Brought to you by Michael and Brian - take a Talk Python course or get Brian's pytest book


Transcript #392: The votes have been counted

Return to episode page view on github
Recorded on Wednesday, Jul 17, 2024.

00:00 Hello and welcome to Python Bytes where we deliver Python news and headlines directly

00:04 to your earbuds. This is episode 392, recorded July 17th, 2024. I'm Michael Kennedy.

00:12 And I'm Brian Okken.

00:13 This episode is brought to you by Code Comments, an original podcast from Red Hat. So thank you

00:20 to Red Hat for supporting the show. We'll tell you more about them later. You can follow us on

00:25 Fosted on. The links for Brian, me, and the show are all in the show notes. And you can also follow

00:31 us on X if you wish. I know some people have not yet made the transition. What are you waiting for

00:36 people? Come on. And finally, before we jump into it, we are super excited that people are signing

00:41 up for the newsletter. Check that out. Just go to pythonbytes.fm. Click on the big newsletter

00:45 button in the middle. Put your email in. You'll hear about cool stuff. We'll hear, get the show

00:48 notes, but you'll also get announcements that we might send out and other things, live events,

00:54 who knows. So sign up, be in the know, and we'd love to talk to you there and we won't share.

00:58 Brian.

00:59 And we were going to do a contest or something.

01:01 Yes, we're going to do a contest. The numbers are growing and we reach a monumental number.

01:08 I'm pulling up my list monk management here. Ooh, we are close. We're getting quite close here. So

01:14 yeah, we're going to do some kind of contest.

01:16 Do some giveaways.

01:16 Yeah. Some kind of giveaways. We'll see what that is.

01:19 The 2024 PSF board election and bylaw election. The election happened and the results are in

01:25 already. So it happened pretty quick. And nobody's demanded a recount yet. So that's good.

01:31 I guess we don't do that in the PSF. But so new board members, Tanya Allard,

01:37 Quan Hei Bay, and Christian Moriera-Fredes, I think. But congrats to the three new board members.

01:47 Super awesome. Should be fun for you. One of the things in this announcement was that the,

01:54 where was it? Basically it says, what's next? If there's four, here it is at the bottom.

02:00 There's four seats open again next year. So it might feel early, but if you're kind of thinking

02:06 about running for the board, it might not be early to think about it now to get ready and think about

02:11 what you want to propose and stuff. And they suggest reaching out to one or two current board

02:19 members to ask them about their experience before throwing your hat in the ring. So

02:24 it actually sounds pretty interesting. So anyway, so the three new board members, congrats.

02:30 And then also all of the PSF bylaw changes passed heartily, like with a big margin. So let's take a

02:38 look at that a little bit. So the, Oh, let's look at what they are again. So there were merging,

02:43 contributing and managing member classes. That's, it seems like a no brainer. I'm glad they're

02:48 doing that. Simplifying the voter affirmation process by treating past voting activity as

02:53 intent to continue voting. That makes sense. Yeah, I like that one. Cause in order to vote,

02:58 you have to attest that you're interested in voting for some reason now, which is funky.

03:03 Would sell. Well, well also, I mean, it makes sense for like counting it. Like, you know, if,

03:08 if, if we just send it to everybody and just what, give them three weeks to vote. I mean,

03:12 it's, it's how long do you have to wait? The, I don't know, make it's, it's all right. Now,

03:18 if you voted this year, you'll automatically be able to vote next year. That makes sense.

03:22 And then the third one of allowing for removal of fellows by a board vote in response to code

03:30 of conduct violations. That was there was a lot of controversy on the chat and stuff and in the

03:36 mailing list. However that third, third one and all of them, the third one passed like by a huge

03:43 margin. Second one, also huge margin, first huge margin. So it's, you know, smaller margin for

03:51 three, but basically still most people are for it. And I was for it too. And I, I trust our board.

03:57 So I think it's a good thing. So if you want to read more about all of these there's a link to

04:03 all the different bylaw changes so you can read more about them if you want to.

