Python Bytes - #293 And if I pull this open source Jenga block...
Episode Date: July 20, 2022
Topics covered in this episode: PSF security key giveaway for critical package maintainers, PyLeft-Pad, FastAPI Filter, AutoRegEx, Anaconda Acquires PythonAnywhere, Extras, Joke
See the full show notes for this episode on the website at pythonbytes.fm/293
Transcript
Hello and welcome to Python Bytes, where we deliver Python news and headlines directly to your earbuds.
This is episode 293, recorded July 11th, 2022.
And I am Brian Okken.
Hey, I'm Michael Kennedy.
And I'm Ashley Anderson.
Well, welcome, Ashley.
Before we jump in, tell us a little bit about who you are.
Yeah, I'm a software developer.
I work for a relatively small but sometimes growing startup out here.
We make a portable MRI machine.
So I'm one of these software developers
that came from an academic background.
I studied biomedical engineering and medical physics.
And then this is kind of my first full-time software gig.
But I think in research,
like everyone's doing software these days.
So a lot of people are kind of making that jump
and this was a perfect opportunity for it.
A portable MRI, that's got to be fascinating. Yeah, cool, very cool. How do you find the transition from this more researchy side over to this maybe more formal dev role?
Yeah, it's just such a better fit for me, I think. In my research labs and stuff, I was often way more interested in helping build tools to help accelerate other people's work rather than, you know, diving into the research myself. I often found that to be very frustrating, and maybe I wasn't the best at it or something like that. So this has just been a much better fit for me.
Yeah. Cool. Well, let's jump into your first topic. What do you got for us?
Sure. Yeah. The first thing I wanted to talk about was, I think this is kind of the big news since Friday. The PSF and PyPI announced that they're giving away 4,000 of these two-factor hardware keys. That's maybe kind of gotten washed out in this, but it's kind of a cool effort. I saw this from Dustin Ingram's Twitter, and I know he's been involved in a lot of the, or been interested in kind of outlining a lot of the security concerns about supply chain vulnerabilities and stuff in the past. I thought this was a really interesting idea for helping with supply chain vulnerabilities, or at least kind of taking a step in that direction. And I think it's just the PyPI,
you know, sort of first step in this direction. They announced some other stuff in the past about maybe having private packages
or organizations on there
and namespace packages and stuff.
But this was a pretty cool thing to do.
It looks like they're going to roll out
two-factor as a requirement,
probably eventually for everybody.
The way they're starting it now
is kind of for some of the most popular packages.
And for people who have those popular packages, I'm not one of them.
They're offering codes to get some of these hardware keys to help that.
Interesting. Yeah, there's been a bit of a backlash to this, actually, on two levels: some people just expressing a little bit of frustration, and others more so; see item two coming up. One thing I think is interesting about this,
this whole side of things is,
like the original thing that you brought up, Ashley,
is people, I think, are focusing on their hardware keys.
And while that's a cool idea,
I think the bigger story is just 2FA, forget hardware keys.
Like, hardware keys are one way to do 2FA, right?
But if you look at the actual giveaway,
I think it's limited to certain locations, right?
Like I can't remember what all the locations were.
I feel like it's kind of North America,
Europe and Australia or something in that general realm.
And you could entirely have a popular,
what is now known as a critical Python package and not live in those locations, right?
Yeah, for sure.
I suspect a lot of them, a lot of the maintainers of those packages are not
in some of those locations.
I think those are probably dictated by like export rules on certain cryptography, but
I had thought about that.
I thought it was just a shipping thing, but you're probably right about that actually.
Yeah.
Oh yeah.
So there's a little bit of a pushback and like, hey, I'm doing this for free.
Why are you making me do this extra work setting up these keys?
And that's kind of why I said I feel like the headline has missed the point here, because to say, oh, I've got to get this hardware key and set it up, is not technically true. You just have to use 2FA of some form, right? It could be with, like, the standard 2FA you have with your phone, or maybe even SMS would work, although SMS is a sketchy, but better-than-nothing, form of 2FA. Like, if I'm going to go and get a bank account, if I'm going to, some people, sorry.
Some people say that SMS really is, like, a pretty insecure version of 2FA. So I think having some type of key.
And they say like, yeah, it would be better.
But at the same time, if you don't have any 2FA,
there's still another step.
They've got to hack your SMS somehow
to get through the SMS stuff,
which is better than just like,
they just guess your password
or they get it from a password breach.
So it's even for all the criticisms of SMS as a 2FA,
it's still not a negative.
It's just not nearly as good as the other option.
I'm just chuckling, because I just got an email last week, was it on the 8th of July, saying, hey, you're a maintainer of a critical project, and they want me to set up 2FA, and I just haven't read it yet. So this is news to me.
And it's a pytest plugin I've got that supposedly is a critical project.
Go figure.
Oh, that's awesome.
The definition, people are wondering. I saw Will McGugan asking on Twitter, like, does anybody know what this means? I got this too. The definition, from what I understand, is you are in the top one percent of downloads for a moving six-month window. So in the last six months, your project is in the top one percent of most used, most downloaded.
Wow. So congratulations, that's awesome.
