Python Bytes - #224 Join us on a Python adventure back to 1977
Episode Date: March 10, 2021

Topics covered in this episode:
AWSimple
coverage and installed packages
Finding Mona Lisa in the Game of Life with JAX
Python Package Index nukes 3,653 malicious libraries uploaded soon after security shortcoming highlighted
python-adventure
Exciting New Features in Django 3.2
Extras
Joke

See the full show notes for this episode on the website at pythonbytes.fm/224
Transcript
Hello and welcome to Python Bytes, where we deliver Python news and headlines directly
to your earbuds. This is episode 224, recorded March 10th, 2021. I'm Michael Kennedy.
And I'm Brian Okken.
And I am Calvin Hendryx-Parker.
Hey, we have a special guest, Calvin. Welcome to the show.
Hey, thanks for having me.
Yeah, it's fantastic to have you here. Always great to have a fresh face. I believe it's been
about a year since you were on the show previously, is that right?
I think almost exactly a year. Yes.
Yeah.
YouTube reminded me that it was one of the first videos of this whole, um, of Python
Bytes that we'd put up there before we were live streaming.
We'd record it and then put it up.
That was so last year.
I know.
I mean, Python Bytes, you guys have really upped your game.
I'm super proud of y'all.
Yeah.
So 2020.
Yeah.
Yeah.
Yeah.
We got our broadcast studio working right here in Portland, Oregon.
Super, super nice. Speaking of nice, I want to do a follow-up. You know, what's nice,
Brian, so often our guests, they send us all these items and, you know, we'll mention something
and we'll think this is like the first time I've heard of this. And they're like, and here's the
10 other amazing things that you've never heard of. Right. And so this, this is a little bit of
a follow-up along that before, actually, I realized, before I get into that though, Calvin, maybe you want to
just do a quick, who are you?
It has been a year.
It has been a year.
Everyone's going to remember who you are.
Sure, sure.
I'm Calvin Hendryx-Parker, co-founder and CTO of Six Feet Up, and also the co-founder of
the IndyPy group here in Indianapolis, the Python user group.
And we are also the organizers of the Python Web Conference, which I'll talk about later.
So that's kind of a quick rundown of me.
You're that company that hands out Python jersey shirts.
Oh, yeah, we do. We do some killer swag.
Yeah, for sure. That's a cool conference. Be fun to talk about that in a little bit.
So the first thing, though, that I do want to talk about over here is AWS Simple. We talked about
Boto type definitions, I think it was. And then someone mentioned that Boto type definitions
has kind of been deprecated, ignored, and so on. And so they pointed us at this mypy live generated
version that we talked about last week. And also we got a message from James Abel, who said,
hey, I built this cool library called AWS Simple. And I got it all flowed together to get all the S's to fit in there,
AWS Simple. And the idea is that it's a typed wrapper around the AWS API. And if you recall,
I kind of was harsh on the Boto3 API. And I can buy that because there's just zero discoverability
on how it works. There's like inconsistencies on how you pass parameters. Sometimes you pass
them by name. Sometimes you pass them as dictionaries with names in the dictionary.
Just a lot of stuff going on there.
And it's really not discoverable.
And so this one also is one of those libraries that's meant to help with that.
So it's a simple API for basic services like S3, DynamoDB, their hosted NoSQL database.
Simple notification service, simple queuing service. I don't know
if you guys have been to AWS lately, but you go to your console and it says, here's the two things
you've recently visited. See the rest. And it like, it scrolls. There's a lot. So this is clearly
not everything, but it is some common ones, especially around S3, I think. And it's also
maybe the kernel of other things, right? People often ask me, hey, what project could I contribute
to? Well, if you're like, I would really love to have simple email service and great integrated with this, like,
well, you know, it probably is easy to add like one more service. So some of the features include
a nice object oriented API on top of Boto3 with proper type definitions and classes and static
things that all the static type checkers and the editors all know about and love. You can write
really simple, like one liners to
do S3 read, write, deletes. It has automatic retry for S3. It has caching. So for example,
it will, when you get a file or upload a file, it will hash that result. And basically if you
try to get it again, it'll say, let me check the E tag. That's the way web browsers and servers
exchange. Like here's the sort of history
or the version of the file
and it'll check,
has this thing changed or not?
And so it'll not download the S3 file
if it hasn't changed.
And you ask,
it'll just use like the last version it got
since it touched it.
Things like that.
Some DynamoDB full table scans,
secondary indexes and pagination.
So there's some simple examples
like my S3 access.
