to be investor backed or third party validated to participate.
24:55 Founders Hub is just open to everyone.
24:57 So what do you get?
24:58 You get, you can speed up your development with free access to GitHub and Microsoft Cloud resources that have a bunch of credits to unlock over time so you can grow without worrying about paying for stuff.
25:09 They also help startups innovate.
25:11 They're partnering with companies like OpenAI, AI research and deployment company to get extra benefits through their partners as well.
25:19 So with the Founders Hub, it's not really about who you know.
25:21 You have this access to this mentorship network.
25:24 So you get access to a pool of hundreds of mentors across a range of disciplines, areas like idea validation, fundraising, management and coaching, sales and marketing, and specific technical stress points.
25:36 I think that might be the most valuable, honestly, is, "Hey, I need to talk to this person or somebody.
25:40 Is this a good idea?
25:41 Is this how I should be doing?" and so on.
25:42 So you can book a one-on-one meeting with mentors, many of whom are founders themselves.
25:47 Make your idea a reality today with critical support that you'll get from Microsoft for Startups Founders Hub.
25:53 During the program, visit pythonbytes.fm/foundershub or click the link in your show notes.
25:58 And yeah, thanks to Microsoft for supporting the show.
26:01 - Nice. - Indeed.
26:03 So what do you got for us next, Michael?
26:05 >> Ashley's next. I'm letting him go next.
26:07 >> Oh, right.
26:08 >> Okay.
26:08 >> Yeah, we'll scroll down to mine then.
26:10 Yeah, so I guess I think the reason I'm here, I emailed you guys after there was some discussion on the podcast a few weeks ago about, hey, we're seeing a lot more stuff built in Rust, and you had some good points about why we're seeing that.
26:25 But I thought super relevant to this podcast is this project, and in fact, this whole organization, PyO3 on GitHub, has a number of projects in here that are super relevant to Python developers, obviously.
26:39 So the main one, I think, is PyO3, which is Rust bindings.
26:43 And basically what I emailed you guys was that my hypothesis is the tooling around building extensions for Python in Rust or calling Python from Rust is getting so good and so easy that for me, I find this preferable to writing C extensions, for example.
26:59 Not even necessarily because of Rust, although Rust is a really great language I've been getting into over the last year.
27:06 But just that tooling aspect of it is really great.
27:09 So the experience is pretty awesome based on these separate projects.
27:14 So there's PyO3, which is the bindings.
27:16 And this allows you to basically use these type of things.
27:20 It's almost like a function decorator.
27:22 These are called procedural macros.
27:24 They're kind of tricky to write, but they're really easy to use.
27:27 So you just put this on there and then use this one to create a module, add your function to the module, and then if you build this file, you can import it in Python and run this function.
27:36 So the combination of the ease of writing this, and then there's another project in here called Maturin.
27:43 - Before you move on real quick, maybe for people listening, if you go back just real quick to that section you had there.
27:50 So the idea is what you do is you write some Rust code, and then you put, do you call it a decorator, an attribute, or what do you call that hash?
27:59 - It's called a macro.
28:01 Yeah, a procedural macro, but you can just call it a macro, yeah.
28:04 - Yeah, so you put the macro onto functions.
28:07 There's one function that defines the module.
28:09 And then in there you just say, here are basically all the things I'm exporting from Rust over to Python.
28:15 And those are just the ones you wrap with the macro, right?
28:17 - Mm-hmm, yep, yeah, exactly.
28:18 - Assuming that writing Rust for you is straightforward.
28:22 This is a really simple addition.
28:23 - Yeah, and I think, you know, once you have this kind of, you know, there's a little bit of boilerplate in here, but these macros reduce the boilerplate so much that once you're in the function, in fact, I think this is like a really cool way to get started with Rust, because some of the really steep learning curve in Rust is when you're building larger projects and you have to deal with, you know, strict typing and lifetimes and all these scary things that, you know, Rust can do, but like you're limited to just a function scope, 'cause that's what you're calling from Python.
28:50 I think it's a kind of a cool way to get started and just get familiar with the syntax.
28:54 Interesting.
28:54 Yeah.
28:55 Yeah.
28:55 And yeah, I think part of the reason these tools are so great is like the whole Rust community puts a lot of value on tooling. It's a relatively young language, so from the start I think it had this sort of, you know, attitude of building good ergonomics for developers, having good, you know, a single command-line tool kind of that can do all these different things. And so this group that maintains PyO3 has also created this tool called Maturin, which feels to me a lot like Flit, you know, like the super lightweight wheel builder.
