Python Bytes - #380 Debugging with your eyes
Episode Date: April 23, 2024
Topics covered in this episode: NumFOCUS concerns; leaping pytest debugger llm; Extra, Extra, Extra; PyPI has completed its first security audit; Extras; Joke
See the full show notes for this episode on the website at pythonbytes.fm/380
Transcript
Hello and welcome to Python Bytes where we deliver Python news and headlines directly to your earbuds. This is episode 380 recorded on April 23, 2023. I'm Michael Kennedy.
And I'm Brian Okken. Our courses at Talk Python Training, The Complete pytest Course, Patreon supporters: links at the top of the show notes.
So very much appreciate that. And while you're there, you can connect with us over on Fosstodon, if you're on Mastodon there. So Mastodon anywhere, but you can find us on Fosstodon at @mkennedy, @brianokken, and @pythonbytes. Join the show live at pythonbytes.fm/live, usually Tuesdays at 10 a.m. Pacific time now, and you see all the older versions there if you want the video as well. And finally, Brian, a bunch of people are signing up for the newsletter that you're sending out about things from the show every week, so that's awesome. People can just visit pythonbytes.fm, click on newsletter right in the middle of the top of the screen, and put in their email. We will treat it kindly, but then we will email you stuff that we're up to, which we'd love to do. So we appreciate that. And, you know, I really want to just like maybe focus on that kind of stuff. Brian, what do you think?

Let's focus, man. Let's focus. Speaking of focus, we've got NumFOCUS. So NumFOCUS is a, you know, actually, I probably should have done a little more research. NumFOCUS is a collection of different resources. And let's just take a look at the about of NumFOCUS. So NumFOCUS has a mission of promoting open practices and research data in scientific computing. There's a lot of information on the NumFOCUS site. You can check it out. But if you take a look at the projects that are involved, this is crazy. So the sponsored projects, there's a lot of our favorites, like NumPy, Pandas, Jupyter, SciPy. So many things are involved with NumFOCUS and collaborate with NumFOCUS. And I'm not, like I said, we should have had Pamphile on to talk about it a little bit. But Pamphile let us know something that's going on with the NumFOCUS group. And it's a little, there's some changes going on. So this was suggested by Pamphile Roy, who's in the audience right now.
So thanks for showing up. So this was an article by Paul Ivanov called NumFOCUS Concerns, and we'll link to it in the show notes, of course. But there has been some shakeup going on in NumFOCUS a little bit. There's been some problems in the past with NumFOCUS being able to meet the expectations of some of the projects within the NumFOCUS banner. And there was a town hall meeting in February announcing that there's a new direction, and it caught a lot of people by surprise. So I'm trying to highlight it here as well, so people know about it. I kind of want to point people to this article and just say that there's some things changing. Apparently in the past there was some lack of transparency of how the board was selected. So they're trying to make that a little bit more transparent. There is an initiated effort to elect open board seats to try to get more people on the board, and some proposed changes to the governance structure. And then around some of these issues, there's also some of the projects within NumFOCUS that are pursuing alternative venues for fiscal sponsorship. So getting money in other ways. So a lot of information here. I thought it was interesting, some of the different alternatives, there's like Open Source Collective, or some of the ways to get money. I mean, money is important to try to get some of the projects, some people, working on it. So if you'd like to get more involved or just have more information about what's going on with NumFOCUS, this is a really great writeup. So thanks for passing this along.

Excellent. You know, NumFOCUS is interesting. It's really one of the bigger ways that funds Python open source, and outside of Python as well, but there's not many other organizations like that. So keeping it healthy is definitely important.

Yeah, I'm glad there's some attention being drawn to it before it kind of implodes. So I don't think it will. I think we'll see NumFOCUS for quite a while.

Definitely. All right.
Speaking of shining a little bit of light on something, let's talk about leaping. Python, this pytest project should be one that you're focusing on, but I beat you to it. So here we go. Have you heard of this leaping?

I have not.

