Python Bytes cover page

Python Bytes


Author(s): Michael Kennedy and Brian Okken

About this audio

Python Bytes is a weekly podcast hosted by Michael Kennedy and Brian Okken. The show is a short discussion on the headlines and noteworthy news in the Python, developer, and data science space.

Copyright 2016-2026
Episodes
  • #475 Haunted warehouses
    Mar 30 2026
    Topics covered in this episode:
      - Lock the Ghost
      - Fence for Sandboxing
      - MALUS: Liberate Open Source
      - Harden your GitHub Actions Workflows with zizmor, dependency pinning, and dependency cooldowns
      - Extras
      - Joke
    Watch on YouTube

    About the show
    Sponsored by us! Support our work through:
      - Our courses at Talk Python Training
      - The Complete pytest Course
      - Patreon Supporters
    Connect with the hosts
      - Michael: @mkennedy@fosstodon.org / @mkennedy.codes (bsky)
      - Brian: @brianokken@fosstodon.org / @brianokken.bsky.social
      - Show: @pythonbytes@fosstodon.org / @pythonbytes.fm (bsky)
    Join us on YouTube at pythonbytes.fm/live to be part of the audience. Usually Monday at 11am PT. Older video versions available there too.
    Finally, if you want an artisanal, hand-crafted digest of every week of the show notes in email form, add your name and email to our friends of the show list; we'll never share it.

    Michael #1: Lock the Ghost
    The five core takeaways:
      - PyPI "removal" doesn't delete distribution files. When a package is removed from PyPI, it disappears from the index and project page, but the actual distribution files remain accessible if you have a direct URL to them.
      - uv.lock uniquely preserves access to ghost packages. Because uv.lock stores direct URLs to distribution files rather than relying on the index API at install time, uv sync can successfully install packages that have already been removed, even with the cache disabled. No other Python lock file implementation tested behaved this way.
      - This creates a supply chain attack vector. An attacker could upload a malicious package, immediately remove it to dodge automated security scanning, and still have it installable via a uv.lock file, or combine this with the xz-style strategy of hiding malicious additions in large, auto-generated lock files that nobody reviews.
      - Removed package names can be hijacked with version collisions. When an owner removes a package, the name can be reclaimed by someone else who can upload different distribution types under the same version number, as happened with "umap." Lock files help until you regenerate them; then you're exposed.
      - Your dependency scanning needs to cover lock files, not just manifest files. Scanning only pyproject.toml or requirements.txt misses threats embedded in lock files, which is where the actual resolved URLs and hashes live.

    Brian #2: Fence for Sandboxing
    Suggested by Martin Häcker
      - "Some coding platforms have since integrated built-in sandboxing (e.g., Claude Code) to restrict write access to directories and/or network connectivity. However, these safeguards are typically optional and not enabled by default."
      - "JY Tan (on cc) has extracted the sandboxing logic from Claude Code and repackaged it into a standalone Go binary."
      - Source code on GitHub: https://github.com/Use-Tusk/fence
      - Related: Simon Willison's lethal trifecta for AI agents article from June 2025
      - Claude Code Sandboxing

    Michael #3: MALUS: Liberate Open Source
    via Paul Bauer
      - The service will generate the specs of a library with one AI and build the newly licensed library from the specs with another AI, circumventing the licensing and copyright rules.
      - An AI that has not been trained on open source reads the docs and API signatures and creates a spec. Another AI turns that spec into working software.
      - Is it a real site? Are they accepting real money, or are they just trying to cause a stir around copyright?

