Python Bytes - #335 Should you get your mojo on?
Episode Date: May 11, 2023
Topics covered in this episode: Introducing 'Trusted Publishers'; Mojo: a new programming language for all AI developers; django-prose; pylyzer is a static code analyzer / language server for Python, written in Rust; Extras; Joke. See the full show notes for this episode on the website at pythonbytes.fm/335
Transcript
Hello and welcome to Python Bytes where we deliver Python news and headlines directly to your earbuds.
This is episode 335. Is that right? Yeah.
Recorded May 9, 2023. And I'm Brian Okken.
I'm Michael Kennedy.
And we've got a sponsor, InfluxDB. Thanks, Influx. We'll hear more about them later.
If you'd like to connect with us and talk to us in sort of real time or async,
we've got all of us are on Mastodon,
all of us, all two of us,
but at mkennedy, at Fosstodon, at Brian Okken,
and at Python Bytes, we're all on Fosstodon.
So you raise a philosophical issue.
The United States, the laws may have gone too far
to be business friendly in some ways,
and businesses have the same rights as a person.
Does a podcast?
I don't know.
Huh? You said all three of us are on Pond. Oh, yeah.
Does the podcast have pronouns? What rights does our podcast have? I'm very curious now, but maybe we've got to think about that later.
My podcast identifies as a podcast.
It identifies as MP3.
Well, so let's kick off the wonderful show with a cool topic. Yes, talking about trust.
So, Brian, one of the ways in which you automatically publish, or even within your system publish things to PyPI, is you take your one and only permanent API key and you put it in that, in whatever location that is.
So some people will go and publish from GitHub through GitHub actions.
And in the action, it says, here's where your username goes.
Here's where your API key goes.
And it may be a little known fact that people, I'm not sure if you're aware of
this, but if you're on the command line and you do git actions like git pull and
it says, oh, enter your username. Boom, enter your username.
Enter your password. You can enter that
API key and that will allow you
to do full CLI access
presumably, depending on...
Actually, that's the getable. I'm crisscrossing these.
But nonetheless, putting your
API
key into GitHub
actions and other CI, CD
places and scripts.
Not ideal, right?
Yeah.
So last month, a couple of weeks ago, Dustin Ingram, one of the folks at PyPI said, we're
introducing trusted publishers.
So starting today, PyPI package maintainers can adopt a new, more secure publishing method
that does not require long-lived passwords or API tokens
to be shared with external systems,
such as GitHub Actions and others.
Okay.
Okay, so what you can do instead
is you can create like an OpenID OAuth type of connection
between PyPI for your account and GitHub, yeah?
And when you do that, then when that action runs,
instead of saying, what is the API key?, it says, let me, through an OpenID Connect exchange, say we
trust each other for this user. Give me a 30-second valid token that I can use, or, I'm making
up 30 seconds, but give me a token that I can use, a short-lived token, that just for this publish or just for this interaction is authenticated
and then will immediately expire.
Oh, yeah, cool.
Yeah, that's pretty cool, right?
Yeah, so basically you just connect those and you're good to go.
These API tokens, because they're regenerated and short-lived,
never need to be or should be stored.
They are not shared.
They rotate automatically because they are invalid.
They invalidate themselves.
And this is not quite as obvious,
but if somebody says this user logged in
and published this version of a package to PyPI,
and there's one API key, well, I don't know.
Was that really the user?
Where were they?
Were they on vacation when they were at that IP address?
Or was that a hacker?
Was that a CI system?
We don't know.
But because this actually understands what system is requesting the token, they say that it provides a verifiable link between a published package and its source, which I think is pretty cool.
I think?
Although, what if somebody hacks into my GitHub Actions?
Yeah, well, it only goes one level out
in the ring of trust, right?
OK.
So yeah, I mean, that is possible for sure.
Speaking of what if somebody hacks into my GitHub Actions,
you can see in the blog post that they published,
it shows this is the part that you add: permissions, id-token: write,
and that's it,
versus here is your
username and password, right? So that's cool. It says additional security hardening is available.