Okay, well, it's because the description is so, wait, no, there's no description. This is a small project that does, it's got 238 stars. So it's not a huge thing, but I want to give it a bit of a shout out, because I think this is cool, and I would love to hear your take, right? So leaping is a pytest debugger, simple, fast, lightweight, for Python tests. And it traces the execution of your code and then allows you, so you run a test session, you know, pytest dot whatever, and then you can retroactively ask questions about how your pytest session went, using natural language.

Okay, neat.

So like, well, what would you possibly ask it? So it does this by keeping track of the variable changes, variables changing over time, and other sources of non-determinism within your code. So you would just say pytest --leaping, if you install that, then it runs. You can ask questions like, why am I not hitting this function? Why was this variable set to this value? What is the value of a variable at this point? And what changes can I make to my code to make this test pass, even? Stuff like that. I assume this is pretty neat. You know, I don't have any experience with it, but it sounds pretty creative. It says it's based on both Ollama and GPT-4. You can pick which model you would like. And those are both pretty powerful. Why leaping? Leaping llamas? I don't know.

Well, typically llamas do leap a lot.

No, I don't think they do, actually.

Maybe a little bit.

Okay. I don't know. I can't tell you why. Maybe, I think it might come from a larger project that's here, but I don't really know.

Well, I'll play with it, and maybe we could get somebody on to tell us, or I'll ask somebody why leaping.

Anyway, I thought this was kind of interesting, so I'm just trying to light it up.

Thanks for giving me some homework to work on.

Yes, of course. Last one we gave, was it Mike Fiedler we gave homework? This time I'm giving you homework.

Yeah, haven't heard back from Mike, though. What's up, Mike?

Yeah, where's that article, man? Over to you.
So, okay. So I've got an extras, extras, extras section, because I kind of got down a rabbit hole. So on the last discussion of this NumFOCUS Concerns, I was looking at... Well, anyway, one of the other topics that Pamphile passed over is that there's a 2024 developer summit going on. So I'll just get started: 2024 developer summit happening in Seattle, June 3rd to 5th. This is an invite-only thing. So I'm just announcing it because it's cool. Don't try to sign up, because you can't, but it's still neat that we have one. One of the reasons why I wanted to bring it up is not to try to promote it, but to say, with like some of the, was it the xz or something, that bug that went by recently, xz, I can't remember, the near downfall of all the internet? Well, one of the problems was this discussion that people in a project don't talk to each other that much. And there's a lot of times where you can't really get away from that, but the Scientific Python Developer Summit is one place where a lot of the people from these Python scientific projects get together. And it's pretty neat. Last year was the first, and they did a whole bunch of cool things last year, including some, yeah, a bunch of planning implemented. They had a working group on sparse arrays, a bunch of specs were worked on, and even some pytest stuff. So community building, lots of great resources to try to get some of these core things together, and even some pytest plugins. Pretty neat.

And so one of the things here was like another pytest plugin. I'm like, cool, what's that do? So popped over. This is pytest-regex. And well, if you've got a large, especially parameterized, but really a large pytest test code base, sometimes you've got quite a few tests coming in. And one of the ways you can pick out a subset of tests is to use the -k option to say, hey, I just want to use something that has tests like _3d in it, to try to get those. But that might still be a long list. And there is some logic in the -k, so if you don't know about the logic of the -k, definitely read my book or take my course, but it isn't as powerful as a regular expression. But with this plugin you can use a regular expression to select the test names, which is kind of awesome, I think.

It's kind of awesome. It's also kind of scary to think of using regular expressions in test selection. You're going to need to write a test for your command line.

Yeah, okay. So that's cool. That's cool. pytest-regex is one of my extra, extra extras.
The next one on the list is there's this write-up, Carlos rolled, and I think, "My latest today I learns about Python." And a lot of these are fun. But the thing that I wanted to highlight, oh, it's, I guess I always just forget that underscores are a thing for long, long numbers. And it's very handy for constants. Okay, the thing that I thought was neat was this, what was it? There was an example of a decorator with just a class. You don't have to import anything or decorator stuff. If you just have a class with a dunder init and a dunder call, you can implement your own decorator. And I didn't realize that it was that easy. So kind of a cool, small example. All right.

