Hello and welcome to Python Bytes, where we deliver Python news and headlines directly to your earbuds. This is episode 380, recorded on April 23rd, 2023. I'm Michael Kennedy. And I'm Brian Okken. And this episode is brought to you by us. Support us through our courses at Talk Python Training, the complete pytest course, Patreon supporters, links at the top of the show notes. So very much appreciate that. And while you're there, you can connect with us over on Fosstodon, if you Mastodon there.
So Mastodon anywhere. But you can find us on Fosstodon, at mkennedy, at Brian Okken, and at Python Bytes. Join the show live, pythonbytes.fm/live. Usually Tuesdays at 10 a.m. Pacific time now. And you can see all the older versions there if you want the video as well. And finally, Brian, a bunch of people are signing up for the newsletter that you're sending out about things from the show every week. So that's awesome.
People can just visit pythonbytes.fm, click on newsletter right in the middle of the top of the screen and put in their email. We will treat it kindly. But then we will email you stuff that we're up to, which we'd love to do. So we appreciate that. And, you know, I really want to just like maybe focus on that kind of stuff. Brian, what do you think? Let's focus, man. Let's focus. Speaking of focus, we've got NumFocus.
So NumFocus is a, you know, actually, I probably should have done a little more research. NumFocus is a collection of different resources. And let's just take a look at the about of NumFocus. So NumFocus has a mission of promoting open practices and research data and scientific computing. There's a lot of information on the NumFocus site. You can check it out. But if you take a look at the projects that are involved, this is crazy.
So the projects, sponsored projects, there's a lot of our favorites like NumPy, Pandas, Jupyter, SciPy. So many things are involved with NumFocus and collaborate with NumFocus. And I'm not, like I said, we should have had Pamphile on to talk about it a little bit. But Pamphile, let us know something that's going on with the NumFocus group. And it's a little, there's some changes going on. So this was suggested by Pamphile Roy, who's in the audience right now. So thanks for showing up.
So this was an article by Paul Ivanov called NumFocus Concerns. And we'll link to it in the show notes, of course. But there has been some, there's some shakeup going on in NumFocus a little bit. There's been some problems in the past with NumFocus being able to meet the expectations of some of the projects within the NumFocus banner. And there was a town hall meeting in February announcing that there's a new direction. And it caught a lot of people by surprise.
So I'm trying to highlight it here as well so people know about it. There have, there's really, I kind of want to point people to this article and just say that there's, there's some things changing. There's apparently in the past, there was some lack of transparency of how the board was selected. So they're trying to make that a little bit more transparent. There is an initiated effort to elect open board seats to try to get more people on the board.
And some proposed changes to the governance structure. And then around some of these, some of these issues, there's also some of the projects within NumFocus are pursuing alternative venues for fiscal sponsorship. So getting money in other ways. So a lot of information here. The, I thought was interesting. Some of the, some of the different alternatives to, there's like open source collective or some of the, some of the ways to get money.
There's different, I mean, money is important to try to get some of the projects, some people working on it. So if you'd like to get more involved or just know, have more information about what's going on with NumFocus. This is a, this is a really great write-up. So thanks for passing this along. Excellent. I, you know, NumFocus is interesting. It's, it's really one of the bigger ways that funds Python open source and outside of Python as well. But there's not many other organizations like that.
So keeping it, keeping it healthy is definitely important. Yeah. And I'm, I'm, I'm glad it's a, it got, there's some attention drawn, being drawn to it before it, you know, kind of implodes. So I don't think it will. I think we'll, we'll see NumFocus for quite a while. So definitely. All right. Speaking of shining a little bit of light on something, let's talk about Leaping. Python, this, right. This, this, this pytest project should be one that you're focusing on, but I'm, I beat you to it.
So here we go. Have you heard of this Leaping? I have not. Okay. Well, it's because the description is so wait, no, there's no description. This is a small project that does, it's got 238 stars. So it's not a huge thing. But I want to give it a bit of a shout out because I think this is cool and I would love to hear your take, Brian. So Leaping is a pytest debugger. Simple, fast, lightweight for Python tests.
