Python Bytes - #483 Thanks Brian
Episode Date: June 9, 2026

Topics covered in this episode:
- Vulnerability and malware checks in uv
- HTTP GET requests with the Python standard library
- Millions of AI agents imperiled by critical vulnerability in open source package
- alembic-git-revisions
- Extras
- Joke

About the show
- Goodbye and Thanks Brian
- Thanks Calvin for being part of this and future episodes! Also new time for the live show.
- Thanks Brian for all the hard work over the years.

Calvin #1: Vulnerability and malware checks in uv
- Released just yesterday by Astral: https://astral.sh/blog/uv-audit
- uv audit scans dependencies for known vulnerabilities and abandoned packages via the OSV database — runs 4–10x faster than pip-audit
- Malware check runs on every install/sync, catching actively malicious packages (credential stealers, etc.) before they execute — including ones PyPI quarantined but lockfiles can still reference
- Enable malware scanning with UV_MALWARE_CHECK=1 — it's opt-in and in preview
- Future roadmap includes a resolver that steers toward vulnerability-free versions and install-time warnings scoped to newly added deps only

Michael #2: HTTP GET requests with the Python standard library
- If you’re doing HTTP in Python, you’re probably using one of three popular libraries: requests, httpx, or urllib3.
- There have been issues with httpx lately.
- Niquests is another option: drop-in replacement for Requests. Automatic HTTP/1.1, HTTP/2, and HTTP/3. WebSocket and SSE included.
- But maybe less is more, especially in the age of agentic AI.
- A good candidate needs two things to be true at once, not one: the used surface is small, and the behavior behind that surface is shallow.

Calvin #3: Millions of AI agents imperiled by critical vulnerability in open source package
- "BadHost" (CVE-2026-48710) is a critical vulnerability in Starlette — the ASGI framework underlying FastAPI — with 325 million weekly downloads; also affects vLLM, LiteLLM, and most MCP server tooling
- The exploit is trivial: injecting a single character into an HTTP Host header bypasses path-based authentication, and can lead to credential theft, SSRF, and in some cases remote code execution
- MCP servers are a prime target since they store credentials for external services (email, databases, cloud accounts) — exposed data in the wild includes biopharma clinical trial DBs, full mailboxes, HR/PII pipelines, and AWS topology
- Fix is available — patch to Starlette 1.0.1 immediately; use the free scanner at mcp-scan.nemesis.services to check if your servers are still running a vulnerable version
- Open source sustainability footnote: the maintainer triages near-daily security reports solo, in his free time — most are AI-generated noise, and real ones like this still compete for the same evenings and weekends

Michael #4: alembic-git-revisions
- By Julien Danjou from Mergify
- Automatic Alembic migration chaining based on git commit history.
- No more "Multiple head revisions are present for given argument 'head'".
- See the introductory article
- Caused by two migrations landing with the same down_revision, and Alembic doesn’t know which one comes first.
- The fix is always the same: someone manually edits the migration file to re-chain the revisions.
- The insight: git already knows the order

Extras

Calvin:
- GNU make can do pattern matching in the target. Not new at all, mentioned in the 1994-era docs. just and task don’t have this super power on the target name yet.

train-%:
	uv run ./train.py $* --save-hyper-params --overwrite $(TRAIN_ARGS)

Michael:
- Updated my HTTP client using packages from httpx to httpx2: listmonk, umami, and memberful. For motivation, see this reddit thread.

Joke: Accurate
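An added illustration for item #2 above, not code from the show or from the linked article: a stdlib-only GET facade over urllib.request. Because urllib.request also opens file: and ftp: URLs, the wrapper allow-lists http(s) on the first request and on every redirect hop and caps the body size; the names check_url, get and get_json, the 1 MiB cap and the loopback demo server are assumptions of this example.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # urllib would also open file:, ftp:, data:
MAX_BODY = 1024 * 1024               # assumed cap: refuse bodies over 1 MiB


class HttpError(Exception):
    """Non-2xx response; carries the status code for the caller."""
    def __init__(self, status, url):
        super().__init__(f"HTTP {status} for {url}")
        self.status = status


def check_url(url):
    """Reject anything that is not http(s) with a host part."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        raise ValueError(f"refusing URL: {url!r}")
    return url


class CheckedRedirects(urllib.request.HTTPRedirectHandler):
    """Apply the same URL policy to every redirect hop."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        check_url(newurl)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def make_opener(use_env_proxies=True):
    handlers = [CheckedRedirects()]
    if not use_env_proxies:
        handlers.append(urllib.request.ProxyHandler({}))  # ignore *_proxy vars
    return urllib.request.build_opener(*handlers)


def get(url, *, headers=None, timeout=10.0, opener=None):
    """GET url and return (status, body, charset); raises HttpError or ValueError."""
    req = urllib.request.Request(check_url(url), headers=headers or {}, method="GET")
    try:
        with (opener or make_opener()).open(req, timeout=timeout) as resp:
            body = resp.read(MAX_BODY + 1)
            if len(body) > MAX_BODY:
                raise ValueError("response body exceeds MAX_BODY")
            return resp.status, body, resp.headers.get_content_charset() or "utf-8"
    except urllib.error.HTTPError as exc:
        exc.close()
        raise HttpError(exc.code, url) from exc


def get_json(url, **kwargs):
    _, body, charset = get(url, **kwargs)
    return json.loads(body.decode(charset))


class DemoHandler(BaseHTTPRequestHandler):  # constructed loopback test server
    def do_GET(self):
        if self.path == "/redir":
            self.send_response(302)
            self.send_header("Location", "ftp://example.invalid/x")
            self.end_headers()
        elif self.path == "/ok":
            self.send_response(200)
            self.send_header("Content-Type", "application/json; charset=utf-8")
            self.end_headers()
            self.wfile.write(b'{"episode": 483}')
        else:
            self.send_error(404)

    def log_message(self, *args):  # keep the demo quiet
        pass


def run_demo():
    server = HTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    opener = make_opener(use_env_proxies=False)
    results = {"ok": get_json(base + "/ok", opener=opener)}
    cases = {"missing": base + "/missing", "redirect": base + "/redir", "file": "file:///etc/hosts"}
    for name, url in cases.items():
        try:
            get(url, opener=opener)
            results[name] = "allowed"
        except HttpError as exc:
            results[name] = f"http {exc.status}"
        except ValueError:
            results[name] = "refused"
    server.shutdown()
    server.server_close()
    return results


if __name__ == "__main__":
    print(run_demo())
```

The facade is synchronous only, which matches the limitation of the standard library discussed in the episode.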
Transcript
Hello and welcome to Python Bytes, where we deliver Python news and headlines directly to your earbuds.
This is episode 483 recorded June 9th, 26. I'm Michael Kennedy.
I'm Calvin Hendryx-Parker.
And this episode is brought to you by us, all of our things. We'll talk a little bit about that in the introduction.
But here in just a second, if you want to follow us on social media, we're on all the socials.
We'll have those in the show notes for you.
Sign up for the newsletter at pythonbytes.fm slash newsletter or just the domain, click on
newsletter. You always get a bunch of interesting things as well as some extra announcements for fun
stuff that we have going on. And with that, I actually, Calvin, have a pretty big announcement.
So I want to say thank you to Brian Okken. The big news is that Brian has stepped back from the show.
He's been working on it for almost 10 years, just a few months short of 10 years. That's,
that's a great run. That's an incredible run. That is an incredible run. Obviously, the world has
changed a lot over the last 10 years. And Brian just needs more time to focus on some of his other
projects, not stepping away from programming. He's not going to go become like an organic farmer
in Eastern Oregon. Forest Ranger. Exactly. You know what? I'm retiring from tech. That's it.
No, but he's moved on from the show. And I just want to take a moment and say, Brian, thank you very
much. You've made the show what it is over the years. And it's been great to work with you.
And it's been really, really awesome. And I know a lot of people in the audience are
going to miss you. Yeah, I agree. I've gotten to know Brian over the years as well, and I really
appreciate him being on the show and just being a part of the Python community. So I've, I've enjoyed
having Brian around as well. Not that he's not going to go away, but he's just not here right now.
Yeah, maybe we'll have him back as a current guest sometime. Yes, absolutely. So Brian,
thank you very much. And Calvin, welcome to the show. I'm glad to be here. I'm excited. This is
a new, the next generation of Python Bytes. Let's do it. Yeah, absolutely. The next generation
So I know you have your pulse on the industry in so many ways, and you have a ton to contribute.
And so we're going to work together on Python Bytes for a while.
And yeah, it's awesome.
So thanks for coming on the show.
It's really great to have you.
Thank you, Brian, for being here.
Calvin, welcome.
Normally, we just kick off the show.
Hey, I'm Brian and Michael or whatever.
But this time, at least you've been on this show before as well as Talk Python.
But just give people a real quick introduction, since you've kind of been new to
a lot of people. Sure, sure. So I'm Calvin Hendryx-Parker. I'm co-founder and CTO of Six Feet Up. We are a
Python agency that loves specializing and solving hard problems and helping impactful leaders,
you know, build a better world out there and do things to benefit humankind in some way.
I also am a co-founder of the IndyPy meetup here in Indianapolis, so very involved in the community.
I love going to PyCon and being around all the folks. So this definitely fits well with
like kind of my mission, which is to bring more to the Python
community if I can.
And you're also an AWS hero.
Is that right?
Oh, yeah, I am.
AWS heroes since 2018 or 2019, I think, yeah.
So it basically means AWS thinks I'm kind of a, I guess, a big deal.
I don't know.
He's a couple guy.
He's a big deal.
Yeah, yeah, right.
Yeah, there's only a few of them around the globe.
And it's kind of cool because you can't be an Amazon employee or employed by a
competitor.
And so it allows me to maintain my independence and a little bit of cloud agnosticness.
Yeah.
Awesome.
All right.
Well, with that, how about you kick off?
our first topic. Oh sure. I'd love to. So we've got just yesterday, the fine folks at
Astral have released some new features that are still in beta for checking for vulnerabilities
and also some malware checks. So for example, they've added the new audit subcommand.
So as you, this is not an unheard of thing in the community. There's existing tools like
it, for example, safety and pip-audit. What is different about uv offering this?
They have basically said that we have an opinion like they've done in other
other ways. Astral has basically said we have opinions about how things should be done.
And we're trying to optimize the developer experience workflow to make this not suffer from some of
the problems you get with like, for example, npm. When you do an npm install, you get this just
overload of warnings for deprecations. And so you just kind of start ignoring it and not paying
attention to it. The idea is to be explicit and call it when you want to have these kind of scans run.
So you could put it into a pre-commit hook. For example, you can obviously run it in your CI pipeline,
but it's meant for the developers to run locally as well.
And the add command and sync commands have been updated.
Well, optionally right now they're not enabled,
but if you enable the uv malware check,
the add and sync commands will proactively tell you
if you're adding a potential malware package to your project right now.
I actually tried it out today.
I actually love that.
Yeah, that's really cool.
I literally did it today because I was like,
oh, I should go check out my last FastAPI project
to make sure I'm up to date on things.
And I ran the uv audit, again, super fast,
as you would expect most of the tools from Astral to be.
And I had my Pi coding agent go and fix all the problems.
And I released a new prod release just this morning because of the uv audit tool.
It seems really, really nice.
I'm really excited about it.
Awesome.
I have been, I talked about it maybe six months ago or so.
A couple of security things you can do for the supply chain vulnerability.
Yeah.
It's just super scary, right?
Because you're just working normally on your project.
And if you time it wrong, well,
bad things happen. And they have happened to people, right? Yeah. Not in great numbers in the Python world,
but still enough, you know, some of the LLM tools I can think that were pretty, that was a pretty bad one.
Well, we're paying attention now. I think folks are hopefully paying more attention and tools like
this make it easier to pay attention and less friction to be safe. I think it's got options, for example,
not to install the latest version of a package. Maybe you want to like a cool off period to say,
I think that was already built in to uv, which is have a cool off period. And that's a smart thing to do.
You don't want the package that was released today because it might have a vulnerability from a supply chain attack in there.
And you want to make sure, usually in a few days, those are shook out.
And so grabbing a seven-day old version of it, probably the safe thing to do, for example.
Yeah, and that's what motivated me to start down that whole path of talking about those things.
I'm like, oh, they just shipped no earlier than whatever it was.
And so that was really excellent.
And then I started using pip-audit as well.
And even like shared how you bring that into like a Docker world.
And that's great.
I'm feeling like that needs to be for me updated to use uv audit instead of pip-audit,
which just because one of the things I see on the screen is 4 to 10 times faster,
everything else I'm doing with uv, but I just couldn't because it didn't support this, right?
There's an asterisk there.
pip-audit with a fully primed cache is probably about as fast.
But if you're going from a CI pipeline, you're going to get the 4 to 10x speed up.
So those are the, again, creature comforts that I believe the Astral folks have brought to the game.
They've just said, we're going to be opinionated.
This is how we're going to do it.
and we're going to make it better for everybody, hopefully.
So if you like those opinions, it's good for you.
If you had other opinions, well, this is probably better.
Yeah.
Yes, exactly.
So out in the audience, Mike, hey Mike, points out that this weekend's miasma,
Hades attack is timely.
Yeah.
I don't know about it, but okay.
Yeah.
If you had a CI pipeline running on the weekend and got that version over the weekend,
and these things always happen on a Friday late on a weekend because no one's looking,
that's exactly the timing that these kind of things.
happen. So make sure you got that cool off period in there. Yeah, exactly. So I made the mistake of
actually going on vacation for the weekend, and so I wasn't paying enough attention. So I got to research this.
Wait, you actually took a couple days off? Yeah. I sat by the ocean. It wasn't terrible.
Nice. All right. Let's talk about, I think this relates a little bit back to the supply chain,
but not necessarily in a vulnerability way. You also mentioned your Pi coding agent. We need to speak about
this a little bit. Yeah, we should. Yeah, absolutely. This is going to have to be one of your whole
topic sometime, but it seems to me like a lot of the projects that people depend upon have these
very shallow dependencies. And by that I mean, like, yeah, I'm sure I'm using this library that
lets me give, I don't know, a zip code and it gives me the state back or something like that,
right? But I only call the one function. You know what I mean? Would it be possible to just
have some kind of coding agent or even you just write that into your project instead of adding
maybe that dependency and three other dependencies that has, then you're worried about like cool down periods
and supply chain and just like, oh, this one only works on 314. This one only works or lower and this
other one only works in 315 and above. Like, what do I do? Yeah. You know, those kind of issues.
So I want to highlight this article called HTTP GET requests with the Python standard library by Alex
Chan. And so Alex basically says there's been all this stuff going on with HTTPX. I'm going to talk
about that at the end of the show a little bit more. But we've also got requests. We've got urllib.
We've got Niquests, N-I-Quests, which is a little bit like a modernized request compatible API.
But built into the library, we've got urllib.request. Could we just put the three or four
functions that we want to write, but turn that and just instead of having actually
HTTPX or requests, just have it use the built-ins, right? So build a little facade,
adapter layer on top of stuff that's already there. What do you think of that idea?
I think that's smart, kind of a little bit of shift left or first principles. Like, if you don't
need to bring along those whole packages, you don't bring along a lot of complexity. Frameworks are
nice when they solve, you know, they usually do like an 80% kind of problem. If you get a 10% kind of
problem, I wouldn't bring those kind of dependencies into your project. Because now you're,
you're on the treadmill. You got to keep up with the release cycles and security vulnerabilities,
et cetera, versus if you're controlling your own fate here for just a couple little things you need,
it's probably cleaner and more and more explicit than implicit. You're just not subject to have
to deal with all the stuff that goes with it, right? And like, put security aside, just the,
they released a new version or they decided they're going to do a breaking change and that's probably
worthwhile but then you've got to deal with the breaking change you know like if the thing you're
doing is not going to change really and it's pretty straightforward you could just ask Claude or Pi or
whatever's hey see this thing could you just give me the two functions i'm using uh if there if there's
enough foundational stuff in the standard library right so i think this is a pretty interesting thing
for people to think through i went i was going down this path i'm like this is pretty cool what if i
could just make i mean i think i use three functions from httpx what if i could do this for httpx
instead of the thing that they were based on,
how hard would that be with a little bit of Claude help, right?
And it turns out that the standard libraries,
HTTP call stuff, does not have any async support whatsoever.
I was going to ask if that was a thing.
No, it's not.
I'm like, wait, what are the use cases for async I/O?
Database, HTTP, you know, like API.
Hitting a network.
Hitting a network.
Like, wait.
It's got, it's, it's
had that since 3.4, I believe, was when async was in. And then async and await came in at 3.5.
Michael, you need to submit a PEP now. You know what? Very insightful thought. I actually wrote
Brett Cannon a message about this, said, hey, what would the steps to be actually submitting a PEP for this?
And he sent me back some stuff. And Brett, I haven't had it. Because I sent that message and went straight on vacation.
I haven't had a chance to respond. But it looks like there's some work to be done and research to be done.
But I do think that that's a totally reasonable thing.
And DB API itself also surely does not support async but should, you know.
Like I think there's a few really clear places.
Yeah, there's still some hard problems left in the Python core.
Yeah, we thought it was all done.
Yeah.
Yeah.
Although it is nice when you got like HTTPX2 and you can just drop in and replace.
Yep, exactly.
Yeah.
Nice.
Yeah.
Yeah.
We talked about that from the Pydantic folks.
Yeah.
Yeah.
Yeah.
Yeah.
Sounds good.
All right.
Over you, Calvin.
From next one.
So this one's a little bit of a double-edged
mixed bag. The BadHost vulnerability is a critical vulnerability in Starlette,
which is an ASGI framework that underlies a lot of very popular projects right now that are,
if you're doing MCP or if you're doing FastAPI, it basically is kind of a core layer for
that asynchronous HTTP traffic for building an API server. So this vulnerability was reported.
The community responded. There was a little bit of a back and forth. But I think the,
the exploit is trivial.
For example, injecting a single character into an HTTP Host header can bypass path-based
authentication.
Now, this is where this gets a little more interesting, is that maybe that's not a great
pattern for you to do, which is path-based authentication.
That was kind of the pushback from the Starlette maintainers, which is this is not really
an intended use case for Starlette.
It is a vulnerability.
It has been patched, has been fixed.
But I believe they got a little bit of a bum deal from the journalists who are covering it.
So actually, in addition to this post here, there's also the maintainer's perspective,
which I thought was a very interesting view into both sides of the situation.
Not often do you get to see when there's a vulnerability or a CVE announced that the maintainers
get to kind of post their response.
And I think they post their response because it's well written, well thought out, explaining
why this is probably not something that's common.
many people probably weren't as vulnerable as they thought they might be,
but it would affect some really major projects,
and if major projects were doing a pattern that was not originally intended
by the maintainers of Starlette, then you end up in this bad spot.
And it could end up in remote code execution as a worst-case scenario
or data exfiltration that you weren't expecting because of this,
but it probably wasn't the way you should be architecting your application.
They also got a little bit of a complaint against the Ars Technica reporter.
Basically they asked really demanding questions and wanted an immediate response.
That's back here down at the bottom, which was kind of rude.
They were very demanding, and they only gave them, I don't know, hours, maybe an hour or two
notice that they were going to publish this article on the website.
And the website went on, the Ars Technica website went on to say that they had contacted
the maintainers but hadn't heard back.
You know, there was no comment from the maintainers, which people can read into that
how they want.
So I'm glad that they did this.
Yeah, it sounds really bad.
Like Marcelo is just going to go,
I forget you, I have no comment, right?
Yeah, because these are open source maintainers who are doing this for the community.
They're not, they don't have a security team under the covers waiting to respond to journalists and security researchers.
I mean, they did work with the security researchers.
They did negotiate a shared disclosure or a mutual disclosure timeframe.
You know, this ended up for the best for everyone involved, except how he got portrayed.
Now, luckily, I think folks in the country,
comments stood up for Marcelo and the team. So I think people in the community understand,
but someone who's just coming to that article in Ars Technica might think they're wrong,
may think differently of that project. And I think they should read this article as a response
to that. Very interesting. I generally enjoy reading Dan Goodin's work and I like Ars Technica,
but that's a little. I was surprised. You can just see the incentives at play here. Like,
hey, you got to do an article this week or we got to be the first to publish on this. So.
Well, and I think because MCP servers
were the prime target. If you're running an MCP server, you were probably using a Starlette-based
framework under the covers. And so a lot of credentials are stored in there. And if they were
slop-coded, vibe-coded versions of those servers out there, they could have used a path-based
protection like this. Sure. And probably, I don't know how it links back to FastMCP, but I think
that's probably based on Starlette. That's what I was thinking, too. I didn't go double-check that,
though. Yeah. I'll leave that as an exercise to the audience. But I think it is. These open
source maintainers are getting near daily security reports, especially when you're seeing
projects like Mythos being released. I think this volume is only going to increase. So a lot of
it's AI generated noise, and they have to be able to deal with it. So you're seeing a lot of pushback
from the open source communities against AI pull requests and security posts. Absolutely. Yep.
We could go down that a lot, but let's instead, let's talk about merges. Merges. Let's talk about merging.
So are you an Alembic sort of person? Do you Alembic?
Do you SQLAlchemy is really the question.
I do actually on my, that FastAPI project that I was mentioning from this morning,
I have Alembic in there.
Okay, very interesting.
Yeah, I think FastAPI, sorry, I think SQLAlchemy is pretty neat.
And this project, you know, Julien Danjou also does this quite a bit at their,
so he is one of the founders of Mergify, which is all about making sure that merges, you know,
PRs are merged faster.
That's good advice right there.
Stop breaking main.
Exactly. Stop breaking main. It's a platform that allows you to handle merges better, right?
So, but one of the problems, there we go, one of the problems they ran into is the way Alembic.
So what is Alembic?
Alembic is a system that allows different developers in production or QA or whatever to have an older version of the database,
change the classes that map over to the ORM to the database, and then apply this automation to restructure or migrate
the database such that it's now consistent with this new world, right? And the way it works is every
change you make, you check in an up and a down set of changes, like add this column, delete this
column, right? And so on, you know, like the up would be add a column and then the down would be delete
the column. And there's this set of revisions that pile up for these projects. The problem is
each revision says the one that came before me was, you know, some hash. Yeah. Yeah.
or something another, right? And if you, if two people create a PR off of the same base and that PR needs a
migration in it, they both point back to the same one, but they really need to be done one and then the
other, right? Like you need a linear chain of migrations, not, not some kind of complex hierarchy
of migrations. And so that is a problem, right? And they saw that, Julien and all them saw that a lot
with their merging tools, right?
So this project here called alembic-git-revisions.
So instead of using a, when you run it, Alembic migrate or whatever, instead of having to just
capture the back version, what it uses is Git history to figure out the orders of when those
actual migrations landed in the migration series and say, well, they look like they pointed
the same one, but this one came in this time, and then the next one came in after that.
So is the blockchain craze officially over that they're?
they didn't use blockchain to solve this exactly i think we should use bit torrent and blockchain
right all these things so i yeah i think this is a pretty neat one so i just want to give it a
shout out so if you use it's smart it's totally smart why why we did not do this i know this is
quite new uh you can see it's it's it's been updated seven hours ago it's about a month old i know
four months old when the the repo was created i think probably it was released just very very recently
right so check it out if this sounds like it's a problem that that you have here's a
really nice fix for it. Yeah. I mean, just putting in place these good guardrails makes sense across
your project. So this, this almost should become the default behavior. Yeah. I mean, think of when,
how old is SQLAlchemy? It's pretty old. It's pretty old. And I don't mean that in a pejorative way.
I'm just thinking, no, no, no, it's mature. It's very mature. It's like saying, well,
Django, like, Django, you know, been around for a long time and it's doing awesome stuff.
But the reason I bring that up is it's just, Alembic was created in a time before all these
crazy PRs and think of all the AI PRs going on now as well it's got to be worse you know yeah so all right
so if you Alembic check out alembic-git-revisions from Julien and team smart you got any yeah yeah so
i think that's it for all of our topics right so yeah yeah i did want to add in a little bit of extra
here if you've not checked it out Library Skills it's by Sebastian from the FastAPI project
uh FastAPI has a great mc or a skill included with the library
So if you're using agentic tools to build on top of FastAPI, your tools will now know more about
the preferred best practices in that framework because those skills exist in the agents folder.
This library skills project is a standard and it allows you to build out skills for any library
you may be using.
If you've been using agentic AI, Claude Code or others, to build your software projects, sometimes
they grab old dependencies because that was the popular thing at the time.
They go based on what was kind of popular on the internet versus,
what's the best practice now?
And so this helps guide your agents to those best practices.
So it's a cool project.
It's very, very new and also has a lot,
he's already almost a 600 stars.
So maybe after this episode,
he'll get past 600 stars on the library skills repository.
Wow.
That's pretty cool.
This is super cool.
Well done, FastAPI team.
Yeah, I mean, they don't stop.
It's pretty cool.
So there you go.
Yeah, that's really cool.
And I think this is a brilliant idea.
I actually had been working,
on doing that just for myself.
Because this is absolutely a problem.
So I'm like, I work on Quart and Flask,
and I'm working on Pyramid, and I use diskcache.
And some of these are popular, like FastAPI,
but others not very popular at all.
So I've actually been every project that I adopt
that I think is going to be important for something
like Claude is I'll go through and I'll generate
this kind of document that says, here's all this stuff you need.
And the way that I get it is I will git clone the documentation,
the latest documentation from the project and the source code
and tell it you generate this from the documentation
and everything you see in the documentation
you need to verify with the active source code of the project, right?
But that's just Michael randomly working on it is on GitHub,
you can check it out, but that's it's cool
that they've set up this more standard way, right?
That's just not just everybody trying to solve it for themselves.
Yeah, and it makes sense.
You want to have good, authoritative information
on the versions of the things you're currently working on in your project
because you may have a version behind and the AI may tell you a new thing that doesn't exist in your version and you can't upgrade yet.
So again, it helps line up all the pieces and give you the best chance of building great software with these AI agents.
I wouldn't avoid a rant.
I definitely think that people who are not having great AI experiences need to think of like bringing some of these ideas in there and all of a sudden hallucinations like just go away.
Go away.
Yeah, it's incredible.
It's been told.
Yeah.
Yeah.
Mike asked, how does Django handle migration and serialization conflicts?
I don't know.
Do you have any idea?
I don't know either off top of my head.
I have not run into it much.
I'd have to ask someone on my team if they had.
Yeah.
Yeah.
It's probably pretty similar.
My guess is, yeah.
It's pretty mature.
I have one more extra.
Yeah, yeah.
So this one's a bit old school.
If you are a developer and you've ever used the GNU make command,
did you know that it has a pattern match
on the targets? So you can say train dash percent colon and then have a command that runs and it
will place into your command like whatever you put in that percent word. So if you said train new
model and then the command it would be like train.py and then you put a placeholder and it would
put new model right there into it for you. That has been there since 1994. Now there are fancy new tools
like just and task out there. They don't do this. This is actually I think a power move that I only heard
this week. So check it out. Make still very powerful and still very relevant in this day and age
for doing task running. We do use just and task, but those projects should add this pattern matching
to the target. That's really cool. Yeah, how interesting. There's just a never-ending source of
learning. Oh, I know. In all these things, right? You're like, oh, yeah, figure this out. No,
maybe not. And one more thing I want to mention because we didn't get to mention at the very
beginning for something I want to pitch for everyone to come out and hang out with me. I am going to be doing a
LinkedIn Live with Whitmore's from the 615 June 17th at 330 on oh right it's not a code
review oh you're right is not a code review but you know what AI proves and what it checked so basically
calling the a out we'll be doing that on the 17th so come hang out with me that day I mean wit
you're absolutely right that is not what it was supposed to do exactly try again yeah yeah that's
exactly it nice all right I got a couple extras first to jump on so I had recently I had both
Michael Chow and Rich Iannone on Talk Python to talk about Great Docs. Are you familiar with this?
I'm not familiar with Great Docs. It's a document generator plus static site generator. That's
super mature because it's based on Quarto, which itself is pretty mature, right? So I did my first
project documentation on top of this, and I think it is really neat. So this is just I'm showing you
the Great Docs documentation, but I haven't published mine yet.
I've got nginx settings to set first, and then they'll be up.
But this is really cool because the reason I wanted to highlight this is you're talking about
the library stuff and how libraries can basically set up skills that AIs can use to work without
library, right?
Yeah.
Well, one of the things that's really cool about Great Docs is it automatically generates skills
for your library.
Very relevant.
And you can even write extra ones.
And then you can just say install through like NPCS skills from wherever or run their
CLI to install it for like Claude or Codex or whatever, which is already neat.
It also generates an llms.txt.
But also a full one that has all the API documentation in there.
And when you go to like one of your references or whatever, you pull it up, you can go and view
every bit of documentation as a markdown file that you can give.
And so I'm thinking that this is going to become a pretty popular way to document projects.
Because it's without doing anything at all.
It's very sort of AI coding complete, I think you would say.
What do you think of that?
I love it.
I mean, the more context we can provide to these agents and tooling, the better off we are.
And actually, the nicer it is for humans, too.
I love markdown.
Reading markdown so much.
I find it to be very easy.
and I can then format it how I want.
So it's kind of a twofer there.
Yeah, 100%.
Yeah.
All right.
So you mentioned HTTPX2.
We talked about it previously on the show as well.
And I looked at the Talk Python Courses site.
I thought, man, could I switch to httpx2?
Like, technically, yes, but what is the value of it?
So I looked at my requirements file and I saw, well, there's five projects using httpx.
So if I just switch mine to httpx2, like still, I'm primarily using just httpx.
So like if the libraries themselves don't swap over,
no matter how much you don't, you want to use a different library,
you're still using that one, right?
Because you want to use those libraries.
So I went through as a well, let's walk the walk.
So I went through my listmonk one, my umami one, a memberful one.
And they all now are using httpx2.
So if anybody uses those and they want to use httpx2.
You'll now get httpx2.
Absolutely.
Absolutely.
Very nice.
Well, how about we close this episode out with a joke?
All right.
What do you got for me, Michael?
So I've named this one
accurate. Tell me what you think about these different classifications of types of like problem solving.
You know, maybe this is a CS sort of conversation. You know, we've got algorithms. This is when
programmers don't want to explain what they did. Okay. You'll get me every time with these kind of
jokes. We have a heuristic, which is very interesting, less common and less provable, but often
very interesting. The heuristic is when programmers can't explain what they did in the machine
learning when programmers don't know what they did very black box exactly and it won't do it again
but maybe it'll do something else also interesting i appreciate that yeah absolutely and i just also
mark about the audience just says much appreciation for Posit's open source contributions yeah so
Great Docs is from the folks from Posit um the Shiny and RStudio but they're also doing like
Shiny for Python lots of lots of python stuff these days yeah very nice all right well that is a wrap
Calvin that was fun thank you for being here awesome show with you we'll do it again we will
thanks michael yep bye everyone