04:08 - Yeah, cool. Very cool. Hey, I do have a quick comment here. So these the, the number of people

04:14 who voted are in the hundreds, like 300, 400, something like that. There are millions of Python

04:20 developers, literally millions. There's plenty, tens of thousands of people who just listened to

04:25 this podcast who are in, in the know and interested enough. Vote guys and girls.

04:31 - Yeah. Yeah. Be part of the community by voting. It's a, it's a good way to every voice heard.

04:37 I also really enjoyed this year, like, and I do this every year of actually reading about the

04:42 different, reading all the different board candidates and what they've done. It's kind

04:47 of a neat way just to like catch up on some people and what the, what their contributions

04:51 to Python are. So. - Catch a little zeitgeist. Where, where's the whole community going in a sense?

04:57 - Yeah. - But not as much as if you listen to Python Bytes every week, because then it's like

05:01 the rapids of zeitgeist. You can barely stand it. Speaking of barely standing it, imagine if you

05:06 were on Saturn doing, doing data science. - Well. - Okay. So we obviously know about Jupyter, which

05:14 is our biggest planet, clearly, but Saturn is pretty big too. And it's cool. It's got cooler

05:19 rings than Jupyter. So better for data science. I don't know. Okay. Seriously, this is Saturn and

05:25 it's a modern Jupyter desktop application for macOS. - Cool. - Pretty cool. So it's like super

05:33 minimal. It has a bit of a, not a JupyterLab. That's too close to the real Jupyter, but just

05:38 the Jupyter notebook style, like straightforward. It's supposed to be real minimalist, right? It's

05:43 a nice and clean. It has a command palette. So you can, you know, command K or command shift P,

05:50 whatever the hot key is. I don't know yet. I haven't tried it. So you just download it and

05:54 you get going. I think it might come bundled with Python and you don't have to set up virtual

05:58 environments and stuff, but you can connect it to so-called kernels or basically virtual

06:02 environments that you would like there. All right. So very nice. You just download it and get started.

06:08 It has a built-in LLM. So you can ask it LLM things like describe the plot above and then plot

06:15 it using or describe the data above and use a plot using a plot using lines and scatter and boom,

06:20 it'll go and do that sort of thing. Pretty cool. It's very minimalist. If like I said,

06:25 if that's your vibe and then this is it, there's a command palette you can use. I don't know what

06:28 the hockey is. It again comes with black built-in. So you get automatic formatting, just press F

06:34 apparently and boom, your whole notebook is formatted, which is really nice. I feel like

06:38 that's one of the things kind of missing from notebooks is like a real nice sort of management

06:43 of code in general. Like the auto-complete is not that great. I know you can hit, there's like,

06:47 you can press some hotkeys to trigger auto-complete, but it just doesn't happen as you type.

06:51 Like many editors, you can also do cool things like copy, just go to a graph, copy, and just

06:56 paste it straight into a, it's got a little copy button for the data tables and for the graphs and

07:02 things like that. Yeah. So all super neat. Check it out. And my final thought here is download the

07:10 alpha. There's no link to github. So presumably this is not an open source thing, although perhaps

07:16 it is. I just haven't found it, but there's no link to get up and there's no business model

07:21 expressed here. So will this be a paid product? Is it just not yet out on GitHub? You know what I

07:28 mean? Like, I don't know. So buyer beware. And by buyer, I mean, person who downloads for free.

07:34 Yeah. But it looks really promising to me. I really like the vibe here.

07:40 Oh, okay. Okay. Go up. Oh, this is the rough thing. Let's see.

07:43 We do have a blog. You can check it out, but it has literally one entry that says integrating the

07:49 rough language server, which is, you know, like an engineering cool. That's fun, but it doesn't

07:54 tell you anything about it. It doesn't add any information to what I was just talking about.

07:59 You know what I mean? Yeah. And it doesn't have the Saturn as a link to the, an editor,

08:03 one repo, but it isn't the Saturn repo. We'll see. But you know, I look, if somebody makes

08:09 something that you pay money for, there's a super nice data science app and it's not out of control.

08:14 I'm not saying that's a negative thing. I'm just saying it's not clear what its status is, you know?

