Transcript #392: The votes have been counted
Return to episode page view on github00:00 Hello and welcome to Python Bytes where we deliver Python news and headlines directly
00:04 to your earbuds. This is episode 392, recorded July 17th, 2024. I'm Michael Kennedy.
00:12 And I'm Brian Okken.
00:13 This episode is brought to you by Code Comments, an original podcast from Red Hat. So thank you
00:20 to Red Hat for supporting the show. We'll tell you more about them later. You can follow us on
00:25 Fosted on. The links for Brian, me, and the show are all in the show notes. And you can also follow
00:31 us on X if you wish. I know some people have not yet made the transition. What are you waiting for
00:36 people? Come on. And finally, before we jump into it, we are super excited that people are signing
00:41 up for the newsletter. Check that out. Just go to pythonbytes.fm. Click on the big newsletter
00:45 button in the middle. Put your email in. You'll hear about cool stuff. We'll hear, get the show
00:48 notes, but you'll also get announcements that we might send out and other things, live events,
00:54 who knows. So sign up, be in the know, and we'd love to talk to you there and we won't share.
00:58 Brian.
00:59 And we were going to do a contest or something.
01:01 Yes, we're going to do a contest. The numbers are growing and we reach a monumental number.
01:08 I'm pulling up my list monk management here. Ooh, we are close. We're getting quite close here. So
01:14 yeah, we're going to do some kind of contest.
01:16 Do some giveaways.
01:16 Yeah. Some kind of giveaways. We'll see what that is.
01:19 The 2024 PSF board election and bylaw election. The election happened and the results are in
01:25 already. So it happened pretty quick. And nobody's demanded a recount yet. So that's good.
01:31 I guess we don't do that in the PSF. But so new board members, Tanya Allard,
01:37 Quan Hei Bay, and Christian Moriera-Fredes, I think. But congrats to the three new board members.
01:47 Super awesome. Should be fun for you. One of the things in this announcement was that the,
01:54 where was it? Basically it says, what's next? If there's four, here it is at the bottom.
02:00 There's four seats open again next year. So it might feel early, but if you're kind of thinking
02:06 about running for the board, it might not be early to think about it now to get ready and think about
02:11 what you want to propose and stuff. And they suggest reaching out to one or two current board
02:19 members to ask them about their experience before throwing your hat in the ring. So
02:24 it actually sounds pretty interesting. So anyway, so the three new board members, congrats.
02:30 And then also all of the PSF bylaw changes passed heartily, like with a big margin. So let's take a
02:38 look at that a little bit. So the, Oh, let's look at what they are again. So there were merging,
02:43 contributing and managing member classes. That's, it seems like a no brainer. I'm glad they're
02:48 doing that. Simplifying the voter affirmation process by treating past voting activity as
02:53 intent to continue voting. That makes sense. Yeah, I like that one. Cause in order to vote,
02:58 you have to attest that you're interested in voting for some reason now, which is funky.
03:03 Would sell. Well, well also, I mean, it makes sense for like counting it. Like, you know, if,
03:08 if, if we just send it to everybody and just what, give them three weeks to vote. I mean,
03:12 it's, it's how long do you have to wait? The, I don't know, make it's, it's all right. Now,
03:18 if you voted this year, you'll automatically be able to vote next year. That makes sense.
03:22 And then the third one of allowing for removal of fellows by a board vote in response to code
03:30 of conduct violations. That was there was a lot of controversy on the chat and stuff and in the
03:36 mailing list. However that third, third one and all of them, the third one passed like by a huge
03:43 margin. Second one, also huge margin, first huge margin. So it's, you know, smaller margin for
03:51 three, but basically still most people are for it. And I was for it too. And I, I trust our board.
03:57 So I think it's a good thing. So if you want to read more about all of these there's a link to
04:03 all the different bylaw changes so you can read more about them if you want to.
04:08 - Yeah, cool. Very cool. Hey, I do have a quick comment here. So these the, the number of people
04:14 who voted are in the hundreds, like 300, 400, something like that. There are millions of Python
04:20 developers, literally millions. There's plenty, tens of thousands of people who just listened to
04:25 this podcast who are in, in the know and interested enough. Vote guys and girls.