29:26 And so you see here, you just run maturin develop with this project structure in here.
29:30 It also has like a maturin init, I think, which will create a new project for you.
29:34 And then you see here this develop will actually give you some output, whatever, 'cause it builds a wheel and then installs it in your virtual environment.
29:42 And so you can see here, you just call into that code and then this is calling Rust code for you already.
29:47 - Oh, cool.
29:48 - That's really nice.
29:49 So have you built things that you've released or are backed by Rust?
29:54 Not released, but I've done some hobbyist things and then also some stuff for work as well.
30:03 Some small pieces of, mostly I work in, I came from a scientific background and I now work for this, like I said, a portable MRI startup, so our whole thing is like Python from top to bottom, which is really cool.
30:15 But for those performance-critical numerical computing things, we use a ton of NumPy and TensorFlow, but then also some C extensions, and I've been just kind of playing around with converting those to Rust, and this Rust NumPy is another one of their projects here that makes it really easy to write a function that'll take a NumPy array, basically, and do some calculations on it.
30:36 - Oh, fantastic.
30:37 Rust NumPy.
30:39 Is it like an interoperability layer between Rust and NumPy?
30:43 - Yeah, it pretty much just lets you take NumPy arrays from Python into your Rust functions that you're creating with PyO3, and then also create NumPy arrays and return them from those functions.
30:56 And it depends heavily on ndarray, which is a pure Rust project here for n-dimensional arrays and computation, so which is probably more analogous to what actually NumPy itself is, but in the Rust ecosystem.
31:08 - Okay, very cool. - That's pretty cool.
31:10 - So why Rust over C?
31:14 - I mean, I think it's, I was mentioning to you before, like, you know, the Rust community is really excited about Rust.
31:21 Like everyone who tries it likes it, I think.
31:23 It's topping the charts in all these most loved programming language surveys and stuff like that from Stack Overflow and everything.
31:30 It guarantees, it provides some more stronger guarantees around memory safety while still maintaining high performance, so that comes at a cost of a little bit of complexity and learning curve.
31:43 It also happens to, with those memory safety things, come with what they call fearless concurrency, where the typing system can prevent you from creating race conditions and actually warn you about them or fail to compile at compile time.
31:57 And so I find the trade-offs between memory safety and performance and ease of use to be really interesting between Rust and Python.
32:06 They make completely different choices, but both sort of with similar things in mind.
32:12 Python sacrifices some performance for ease of development, but still wants to be memory safe, right?
32:16 Like if you're getting a seg fault in Python, you're calling into something and doing something wrong.
32:21 It's hard to do that with pure Python code, right?
32:23 And same is true of Rust.
32:24 It's like if you're not writing what they call unsafe code, where you have to kind of wrap it in a block that's actually called unsafe, you shouldn't end up with those type of problems.
32:33 So it's kind of cool to see those two things.
32:36 And then when you really do need performance, you can drop into this sort of lower level language.
32:40 Maybe it's a little bit steeper learning curve, but you'll get the performance and you don't have to sacrifice that memory safety to get it.
32:46 - Yeah, fantastic.
32:47 Brian, you do more C stuff than I do these days.
32:50 What do you think?
32:51 - There's some bottleneck stuff, things that I use Python for that we do have like large amounts of data passing back and forth.
32:59 And I don't, I mean, normally Python isn't the bottleneck, but sometimes it is.
33:05 And there are cases where I'm, I was just Googling some stuff right now trying to figure out if I can apply Rust to some of these things.
33:13 Because actually, I think that's what Ashley pointed out is fascinating, is this might be a really great way to learn Rust is to try to solve one of your bottleneck problems in Python with Rust.
33:28 And I mean, I'm comfortable with C as well, but even though I've been using it for decades, I'd rather, if I can use something else, I would like to try.
33:39 - Something a little more modern.
33:40 I totally agree.
33:42 - And yeah, you're right that, oh, I need to implement these three functions in Rust and then plug them into Python.
33:48 That's different than I need to completely learn Rust so I can just do this whole project in Rust.
33:53 - Yeah, it's a narrow scope, kind of a cool way to try to learn something.
33:58 - Yeah, and these projects have a ton of great examples.
34:01 A few of them have user guides and stuff like that.
34:04 So plenty of material there to get you started.
34:07 - Nice. - Cool.
34:08 - Cool, yeah, very good one.
34:09 Thanks, Ashley.
34:10 - Right, have you ever heard that regular expressions are easy?
34:13 - Yeah.
34:13 (laughing)
34:14 - Yeah, not me.
34:15 But here, Brian, let me type something.