Cool. I guess I'll read the email more closely now.
Yeah, perhaps set it up. Ashley, do you know what happens if you just are like Brian?
Like, I don't spam.
Doesn't matter to me.
Just ignore it.
That's a good question.
I guess eventually they'll probably not let you upload if you don't enable it.
Next time you go to log in or upload a package, it'll just say, hey, you have to turn on 2FA.
Because like you said, you don't have to have the key.
You just have to have 2FA on.
So I clicked on the manage and it says, I've got a big banner up that I'll just pop to right now. Oh, where is it on here? We'll go ahead and show this. I get: this project is included in the two-factor mandate for critical projects. In the future you will be unable to perform this action without enabling two-factor auth. So I think you're right. I think it's just going to kick me out of being able to do anything with the project if I don't enable this.
Yeah, interesting. Interesting. This is cool, Brian. I think Teddy's right out there, like, congrats, Brian's on fire. pytest-check, by the way, people listening, is the plugin. But it's cool to see it live, to see what's happening. So this apparently is what maintainers get. And I'm with you, Ashley. I think what's going to happen is just you won't be able to upload with Twine anymore, you won't be able to log in, you won't be able to make changes. It'll just force you down a 2FA path.
Yeah, I read that you still can upload, because, like, people want to do,
i know there were some people initially concerned
about how do I do automatic uploads from my
CI system or whatever. And you can do it if
you get a token, but you have to
generate one of those tokens with your 2FA
enabled account to do that.
That happens with all the 2FA accounts.
You can no longer use your GitHub
password for
on the CLI. Once you set
up GitHub 2FA, then all of a sudden you've got to go
create an app, give it a name, and get, like, an API token for it, and stuff like that, right? I think that's okay. Yeah. So, Brian, let's ask you: how do you feel about that? Does this seem like a big burden to you? Are you okay with this? Or, you know...
I'm okay with it, because I think it's securing the supply chain. I mean, I've already enabled two-factor authentication on GitHub, and I've got a bunch of banking stuff that I have on multi-factor authentication and stuff. So I'm waiting for 12-factor authentication, but that might be a bit extreme.
All right, now you put your small pinky toe onto the key reader over there, and then you hold down this key with your other finger, and then you put your face up. Yeah, an optic scan, a blood scan. You've got to deposit a urine scan and all sorts of stuff.
I know. I've drawn the line there. I'm not doing it. No, but I'm fine with it. I don't know the details yet, though. If I've got to get a hardware key, though, I'm going to be a little upset, I think. I don't know.
Well, they might give one away for free, but...
Yeah, even getting one for free, I feel like I'd be like, if I'm not a hardware key guy, I don't know.
Yeah, well, what if you lose it? Yes. First of all, let me preface the statement with,
please don't email me.
If we disagree on this, it's fine. Just don't email me.
Yeah.
We can just agree to disagree,
but I am personally not a fan of 2FA hardware keys, because what if you lose it?
Exactly.
It's really bad.
What if I'm traveling and, like, the website is down and I've got to log into the ISP, the cloud system, to make a change? What if I forgot to bring the key? Or what if I do bring it, then I lose it? Like, just the act of having a physical key that has to always be with you.
Like, do you take it with you when you go swimming?
I mean, I mean, that's a little extreme, but like if you're going to go to the beach and
you might need it, what are you going to do? And then if I only have my phone,
I can't plug the key into the phone. I don't know. It just, it seems like I certainly know
why you would have it at like, if I worked at a bank and I needed to get on the VPN and I needed
to have that permanently stuck in my computer, fine. But as a broad-based solution, I feel like
things like Authy, Google Authenticator,
the Microsoft, whatever it's called,
all those things,
I think they still provide a pretty strong level of security
while being able to travel with you
and being able to synchronize across devices
that you might not always have them with you.
So yeah, when people say,
oh, it's such a hassle to get these keys,
like you could just set up Authy.
You know what I mean?
Yeah, I use Authy too.
I'm also a little freaked out by the hardware case. I did find it interesting in the giveaway, actually. I think they give you a coupon to get two so that, like, you could get two in case you lose one. But that to me just is exactly why I don't want one.
Exactly. Well, okay. So I've got one plugged into my computer and I put one into the closet. If the house burns down, what am I going to do?
I mean, I'll probably, I'll grab my phone and run maybe if I can get to it, but I'm
not going to go rooting around for a hardware key.
I'm just going to get out.
You know what I mean?
There's, there's just all these like sort of weird edge cases that to me, I'm just like,
I don't really want to hand on one of these hardware keys.
Yeah.
Brian's going to have to go to the bank and his safe deposit box just to upload a new pytest-check.
Yeah, exactly.
All right, I turned both keys to the right
on three, two, one, chink.
Okay, V1.2 is out.
Yeah, okay.
But I would just point out the article here from Armin Ronacher, which was super interesting, I think.
And this kind of gets into,
it'll probably lead us into the next topic here
of why there was a little bit of controversy around this.
And I think it wasn't so much
that people are resistant to two-factor.
It's more this designation of packages as critical.
And I don't know if that's just because
critical is a bit of a loaded term
or it ended up feeling a little bit
like a popularity contest.