04:31 - Yeah. Yeah. Be part of the community by voting. It's a, it's a good way to every voice heard.
04:37 I also really enjoyed this year, like, and I do this every year of actually reading about the
04:42 different, reading all the different board candidates and what they've done. It's kind
04:47 of a neat way just to like catch up on some people and what the, what their contributions
04:51 to Python are. So. - Catch a little zeitgeist. Where, where's the whole community going in a sense?
04:57 - Yeah. - But not as much as if you listen to Python Bytes every week, because then it's like
05:01 the rapids of zeitgeist. You can barely stand it. Speaking of barely standing it, imagine if you
05:06 were on Saturn doing, doing data science. - Well. - Okay. So we obviously know about Jupyter, which
05:14 is our biggest planet, clearly, but Saturn is pretty big too. And it's cool. It's got cooler
05:19 rings than Jupyter. So better for data science. I don't know. Okay. Seriously, this is Saturn and
05:25 it's a modern Jupyter desktop application for macOS. - Cool. - Pretty cool. So it's like super
05:33 minimal. It has a bit of a, not a JupyterLab. That's too close to the real Jupyter, but just
05:38 the Jupyter notebook style, like straightforward. It's supposed to be real minimalist, right? It's
05:43 a nice and clean. It has a command palette. So you can, you know, command K or command shift P,
05:50 whatever the hot key is. I don't know yet. I haven't tried it. So you just download it and
05:54 you get going. I think it might come bundled with Python and you don't have to set up virtual
05:58 environments and stuff, but you can connect it to so-called kernels or basically virtual
06:02 environments that you would like there. All right. So very nice. You just download it and get started.
06:08 It has a built-in LLM. So you can ask it LLM things like describe the plot above and then plot
06:15 it using or describe the data above and use a plot using a plot using lines and scatter and boom,
06:20 it'll go and do that sort of thing. Pretty cool. It's very minimalist. If like I said,
06:25 if that's your vibe and then this is it, there's a command palette you can use. I don't know what
06:28 the hockey is. It again comes with black built-in. So you get automatic formatting, just press F
06:34 apparently and boom, your whole notebook is formatted, which is really nice. I feel like
06:38 that's one of the things kind of missing from notebooks is like a real nice sort of management
06:43 of code in general. Like the auto-complete is not that great. I know you can hit, there's like,
06:47 you can press some hotkeys to trigger auto-complete, but it just doesn't happen as you type.
06:51 Like many editors, you can also do cool things like copy, just go to a graph, copy, and just
06:56 paste it straight into a, it's got a little copy button for the data tables and for the graphs and
07:02 things like that. Yeah. So all super neat. Check it out. And my final thought here is download the
07:10 alpha. There's no link to github. So presumably this is not an open source thing, although perhaps
07:16 it is. I just haven't found it, but there's no link to get up and there's no business model
07:21 expressed here. So will this be a paid product? Is it just not yet out on GitHub? You know what I
07:28 mean? Like, I don't know. So buyer beware. And by buyer, I mean, person who downloads for free.
07:34 Yeah. But it looks really promising to me. I really like the vibe here.
07:40 Oh, okay. Okay. Go up. Oh, this is the rough thing. Let's see.
07:43 We do have a blog. You can check it out, but it has literally one entry that says integrating the
07:49 rough language server, which is, you know, like an engineering cool. That's fun, but it doesn't
07:54 tell you anything about it. It doesn't add any information to what I was just talking about.
07:59 You know what I mean? Yeah. And it doesn't have the Saturn as a link to the, an editor,
08:03 one repo, but it isn't the Saturn repo. We'll see. But you know, I look, if somebody makes
08:09 something that you pay money for, there's a super nice data science app and it's not out of control.
08:14 I'm not saying that's a negative thing. I'm just saying it's not clear what its status is, you know?
08:17 Yeah. But also if one of the, if anybody that's part of this, like, Jack Hodkinson or
08:24 anybody else on Saturn team, let us know. Yeah. Shoot us an email. Speaking of stuff,
08:29 we want to let people know about, I bet there's some code comments in this Saturn code there.
