Python Bytes - #392 The votes have been counted

Episode Date: July 17, 2024

Topics covered in this episode:
- 2024 PSF Board Election & Proposed Bylaw Change Results
- SATYRN: A modern Jupyter client for Mac
- Incident Report: Leaked GitHub Personal Access Token
- Extra extra ...extra
- Extras
- Joke

See the full show notes for this episode on the website at pythonbytes.fm/392

Transcript
Starting point is 00:00:00 Hello and welcome to Python Bytes, where we deliver Python news and headlines directly to your earbuds. This is episode 392, recorded July 17th, 2024. I'm Michael Kennedy. And I'm Brian Okken. This episode is brought to you by Code Comments, an original podcast from Red Hat. So thank you to Red Hat for supporting the show. We'll tell you more about them later. You can follow us on Mastodon. The links for Brian, me, and the show are all in the show notes. And you can also follow us on X if you wish. I know some people have not yet made the transition. What are you waiting for, people? Come on. And finally, before we jump into it, we are super excited that people are signing
Starting point is 00:00:41 up for the newsletter. Check that out. Just go to pythonbytes.fm. Click on the big newsletter button in the middle. Put your email in. You'll hear about cool stuff. You'll get the show notes, but you'll also get announcements that we might send out and other things. Live events, who knows. So sign up, be in the know, and we'd love to talk to you there. And we won't share. Brian.
Starting point is 00:00:59 We were going to do a contest or something. Yes, we're going to do a contest. The numbers are growing, and when we reach a monumental number... I'm pulling up my Listmonk management here. We are close. We're getting quite close here. So yeah, we're going to do some kind of contest. Yeah, some kind of giveaways. We'll see what that is. The 2024 PSF board election and bylaw election. The election happened and the results are in already. So it happened pretty quick. And nobody's demanded a recount yet.
Starting point is 00:01:29 So, you know, that's good. Because we don't do that in the PSF. So new board members: Tania Allard, KwonHan Bae, and Cristián Maureira-Fredes, I think. But congrats to the three new board members. Super awesome. Should be fun for you. One of the things in this announcement was that the... where was it? Basically, it says, what's next?
Starting point is 00:01:58 If there's four... here it is at the bottom. There's four seats open again next year. So it might feel early. But if you're kind of thinking about running for the board, it might not be early to think about it now, to get ready and think about what you want to propose and stuff. And they suggest reaching out to one or two current board members to ask them about their experience before throwing your hat in the ring. So it actually sounds pretty interesting. So anyway, the three new board members, congrats. And then also all of the PSF bylaw changes passed heartily, like with a big margin. So let's take a look at that a little bit.
Starting point is 00:02:39 So let's look at what they are again. So there was merging contributing and managing member classes. That seems like a no-brainer. I'm glad they're doing that. Simplifying the voter affirmation process by treating past voting activity as intent to continue voting. That makes sense. Yeah, I like that one, because in order to vote you have to attest that you're interested in voting for some reason now, which is funky. Well, also, I mean, it makes sense for, like, counting it. Like, you know, if we just send it to everybody and just give them three weeks to vote, I mean, how long do you have to wait? I don't know. It's all right now. If you voted this year, you'll automatically be able to vote
Starting point is 00:03:21 next year. That makes sense. And then the third one, allowing for removal of fellows by a board vote in response to code of conduct violations. There was a lot of controversy on the chat and stuff and in the mailing list. However, that third one, and all of them... the third one passed, like, by a huge margin. Second one also huge margin. First, huge margin. So, you know, smaller margin for three, but basically still most people are for it, and I was for it too. And I trust our board, so I think it's a good thing. So if you want to read more about all of these, there's a link to all the different bylaw changes. So you can read more about them if you want to.
Starting point is 00:04:08 Yeah, cool. Very cool. Hey, I do have a quick comment here. Okay. So the number of people who voted are in the hundreds, like 300, 400, something like that. There are millions of Python developers, literally millions.
Starting point is 00:04:22 There's plenty tens of thousands of people who just listened to this podcast who are in the know and interested enough. Vote, guys and girls. Yeah, yeah, be part of the community by voting. It's a good way to get every voice heard. I also really enjoyed this year, and I do this every year,
Starting point is 00:04:41 of actually reading about the different... reading all the different board candidates and what they've done. It's kind of a neat way just to, like, catch up on some people and what their contributions to Python are. Catch a little zeitgeist. Where's the whole community going, in a sense, but not as much as if you listen to Python Bytes every week, because then it's like a rapids of zeitgeist.