But yeah, I think it's pretty clear to me
that PyPI wants to, which is an open source project itself, right? Wants to eventually probably
roll this out to everybody and maybe doesn't have the capacity for that right now or something.
Yeah, I totally agree. And Armin's piece is quite interesting, and he comes down a little bit,
you know, on the middle. Like I see the value, but also I see why people are a little bit
frustrated with this. He does talk about this
thing that the Rust community has, you know, hat tip towards topic four as well, called cargo-vet,
which is the idea of vetted packages and unvetted packages. So if you, when you pip install
something, you could say something like, do I only want to allow the higher vetted packages?
PyPI doesn't have this at the moment, but other package indexes do.
To me, again, coming back to the hardware thing, I feel like people saw this and they
thought, I've got to go to this hardware key.
This seems like, I can't believe you're forcing this on me.
If you're a software developer in 2022 and you don't have any form of 2FA setup, I feel
like those are the people who got really frustrated. But at the same time,
what are you doing on the internet in 2022
without at least a few things on 2FA?
My Authy account has something like
46 different 2FAs in there.
My 1Password has like a thousand accounts.
I don't know.
It doesn't seem like a huge burden
to hold up your phone,
scan a QR code and carry on.
But if you're not in the 2FA space, and especially if you perceive that to mean I got to get into the hardware 2FA space, I can see why people would see this as frustrating.
And with that, maybe it's time to just move to the next topic, number two, which is PyPI moved to require 2FA for critical projects, which is this here.
But what's really interesting is they're sort of talking about the challenges. And one of the things that happened is there's this project called atomicwrites, which was designated as critical. atomicwrites, what it actually does, it's pretty straightforward, is it lets you use a context manager to write to files atomically. So you can write to the file,
write the file. If there's some kind of crash or mistake or bug or something, it won't actually
change the file. So normally you would just do like while true, start writing. And if something
crashes, like you'll have a half written file. So this is kind of cool. It says, what are you
going to do is use a context manager, open a file.
We're going to write to a temp file.
And then when you exit the context manager successfully,
we're going to apply all those changes
by doing an overwrite move type of operation
at the OS level.
I don't know how truly atomic it is,
but it sure is better than writing line by line, right?
And certainly it has the data safety aspect,
which is pretty cool.
Anyway, apparently people use this as in 127,839 packages.
Maybe that number was higher not long ago.
Packages, projects on GitHub use this.
I guess not packages, but projects, many of which were packages themselves. So this guy, Markus Unterwaditzer, said, you know what?
This is really frustrating to me.
I don't want to set up 2FA.
So I'm just going to unpublish this, take it down.
And so I don't know exactly what the chain of events was.
I think something happened to the GitHub repository getting deleted, which then triggered, maybe also somehow triggered a delete
of all of the historical PyPI packages.
Whatever the steps were,
it erased all the historical PyPI packages.
So imagine your project has a dependency on atomicwrites
and your requirements.txt or pyproject.toml
or whatever says equal, equal,
what version are we on?
We've got some releases here.
There's no releases anymore, so I can't tell you.
But if you had like some concrete number there, it would say, pip would say, can't find that.
Sorry.
And so all sorts of started breaking.
Continuous deployment, continuous integration, a bunch of pytest packages, tests and automation and stuff. Brian, maybe you saw some people going, what's going on with this thing?
I didn't really notice it, but...
Well, you'd only notice if you depended upon this and had set up automation, right? Like, basically check out your code, install the dependencies, run pytest. But people are like, these tests used to pass, why are they no longer passing? And it's because pip couldn't install this project that Markus got a little frustrated with and deleted out of PyPI. So that's interesting, right? Like, should he have done that? I don't know. Here's his sort of comment saying, here's what you got. And it says, PyPI just told me to enable 2FA to keep uploading this package because I thought it was annoying and entitled to guarantee the software compliance for a handful of companies. Basically, his take was you're making me secure
the supply chain so that large banks and other companies that care about it will feel better.
And you're making me do extra work again, that I think the confusion about hardware,
moving to hardware 2FA versus just scanning a QR code with your phone.
Anyway, you're making me do extra work.
And so I deleted the packages.
Apparently, I deleted all the old versions.
Sorry.
Those have been restored by directly working with, I believe, Dustin Ingram from PyPI.
So if you go down here somewhere, it says, no, sorry, Donald Stufft is the one who.
But yeah, it shows you, I guess, unintended consequences. Hey, we're going to make atomicwrites a little safer. Maintainer of atomicwrites doesn't like that. Deletes it, makes everything break. Ashley, what's your take on
this? You've been tracking it. Yeah. I mean, I find it really interesting. Like it gets to the
whole, you know, what is the sustainability of this giant open source ecosystem that we have?
I know, I think in the, in the show notes, you refer to this as Python's left pad incident or something
like that, which is sort of a throwback to a very similar thing that happened in NPM
recently.
There was another one recently, like the start of the Ukraine war, basically, where someone, I think, pulled their package and put in something that was, like, protestware or something like that.
It tried to delete all the data off the hard drives
if it detected you were in certain countries or something,
which is a pretty rough hammer to use.
