Hello and welcome to Python Bytes, where we deliver Python news and headlines directly to your earbuds. This is episode 429, recorded April 21st, 2025. And I am Brian Okken. And I am Michael Kennedy. And this episode is sponsored by the folks at Posit Workbench. Thank you, Posit. Also, listen to them later in the show, of course. If you'd like to connect with us, please do so on BlueSky or Mastodon. We have all of those links in the show notes. We'd love to hear from you.
Love to hear new topics that you think we might want to cover. And if you'd like to listen to us live, head on over to pythonbytes.fm/live. Usually Mondays at 10 Pacific time. But you can also use that link just to find the YouTube channel to watch older episodes too. And finally, you don't need to write anything down while you're listening because we'll just send it to you. So head on over to pythonbytes.fm.
Join the mailing list or the newsletter list, and you'll just get an email sent every week with all the links, but it also has backup information of what you need to know to understand the story. So really nice, and we don't use it for spamming or anything like that. Michael, what do you got for us? I might have a problem. I like to self-host stuff too much. It means I end up with things that I have to take care of rather than just have a login somewhere. But I'm going to make a recommendation.
Nonetheless. So if you find yourself using Slack, I think even Zoom maybe, if you're using Jira, if you're using Notion, and you would like that all in one place rather than a bunch of different apps that you pay for, for free, for open source, self-hosted, or paid as hosted if you really want to do it that way, there's a project or tool or platform, whatever, called HULY, H-U-L-Y, an open source platform that serves as an all-in-one replacement for Linear, Jira, Slack, and Notion.
How cool is that? Okay. Okay. So maybe you want to have some place to do chat conversations. Or you want to store your documents. Or you want to do project management and sync it with your GitHub issues. Or do planning. So all of this stuff is super cool, I think. And even has video meetings. So if you want to also get rid of Microsoft Teams or Zoom or whatever, it gives you a nice private way to do all that, right? And I don't know.
It just, that really resonates with me as just like, here's this cool open source thing that we can do and we can run it. And we don't have to have all these different services. And I don't know about the others. I honestly don't know the pricing for Jira. I've never paid for Jira. But Slack is out of control. Slack is super expensive for what you get from it and things like that. And so having this with a bunch of dashboards, and it even has a nice self-hosting option.
So if you are a person who does Docker Compose, guess what? You just Docker Compose up, dash D, you have your whole platform running, which I think is pretty excellent. So that's how a lot of these self-hosted things are shared and maintained. So you don't even have to figure out how to put it into Docker. It's already there and set up. So you just run it and you're good to go. Just make sure you do backups. Pretty neat, I think. That's pretty cool. Yeah. And it also syncs both ways with GitHub.
So if you've got GitHub issues, it will sync with the issues. And if you have GitHub projects, it'll sync with those projects. So its project management tools and its issue management, like its Jira replacement stuff, is mirrored on GitHub. So not everybody has to use it. Like you can have internal people on this and external people just perceiving it as GitHub. I have GitHub issues. I was just talking to my therapist about it the other day.
Yes, indeed. And John Outer says, this is why I love the podcast. Thanks for the Huly recommendation. And loves self-hosting as much as I do. So awesome. Thanks, John. Yeah, holy self-hosting, Batman. Anyway. Holy self-hosting. Indeed, yeah. The problem is you can end up with, you're like, well, now I've got 12 apps to back up and maintain. But it is super cool to be able to say, we don't have to worry about data privacy.
We don't have to worry about sharing things or if those places get hacked or if they change their business model or if they go out of business. You know, you've got a self-hosted open source thing that you can fork and just run. And there's something cool about that. I wonder if anybody's got like, because this sounds great, but I don't really want to do that work. So I wonder if there's a self-hosting as a service service. I think there actually is. I'm forgetting the name of it right now.
But yes, there basically is a self-hosting as a service. Yes, it's amazing. Okay. What an interesting idea. All right, that's it for this one. Over to you. Okay. Well, I am going to talk about critical, oh, what are those called again? CVEs? Common, I should have practiced this, common vulnerability and exposures. So CVEs, we're used to talking about these when there's like really wide-scale attacks, but they kind of happen all the time, like vulnerability problems.