Next up on our extras, and last, is Ruff got a little faster. So version 0.4.0 of Ruff is supposedly greater than two times faster, which is 20% to 40% speed up. So these are pretty neat numbers. It was already pretty zippy, so it's pretty cool. Anyway, those are my extras.

Yeah, very cool. That was for 0.4.0?

Yeah, yeah.

Okay. I think that's not out yet, but it's going to be, or something. That's awesome. I just did my pipx upgrade-all, which is a really cool command. It just says, go find all the things that use Python command line tools and upgrade them. And I got 1.3.0.1.37. But very cool. All right. Well, that's a lot of extra.

Well, yeah. So not the end of extra, I'm thinking, but a lot of extra.
Yeah. So let's talk about PyPI and packages. Now, I've covered this a fair number of times where we've talked about, oh, there's somebody uploading some horrible package that if you install it, bad things happen. But this has nothing to do with that, not directly anyway, even though it might sound like it. PyPI has completed its first security audit. Okay, so this is an article, I believe by, no, Dustin Ingram, who's part of the Python Packaging Authority, says, we're proud to announce that PyPI has completed its first ever external security audit. The work was funded in partnership with the Open Technology Fund. And they've done previous security stuff there. And they selected Trail of Bits, which is a very well-known security pen testing company, to work on it. And they spent, so if you've ever thought like, should I have a security audit done on my project? Maybe, but Trail of Bits spent 10 engineering weeks of effort going, trying to break into the systems and break them, and looking at the code and making sure everything is good. That's a lot of, I don't know what that costs, but that can't be cheap. So it's really cool that that was funded to make that happen.

The other important part is the scope. So this has to do specifically with what's called Warehouse, which is when you go to PyPI.org, that thing. That website, the APIs, the stuff behind the scenes that people create accounts at, that they upload packages to, like that infrastructure. Not pip, not the packages stored in pip, but the infrastructure that provides the website and the APIs. As well as something called Cabotage, a custom open source container orchestration framework that they created to deploy Warehouse. Which sounds interesting, and I know nothing about this, but those are the two things which were audited, and the really nice part, everything's pretty much fine. They decided that they didn't have any significant problems. They found 29 different advisories: 14 were informational, six were low priority, eight were medium, and zero were high priority issues discovered. So that's pretty awesome, right?

That is pretty awesome.

Yeah. So there's multiple articles and details published as follow-up. So like all the stuff that they did there, it's all public. And you can check it out if you wish. But I feel like that's enough to give people the idea there. So thanks, Dustin, for writing that up. And very good to hear that at least the infrastructure of PyPI is solid.

Cabotage sounds like a soup or something. Had a lovely cabotage last night for dinner.

It does. All right.
Well, that's our main items, Brian. How are you feeling about it? Got any more extras in there for us?

I have some personal extras. So I wanted to shout out, or just to highlight, some personal extras. So on the pytest course community, the pytest course that I have, the community was based on Slack, mostly, trying to use Slack, but Slack has this 90 day limitation thing on large communities, and it deletes stuff. So I'm going to try out Podia community for the community feature of pytest courses. So I was just kind of hoping to reach out and say, has anybody tried Podia community features and have a community set up on that? And how's it going? If you have, and you have some feedback for me, go ahead and contact me on Mastodon. I'm at Brian Okken at Fosstodon. Let me know if you have a cool community that I can check out. That'd be neat. And if you're interested in joining the pytest community itself, you can of course buy a course. But you can also, I'm going to try to open it up to other people. And when I do make changes, I'll announce it both through our newsletter, so become a friend of the show at Python Bytes, or you can sign up for the newsletter at Python Test podcast also. I'll announce it on both those things. So that's it. Do you have any extras?
Ah, yeah. Let's see what we got here. I have some extras, actually, but I got to set it up. I don't want to spoil the joke. I almost got the joke out there first. So the first thing is, recently had a lot of fun hanging out with Cecil Phillip and Brian Clark. Those guys wrote the VS Code course at Talk Python, which is an awesome course. Check it out at talkpython.fm, click on courses, it's right at the top. But as sort of a follow-up to that, we had a VS Code AMA, and so I had Brian and Cecil there, but also Luciana, who's been on the show before, and Karthik from the Python VS Code team. And we spent 35 minutes and 44 seconds taking questions from the audience and talking about features and direction of Python and VS Code. And that was a lot of fun. So people can check that out. It's on YouTube. And just, you know, go check it out if they want.