Yeah, pretty extreme measure.
What if you were working to collect data
about trying to help Ukraine, but you happen to be in
this other country? I mean, it's just, yeah, it's just overstepping, I think a little bit
unintended consequences. Yeah. But this is like, I mean, we're working in industry and having to
pin our packages and stuff. This is something that, you know, we kind of already protect for
by mirroring. You know, I think most people with, I'm going to use critical, not in the way that's being used here, but, like, when you have a project and you're using all these dependencies, it's kind of also on you to know that, well, the supply chain, I mean, PyPI doesn't have a permanent retention policy. Maybe it should, but that is going to lead to, you know, potentially even bigger hosting costs and everything for what's already a really expensive project. We run into the same thing with, like, packages from Ubuntu and stuff like that as well. Not that they get pulled in this way, but they'll bump versions on us that, you know, and especially in a regulated industry, we can't just update dependencies whenever they come out.
So, yeah, it wouldn't surprise me to see PyPI become immutable once it goes up there. Like, you can't change it.
Yeah, more so, right? Yeah.
Yeah, I would expect it to be more of a request thing. You put in a request and say, hey, this is mine, I want to take it down, and some review happens or something, because people depend on it. And I kind of get both sides of it. I get that it's my thing, I should have complete control over it, but I also don't have complete control over GitHub. I don't have complete control over PyPI or the PSF, and I use those services. They can, like, the PSF, for instance, they purge all of your accounts like once a year or something like that, and you have to re-log in or recreate your account. And, you know, projects and services change their policies every once in a while. And this is a change in policy that, for some projects, we're going to require 2FA. They can do that. And if I want to continue to use it, I have to now. If I don't want to continue to use it, that's a, I guess that's where we're getting the question in: what ramifications are there? Can somebody take their stuff off of PyPI or not? Don't know.
Yep.
I think the, if you read a lot of the conversations here, maybe we'll just close up this whole
section on that.
It comes down to two different beliefs. One: it's my code. I wrote it. I can do whatever I want. I own it. If I don't like it, I can just delete it. If I want to stop, I can stop. The other one says, once you put it out there on GitHub and you've put it out to the world as, here's a library that you can use and depend upon, and you publish it to the index with a clear intention of sharing it, you have a minuscule responsibility, not to keep working on it, but to not destroy it for other people who are building on what you previously did.
Yeah, I think there's a difference there, too, between like writing and publishing the code and publishing a package or distributing a package that's intended to be, you know, conveniently downloaded in CI and stuff like that, where you're kind of making a little bit more of a promise there.
But also, I mean, going back to Markus's post here, it sounds like his intention wasn't to break, you know, people's existing workflows and stuff like that. It was
really, he just didn't want to be the maintainer of a critical package. And exactly. He's like,
I deleted it. That fixed it. Yeah. And then became, I think this, you know, the sort of poster
of this controversy. So yeah. If you read Markus's Twitter, you can go back and you kind of get a sense that he's the kind of person that would not want to take that kind of stuff being put upon him or whatever. Let's wrap it up with Teddy's comment out in the audience: feels like a small step to enable 2FA, I wonder why it creates so much debate, feels a bit political, especially today where 2FA is required almost everywhere.
Yeah, I agree. I think, again, people saw the, here's your hardware key, like, I don't want a hardware key, there's so much work. Let's move on. Brian, that was a good one, but let's get out of there fast.
Yeah, fast. A harsh transition. Let's just talk about FastAPI. Anyway, don't transition from that. So that's good. FastAPI Filter came up.
It was suggested by Arthur Rio, who is also the creator of it. And it looks pretty cool. So he said in a tweet, I loved using django-filter with Django REST framework, and I wanted an equivalent for FastAPI. So what this is, is a package you add to a project that uses FastAPI. And with it, when you're going through the cool debug user interface stuff, you can filter stuff. So it'll look at your schema and then you can filter different items and only see part of it. And it's just pretty neat. It also has things like the filters support operators, like greater than, greater than or equal, less than, not in, and things like that. So it's kind of a fun way to just filter when you're looking at your data. And in his README he mentions that he's got a video, and you kind of need a big screen for this, but he does have a video to show it in action, which is kind of cool. He shows filtering some of the data and then seeing the different data output. Anyway, just kind of a neat, nice debugging tool if you're using FastAPI.
That's really awesome. Ashley, do you do anything with FastAPI?
Unfortunately, no. This just makes me more jealous, I think, of the people who
get to use FastAPI because it's got all these cool, I mean, as a developer, I've played around
with it, but it's got all these cool sort of debug admin interfaces. And then you see even
more stuff like this kind of built on top of that. It's awesome.
Yeah, absolutely. And it's a fun one. I'm planning on learning more about FastAPI in Michael's upcoming course.
So, yeah, are you going to be able to make it, Brian?
I'm going to make sure I make it.