You can further increase the security of your release workflow by configuring trusted publishers
only to release from a specific GitHub Actions environment. I don't do anything with that to
that degree with GitHub Actions,
but basically with GitHub Actions environments, you can set rules and workflows around that environment, such as requiring manual approval for each run by a set of trusted people who are
repository maintainers, right? So even if it gets hacked, you know, it's not enough that the organization,
the GitHub organization, has a workflow that will push it.
You might want to set it up so that it says,
in order to push pytest-check
out of this environment automatically
when we're going to production, right?
Shipping a build, you've gotta go push a button
as Brian Okken on GitHub.
Okay, interesting.
Okay, that is optional, but strongly recommended.
And finally, right now, from my understanding, this just works with GitHub Actions.
However, the infrastructure to make this possible is now in place.
So it can be integrated with many more things.
So introducing trusted publishers, if you maintain important packages, this might be
worth looking at.
That's pretty cool. Thanks.
Indeed. Yeah. Over to you.
Well, this topic is on fire.
It is on fire.
So Modular released a video and a statement. I think it was on the second of the month.
So it's been almost a week, but you know,
time moves fast in the software world. So Modular announced Mojo. Mojo is a new programming language for all AI developers, and although I'm not an AI developer, we are all
AI developers now, I think. Either you're in the machine or you are controlling your face. Yes, exactly.
So anyway, so what is Mojo? So there, and also I want to thank everybody that suggested this. We
got like a whole bunch of people that suggested this, said, have you seen this? And don't feel bad if
you see a new topic and you think, eh, somebody has probably already told you
guys. Tell us anyway, we like it. Anyway, so Mojo, a new programming language. What is it? So it is kind of
Python-ish. It looks like Python. So actually, supposedly, one of the goals is it's going
to be a superset of Python. So it's not there yet, but they want to do kind of like Python but extra stuff that's C++-ish, like
structs and strict types and everything. Is this like your programming world has crashed
together and is now trying to become one? I hope so. The tectonic plates of Brian
Okken's programming experience. I'm pretty excited about it, actually. Not for AI stuff, but for hardware things.
I think that this would be kind of fun.
So what's the big deal?
It's compiled and fast in the order of like thousands of times faster in some cases, supposedly.
So one of the things, we're going to link the Mojo web page where you can get started. It's hard to get started right now, but we'll get to that. So there's also a fast AI, like, this kind of, where's this coming from?
Are you, if you're not familiar with modular, which I wasn't really,
these are the same people that kind of brought us LLVM.
So yeah, Chris Lattner and crew.
Yeah.
So there's, there's, there's a lot of excitement around it.
And it's not an LLVM.
It is.
So I had to look this up.
LLVM, or low-level virtual machine,
is what it started out with.
But we kind of know it as
almost all languages are built on top of it right now.
So Mojo is not that.
It's multi-level intermediate representation.
It's a MLIR instead.
So do I care?
Probably not.
But anyway, there's an announcement. Probably does mean it has a lot of targets that it can compile for, right? Giving you that intermediate
flexibility. Yeah. And there are some limitations with
LLVM that it doesn't have, because it's a little different. So I don't completely know it. But there's,
it's kind of a fun video. I've been playing with it just a little bit. So right now,
what's the stage of it? You can't get it for your local machine. So you have
to, like, if you go to the normal page, you say get started, and it has you sign up on a waiting list, and luckily
I got in. Yay. So I got to play with it a little bit. So when you drop into
it and play with it, you get a Jupyter notebook thing, and the Jupyter notebooks are already
filled out with, like, a hello world, or hello Mojo, and you get to walk through it and you get to see some of the
different stuff. So it's got definitions, or defs, but you have these let statements. So
that's different. We don't have to do lets and vars in declarations in Python. So you
can do normal Python. Kind of the neat thing about having it be kind of like Python is
you're kind of used to it already. You don't have to learn something new. But also it's compatible
with external libraries, so you can hook in things that are already built in pure Python. That can be
hooked in too. That's the part where I'm curious about: can I just forget about all this other
machine language, low-level stuff, and can I just use this to compile my Python? Don't know
that yet. Yeah, I don't know what the integration with other libraries is like. The example had
clearly indicated, like, NumPy integration. Yeah. But can I use Flask with it, for example, right?