And this popped up this last week rather urgently because the CVE system, the entire system is sort of built on top of a non-for-profit called MITRE. And the entire system, but there was a contract with the U.S. government to maintain this database of CVEs. However, and this has been around for 25 years, it ran the risk of possibly going away because of all of the cost-cutting that our current lovely administration is doing. And so the – It's a waste. It's government waste, I tell you, Brian.
Like what? And it's not – it doesn't even – like a lot of people involved in this are volunteers anyway. That's just nuts. Anyway, so a 25-year-old CVE program ran the risk of going away. There was a letter that came out from the vice president of MITRE, gave notice of potential halt of operations. And apparently they had been worried about this for some time.
So there's this, in order to deal with this and possibly make sure that we don't have this risk in the future, there is now a CVE Foundation. So there's been an announcement as of April 16th that the CVE Foundation has been formally established to ensure long-term viability, stability, and independence of the CVE program. This is really cool. It isn't something they just suddenly did. They've been thinking about it for a while and planning it.
And there's an announcement at thecvefoundation.org, and they're going to release information about, you know, the transition, what its structure is, the transition planning, opportunities for involvement later. But right now there's just an announcement. But this is pretty crazy that we would, like, run the risk of losing this. This is how we talk about vulnerabilities. But apparently there was an announcement also, I couldn't find the link to it, that they did not lose funding.
So it's okay for now, but it's still the for now part. So the foundation wants to make sure that it's not a just for now. I still think it's something that we should fund as a government, but, you know, it is what it is, I guess.
I think we should fund it, but also I feel like maybe that should be more of like kind of in the style of Python or Mozilla Foundation or, you know, that it's tied to the U.S. government rather than just an international organization of people who are really committed to tracking security issues. It doesn't take insane amounts of funding to track these things, you know what I mean? Yeah, I have no idea what the work is involved for this.
Yeah, I don't know what the work is, but it's not like there's a lot of server infrastructure. It's not running like AI farms or something. Yeah, and it probably, the funding probably should be coming from like all the ISPs and big companies and stuff that are benefiting from this. I think so too, but hey, I'm not against the U.S. government. I'm glad they were doing it, but it just puts it in a weird situation these days. Yeah. Yeah, and Python became a CVE authority not too long ago.
The PSF, so they can announce their own CVEs around things in the Python space without going through an external, not convincing some other participant to allow them to list their CVE for Python and so on. So there's a bit of a distributed aspect of it. Now, before we jump on to thanking our sponsor, Brian, the thing that I was thinking of is Elestio, E-L-E-S-T-I-O, and it says fully managed DevOps or your cloud and open source software. And I've not used this.
It's not a recommendation, but we, as in they, deploy and manage open source software to your cloud provider of choice. So create a Hetzner server, point it at it, and then pick the various self-hosted things that you want and they will self-host them there for you. I believe that's how it works. Awesome. Self-hosting as a service. Who knew? Who knew? Well, I guess you did. But we also have Posit doing pretty awesome stuff. Why don't you tell them about it?
This portion of Python Bytes is brought to you by the folks at Posit. Posit has been making huge investments in the Python community lately. Known originally for RStudio, they've been building out a suite of tools and services for Team Python. Have you thought of all the things that go into a Python data science project? You need your notebook or IDE for sure, but you also need a server or cloud environment to run it. A version of Python, packages, access to your databases, and internal APIs.
That's a lot to set up. And if you change any of these things when you return to your project months down the road, you might get different results. Wouldn't it be nice to have all of this set up for you in one easy-to-access place whenever you want to get work done? That's the goal of Posit Workbench. Posit Workbench allows data scientists to code in Python within their preferred development environment without any additional strain on IT.
It gives data scientists access to all the development environments they love, including Jupyter Notebooks, JupyterLab, Positron, and VS Code. And yet it helps ensure reproducibility. Here's how it works. You or your team set up Posit Workbench on a powerful, dedicated server within your organization or on the same cloud service that is hosting your most important data sources, such as AWS, SageMaker, Azure, GCP, Kubernetes, or pretty much anywhere.