Awesome. I'm looking forward to that. So, yeah, that's the live, in-person FastAPI course I'm doing about a month from now, so it should be fun. Before we move on, I do want to talk about
our sponsor for this week, Microsoft for Startups Founders Hub. They're doing super cool stuff. As someone who has started his own small business, it is a lot of work. There's a lot of uncertainty, and knowing how to get help and having the support of people who have experience is really, really valuable. Starting a business is hard. They say that by some estimates, 90% of all startups will go out of business in the first year, which is tough, but that's how it is. With that in mind, Microsoft for Startups set out to understand what startups need to be successful and create a digital platform to help overcome those challenges.
And that's where they got their Founders Hub.
So Microsoft for Startups Founders Hub provides all founders at any stage with free resources
to help them solve startup challenges.
You get technology benefits, access to expert guidance and skilled resources, mentorship,
networking connections, and so much
more. So, and unlike a lot of other similar programs in the industry, it doesn't require
startups to be investor backed or third-party validated to participate. Founders Hub is just
open to everyone. So what do you get? You get, you can speed up your development with free access to
GitHub and Microsoft Cloud resources that have a bunch of credits that unlock over time so you can grow without worrying about paying for stuff.
They also help startups innovate.
They're partnering with companies like OpenAI, an AI research and deployment company to get
extra benefits through their partners as well.
So with the Founders Hub, it's not really about who you know.
You have this access to this mentorship network.
So you get
access to a pool of hundreds of mentors across a range of disciplines, areas like idea validation,
fundraising, management and coaching, sales and marketing, and specific technical stress points.
I think that might be the most valuable honestly, is, hey, I need to talk to this person or somebody.
Is this a good idea? Is this how I should be doing? And so on. So you can book a one-on-one
meeting with mentors,
any of whom are founders themselves.
Make your idea a reality today with critical support that you'll get
from Microsoft for Startups Founders Hub.
During the program,
visit pythonbytes.fm/foundershub.
Click the link in your show notes.
And yeah, thanks to Microsoft
for supporting the show.
Nice.
Indeed.
So what do you got for us next, Michael? Ashley's
next. I'm letting him go next. Oh, right.
Yeah, we'll scroll down to mine then.
Yeah, so I guess
I think kind of the reason I'm here, I
emailed you guys after there was some discussion
on the podcast a few weeks ago
about, you know, hey, we're seeing a lot more stuff
built in Rust and you had
some good points about like why
we're seeing that. But I thought
super relevant to this podcast is this project. And in fact, this whole organization, PyO3 on GitHub, has a number of projects in here that are super relevant to Python developers, obviously. So the main one I think is PyO3, which is Rust bindings. And basically what I emailed you guys
was that my hypothesis is the tooling
around building extensions for Python in Rust
or calling Python from Rust
is getting so good and so easy
that for me, I find this preferable
to writing C extensions, for example, now.
Not even necessarily because of Rust,
although Rust is a really great language
I've been getting into over the last year.
But just like that tooling aspect of it is really great.
So the experience is pretty awesome based on these separate projects.
So there's PyO3, which is the bindings.
And this allows you to basically use these type of things.
It's almost like a function decorator.
These are called procedural macros.
They're kind of tricky to write, but they're really easy to use. So you just put this on there
and then use this one to create a module, add your function to the module. And then
if you build this file, you can import it in Python and run this function. So the combination
of the ease of writing this, and then there's another project in here called Maturin.
Before you move on real quick, maybe for people listening,
if you go back just real quick to that section you had there.
Yeah.
So the idea is what you do is you write some Rust code,
and then you put, do you call it a decorator or an attribute?
What do you call that hash thing?
It's called a macro.
Yeah, a procedural macro, but you can just call it a macro.
Yeah.
So you put the macro onto function.
There's one function that defines the module.
And then in there, you just say,
here are basically all the things I'm exporting from Rust over to Python.
And those are just the ones you've wrapped with the macro, right?
Mm-hmm, yep, yeah, exactly.
Assuming that writing Rust for you is straightforward,
this is a really simple addition.
Yeah, and I think, you know, once you have this kind of,
you know, there's a little bit
of boilerplate in here,
but these macros reduce
the boilerplate so much
that once you're in the function,
in fact, I think this is like
a really cool way
to get started with Rust
because some of the really
steep learning curve in Rust
is when you're building
larger projects
and you have to deal with,
you know, strict typing
and lifetimes
and all these scary things
that, you know, Rust can do. But like you're, you're limited to just a function scope
because that's what you're calling from, from Python. I think it's a kind of a cool way to
get started and just get familiar with the syntax. Interesting. Yeah. Yeah. And yeah,
I think part of the reason these tools are so great is like the whole Rust community puts a
lot of value on tooling. It's like a relatively young language.
So from the start, I think it had this sort of, you know, attitude of building good ergonomics
for developers, having good, you know,
a single command line tool kind of that can do
all these different things.
And so this group that maintains PyO3
has also created this tool called Maturin,
which feels to me a lot like Flit,
you know, like the super lightweight wheel builder.
And so you see here,
you just run maturin develop with this project structure in here. It also has, like, a maturin init, I think,
which will create a new project for you.
And then you see here,
this develop will actually, you know,
give you some output, whatever,
because it builds a wheel
and then installs it in your virtual environment.
And so then you can see here,
you just call into that code
and then this is, you know, calling Rust code for you already.
Oh, cool.
