Hello and welcome to Python Bytes, where we deliver Python news and headlines directly to your earbuds. This is episode 481, recorded May 25th. May 25th, 2026, not 1926. And I am Brian Okken. I'm Michael Kennedy. And this show is sponsored by us. Check out all the Talk Python training courses, the pytest course, and thanks to Patreon supporters and also we've both written books so check out books also and I'll have a little bit of news on the Lean TDD later.
We both have something fresh for people that if they want to support us
they can check it out. Something fresh, yeah.
You can, if you've got suggestions or yeah, if you've got complaints, send to Michael, but if you have suggestions, send to either of us and the info is on the show notes, but we're on Mastodon and um and blue sky and all the all the places so um also if you're listening to this and would like to like see what we look like or watch the watch the stuff or show even show up live you can go to pythonbytes.fm live where there's a link to join the audience and during the during the recording
a lot of people sometimes people drop in questions and we'll answer them on the show that's fun and And lastly, you don't have to take notes because all of these, all of the links are, the links are in the show notes, but the links and extra information are sent out in the email newsletter. So you can subscribe at pythonbytes.fm and we will send you a whole bunch of information.
If you don't quite understand what we're talking about, there's some background information there too that will fill you in. With that, let's talk about something dumb.
Dumb ways to die. Dumb ways for open source projects to die. Oh, and let me count the ways. This one is by Andrew Nesbitt. It's an article. It's a taxonomy, I suppose, is the way you would put it. Pretty interesting. I think it creates some interesting ways to talk about and think about just open source projects and supply chain, mostly not security, although a little bit security, but also just stability, right? So this taxonomy is broken into a two-level tree.
So there's things like the maintainer left and the maintainer is still there. sabotage and capture, the release pipeline broke and so on. And for each one of those, there's a bunch of sub items that are really good. So for the maintainer left, I'll give you a couple of them. They're all pretty interesting. So I won't read the whole article, but I'll read off a few of them so you'll get the sense and you can come back and use this as a resource.
So under the maintainer left, we have the ghost maintainer, the simple and most common case. The last human commit is some years ago. Issues are accumulated unanswered. The repo is not archived, so it doesn't show up in any filter that would flag it. Usually the maintainer just moved on and it wasn't important enough to formally hand it over or shut it down. And it goes on a bit.
And by the way, Andrew references this weekend that Bernie research, he did, and basically went through different packaging platforms or services or whatever, like PyPI or npm and so on, and said like, well, which one of these are in an active state, a dormant state, a dead state, unknown, and has a percent dead. And PyPI actually has a very low percent dead. Conda is better. Maven is better. But everything else is worse, like quite a few others. So that's pretty interesting.
Yeah, it goes up there at like 20%. I know, that's crazy, right? So it's kind of like, let's take those and then categorize. So we went through and did a bunch of research on these and said, okay, well, why is it dead? What ways can it be dead? So there's the, just, they ghosted, right? The maintainer just ghosted. It's fine. There could be the corporate orphan. A company built and open sourced it with a team to run it.
and then pivoted or laid off the people and nobody updated it because they just, well, they're fired. That's an interesting one. There's the thesis orphan. I created this project as a PhD or master's thesis, and then I graduated and I'm done. I'm not messing with it anymore. I actually didn't enjoy it anyway. Funding cliff, similar, like it has a grant or an NSF grant or something like that. And then when the money's gone, stop and so on. Let's go on the next category.
So this one's also really common. The maintainer's still there, but there's the burnout plateau, still active by any metric you'd run. Typo fixes and dependency bumps get merged with the occasional thanks on an issue, but anything that needs actual design work or serious debugging is open indefinitely because they're just done. Custody battle, two maintainers fighting over it.
Toxic gatekeeping, you know, the person in charge of it just doesn't really want to maintain it, but also to all new incoming work. That happens a lot, I think, actually. Yeah, I think so. there's the sabotage and capture. Captured maintainer. Commit or publish access ends up with someone hostile. XZ is an elaborate version. Remember that two-year social engineering campaign that eventually talked that person into letting the person take over, but they were actually a state actor, we believe.
Addison Ware. And then we've also covered the protest where, this is bad, seems to be more JavaScript, but there it is. The legitimate maintainer deliberately breaks their own package. Colors and Faker were sabotaged by their author in 2022. LeftPad was unpublished entirely. Remember that one was pretty bad.