And then maybe if you could maybe if
you could do DynamoDB, create a DynamoDB access and just put an item or get an item and off it
goes. Really, really simple. You know, as you would imagine something with a name like AWS Simple has.
But, you know, it's just one more thing around AWS APIs that I think is pretty interesting.
What do you guys think? I kind of expected a bullet to bury in there saying AWS Simple is not simple
because this is a massive undertaking
to try and make something like this simple.
Yeah, absolutely.
I totally agree with that.
I mean, it's pretty neat.
Over in their documentation,
they've got a little more examples
and a quick start guide and how to use it and so on.
But yeah, it's pretty easy.
You just do like S3, create bucket,
S3, write string to this key, go on.
It's quite easy. So, uh,
if you're struggling with the AWS APIs, this is a cool project. And again, it's, I think it's pretty
limited to just a couple of the services, so it's somewhere that if you got your favorite service
and you want something like this for it, you know, reach out to James and add it. Yeah, and all of the
services could be added, and then AWS Simple could be as complex as everything else. Exactly. Like, I can
barely install this thing anymore, it's really legit. Yeah, they're trying to become the AWS APIs
for humans, kind of like requests for HTTP, you know, urllib. Yeah, maybe. Um, I mean, Boto3 was kind
of like that too, right? Well, S3 again, the S3 APIs, they've changed names, they're inconsistent, it's
really hard to like parse. Sometimes as a human,
like the uploading process
of like multi-part uploads,
if you're not into the web,
this could be really daunting.
Sounds like this is a great way
to enter this space
and not have to learn all that stuff.
I can't just do this thing.
I got to create a waiter
and I got to wait on the thing
and so on.
Yeah, absolutely.
Dean Langtham up there
in the live stream said,
it's amazing to me
how many of the most accessed APIs in the world
need third-party packaging to make them useful.
Yeah.
I mean, if it weren't such a small little rinky-dink company,
if they could hire a bunch of developers to work on this.
Like, oh, wait, no, it's Amazon.
No, I totally agree with you, Dean.
That's funny.
All right.
Yeah, so AWS Simple, check it out if that appeals to you.
Brian, what you got for us?
Well, I was going to...
How do we do this?
Oh, yep.
We both clicked.
Sorry about that.
It was a race car.
So I learned something new the other day.
And I learned something new about something old.
So I've used Coverage.py a lot over the past several years.
And I've even covered it a lot on the Test and Code podcast a couple times.
Covered it on the podcast.
Yep, that's a meta joke.
Anyway, there's something I missed the whole time.
So there's a source thing.
So you can tell coverage where the source code is,
where the source is for whatever you're covering.
And hidden in here is the source can be, uh, the sources, either
directories or packages. It's the "or packages" I never saw before. So that's why, why this is
significant, and apparently this has been here the whole time and I just missed it. Um, is there was a
workaround. So if I, if I'm testing, uh, if I've got, if I'm developing a package and I want to test it as an installed package,
I install it and then I run the tests against the installed package.
But how do I run coverage against that?
And there was an old trick to, and I guess it still works, is to use the paths option
within coverage to say these two paths are identical. So you could say the actual source code
directory is identical to the site packages directory so that it kind of lines everything
up. And then it reports, even though it's measuring the coverage on the installed package,
it reports it as if it was sitting in the source directory. And so I've been doing that in the past. And that still
is a good idea so that the output is readable, but it isn't required. You can just pass in the
name of your package without the .py or anything, or if it's just a file, but just the
name of the package and it just reports it. And yeah, anyway, I just figured that maybe some people
out there have missed that also. It's very handy. Well,
you might wonder, like, why are you testing packages? I, I don't need the coverage of requests when I use
it. I just know that I use it and we're all good. Well, if you're developing requests, you might want
to come... Yes, exactly. Or, you know, it may well be that you're building your application out of
several packages that you control and you kind of want to keep them separate for reuse, but you might also want to know, like, how much am I interacting with that one? Right.
Oh, that's a cool use, to say really, what, how, how much am I interacting with the package? You could
run coverage on that. Yeah, if it's zero, take it out of your, uh, requirements. That would be super nice.
Yeah, this is really cool. Yeah. Also, uh, I guess when, one of the, the reasons why that might be
handy is if, if they change, drastically change an API, like go to a new dot, you know, like a three dot
something to four dot something, um, what is the API change, and you could check to see if you're
even using that API, um, or that entry point. That might be... That's interesting. Yeah. Yeah, that part
was like a breaking change, but, but I don't care.
Yeah.
