Page de couverture de Python Bytes

Python Bytes

Python Bytes

Auteur(s): Michael Kennedy and Brian Okken
Écouter gratuitement

À propos de cet audio

 Python Bytes is a weekly podcast hosted by Michael Kennedy and Brian Okken. The show is a short discussion on the headlines and noteworthy news in the Python, developer, and data science space.Copyright 2016-2026 Politique
Épisodes
  • #476 Common themes

    #476 Common themes
    Apr 6 2026
    Topics covered in this episode: Migrating from mypy to ty: Lessons from FastAPIOxyde ORMTypeshedded CPython docsRaw+DC Database Pattern: A RetrospectiveExtrasJokeWatch on YouTube About the show Sponsored by us! Support our work through: Our courses at Talk Python TrainingThe Complete pytest CoursePatreon Supporters Connect with the hosts Michael: @mkennedy@fosstodon.org / @mkennedy.codes (bsky)Brian: @brianokken@fosstodon.org / @brianokken.bsky.socialShow: @pythonbytes@fosstodon.org / @pythonbytes.fm (bsky) Join us on YouTube at pythonbytes.fm/live to be part of the audience. Usually Monday at 11am PT. Older video versions available there too. Finally, if you want an artisanal, hand-crafted digest of every week of the show notes in email form? Add your name and email to our friends of the show list, we'll never share it. Brian #1: Migrating from mypy to ty: Lessons from FastAPI Tim HopperI saw this post by Sebastián Ramírez about all of his projects switching to ty FastAPI, Typer, SQLModel, Asyncer, FastAPI CLISqlModel is already ty only - mypy removedThis signals that ty is ready to useTim lists some steps to apply ty to your own projects Add ty alongside mypySet error-on-warning = trueAccept the double-ignore commentsPick a smaller project to cut over firstDrop mypy when the noise exceeds the signalAdd ty alongside mypyRelated anecdote: I had tried out ty with pytest-check in the past with difficultyTried it again this morning, only a few areas where mypy was happy but ty reported issuesAt least one ty warning was a potential problem for people running pre-releases of pytest,Not really related: packaging.version.parse is awesome Michael #2: Oxyde ORM Oxyde ORM is a type-safe, Pydantic-centric asynchronous ORM with a high-performance Rust core.Note: Oxyde is a young project under active development. The API may evolve between minor versions.No sync wrappers or thread pools. Oxyde is async from the ground upIncludes oxyde-adminFeatures Django-style API - Familiar Model.objects.filter() syntaxPydantic v2 models - Full validation, type hints, serializationAsync-first - Built for modern async Python with asyncioRust performance - SQL generation and execution in native RustMulti-database - PostgreSQL, SQLite, MySQL supportTransactions - transaction.atomic() context manager with savepointsMigrations - Django-style makemigrations and migrate CLI Brian #3: Typeshedded CPython docs Thanks emmatyping for the suggestionDocumentation for Python with typeshed typesSource: typeshedding_cpython_docs Michael #4: Raw+DC Database Pattern: A Retrospective A new design pattern I’m seeing gain traction in the software space: Raw+DC: The ORM pattern of 2026I’ve had a chance to migrate three of my most important web app.Thrilled to report that yes, the web app is much faster using Raw+DCPlus, this was part of the journey to move from 1.3 GB memory usage to 0.45 GB (more on this next week) Extras Brian: Lean TDD 0.5 update Significant rewrite and focus Michael: pytest-just (for just command file testing), by Michael BoothSomething going on with Encode httpx: Anyone know what's up with HTTPX? And forkedstarlette and uvicorn: Transfer of Uvicorn & Starlettemkdocs: The Slow Collapse of MkDocsdjango-rest-framework: Move to django commons?Certificates at Talk Python Training Joke: Neue Rich
    Voir plus Voir moins
    32 min
  • #475 Haunted warehouses

    #475 Haunted warehouses
    Mar 30 2026
    Topics covered in this episode: Lock the GhostFence for SandboxingMALUS: Liberate Open SourceHarden your GitHub Actions Workflows with zizmor, dependency pinning, and dependency cooldownsExtrasJokeWatch on YouTube About the show Sponsored by us! Support our work through: Our courses at Talk Python TrainingThe Complete pytest Course**Patreon SupportersConnect with the hosts**Michael: @mkennedy@fosstodon.org / @mkennedy.codes (bsky)Brian: @brianokken@fosstodon.org / @brianokken.bsky.socialShow: @pythonbytes@fosstodon.org / @pythonbytes.fm (bsky) Join us on YouTube at pythonbytes.fm/live to be part of the audience. Usually Monday at 11am PT. Older video versions available there too. Finally, if you want an artisanal, hand-crafted digest of every week of the show notes in email form? Add your name and email to our friends of the show list, we'll never share it. Michael #1: Lock the Ghost The five core takeaways: PyPI "removal" doesn't delete distribution files. When a package is removed from PyPI, it disappears from the index and project page, but the actual distribution files remain accessible if you have a direct URL to them.uv.lock uniquely preserves access to ghost packages. Because uv.lock stores direct URLs to distribution files rather than relying on the index API at install time, uv sync can successfully install packages that have already been removed, even with cache disabled. No other Python lock file implementation tested behaved this way.This creates a supply chain attack vector. An attacker could upload a malicious package, immediately remove it to dodge automated security scanning, and still have it installable via a uv.lock file, or combine this with the xz-style strategy of hiding malicious additions in large, auto-generated lock files that nobody reviews.Removed package names can be hijacked with version collisions. When an owner removes a package, the name can be reclaimed by someone else who can upload different distribution types under the same version number, as happened with "umap." Lock files help until you regenerate them, then you're exposed.Your dependency scanning needs to cover lock files, not just manifest files. Scanning only pyproject.toml or requirements.txt misses threats embedded in lock files, which is where the actual resolved URLs and hashes live. Brian #2: Fence for Sandboxing Suggested by Martin Häcker“Some coding platforms have since integrated built-in sandboxing (e.g., Claude Code) to restrict write access to directories and/or network connectivity. However, these safeguards are typically optional and not enabled by default.”“JY Tan (on cc) has extracted the sandboxing logic from Claude Code and repackaged it into a standalone Go binary.”Source code on GitHub: https://github.com/Use-Tusk/fenceRelated: Simon Willison lethal trifecta for AI agents article from June 2025Claude Code Sandboxing Michael #3: MALUS: Liberate Open Source via Paul BauerThe service will generate the specs of a library with one AI and build the newly licensed library using the specs with another AI circumventing the licensing and copyright rules.AI that has not been trained on open source reads the docs and API signature, creates a spec. Another AI processes that spec into working software.Is it a real site? Are they accepting real money, or are they just trying to cause a stir around copyright? Brian #4: Harden your GitHub Actions Workflows with zizmor, dependency pinning, and dependency cooldowns Matthias SchoettleAvoid things like this: hackerbot-claw: An AI-Powered Bot Actively Exploiting GitHub Actions - Microsoft, DataDog, and CNCF Projects Hit So Far Extras Brian: GitHub is asking to spy on us, that’s nice Michael: Michael’s new SaaS for podcasters: InterviewCueDigitalOcean’s Spaces cold storage for infrequently accessed dataMinor issue about my fire and forget post, was a latent bug?Fire and Forget at Textual follow up article Joke: Can you?
    Voir plus Voir moins
    41 min
  • #474 Astral to join OpenAI