Starting point is 00:05:03 You can barely stand it. Speaking of barely standing it, imagine if you were on Saturn doing data science. Okay, so we obviously know about Jupiter, which is our biggest planet, clearly. But Saturn is pretty big too, and it's cool. It's got cooler rings than Jupiter. So better for data science?
Starting point is 00:05:22 I don't know. Okay, seriously, this is saturn and uh it's a modern jupiter desktop application for mac os cool pretty cool so it's like super minimal it has a bit of a not a jupiter lab that's too close to the real jupiter but just the jupiter notebook style like straightforward it's supposed to be real minimalist, right? It's a nice and clean. It has a command palette. So you can, you know, command K or command shift P, whatever the hot key is. I don't know yet. I haven't tried it. So you just download it and you get going. I think it might come bundled with Python and you don't have to set up virtual environments and stuff,
Starting point is 00:05:58 but you can connect it to so-called kernels or basically virtual environments that you would like there all right yeah so very nice you just download it and get started it has a built-in llm so you can ask it llm things like describe the plot above and then plot it using or describe the data above and use a plot using uh plot it using lines and scatter and boom it'll go and do that sort of thing pretty cool yeah it's very minimalist if like i said if that's your vibe, then this is it. There's a command palette you can use. I don't know what the hockey is it again. It comes with black built in.
Starting point is 00:06:31 So you get automatic formatting. Just press F apparently and boom, your whole notebook is formatted, which is really nice. I feel like that's one of the things kind of missing from notebooks is like a real nice sort of management of code in general. Like the autocomplete is not that great. I know you can hit, there's like, you can press some hotkeys to trigger autocomplete, but it just doesn't happen as you type like many editors.
Starting point is 00:06:53 You can also do cool things like copy, just go to a graph copy and just paste it straight into, it's got a little copy button just for the data tables and for the graphs and things like that. Yeah, so all super neat. Check it out. And my final thought here is download the alpha. There's no link to GitHub.
Starting point is 00:07:12 So presumably this is not an open source thing, although perhaps it is. I just haven't found it, but there's no link to GitHub and there's no business model expressed here. So will this be a paid product? Is it just not yet out on GitHub? You know what I mean? Like, I don't know.
Starting point is 00:07:30 So buyer beware. And by buyer, I mean person who downloads for free. Yeah. But it looks really promising to me. I really like the vibe here. Oh, okay. Okay, go up. Oh, this is the Ruff thing.
Starting point is 00:07:43 Let's see. They do have a blog. You can check it out, but it has literally one entry that says "Integrating the Ruff language server," which is, you know, like an engineering cool. That's fun. But it doesn't tell you anything about it. Oh, okay. It doesn't add any information to what I was just talking about.
Starting point is 00:07:59 You know what I mean? Yeah, and it doesn't have the Satyrn... It has a link to an editor, one repo, but it isn't the Satyrn repo. We'll see. But, you know, look, if somebody makes something that you pay money for that's a super nice data science app and it's not out of control, I'm not saying that's a negative thing. I'm just saying it's not clear what its status is, you know?
Starting point is 00:08:17 Yeah, but also if anybody that's part of this, like Jack Hodkinson or anybody else on the Satyrn team, let us know what's going on. Shoot us an email. Speaking of stuff we want to let people know about, I bet there's some code comments in this Satyrn code there. What do you think? I think probably. Probably. This episode is brought to you by Code Comments, an original podcast from Red Hat.
Starting point is 00:08:40 You know when you're working on a project and you leave behind a small comment in the code? Maybe you're hoping to help others learn what isn't clear at first. Sometimes that code comment tells a story of a challenging journey to the current state of the project. Code Comments, the podcast, features technologists who've been through tough tech transitions, and they share how their teams survived that journey. The host, Jamie Parker, is a Red Hatter and an experienced engineer. In each episode, Jamie recounts the stories of technologists from across the industry who've been on a journey implementing new technologies.
Starting point is 00:09:15 I recently listened to an episode about DevOps from the folks at World Wide Technology. The hardest challenge turned out to be getting buy-in on the new tech stack rather than using that tech stack directly. It's a message that we can all relate to, and I'm sure you can take some hard-won lessons back to your own team. Give Code Comments a listen. Search for Code Comments in your podcast player or just use our link, pythonbytes.fm/code-comments. The link is in your podcast player's show notes. Thank you to Code Comments for supporting the show. Back over to you. I want to talk about something bad that happened on PyPI.
