Python Bytes

Author(s): Michael Kennedy and Brian Okken

Python Bytes is a weekly podcast hosted by Michael Kennedy and Brian Okken. The show is a short discussion on the headlines and noteworthy news in the Python, developer, and data science space.

Copyright 2016-2026

Episodes
  • #482 Mr. Beast's episode
    Jun 1 2026
    Topics covered in this episode: CVE-2026-48710: A Maintainer's Perspective; daily-stars-explorer; Markdown to pdf with pandoc and typst; postman2pytest; Extras; Joke. Watch on YouTube. About the show.

    Brian #1: CVE-2026-48710: A Maintainer's Perspective (Marcelo Trylesinski, suggested by Lee Luocks)
    - Short version:
      - users of Starlette: upgrade to Starlette 1.0.1
      - security professionals: we can't treat open source projects like corporations
    - This top link is a Starlette security advisory with the title "Missing Host header validation poisons request.url.path, bypassing path-based security checks"
    - The CVE apparently caused some negative press targeting Starlette.
    - However, "the vulnerability came from the application pattern and the deployment, never from something Starlette intended."
    - A quote from an OSTIF article: "This bug is a classic 'responsibility gap' where if this maintainer didn't patch, thousands of exposed projects would have to individually secure their projects. In doing this work, they've voluntarily taken on the responsibility to protect the ecosystem from long-term systemic harm. As with all open source projects, they owed us nothing and could have left this to be everyone else's problem and took the extraordinary steps of helping the ecosystem."
    - Both X40 D-Sec and Ars Technica expected immediate fixes and responses from Starlette.
    - That's not good. We can do better.

    Michael #2: daily-stars-explorer
    - Explore the full history of any GitHub repository.
    - 📈 Full Star History - Complete daily star counts for any repo
    - ⏰ Hourly Stars - Hour-by-hour activity with timezone support
    - 🔀 Compare Repos - Side-by-side comparison of any two repositories
    - 📊 Activity Timelines - Commits, PRs, Issues, Forks, Contributors over time
    - 📌 Pin Favorites - Bookmark repos for quick access without retyping
    - 📰 Feed Mentions - See when repos were mentioned on HN, Reddit, YouTube, GitHub
    - 💾 Export Data - Download as CSV or JSON
    - 🌙 Dark Mode - Easy on the eyes
    - Try/use it online at emanuelef.github.io/daily-stars-explorer or install it for yourself.

    Brian #3: Markdown to pdf with pandoc and typst
    - typst suggestion from Matt Harrison
    - Markdown is awesome
    - Pandoc is great for converting markdown to tons of stuff, but for pdf it goes through LaTeX, which is ... yuk (my opinion)
    - Pandoc also can convert to typst
    - And typst creates beautiful pdfs and is way easier (my opinion) to deal with than LaTeX.
    - New tools:
      - brew upgrade pandoc
      - brew install typst
    - Now convert:
      - pandoc something.md --to typst -o something.typ
      - typst compile something.typ something.pdf

    Michael #4: postman2pytest (via Mikhail)
    - Based on the Postman app
    - Convert Postman Collection v2.1 JSON into executable pytest test suites
    - Postman collections document your API. postman2pytest turns that documentation into executable regression tests that run in CI. No manual rewriting, no drift.

    Extras:
    - New blog, who dis? - testandcode.org is now on .org and a blog and soon to be a "publisher".

    Joke: Centering a div
    24 min
  • #481 Ways to die
    May 25 2026
    Topics covered in this episode: Dumb Ways for an Open Source Project to Die; How to create a pylock.toml lockfile; https://github.com/facebook/Lifeguard; Choosing a Python Logging Library in 2026; Extras; Joke. Watch on YouTube.

    About the show
    Sponsored by us! Support our work through:
    - Our courses at Talk Python Training
    - The Complete pytest Course
    - Patreon Supporters

    Connect with the hosts
    - Michael: @mkennedy@fosstodon.org / @mkennedy.codes (bsky)
    - Brian: @brianokken@fosstodon.org / @brianokken.bsky.social
    - Show: @pythonbytes@fosstodon.org / @pythonbytes.fm (bsky)

    Join us on YouTube at pythonbytes.fm/live to be part of the audience. Usually Monday at 11am PT. Older video versions available there too. Finally, if you want an artisanal, hand-crafted digest of every week of the show notes in email form? Add your name and email to our friends of the show list, we'll never share it.

    Michael #1: Dumb Ways for an Open Source Project to Die
    - Core categories:
      - The maintainer left
      - The maintainer is still there
      - Sabotage and capture
      - The release pipeline broke
      - Force majeure
      - The world moved on
      - The project split
    - Examples:
      - Bulma: PRs still from 2023, issues and PRs with no maintainer response for years, last release 1.5 years ago
      - diskcache: Similar, got hired by OpenAI, crickets after that

    Brian #2: How to create a pylock.toml lockfile (Tim Hopper)
    - Tim walks through using uv, pip and pdm to create pylock.toml files.
    - Recommendation: use uv export --format pylock.toml -o pylock.toml
    - He also has "How to install from a pylock.toml lockfile with pip", but the short version is: use -r because tools treat it like a requirements file

    Michael #3: https://github.com/facebook/Lifeguard
    - Lifeguard is a static analyzer to detect Lazy Imports incompatibilities and ease the adoption overhead for Lazy Imports in Python.
    - I'm more excited about lazy imports after my "Cutting Python Web App Memory Over 31%" experience
    - Some Python patterns depend on imports executing immediately. For example:
      - Module-level side effects — a module that registers a handler or modifies global state at import time will behave differently if that import is deferred.
      - The registry pattern — a module that registers itself (e.g., adding to a global dict) when imported will silently fail to register under Lazy Imports.
      - sys.modules manipulation — code that reads or writes sys.modules assumes prior imports have already executed.
      - Metaclasses and __init_subclass__ — class creation side effects may depend on imports being resolved.
    - Project Stage: Beta. Lifeguard is in active development. We are aiming to be ready for general use by the Python 3.15 final release.