That's really nice.
So have you built things that you've released or are backed by Rust?
Not released, but like I've done, you know, some obvious things
and then also some stuff for work as well.
Some small pieces of mostly, like, you know, I work in... I came from a
scientific background, and I now work for this, you know, like I said, a portable MRI startup. So our
whole thing is like Python from top to bottom, which is really cool. But for those performance
critical numerical computing things, we use a ton of NumPy and TensorFlow, but then also, you
know, some C extensions. And I've been just kind of playing around with converting those to Rust,
and this Rust NumPy is another
one of their projects here that makes
it really easy to write a
function that'll take a NumPy array basically
and do some calculations on it.
Oh, fantastic. Rust NumPy.
Is it like an
interoperability layer between Rust and
NumPy? Yeah, it pretty much just lets
you take NumPy arrays
from Python into your Rust functions
that you're creating with PyO3
and then also
create NumPy arrays and return them from
those functions.
It depends heavily on ndarray, which is
a pure Rust project here
for n-dimensional
arrays and computation, which is probably more
analogous to what actually NumPy itself
is, but in the Rust ecosystem.
Okay, that's pretty cool.
So, why Rust
over C?
I was mentioning to you before
the Rust community
is really excited
about Rust. Everyone who tries it likes
it, I think. It's topping
the charts in all these, you know,
most loved programming language
surveys and stuff like that
from Stack Overflow
and everything.
It provides some
stronger guarantees
around memory safety
while still maintaining
high performance.
So that comes at a cost
of a little bit of like
complexity and learning curve.
It also happens to,
with those memory safety
things, like, come with what they call fearless concurrency, where the typing system can prevent
you from creating race conditions and actually warn you about them or, you know, fail to compile
at compile time. And so I find the trade-offs between memory safety and performance
and ease of use to be really interesting between Rust and Python.
They make completely different choices, but like both sort of with similar things in mind,
like Python sacrifices some performance for ease of development, but still wants to be memory safe,
right? Like, if you're getting a segfault in Python, you're calling into something and
doing something wrong, or it's hard to do that with pure Python code, right? And the same is true
of Rust. It's like, if you're not writing what they call unsafe code, where you have to kind of wrap it in
a block that's actually called unsafe, you shouldn't end up with those types of problems.
So it's kind of cool to see those two things, and then when you really do need performance, you
can drop into this sort of lower-level language. Maybe it's a little bit steeper learning
curve, but you'll get the performance, and you don't have to sacrifice that memory safety to get it.
Yeah, fantastic.
Brian, you do more C stuff than I do these days.
What do you think?
There's some bottleneck stuff, the things that I use Python for that we do have like large amounts of data passing back and forth.
And I don't, I mean, normally Python isn't the bottleneck, but sometimes it is.
And there are cases where I'm, I was just Googling some stuff right now, trying to figure out if I can apply Rust to some of these things.
Because I actually, I think that's what Ashley pointed out is fascinating, is this might
be a really great way to learn Rust is to try to solve one of your bottleneck problems
in Python with Rust.
And I mean, I'm comfortable with C as well, but even though I've been using it for decades,
I'd rather, if I can use something else, I would like to try.
Something a little more modern. I totally agree. And yeah, you're right that, oh, I need to
implement these
three functions in Rust and then plug them into Python. That's different than I need to completely
learn Rust so I can just do this whole project in Rust. Yeah. Yeah. It's a narrow scope, kind of a
cool way to try to learn something. Yeah. And these projects have like a ton of great examples.
A few of them have user guides and stuff like that. So plenty of material there
to get you started.
Nice.
Cool.
Yeah, very, very good one.
Thanks, Ashley.
All right.
Have you ever heard
that regular expressions are easy?
Yeah.
Yeah.
Not me.
But here, Brian,
let me type something.
I'm going to type this.
I'm going to say,
okay, I want a dot plus
and then I want,
I'm going to write the word fun.
I'm going to write, is fun. I'm going to write,
is it backslash D plus? I don't even know if that's a proper regular expression,
but what does it, what does it do? So I want to introduce you to this site called AutoRegEx.
And this comes to us from Jason, Jason Washburn. Thank you, Jason, for sending this over.
And the idea is I can put a regex in here and hit go. Wait, oh, hold on, let me
just do this one, do a simple one for a second. What am I missing here?
I think you have that... it's backwards. You're going English.
Yeah, yeah, yeah. So why was it doing that? That was, um, yeah. So first
of all, okay, so let's start with that direction. That's the default direction it pulls up.
So what I can do is say, um, I want a regex that starts with fun, then any number. Write that, okay.
And so then it says, well, you know, what you want is caret fun dot star regex. Is that right?
It's not quite right, but we'll start with this. This is "starts with". But dot star, I think, is any character, right?
Yeah.
Oh, then how about, yeah, it's not perfect.
Then the same numbers.
There you go.
Oh, there you go.
Yeah, you got to, it's not perfect.
You got to understand the English.
But I wrote an English sentence to it, and it came up with a regular expression.
It says, disclaimer, all outputs are generated by OpenAI's GPT-3.
Sometimes it makes sense. Sometimes it doesn't. But you could also do the reverse.