Next, Gunicorn, not "goonicorn," because the icon is a green unicorn. So Gunicorn has a CVE, which is not ideal. CVE means there is some problem worth giving a number and a record to. So this is CVE-2024-1135. And it's awaiting analysis, it seems. But Gunicorn fails to properly validate Transfer-Encoding headers, leading to HTTP request smuggling vulnerabilities. You don't want smugglers in your web app, do you, Brian?

No. No.

By crafting requests with conflicting Transfer-Encoding headers, attackers can bypass security restrictions and access restricted endpoints. So I would say maybe you don't want to do that.

Hmm. Okay.

Yeah. It doesn't sound incredibly dangerous, but it is a 7.5. It is high in the danger level. So I guess it depends. To me, it just depends on how are you actually restricting those things, and what part of Gunicorn versus what part of your own code is actually checking whether something has access to a thing, and so on. So yeah, but I want to put that out there, because you might want to update your Gunicorn.
Next up, another announcement. You had the SciPy one. So PyCon South Africa, PyCon ZA, is going to be a hybrid event. And right now the big news is that the talk submissions are open. They prefer them in person, but they can be given remotely as well, or recorded, I believe. So you can possibly submit a talk. If you're interested, the main conference is in October. So there's that.

And speaking of conferences, this one was sent in by Philip Jones. Brian, what would happen if you had like a stealth conference that invaded some other conference?

Like a symbiote.

Sub? Yeah. So there's FlaskCon inside PyCon this year.

Okay.

So on Friday, they'll be having FlaskCon 2024, you know, the Friday, which is May 17th, at PyCon US. And the call for proposals is live. Basically, they give you some ideas of things they might find interesting and so on. But yeah, there's a whole series of events and an introduction from David Lord, who leads the Pallets project, which manages Flask, among other things. But yeah, there's a whole, from 11 a.m. till 7 p.m., or maybe till 6 p.m., depending on what you call a conference, series just focused on Flask. So I think that's pretty interesting. I'm most interested to just see how this logistically works out, but if you're gonna be there anyway, that's cool.

Yeah, actually, this is kind of an interesting idea. It's on Friday, which I'm normally, like, you know, going to other talks and other stuff on Fridays. And I'd be curious to see some other piggyback things, because at PyCon there's the tutorial section before, and then there's the sprints after, but there's also, like, there's a lot less people in there. So there might be, it might be opportunities to do some other piggyback conferences, sub-conferences, before or after as well in the future.

Yeah, interesting.
Absolutely. All right, are you ready to close this out with a debugging joke?

Yeah, sure.

Okay, we got to do a little role playing here. Okay, so this is a conversation. You want to be the developer, or you want to be the person curious about how developers work it out?

I'll be the developer.

Okay, you do the green bubble. So here's a text exchange between somebody who's sitting next to a software developer on a train, or something like that, and then texting with their developer friend, go make this make sense, right? Okay, so here's the non-developer: Is it common for software engineers to take out their laptops on the train only to stare at them without doing anything?

Well, yes, legally you have to, or you lose your license as a software engineer.

Oh, but seriously, like, he just shut his laptop, opened it back up, pressed a button, and resumed staring at it.

Oh, yeah.

And now he's browsing his phone while staring.

It's called debugging. You stare at the code until it works again.

Why do you guys get paid so much?

Pretty good, right?

Yeah. Well, it's, yeah. And it's further than that. I mean, after staring at it for a while, I often bring in other people to stare at it with me. Can we just stare at this together for a while? Because my staring is ineffective.

It's called code reviews.

Exactly. Sometimes AI will also stare at it with you. It could also propose new ways to break it.

Yes, that's right. Yeah. All right. Well, lots of fun.

Well, if I had pytest leaping, I could just ask it why it's not working.

Exactly. Come on. Leap into action. What's happening here? All right. Well, thanks for being here, Brian.

Thank you to everyone for listening.

Bye.