Starting point is 00:09:49 But it could have been worse, but it's not. But it could have been, but it wasn't bad. Anyway, what happened was, and I'm going to link to a couple blog posts. One of them is on the PyPI.org blog from Ee Durbin: "Incident Report: Leaked GitHub Personal Access Token." So what happened was, and Ee just goes ahead and writes out the timeline of events. It was something he was working on, something called Cabotage.
Starting point is 00:10:20 And the gist of it is, he was trying to debug something and ran into some problems with timeouts for GitHub access tokens, for the generic ones or the community ones or whatever. And so he used his own personal one for a while while he was developing it, then he switched back. But his personal access token got saved into a PYC file that made it to a Docker image that got published. So this is bad because it would have given access to a whole bunch of PyPI and core stuff, even including Python, probably. Not good. So what happened, how this was found, though,
Starting point is 00:11:04 was JFrog does a regular binary scan of a lot of packages or open source projects that we rely on, including Python and stuff. And they found this problem, and they notified the security team on PyPI. And the security team from PyPI revoked the token within 17 minutes of getting notified. This is, like, amazingly, blazingly fast, I think. And JFrog even points this out: the research team identified it, reported it to PyPI, and it was revoked in a mere 17 minutes, which is super cool. Anyway, so it was revoked, it was fixed, and then afterwards a scan was done to find out if that access token was used for anything, and it wasn't. So it wasn't exploited at all. But there are some good takeaways, and in the original blog post they just
Starting point is 00:12:07 talk a little bit more about the details about how this showed up in the Docker file. But the takeaways, there are a few of them. There's three of them. First, set aggressive expiration dates for API tokens. So if you are going to use an API token, only have it for as long as you need it and, you know, consider the timeout, because if it escapes, you have to deal with that. Also, treat PYC files as if they were source code. And that's, you know, normally I don't think about that, because we don't publish PYC files, but if they're in a Docker image, it's going to get published. The other note was only release builds from
Starting point is 00:12:51 automated systems, like use a CI system with a clean source only. Some great reminders that PYC files are really something to be careful about also, and be very careful with access tokens. Yeah, pretty scary. Pretty scary. The TechRadar folks,
Starting point is 00:13:12 TechRadar is the right place. I really like their writing. They phrased it as, "a GitHub token leak could have put the entire Python language at risk." What if Python itself was malicious? Right? Because, I mean, it gave anyone who wanted to get ahold of that write
Starting point is 00:13:25 access to the Python, CPython repo and other parts of deployment. It's not ideal. Yeah. But it sounds like it was caught. So it's really good. Could have been very bad. So yes, another bullet dodged. Another bullet dodged, but both posts are interesting reads.
Starting point is 00:13:40 The JFrog one also has quite a bit of good information about, you know, how to protect from this, and some of the actions. Some of the new GitHub access tokens have a way... they're easier to scan than they used to be. They're easier to find because there's, like, a prefix that you can scan for within binaries. So that's pretty cool. Oh, right, right, right. Yeah, they've changed that format. That's good. Yeah. I would like to go on a bit of an extra, extra, extra. This was not the intention. I had some other topic and I'm like, I have another extra, another extra. I'm like, all right, this is out of control. So, you ready? Extra, extra, extra, hear
Starting point is 00:14:13 all about it. Yeah, I'm ready. Let's do it. Number one, first extra, pretty quick here, is Python 3.13 beta 3 has been released. This was a couple days ago. It's not like... why would you put the date at the bottom? I don't know. Anyway, I know, it's at the top: June 27th. So it's actually been a little bit of time, but there's no other beta, and people should be checking it out. This is the third of four beta releases, so this is basically the last chance to make potential changes before it's completely just down to bug fixes, right? Okay. So, the Python folks strongly encourage maintainers of third-party
Starting point is 00:14:52 Python packages to test with 3.13 during the beta phase and report any found issues to the Python bug tracker ASAP. It will be feature complete... while the release is planned to be feature complete entering the beta phase, it's possible to get modified or changed based on how serious any problems might be. Anyway, 3.13 beta 3, awesome. Menu bar Ice. I told you guys about this when there was the Bartender... I was such a fan
Starting point is 00:15:17 of Bartender, recommended it everywhere, and then Bartender went a little funky. It's not that it was sold to someone else that's a problem. It's that it sold, and the fact that it was sold was obscured. That's the problem, right? Talked about that previously. So I switched to Ice, and Ice was like, it kind of does the thing that Bartender used to, but it hides menu... Like it doesn't seem to show everything reliably. And anyway, it was really kind of janky, but this thing, I think, got a ton of attention since all that happened. It's got a lot of contributions. So new release, a lot of bug fixes, primarily like a cool little dropdown that shows all your stuff in a second. Like if you click on it, it'll show you a little second window.