And it traces the execution of your code and then allows you, so you run a test session, you know, pytest dot whatever. And then you can retroactively ask questions about how your pytest session went using natural language. Okay. Okay. So like, well, what would you possibly ask it? So it does this by keeping track of the variable changes at variables changing over time and other sources of non-determinism within your code. So you would just say pytest --leaping.
If you install that and it runs. You can ask questions like, why am I not hitting this function? Why was this variable set to this value? What is the value of a variable at this point? And what changes can I make to my code to make this test pass even? Stuff like that. I assume this is pretty neat. You know, I don't have any experience with it, but it sounds pretty creative. It says it's based on both Ollama and GPT-4. You can pick which model you would like.
And, you know, those are both pretty powerful. So. Why leaping? Leaping llamas? I don't. Yeah, that's. Well, typically llamas do leap a lot. No, I don't think they do actually. Maybe a little bit. Okay. I don't know. I can't tell you why. Maybe. I think it might come from a larger project that here, but I don't really know. Well, I'll play with it and maybe we could get somebody on to tell us or I'll ask somebody why leaping. Anyway, I thought this was kind of interesting.
So I want to shine a little light on. Thanks for giving me some homework to work on. Yes, of course. Last one we gave. Was it Mike Fiedler? We gave homework this time. I'm giving you homework. Yeah. Haven't heard back from Mike, though. What's up, Mike? Yeah. Where's that article, man? Yeah. Over to you. So, okay. So I've got an extras, extras, extras section because I kind of got down a rabbit hole.
So on the last discussion of this NumFocus concerns, I was looking at, well, anyway, one of the other topics that Pamphile passed over is that there's a 2024 developer summit going on. So I'll just get started. 2024 developer summit happening in Seattle, June 3rd to 5th. This is an invite-only thing. So I'm just announcing it because it's cool. Don't try to sign up because you can't, but that's okay.
It's still neat that we have one of the reasons why I wanted to bring it up is not to try to promote it, but to say with some of the, it was the XZ or something, that bug that went by recently. XVX. I can't remember. XZ. XZ. The near downfall of all the internet. Well, one of the problems was this discussion that people in a project don't talk to each other that much. So, and there's a lot of times where you can't really get away from that.
But the scientific Python development summit is one place where a lot of the people from these Python scientific projects get together. And it's pretty neat. Last year was the first. And they did a bunch of things. And they did a whole bunch of cool things last year, including some, yeah, a bunch of planning implemented. They had a working group on sparse arrays. Specs were worked on. And even some pytest stuff.
So community building, lots of great resources to try to get some of these core things together. And some, even some pytest plugins, which is pretty neat. And so one of the things here was like another pytest plugin. I'm like, cool. What's that do? So popped over. This is pytest regex. And well, if you've got a large, especially parameterized, but really a large pytest code, test code base, sometimes you've got like quite a few tests coming in. And how do you specify?
One of the ways you can pick out a subset of tests is to use the -k option to say, hey, I just want to use something that has tests like _3D in it to try to get those. But that might still be a long list. And what this is, is it has the ability and there is some logic in the -k. So if you don't know about the logic of the -k, definitely read my book or take my course. But it isn't as powerful as a regular expression.
But with this plugin, you can use a regular expression to select the test names, which is kind of awesome. I think it's kind of awesome. It's also kind of scary to think of using regular expressions in test selection. You're going to need to write a test for your command line. Yeah. Okay. So pytest regex is one of my extra, extra extras. The next one on the list is this write up called by J. Carlos Roldan, I think. My latest today I learned about Python. And a lot of these are fun.
But the thing that I wanted to highlight, oh, I guess I always just forget that underscores are a thing for long numbers. And it's very handy for constants. Okay. The thing that I thought was neat was this, what was it? There was an example of a decorator with just a class. You don't have to import anything or decorator stuff. If you just have a class with a dunder init and a dunder call, you can implement your own decorator. And I didn't realize that it was that easy.
So kind of a cool, small example. All right. Next up on our extras is, and last, is Ruff got a little faster. So version 0.4 of Ruff is supposedly greater than two times faster, which is 20 to 40% speed up. So these are pretty neat numbers. So it was already pretty zippy already. So it's pretty cool. Anyway, those are my extras. Yeah. Very cool. That was 0.4.0. Yeah? Yeah. Okay. I think that's not out yet, but it's going to be or something. That's awesome.