That was funny.
Why is there an entire package that just LeftPad's a string? Like, that's all it does. You know, it's just too fine-grained. All right. The release pipeline broke, a bunch of stuff around that. Force majeure, like, sanctions. Some people's accounts have been shut down or blocked because they've been frozen under export controls or other things like that, or taken down because of DMCA. The world moved on. This one we know well from the Python world.
The platform got stranded, like chained to an end-of-the-life runtime. Python 2 only, or requires a certain node version or whatever. And related to that is the transit of death. So the project's fine, the maintainer's present willing, but something two or three levels down in its own dependency tree can't be swapped out without a rewrite, like think Python 2, right? Why did a lot of stuff not upgrade to Python 3? because something it depended upon was Python 2 only.
And so there's no way to get there. You know what I mean?
Yeah.
API rug pull. I've seen this like, hey, I depended upon, I wrote something that wraps, like let's say the Reddit's API or Twitter API. And then those APIs go away. And guess what? Your app or library doesn't work. Or it's just superseded, right? Like there's no reason to do a thing if it's now part of the language or something like that. Project split. Yeah, that's pretty much it. Licensing. So what do you think? That's pretty neat, right?
Yeah. And one of the things that's unfortunate is because a lot of the open source, I don't know, there's a lot of projects, or there at least have been enough projects that has been painful that have had a lot of users and like something happened and it's not maintained anymore. And it's not, there isn't a really good way to transition away or to something else. And it gets messy. I mean, we had, I had a, like, even at work, we had a project that we were depending on that was by Python 2 only.
And it's one of those things of, like, we could have thrown money at it and just had a corporate, you know, a corporate entity could convert it. But we waited until a university, some university students did it. But, you know, that seems dumb. Why not throw money at it? I think for a lot of, a lot of these.
You could just pay the person, hey, I know it's on this old version, but would $5,000 make it work on the new version too? A lot of times people say, heck yeah. Or I've wanted to do it, but I don't have the time or energy, right?
Or get your own people to do the conversion work, take it over.
Honestly, I'd rather see companies support the maintainers and get it upgraded. But if that's not an option, Claude could probably upgrade it too.
Well, I mean, in the case where somebody just moved on, they're not interested in the project anymore, throwing money at them is probably not the right option.
Yeah, that's true. It depends on the situation. I'll give you two examples of these in the Python space that both make me say, well, one's in the front end CSS space is Bulma. I really like Bulma. Super cool project. It sells itself as a modern CSS framework and all these things. But let's see, when was the last release? Oh yeah, about a year and a half ago.
Really?
Weird. Which is really sad. Like there was a commit for something super, like, so this, I think this is an absolute telltale sign of this. So people out there thinking about projects they want to depend upon. This is a mega sign for it. So three months ago, the maintainer of this fixed issue 4000. What is issue 4000? The footer has a broken logo on the website. Meanwhile, it's got 50,000 GitHub stars, 4,000 forks. And that's fine. Like this guy, he doesn't owe the world anything.
If he built it, it's amazing. I actually use this. I love Bulma and I decided to keep using it even though it's basically dead in the water because I looked around and all the other stuff. It's like Tailwind, but way less complicated. And it's going to keep working. And in five years, I'll find something else. But right now I
could see it though. So you've got 10 minutes to work. Maybe you've got a half an hour on the weekend to work on it. You open this up and you see 346 issues and 175 pull requests. I just close my laptop and go outside and mow the lawn or something. I know.
No, I know. And so the guy doesn't owe the world anything. He created something cool and that's fine. He doesn't have to do, but there, here's something that bugs me. And I would just like to put this out there for, for people. And you know, I, if I have projects like this, I consider myself same and nothing. I have nothing of the scale.
But for example, if I go to the pull request section, I understand what you're saying, Brian, like, oh God, there's so much work here, but he should put some kind of message that says, Hey, listen, I just can't right now. So please don't submit any PR. I don't go do work that I won't even look at.
So if you look at the PRs, like there's one, one on February 20th, one on January 20th, and there's 175 PRs without even a response to them going back, you know, way, I don't know, how far do they go back? You got a page to it, right? Like 2018. You know what I mean? And so I just feel like it kind of bugs me that there's all these people out in the world go, oh, I'm going to help improve this project.