34:17 I'm gonna type this.
34:18 I'm gonna say, okay, I want a dot plus, and then I want, I'm gonna write the word fun.
34:24 I'm gonna write, is it backslash D plus?
34:29 I don't even know if that's a proper regular expression, but what does it do?
34:32 So I wanna introduce you to this site called AutoregX, and this comes to us from Jason Washburn.
34:39 Thank you, Jason, for sending this over.
34:41 And the idea is I can put a regex in here and hit go.
34:45 Wait, hold on.
34:46 Let me just do this one.
34:48 Do a simple one for a second.
34:50 What am I missing here?
34:51 - I think you have that it's backwards.
34:53 You're going English to regex.
34:54 - Yeah, yeah, yeah.
34:55 So why was it doing that?
34:56 That was, yeah, so first of all, yeah.
34:59 Okay, so let's start with that direction.
35:00 That's the default direction it pulls up.
35:01 So what I can do is say, I want a regex that starts with fun, then any number, right that, okay.
35:09 And so then it says, well, you know what?
35:12 What you want is, caret fun dot star regex.
35:17 Mm-hmm.
35:19 Is that right?
35:19 It's not quite right.
35:22 Well, this is start.
35:23 Starts with.
35:24 But dot star, I think, is any character, right?
35:26 Yeah.
35:27 Oh, then how about-- yeah, it's not perfect.
35:30 Then the same numbers.
35:31 There you go.
35:32 Oh, there you go.
35:33 Yeah, you've got to-- it's not perfect at understanding English.
35:36 But I wrote an English sentence to it.
35:38 And it came up with a regular expression.
35:40 It says, disclaimer, all outputs are generated by OpenAI's GPT-3.
35:45 Sometimes it makes sense, sometimes it doesn't.
35:47 But you could also do the reverse.
35:49 - Yeah, let's do the reverse.
35:50 - All right, I'm gonna make, I'll try to go back to my other one.
35:52 I'll say, caret, then dot plus, and then fun, then backslash, let's try that, and do it in reverse.
36:01 So, I'll run it again, and you wait for a second.
36:03 It says, the regular expression means the string must start with any character, then there must be one or more characters before the substring fun, and then there may be any number of digits after the substring fun.
36:14 What do you think about that?
36:15 It's not quite right.
36:16 I think it only matches one number.
36:17 - Yeah, maybe it only matches one.
36:18 - Yeah, yeah, but still.
36:20 - The trick for me too is that regular expressions are like different depending on your platform.
36:24 That's what always tricks me up.
36:25 I'm like, which one is this?
36:27 - So this is a really cool tool to almost understand regular expressions.
36:31 - Yeah, so here's how I would perceive this.
36:34 I would say, I wouldn't use this and just go writing all my regular expressions.
36:39 But if I'm like, I really don't know how to get a regular expression to do that.
36:43 You could go write the English sentence and it might come up with either the right answer or something close enough that it's like, you know, okay, I see where it's going now.
36:52 It's not quite matching, but let me, I would call this more of a guide or like a signpost along the way, not the tool to build it.
37:01 - I could see it being super useful with like, I think there's a site, Regex or something like that where you can basically write a bunch of test cases and then your regex and have it run against them all in your browser and see it right there.
37:14 And that's like, when I have to write regular expressions, that's how I do it.
37:18 Like write a bunch of tests in here and get it to work.
37:21 I maybe should be writing the tests in my own code and actually putting them in as tests, but I do it in this.
37:26 But yeah, if you kind of integrate those two tools together, I could see this being useful.
37:30 - Okay, yeah, for sure.
37:31 We take the example one over here and we could put it into this there and see what it says.
37:36 So the regex is create a group that is a word and then you got a piece, at least some white space there.
37:42 What do we get if we run that?
37:43 The regular expression matches any word that begins with an uppercase letter.
37:46 That's pretty cool. - Pretty cool.
37:47 - It does. - Yeah.
37:49 - Anyway, fun, people can check it out.
37:51 More regex fun, thank Jason for sending that in.
37:54 And then Ashley, you also pointed out that Simon Willison wrote an article on this.
37:58 I don't know anything about this.
37:59 I just saw this in the notes.
38:00 - Yeah, he was actually, so it's sort of related 'cause it's GPT-3 and code, and I mean, even this first one has some regular expression stuff in it, but I guess there's a mode with GPT-3, I haven't really played with this, but you can like paste in code and then start asking it questions about it, like in a sort of conversational manner.
38:17 And his blog post I thought was really cool.