    Brian #4: Harden your GitHub Actions Workflows with zizmor, dependency pinning, and dependency cooldowns
    Matthias Schoettle
      - Avoid things like this: hackerbot-claw: An AI-Powered Bot Actively Exploiting GitHub Actions - Microsoft, DataDog, and CNCF Projects Hit So Far

    Extras
    Brian:
      - GitHub is asking to spy on us, that's nice
    Michael:
      - Michael's new SaaS for podcasters: InterviewCue
      - DigitalOcean's Spaces cold storage for infrequently accessed data
      - Minor issue about my fire and forget post: was it a latent bug?
      - Fire and Forget at Textual follow-up article

    Joke: Can you?
    41 min
  • #474 Astral to join OpenAI
    Mar 23 2026
    Topics covered in this episode:
      - Starlette 1.0.0
      - Astral to join OpenAI
      - uv audit
      - Fire and forget (or never) with Python's asyncio
      - Extras
      - Joke
    Watch on YouTube

    Brian #1: Starlette 1.0.0
      - As a reminder, Starlette is the foundation for FastAPI
      - Starlette 1.0 is here! - fun blog post from Marcello Trylesinski
      - "The changes in 1.0 were limited to removing old deprecated code that had been on the way out for years, along with a few bug fixes. From now on we'll follow SemVer strictly."
      - Fun comment in the "What's next?" section: "Oh, and Sebastián, Starlette is now out of your way to release FastAPI 1.0. 😉"
      - Related: Experimenting with Starlette 1.0 with Claude skills, by Simon Willison
      - Example of the new lifespan mechanism, very pytest fixture-like (imports and a stand-in resource added so the snippet runs as-is):

            import contextlib
            from starlette.applications import Starlette

            routes = []  # your Route objects go here

            @contextlib.asynccontextmanager
            async def some_async_resource():
                # Stand-in for a real async resource (DB pool, HTTP client, ...)
                yield

            @contextlib.asynccontextmanager
            async def lifespan(app):
                async with some_async_resource():
                    print("Run at startup!")
                    yield  # the app serves requests while suspended here
                    print("Run on shutdown!")

            app = Starlette(routes=routes, lifespan=lifespan)

    Michael #2: Astral to join OpenAI
    via John Hagen, thanks
      - Astral has agreed to join OpenAI as part of the Codex team
      - Congrats Charlie and team
      - Seems like Ruff and uv play an important role.
      - Perhaps ty holds the most value to directly boost Codex (understanding codebases for the AI)
      - All that said, these were open source, so there is way more to the motivations than just using the tools.
      - After joining the Codex team, we'll continue building our open source tools.
      - Simon Willison has thoughts
      - discuss.python.org also has thoughts
      - The Ars Technica article has interesting comments too
      - It's probably the death of pyx: Simon points out "pyx is notably absent from both the Astral and OpenAI announcement posts."

    Brian #3: uv audit
    Submitted by Owen Lemont
      - Pieces of uv audit have been trickling in. uv 0.10.12 exposes it in the CLI help
      - Here's the roadmap for uv audit
      - I tried it out on a package and found a security issue with a dependency not of the project, but of the testing dependencies, and only if using Python < 3.10, even though I'm using 3.14
      - Kinda cool
      - Looks like it generates a uv.lock file, which includes dependencies for all project-supported versions of Python and systems, which is a very thorough way to check for vulnerabilities.
      - But also, maybe some pointers on how to fix the problem would be good. No --fix yet.

    Michael #4: Fire and forget (or never) with Python's asyncio
      - Python's asyncio.create_task() can silently garbage collect your fire-and-forget tasks starting in Python 3.12
      - Formerly fine async code can now stop working, so heads up
      - The fix? Use a set to upgrade to a strong ref and a callback to remove it
      - Is there a chance of task-based memory leaks? Yeah, maybe.

    Extras
    Brian:
      - Nobody Gets Promoted for Simplicity - interesting read and unfortunate truth in too many places.
      - pytest-check - All built-in check helper functions in this list also accept an optional xfail reason. Example: check.equal(actual, expected, xfail="known issue #123"). Allows some checks to still cause a failure to happen because you no longer have to mark the whole test as xfail
    Michael:
      - TurboAPI - FastAPI + Pydantic compatible framework in Zig (see follow up)
      - Pyramid 2.1 is out (yes really! :) first release in 3 years)
      - Vivaldi 7.9 adds minimalist hide mode.
      - Migrated pythonbytes.fm and talkpython.fm to Raw+DC design pattern
      - Robyn + Chameleon package