I'm like, I'm going to add the view CLI. Like, no, you're not, because it's not going to get responded to and so on. And also there's 36 people sponsoring the project, like paying money monthly to support it. Like, I just feel like at some point you're like, just please use it, please enjoy it, but don't do extra work to it because I'm not in a space where I want to or able to work on this right now. You know, I don't know. What are you thinking on that?
Well, I think that sometimes you're optimistic when you originally like write up a contributor guideline, but need to update it to say, Yeah, I'm not going to accept contributions, I guess.
Yeah, exactly. I think one sentence on the readme, like, hey, look, I just can't, like a big, bold, I can't right now, folks. So please just hold your thoughts, you know, and so on. Because anyway, so the other one is disk cache, which I use and love. What? That's abandoned? Last commit two years ago. Maybe it just works, though. Yeah. But here's the thing. Well, I mean, there's 20 pull requests, 50 issues, no responses. The guy Grant, I don't know him. I don't know his background.
But I noticed that he was hired by OpenAI almost exactly just a little bit after the last release. So he's just, I don't know if this was captured in the taxonomy, but like I've been, it is actually, I can't remember which one, but there's like one of them where, hey, if you get hired at a company that doesn't let you do open source, your projects kind of like de facto die, unless you can get someone else to do it. You know what I mean?
Or you did open source to try to be well-known enough hired by OpenAI.
I'm not saying there's a negative outcome. Probably an amazing outcome for Grant. So congrats to him. And again, he doesn't know the world or anything. I think this is a little bit different because it's really a wrapper on SQLite and SQLite is constantly being maintained and updated. So I feel less worried about it. Anyway, dumb ways for open source projects that I, there's just two examples. I think this is important, especially for newcomers to open source and Python.
When you add something to your project as a requirement, you should know,
the consequences of doing that right um i want to add one more thing there's a there are a lot of packages that really don't need that a lot that many updates um even if even if they have issues in pull requests they might be just maybe the maintainer's not that great at saying you know i don't feel like it or something um but one way to keep it like to to keep it noted that it's alive is once a year update your tests to the new python version um then it's at least a year old and you
know it's being tested on the latest Python. And that's the bare minimum, I think.
Yeah. Change your classifier. What are those things called? Your classifier to just say, take out the old Python, put in the new Python, something like that. You have a classifier in here and you're good to go. Yeah. But projects can be done. They definitely can be done. It's just, they don't need more changes. But I think it's all pretty interesting, but let's take us on to more packaging talk.
Yeah. Okay. So the, I wanted to talk, this is a brief one, but, um, this is a Tim Hopper article on how to create a PyLock Toml file. And, um, I just kind of forgot that these were sort of rolling in at different times.
And as of May, um, now of 2026, there's now three ways to create these these guys so uh he he covers um using uv pip and pdm and notes that uv is the only one that says it's in stable status uh the pip lock uh piloc tunnel generation is experimental and so is pdm experimental i didn't know pdm did it i'm not really a pdm user um but the uh yeah just uh sort of sort of running down uh how to how to create lock files with the all these tools and it's kind of just a general neat tutorial with the
recommendation of why not just use uv because it works the incantations a little magic it's uv export --format by lock Tomo with an output of pilot all hmm seems you're done I wonder if there's there are I think there's a
global config for uv I wonder if you could put it in there that'd be
interesting I don't know and if you the he also has apparently a companion page of how to install and the how to install is the short version is use -r because every they all the tools treat it like a requirements file so oh not completely interesting no depths oh you know no dependencies okay anyway yeah just creating by like toml files I'm and yeah it's kind of the way we were moving so
That's it. It sure is. Very interesting. Now, let's talk about lifeguard. So lifeguard, we've talked about... That was a good summer topic. Exactly. A lot of places, at least in the U.S., public pools open on Memorial Day and all the lifeguards go back to work and you need a lifeguard job. And it's often a rite of passage of high school to work as a lifeguard. So this works for lazy imports. Remember, lazy imports are coming in Python, which is going to be really nice.
And I was pretty interested in before, but then I did that work where, and I wrote it up, said, we talked about it here, cutting Python web app memory by 31%. A lot of that had to do with imports and changing imports and only using heavyweight libraries when they actually executed the code that needed them. But so lazy imports, good, I think. However, lazy imports also can have incompatibilities in other issues. So this lifeguard library will go through and find those issues.