I can really see the,
there's a huge use case here though
for old code bases
where the developers aren't there anymore
and there's been dependencies brought in
and you don't know exactly what's being used.
So this is like super nice to be able to do that.
Yeah, and of course, as a reminder,
you can have as many of these as you want to.
So if you're wanting to measure several packages,
you can add multiple source flags. And if you're using pytest-cov, it's the cov flag. So you, which
is identical. I'm not sure why they used cov and dash cov instead of dash source, but there you go.
Interesting. Okay. Yeah, yeah. Super cool, super cool. So Calvin, I didn't know that you were, uh, an artist.
I wish. Uh, maybe more machine, more of a machine learning artist.
But machine learning artist.
This really interesting article came up on my news feed last week, which was finding
Mona Lisa in the Game of Life with JAX.
And so there's three interesting things there, like Mona Lisa, Game of Life, and then JAX.
The author was attempting to find if he could start with a starting set of points on a Game of Life. Uh, if
you're not familiar with Game of Life, there's whole Wikipedia articles about that. But if you
could basically seed, uh, an initial Game of Life and after so many generations have it show you a
picture. So he actually started with the, uh, Mona Lisa and kind of went through what it would take
to go from, you know, a Game of Life running all the kind of constraints that happen in that. But this seems like a really interesting machine learning
problem. And that's cool. So it, like, it randomly runs the Game of Life, but then the
ML says, oh, that's starting to look like Mona Lisa, more of that. Well, it's more of, uh, I'm
going to run a generation of Game of Life and then reset. I'm going to invert some pixels again and go again until I can generate what is my target picture.
And it took a lot of CPU cycles.
He basically wrote a simple single threaded version of this in Python.
And there's Python notebooks included with the GitHub links in here.
But it took days of CPU time for him to run the initial four generations to see if we could even make this be possible and then kind of went...
And as with any machine learning project, it's really important to understand, like, the preparation
of your data before you kind of go dive in. So what I also thought was interesting in here is
he talks about the preparation of data, uh, kind of down here, pre-processing, you know, using PIL to
understand how to generate that target first. Yeah, give it, the Game of Life algorithms, a chance of getting
it correct. Came into, like, you know, really halftones would work better because there's some
constraints around Game of Life that the whites can't be contiguous, too contiguous, because they'll,
they'll kill each other and it ends up being all black. Uh, and, but at the end, the kind of goal of
this was how fast can we now do it? Take the single, single threaded Python example, which took hours or days of CPU,
can we actually do it on a GPU? And so there's a JAX library, which is a machine learning library
in Python that allows you to actually, like, super parallelize the problem. So if you can actually
slice the problem up, show this kind of example here in pictures, which is kind of nice for a
person who doesn't do a lot of machine learning. They actually kind of show you what the process
looks like and hyper parallelize this. Basically in 40, he went from days of CPU time down to 40 seconds to get, uh,
through the first, um... What was the final time? 40 seconds? Uh, yeah. Yeah, it was ridiculous. It's like,
so a thousand iterations. So the first one was four, four generations took days. The next one, where he
did it with JAX, was a thousand iterations, took 40 seconds on a Google Colab GPU.
So JAX is basically a Python library.
I've got a quick little quick start over here.
Neat library that actually you kind of have to alter your brain to a little bit to how you code so that you can code in a way that can be hyper parallelized across all the GPUs.
I mean, for people who aren't familiar with GPUs, which you may not be because good luck getting a GPU right now, they're unobtainium at this point. But if you
did have a GPU, you can take advantage of those, you know, how many cores are in some of these
modern GPUs, like thousands in the new, like NVIDIA ones. Every time that I try to think about
and try to conceptualize like how fast and how much these things can do, I'm like, whatever that
is, it's probably off by 10 or many, many more.
Yeah.
Factor of 10, just like ramp that up
to beyond what you can think is reasonable.
It's when you think of,
we've got a half a million polygons on the screen
and we're going to draw that.
Oh, we're actually going to do that 200 times a second.
Right.
So what's interesting is if you are doing
some machine learning experimentations,
learning a tool like JAX
may actually help you speed up your iteration. So you actually can get some useful results out of it. Because a lot of
machine learning is kind of picking out what your algorithm algorithm based algorithm is going to be,
but you have to run it enough to know whether your algorithm is getting you the results you expect.