38:20 One thing I did see pointed out was similar to what we were just talking about is apparently the AI model, like the chatbot, can be very scarily confident in its answers, and sometimes it's very confidently wrong.
38:32 So you have to not be lulled into the false sense of security there.
38:36 Yeah, for sure.
38:37 Cool.
38:38 You definitely do have to take it with a grain of salt.
38:39 All right, Brian, close us out here.
38:42 Okay, so Philippe sent us this next topic and he's working for Python Anywhere.
38:51 So anyway, he's one of the insiders.
38:54 Anaconda acquires Python Anywhere to expand the Python team collaboration in the cloud.
39:00 So not expand the team, expand Python team collaboration.
39:05 So this is an interesting, we're linking to an article from Anaconda press release just saying, yeah, we bought Python anywhere or, you know, acquired them.
39:17 So it's interesting.
39:19 I think I'm going to jump to another thing before I guess give my feedback.
39:25 One of the things here it says from the announcement, the acquisition comes on the heels of Anaconda's release of PyScript, an open source framework for running Python applications with HTML. We've covered that. The Python Anywhere acquisition and the development of PyScript are central to Anaconda's focus on democratizing Python and data science. So I'm going to be optimistic and not pessimistic on this. I think hopefully it's a good thing. And then on the Python Anywhere side blog there's a FAQ about the acquisition, and it kind of goes through the whole process of it from the customer standpoint: will this affect my account, will the billing change?
40:07 Basically, they're going to keep everything the same, at least for now.
40:11 But hopefully, it will expand its services and stuff and make things better.
40:15 My personal take on it is that I'm hoping-- Python Anywhere is a cool idea, but I haven't seen much from them lately.
40:23 So I'm hoping this will breathe some life into Python Anywhere.
40:27 I'm not saying it's dead, but I just, it'd be cool to see it grow.
40:31 - Fun fact, Talk Python itself started out on Python Anywhere for a month or so, because I'm like, I want to get this up, and it's kind of complicated to figure out all the Linux, Nginx stuff, and it seems real easy to just fire it up over here, and it worked great for a while, but eventually moved off as like, you know, started doing 15 terabytes of traffic a month.
40:51 Yeah, so anyway, I'd love to see that coming along.
40:55 That seems great.
40:56 Let me share also one more other thing.
40:58 So on the screen I have python.org and it shows you a code sample.
41:02 Has anyone clicked this little thing up here on the right?
41:05 This little shell looking thing?
41:08 - Yeah, I have before, but I don't remember what it does.
41:10 - Watch.
41:11 - Oh, nice.
41:13 - So it opens up a Python REPL.
41:15 That Python REPL is running on Python Anywhere.
41:18 - Yeah, and one of the cool things about Python Anywhere is this ability, this ability to just like run it from any device.
41:23 So you can run this from a tablet or Chromebook or something without installing anything.
41:29 And that's neat.
41:31 I'd like to see that expand.
41:33 Cool idea.
41:34 - Yeah, it sure is.
41:35 And I can see how this pairs with PyScript.
41:36 So this is in my browser, I can just run Python and get a view into a REPL.
41:42 But with PyScript, I maybe just move the execution to the front end as well.
41:45 So they're kind of related in that regard.
41:47 - Yeah, there's a few things--
41:48 - Go, Brian.
41:49 - No, there's a few things I'd really love to see Python Anywhere change with this. Currently, Python Anywhere doesn't support Python 3.10.
41:58 Hopefully, we can get that updated.
42:01 It doesn't, you can run WSGI apps but you cannot run ASGI right now.
42:07 No FastAPI on there.
42:10 Hopefully, that will be fixed.
42:12 Then also the free plan doesn't allow you to do Jupyter Notebooks.
42:18 I'm guessing with Anaconda in there that might be changing.
42:21 - Probably will.
42:23 I suspect it would.
42:24 All right, how about extras?
42:25 Got just a couple minutes left for those.
42:28 - I've got nothing.
42:29 Ashley? - Nothing?
42:30 - I had a couple in here.
42:32 Not a whole lot to say about them, but that's I guess why they're extras.
42:36 PEP 691, there's a new JSON-based simple API for PyPI, so more PyPI news there.
42:43 This is like for tools like pip, I guess, that are sort of indexing packages and stuff like that, or going to search for packages.
42:50 will now be able to parse JSON instead of, I guess up until now they've been parsing HTML, which was a surprise to me.
42:55 - You can go to somewhere, yeah, you go somewhere on pypi.org/something simple, and you just get a wall of links, and you get like 350,000 links, which is not an ideal way to, like it doesn't seem like the best stage format.