    Joke: We now have translation services
    46 min
  • #473 A clean room rewrite?
    Mar 16 2026
    Topics covered in this episode:
      - chardet, AI, and licensing
      - refined-github
      - pgdog: PostgreSQL connection pooler, load balancer and database sharder
      - Agentic Engineering Patterns
      - Extras
      - Joke
    Watch on YouTube

    Michael #1: chardet, AI, and licensing
    Thanks Ian Lessing
      - Wow, where to start?
      - A bit of legal precedent research.
      - Chardet dispute shows how AI will kill software licensing, argues Bruce Perens on The Register
      - Also see this GitHub issue.
      - Dan Blanchard, maintainer of a Python character encoding detection library called chardet, released a new version of the library under a new software license. (LGPL → MIT)
      - Dan is allowed to make this change because v7 is a complete "clean room" rewrite using AI
      - BTW, v7 is WAY better: The result is a 48x increase in detection speed for a project that lives in the hot loops of many projects. That will lead to noticeable performance increases for literally millions of users (the package gets ~130M downloads per month).
      - It paves a path towards inclusion in the standard library (assuming they don't institute policies against using AI tools).
      - Thread-safe detect() and detect_all() with no measurable overhead; scales on free-threaded Python 3.13t+
      - An individual claiming to be Mark Pilgrim, the original creator of the library, opened an issue in the project's GitHub repo arguing that Blanchard had no right to change the software license, citing the LGPL requirement that the license remain unchanged.
      - A "complete rewrite" is irrelevant, since they had ample exposure to the originally licensed code (i.e. this is not a "clean room" implementation).
      - Blanchard disagreed, citing how versions 7.0.0 and 6.0.0 compare when subjected to JPlag, a library for detecting plagiarism.
      - Blanchard told The Register he had wanted to get chardet added to the Python standard library for more than a decade, since it's a core dependency of most Python projects.

    Brian #2: refined-github
    Suggested by Matthias Schöttle
      - A browser plugin that improves the GitHub experience
      - A sampling:
          - Adds a build/CI status icon next to the repo's name.
          - Adds a link back to the PR that ran the workflow.
          - Enables tab and shift-tab for indentation in comment fields.
          - Auto-resizes comment fields to fit their content and no longer shows scroll bars.
          - Highlights the most useful comment in issues.
          - Changes the default sort order of issues/PRs to Recently updated.
      - But really, it's a huge list of improvements

    Michael #3: pgdog: PostgreSQL connection pooler, load balancer and database sharder
      - PgDog is a proxy for scaling PostgreSQL.
      - It supports connection pooling, load balancing queries and sharding entire databases.
      - Written in Rust, PgDog is fast, secure and can manage thousands of connections on commodity hardware.
      - Features: PgDog is an application layer load balancer for PostgreSQL
          - Health Checks: PgDog maintains a real-time list of healthy hosts. When a database fails a health check, it's removed from the active rotation and queries are re-routed to other replicas
          - Single Endpoint: PgDog can detect writes (e.g. INSERT, UPDATE, CREATE TABLE, etc.) and send them to the primary, leaving the replicas to serve reads
          - Failover: PgDog monitors Postgres replication state and can automatically redirect writes to a different database if a replica is promoted
          - Sharding: PgDog is able to manage databases with multiple shards

    Brian #4: Agentic Engineering Patterns
    Simon Willison
      - So much great stuff here, especially Anti-patterns: things to avoid
      - And 3 sections on testing: Red/green TDD, First run the test, Agentic manual testing

    Extras
    Brian:
      - uv python upgrade will upgrade all versions of Python installed with uv to the latest patch release, suggested by John Hagen
      - Coding After Coders: The End of Computer Programming as We Know It, NY Times article, suggested by Christopher. Best quote: "Pushing code that fails pytest is unacceptable and embarrassing."
    Michael:
      - Talk Python Training users get a better account dashboard
      - Package Managers Need to Cool Down
      - Will AI Kill Open Source, article + video
      - My Always activate the venv is now a zsh-plugin, sorta.

    Joke: Ergonomic keyboard
    Also pretty good and related: Claude Code Mandated
    46 min