So be able to run through those algorithms quicker with a tool like JAX, I think would
be super beneficial. Yeah, absolutely. That's, that's super neat. And I think the biggest
takeaway here is JAX actually. Yeah. That was, yeah, that was the end goal, was like, yeah, can we talk
about JAX, because that's a really cool library. Well, and a cool logo, by the way. Yeah, yeah, yeah. I
love the logo, it's super cool actually. I like it. Yeah, but definitely. And I think they, they have
support for tensor processing units as well. So not only GPUs, but if you're doing like TensorFlow
stuff, TensorFlow GPUs, or tensor processing units, so you can take advantage of those as well.
Yeah, okay. Super neat. Super neat. I want to talk about something that's not as neat,
maybe it'll get you excited, but in the wrong way. This one was sent over by my friend Mark Little,
fellow Portlander, and a follow up related one sent over by Tony. So link into a couple of
articles here. And recall, we talked about Google
coming on as the visionary sponsor. One of their primary goals that they wanted was to improve
the package security. You think about, you know, you think about some of the things that have
happened recently that are super scary. One, the Outlook catastrophe that, you know, 60,000
companies have been like taken over. And then the SolarWinds one
as well. And I think they're somewhat related, even though they're not the same origin or the
same type of hack. The SolarWinds one is one of these supply chain vulnerabilities and these
breaches, right? It's one thing to say, I'm going to protect against somebody breaking into my
website. I'm going to run the proper firewalls, low privileges, everything's patched, et cetera,
et cetera. That might still not be enough, but that's like a good start.
But do you think about, well, next time you install the new version of package, whatever,
what if it was influenced with some kind of negative package that had some vulnerability
that then got into your servers and then went on?
The supply chain story around all of these package management places is scary, I think.
That's not what happened to SolarWinds.
They just had the password SolarWinds123.
That's a different type of problem.
Those aren't interns.
Exactly, exactly.
But the problem that it might be untrustworthy to install all of our beautiful open source things.
I don't know.
It's very scary.
Like, what do you guys think about this?
It seemed like this went even a level deeper.
There wasn't even scary to install the open source things.
It was dangerous to install your own private package names
if someone knew about them
and had put them into a public repository
with a newer version.
Yeah.
So let me read the titles here for people who are listening.
The Python Package Index Nukes 3,653 Malicious Libraries
Uploaded Soon After a Security Shortcoming is highlighted.
And the other one is Poison Packages, Supply Chain Risks,
Users Hit Python Community with 4,000 Fake Modules.
And these are basically the same.
I don't know if like one's rounding up or whatever,
or one's counting multiple incidents.
But the idea is there's this form of typosquatting
that's pretty sketchy.
So we've covered this before where if you have,
maybe I want to use the audio library, asteroid singular,
but then somebody puts asteroids plural, that is a virus.
And it could just as well have exactly the same code
plus the virus.
So it looks like it works.
You wouldn't even know that it's not working, right?
Yeah. And that's quite the problem. But here the highlight is, what's it called? Like one thing was calling it evil twin. Another, um, this is a research by Alex Birsan. And basically
there's a lot of people who are using private package repositories, right? Like devpi and
things like that. Artifactory, where you have
a local one. But if you ask for something public, you can just ask your local one and the local one
will go out and ask the public one. So as you were handing that Calvin, the problem is what if I just
have like data layer or e-commerce or like some random thing that might be an internal package
name? Maybe if it's what I think the real problem was,
they were saying, if you don't secure your server, right, you just post a higher version
on the public one than on on the local one. And it'll go, Oh, well, there's a newer one over
there. I better get that. And we'll just go grab the virus. I'm also surprised that folks aren't
pinning the versions of their internal packages as well. Because I would this would satisfy
solving that problem
is if you had, like we use pip-tools,
pip-compile to make sure we got hashes
and versions for every dependent package.
But yeah, if you didn't do that,
you were absolutely susceptible to this.
Yeah, so just people check this out.
It looks a little scary.
You guys, you too, tell me if you think I'm crazy.
I'm getting to the point where I'm really freaked out
about these kinds of things.
And especially, people send us stuff.
They're like, oh, check this out.
Here you go.
I'm not pip installing those things locally and trying them.
No way, right?
I'm going to install them in some isolated environment.
One thing I've been thinking about doing
is setting up my own devpi server,
which is exactly the problem sort of
that we're talking about. So that doesn't necessarily solve it, but what you can get with your
devpi servers, you can get devpi-constrained, which will let you not blacklist stuff or exclude
stuff, but you have to whitelist things. So you're like, all right, I'm going to try to install, set up
this project, and when it tells me I need these things and they're failing, I'll make sure they're
good, make sure they're used a lot, I'll put them in the whitelist, and then I'll be happy to just pip install versions,
no versions, whatever.
Right.
