Python Bytes - #429 Nitpicking Python
Episode Date: April 21, 2025

Topics covered in this episode:
Huly
CVE Foundation formed to take over CVE program from MITRE
drawdb
14 Advanced Python Features
Extras
Joke

Watch on YouTube

About the show

Sponsored by Posit Workbench: pythonbytes.fm/workbench

Connect with the hosts
Michael: @mkennedy@fosstodon.org / @mkennedy.codes (bsky)
Brian: @brianokken@fosstodon.org / @brianokken.bsky.social
Show: @pythonbytes@fosstodon.org / @pythonbytes.fm (bsky)

Join us on YouTube at pythonbytes.fm/live to be part of the audience. Usually Monday at 10am PT. Older video versions available there too.

Finally, if you want an artisanal, hand-crafted digest of every week of the show notes in email form, add your name and email to our friends of the show list. We'll never share it.

Michael #1: Huly
All-in-One Project Management Platform (alternative to Linear, Jira, Slack, Notion, Motion)
If you're primarily interested in self-hosting Huly without the intention to modify or contribute to its development, please use huly-selfhost.
Manage your tasks efficiently with Huly's bidirectional GitHub synchronization. Use Huly as an advanced front-end for GitHub Issues and GitHub Projects.
Connect every element of your workflow to build a dynamic knowledge base.
Everything you need for productive team work: Team Planner • Project Management • Virtual Office • Chat • Documents • Inbox
Self hosting as a service: elest.io

Brian #2: CVE Foundation formed to take over CVE program from MITRE
Back story: CVE, global source of cybersecurity info, was hours from being cut by DHS
The 25-year-old CVE program, an essential part of global cybersecurity, is cited in nearly any discussion or response to a computer security issue.
CVE was at real risk of closure after its contract was set to expire on April 16.
The nonprofit MITRE runs CVE on a contract with the DHS.
A letter sent last Tuesday by Yosry Barsoum, vice president of MITRE, gave notice of the potential halt to operations.
Another possible victim of the current administration.
CVE Foundation Launched to Secure the Future of the CVE Program
CVE Board members have spent the past year developing a strategy to transition CVE to a dedicated, non-profit foundation.
The new CVE Foundation will focus solely on continuing the mission of delivering high-quality vulnerability identification and maintaining the integrity and availability of CVE data for defenders worldwide.
Over the coming days, the Foundation will release more information about its structure, transition planning, and opportunities for involvement from the broader community.

Michael #3: drawdb
Free and open source, simple, and intuitive database design editor, data-modeler, and SQL generator.
Great drag-drop relationship manager
Define your DB visually, export as SQL create scripts
Or import existing SQL to kickstart the diagramming.

Brian #4: 14 Advanced Python Features
Edward Li
Picking some favorites
1. Typing Overloads
2. Keyword-only and Positional-only Arguments
9. Python Nitpicks
For-else statements
Walrus operator
Short Circuit Evaluation
Operator Chaining

Extras
Michael: Thunderbird Send / other Firefox things.

Joke: Python Tariffs
Thanks wagenrace
Thanks Campfire Tales
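As an added example (mine, not code from the episode or from Edward Li's article), here are the Python features the show notes list above in one runnable file: typing overloads, positional-only and keyword-only arguments, and the for-else, walrus, short-circuit and operator-chaining nitpicks. Every function and variable name in it is an illustrative assumption.

```python
"""Added example, not from the show or from Edward Li's article: the Python
features called out in this episode, with illustrative names of my own.

- typing.overload: one implementation, two call shapes, two return types
- '/' and '*' in a signature: positional-only and keyword-only parameters
- for/else, the walrus operator, short-circuit evaluation, comparison chaining
"""
from __future__ import annotations

import re
from typing import overload


# --- 1. Typing overloads -------------------------------------------------
# The @overload stubs exist only for the type checker; the last, undecorated
# definition is the one that runs. A str comes back as a list of tokens and a
# list of tokens comes back joined into a single str, which is exactly the
# "different return type per input type" case the episode describes.
@overload
def tokens(data: str) -> list[str]: ...
@overload
def tokens(data: list[str]) -> str: ...


def tokens(data: str | list[str]) -> list[str] | str:
    if isinstance(data, str):
        return data.split()
    return " ".join(data)


# --- 2. Positional-only ('/') and keyword-only ('*') parameters ----------
# host and port must be passed positionally; everything after '*' must be
# named at the call site. connect("db", 5432, 2.0, False) is therefore a
# TypeError instead of a silently mis-ordered timeout / verify_tls pair.
def connect(host: str, port: int, /, *, timeout: float = 5.0,
            verify_tls: bool = True, retries: int = 3) -> dict:
    return {"host": host, "port": port, "timeout": timeout,
            "verify_tls": verify_tls, "retries": retries}


# --- 9. Nitpicks ----------------------------------------------------------
def first_expired(entries: list[dict], now: int) -> dict | None:
    """for/else instead of a 'found' flag: the else block runs only when the
    loop finished without hitting break (i.e. nothing matched)."""
    for entry in entries:
        if entry["expires"] < now:
            break
    else:
        return None
    return entry


PORT_RE = re.compile(r"\bport=(\d+)")


def parse_port(line: str) -> int | None:
    """Walrus + short circuit + chaining in one condition: the match object is
    bound inline, int() only runs if the regex matched (short circuit), and
    the range check reads small-to-big as 0 < port < 65536."""
    if (m := PORT_RE.search(line)) and 0 < (port := int(m.group(1))) < 65536:
        return port
    return None
```

Run it under a type checker as well as the interpreter: mypy or pyright will flag `tokens(3)` and `connect("db", 5432, 2.0)` before they ever reach the TypeError at runtime.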
Transcript
Hello and welcome to Python Bytes where we deliver Python news and headlines directly to your earbuds.
This is episode 429, recorded April 21st, 2025, and I am Brian Okken.
And I am Michael Kennedy.
And this episode is sponsored by the folks at Posit Workbench. Thank you Posit. Also,
if you listen to them later in the show, of course, if you'd like to connect with us,
please do so on Bluesky or Mastodon. We have all of those links in the show notes.
We love it.
Love to hear from you.
Love to hear new, new topics that you think we might want to cover.
And if you'd like to listen to us live, head on over to pythonbytes.fm/live, usually
Mondays at 10 Pacific time.
But you can also use that link just to, um, to find the YouTube channel to watch older
episodes too. And finally,
you don't need to write anything down while you're listening because we'll just send it to you.
So head on over to pythonbytes.fm,
join the mailing list or the newsletter list and you'll just get an email sent every week with all the links.
But it also has backup information of like, you know, what you need to know to understand the story.
So really nice.
And we don't use it for spamming or anything like that.
Michael, what do you got for us?
I might have a problem.
I, I like to self-host stuff too much.
It means I end up with things that I have to take care of rather than just have a login
somewhere, but I'm going to make a recommendation nonetheless.
So if you find yourself using Slack, I think even Zoom, maybe if you're using
Jira, if you're using Notion, and you would like that all in one place, rather
than a bunch of different apps that you pay for, for free, for open source,
self-hosted, or paid as hosted if you
really want to do it that way, there's a project or tool or platform, whatever,
called Huly. Huly, an open source platform that serves as an all-in-one
replacement for Linear, Jira, Slack and Notion. How cool is that? Okay, okay, so
maybe you want to have the place to do chat conversations, or you want to store your documents, or you want to do project management and sync it with your GitHub issues, or do planning.
So all of this stuff is super cool, I think, and even has video meetings.
So if you want to also get rid of Microsoft Teams or Zoom or whatever, it gives you a nice private way to do all that.
Right.
And I don't know.
It just, that really resonates with me as just like, here's this cool open source
thing that we can do and we can run it and we don't have to have all these
different services and I don't know.
I don't know about the others.
Honestly, don't know the pricing for Jira.
I've never paid for Jira, but Slack is out of control.
Like Slack is super expensive for what you get from it
and things like that.
And so having this with a bunch of dashboards
and it even has a nice self-hosting option.
So if you are a person who does Docker Compose, guess what?
You just docker compose up -d.
You have your whole platform running,
which I think is pretty excellent.
So that's how a lot of these self hosted things are shared and maintained.
So you don't even have to figure out how to put it into Docker.
It's already there and set up. So you just run it and you're good to go.
Just make sure you do backups. Pretty neat. I think this is pretty cool. Yeah.
And it also syncs both ways with GitHub. So if you've got GitHub issues,
it will sync with the issues,
and if you have GitHub projects,
it will sync with those projects.
So it's project management tools
and it's issue management,
like it's Jira replacement stuff,
is mirrored on GitHub,
so not everybody has to use it.
Like you can have internal people on this
and external people just perceiving it as GitHub.
I have GitHub issues.
I was just talking to my therapist
about it the other day.
Yes, indeed.
And John Other says, this is why I love the podcast.
Thanks for the Huly recommendation.
And loves self-hosting as much as I do.
So, awesome.
Thanks, John.
Holy self-hosting, Batman.
Anyway.
Holy self-hosting.
Indeed, yeah.
The problem is you can,
well, now I've got 12 apps to back up and maintain.
But it is super cool to be able to say, we don't have to worry about data privacy.
We don't have to worry about sharing things or if those places get hacked or if they change
their business model or if they go out of business, you know, you got a self-hosted
open source thing that you can fork and just run.
And there's something cool about that.
I wonder if anybody's got like, because this sounds great, but I don't really want to do that work.
So I wonder if there's a self-hosting as a service service.
I think there actually is. I'm forgetting the name of it right now. But yes, there basically is a self-hosting as a service. Yes.
It's amazing. Okay.
What an interesting idea. All right. That's it for this one.
Over to you.
Okay.
Well, I am going to talk about critical...
Oh, what are those called again?
CVEs, Common, I should have practiced this, Common Vulnerabilities and Exposures.
So CVEs, we're used to talking about these when there's like really wide scale attacks,
but they kind of happen all the time, like vulnerability
problems. And this propped up this last week rather urgently because the CVE system, the
entire system is sort of built on top of a not-for-profit called MITRE. And the entire system,
but there was a contract with the government,
the US government to maintain this database of CVEs.
However, and it's been around for 25 years,
it ran the risk of possibly going away
because of all of the cost cutting
that our current lovely administration is doing.
And so the-
It's a waste. It's a government waste, I tell you, Brian.
Like what? And it's not even like a lot of people involved in this are volunteers anyway.
That's just nuts. Anyway, so a 25-year-old CVE program ran the risk of going away. There was a letter that came out from
the vice president of MITRE that gave notice of a potential halt of operations. And apparently
they had been worried about this for some time. So there's this in order to deal with
this and possibly make sure that we don't have this risk in the future,
there is now a CVE Foundation. So there's been an announcement as of April 16th
that the CVE Foundation has been formally established to ensure long-term viability,
stability, and independence of the CVE program.
This is really cool.
It isn't something they just like suddenly did.
They've been thinking about it for a while and planning it.
And there's an announcement at thecvefoundation.org
and they're gonna release information about, you know,
the transition, what its structure is,
the transition planning opportunities for involvement later.
But right now there's just an announcement.
But this is pretty crazy that we would like run the risk
of losing this.
This is how we talk about vulnerabilities.
But apparently there was an announcement also,
I couldn't find the link to it,
that they did not lose funding.
So it's okay for
now, but it's still the for now part. So the foundation wants to
make sure that it's not a just for now. I still think it's
what's something that we should fund as a government but you
know, is what it is, I guess.
I think we should fund it. But also, I feel like maybe that
should be more of like, kind of in the style of
Python or Mozilla foundation or you know that it's tied to the US
government rather than just an international organization of people who are really
committed to tracking security issues. It doesn't take insane amounts of funding
to track these things, you know what I mean? Yeah, I have no idea what the work is involved for this, but...
Yeah, I don't know what the work is, but it's not like there's a lot of server infrastructure.
It's not running like AI forums or something, you know?
Yeah, and it probably... the funding probably should be coming from like all the ISPs and
big companies and stuff that are benefiting from this, but yeah.
I think so too, but hey, I'm not against the US government.
I'm glad they were doing it, but it just puts it
in a weird situation these days.
And Python became a CVE authority not too long ago,
the PSF, so they can announce their own CVEs
around things in the Python space
without going through an external, not convincing
some other participant to allow them to list their CVE for Python and so on.
So there's a bit of a distributed aspect of it.
Now before we jump on to thanking our sponsor, Brian, the thing that I was thinking of is
Elestio, E-L-E-S-T-I-O, and it says fully managed DevOps for your cloud and open source software.
And I've not used this. It's not a recommendation, but we, as in they deploy
and manage open source software to your cloud provider of choice. So, you know,
create a Hetzner server, point it out and then pick the various self-hosted
things that you want and they will self-host them there for you. I believe it's how it works.
Awesome. Self-hosting as a service. Who knew?
Who knew? Well, I guess you did. But we also have, we also have Posit doing pretty awesome stuff.
Why don't you tell them about it?
This portion of Python Bytes is brought to you by the folks at Posit. Posit has been making
huge investments in the Python community lately. Known originally for RStudio, they've been building
out a suite of tools
and services for Team Python.
Have you thought of all the things that go
into a Python data science project?
You need your notebook, or IDE
for sure, but you also need a server
or cloud environment to run it.
A version of Python, packages,
access to your databases, and internal
APIs. That's a lot to set up.
And if you change any of these things,
when you return to your project months down the road,
you might get different results.
Wouldn't it be nice to have all of this set up for you
in one easy to access place
whenever you want to get work done?
That's the goal of Posit Workbench.
Posit Workbench allows data scientists to code in Python
within their preferred development environment without any additional strain on IT.
It gives data scientists access to all the development environments they love, including
Jupyter Notebooks, JupyterLab, Positron, and VS Code.
And yet it helps ensure reproducibility.
Here's how it works.
You or your team set up Posit Workbench on a powerful, dedicated server within your organization
or on the same cloud service that is hosting your most important data sources, such as AWS, SageMaker,
Azure, GCP, Kubernetes, or pretty much anywhere.
There, you create dedicated, pre-configured environments to run your code and notebooks.
And importantly, you also configure access to proprietary databases and internal APIs.
When it's time to onboard a new data scientist
or start a new project, you just fire it up in Workbench,
and it's fully configured and ready to go,
including the infrastructure side things.
All of this is securely administered by your organization.
If you work on a data science team where consistency matters,
you owe it to yourself and your org to check out Posit Workbench.
Visit pythonbytes.fm slash workbench today
and get a three month free trial to see if it's a good fit.
That's pythonbytes.fm slash workbench.
The link is in your podcast player's show notes.
Thank you to Posit for supporting Python Bytes.
Indeed.
All right, you ready for the next one?
Yeah.
Database.
Database things.
So here's a really interesting free web app, I guess it is, that lets you draw and import
and export and visualize database diagrams.
So either you've got your own project or where I see this being super useful is you're put
onto a new project or you're a consultant and they're like, and welcome for the two weeks.
Here is the database and here's the app.
Please fix it by now.
And you're like, how do I even get started?
What is here?
Right.
So this thing called drawdb.app allows you to draw, copy, and paste database diagrams.
And if you go there, you can see there's really nice graphics, and the UI is quite nice for interacting with it.
So it says you can try this for yourself for free.
And what's interesting is it asks you to choose your database, as in like SQLite or Postgres or SQL Server or whatever, because it imports and exports SQL statements.
And those different databases
have different database SQL dialects,
which in and of itself is annoying.
But let's just say, I don't know, I'll do Postgres, right?
And you come in here, you can add a little table,
and you can then edit that thing,
give it a column, multiple columns, different data types,
and create a second one.
Then you can say, like, grab one column from one database, or one table rather, and then drag it and drop it in a
field on another, another column, and that'll create a foreign key relationship automatically,
for example. And you can go over and you can say file export SQL or import from SQL and that'll
generate the data definition language, DDL stuff, create scripts and create the indexes and columns.
Or if you've got a database, you can export it
and then load up this diagram based
on what was in your database.
And then visualize it, tweak it, save it,
or just try to understand it.
That's really cool.
Yeah.
And as far as I can tell, it's free.
I don't know.
Maybe there's some point where I pay for it.
But I don't think so.
So anyway, I think it's a great little app
and people should check it out
if they have databases they wanna visualize.
And you know, I'm usually starting with a drawing anyway.
They like drawing it on paper.
So why not just draw it in something like this and.
Exactly, cause then you could say,
generate my table from this.
Yeah, yeah, that's cool.
Neat, cool.
So not much more to it, but there it is.
All right, well, my last item is a, and I'm only going to cover
part of this, but it is a blog post by Edward Li called 14
advanced Python features. And, and you know, it's a listicle
sort of a thing, but there's a lot of those like advanced
Python features. And he even talks about this that are
really, really not that advanced. They're just stuff that people should know
and some fun things for, you know,
advanced for beginners, but not really.
But I kind of really like this
because there are things in this list
that I really wish I would have learned earlier.
And so anyway, I'll just jump in.
There's a few things I wanted to pick out. First off is typing overloads.
And this is something that I just learned while reading
this article, I didn't know you could do this. So within the
typing module, you can say from typing import overload, and, and
then one of the things you can do then is you can essentially
list overloaded operations, overloaded definitions for a function
call. And it's not really like full function overloading like we have in C or something
like that. However, there's return types. So let's say there's an example here that
if you only pass in a certain you pass in a certain type,
then you're always gonna get a list of strings.
And if you're passing in a different type,
then you always get a single string back.
Those sorts of things are nice to have
for typing or return types.
And that's something that we don't really have in Python.
You can't have a difference in just return type. So having that in place
is kind of neat. I'm going to play with this right away. So that's pretty cool. Overloading
functions with the typing. So I'll have to try that. Next up is something I've been using a lot
lately is keyword-only and positional-only arguments. And specifically, so we now have this star or slash that
you can separate the parameters of a function with, in the parameter definition. And the asterisk
or star means that everything after that is keyword-only parameters. And
then the slash is positional-only parameters, and that's everything before.
So it's a little, one of them's before
and one of them's after.
So in his example, he's got a, b, and then slash, c, d, star, e, f.
So that means A and B are positional only,
C and D can be positional or keyword
and then E and F have to be keyword only.
And the thing that I'm doing a lot is
why I'm using this keyword only one a lot
is for functions that have,
and these are all like not usually API functions,
but functions, internal functions
that have a lot of parameters that have defaults
and you would almost hardly ever pass it
like just positional only, because
the defaults are, it doesn't really matter the order, it's just they all have defaults
and there's a bunch of them. So I really want all the callers of that, every place we're
calling the function to list which variable or which parameter they're defining as they
call the function and you can do that with the asterisks. Super cool.
That's really cool.
Another thing that I think is really useful for that
is if it's the same,
a lot of times you're gonna give it like numbers
or true and false where you don't have a variable
that you're passing in, but you have just
some kind of constant.
Cause if it goes seven, seven, five, true, true, false,
you're like, whoa, whoa, whoa, what?
It's not like variable names
are there where, like, x, y, z, like, oh, those are the dimensions. No, it's just
go 7, 7, 5, like, hmm, which is which? You know what I mean? Especially true, true, false,
true, something like that. If you force keyword arguments on it,
then it's a much more readable thing at the call site. Yeah, things that are like
generic, like you're just adding things, it doesn't really matter. You know,
it doesn't really matter that the your ad function is a and B, but you know,
the for true and false, you really want, what, what do those mean? Um,
I like those. It's a good addition. Uh, last thing I want to come, uh,
come to is, um, there's a list of, uh, he said, uh,
number nine is Python nitpicks, which is really a few, uh,
a few topics around it, but it's listed as
a nitpick because it's a bummer when people aren't utilizing this.
So the for else statement, and this is, I think probably still controversial, is maybe
a little bit, is whether or not you should utilize the else clause in for statements. And, um, and kind of, you know,
it's like often before the else clause or without using it, you might have to say
like something that his example is like a found flag to say, you know, whether or
not you actually found the item you were looking for while you're iterating the
for loop. Um, and then you can check that later, but there's, there's the else.
You could just say, you know, there's else you could just say,
you know, if, if you didn't find if, if you never hit anything inside the, the for loop,
you can else out. It's, it's still a little weird though. I still find it very, very good
to make sure that you comment that to say what's what's going on in the else you're
using what you're doing in there. So, okay.
I'm anti else. I'm definitely anti else.
And by the way, Guido, uh, I heard him quoted at one point that said, if I had
to do it over again, there would be no else statement.
I think it's just weird.
It's like, does it happen when it breaks or does it happen when it doesn't break?
Like is break the thing you're looking for and else is the other, or is
a break something weird and it was supposed to go out?
Like, it's just, I don't know.
It just, I know you can save one line of code,
but it's too ambiguous to me.
It's too weird.
So else is what, else is if you didn't break, right?
I think so, yeah.
Anyway, I think so.
Anyway, it's, the fact that you got us,
like we got out of this discussion is like,
I don't know, it makes it so weird.
For me, I'm out.
I know there's, I could do it, but I don't do it.
Okay, also the walrus operator.
It's been around since 3.8, and 3.8 is already deprecated, or like end of life. So
we can definitely start using the walrus operator. Again, it's just saving one line of code, but like it...
How about a walrus? I'm a fan of walrus. I created the walrus operator this weekend, I believe. Okay, for me,
I like it because it's the locality of definition.
Like I'm creating it for this if block and I'm going to use it in this if block if I need it.
Otherwise, it's kind of like it's part of this thing,
not something that might make sense later down the line, probably.
For me, I like it.
Okay. A couple more short circuit evaluation.
I don't really care. I'm like, I'm,
I'm fine with, um, with a bunch of, if else is actually, if,
if that's all you can do, but, um, it was the short circuit,
which means using or utilizing or to say, um, uh,
if you're going to do one thing or the other or the other, you can use, or,
or short circuits. So once you hit one of them that's true,
anything after that's not gonna get ran.
And you can kinda go crazy with that though,
and actually put logic in there.
And I'm really not a fan of putting logic
in the short circuiting or operation, but that's just me.
But I am a fan of operator chaining.
And I often see this with people
coming from different languages.
They don't know you can do operator chaining. So I'll see like, if zero is
less than X and X is less than 10, you don't have to do that in Python. Just put them together and
say zero less than X less than 10. So operating chaining is right. But also, I think that we
should have been a little more strict with operator chaining. And, uh, I don't think it like you can put anything in there, right. Um,
but I don't think you should like for numbers, it should be less than you should not be doing
like greater than, uh, operator chaining. It's just weird. We, the number line is small to big,
I think. So please do that. That's, that's all I wanted to cover for that. But, um,
there's a bunch
of other great stuff in here. So definitely check out this this article. Here's here's the full list.
So LRU cache. Love it. Yeah, love it. F strings. Love it. Nitpicks. I have some nitpicks with that
statement. But you know what? It's fine. Good. Good. Good find there, Brian. All right. Well,
we're done with our main topics and I don't have any extras, Michael,
but do you have any extras? Well, I thought the answer was no, but it turns out to be yes. Okay.
Because something I just heard about right before was oh gosh assuming on this is all weird. So
there's remember I wrote this article that said unsolicited advice for mozilla or firefox or
something like that saying, you know what?
Stuff that you guys are doing is not leading you
in the right path.
And here are five ideas that you might try as a business
to exist down the line.
Please do that.
And so they're actually, I mean, I really doubt
they gave a crap about what I said,
but they are introducing this new suite of services.
How about that?
So Thunderbird, it all seems to be based around Thunderbird,
their email client, and Thundermail,
which is a really interesting term.
But they're offering Thunderbird appointment,
which is kind of like Calendly or TidyCal or whatever.
Thunderbird Send for private file sharing.
I used to love Firefox Send, but it got abused by hackers and other badness.
And so then it stopped working.
But you could put, just like, here's the URL,
here's the password.
The whole file just goes away in three days,
give it to someone, and then they could have it.
It was really great.
And so I'll end to end encrypt it,
all that kind of stuff.
Also, some AI thing, because of course there's an AI thing.
And then Thunderbird Mail, hosted Thunderbird Mail,
all that.
Anyway, I think this is a cool idea.
Thundermail.
Thunder, Thunderbird, oh.
So very cool.
That's all I got for my extra.
You can't spell mail without AI, sorry.
Well, I'll tell you what, that seems to be
what they think in their feature set.
Every mail client I find is like,
and now we have some terrible AI thing
that will just erase all your formatting, make you have to rewrite your mail if you try to use it.
But it's here and it's great. No.
Anyway, shall we?
You know Brian we try to make it not too political here, but I got a I got a political joke in a sense
Okay, awesome. Are you ready for it? Yeah. So this one came to us by many people.
So thank you to everyone who sent us this in.
Have you noticed, I don't watch the news a ton, but have you noticed that there's some
talks about tariffs lately?
Yeah.
I mean, look, I think genuinely it's fair to say like, let's discuss tariffs.
And if other countries have tariffs on us does it make
sense for us to not? I don't know whatever I think there's a debate that can be had but
the way that it's been done is so just chaotic and random and on and off again and so on
but somebody decided that if that's a good idea for a global trade boy oh boy wouldn't
that be a cool idea for Python and for program languages, and particularly
for these pesky external outside of the standard library
packages.
So I present to you tariff, a Python package
that imposes tariffs on Python import statements.
And no, it's not just a joke.
It's literally version 1.
It's not even 0.0 anymore.
And it is released on PyPI.
So you can literally pip install tariff.
What does it do?
Well, boom, fire, fist emoji, fire emoji, a little reference
back to Signal, the greatest, most tremendous Python package
that makes importing great again.
Tariff is a fantastic tool that lets
you impose import tariffs on Python packages.
We're going to bring manufacturing back
to your code base by making foreign imports more
expensive.
And so all you got to do is import it.
You set your rate on the different libraries,
like 50% tariff on NumPy, 200% tariff on Pandas, and so on.
And then when you import NumPy, it's literally 50% slower.
It takes 50% longer than before.
What do you think?
That'll teach him.
Yeah.
That'll teach him.
Yeah.
We're going straight back to self-hosted, vendoring it in.
But what's not is it works.
It's not just a weird joke idea, but somebody made it.
It's open source.
And the hat.
The hat.
The hat is good.
Why tariff, you may ask?
Because foreign packages have been stealing
our CPU cycles for too long.
It's time to put America first and make importing fair
and balanced again.
Obviously a parody package, use at your own risk.
It says in the GitHub logo.
Other people stealing our CPUs,
we need to steal our own CPUs.
Exactly.
That is how we're going to do it.
Yeah.
Well, that's what I got for you.
Is it funny?
I don't know, but I think it is certainly amusing.
It's not.
When I look at my 401k, it is not funny.
But gotta laugh.
You got to cry.
Those are one of your two reactions.
Might as well laugh.
Glad I like my job because I'm going to be here for a while.
Anyway, thanks for everything, Michael.
Thanks for the joke.
Thanks to everybody that shared them.
Like we said, a lot of people sent that in,
but that is not a waste.
That also gives us a signal that we
might want to cover it if a lot of people are thinking about it.
So thanks.
Yeah, thank you.
All right, bye.
Bye, Brian.
Bye, everyone.