There, you create dedicated, pre-configured environments to run your code and notebooks. And importantly, you also configure access to proprietary databases and internal APIs. When it's time to onboard a new data scientist or start a new project, you just fire it up in Workbench, and it's fully configured and ready to go, including the infrastructure side things. All of this is securely administered by your organization.
If you work on a data science team where consistency matters, you owe it to you and your org to check out Posit Workbench. Visit pythonbytes.fm/workbench today and get a three-month free trial to see if it's a good fit. That's pythonbytes.fm/workbench. The link is in your podcast player show notes. Thank you to Posit for supporting Python Bytes. Indeed. All right, you ready for the next one? Yeah. Database. Database things.
So here's a really interesting free web app, I guess it is, that lets you draw and import and export and visualize database diagrams. So either you've got your own projects or where I see this being super useful is you're put onto a new project or you're a consultant. And they're like, and welcome for the two weeks. Here's the database and here's the app. Please fix it by now. And you're like, how do I even get started? What is here, right?
So this thing called drawdb.app allows you to draw, copy, and paste database diagrams. And if you go there, you can see there's really nice graphics, and the UI is quite nice for interacting with it. So it says you can try this for yourself for free. And what's interesting is it asks you to choose your database, as in like SQLite or Postgres or SQL Server or whatever, because it imports and exports SQL statements.
And those different databases have different database SQL dialects, which in and of itself is annoying. But let's just say, I don't know, I'll do Postgres, right? And you come in here, you can add a little table and you can then like edit that thing, give it a column, multiple columns, different data types, and create a second one.
Then you can say like grab one column from one database or one table rather, and then drag it and drop it in a field on another column and that'll create a foreign key relationship automatically, for example. And you can go over and you can say file, export SQL or import from SQL. And that'll generate the data definition language, DDL stuff, create scripts and create the indexes and columns.
Or if you got a database, you can export it and then load up this diagram based on what was in your database. And then visualize it, tweak it, save it, or just try to understand it. That's really cool. Yeah. And as far as I can tell, it's free. I don't know. Maybe there's some point where I pay for it, but I don't think so. So anyway, I think it's a great little app and people should check it out if they have databases they want to visualize.
And, you know, I'm usually starting with a drawing anyway, like drawing it on paper. So why not just draw it in something like this? Exactly, because then you could say generate my table from this. Yeah, yeah, that's cool. Cool. So not much more to it, but there it is. All right. Well, my last item is a, and I'm only going to cover part of this, but it is a blog post by Edward Lee called 14 Advanced Python Features.
And, you know, it's a listicle sort of a thing, but there's a lot of those like advanced Python features, and he even talks about this, that are really, really not that advanced. They're just stuff that people should know and some fun things for, you know, advanced for beginners, but not really. But I kind of really like this because there are things in this list that I really wish I would have learned earlier. And so anyway, I'll just jump in. There's a few things I wanted to pick out.
First off is typing overloads. And this is something that I just learned while reading this article. I didn't know you could do this. So within the typing module, you can say from typing import overload. And then one of the things you can do then is you can essentially list overloaded operations, overloaded definitions for a function call. And it's not really like full function overloading like we have in C or something like that. However, there's return types.
So let's say there's an example here that if you only pass in, if you pass in a certain type, then you're always going to get a list of strings. And if you're passing in a different type, then you always get a single string back. Those sorts of things are nice to have for typing or return types. And that's something that we don't really have in Python. You can't have a difference in just return type. So having that in place is kind of neat. I'm going to play with this like right away.
So that's pretty cool. Overloading functions with the typing. So I'll have to try that. Next up is something I've been using a lot lately is keyword only and positional only arguments. And specifically, so we now have these, a star or a slash that you can separate the parameters to a function, the parameter definition. And the asterisk or star means that everything after that is keyword-only parameters. And then the slash is positional-only parameters, and that's everything before.
So one of them is before and one of them is after. So in his example, he's got A, B, and then slash, C, D, star, E, F. So that means A and B are positional-only. C and D can be positional or keyword, and then E and F have to be keyword only.
And the thing that I'm doing a lot is why I'm using the keyword only one a lot is for functions that have, and these are all not usually API functions, but internal functions that have a lot of parameters that have defaults, And you would almost hardly ever pass it like just positional only because the defaults are, it doesn't really matter the order. It's just they all have defaults and there's a bunch of them.