I don't know. Yeah, don't know. Yeah, I don't know either. This is very exciting. I did want to point
out that we are correcting a mistake that we made at PyCon, Brian. No, not just last week.
Somebody out in the comments during the live stream last time and the YouTube video said, I'm
telling y'all folks, I really don't believe what I'm hearing. How can they not be talking about Mojo?
Oh, so, yeah. But, well, so what do you think? Well, okay, so one, it sounds very exciting.
Two things rub me the wrong way quite a bit from the start: that it's behind a sort of mailing
list paywall, not paywall, but, like, gated wall. Yeah, right. That just seems off to
the wrong start, right? If you want to get a lot of traction, I think, you know, put it out there.
Maybe you've got to sign up in order to run the compilers on a Jupyter notebook in the cloud because they're not totally tested and stable or something along those lines.
That would be totally fair.
But, like, it doesn't tell you if it's open source or not.
It doesn't share a GitHub repository.
It doesn't share a way in which it expresses what this is going to be.
Is this a thousand dollar a month subscription?
Is this open source?
Is it both?
Right.
Is it like, oh gosh, what was it called?
Codon.
I believe some people were like so excited about Codon. It's under the model of if you've got to ask what the price is, it's too expensive for you.
Oh yeah.
Which like, okay, I'm not going to get super excited about investing in that, even if it
is neat and powerful.
So that, that said, everyone seems to be super excited about it.
I love the way the language looks for like a more compiled way.
I think there's a lot of possible Python integrations.
Like we already talked about, Hey, could I run flask?
Is it so close that we could just make our stuff go faster when we need it, if we're willing to, say,
decorate our variable declarations with a let or a var, right? I might be willing to do that
if my code could run a thousand times faster. Yeah. There's some, I don't know, it's not
clear to me how much, sort of, community there is versus product, which, I'm not saying you
shouldn't have one or the other, they're both fair, but it doesn't say. And it's behind, like,
a sign-up wall, which makes me wonder, right? It just makes me feel less excited about it, which is why I
didn't cover it last week. I'm like, maybe, I don't know, we'll see. Okay. Also, the rough edges. There's a rough edges section, of like roadmap and rough edges.
Some of them are really big missing things like tuples.
Yeah.
Tuples not supported,
classes not supported.
Well, that's a lot of Python that you can't use without classes.
Yeah, well, and maybe this is just early and they're just showing it. And if
it's coming, that is totally good. So I just, I don't know, when I first saw it though, the, like,
here, like, sign up for our mailing list so that you can maybe look at it. It's like, what is
this thing here? And it doesn't express, there's no GitHub repo linked. I don't know. So I have a
lot of hope for it, but I'm just going to withhold my assessment of, like, the impact
I think it will make yet, because of that.
Right.
I whistled.
It could have quite an impact if we get everybody able to play with it, and it's just going to be,
I mean, there's a lot of people talking about it this week,
but it seems like there's a new trend every week.
So anyway.
Yeah, I'm a little suspect.
Is it written in Rust?
I'm not sure it is.
Just kidding.
How can it be cool if it's not written in Rust?
I know.
That's exactly my point.
That seems where all the action is right now, which is cool.
But it's also worth pointing out for people who are not putting it together that Chris Lattner is also the person behind the Swift programming language, which is a pretty interesting language
that's also borrowed a lot from Python.
So it is exciting.
The other thing is it's sold as make AI work fast, but like Python.
That's awesome.
And it's a cool focus, but it doesn't speak to a goal of, like, hey, we could bring more and more Python
until it's like a 90% case, that's awesome, that we could do many things with, if it's really focused
on running Python code on GPUs and just really, really focused in on the AI stuff. So that's the
other comment that I wanted to make about, like, where's this going? So we'll see. But yeah,
a lot of people are excited. I mean, I would say, honestly,
we have not received more listener recommendations
that we cover something than this.
Yeah.
I mean, maybe the only other thing was Guido retiring
from BDFL was the only other thing that we got
like that much Mastodon, Twitter, email about.