08:17 Yeah. But also if one of the, if anybody that's part of this, like, Jack Hodkinson or

08:24 anybody else on Saturn team, let us know. Yeah. Shoot us an email. Speaking of stuff,

08:29 we want to let people know about, I bet there's some code comments in this Saturn code there.

08:34 What do you think? I think probably. Probably. This episode is brought to you by Code Comments,

08:39 an original podcast from Red Hat. You know, when you're working on a project and you leave behind

08:43 a small comment in the code, maybe you're hoping to help others learn what isn't clear at first.

08:48 Sometimes that code comment tells a story of a challenging journey to the current state of the

08:54 project. Code Comments, the podcast features technologists who've been through tough tech

08:59 transitions, and they share how their teams survived that journey. The host, Jamie Parker,

09:04 is a Red Hatter and an experienced engineer. In each episode, Jamie recounts the stories of

09:09 technologists from across the industry who've been on a journey implementing new technologies.

09:15 I recently listened to an episode about DevOps from the folks at Worldwide Technology. The

09:19 hardest challenge turned out to be getting buy-in on the new tech stack rather than using that tech

09:25 stack directly. It's a message that we can all relate to, and I'm sure you can take some hard

09:29 won lessons back to your own team. Give Code Comments a listen. Search for Code Comments in

09:34 your podcast player or just use our link, pythonbytes.fm/code-comments. The link is in

09:40 your podcast player's show notes. Thank you to Code Comments for supporting the show. Back over

09:44 to you. I want to talk about something bad that happened on PyPI, but it could have been worse,

09:51 but it's not, but it could have been, but it wasn't bad. Anyway, what happened was,

09:57 and I'm going to link to a couple blog posts. One of them is on the PyPI.org blog from E. Durbin.

10:06 Incident report leaked GitHub personal access token. What happened was, and E. just go ahead

10:13 and writes out the timeline of events. It was something that he was working on, something

10:18 called Cabotage. The gist of it is, he was trying to debug something and ran into some problems with

10:29 timeouts for GitHub access tokens for the generic ones or the community ones or whatever. He used

10:39 his own personal one for a while while he was developing it, then he switched back,

10:43 but his personal access token got saved into a PYC file that made it to a Docker image that

10:49 got published. This is bad because it would have given access to a whole bunch of PyPI and core

10:58 stuff, including Python. Probably not good. What happened, how this was found though, was JFrog

11:07 does a regular binary scan of a lot of packages or open source projects that we rely on,

11:15 including Python and stuff. They found this problem and they notified the security team on PyPI.

11:25 The security team from PyPI revoked the token within 17 minutes of getting notified. This is

11:32 like amazingly, blazingly fast, I think. JFrog even points this out, that this is,

11:38 research team identified it, reported to PyPI and it was revoked in a mere 17 minutes,

11:45 which is super cool. Anyway, it was revoked, it was fixed. Then afterwards, a scan was done to

11:53 find out if that access token was used for anything and it wasn't. It wasn't exploited at all.

12:00 But there are some good takeaways that, and there's in the original blog post, it does talk

12:07 about a little bit more about the details about how this showed up in the Docker file. But the

12:13 takeaways are a few of them. There's three of them. First, set aggressive expiration dates for API

12:21 tokens. If you are going to use an API token, only have it for as long as you need it and have it,

12:28 consider the timeout because if it escapes, you have to deal with that. Also treat PYC files as

12:34 if they were source code. Normally I don't think about that because we don't publish PYC files,

12:41 but if they're in a Docker image, it's going to get published. The other note was only release

12:50 builds from automated systems on like use a CI system with a clean source only. So some great

12:58 reminders that PYC files are really something to be careful about also and be very careful

13:03 with access tokens. Yeah, pretty scary. Pretty scary. The TechRadar folks, TechRadar is in the

13:12 right place. I really like their writing. They phrase it as a GitHub token leak could have put

13:16 the entire Python language at risk. What if Python itself was malicious? Right? Because I mean, it

13:22 gave anyone who wanted to get a hold of that right access to the CPython repo and other parts of

13:28 deployment. It's not ideal. Yeah. But it sounds like it was caught. So it's really good. Could

13:32 have been very bad. So yes, another bullet dodged. Another bullet dodged. But both posts are

13:39 interesting reads. The JFrog one also has quite a bit of good information about how to protect from

13:45 this and some of the some of the actions, some of the new GitHub access tokens have a way they're

13:51 easier to scan than they used to be able. They're easier to find because there's like a prefix that

13:56 you can scan for within binary. So that's pretty cool. Oh, right, right, right. Yeah, they've

14:00 changed that format. That's good. Yeah. I would like to go on a bit of an extra, extra, extra.