I just did my pipx upgrade-all, which is a really cool command. Just go find all the things that uses Python command line tools and upgrade them. And I got 1.3.0.1.37. But very cool. All right. Well, that's a lot of extra. All right. Well, yeah. So. Not the end of extra, I'm thinking, but a lot of extra. Yeah. So let's talk about PyPI and packages.
Now, I've covered this a fair number of times where we've talked about, oh, there's somebody uploading some horrible package that if you install it, bad thing happened. Bad things happen. But this has nothing to do with that. Not directly, anyway. Even though it might sound like it. PyPI has completed its first security audit. Okay. So this is an article, I believe by, no, Dustin Ingram.
And it says, who's part of the Python packaging group authority, says, we're proud to announce that PyPI has completed its first ever external security audit. The work is funded in partnership with the Open Technology Fund. And they've done previous security stuff there. And they selected Trail of Bits, which is a very well-known security pen testing company, to work on it. And they spent, so if you've ever thought, like, should I have a security audit done on my project?
Maybe. But Trail of Bits spent 10 engineering weeks of effort going, trying to break into the systems and break them and look at the code and making sure everything is good. That's a lot of, I don't know what that costs, but that can't be cheap. So, you know, it's really cool that that was funded to make that happen. The other important part is the scope.
So this has to do specifically with what's called warehouse, which is when you go to pypi.org, that thing, that website, the APIs, the stuff behind the scenes that people create accounts at that they upload packages to, right? Like that infrastructure, not pip, not the packages stored in pip, but like the infrastructure that provides the website and the APIs.
As well as something called Cabotage, a custom open source container orchestration framework that they created to deploy Warehouse, which sounds interesting. And I know nothing about this, but those are the two things which were, and the really nice part, everything's pretty much fine. They decided that they didn't have any significant problems. They found 29 different advisories. 14 were informational. Six were low priority. Eight were medium and zero were high priority issues discovered.
So that's pretty awesome, right? That is pretty cool. Yeah. So there's multiple articles and details published as follow up. So like all of the stuff that they did there, it's all public and you can check it out if you wish, but I feel like that's, it's enough to give people the idea there. So thanks Dustin for writing that up. And very good to hear that at least the infrastructure of PyPI is solid. Cabotage sounds like a soup or something. Had a lovely cabotage last night for dinner. It does.
All right. Well, that's our main items, Brian. How are you feeling about it? Got any more extras in there for us? I have some personal extras. So I wanted to shout out or just to highlight some personal extras. So on the pytest course that I have, the community was based on Slack, mostly people trying to use Slack, but Slack has this 90 day limitation thing on large communities. So, and it deletes stuff.
So I'm, I'm trying out, I'm going to try out Podia community for the community feature of pytest courses. So I was just kind of hoping to reach out and say, has anybody tried pytest community or not pytest that? Has anybody tried Podia community features and have a community set up on that? How's it going? If you, if you, if you have, and you have some feedback for me, go ahead and try, contact me at, at, on Mastodon. I'm at Brian Okken at Fosstodon.
Let me know if you have a cool community that I can check out. That'd be neat. And if you're interested in joining the pytest community itself, you can of course buy a course, but you can also, I'm going to try to open it up to other people. And if, when I do make changes, I'll announce it both through our newsletter. So become a friend of the show at Python Bytes, or you can sign up for the newsletter at Python Test Podcast also. I'll, I'll announce it on both of those things. So that's it.
Do you have any extras? Excellent. Ah, yeah. Let's see what we got here. I have some extras actually, but I got to set it up. I don't want to spoil the joke. It almost got the joke out there first. So the first thing is, recently had a lot of fun hanging out with Cecil Phillip and Brian Clark. Those guys wrote the VS Code course at Talk Python, which is an awesome course. Check it out at talkpython.fm. Click on courses, it's right at the top.