So thank you all for sending that in.
These are my thoughts. I would love to see it succeed, but I just don't know quite where it's going or what it's
going to be yet. Yeah, I guess my optimism comes from where it's coming from. The people involved
have a history of doing things that are helpful to the community. So yeah, it absolutely has, you
know, big hitters behind it, so it's got a way better chance than just somebody publishing something cool.
Okay.
Yeah.
All right.
Yeah, we'll see.
I mean, it's certainly worth keeping track of it.
So next up, I would like to talk about our sponsor.
No, right on.
InfluxDB.
So this episode of Python Bytes is brought to you by Influx Data, the makers of InfluxDB. InfluxDB is a database purpose built
for handling time series data at a massive scale
for real time analytics.
Developers can ingest, store, and analyze all types
of time series data, metrics, events, traces,
in a single platform.
So dear listener, let me ask you a question.
How would boundless cardinality
and lightning fast SQL clear queries impact
the way you develop real time applications?
InfluxDB processes large time series data sets
and provides low latency SQL queries,
making it a go-to choice for developers
building real time applications
and sinking crucial insights.
For developer efficiency,
InfluxDB helps you create IoT analytics and
cloud applications using timestamped data rapidly and at scale. It's designed to ingest billions of
data points in real time with unlimited cardinality. InfluxDB streamlines building,
once, and deploying across various products and environments from the edge, on-premise,
and to the cloud. Try it for free at
pythonbytes.fm/influxdb. That link is also, of course, in our show notes. Thanks for
sponsoring the show. Yep. Thank you, InfluxDB. Now let's talk about some Django. Okay. All right.
So in Django, I want to introduce something called Django Prose.
Doesn't it just make you want to write, just sit down and put on your best Ernest Hemingway impression and just start writing?
I don't know, maybe.
But this thing is a rich text editor that you plug in to, I believe, into the admin section, the admin backend for Django.
Yeah.
Okay.
So wonderful rich text editing for your Django project, right?
So what you do is you install it,
you add it as one of your apps,
and then you have to run some migrations
because it needs some database backend stuff
to keep track of what it's working on.
And then finally you set up a URL for it
and then you're good to go.
And there's different ways in which you can work with it.
It can control basically the entire page because it's more or less HTML.
And so you can just say, show me the document.content.
Now, when you render that in your Django templates, this is HTML and Django templates, like many
of the templating languages are smart and say, yeah, no, if we just let people type in here,
they're going to type angle bracket JavaScript,
hackswords.com, dot, dot, dot, dot, dot, right?
So they're going to HTML encode that,
which will show it up as like view source, right?
So you got to do a pipe safe to say, nope, don't encode it.
Just drop the HTML straight in there,
in which case this should not be used by untrusted individuals.
You can also have ORM models,
and the ORM model itself can have a rich text field type,
which is kind of interesting, right?
Yeah.
And then you can show that as part of your template.
And again, you've got to pipe safe that,
because if not, it won't work.
And then you can even have a separate table
with a foreign key relationship to the content
for large documents.
So there's a lot of stuff with not just dropping an editor
into the admin section, but actually integrating that
into the Django ORM and models, which
is where I think it gets worth paying attention to over some of the other just JavaScript
front-ends for HTML editing. Nice. Yeah, it even has a form support for
rendering out editable forms and attachments, all those sorts of things. It
also only allows a subset of tags and attributes, and it uses the
bleach library, which, I don't know how familiar people are with bleach, but bleach is kind of
interesting. Apparently it's deprecated, although you're just using it for whitelisting. I don't
know really why it would make a change, right? Like these are the 20 tags and whatnot that are
allowed and they're still going to be allowed. But anyway, if you want to see, there's both a picture.
That's larger than I was hoping for.
There's a picture of basically what it looks like.
And you can imagine it's like a rich text editor or online blog thing.
And it has an editing section and a preview section as well as a video tutorial.
So if you're doing Django and you want rich text editing that renders,
that basically edits raw HTML in a nice way, WYSIWYG, as they said back in the day,
you can go and check this out and check out django-prose.