14:05 This was not the intention. I had some other topic and I'm like, and another extra, another extra.

14:09 I'm like, all right, this is this is out of control. So you ready? Extra, extra, extra.

14:13 Hear all about it. Yeah, I'm ready. Let's do it. Number one, first extra pretty quick. Here's

14:20 Python 313 beta three has been released. This was a couple of days ago. It's not like, why would you

14:27 put the data at the bottom? I don't know. Anyway, I know it's at the top, June 27th. So it's actually

14:32 been a little bit of time, but there's no other beta and people should be checking out. This is

14:37 the third of four beta releases. So this is basically the last chance to make potential

14:43 changes before it's completely just down to bug fixes. Right. Okay. Yeah. Okay. So the Python

14:49 folks strongly encourage maintainers of third party Python packages to test with 313 during

14:55 the beta phase and report any found issues to the Python bug tracker ASAP. It will be feature

15:00 complete while the release is planned to be feature complete entering the beta phase as

15:04 possible to get modified or changed based on how serious any problems might be. Anyway, 313 beta

15:10 three. Awesome. Mini bar ice. I told you guys about this when there was the bartender. I was

15:16 such a fan of bartender recommend everywhere. And then bartender went a little funky. It's not that

15:22 it was sold to someone else. That's the problem is that it was sold. And the fact that it was sold

15:26 was obscured. That's the problem. Right. Talked about that previously. So I switched to ice and

15:31 ice was like, it kind of does the thing that bartender used to, but it's yeah. Hides menu.

15:37 Like it doesn't seem to show everything reliably. And anyway, it was really kind of janky, but this

15:42 thing, I think got a ton of attention since all that happened. It's got a lot of contributions.

15:46 So new release, a lot of bug fixes, primarily like a cool little dropdown that like shows all

15:51 your stuff in a second. Like if you click on it, it'll show you a little second window. Really

15:56 nice. So I can more strongly recommend open source free ice and before links in the show notes,

16:02 you got a lot of stuff up there, man. That's why I need this thing. It's out of control, man.

16:05 I'm telling you it's a problem. All right. Last time you mentioned the article, I will pile drive

16:11 you if you say AI again, and it resonated strongly with me. All right. Yeah. So, the primogen guy

16:19 did a one hour primary acts to the, I will pile drive you article and it is gold. So check out

16:26 this. If you just want to like sit back and listen to it, the background, this is a really good

16:31 video. it's worth your hour of time. So check that out. I listened to an interview. I don't

16:36 have the link right off the bat, but I listened to a podcast episode, somebody interviewing the

16:41 guy also. Okay. Interesting. Yeah. He does a good stream sort of thing. All right. Next up,

16:47 we talked about polyfill, I think a couple of episodes ago, right? Polyfill IO and all that.

16:53 So polyfill was a polyfill.io used to be run by some financial publication. I can't remember

17:00 exactly. I don't want to misattribute them. And then they were sold. They were like a CDN for

17:04 JavaScript stuff. And they were sold to a Chinese company, which in itself is not necessarily bad,

17:09 but then the Chinese company started sending malicious code instead of regular Jason polyfills

17:15 to its users. But in a super select way, like, Oh, are you doing a, an authentication at this

17:20 third party identity as a service thing? Well, maybe now you're getting the bad

17:25 JavaScript or whatever, you know? So really, really tricky stuff. And the polyfill.io domain

17:32 was on not unregistered. It was basically blocked by its registrar, which I think was name cheap,

17:38 but there are four other domains that it turns out that they're also using as CDNs. I don't know

17:43 what happened to them. Maybe they've been dealt with by now, but maybe not. But also what if