But but sort of being
more protective about this.
I don't know.
Maybe I'm just paranoid,
but this stuff is
it's creeping me out.
I'm still just having it.
Let me I'm still sinking in.
I don't not sure
how I react to it.
Yeah.
My reaction is I think
there's still more infrastructure
security wise
that has to happen
in the community.
And there's there's efforts to do signed packages or support in the latest version of pip for signed
packages. And there's also some good hygiene behaviors. But it's true, if you want to just
try out a package and you just did pip install from your command line, you're typically not
going to specify a specific version and you're going to get whatever just comes off of PyPI with
it. Yeah, we've gone around and around about it internally as well, talking about this because we want to make sure we're not susceptible to this kind of an attack.
And I think good practices like the pip-tools, you know, using that and having pinned versions has
pretty much given us a comfort level with, we're pretty safe. I mean, no one's 100% safe, that doesn't
exist, but we're feeling pretty good because of the practices. Yeah, yeah, I know, that sounds good. I mean,
there's only so much you can do, but layers
are good, right? Layers are good. Anyway,
if you are running, I want to highlight this.
The ultimate problem highlighted here
is that if you have a private PyPI server
that there were ways to
typosquat on your internal
names, not on the public name. And there's
no way for the public stuff to go, well, you can't
have that because it looks too close to this, right?
It might not exist publicly.
So just be really careful about the versions.
Be really careful about like whitelisting things if you're doing your own private PyPI.
And it's important to also note, this is not a Python specific problem.
So I think some folks may have blown it out of proportion, but like other packaging distribution
tooling all have some similar problems.
Yeah.
And I just saw a message.
He was on Twitter or somewhere.
Yeah. This, I mean, obviously NPM has this problem.
RubyGems, all these places, NuGet,
whatnot. Somebody who was involved
in, like, diagnosing and solving
these problems was like, please don't go post
another 4,000 packages to prove
your point. Just, we are already aware.
Just send us a message. You're causing
a lot of work that is, like,
distracting us from addressing this problem.
So we don't need more examples.
We need just maybe a notification.
Yeah, I guess one of the other things is that it is typosquatting.
So in our organization, we try to minimize individuals having to install anything, really.
All of our projects have requirements files with pinned versions.
So they're not going to type,
uh,
the name of anything.
It's going to have to be in a requirements file first.
Yeah.
All right.
Well,
check out the articles.
There's more details in,
in both of them.
Brian,
what you got for us?
Oh,
my turn again.
Okay.
Um,
I want to,
I wanted to talk about,
uh,
something new,
uh,
text-based adventure games.
Have you heard of these?
I love.
I used to play MUDs when I was quite younger.
Those were so fun.
They were so magical, even though they were just text.
So I actually never got into this, but I had entered adventure games.
What was it called? The Dungeons of Daggorath, uh, was a game that I had on
the, uh, TRS-80 and it was, it wasn't, um, text-based, but the graphics were just lines. So it was
go through a cave and, uh, and stuff like that. But anyway, um, a little bit before that, so we're
talking, uh, in early 70s, so 75 to 77, was a game called Adventure, um, and then, or Colossal Cave Adventure. So you can
play Colossal Cave Adventure because Brandon Rhodes has python-adventure, and this is just
awesome. I played this the other day. It's so... well, I don't know if "so fun" maybe, like, overselling it,
um, but it's kind of neat. Um, it's a faithful port of the Adventure game to Python 3
from the original 1977 Fortran code. Wow. And sounds awesome. So if I get distracted, it's because I've
actually pip installed this and I'm playing it right now. It's, uh, lets you explore Colossal Cave,
where others have found fortunes and treasure and gold, though it is rumored that some who enter never seen from again. Like maybe Calvin. Um, but one of the things that I loved is I played in both
modes. So you can, um, there's two modes you can play. You can, uh, in a Python console, you can just
kind of run it, um, but you can also, um... I'm gonna show for the people watching kind of what it
looks like. Um, you import adventure and then you say adventure.play
and, uh, it has, gives you instructions, and you have to type things like east, uh, west, get lamp, things
like that. Oh, it's even like function call style? Well, it's function call style if you do the import
on the, the REPL. I see. Um, if you, if you go through the, uh, there's traditional mode. Okay, got it. The traditional mode is you do python -m adventure,
and then it's traditional mode.
You say get lamp with a space between the get and the lamp.
And that's how I played it.
But the fun part about this, the traditional mode,
it's a 1200 baud.
So you have to wait for this to type its message to you.
You may have to explain that to some of our listeners.