Nice. Hey, so have you ever heard the, you know, if you had a writing group in a
penitentiary, it would be prose and cons. Prose from cons. That's good. Yeah, we're jumping ahead. The
joke comes at the end, right? Okay, okay, sorry. Don't get ahead. Okay, so I want to talk with,
speaking of rich, I want to talk about pylyzer. Actually, not rich. Rust. So pylyzer. So this was suggested by Owen.
Thanks, Owen.
And this is a project that reminded me of Ruff a little bit.
So pylyzer is a static code analyzer and a language server for Python written in Rust.
Just cool.
Some of the details on it, I'm a little,
I don't quite understand.
But anyway, it's a Rust thing that can analyze your code.
So what is the big deal?
Why don't we have, speaking of Ruff,
what's the difference?
Well, so Ruff is like pylint.
Ruff is a static code analysis,
but Ruff is just your linter.
It doesn't do type checking or a language server. So pylyzer has a little bit more,
it's a little, does more, a little more linting.
It can do things like checking for out of bounds errors
and things.
So it isn't a replacement for Ruff.
You would run both of them if you want to.
And they're so fast that why not?
So, and that's one of the things,
because it's written in Rust, it's quick, it's very fast,
but that's not the only thing,
because you also want good error messages. So that's one of the selling points, apparently, is a
detailed analysis. It can check a whole bunch of stuff, but it also is readable. So it'll do,
you know, tell you what's wrong. And supposedly it does things like underlining
where the problem is and what you should do instead, maybe.
So this kind of looks like fun, actually.
Yeah, that is a really nice error message.
It has like a tree structure under the error thing.
It says, expected str but found int.
Yeah, kind of reminds me of some of the new stuff in Python to help you with problems.
Exactly, the 3.11 error message improvements.
Yeah.
And especially if it's going to do this sort of stuff,
language server, I'd like it integrated with an editor, right?
So this does have a VS Code extension
that you can integrate that and use that
instead of the built-in whatever VS Code uses.
PyLance.
PyLance.
PyLance is pretty good, though.
So anyway, I'm not sure how it works.
So here's the stuff that I don't quite get.
Part is it uses a type checker from the ERG programming language.
Erg.
Erg.
Erg.
I've never heard of Erg.
Interesting.
I haven't heard of it either.
So I'm not quite sure.
Maybe it's faster that way, but
it does that. I don't know if there's limitations, but it's a project in the rather early
stages, I think. It's got a lot of stuff going on for it, but I think it's neat that they
listed a to-do list and the things they haven't done yet. So it doesn't check for finals and other
things, but does quite a bit. That's still pretty good. So, new tool. Neat.
All right, are you ready for a joke, or do you have an extra? I have no extras today, but I'm ready for a
joke. Awesome, me too. This one comes to us from Arthur Rio and says, this joke might be right up
your alley. Okay, so what this is, it says escape room. So it's an escape room, like, you know, the
kind of thing where you go and you've got to find the clues to get out. And if you don't find the clues,
you're going to be stuck in there. So this person, with a big smiling anticipation,
is walking into the escape room, finds a skeleton sitting at a laptop, like a person who died,
gone, right, and starts to get really worried. Like, maybe this escape room is too serious for me.
Looks over the shoulder and realizes what they are doing is they're in Vim trying to get out of it.
It's so meta.
I know.
It is so meta.
Yeah.
Go ahead.
You just have to hit escape.
I know.
And look at the person who says there's always a way.
A completely beaten, smashed MacBook. How did that
happen? I don't know, but there's always a way, or something. It does look like he got run
over and then they opened it. Yeah, it's, well, it's not ideal, but the escape room, I thought you'd
appreciate that one. Yeah. Why is that such a big thing? Like, I don't know, it's one frustrating old
joke, of like, people are always going to make fun
of. I know, you could do the same for Emacs. Yeah, how do you quit Emacs? I don't even know. Yeah, it's
like a chord. I forgot what it was. Like, you know, you have to play guitars for it. Yeah, you do it.
It's, that's why it takes... That would be episode 335 in the bag.
Yeah, thanks everybody for listening. Thanks, Michael. You bet. Fun as always. See ya. Bye.