17:47 polyfill.io just re-register somewhere else eventually? Is this possible? I don't actually

17:51 know. So I posted a thing on, posted on it on Twitter saying, Hey, if you have some kind of

17:58 fancy DNS, you might want to put blocks in for all these domains. So static file.org, static

18:02 file.net, bootcss.com, bootcdn.net and polyfill.io. Those are all blocked in my next DNS, which is

18:09 awesome, which is like a pie hole, but you get access to it anywhere, not just while you're at

18:15 your house, which is better, I think. Cool. Yeah. So if you care about that stuff, this is one way

18:20 to say you can now surf the web. And even if you go to a vulnerable website, it won't load these

18:26 things. So that's always good. All right. Nice. Next up, we have the JetBrains Developer Ecosystem

18:33 Survey 2024. The survey is now open. It's pretty intense. Takes like 25 minutes, but you can,

18:39 if you want to complete it, contribute to sort of, you know, what editor is popular,

18:44 what frameworks are you using? Do you like databases, et cetera. For this, you may win

18:48 a MacBook Pro 16, an NVIDIA GeForce, some phones and so on and so on. A bunch of stuff. You can win

18:55 potentially. Coding the Castle in October, October 5 to 12th in Tuscany, still has some seats open.

19:02 So check that out at hawkpython.fm/castle. And if you're interested, a week of half Python

19:08 learning, half excursions in Tuscany. So check that out as well. And that concludes my extra,

19:14 extra, extra here all about it. So do you need somebody to help like, you know, carry your

19:19 equipment? Yeah, sure. I mean, I'm going to bring a MacBook Air, so that is pretty heavy. Would you

19:24 like to help? Yeah. Yeah. If you want to pay for my trip, I would definitely help you out. Yeah.

19:28 Awesome. I appreciate that. No, it looks like fun. I'm excited to hear about that when you get back.

19:35 Yeah, I am too. I figured of doing a couple of days of motorcycle riding, there's like some

19:39 off-road enduro tours you can do there. Like it's pretty close. If I can link those together,

19:43 then I'll need help carrying like all the motorcycle gear that will like,

19:46 Are you going to try to check your motorcycle as a, as a, No, you can rent motorcycles there. Yeah. Check it. I'll just ship it ahead. It'll,

19:55 it'll be there waiting for me. Yeah. Awesome. How about your extras? Got anything?

19:59 Yeah. So I wanted to let's see. I I'm working on a new pytest course. So already on talk,

20:06 Python training, there is the getting started with pytest course. It is three and a half hours long.

20:10 So it's kind of the, it's not, it's pretty quick. Covers a lot of the basics of pytest. I also have

20:17 the complete pytest course over on courses.pythontest.com. This little, I mean, the 162

20:24 lessons might freak people out, but a lot of the lessons it's it's basically the entire Python

20:30 testing with pytest book. And a lot of the videos are chopped up into like three, you know, three

20:34 minutes, four minutes. So as they should be. Yeah. So, but I do notice that there's, there's a,

20:40 there's a gap. So I'm I'm the new course I'm working on is a really introduction to pytest

20:47 introduction to testing concepts. And this is, and I really want it to be something that somebody

20:53 could really watch in half a day, easy, or even just a little bit. And I'm targeting, I'm hoping

20:59 to be under an hour to introduce a lot of these great concepts. And, and this would be intended

21:06 for people for the entire team. Like my idea would be everybody on the team, including the manager,

21:11 would take this little mini course. And then you'd have a couple of experts, a couple of people that

21:16 want to be the pytest experts, take the complete course or something, or, or the one on talk,

21:20 Python training to be more, more in depth. And, and so that I think there's a gap there for the

21:27 little quick intro. So I'm working on that. Awesome. That'll be fun. I agree with you,

21:32 by the way, that do you think there's probably a good gap there as well?

21:34 Yeah. Also, and I'm, I'm kind of wanting that for my internal, for my own company of like,

21:39 I don't, I don't think I can tell people to go watch an eight hour video. I don't remember if

21:44 it's eight hours or not, but it's well also, okay. I want to have people not freak out too much.