08:34 What do you think? I think probably. Probably. This episode is brought to you by Code Comments,
08:39 an original podcast from Red Hat. You know, when you're working on a project and you leave behind
08:43 a small comment in the code, maybe you're hoping to help others learn what isn't clear at first.
08:48 Sometimes that code comment tells a story of a challenging journey to the current state of the
08:54 project. Code Comments, the podcast features technologists who've been through tough tech
08:59 transitions, and they share how their teams survived that journey. The host, Jamie Parker,
09:04 is a Red Hatter and an experienced engineer. In each episode, Jamie recounts the stories of
09:09 technologists from across the industry who've been on a journey implementing new technologies.
09:15 I recently listened to an episode about DevOps from the folks at Worldwide Technology. The
09:19 hardest challenge turned out to be getting buy-in on the new tech stack rather than using that tech
09:25 stack directly. It's a message that we can all relate to, and I'm sure you can take some hard
09:29 won lessons back to your own team. Give Code Comments a listen. Search for Code Comments in
09:34 your podcast player or just use our link, pythonbytes.fm/code-comments. The link is in
09:40 your podcast player's show notes. Thank you to Code Comments for supporting the show. Back over
09:44 to you. I want to talk about something bad that happened on PyPI, but it could have been worse,
09:51 but it's not, but it could have been, but it wasn't bad. Anyway, what happened was,
09:57 and I'm going to link to a couple blog posts. One of them is on the PyPI.org blog from E. Durbin.
10:06 Incident report leaked GitHub personal access token. What happened was, and E. just go ahead
10:13 and writes out the timeline of events. It was something that he was working on, something
10:18 called Cabotage. The gist of it is, he was trying to debug something and ran into some problems with
10:29 timeouts for GitHub access tokens for the generic ones or the community ones or whatever. He used
10:39 his own personal one for a while while he was developing it, then he switched back,
10:43 but his personal access token got saved into a PYC file that made it to a Docker image that
10:49 got published. This is bad because it would have given access to a whole bunch of PyPI and core
10:58 stuff, including Python. Probably not good. What happened, how this was found though, was JFrog
11:07 does a regular binary scan of a lot of packages or open source projects that we rely on,
11:15 including Python and stuff. They found this problem and they notified the security team on PyPI.
11:25 The security team from PyPI revoked the token within 17 minutes of getting notified. This is
11:32 like amazingly, blazingly fast, I think. JFrog even points this out, that this is,
11:38 research team identified it, reported to PyPI and it was revoked in a mere 17 minutes,
11:45 which is super cool. Anyway, it was revoked, it was fixed. Then afterwards, a scan was done to
11:53 find out if that access token was used for anything and it wasn't. It wasn't exploited at all.
12:00 But there are some good takeaways that, and there's in the original blog post, it does talk
12:07 about a little bit more about the details about how this showed up in the Docker file. But the
12:13 takeaways are a few of them. There's three of them. First, set aggressive expiration dates for API
12:21 tokens. If you are going to use an API token, only have it for as long as you need it and have it,
12:28 consider the timeout because if it escapes, you have to deal with that. Also treat PYC files as
12:34 if they were source code. Normally I don't think about that because we don't publish PYC files,
12:41 but if they're in a Docker image, it's going to get published. The other note was only release
12:50 builds from automated systems on like use a CI system with a clean source only. So some great
12:58 reminders that PYC files are really something to be careful about also and be very careful
13:03 with access tokens. Yeah, pretty scary. Pretty scary. The TechRadar folks, TechRadar is in the
13:12 right place. I really like their writing. They phrase it as a GitHub token leak could have put
13:16 the entire Python language at risk. What if Python itself was malicious? Right? Because I mean, it
13:22 gave anyone who wanted to get a hold of that right access to the CPython repo and other parts of
13:28 deployment. It's not ideal. Yeah. But it sounds like it was caught. So it's really good. Could
13:32 have been very bad. So yes, another bullet dodged. Another bullet dodged. But both posts are
13:39 interesting reads. The JFrog one also has quite a bit of good information about how to protect from
13:45 this and some of the some of the actions, some of the new GitHub access tokens have a way they're
13:51 easier to scan than they used to be able. They're easier to find because there's like a prefix that
13:56 you can scan for within binary. So that's pretty cool. Oh, right, right, right. Yeah, they've
14:00 changed that format. That's good. Yeah. I would like to go on a bit of an extra, extra, extra.