It's, I don't know if we, it's kind of an interesting juxtaposition. It has 56 GitHub stars. So it's kind of like brand new, which is fine. It's just like a linter type thing made by Facebook. So it's probably something that meta used internally and they just open sourced, you know, a couple months ago. So that's all good. Looks like it is a Rust based thing because it as a cargo folder. And that was two months ago when it was created.
I don't know when it actually came out public on GitHub, right? Because you can have a private repo and then flip it to public at some point. Anyway, it says, what are lazy points? We talked about that in ports. But it says, the idea is obviously, especially in large code bases, this both increases startup time and lowers memory usage, which is great. However, sometimes it doesn't work because there's certain Python patterns that require these things to execute immediately.
So module level side effects, like a module that registers a handler or modifies global state at import time will behave differently if its import is deferred. Think about something that sets sysstat at exit, right? So it wants to run some code at exit to unravel something. But that's only there if you call the function that causes the lazy import to load and so on, right? As opposed to the way it does now. The registry pattern. So dependency injection, I'm guessing.
A module registers itself added to a global dict that when imported will silently fail under lazy imports. Sys.modules manipulations. Code that reads and writes Sys.modules assumes that prior imports have already executed. Interesting. And metaclasses. Class creation side effects may depend on. So you can just run this against your project and it'll tell you how safe are your lazy imports. And you can't be lazy. It's a lifeguard. Looks out for you. So you don't, I guess, drown in lazy imports.
Yeah. Anyway, I just want to put that out there for people because this is coming in Python 3.15. And it's always better to go, hey, let's test our package or our application on this new version before it's actually released. Especially if you have a package other people use, right?
Yeah. And I guess that I think like testing is often pretty safe to do lazy imports. So I just want to throw out, I don't have a link or anything, but a reminder to people that if you're loading something fairly large for testing purposes and you have a big suite, You can throw that into a conf test or not a conf test. We could do me in a conf test, but you can throw the import into a fixture and even an auto use fixture and it'll, it'll load at runtime instead of test collection time then.
So it's a lot faster.
That's very good. You're focusing on just some category test or something like that. You don't have to do it. All right, let's log it.
Let's log it. So there's a, I ran across this article called choosing a Python library log, choosing a Python logging library in 2026. And this just kind of came up at the right time because I've got a project that I'm switching to use. My plan is to switch it to use Logaroo. Logaroo? I don't know. Logaroo. L-O-G-U-R-U. And the, but so I was looking at this just because it's interesting. So the comparison is to the straight logging module, struct log, Logaroo, logbook, and Pico logging.
And it looks like they sort of gave up on some of those. But one of the interesting things about using straight logging was that doing structured output like JSON, like logging JSON information, is a little bit difficult. So their recommendation right off the bat is to use a project called Python JSON Logger, which I didn't know about, which you can use with the standard logging module. And it just makes logging easier.
They even have a, the same, same people that wrote the original article have a setup guide, a practical guide to setting up the JSON logger. So that's, that's cool. And especially I was thinking like, especially for API endpoints or entry points or whatever, that's important, but there's, he's JSON all over the place. So, but so just talking about comparing them all and they didn't really give an example. They actually talked about, well, they have examples, but they didn't recommend anything.
Actually, the recommendation really was use the standard logging module unless you have a reason not to because it's being supported everywhere. But I really liked the Logguru example of just how easy it looks to set up. And we've covered this before, but especially if you have a lot of people that are, you know, logging kind of looks complicated. And if you've got a small team that all understand it, that's great.
But if you have a large team, it might be easier just to have an easier logging system. And that's where I'm kind of leaning. And the setting up JSON output, you can say serialized equals true. Now, I don't know. I think that means that converts every log record to a JSON output. So that might not be. It's not logging JSON stuff. It's actually the output is a JSON thing. So you can read it somewhere else, which also might be kind of cool. But I probably won't do that.
Yeah, you could have two logs. You could set up a logger to a file that logs without serialize and one that logs. Oh, yeah. Right? So you have like a parallel, like a structured and an unstructured version. And when you just say log, it just hits all the attached destinations or whatever.