I don't know if I can. It's slow, so it sort of ticker tapes out the message to you and you're waiting for it. Wow, that's impressive. I used to be able to identify by sound the speed of the
connection I would get. I could tell you, is that 9600, is it like 32 whatever, or is it 56, and whether, and whether the error correcting
kicked in or not. Exactly, you hear it. But I don't think I even remember what that sounded like. That
was some slow business. One of the things, um, so okay, so a little bit tie into the, my own personal
nerdiness, um, I was curious how this related to Zork. So Zork, I never played either.
It was a little bit after Adventure.
But there was a TV show called Chuck that I really liked.
And one of the premises is Chuck and his buddy used to play this game.
And he met this other guy by both of them being Zork nerds.
And they did their own port of Zork.
And I'm like, is that a made up thing or real?
And apparently it is real.
Zork was a follow on to Adventure from 77 to 79.
So anyway, so I'm going to ask Brandon.
So Brandon, can we get a port of Zork also for Python?
That would be great.
And we'll get our little IoT devices that we can play these adventure games on, like a little Nintendo Switch, but super old school, like low baud rate.
That would be great.
I want this totally for my Oculus Quest so I can do a text adventure in full VR.
Well, the baud slow down thing is entertaining for about 10 seconds.
And then I'm like, can I get faster now?
Yeah, you had the true retro though.
That was cool. Very nice. Cool. Awesome. All right. Uh, so for those of you who are Djangonauts in the
audience, there is a new long-term support release coming up for Django 3.2. That's a big deal because
long-term support ones are the ones you want. Oh my gosh, and Django's community is really good about
that long-term support i mean and they have a very good security policy and release revision policy.
It's very clear, very, very well documented. So the next one coming up, which is going to be
released here in April is going to be 3.2. This post specifically that I linked to is actually
an overview of some highlights of interesting features that you may not have noticed. You can
go read the main Django 3.2 release page and see kind of the overall new features are going to be coming in. But this post specifically covered some
things that I thought were also interesting. A lot of them are performance and kind of
protections against hurting yourself when you're programming. So things like covering indexes for
Postgres, so you can actually avoid full table scans and do index scans and Postgres.
Indexes are magic. Yeah. And then, and
so this is enabling even more the nice magic of those indexes inside of Django. Yeah, I think it's
really cool that it's the LTS release. Uh, 3.2 is coming out. I think there's also some async and
await stuff in here coming along, which is pretty exciting. Uh, I know that one of the areas that's
still pending to get really the async and await stuff properly, like full stack is the ORM stuff.
ORM.
Yeah.
Because 3.2 was supposed to be.
If you wait on the database, that's the thing you need async for more than anything else.
Yeah.
And that's kind of one of the notable missing items for me in 3.2.
I mean, the team is doing an amazing job of implementing all the async features for Django.
I mean, 3.0, 3.1, you started off with the routing,
then you got the views.
3.2 was supposed to be, I think, the ORM included,
but maybe just due to the fact
that we are talking about a long-term support release
that that was maybe too risky of a feature
to get included here.
But look for that coming soon,
like in 3.3 or 3.4 for the ORM,
which will be a big, big deal.
The other things that are included in this 3.2 release,
again, kind of focusing on security and safety and performance time zones. You know, it's probably
one of the two hardest things in programming is the time zones and character encoding and off by
one errors. So there are going to be some trunk date stuff in here that actually, you know, helps
you assign a default time zone in case you didn't put one. There's gonna be some cool stuff for
people who like unstructured data, the JSON object DB functions.
So you'll actually be able to assign some DB functions
that can produce JSON mapping type objects
or key value pairs
where you pass in database functions to operate on it.
There's going to be some cool stuff around signals.
There's a send_robust, which didn't log exceptions,
but now will, so you don't have to.
Are there themes for the admin section?
Is that coming in this one?
I know that's something they're working on.
I don't know on the themes,
but I know for the admin section,
and this is a common thing I've done in the admin
is sometimes you want to put computed fields
into the admin pages for like your objects.
There's going to be a new, what is it?
There's a new value, not a value expression
of the display decorator so you can
actually make creating admin fields a lot cleaner. The, the kind of syntax for it previously was just
a little convoluted if you were not used to it. And so as a new person, you may not figure out how to
do it very easily. So there's a new decorator that actually makes that super, super easy to do.
Uh, there's some other performance things around the database with query sets with aliases, so you
can actually create like reusable aliases for things that you're selecting against.
So you can use them as like filters
or like kind of combined statements.
So it doesn't do two sub queries
instead of it'll do just one.