So I really want all the callers of that, every place we're calling the function, to list which variable or which parameter they're defining as they call the function. And you can do that with the asterisks. Super cool. Yeah, that's really cool. Another thing that I think is really useful for that is if it's the same. A lot of times you're going to give it like numbers or true and false where you don't have a variable that you're passing in, but you have just some kind of constant.
Because if it goes 7, 7, 5, true, true, false, you're like, whoa, whoa, whoa. What are these? It's not like variable names are there where like X, Y, Z, like, oh, those are the dimensions. No, it just goes 7, 7, 5, like, hmm, which is which? You know what I mean? Especially true, true, false, true, something like that. If you force keyword arguments on it, then it's a much more readable thing at the call site.
Yeah, things that are generic, like you're just adding things, it doesn't really matter that your add function is A and B, but for true and false, you really want, what do those mean? I like those. It's a good addition. Last thing I want to come to is there's a list of, he said number nine is Python nitpicks, which is really a few topics around it, but it's listed as a nitpick because it's a bummer when people aren't utilizing this.
So the for else statement, and this is, I think, probably still controversial, is maybe a little bit, is whether or not you should utilize the else clause in for statements. And kind of, you know, it's like often before the else clause or without using it, you might have to say, Like something, his example is like a found flag to say, you know, whether or not you actually found the item you were looking for while you're iterating the for loop. And then you can check that later.
But there's else you could just say, you know, if you didn't find, if you never hit anything inside the for loop, you can else out. It's still a little weird, though. I still find it very, very good to make sure that you comment that to say what's going on in the else. They're using what you're doing in there. So, okay. I'm anti-else. I'm definitely anti-else. And, by the way, Guido, I heard him quoted at one point that said, if I had to do it over again, there would be no else statement.
I think it's just weird. It's like, does it happen when it breaks or does it happen when it doesn't break? Like, is break the thing you're looking for and else is the other? Or is break something weird and it was supposed to go? Like, it's just, I don't know. I know you can save one line of code, but it's too ambiguous to me. It's too weird. So else is if you didn't break, right? I think so. Yeah. Anyway. I think so.
Anyway, the fact that you got us, like, we got out of this discussion is like, I don't know, it makes it weird. For me, I'm out. I know I could do it, but I don't do it. Okay. Also, the Walrus operator, it's been around since 3.8, and 3.8's already deprecated or like end of life. So we can start using, definitely use the Walrus operator. Again, it's just saving one line of code, but I like it. How about Walrus?
I'm a fan of Walrus. I created the walrus operator this weekend, I believe. For me, I like it because it's the locality of definition. Like, I'm creating it for this if block and I'm going to use it in this if block if I need it. Otherwise, it's kind of like it's part of this thing, not something that might make sense later down the line, probably. For me, I like it. A couple more. Short circuit evaluation. I don't really care. I'm fine with a bunch of if-else's actually, if that's all you can do.
But the short circuit, which means using or, utilizing or to say, if you're going to do one thing or the other, you can use or short circuits. So once you hit one of them that's true, anything after that's not going to get ran. And you can kind of go crazy with that though and actually put logic in there. and I'm really not a fan of putting logic in the short-circuiting or operation, but that's just me.
But I am a fan of operator chaining and I often see this with people coming from different languages. They don't know you can do operator chaining. So I'll see like if zero is less than X and X is less than 10, you don't have to do that in Python. Just put them together and say zero less than X less than 10. So operator chaining is right. But also I think that we should have been a little more strict with operator chaining. And I don't think it, like, you can put anything in there, right?
But I don't think you should, like, for numbers, it should be less than. You should not be doing, like, greater than operator chaining. It's just weird. The number line is small to big. So please do that. That's all I wanted to cover for that. But there's a bunch of other great stuff in here. So definitely check out this article. Here's the full list. So LRU cache. Love it. Love it. f-strings. Love it. Nitpicks. I have some nitpicks with that statement. But you know what? It's fine.
Good, good, good find there, Brian. All right. Well, we're done with our main topics and I don't have any extras, Michael, but do you have any extras? Well, I thought the answer was no, but it turns out to be yes. Okay. Because something I just heard about right before was, oh gosh, assuming on this is all weird.