14:05 This was not the intention. I had some other topic and I'm like, and another extra, another extra.
14:09 I'm like, all right, this is this is out of control. So you ready? Extra, extra, extra.
14:13 Hear all about it. Yeah, I'm ready. Let's do it. Number one, first extra pretty quick. Here's
14:20 Python 313 beta three has been released. This was a couple of days ago. It's not like, why would you
14:27 put the data at the bottom? I don't know. Anyway, I know it's at the top, June 27th. So it's actually
14:32 been a little bit of time, but there's no other beta and people should be checking out. This is
14:37 the third of four beta releases. So this is basically the last chance to make potential
14:43 changes before it's completely just down to bug fixes. Right. Okay. Yeah. Okay. So the Python
14:49 folks strongly encourage maintainers of third party Python packages to test with 313 during
14:55 the beta phase and report any found issues to the Python bug tracker ASAP. It will be feature
15:00 complete while the release is planned to be feature complete entering the beta phase as
15:04 possible to get modified or changed based on how serious any problems might be. Anyway, 313 beta
15:10 three. Awesome. Mini bar ice. I told you guys about this when there was the bartender. I was
15:16 such a fan of bartender recommend everywhere. And then bartender went a little funky. It's not that
15:22 it was sold to someone else. That's the problem is that it was sold. And the fact that it was sold
15:26 was obscured. That's the problem. Right. Talked about that previously. So I switched to ice and
15:31 ice was like, it kind of does the thing that bartender used to, but it's yeah. Hides menu.
15:37 Like it doesn't seem to show everything reliably. And anyway, it was really kind of janky, but this
15:42 thing, I think got a ton of attention since all that happened. It's got a lot of contributions.
15:46 So new release, a lot of bug fixes, primarily like a cool little dropdown that like shows all
15:51 your stuff in a second. Like if you click on it, it'll show you a little second window. Really
15:56 nice. So I can more strongly recommend open source free ice and before links in the show notes,
16:02 you got a lot of stuff up there, man. That's why I need this thing. It's out of control, man.
16:05 I'm telling you it's a problem. All right. Last time you mentioned the article, I will pile drive
16:11 you if you say AI again, and it resonated strongly with me. All right. Yeah. So, the primogen guy
16:19 did a one hour primary acts to the, I will pile drive you article and it is gold. So check out
16:26 this. If you just want to like sit back and listen to it, the background, this is a really good
16:31 video. it's worth your hour of time. So check that out. I listened to an interview. I don't
16:36 have the link right off the bat, but I listened to a podcast episode, somebody interviewing the
16:41 guy also. Okay. Interesting. Yeah. He does a good stream sort of thing. All right. Next up,
16:47 we talked about polyfill, I think a couple of episodes ago, right? Polyfill IO and all that.