21:50 It's split into three parts and you really, the intent of the entire book wasn't to read

21:55 everything it's to read the first part and then use the rest of it as resources as necessary. So

22:00 same with the course. Okay. I've got other stuff going on too. I've got a couple of these other

22:05 couple of podcasts, Python people. I thought it was a great idea, but I just haven't had time.

22:10 So it hasn't been updated since May. I'm just going to officially say it's kind of indefinitely

22:15 on hold. I don't know what's going to happen with it, but I'm not working on it. Okay. And

22:20 Python test, it was testing code and it's still like this, still the little icon is still testing

22:26 code and now it's Python test for 14 episodes, 14 out of 221. I am going to flip flop and probably

22:33 switch back to testing code because there's a series I want to do about test driven development.

22:39 And it's really pipe. It's not, it's language agnostic. So it doesn't really make sense to

22:43 have it be under the Python banner. And I probably, I can't, I want to say, I promised to not switch

22:50 it again, but you know, who knows? It's, it's whatever. So yeah, that's, those are my extras.

22:56 I'll probably get back to record. I'm still roughing out the ideas for the series. It'll

23:01 probably come out in August or September. So excellent. Well, I look forward to it. Very cool.

23:06 But that wasn't very funny though. No, it was not. It was not. Good thing about podcasts. If people

23:11 subscribe to them and in a year later, you're like, all right, I'm ready for more Python people.

23:15 It'll just start showing up in their players again. Yeah. And I'll talk, you know, follow

23:18 Python bites. We're, we're not going to stop Python bites anytime. well, there's no plan on it. So

23:24 there's definitely no plan on it. All right. Let's, let's get something a little bit funny.

23:28 Now. I know there's been a lot of talk about AI, although I'm frightened of being piled or I've,

23:32 I don't know if people know this wrestling term, but it's disturbing. Anyway, I'm a little worried

23:37 about it, but this is not, this is not helping you code with AI. This is just straight up editor

23:43 help that I also consider super important. It's entitled. I need my IntelliSense. Are you a fan

23:48 of Scooby-Doo Brian? yeah. Did you watch Scooby-Doo the cartoon growing up? So here's,

23:53 what's the woman's name with reddish hair? Did I, I still catch up. I still keep up on all the

23:58 Scooby-Doo's. Awesome. So she has glasses and she lost them, obviously like the picture. She's lost.

24:04 I've lost my glasses in this like scary house or whatever, but the caption is my IntelliSense. I

24:10 can't code without my IntelliSense. Oh, I, I really, that's pretty funny. Yeah. Yeah. Anyway,

24:17 I thought that would resonate with some folks out there. What I have to actually look up what the

24:21 parameters are. That's just barbaric. It's totally barbaric. And it's a segment of your mind that

24:27 doesn't need to be filled with those details. You just type and let it flow. One of the things

24:32 though that I, the, all the pop-ups that happen to help you out. Like it's great, except

24:38 for if you like, I'm in, I wish there was a toggle that I could just turn everything off or on

24:43 because when I'm developing, I like those on, but when I'm recording a course or something,

24:47 I don't want all those popping up all the time. So do you turn them off for your courses and stuff?

24:53 No, I have them on. I try, I try to show people like, look, here's your options. This is the one

24:57 you pick out of the list though. Yeah. I leave them on. Yeah. I don't want to lose my glasses.

25:02 All right. Well, I'll try that. So indeed. All right. I think there's also ways you can just

25:10 set the aggressiveness of it, which I think it sounds like something you might want, like in

25:14 a serious way. So you can set it. So if you just press a dot boom, like the list comes up or you

25:19 can set it. So there's some other key like control dot or something you've got to like choose,

25:25 which you wouldn't normally hit in the course of typing to trigger that kind of stuff. So look

25:29 into that. Yeah. I think there's a delay too. You can say like, if I'm, if I'm just going to

25:34 start typing, don't pop that stuff up. Yeah. Yeah, indeed. Anyway. Cool. All right. Well,

25:39 thanks for another fun show. Thanks everyone for listening. Thank you. Bye.

Back to show page