A lot of cool performance.
And again, these were kind of the less notable,
but really kind of important features
that are coming into Django 3.2.
Yeah, very cool.
Yeah, and like I say, you can see all the other stuff.
There's a zillion things coming up in 3.2.
These are just some of the small ones,
but there's some of the important ones.
That's cool.
Yeah.
When,
when is this coming out?
April.
So we should see it next month.
Very soon.
Yeah.
Awesome.
That's great.
If you're into Django,
that sounds really like a big deal.
It is.
It is.
It is.
All right.
Brian,
anything else that you'd like to throw out?
Those are all of our items.
Anything extra?
No, I don't have anything extra this week.
How about you?
Oh, I've got a couple of things I would like to touch on.
I heard some amazing stuff.
I heard that Python open source stuff is on Mars.
Yeah.
But what I want to say is,
Python is on Mars, question mark.
Because what I found is,
if you go look at,
there's this thing called F Prime
that NASA open sourced.
Awesome.
And if you go over here and you look at it,
this is the flight control thing that is for embedded flying,
including that little helicopter.
Awesome.
It has 16% Python and 44% C++.
But if you look at the Python bits,
so much of it seems to be around the,
like the training pipeline.
So my theory is, I, I didn't see any stuff in like the real, like, running regular bits. I'm thinking
maybe it's trained with Python locally and then the models are put on the helicopter and flown
with C++. If, if somebody knows for sure that Python is on Mars, you know, with details, let me
know. That would be awesome. But I still think it's cool that Python's involved here.
Yeah.
All right.
So that's one quick one.
Number two, just released a new course.
And this one is a little different.
So it's full web apps with FastAPI.
And FastAPI is awesome for building APIs,
but there's like three or four features of FastAPI
when put together in the right combination,
make it sort of an equivalent framework
to what you would get with Flask. So if you're thinking, I would love to use this beautiful API with really nice decorators,
with really nice async support, with Pydantic and all those awesome things that it has, but I want
to build a web app with it. Well, launch a course on that, that people can check that out. That's
really awesome. Like basically I've built some APIs with FastAPI and I need like four or five
more pages to round out the app.
Do I have to have a Django plus FastAPI multi-deploy thing?
Like, no, actually.
And this is all about how you do that.
So people can check that out.
That's fun.
Super excited about that.
That's cool.
Yeah.
Yeah, thanks.
Over on TalkPython, I'm giving away five tickets to PyCon, one a week for five weeks.
So if people want to win a free ticket to PyCon this year, it's virtual. So you can attend
from anywhere. There's not the challenge of, well, I got the ticket, but I need the thousand dollars
for the hotel, right? Like that's not a problem this year. So I think it's really cool. Decided
to run a thing on a contest on that. The link is in the show notes. We got a couple of questions
saying, Hey, we, we heard about this live stream because we're listening to the podcast. How do
we get to this live stream? This is awesome. I think it's fun, Brian. I'm enjoying doing the
live stream. What do you think? Yeah, it makes it a lot more
fun. Yeah, we get our listeners who come in and give us comments and all that stuff is great.
So if you just go to pythonbytes.fm slash YouTube, right at the top, there'll be upcoming live
streams. And you can say, click the button to remind me of it and so on. So that's how you do
that. Last thing I was on, I got a chance to talk to the medical community and the medical
research community around Python over on this podcast called Finding Genius Podcast, and it was
just a lot of fun to speak about the advantages of Python for like medical researchers and folks
like that. So I'll link to that podcast as well. All right. Yeah, Calvin, anything else you want to
throw out? I know you, um... I do. I wore, I wore your, I wore my shirt.
Uh, you're fully outfitted. So I've actually got two things. One, before I get to Python Web Conference, the DjangoCon Europe 2021 call for papers is open until April 1st. Uh, so if you're
interested in talking at DjangoCon Europe, it'll be a pretty worldwide conference. Uh, it was last
year. It was a lot of fun. Uh, we actually did it on the same platform as we did the Python web
conference, which is the other thing I wanted to mention in the extras.
So Python web conf 2021 is coming up in about, well, it'll be a week or so after you probably
hear this March 22nd through the 26th.
We've got an awesome lineup this year.
Again, even better than last year.
Michael's obviously back and be speaking at the conference.
We've got about 60 speakers, almost 20% women.
There's 43 new
speakers this year. It's like five. Yeah, it's like four or five days or something. It's a big
conference. Yeah, it's five days, but we're doing half days. So you don't have to consume your whole
day with being in a virtual conference, because we understand that that is just hard. And I think
we're all adjusting to what virtual conferences really kind of should be. So this is a new
experiment, which got four tracks. There's app dev, PyData.