    Brian #4: Choosing a Python Logging Library in 2026 (Ayooluwa Isaiah)
    - "which libraries matter, how they compare, where they overlap with the standard module, and when each one makes sense."
    - The slant of this article is the need to log JSON output, which seems reasonable as things like API entry and exit point logging will include JSON.
    - Covered libraries:
      - standard library logging, with a hat tip to python-json-logger (the same site has a guide to setting up python-json-logger)
      - structlog
      - Loguru
      - Logbook
      - picologging
    - Some benchmarks with structlog, stdlib+json, and Loguru, with structlog coming out faster
    - I liked the Loguru example. I'm going to have to try @logger.catch and logger.exception() for easily logging exceptions and serialize=True to enable JSON output.

    Extras
    Brian:
    - When Women Stopped Coding - Planet Money segment, spotted on BlueSky from Savannah Ostrowski
    - Lean TDD is now leaner. Still working on the audio version, but some great changes in version 0.7.1:
      - Ch 6, TDD Interpretations, move ATDD and some of BDD to chapter
      - Ch 7, Change name to TDD with Teams: BDD and ATDD
      - Ch 9, Lean TDD, streamline steps and chapter
      - Ch 10, Change name to Lean TDD with Teams: Lean ATDD
      - Ch 11, Lean TDD with AI, Add short discussion about guardrails and security
    Michael:
    - New course: Python Web Security: OWASP Top 10 with Agentic AI
    - All courses now with Spanish subtitles, see announcement

    Joke: Stop texting me
    33 min
  • #480 Proud Parents
    May 18 2026
    Topics covered in this episode: Using Django Tasks in production; Co-authored with Claude?; PyPI packages are increasing rapidly; httpx2; Extras; Joke. Watch on YouTube. About the show.

    Brian #1: Using Django Tasks in production
    - Tim Schilling shares how the Djangonaut Space website has been using Django's new tasks framework and some of the info missing from the official Django docs.
    - Tasks require a third party package, django-tasks-db, to actually run the tasks.
    - Article walks through all changes necessary to get an email process running to notify admins of new testimonials. Cool simple example.
    - With the db backend, you can monitor progress of tasks in the admin, to see which tasks are scheduled, completed, or have errors.
    - Some wishes for the community to implement:
      - new tutorial in the Django docs
      - Django Debug toolbar panel for tasks
      - test/mock backend
    - Great title for the wish list: "Thinks I'd like to see, but I'm too lazy to implement myself."

    Michael #2: Co-authored with Claude? (via Nik T.)
    - We don't put "executed on macOS", "edited with PyCharm", etc. in our commits. Why Claude?
    - Seems like a growth hack to me, that I don't really care to participate in.
    - Some projects that have formalized their thoughts on this: The Generative AI Policy Landscape in Open Source
    - Adjust to turn off in ~/.claude/settings.json, see the docs:

        { "attribution": { "commit": "", "pr": "" } }

    Brian #3: PyPI packages are increasing rapidly (Artem Golubin)
    - There's been an increase of published packages per week on PyPI
    - A pretty big increase in the last handful of months.
    - 30% increase since 2025, clearly due to AI
    - Artem is building hexora, a malicious Python code detector. Cool package too, it can:
      - Audit project dependencies to catch potential supply-chain attacks
      - Detect malicious scripts found on platforms like Pastebin, GitHub, or open directories
      - Analyze IoC files from past security incidents
      - Audit new packages uploaded to PyPI.
    - Artem is using hexora to analyze recently published PyPI packages and many are obviously vibecoded and trigger false positives for abuses of eval, exec, and subprocess
      - Side note: I don't think that's necessarily a false positive. Not malicious, but maybe a stupid-code-detector?
    - Lots are LLM related, lots have bots contributing code
    - Publishing rate is crazy; dozens to hundreds of published versions in a day is a bug, not a feature
    - Brian's proposal: PyPI should limit releases per day for any package to something a sane human would do, even if they make a mistake on a release, to maybe like 2-3, definitely under 10, in a day. And if the repo has obvious agent contributors listed, maybe lower the limit to 1-2 a day? Honestly, "move fast and break things" doesn't apply to breaking the commons.

    Michael #4: httpx2
    - More on the httpx, httpxyz, etc. changes: Pydantic people started their own fork, httpx2.
    - Michiel says "while we think httpxyz was definitely needed, we welcome httpx2 and think it should be the 'blessed' fork."
    - Kludex, who is among other things maintainer of Starlette, was considering a fork
    - As it stands, httpx2 is lacking the performance improvements they added to httpxyz. But it will not be long before they will add those, too.
    - Also they already made some smart decisions:
      - they are switching from certifi to truststore
      - they are switching to compression.zstd on Python 3.14+, enabling zstd compression by default
      - they merged httpcore and vendored it in their repository
    - Discussion on Hacker News

    Extras
    Brian:
    - The Four Horsemen of the LLM Apocalypse - Anarcat
    - Django/JetBrains 2026 developer survey is open
    - Pyrefly 1.0: "meaning we are confident that Pyrefly is ready for production use."
    Michael:
    - Just about ready to release the Python Web Security: OWASP Top 10 with Agentic AI course. Be sure to be on the courses newsletter to get notified.

    Joke: Proud Parents
    33 min