16:53 So polyfill was a polyfill.io used to be run by some financial publication. I can't remember
17:00 exactly. I don't want to misattribute them. And then they were sold. They were like a CDN for
17:04 JavaScript stuff. And they were sold to a Chinese company, which in itself is not necessarily bad,
17:09 but then the Chinese company started sending malicious code instead of regular Jason polyfills
17:15 to its users. But in a super select way, like, Oh, are you doing a, an authentication at this
17:20 third party identity as a service thing? Well, maybe now you're getting the bad
17:25 JavaScript or whatever, you know? So really, really tricky stuff. And the polyfill.io domain
17:32 was on not unregistered. It was basically blocked by its registrar, which I think was name cheap,
17:38 but there are four other domains that it turns out that they're also using as CDNs. I don't know
17:43 what happened to them. Maybe they've been dealt with by now, but maybe not. But also what if
17:47 polyfill.io just re-register somewhere else eventually? Is this possible? I don't actually
17:51 know. So I posted a thing on, posted on it on Twitter saying, Hey, if you have some kind of
17:58 fancy DNS, you might want to put blocks in for all these domains. So static file.org, static
18:02 file.net, bootcss.com, bootcdn.net and polyfill.io. Those are all blocked in my next DNS, which is
18:09 awesome, which is like a pie hole, but you get access to it anywhere, not just while you're at
18:15 your house, which is better, I think. Cool. Yeah. So if you care about that stuff, this is one way
18:20 to say you can now surf the web. And even if you go to a vulnerable website, it won't load these
18:26 things. So that's always good. All right. Nice. Next up, we have the JetBrains Developer Ecosystem
18:33 Survey 2024. The survey is now open. It's pretty intense. Takes like 25 minutes, but you can,
18:39 if you want to complete it, contribute to sort of, you know, what editor is popular,
18:44 what frameworks are you using? Do you like databases, et cetera. For this, you may win
18:48 a MacBook Pro 16, an NVIDIA GeForce, some phones and so on and so on. A bunch of stuff. You can win
18:55 potentially. Coding the Castle in October, October 5 to 12th in Tuscany, still has some seats open.
19:02 So check that out at hawkpython.fm/castle. And if you're interested, a week of half Python
19:08 learning, half excursions in Tuscany. So check that out as well. And that concludes my extra,
19:14 extra, extra here all about it. So do you need somebody to help like, you know, carry your
19:19 equipment? Yeah, sure. I mean, I'm going to bring a MacBook Air, so that is pretty heavy. Would you
19:24 like to help? Yeah. Yeah. If you want to pay for my trip, I would definitely help you out. Yeah.
19:28 Awesome. I appreciate that. No, it looks like fun. I'm excited to hear about that when you get back.
19:35 Yeah, I am too. I figured of doing a couple of days of motorcycle riding, there's like some
19:39 off-road enduro tours you can do there. Like it's pretty close. If I can link those together,
19:43 then I'll need help carrying like all the motorcycle gear that will like,
19:46 Are you going to try to check your motorcycle as a, as a, No, you can rent motorcycles there. Yeah. Check it. I'll just ship it ahead. It'll,
19:55 it'll be there waiting for me. Yeah. Awesome. How about your extras? Got anything?
19:59 Yeah. So I wanted to let's see. I I'm working on a new pytest course. So already on talk,
20:06 Python training, there is the getting started with pytest course. It is three and a half hours long.
20:10 So it's kind of the, it's not, it's pretty quick. Covers a lot of the basics of pytest. I also have
20:17 the complete pytest course over on courses.pythontest.com. This little, I mean, the 162
20:24 lessons might freak people out, but a lot of the lessons it's it's basically the entire Python
20:30 testing with pytest book. And a lot of the videos are chopped up into like three, you know, three
20:34 minutes, four minutes. So as they should be. Yeah. So, but I do notice that there's, there's a,
20:40 there's a gap. So I'm I'm the new course I'm working on is a really introduction to pytest
20:47 introduction to testing concepts. And this is, and I really want it to be something that somebody
20:53 could really watch in half a day, easy, or even just a little bit. And I'm targeting, I'm hoping
20:59 to be under an hour to introduce a lot of these great concepts. And, and this would be intended
21:06 for people for the entire team. Like my idea would be everybody on the team, including the manager,
21:11 would take this little mini course. And then you'd have a couple of experts, a couple of people that
21:16 want to be the pytest experts, take the complete course or something, or, or the one on talk,
21:20 Python training to be more, more in depth. And, and so that I think there's a gap there for the
21:27 little quick intro. So I'm working on that. Awesome. That'll be fun. I agree with you,
21:32 by the way, that do you think there's probably a good gap there as well?
21:34 Yeah. Also, and I'm, I'm kind of wanting that for my internal, for my own company of like,
21:39 I don't, I don't think I can tell people to go watch an eight hour video. I don't remember if
21:44 it's eight hours or not, but it's well also, okay. I want to have people not freak out too much.