It's an official PyData track.
There's a cloud track and a culture track.
So if there's nothing you're interested in,
I would be hard pressed to believe that.
There are tickets for $1.99 for professional, $1.99 for student.
And we do have our grant program back again this year.
So we are offering up grants for those who,
we want anybody who wants to truly attend
to be able to, no matter what the financial piece may be. So check out the grant program
for everyone who buys tickets. We offer up grants for those who can't afford tickets.
And I'm really excited about that. You can check that out at pythonwebconf.com.
Yeah, it's gonna be a ton of fun. It was a lot of fun last year. We got a bunch of social events
planned and some really awesome sponsors. And I'm just super excited about being able to produce something like this for the
Python community. I feel like the web is an area that doesn't always get the attention it should
in some other conferences. And we're hopefully fulfilling that. Yeah, super cool. It was a good
conference last year. So I'm looking forward to this year. Yeah, Brian and I were just on a
virtual conference at PyCascades, which was a lot of cool, cool fun.
We were on that panel about podcasting.
Yeah, that was great.
You all might know a thing or two about that.
We've done it once or twice.
I'm not sure I would laugh at it, but maybe a joke.
We could laugh at a joke.
What do you guys think?
Yeah.
Yeah.
All right.
So I know we got like two rounds of jokes, but let's do let's do another round of these these comments.
I'm already laughing.
I know they're so good.
So I'll do the first one, Brian, you do the next one.
Calvin, you do the next one.
We'll just kind of, we got five or six, something like that.
So it's important to comment your code.
There's this code, I believe it's Java,
and it is part of a class.
It says private logger, capital L class logger,
variable name logger equals logger class factory method dot get logger.
So private logger logger equals logger dot get logger. What does the comment say?
Logger, quote. Yeah, just, just logger. This is the logger. Fantastic. You passed your code review. Yes,
I guess you have comments. Uh, yeah. All right, Brian, what's the next one? Uh, next one looks like C++
comments, but, um, comment this block that says,
this is black magic from some Stack Overflow link.
Don't play with magic.
It can bite.
All right, Calvin, what do we got next?
Well, this one obviously is a Python comment in the code.
It says, for the sins I am about to commit, may Guido van Rossum forgive me.
Yes.
I love it.
Which I would be hard-pressed to know what they're getting ready to commit. If they read this in a Python, they really should know the guidance already.
Yeah, yeah, yeah. Maybe they put a semicolon in there, I don't know. All right, the next one is, uh,
remove this if you want to be fired. Remove the comment or the code below it? We don't know. Yeah,
we don't know this. We don't know this. We don't know.
Next is a, uh, try/except block or a catching exception, uh, with just a comment, and it says,
Houston, we have a problem. There's no code there, though, so you're just... Yes, we do have a problem.
You're just catching a raw exception. Don't do that. Exactly, exactly. All right, what's the last
one? All right, the last one here is a definition of int get random number.
And the body of the function is return four.
And the comment says chosen by fair dice roll guaranteed to be random.
If he wants.
Is this a real code someplace?
I mean, come on.
Yeah.
Oh, there's all sorts of good ones here.
Yeah, they're beautiful.
One of them that's not on the list is the comment is just, I need to find a better job.
All right.
One more.
Who put this one in here?
I threw that in there.
Tell us about this one.
I'm kind of a car nut.
So if you kind of exactly like hover over just the first half of the picture, you see
a guy in a Ferrari like waving and says, maybe rolling in the Ferrari, says using Linux, and then dot dot dot, in Windows
with WSL. And if you scroll down, you see that the Ferrari is actually on a tow truck, uh, flatbed
being driven someplace, and the guy's in it. Yeah, like he's driving. That's right, he's cool. Very
cool, very cool. That's funny. A lot of z-dacks
that you guys like the jokes out there, and, uh, Dean as well. Yeah, and just, I mean, I commented in the
in the chat that you can increase your odds at winning the, the PyCon tickets by laughing at
the jokes. Yeah, absolutely. We'll put you in there twice if you laugh. Uh, last for sure. That's how it
works. Like the dad jokes of programming here. Oh yeah, of course. Yeah,
we're all, that's like half our show. That's how we all qualify. For sure, for sure. All right, well,
Brian, thanks for being here as always. And Calvin, thanks for joining us. Oh, my pleasure. I really
enjoyed it. Yeah, good luck on your conference, and catch you next time.