43:09 - It's cool 'cause I guess it can be like, it can serve those as static files, right?
43:13 So that's why, like instead of having, you know, dynamic web app, you have to worry about load and all this stuff, it's just like an Nginx server pointed at a huge directory.
43:20 But this allows those same servers, I guess, to serve JSON instead of HTML, which is neat.
43:25 Yeah.
43:26 Great.
43:26 And then rich-codex is a tool for like automatically creating these terminal screenshots from stuff in your documentation, mostly.
43:36 I thought we can't have a Python Bytes episode without something related to Rich.
43:40 Right.
43:41 So, that's right.
43:42 That's right.
43:43 Check this out.
43:43 If you've got, if you're using Rich and wanna, you know, make some screenshots that stay up to date with your code.
43:50 - Yeah, some color coded code blocks in your markdown.
43:54 Yeah, for sure, very nice.
43:55 All right, I just have a quick one for an extra here.
43:59 There's an article on DevJobs Scanner, the top eight most in demand programming languages.
44:05 So we've got JavaScript, TypeScript is number one, but Python number two.
44:09 I bring this up because I was doing a live stream on Talk Python and somebody came along and said, "Hey, should I still be learning Python?
44:15 "I heard that it's really hard to get a job and there's not a lot of interest in that."
44:19 So, yeah, well, anyway.
44:21 I'm not sure what else you choose.
44:23 And again, this JavaScript stuff, it's like being a full stack CSS developer.
44:29 You might have to have JavaScript skills to do Python stuff, or to do ASP.NET, or to do whatever else, right?
44:37 JavaScript is unique in the sense that a lot of times it's paired with other things, whereas those other things are often more standalone.
44:44 You know what I mean?
44:46 Maybe the fact that JavaScript is up there 'cause like every other language below it also needs JavaScript plus, I'm not exactly sure what the metric is here, if this is like how you pull that out.
44:56 But anyway, take it with a bit of grain of salt, but I think this is pretty good.
45:00 All right, are you all ready for a joke?
45:02 'Cause Brian, you have started something.
45:04 - I have, okay.
45:05 - You have.
45:06 So remember we had the, don't remember what the exact topic was, but we talked about this, Oh, this was what is the junior dev see themselves doing in five years and senior dev.
45:18 So this woman, Netta, she has just an amazing set of jokes.
45:25 And so you're going to be hearing more than one of these.
45:28 But let's look at this one.
45:30 They're so good.
45:31 They're so good. I'm obviously linking to the show notes.
45:33 So here's an example of people.
45:36 I think what the story is here is these two women, they live in this apartment complex and they're in an elevator with some of their neighbors.
45:46 There's this older woman says, "So what do you girls do for a living?" One of the women says, "I'm an architect." Oh, and Netta, she's a programmer.
45:54 You just see the crap emoji, like, "Oh, no." Later on, Netta receives a knock at the door, and this old woman is like, "There's a problem with my phone." Then there's another guy with a beard that shows up, which is showing the laptop to her.
46:08 Then there's a whole line of people with printers, and all kinds of stuff.
46:13 Just basically, oh, you're our tech support now.
46:16 - I so have lived this.
46:18 - Yeah, I have too.
46:20 Ashley?
46:20 Oh, go ahead, Brian, sorry.
46:22 - Yeah, no, Ashley, do you get this?
46:25 - Not so much anymore, I guess.
46:27 But this was definitely my experience in the dorms, I remember.
46:32 - Well, I mean, now you could say, I work on MRI machines and nobody will ask you.
46:35 They don't want you to fix it.
46:37 They don't have one, so.
46:38 - No, they'll start telling you their medical problems and stuff like that.
46:42 - So my first job out of college was with HP.
46:45 I was working with satellite test systems, but everybody just heard HP and wanted me to figure out how to configure their computer or their printer.
46:56 Can you get my printer on my network?
46:57 - Brian, and it's really gotten slow lately.
46:59 I get a lot of pop-ups.
47:01 - Like, no, I don't know how to fix that.
47:04 - On purpose.
47:07 I don't know how to fix that.
47:10 - Awesome, well, that's all I got, Brian.
47:12 - Okay, well, thanks for the joke.
47:15 I love that one.
47:16 We could have more of these, yeah.
47:17 And thanks, Ashley, for joining us.
47:20 And I really appreciate you talking about the Rust Python stuff.
47:27 We've been curious about that.
47:29 It's cool. - Cool, yeah.
47:29 Really happy to be here.
47:30 Thanks for having me on.
47:31 - All right, well, bye, everybody.