21:50 It's split into three parts and you really, the intent of the entire book wasn't to read
21:55 everything it's to read the first part and then use the rest of it as resources as necessary. So
22:00 same with the course. Okay. I've got other stuff going on too. I've got a couple of these other
22:05 couple of podcasts, Python people. I thought it was a great idea, but I just haven't had time.
22:10 So it hasn't been updated since May. I'm just going to officially say it's kind of indefinitely
22:15 on hold. I don't know what's going to happen with it, but I'm not working on it. Okay. And
22:20 Python test, it was testing code and it's still like this, still the little icon is still testing
22:26 code and now it's Python test for 14 episodes, 14 out of 221. I am going to flip flop and probably
22:33 switch back to testing code because there's a series I want to do about test driven development.
22:39 And it's really pipe. It's not, it's language agnostic. So it doesn't really make sense to
22:43 have it be under the Python banner. And I probably, I can't, I want to say, I promised to not switch
22:50 it again, but you know, who knows? It's, it's whatever. So yeah, that's, those are my extras.
22:56 I'll probably get back to record. I'm still roughing out the ideas for the series. It'll
23:01 probably come out in August or September. So excellent. Well, I look forward to it. Very cool.
23:06 But that wasn't very funny though. No, it was not. It was not. Good thing about podcasts. If people
23:11 subscribe to them and in a year later, you're like, all right, I'm ready for more Python people.
23:15 It'll just start showing up in their players again. Yeah. And I'll talk, you know, follow
23:18 Python bites. We're, we're not going to stop Python bites anytime. well, there's no plan on it. So
23:24 there's definitely no plan on it. All right. Let's, let's get something a little bit funny.
23:28 Now. I know there's been a lot of talk about AI, although I'm frightened of being piled or I've,
23:32 I don't know if people know this wrestling term, but it's disturbing. Anyway, I'm a little worried
23:37 about it, but this is not, this is not helping you code with AI. This is just straight up editor
23:43 help that I also consider super important. It's entitled. I need my IntelliSense. Are you a fan
23:48 of Scooby-Doo Brian? yeah. Did you watch Scooby-Doo the cartoon growing up? So here's,
23:53 what's the woman's name with reddish hair? Did I, I still catch up. I still keep up on all the
23:58 Scooby-Doo's. Awesome. So she has glasses and she lost them, obviously like the picture. She's lost.
24:04 I've lost my glasses in this like scary house or whatever, but the caption is my IntelliSense. I
24:10 can't code without my IntelliSense. Oh, I, I really, that's pretty funny. Yeah. Yeah. Anyway,
24:17 I thought that would resonate with some folks out there. What I have to actually look up what the
24:21 parameters are. That's just barbaric. It's totally barbaric. And it's a segment of your mind that
24:27 doesn't need to be filled with those details. You just type and let it flow. One of the things
24:32 though that I, the, all the pop-ups that happen to help you out. Like it's great, except
24:38 for if you like, I'm in, I wish there was a toggle that I could just turn everything off or on
24:43 because when I'm developing, I like those on, but when I'm recording a course or something,
24:47 I don't want all those popping up all the time. So do you turn them off for your courses and stuff?
24:53 No, I have them on. I try, I try to show people like, look, here's your options. This is the one
24:57 you pick out of the list though. Yeah. I leave them on. Yeah. I don't want to lose my glasses.
25:02 All right. Well, I'll try that. So indeed. All right. I think there's also ways you can just
25:10 set the aggressiveness of it, which I think it sounds like something you might want, like in
25:14 a serious way. So you can set it. So if you just press a dot boom, like the list comes up or you
25:19 can set it. So there's some other key like control dot or something you've got to like choose,
25:25 which you wouldn't normally hit in the course of typing to trigger that kind of stuff. So look
25:29 into that. Yeah. I think there's a delay too. You can say like, if I'm, if I'm just going to
25:34 start typing, don't pop that stuff up. Yeah. Yeah, indeed. Anyway. Cool. All right. Well,
25:39 thanks for another fun show. Thanks everyone for listening. Thank you. Bye.