Starting point is 00:15:56 Really nice. So I can more strongly recommend open source, free Ice than before. Links in the show notes. You got a lot of stuff up there, man. That's why I need this thing. It's out of control, man. I'm telling you, it's a problem. All right, last time you mentioned the article "I Will Piledrive You If You Mention AI Again," and it resonated strongly with me. All right. Yeah, so the Primeagen guy did a one hour Prime reacts to the "I will piledrive you" article and it is gold. So check out this.
Starting point is 00:16:27 If you just want to like sit back and listen to it in the background, this is a really good video. It's worth your hour of time. So check that out. I listened to an inner. I don't have the link right off the bat, but I listened to a podcast episode, somebody interviewing the guy also.
Starting point is 00:16:42 Okay. Interesting. Yeah. He does a good stream sort of thing all right next up we talked about polyfill i think a couple of episodes ago right polyfill io and all that so polyfill was uh polyfill.io used to be run by some financial publication i can't remember exactly i don't want to misattribute them and then they were sold they were like a cdn for javascript stuff and they were sold. They were like a CDN for JavaScript stuff.
Starting point is 00:17:06 And they were sold to a Chinese company, which in itself is not necessarily bad. But then the Chinese company started sending malicious code instead of regular JSON polyfills to its users. But in a super select way, like, oh, are you doing an authentication at this third-party identity as a service thing? Well, maybe now you're getting the bad JavaScript or whatever, you know? So really, really tricky stuff. And the polyfill.io domain was not unregistered. It was basically blocked by its registrar,
Starting point is 00:17:37 which I think was Namecheap. But there are four other domains that it turns out that they're also using as CDNs. I don't know what happened to them. Maybe they've been dealt with by now, but maybe not. But also what if polyfill.io just re-registers somewhere else eventually? Is this possible?
Starting point is 00:17:51 I don't actually know. So I posted a thing on, busted on in on Twitter saying, hey, if you have some kind of fancy DNS, you might want to put blocks in for all these domains. So staticfile.org, staticfile.net, bootcss.com, bootcdn.net and polyfill.io those are all blocked on my next dns which is awesome which is like um a pie hole but you get
Starting point is 00:18:13 access to it anywhere not just while you're at your house which is better i think cool yeah so uh if you care about that stuff this is one way to say you can now surf the web. And even if you go to a vulnerable website, it won't load these things. So that's always good. All right. Nice. Next up, we have the JetBrains Developer Ecosystem Survey 2024. The survey is now open. It's pretty intense.
Starting point is 00:18:37 Takes like 25 minutes. But if you want to complete it, contribute to sort of what editor is popular, what frameworks you're using do you like databases etc for this you may win a macbook pro 16 an envid g4 some phones and so on and so on a bunch of stuff everyone potentially coding the castle in october october 5 to 12th in tuscany still has some seats open so check that out at talkpython.fm slash castle. If you're interested, a week of half Python learning, half excursions in Tuscany. So check that out as well.
Starting point is 00:19:12 And that concludes my extra, extra, extra, hear all about it. So do you need somebody to help carry your equipment? Yeah, sure. I mean, I'm going to bring a MacBook Air. So that is pretty heavy. Would you like to help? Yeah, yeah. If you want to pay for my trip, I would definitely help you out. Yeah, awesome. I appreciate that.
Starting point is 00:19:31 It looks like fun. I'm excited to hear about that when you get back. Yeah, I am too. I figured we're doing a couple days of motorcycle riding, and there's some off-road enduro tours you can do there. It's pretty close, but I can link those together. Then I'll need help carrying like all the motorcycle gear that will like are you gonna try to check your motorcycle as a as a no you can rent you can rent motorcycles there okay yeah check it i'll just ship it ahead it'll it'll be there waiting for me yeah awesome how about your extras got anything um yeah so i
Starting point is 00:20:00 wanted to um let's see uh i i'm working a new PyTest course. So already on TalkPython training, there is the Getting Started with PyTest course. It is three and a half hours long. So it's kind of the, it's not, it's pretty quick, covers a lot of the basics of PyTest. I also have the complete PyTest course over on courses.pythontest.com. This little, I mean, the 162 lessons might freak people out. But a lot of the lessons, it's basically the entire Python testing with PyTest book. And a lot of the videos are chopped up into like three minutes, four minutes. As they should be.