Yeah, let's do the reverse.
All right, I'm going to make... I'll try to go back to my other one. I said, I say caret, then, uh, dot plus, and then fun, and backslash, uh, is
it... Let's try that and do it in reverse. So I'll run it again, and you wait for a second. It says the
regular expression means the string must start with any character. Then there must be one or more characters before
the substring fun. And then there may be any number of digits after the substring fun. What
do you think about that? It's not quite right. I think it only matches one. Yeah, maybe it only
matches one. Yeah, but still, the trick for me too, is that regular expressions are like
different depending on your platform. That's what always tricks me up.
I'm like, which ones?
Exactly.
So this is a really cool tool to almost understand regular expressions.
Yeah.
So here's how I would perceive this.
I would say I wouldn't use this and just go writing all my regular expressions.
But if I'm like, I really don't know how to get a regular expression to do that.
Yeah.
You could go write the English sentence,
and it might come up with either the right answer or something close enough that it's like, you know,
okay, I see where it's going. Now it's not quite matching, but let me... I would call this more of a
guide or, like a, yeah, signpost along the way, not the tool to build it. I could see it being super
useful with, like, uh, I think there's a site, Regexer or something like that,
where you can basically write a bunch of test cases
and then
your Regex and have it run against
them all in your browser and see it right there.
And that's like, when I have to write
regular expressions, that's how I do
it. Like write a bunch of tests in here
and get it to work. I maybe should be writing the tests
in my own code and actually putting them in
as tests, but I do it in this.
But yeah, if you kind of integrate those two tools together, I could see this being useful.
Yeah, for sure.
We take the example one over here and we could put it into this there and see what it says.
So the regex is create a group that is a word and then you got a piece, at least some white
space there.
What do we get if we run that?
The regular expression matches any word that begins with an uppercase letter.
That's pretty cool.
It does.
Yeah.
Anyway, fun.
People can check it out.
More Regex fun.
Thanks, Jason, for sending that in.
And then, Ashley, you also pointed out
that Simon Willison wrote an article on this.
I don't know anything about this.
I just saw this in the news.
Yeah, he was actually, so it's sort of related because it's GPT-3 and code.
And I mean, even this first one has some regular expression stuff in it. But I guess there's a mode with GPT-3,
I haven't really played with this, but you can, like, paste in code and then start asking it questions
about it, like, in a sort of conversational manner. And his blog post I thought was really cool, and
the one thing I did see pointed out was similar to what we were just talking about, is apparently
the AI model, like the chatbot, can be very scarily confident in its answers.
And sometimes it's very confidently wrong.
So you have to not be lulled into the false sense of security there.
Yeah, for sure.
Cool.
You definitely do have to take it with a grain of salt.
All right, Brian, close us out here.
Okay. So Philippe sent us this next topic
and he's working for PythonAnywhere.
So anyway, he's one of the insiders.
Anaconda acquires PythonAnywhere
to expand the Python team collaboration in the cloud.
So not expand the team,
expand Python team collaboration.
So this is an interesting... we're linking to an article from Anaconda, a press release just saying, yeah, we bought PythonAnywhere, or acquired them.
So it's interesting.
I think I'm going to jump to another thing before I, I guess, give my feedback. One of the things here, it says from the announcement, the acquisition comes on the heels of Anaconda's release of PyScript, an open source framework for running Python applications with HTML.
We've covered that.
The Python Anywhere acquisition and the development of PyScript are central to Anaconda's focus on democratizing Python and data science.
So I'm going to be optimistic and not pessimistic on this.
I think hopefully it's a good thing.
And then on the PythonAnywhere site blog, there's a FAQ about the acquisition.
And it kind of goes through, like, from the customer standpoint, you know, will this affect my account, the
billing change. Basically they're going to keep everything the same, at least for now. But
hopefully it will expand its services and stuff and make things better. My personal take on it,
so, is that I'm hoping... PythonAnywhere is a cool idea, but I haven't seen much from them lately, so I'm hoping this will breathe
some life into PythonAnywhere. I'm not saying it's dead, but I just... it'd be cool to see it grow.
Fun fact: Talk Python itself started out on PythonAnywhere for a month or so, because I'm like, I want
to get this up, and it's kind of complicated to figure out all the Linux and Nginx stuff,
and it seems real easy to just fire it up over here.
And it worked great for a while,
but eventually moved off.
It's like, you know, started doing 15 terabytes of traffic a month.
Yeah.
So anyway, I'd love to see that coming along.
That seems great.
Let me share also one more other thing.
So on the screen, I have python.org
and it shows you a code sample.
Has anyone clicked this little thing up here on the right?
This little shell looking thing?
I have before, but I don't remember what it does.
Watch.
Oh, nice.
So it opens up a Python REPL.
That Python REPL is running on PythonAnywhere.
Yeah, and one of the cool things about PythonAnywhere is this ability.
This ability to just run it from any device.
So you can run this from a tablet or
a Chromebook or something without installing anything. And that's neat. I'd like
to see that expand. Cool idea.