    #474 Astral to join OpenAI
    Mar 23 2026
    Topics covered in this episode: Starlette 1.0.0Astral to join OpenAIuv auditFire and forget (or never) with Python’s asyncioExtrasJokeWatch on YouTube About the show Sponsored by us! Support our work through: Our courses at Talk Python TrainingThe Complete pytest CoursePatreon Supporters Connect with the hostsMichael: @mkennedy@fosstodon.org / @mkennedy.codes (bsky)Brian: @brianokken@fosstodon.org / @brianokken.bsky.socialShow: @pythonbytes@fosstodon.org / @pythonbytes.fm (bsky) Join us on YouTube at pythonbytes.fm/live to be part of the audience. Usually Monday at 11am PT. Older video versions available there too. Finally, if you want an artisanal, hand-crafted digest of every week of the show notes in email form? Add your name and email to our friends of the show list, we'll never share it. Brian #1: Starlette 1.0.0 As a reminder, Starlette is the foundation for FastAPIStarlette 1.0 is here! - fun blog post from Marcello Trylesinski“The changes in 1.0 were limited to removing old deprecated code that had been on the way out for years, along with a few bug fixes. From now on we'll follow SemVer strictly.”Fun comment in the “What’s next?” section: “Oh, and Sebastián, Starlette is now out of your way to release FastAPI 1.0. 😉”Related: Experimenting with Starlette 1.0 with Claude skills Simon Willisonexample of the new lifespan mechanism, very pytest fixture-like @contextlib.asynccontextmanager async def lifespan(app): async with some_async_resource(): print("Run at startup!") yield print("Run on shutdown!") app = Starlette( routes=routes, lifespan=lifespan ) Michael #2: Astral to join OpenAI via John Hagen, thanksAstral has agreed to join OpenAI as part of the Codex teamCongrats Charlie and teamSeems like **Ruff** and uv play an important roll.Perhaps ty holds the most value to directly boost Codex (understanding codebases for the AI)All that said, these were open source so there is way more to the motivations than just using the tools.After joining the Codex team, we'll continue building our open source tools.Simon Willison has thoughtsdiscuss.python.org also has thoughtsThe Ars Technica article has interesting comments tooIt’s probably the death pyx Simon points out “pyx is notably absent from both the Astral and OpenAI announcement posts.” Brian #3: uv audit Submitted by Owen LemontPieces of uv audit have been trickling in. uv 0.10.12 exposes it to the cli helpHere’s the roadmap for uv auditI tried it out on a package and found a security issue with a dependency not of the project, but of the testing dependenciesbut only if using Python < 3.10, even though I’m using 3.14Kinda coolLooks like it generates a uv.lock file, which includes dependencies for all project supported versions of Python and systems, which is a very thorough way to check for vulnerabilities.But also, maybe some pointers on how to fix the problem would be good. No --fix yet. Michael #4: Fire and forget (or never) with Python’s asyncio Python’s asyncio.create_task() can silently garbage collect your fire-and-forget tasks starting in Python 3.12Formerly fine async code can now stop working, so heads upThe fix? Use a set to upgrade to a strong ref and a callback to remove itIs there a chance of task-based memory leaks? Yeah, maybe. Extras Brian: Nobody Gets Promoted for Simplicity - interesting read and unfortunate truth in too many places.pytest-check - All built-in check helper functions in this list also accept an optional xfail reason. example: check.equal(actual, expected, xfail="known issue #123")Allows some checks to still cause a failure to happen because you no longer have to mark the whole test as xfail Michael:TurboAPI - FastAPI + Pydantic compatible framework in Zig (see follow up)Pyramid 2.1 is out (yes really! :) first release in 3 years)Vivaldi 7.9 adds minimalist hide mode.Migrated pythonbytes.fm and talkpython.fm to Raw+DC design patternRobyn + Chameleon package Joke: We now have translation services
    Voir plus Voir moins
    46 min
Pas encore de commentaire