But the easy setup is what I'm looking for. But there are some caveats. Like it's harder to have multiple loggers apparently, or at least multiple configurations of different loggers. I don't know if that's true or not, but that's what the article says. One of the things that I, that I didn't know about with this is that there's a logger catch and a logger exception.
So there's different ways the logger catches a decorator to, uh, to log exceptions, uh, nicely or into your, into whatever log file you have set up. Um, so, or logging stream or whatever. Um, and that looks neat because usually, you know, Michael does no exceptions, but if there is an exception, uh, be able to, might be nice to look at that. Anyway, kind of a good rundown of what the logging libraries look like right now and now how to do structured output.
There was a performance benchmark, which was interesting, that it compared the standard lib plus the JSON stuff with struct log and Logaroo. And Logaroo is about the same as the standard lib with JSON. And struct log is about twice as fast as in some cases. So that's interesting.
Well, I use Logaroo by default these days. I really like it. But I've also used Logbook. I don't really use the built-in logging. It just seems complicated than needed to me.
I've been doing the built-in logging mostly lately. And I figured, you know, once I figure out like some, and I think I'm like with a lot of people that use it, I figured out one way that works for me, and I just copy and paste and do that. All right. Well, those are our items. Do you have any extras you want to talk about? Sure do.
I sure do. Hold on. I have two fun things. So first of all, let's do this in order. A while ago, I told everyone that I have German subtitles available for all 283 hours of courses over at Talk Python. Training, the courses we got. Well, now we have Spanish as well. So I'm very excited to announce if Spanish is your language and you want Spanish subtitles to accompany the English spoken version. Well, click on Espanol and you'll be good to go right there. How about that? That's cool.
We took two and a half weeks of just grinding on translations to get it done, but there it is. I think it's going to be really great.
So what do you, what, you have German and Spanish now? Is that?
German and Spanish. Okay, nice. Now I'm working on Portuguese. Actually, I've done a lot of research and I feel like Portuguese will be the most beneficial for the tech folks. Because you got to intersect, you got to look at two things. You got to look at how confident is the group of people who speak a certain language in English, right? So for example, German, I did German first because I speak some German, so I could kind of spot check it a little bit and it made some sense to me, you know?
But German people are pretty good at English, especially tech-oriented ones. And so I was looking around and it turns out that I think Portuguese people are a little less comfortable with English than maybe German folks or I don't know, French. So I'm like, all right, then subtitles in their native language would be more helpful than not. So anyway, that's the kind of thing I'm trying to balance. So Portuguese is next.
Apparently there's a lot of like Python is one of is super popular in Brazil and other places. So excited for that. All right. So that's, that's one Spanish subtitles, not Portuguese, but Portuguese maybe in three or four weeks, something like that. And a brand new course. I'm super excited about this. Python web security is the course. And it comes in two components.
The OWASP top 10. So it goes through every one of the OWASP top 10 categories with two to three examples, sometimes in Flask, sometimes in Django, sometimes in FastAPI, the bad version, the good version, just purely learning the security issues. And then we turn it into an agentic AI course and start searching for bugs in your own code using agentic AI.
So we talked about how Mozilla found a bunch of bugs with Cloud, similar to that with some really custom OWASP and Python web app focused things. Yeah. So if you're publishing web apps or APIs on the internet, you definitely want to look at this because it basically gives you tooling and a blueprint on how to completely check your app for OWASP violations and beyond using things like Claude Code and others.
So you can, instead of hiring pen testers, you can do a first pass with this and then maybe find just a few more things. If, if you're that kind of company that can afford $25,000 or whatever for a pen test, or, you know, you could at least do this if you were going to do nothing. So I think it's really helpful. Thanks. All right. That's it for me.
Okay. I, I noticed this, there's an article that was on NPR or planet money, but I noticed it because on blue sky, shout out to where I got the information from. if my tabs work. Savannah Ostrowski. So posted this, said it was surprising. This is a disturbing article, actually. It's what happened to women in computer science. And I didn't realize this was going on so long. So basically, modern computer science is dominated by men. The percent of women in computer science was...
And also in the percent compared with other fields, like other physical sciences, law school, medical school. So it's an interesting comparison. But in the mid 80s, it was at its height at like 36% or something were women. And it's just been going down since then. And, you know, it's leveled off in like around 2008 or something like that. But this isn't good. And so I think we need more women in computer science.