Yeah, it sure is. And I can see how this pairs with PyScript. So this is
in my browser, I can just run Python and get a view into a REPL, but with PyScript I maybe
just move the execution to the front end as well. So they're kind of
related in that regard.
Go ahead, Brian.
There's a few things I'd really love to see
PythonAnywhere change with this.
Currently,
PythonAnywhere doesn't support
Python 3.10. Hopefully, we can
get that updated.
And you can run
WSGI apps, but you cannot run ASGI right now.
So no FastAPI on there. So hopefully that will be fixed. And then also the free plan
doesn't allow you to do Jupyter notebooks, and I'm guessing, with Anaconda in there, that
might be... probably, well, I would suspect it would. All right, how about extras?
Just a couple minutes left for those.
I've got nothing. Ashley? Nothing?
I had a couple in here.
Not a whole lot to say about them, but that's
I guess why they're extras.
PEP 691, there's a new
JSON-based simple API
for PyPI, so more PyPI news
there. This is like for
tools like pip, I guess,
that are sort of, you know,
indexing packages and stuff like that
or going on a search for packages.
Like we'll now be able to parse JSON
instead of, I guess, up until now,
they've been parsing HTML,
which was a surprise to me.
You can go to somewhere.
Yeah, you go somewhere on pypi.org
slash something simple
and you just get a wall of links
and you get like 350,000 links,
which is not an ideal way to,
like it doesn't seem like the best stage format.
It's cool because I guess it can be like,
it can serve those as static files, right?
So that's why instead of having a dynamic web app,
you don't have to worry about loading all this stuff.
It's just like an Nginx server pointed at a huge directory.
But this allows those same servers, I guess,
to serve JSON instead of HTML. It's neat.
Yeah, great. And then rich-codex
is a tool
for automatically creating
these terminal screenshots from
stuff in your documentation.
Mostly, I thought we can't have a
Python Bytes episode without something related to
rich, right?
That's right. Check this out if you're
using rich and want to make some screenshots that stay up to date with your code.
Yeah, some color-coded code blocks in your markdown.
Yeah, for sure. Very nice.
Yeah. All right, all right.
I just have a quick one for an extra here. There's an article on DevJobsScanner, the
top eight most in-demand programming languages. So we've got JavaScript,
TypeScript is number one, but Python number two. I bring this up because I was doing a live stream
on TalkPython and somebody came along and said, hey, should I still be learning Python? I heard
that it's really hard to get a job and there's not a lot of interest in that. So yeah, well,
anyway, I'm not sure what else you'd choose. And again, this JavaScript stuff, it's like
being a CSS... full stack CSS developer. You might have to have JavaScript skills
to do Python stuff, or to do ASP.NET, or to do whatever else, right? Like, JavaScript
is unique in the sense that a lot of times it's paired with other things, whereas those other
things are often more standalone, you know what I mean? So, yeah, maybe the fact that JavaScript is up there is because, like, every other language below it
also needs JavaScript. Plus, I'm not exactly sure what the metric is here, if this is,
like, how you pull that out. But anyway, take it with a bit of a grain of salt, but I think this is
pretty good. All right, are you all ready for a joke? Because Brian, you have started something. I have. Okay.
You have.
So remember we had the, I don't remember what the exact topic was, but we talked about this.
Oh, this was what is the junior dev see themselves doing in five years?
Oh, yeah, yeah.
Senior dev.
So this woman, Netta, she has just an amazing set of jokes. And so you're going to be hearing more than one of
these, but let's, let's, let's look at this one. They're so good. They're so good. I'm obviously
linking to the show notes. So here's an example of people. I think what the story is here is these
two women, they live in this apartment complex and they, um, they're in an elevator with some
of their neighbors.
And there's this older woman says,
so what do you girls do for a living?
One of the women says, I'm an architect.
Oh, and Netta, she's a programmer.
And you just see the crap emoji, like, oh no.
Later on, Netta receives a knock at the door.
And this old woman is like, there's a problem with my phone.
And then there's like another guy with a beard that shows up, just showing the laptop to her, and then there's
like a whole line of people with, like, printers and all kinds of stuff, just basically, oh, you're
our tech support now. I so have lived this. Yeah. Yeah, I have to actually... oh, go ahead, sorry.
Yeah, no, Ashley, do you get this? Not so much anymore, I guess.
But this was definitely like my experience in the dorms, I remember.
Well, I mean, like now you could say I work on MRI machines
and nobody will ask you.
They don't want you to fix it.
They don't have one.
No, they'll start telling you their medical problems
and stuff like that.
So my first job out of college was with HP.
I was working with satellite test systems. But everybody just heard HP and wanted me to figure out how to
configure their computer or their printer. Can you get my printer on my network, Brian? And it's
really gotten slow lately, I get a lot of pop-ups. Like, no, I don't know how to fix that.
On purpose, I don't know how to fix that.
Awesome. Well, that's all I got, Brian.
Okay, well, thanks for the joke. I love that one.
We could have more of these. Yeah. And thanks, Ashley, for joining us. And I really appreciate
you talking about Rust Python stuff.
We've been curious about that.
Oh, yeah.
Really happy to be here.
Thanks for having me on.
All right.
Well, bye, everybody.
Bye.