Starting point is 00:20:37 Yeah. But I do notice that there's a gap. So the new course I'm working on is a really introduction to PyTest introduction to testing concepts. And this is, and I really want it to be something that somebody could really watch in half a day easy, or even just a little bit. And I'm targeting, I'm hoping to be under an hour to introduce a lot of these great concepts. And this would be intended for people for the entire team. Like my idea would be everybody on the team, including the manager, would take this little mini course. And then you'd have a couple experts, a couple people that want
Starting point is 00:21:16 to be the PyTest experts, take the complete course or something, or the one on TalkPython training to be more in-depth. And so I think there's a gap there for the little quick intro. So I'm working on that. That'll be fun. I agree with you, by the way. I do think there's probably a good gap there as well. Yeah.
Starting point is 00:21:35 Also, and I'm kind of wanting that from an internal for my own company of like, I don't think I can tell people to go watch an eight-hour video. I don't remember if it's eight hours or not, but it's well also, okay. I want to have people not freak out too much. It's split into three parts and you really, the intent of the entire book wasn't to read everything. It's to read the first part and then use the rest of it as resources as necessary. So same with the course. Okay. I've
Starting point is 00:22:02 got other stuff going on too. I've got a couple of these other couple of podcasts, Python people. I thought it was a great idea, but I just haven't had time. So it hasn't been updated since May. I'm just going to officially say it's kind of indefinitely on hold. I don't know what's going to happen with it, but I'm not working on it. Okay. And Python test, it was testing code and it's still like this still the little icon is still testing code and now it's python test for 14 episodes 14 out of 221 i'm gonna flip flop and probably switch back to testing code because there's a series i want to do about test driven development and it's really it's not it's language agnostic so it doesn't really make sense to have it be under the python banner and i probably i'm i can't i i want to say i promise to not switch it again but you know who knows um it's it's whatever so yeah that's those are my extras um i'll probably get back
Starting point is 00:22:58 to record i'm still roughing out the ideas for the series it'll probably come out in august or september excellent well very cool but that wasn't very funny though no it was not it was not good thing about podcasts if people subscribe to them and in a year later you're like all right i'm ready for more python people it'll just start showing up in their players again yeah and i'll talk you know follow python bytes we're we're not going to stop python bytes anytime uh well there's no plan on it so there's definitely no plan on it. All right. Let's get something a little bit funny.
Starting point is 00:23:28 Now, I know there's been a lot of talk about AI, although I'm frightened of being pile-drived. I don't know if people know this wrestling term, but it's disturbing. Anyway, I'm a little worried about it, but this is not helping you code with AI. This is just straight-up editor help that I also consider super important. It's entitled
Starting point is 00:23:46 I Need My Intellisense. Are you a fan of Scooby-Doo, Brian? Yeah. Did you watch Scooby-Doo, the cartoon growing up? So here's, what's the woman's name with reddish hair? Did I? I still catch up. I still keep up on all the Scooby-Doos. Awesome. So she has glasses and she lost them, obviously
Starting point is 00:24:02 like the picture. She's lost, I've lost my glasses in this like scary house or whatever. But the caption is my IntelliSense. I can't code without my IntelliSense. Oh, I relate. That's pretty funny. Yeah. Yeah.
Starting point is 00:24:17 Anyway, I thought that would resonate with some folks out there. Would I have to actually look up what the parameters are? That's just barbaric. It's totally barbaric and it's a segment of your mind that doesn't need to be filled with those details you just type and let it flow one of the things though that i um uh the all the pop-ups that happen to help you out like it's great except for if you like i'm i wish there was a toggle that i could just turn everything off or on because when i'm developing i I like those on, but when I'm recording a course or something, I don't want all those popping up
Starting point is 00:24:49 all the time. So do you turn them off for your courses and stuff? No, I have them on. I try, I try to show people like, look, here's your options. This is the one you pick out of the list. So yeah, I leave them on. Yeah. I don't want to lose my glasses. All right. Well, I'll try that. Indeed. All right. I think there's also ways you can just set the aggressiveness of it,
Starting point is 00:25:14 which I think sounds like something you might want, like in a serious way. So you can set it so if you just press a dot, boom, like the list comes up. Or you can set it so there's some other key, like control dot, or something you've got to like choose, which you wouldn't normally hit in the course of typing to trigger that kind of stuff. So look into that. Yeah. I think there's a delay too. You can say like, if I'm,
Starting point is 00:25:33 if I'm just going to start typing, don't pop that stuff up. Yeah. Yeah, indeed. Yeah. Anyway. Cool. All right. Well, thanks for another fun show. Thanks everyone for listening. Thank you. Bye. Bye.