So there's, remember I wrote this article that said unsolicited advice for Mozilla or Firefox or something like that, saying, you know what, stuff that you guys are doing is, does not lead me in the right path, and here are five ideas that you might, right, try as a business to exist down the line, please do that. And so they're actually coming, I mean, I really doubt they gave a crap about what I said, but they are introducing this, um, this new suite of services. How about that? So Thunderbird, all seems to be based around Thunderbird, their email client, and Thundermail, which is a really interesting term. But they're offering like Thunderbird Appointment, which is kind of like Calendly or TidyCal or whatever. Thunderbird Send for private file sharing. I used to love Firefox Send, but it got abused by hackers and other badness. And so then it stopped working. But you could put just like, here's a URL, here's a password. The whole file just goes away in three days, give it to someone, and then they could have it. It was really great. It's all end-to-end, did all that kind of stuff. Also, some AI thing because of course there's an AI thing. And then Thunderbird Mail, hosted Thunderbird Mail, all that. Anyway, I think this is a cool idea. Thunder Mail.
Thunder. Thunder. Thunderbird. Oh. So, very cool. That's all I got for my extra. You can't spell mail without AI. That's right. Yeah, well, I'll tell you what, that seems to be what they think in their features that every mail client I find is like. And now we have some terrible AI thing that will just erase all your formatting and make you have to rewrite your mail if you try to use it. But it's here, and it's great. No, it's not. Anyway, shall we?
You know, Brian, we try to make it not too political here, but I got a political joke, in a sense. Okay, awesome. Are you ready for it? Yeah. So, this one came to us by many people, so thank you to everyone who sent us this in. Have you noticed, I don't watch the news a ton, but have you noticed that there's some talks about tariffs lately? Yeah. I mean, look, I think genuinely it's fair to say, like, let's discuss tariffs.
And if other countries have tariffs on us, does it make sense for us to not? I don't know. Whatever. I think there's a debate that can be had. But the way that it's been done is so just chaotic and random and on and off again and so on. But somebody decided that if that's a good idea for a global trade, boy, oh boy, wouldn't that be a cool idea for Python and for program languages and particularly for these pesky external outside of the standard library packages.
Yeah. So I present to you tariff, a Python package that imposes tariffs on Python import statements. And no, it's not just a joke. It's literally version one. It's not even zero anymore. And it is released on PyPI. So you can literally pip install tariff. What does it do? Well, boom, fire, fist emoji, fire emoji. A little reference back to Signal. The greatest, most tremendous Python package that makes importing great again.
Tariff is a fantastic tool that lets you impose import tariffs on Python packages. We're going to bring manufacturing back to your code base by making foreign imports more expensive. And so all you got to do is import it. You set your rate on the different libraries, like 50% tariff on NumPy, 200% tariff on Pandas and so on. And then when you import NumPy, it's literally 50% slower. It takes 50% longer than before. What do you think? That'll teach them. Yeah. That'll teach them.
Yeah. We're going straight back to self-hosted vendoring it in. Yeah. But what's not is it works. Like, you know, it's not just a weird joke idea, but somebody made it. It's open source. And the hat. The hat is good. Why tariff, you may ask? Because foreign packages have been stealing our CPU cycles for too long. It's time to put America first and make importing fair and balanced again. Obviously a parody package. Use it at your own risk. Yeah, other people stealing our CPUs.
We need to steal our own CPUs. Exactly. That is how we're going to do it. Yeah. Well, that's what I got for you. Is it funny? I don't know, but I think it is certainly amusing. It's not. When I look at my 401k, it is not funny, but you gotta laugh. You gotta cry. Those are one of your two reactions. Might as well laugh. Glad I like my job. 'Cause I'm going to be here for a while. Uh, anyway, thanks. Thanks for everything, Michael. Thanks for the joke. Thanks to everybody that shared them.
Um, like we said, a lot of people sent that in, but that is not a waste. That also gives us a signal that we, we might want to cover it if a lot of people are thinking about it. So, so thanks. Yeah. Thank you. All right. Bye. Bye Brian. Bye everyone.