But as sort of a follow-up to that, we had a VS Code AMA. And so I had Brian and Cecil there, but also Luciana, who's been on the show before, and Karthik from the Python VS Code team. And we spent 35 minutes and 44 seconds taking questions from the audience and talking about features and direction of Python and VS Code. And that was a lot of fun. So people can check that out. It's on YouTube. And just, you know, go check it out if they want. Next, do you Gunicorn? Not Goonicorn.
Because the icon is a green unicorn. So Gunicorn has a CVE, which is not ideal. CVE means there is some problem worth giving a number and a record to. So this is CVE-2024-1135. And it's awaiting analysis, it seems. But Gunicorn fails to properly validate Transfer-Encoding headers, leading to HTTP request smuggling vulnerabilities. You don't want smugglers in your web app, do you, Brian?
No. No. By crafting requests with conflicting transfer encoding headers, attackers can bypass security restrictions and access restricted endpoints. So I would say maybe you don't want to do that. Hmm. Okay. Yeah. Yeah. It doesn't sound incredibly dangerous, but it is a 7.5. It is high in the danger level. So I guess it depends. To me, it just depends on how is, how are you actually restricting those things?
And what part of Gunicorn versus what part of your own code is actually checking whether something has access to a thing and so on. So, yeah. But I want to put that out there because you might want to update your Gunicorn. Next up, another announcement. You had the SciPy one. So PyCon South Africa, PyCon ZA, is going to be a hybrid event. And right now, the big news is that the talk submissions are open.
They prefer them in person, but they can be given remotely as well or recorded, I believe. So you can possibly submit a talk. If you're interested, the main conference is in October. So there's that. And speaking of conferences, this one was sent in by Philip Jones. Brian, what would happen if you had like a stealth conference that invaded some other conference? Like a symbiote. Sub. Yeah. So there's FlaskCon inside PyCon this year. Okay. So on Friday, they will be having FlaskCon 2024.
And, you know, the Friday, which is May 17th, PyCon US. And call for proposals are live. Basically, they give you some ideas of things they might find interesting and so on. But, yeah, there's a whole series of events and introduction from David Lord, who leads the Pallets project, which manages Flask, among other things. But, yeah, there's a whole from 11 a.m. till 7 p.m. Maybe till 6 p.m., depending on what you call a conference. Series just focused on Flask.
So I think that's pretty interesting. I'm most interested to just see how this logistically works out. But if you're going to be there anyway, that's cool. Yeah. Actually, it's kind of an interesting idea. It's on Friday, which I'm normally like, you know, going to other talks and other stuff on Fridays. I'd be curious to see some other piggyback things because at PyCon, there's the tutorial section before and then there's the sprints after.
But there's also, like, there's a lot less people in there. So there might be opportunities to do some other piggyback subconferences before or after as well in the future. Yeah. Interesting. Absolutely. All right. Are you ready to close this out with a debugging joke? Yeah, sure. Okay. We've got to do a little role playing here. Okay. So this is a conversation. You want to be the developer or you want to be the person curious about how developers work it out? I'll be the developer.
Okay. You do the green bubble. So here's a text exchange between somebody who's sitting next to a software developer on a train or something like that. And then texting with their developer friend, go make this make sense. Right. Okay. So here's the non-developer. Is it common for software engineers to take out their laptops on the train only to stare at them without doing anything? Well, yes. Legally, you have to or you lose your license as a software engineer. Oh, but seriously.
He just shut his laptop, opened it back up, pressed a button, and resumed staring at it. Oh, yeah. And now he's browsing his phone while staring. It's called debugging. You stare at the code until it works again. Why do you guys get paid so much? Pretty good, right? Yeah. Well, it's further than that. I mean, after staring at it for a while, I often bring in other people to stare at it with me. Can we just stare at this together for a while? Because my staring is ineffective.
It's called code reviews. Exactly. Sometimes AI will also stare at it with you. It could also propose new ways to break it. Yes, that's right. Yeah. All right. Well, lots of fun. Well, if I had pytest Leaping, I could just ask it why it's not working. Exactly. Come on. Why is my code going? Leap into action. What's happening here? All right. Well, thanks for being here, Brian. Thank you to everyone for listening. Bye.