And the analysis of this was really thought that this was because of the personal computers showing up in homes. And I guess families and teachers encouraging boys to play with computers more than they taught girls. And also a commentary from one woman that when she first went into her first computer science class, she asked a question. And the professor stopped and looked at her and said, you should know that by now. But it was like the first class.
And so I actually, my wife had the same experience. She took CS101 or something like that, or a basic class in high school. And all the rest of the kids had already played with it on their Macs at home or something like that. And she was an intro. So I think we need to change this. I think hopefully it's changing because I think there's less actual personal computers in homes now than there were in the 90s. So I think maybe, hopefully it's leveled the playing field. But who knows?
I'm glad that my daughter has already taken my, has taken some Python in school, but this is bad. I mean, software is not a boys or girls thing. If anything, the women started it. So we're, we're late comers to the, to the, to the game. Anyway, we need to fix this as a community. So the, the next thing, the other thing I want to share is that I am.
A field report, Brian. So at PyCon, I spoke to, I was speaking to several women and they, said just talking to each other something like there is a very good representation of women at this conference now and 10 years ago it wasn't like that and i i feel that's great and it's so it's really encouraging at least in the python space but in general i agree that the graph
is bad and it doesn't need to be that way i also wonder like a lot we get a lot of uh programmers from other fields though not necessarily computer science so i wonder if um maybe we need to but it It does say physical sciences. Maybe we're getting a lot of our women coders from other fields. I don't know.
I do think so. You know, my daughter was learning to do like data science-y stuff in her psychology field. And psychology, I think, has more women than men in it, right? And so to the extent that like the data science side brings people in, I think there's a really interesting, Python is super interesting because it brings people in from all these different disciplines. And it's not just a, unlike, let's say, Go or See, right? That's like a straight path.
You start in programming and you end in this location, right? Whereas with Python, it's got a much more diversity of sources, not necessarily people or genders, but like a diversity of different backgrounds that you come from to get into it. So I think that might have something to do with it as well, which is good.
Different generational things too.
I know we need to move on, but I remember when I was doing teaching at university, having some of the older students come in and not knowing i would i i was guilty of just expecting a lot of people to know a lot of the basics um know how to do word or excel or something like that and um and you don't people don't necessarily do that you can't assume anything really so yeah anyway um i am still working on the audio version of the uh the lean tdd book um and it's uh it's
coming along well but during in the process of doing a lot of the audio i've made some changes to the actual book. That's why I'm holding off on the official release because I want the audio and the official release to match. But a lot of changes have come in. Just, I published this morning, one of the things is separating out TDD with teams because the team aspects are different.
So I both have an emphasis on acceptance tester and development and then also how to apply those sorts of ATDD stuff to the lean concept. I also beefed up the AI chapter to talk about guardrails and security. So just a little bit. Anyway, it's coming along well. And I don't know. Who knows how long it'll take? My original plan was last January. So we'll see. Or, you know, January a few months ago. Congrats. That's awesome. Thanks. So it's still going.
Thanks to everybody that's contributed and helped out.
What skill do you need to be an author? Persistence.
yes humble humbleness yes uh speaking of persistence our joke is titled stop texting me so it's just a um just a screenshot of a chat conversation somebody has clawed in their they've clawed in their iphone i think it's an i it's an iphone um on their their messages right it says claude build a one billion dollar b2b sass platform from scratch make no mistake then it says red dude for the thousandth time this is Claude from the pickleball league i am not ai
ah that's funny and then of course there's comments there are definitely comments so instead it doesn't i think i said it this way but it's not spelled out dude for the thousand time this is Claude it's not the thousandth time so someone comments is it a legal requirement that someone named Claude should be able to spell correctly. And then, yeah, I don't know. It just goes on and on. This is funny. Yeah, anyway, comments are kind of fun too.
But for the thousandth time, this is Claude from the Pickleball League. I am not AI building this.
That's funny. I would totally build them a really crappy B2B SaaS and just charge them a billion dollars. I can give you a billion dollar company. You pay me a billion dollars, I'll give you something that earns at least a dollar.
Just because you spend a lot of money building the company doesn't mean it's going to make a lot of money. Exactly. There's no guarantees there. Yeah. But anyway, as always, it's fun. And we'll talk to you later. Yep. Thanks. Bye.