Python Bytes - #483 Thanks Brian

Episode Date: June 9, 2026

Topics covered in this episode:
- Vulnerability and malware checks in uv
- HTTP GET requests with the Python standard library
- Millions of AI agents imperiled by critical vulnerability in open source package
- alembic-git-revisions
- Extras
- Joke

Watch on YouTube

About the show

Goodbye and Thanks Brian
Thanks Calvin for being part of this and future episodes! Also new time for the live show.
Thanks Brian for all the hard work over the years.

Calvin #1: Vulnerability and malware checks in uv
Released just yesterday by Astral: https://astral.sh/blog/uv-audit
- uv audit scans dependencies for known vulnerabilities and abandoned packages via the OSV database; it runs 4–10x faster than pip-audit
- The malware check runs on every install/sync, catching actively malicious packages (credential stealers, etc.) before they execute, including ones PyPI has quarantined but that lockfiles can still reference
- Enable malware scanning with UV_MALWARE_CHECK=1; it is opt-in and in preview
- The future roadmap includes a resolver that steers toward vulnerability-free versions, and install-time warnings scoped to newly added deps only

Michael #2: HTTP GET requests with the Python standard library
- If you're doing HTTP in Python, you're probably using one of three popular libraries: requests, httpx, or urllib3.
- There have been issues with httpx lately.
- niquests is another option: a drop-in replacement for Requests with automatic HTTP/1.1, HTTP/2, and HTTP/3, plus WebSocket and SSE included.
- But maybe less is more, especially in the age of agentic AI.
- A good candidate needs two things to be true at once, not one: the used surface is small, and the behavior behind that surface is shallow.
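The facade that topic #2 argues for, as an added example (this is not code from Alex Chan's article nor from requests, httpx or niquests): one GET function and a small Response type over urllib.request, keeping the guard rails a drop-in replacement must not lose on the way down to the standard library. The scheme allowlist matters because urlopen will open file:// and data: URLs on attacker-chosen input; the timeout matters because urlopen has none by default; the byte cap stops an untrusted server from filling memory; and the redirect handler re-checks the scheme on every hop, since urllib's stock handler also follows redirects to ftp://. The names http_get, Response, url_is_allowed and read_capped, the User-Agent string and the loopback demo server in the main block are all assumptions of this example.

```python
"""GET over the standard library: one function, one small Response type,
and the checks a drop-in replacement for requests/httpx should not lose.
Example code; not from the article or any of the libraries it mentions."""
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Optional

ALLOWED_SCHEMES = frozenset({"http", "https"})
DEFAULT_TIMEOUT = 10.0                # seconds; urlopen waits forever by default
DEFAULT_MAX_BYTES = 10 * 1024 * 1024  # refuse bodies larger than this


def url_is_allowed(url: str) -> bool:
    """Only http(s) with a hostname. urllib.request also opens file:// and
    data: URLs, which a web client must never do on attacker-chosen input."""
    parts = urllib.parse.urlsplit(url)
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.hostname)


def read_capped(stream, max_bytes: int) -> bytes:
    """Read at most max_bytes from a file-like object; asking for one extra
    byte tells us the body is too large without buffering all of it."""
    data = stream.read(max_bytes + 1)
    if len(data) > max_bytes:
        raise ValueError(f"response body exceeds {max_bytes} bytes")
    return data


class _CheckedRedirects(urllib.request.HTTPRedirectHandler):
    """Re-run the scheme check on every redirect target. The stock handler
    follows 3xx to ftp:// as well as to http(s)://."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        if not url_is_allowed(newurl):
            raise urllib.error.HTTPError(newurl, code, "redirect to a disallowed URL", headers, fp)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


@dataclass
class Response:
    status: int
    headers: dict
    body: bytes

    @property
    def text(self) -> str:
        return self.body.decode("utf-8", errors="replace")

    def json(self):
        return json.loads(self.body)


def http_get(url: str, *, headers: Optional[dict] = None, timeout: float = DEFAULT_TIMEOUT,
             max_bytes: int = DEFAULT_MAX_BYTES) -> Response:
    """GET url and return the response, 4xx/5xx included (as requests does);
    raise only on bad URLs, oversize bodies or transport problems."""
    if not url_is_allowed(url):
        raise ValueError(f"refusing {url!r}: only http/https URLs with a host")
    req = urllib.request.Request(
        url, headers={"User-Agent": "stdlib-get/0.1", **(headers or {})}, method="GET")
    tls = ssl.create_default_context()  # verifies the chain and the hostname
    opener = urllib.request.build_opener(_CheckedRedirects, urllib.request.HTTPSHandler(context=tls))
    try:
        # timeout bounds each socket operation, not the whole exchange; the
        # byte cap is what bounds a slow-drip body.
        with opener.open(req, timeout=timeout) as resp:
            return Response(resp.status, dict(resp.headers), read_capped(resp, max_bytes))
    except urllib.error.HTTPError as err:
        return Response(err.code, dict(err.headers), read_capped(err, max_bytes))


if __name__ == "__main__":
    # Loopback demo against a throwaway stdlib server (constructed, no network).
    import threading
    from http.server import BaseHTTPRequestHandler, HTTPServer

    class _Ping(BaseHTTPRequestHandler):
        def do_GET(self):
            body = b'{"ok": true}'
            self.send_response(200)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the demo quiet
            pass

    srv = HTTPServer(("127.0.0.1", 0), _Ping)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    r = http_get(f"http://127.0.0.1:{srv.server_port}/ping")
    srv.shutdown()
    print(r.status, r.json())
```

What this deliberately does not do is as telling as what it does: no async (the standard library's HTTP client has none, as the transcript notes), no connection pooling, no retries. If the used surface is really three calls, that is the whole dependency; if it is not, that is the signal to keep the library.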
Calvin #3: Millions of AI agents imperiled by critical vulnerability in open source package
- "BadHost" (CVE-2026-48710) is a critical vulnerability in Starlette, the ASGI framework underlying FastAPI, with 325 million weekly downloads; it also affects vLLM, LiteLLM, and most MCP server tooling
- The exploit is trivial: injecting a single character into an HTTP Host header bypasses path-based authentication and can lead to credential theft, SSRF, and in some cases remote code execution
- MCP servers are a prime target since they store credentials for external services (email, databases, cloud accounts); exposed data in the wild includes biopharma clinical trial DBs, full mailboxes, HR/PII pipelines, and AWS topology
- A fix is available: patch to Starlette 1.0.1 immediately; use the free scanner at mcp-scan.nemesis.services to check whether your servers are still running a vulnerable version
- Open source sustainability footnote: the maintainer triages near-daily security reports solo, in his free time; most are AI-generated noise, and real ones like this still compete for the same evenings and weekends

Michael #4: alembic-git-revisions
- By Julien Danjou from Mergify
- Automatic Alembic migration chaining based on git commit history
- No more "Multiple head revisions are present for given argument 'head'"
- See the introductory article
- Caused by two migrations landing with the same down_revision, so Alembic doesn't know which one comes first. The fix is always the same: someone manually edits the migration file to re-chain the revisions.
- The insight: git already knows the order

Extras

Calvin:
- GNU make can do pattern matching in the target. Not new at all; it is mentioned in the 1994-era docs. just and task don't have this superpower on the target name yet.

  train-%:
  	uv run ./train.py $* --save-hyper-params --overwrite $(TRAIN_ARGS)

Michael:
- Updated my packages that use an HTTP client from httpx to httpx2: listmonk, umami, and memberful. For motivation, see this reddit thread.

Joke: Accurate
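The check a practitioner wants around topic #3, as an added example: strict Host-header validation as a framework-independent ASGI middleware. This is not Starlette's code and not the fix for CVE-2026-48710 (the fix is upgrading to Starlette 1.0.1; Starlette also ships its own TrustedHostMiddleware); it shows what refusing a malformed or untrusted Host looks like before any routing or path-based decision is made on it, which is defence in depth whatever version you run, and a reminder of the maintainers' point that path-based authentication is not an intended pattern. The header values in the test and main block are constructed samples of malformed input, not the exploit payload from the advisory; the names HostAllowlistMiddleware, parse_host, host_allowed and status_for are assumptions of this example.

```python
"""Strict Host-header allowlisting as a plain ASGI middleware.
Added example; not Starlette code and not the patch for the CVE above."""
import asyncio
import re
from typing import Iterable, Optional, Tuple

# A hostname is ASCII letters, digits, dots and hyphens only; an IPv6 literal
# is bracketed; a port is 1 to 5 decimal digits. Anything else is rejected.
_HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")
_IPV6_RE = re.compile(r"^\[[0-9A-Fa-f:.]{2,45}\]$")
_PORT_RE = re.compile(r"^[0-9]{1,5}$")


def parse_host(value: str) -> Tuple[str, Optional[int]]:
    """Split 'host[:port]' strictly; raise ValueError on anything that is not
    exactly a hostname or bracketed IPv6 literal plus an optional port."""
    if value.startswith("["):
        end = value.find("]")
        if end < 0:
            raise ValueError("unterminated IPv6 literal")
        host, rest = value[:end + 1], value[end + 1:]
        if not _IPV6_RE.match(host):
            raise ValueError("malformed IPv6 literal")
    else:
        host, sep, tail = value.partition(":")
        rest = sep + tail
        if not _HOSTNAME_RE.match(host):
            raise ValueError("malformed hostname")
    port = None
    if rest:  # rest starts with ':'; everything after it must be the port
        if not _PORT_RE.match(rest[1:]):
            raise ValueError("malformed port")
        port = int(rest[1:])
        if not 1 <= port <= 65535:
            raise ValueError("port out of range")
    return host.lower(), port


def host_allowed(host: str, allowed: Iterable[str]) -> bool:
    """Exact match, or '*.example.com' for any subdomain (not the apex)."""
    for pattern in allowed:
        pattern = pattern.lower()
        if host == pattern or (pattern.startswith("*.") and host.endswith(pattern[1:])):
            return True
    return False


async def _reply(send, status: int, body: bytes) -> None:
    await send({"type": "http.response.start", "status": status,
                "headers": [(b"content-type", b"text/plain"),
                            (b"content-length", str(len(body)).encode())]})
    await send({"type": "http.response.body", "body": body})


class HostAllowlistMiddleware:
    """Reject requests whose Host header is missing, duplicated, malformed or
    not on the allowlist, before the wrapped app ever sees them."""

    def __init__(self, app, allowed_hosts: Iterable[str]):
        self.app = app
        self.allowed = [h.lower() for h in allowed_hosts]

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":
            await self.app(scope, receive, send)
            return
        values = [v for k, v in scope.get("headers", []) if k == b"host"]
        ok = False
        if len(values) == 1:  # zero or two Host headers is itself a red flag
            try:
                host, _port = parse_host(values[0].decode("latin-1"))
                ok = host_allowed(host, self.allowed)
            except ValueError:
                ok = False
        if not ok:
            await _reply(send, 400, b"invalid or untrusted Host header")
            return
        await self.app(scope, receive, send)


def status_for(host_values, allowed=("api.example.com", "*.internal.example")) -> int:
    """Drive the middleware with a constructed ASGI scope and return the
    status it sent. The inner app answers 200 to anything it receives."""
    async def inner(scope, receive, send):
        await _reply(send, 200, b"ok")

    app = HostAllowlistMiddleware(inner, allowed)
    scope = {"type": "http", "method": "GET", "path": "/admin",
             "headers": [(b"host", v) for v in host_values]}
    sent = []

    async def send(message):
        sent.append(message)

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    asyncio.run(app(scope, receive, send))
    return sent[0]["status"]


if __name__ == "__main__":
    for raw in (b"api.example.com", b"API.example.com:8443", b"svc.internal.example",
                b"evil.example.org", b"api.example.com/", b"api.example.com@evil.example.org"):
        print(raw.decode(), "->", status_for([raw]))
```

Two design points worth keeping whatever framework you use: the parser is an allowlist of characters, not a denylist of the ones you happen to know are dangerous, and a Host header that is absent or present twice is rejected rather than "handled", because both are states a normal client never produces.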
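The re-chaining described under topic #4, as an added example of the idea rather than alembic-git-revisions' own code: given migrations whose `revision`/`down_revision` pairs form a branch (two children of the same parent), produce one linear chain in which existing parent-to-child edges are kept and siblings are ordered by when they landed. The real project takes that order from git commit history; here the caller supplies it as a mapping (the assumed `landing_order`, for instance a revision's index in `git log --reverse`), so the block runs without a repository. The names Migration, heads, rechain and down_revision_line and the sample history are assumptions of this example.

```python
"""Re-chaining Alembic migrations that share a down_revision into one linear
history, ordered by when each revision landed. Added example of the idea
behind alembic-git-revisions, not that project's code; it does not read git
itself, the caller passes the landing order in."""
import heapq
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Migration:
    revision: str
    down_revision: Optional[str]  # None marks the base of the history


def heads(migrations: Iterable[Migration]) -> Set[str]:
    """Revisions nothing else points at. Alembic refuses to run with more
    than one ('Multiple head revisions are present for given argument')."""
    migrations = list(migrations)
    parents = {m.down_revision for m in migrations}
    return {m.revision for m in migrations if m.revision not in parents}


def rechain(migrations: Iterable[Migration], landing_order: Dict[str, int]) -> List[Migration]:
    """Return the same revisions as a single chain. Every existing
    parent -> child edge is respected; whenever several revisions are
    eligible (siblings sharing a down_revision), the one that landed first
    goes first. landing_order maps revision -> position in git history
    (lower = earlier), the information git has and Alembic does not."""
    migrations = list(migrations)
    known = {m.revision for m in migrations}
    children: Dict[str, List[str]] = defaultdict(list)
    pending = {m.revision: 0 for m in migrations}  # unresolved parents per revision
    for m in migrations:
        if m.down_revision is None:
            continue
        if m.down_revision not in known:
            raise ValueError(f"{m.revision} points at unknown revision {m.down_revision}")
        children[m.down_revision].append(m.revision)
        pending[m.revision] += 1

    # Kahn's topological sort with a heap: among everything whose parents are
    # already placed, always take the revision that landed earliest.
    ready = [(landing_order[r], r) for r, n in pending.items() if n == 0]
    heapq.heapify(ready)
    ordered: List[str] = []
    while ready:
        _, rev = heapq.heappop(ready)
        ordered.append(rev)
        for child in children[rev]:
            pending[child] -= 1
            if pending[child] == 0:
                heapq.heappush(ready, (landing_order[child], child))
    if len(ordered) != len(migrations):
        raise ValueError("cycle in migration graph")

    chain: List[Migration] = []
    previous: Optional[str] = None
    for rev in ordered:
        chain.append(Migration(rev, previous))
        previous = rev
    return chain


def down_revision_line(m: Migration) -> str:
    """The assignment that would replace the one in m's migration file."""
    return f"down_revision = {m.down_revision!r}"


if __name__ == "__main__":
    # Constructed history: a1 and b1 both branch off base; a2 follows a1.
    history = [Migration("base", None), Migration("a1", "base"),
               Migration("b1", "base"), Migration("a2", "a1")]
    print("heads before:", heads(history))
    fixed = rechain(history, {"base": 0, "a1": 1, "a2": 2, "b1": 3})
    for m in fixed:
        print(m.revision, "<-", down_revision_line(m))
    print("heads after:", heads(fixed))
```

Note what the landing order changes: with a2 landing before b1 the chain is base, a1, a2, b1; with b1 landing in between it becomes base, a1, b1, a2. Both are valid (no child is ever placed before its parent), and both are the sequence that actually ran on main, which is exactly what the manual re-chaining edit is reconstructing by hand.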

Transcript
Starting point is 00:00:00 Hello and welcome to Python Bytes, where we deliver Python news and headlines directly to your earbuds. This is episode 483 recorded June 9th, '26. I'm Michael Kennedy. I'm Calvin Hendryx-Parker. And this episode is brought to you by us, all of our things. We'll talk a little bit about that in the introduction. But here in just a second, if you want to follow us on social media, we're on all the socials. We'll have those in the show notes for you. Sign up for the newsletter at pythonbytes.fm slash newsletter, or just the domain, click on newsletter. You always get a bunch of interesting things as well as some extra announcements for fun
Starting point is 00:00:34 stuff that we have going on. And with that, I actually, Calvin, have a pretty big announcement. So I want to say thank you to Brian Okken. The big news is that Brian has stepped back from the show. He's been working on it for almost 10 years, just a few months short of 10 years. That's, that's a great run. That's an incredible run. That is an incredible run. Obviously, the world has changed a lot over the last 10 years. And Brian just needs more time to focus on some of his other projects, not stepping away from programming. He's not going to go become like an organic farmer in Eastern Oregon. Forest Ranger. Exactly. You know what? I'm retiring from tech. That's it. No, but he's moved on from the show. And I just want to take a moment and say, Brian, thank you very
Starting point is 00:01:19 much. You've made the show what it is over the years. And it's been great to work with you. And it's been really, really awesome. And I know a lot of people in the audience are going to miss you. Yeah, I agree. I've gotten to know Brian over the years as well, and I really appreciate him being on the show and just being a part of the Python community. So I've, I've enjoyed having Brian around as well. Not that he's going to go away, but he's just not here right now. Yeah, maybe we'll have him back as a guest sometime. Yes, absolutely. So Brian, thank you very much. And Calvin, welcome to the show. I'm glad to be here. I'm excited. This is a new, the next generation of Python Bytes. Let's do it. Yeah, absolutely. The next generation
Starting point is 00:01:57 So I know you have your pulse on the industry in so many ways, and you have a ton to contribute. And so we're going to work together on Python Bytes for a while. And yeah, it's awesome. So thanks for coming on the show. It's really great to have you. Thank you, Brian, for being here. Calvin, welcome. Normally, we just kick off the show.
Starting point is 00:02:16 Hey, I'm Brian and Michael or whatever. But this time, at least you've been on this show before as well as Talk Python. But just give people a real quick introduction, since you're kind of new to a lot of people. Sure, sure. So I'm Calvin Hendryx-Parker. I'm co-founder and CTO of Six Feet Up. We are a Python agency that loves specializing in solving hard problems and helping impactful leaders, you know, build a better world out there and do things to benefit humankind in some way. I also am a co-founder of the IndyPy meetup here in Indianapolis, so very involved in the community. I love going to PyCon and being around all the folks. So this definitely fits well with
Starting point is 00:02:54 like kind of my mission, which is to bring more to the Python. community if I can. And you're also an AWS hero. Is that right? Oh, yeah, I am. AWS heroes since 2018 or 2019, I think, yeah. So it basically means AWS thinks I'm kind of a, I guess, a big deal. I don't know.
Starting point is 00:03:10 He's a couple guy. He's a big deal. Yeah, yeah, right. Yeah, there's only a few of them around the globe. And it's kind of cool because you can't be an Amazon employee or employed by a competitor. And so it allows me to maintain my independence and a little bit of cloud agnosticness. Yeah.
Starting point is 00:03:24 Awesome. All right. Well, with that, how about you kick off? our first topic. Oh sure. I'd love to. So we've got just yesterday, the fine folks at Astral have released some new features that are still in beta or checking for vulnerabilities and also some malware checks. So for example, they've added the new audit subcommand. So as you, this is not an unheard of thing in the community. There's existing tools like it, for example, safety and pip audit. What is different about UV offering this?
Starting point is 00:03:54 They have basically said that we have an opinion like they've done in other other ways. Astral has basically said we have opinions about how things should be done. And we're trying to optimize the developer experience workflow to make this not suffer from some the problems you get with like, for example, NPM. When you do an NPM install, you get this just overload of warnings for deprecations. And so you just kind of start ignoring it and not paying attention to it. The idea is to be explicit and call it when you want to have these kind of scans run. So you could put it into a pre-commit hook. For example, you can obviously run it in your CI Pipeline. but it's meant for the developers to run locally as well.
Starting point is 00:04:30 And the add command and sync commands have been updated. Well, optionally right now they're not enabled, but if you enable the UV malware check, the add and sync commands will proactively tell you if you're adding a potential malware package to your project right now. I actually tried it out today. I actually love that. Yeah, that's really cool.
Starting point is 00:04:49 I literally did it today because I was like, oh, I should go check out my last Fast API project to make sure I'm up to date on things. And I ran the UV Audit, again, super fast. as you would expect most of the tools from Astral to be. And I had my Pi coding agent go and fix all the problems. And I released a new prod release just this morning because of the UV audit tool. It seems really, really nice.
Starting point is 00:05:09 I'm really excited about it. Awesome. I have been, I talked about it maybe six months ago or so. A couple of security things you can do for the supply chain vulnerability. Yeah. It's just super scary, right? Because you're just working normally on your project. And if you time it wrong, well,
Starting point is 00:05:27 bad things happen. And they have happened to people, right? Yeah. Not in great numbers in the Python world, but still enough, you know, some of the LLM tools I can think that were pretty, that was a pretty bad one. Well, we're paying attention now. I think folks are hopefully paying more attention and tools like this make it easier to pay attention and less friction to be safe. I think it's got options, for example, not to install the latest version of a package. Maybe you want to like a cool off period to say, I think that was already built in to UV, which is have a cool off period. And that's a smart thing to do. You don't want the package that was released today because it might have a vulnerability from a supply chain attack in there. And you want to make sure, usually in a few days, those are shook out.
Starting point is 00:06:05 And so grabbing a seven-day old version of it, probably the safe thing to do, for example. Yeah, and that's what motivated me to start down that whole path of talking about those things. I'm like, oh, they just shipped no earlier than whatever it was. And so that was really excellent. And then I started using PIP audit as well. And even like shared how you bring that into like a Docker world. And that's great. I'm feeling like that needs to be for me updated to use UV audit instead of PIP audit,
Starting point is 00:06:31 which just because one of the things I see on the screen is 4 to 10 times faster, everything else I'm doing with UV, but I just couldn't because it didn't support this, right? There's an asterisk there. Pip audit with a fully prime cache is probably about as fast. But if you're going from a CI pipeline, you're going to get the 4 to 10x speed up. So those are the, again, creature comforts that I believe the astral folks have brought to the game. They've just said, we're going to be opinionated. This is how we're going to do it.
Starting point is 00:06:55 and we're going to make it better for everybody, hopefully. So if you like those opinions, it's good for you. If you had other opinions, well, this is probably better. Yeah. Yes, exactly. So out in the audience, Mike, hey Mike, points out that this weekend's miasma, Hades attack is timely. Yeah.
Starting point is 00:07:12 I don't know about it, but okay. Yeah. If you had a CI pipeline running on the weekend and got that version over the weekend, and these things always happen on a Friday late on a weekend because no one's looking, that's exactly the timing that these kind of things. happen. So make sure you got that cool off period in there. Yeah, exactly. So I made the mistake of actually going on vacation for the weekend, and so I wasn't paying enough attention. So I got to research this. Wait, you actually took a couple days off? Yeah. I sat by the ocean. It wasn't terrible.
Starting point is 00:07:41 Nice. All right. Let's talk about, I think this relates a little bit back to the supply chain, but not necessarily in a vulnerability way. You also mentioned your pie coding agent. We need to speak about this a little bit. Yeah, we should. Yeah, absolutely. This is going to have to be one of your whole topic sometime, but it seems to me like a lot of the projects that people depend upon have these very shallow dependencies. And by that I mean, like, yeah, I'm sure I'm using this library that lets me give, I don't know, a zip code and it gives me the state back or something like that, right? But I only call the one function. You know what I mean? Would it be possible to just have some kind of coding agent or even you just write that into your project instead of adding
Starting point is 00:08:27 maybe that dependency and three other dependencies that has, then you're worried about like cool down periods and supply chain and just like, oh, this one only works on 314. This one only works or lower and this other one only works in 315 and above. Like, what do I do? Yeah. You know, those kind of issues. So I want to highlight this article called HTTP get request with Python standard library by Alex Chan. And so Alex basically says there's been all this stuff going on with HTTPX. I'm going to talk about that at the end of the show a little bit more. But we've also got requests. We've got UroLib. We've got NIC-QEST, N-I-Quest, which is a little bit like a modernized request compatible API. But built into the library, we've got UROLIB requests. Could we just put the three or four
Starting point is 00:09:16 functions that we want to write, but turn that and just instead of having actually HTTPX or requests, just have it use the built-ins, right? So build a little facade, adapter layer on top of stuff that's already there. What do you think of that idea? I think that's smart, kind of a little bit of shift left or first principles. Like, if you don't need to bring along those whole packages, you don't bring along a lot of complexity. Frameworks are nice when they solve, you know, they usually do like an 80% kind of problem. If you get a 10% kind of problem, I wouldn't bring those kind of dependencies into your project. Because now you're, you're on the treadmill. You got to keep up with the release cycles and security vulnerabilities,
Starting point is 00:09:52 et cetera, versus if you're controlling your own fate here for just a couple little things you need, it's probably cleaner and more and more explicit than implicit. You're just not subject to have to deal with all the stuff that goes with it, right? And like, put security aside, just the, they released a new version or they decided they're going to do a breaking change and that's probably worthwhile but then you've got to deal with the breaking change you know like if the thing you're doing is not going to change really and it's pretty straightforward you could just ask clod or pie or whatever's hey see this thing could you just give me the two functions i'm using uh if there if there's enough foundational stuff in the standard library right so i think this is a pretty interesting thing
Starting point is 00:10:33 for people to think through i went i was going down this path i'm like this is pretty cool what if i could just make i mean i think i use three functions from htpx what if i could do this for hdpx instead of the thing that they were based on, how hard would that be with a little bit of Claude help, right? And it turns out that the standard libraries, HTTP call stuff, does not have any ASync support whatsoever. I was going to ask if that was a thing. No, it's not.
Starting point is 00:11:02 I'm like, wait, what are the use cases for ASync I.O? Database, HTTP, you know, like API. Hitting a network. Hitting a network. Like, wait. It's got, it's, it's, had that since 3.4, I believe, was when ASync was in. And then ASync and a wait came in at 3.5. Michael, you need to submit a pep now. You know what? Very insightful thought. I actually wrote
Starting point is 00:11:26 Brett Cannon a message about this, said, hey, what would the steps to be actually submitting a pep for this? And he sent me back some stuff. And Brett, I haven't had it. Because I sent that message and went straight on vacation. I haven't had a chance to respond. But it looks like there's some work to be done and research to be done. But I do think that that's a totally reasonable thing. And DB API itself also surely does not support async but should, you know. Like I think there's a few really clear places. Yeah, there's still some hard problems left in the Python core. Yeah, we thought it was all done.
Starting point is 00:11:56 Yeah. Yeah. Although it is nice when you got like HTTPX2 and you can just drop in and replace. Yep, exactly. Yeah. Nice. Yeah. Yeah.
Starting point is 00:12:03 We talked about that from the Pidaniac folks. Yeah. Yeah. Yeah. Yeah. Sounds good. All right. Over you, Calvin.
Starting point is 00:12:09 From next one. So this one's a little bit of a double. edged mixed bag. The bad host vulnerability is a critical vulnerability in Starlet, which is an ASCII framework underlies a lot of very popular projects right now that are, if you're doing MCP or if you're doing Fast API, it basically is kind of a core layer for that asynchronous HTTP traffic for building an API server. So this vulnerability was reported. The community responded. There was a little bit of a back and forth. But I think the, The exploit is trivial.
Starting point is 00:12:44 For example, injecting a single character into an HTTP host header can bypass path-based authentication. Now, this is where this gets a little more interesting, is that maybe that's not a great pattern for you to do, which is path-based authentication. That was kind of the pushback from the Starlet maintainers, which is this is not really an intended use case for Starlet. It is a vulnerability. It has been patched, has been fixed.
Starting point is 00:13:10 But I believe they got a little bit of a bum deal from the journalists who are covering it. So actually, in addition to this post here, there's also the maintainer's perspective, which I thought was a very interesting view into both sides of the situation. Not often do you get to see when there's a vulnerability or a CVE announced that the maintainers get to kind of post their response. And I think they post their response because it's well written, well thought out, explaining why this is probably not something that's common. many people probably weren't as vulnerable as they thought they might be,
Starting point is 00:13:41 but it would affect some really major projects, and if major projects were doing a pattern that was not originally intended by the maintainers of Starlet, then you end up in this bad spot. And it could end up in remote code execution as a worst-case scenario or data exfiltration that you weren't expecting because of this, but it probably wasn't the way you should be architecting your application. They also got a little bit of a complaint against the Ars-Technica reporter. basically they asked really demanding questions and wanted an immediate response.
Starting point is 00:14:11 That's back here down at the bottom, which was kind of rude. They were very demanding, and they only gave them, I don't know, hours, maybe an hour or two notice that they were going to publish this article on the website. And the website went on, the Ars Technical website went on to say that they had contacted the maintainers but hadn't heard back. You know, there was no comment from the maintainers, which people can read into that how they want. So I'm glad that they did this.
Starting point is 00:14:33 Yeah, it sounds really bad. Like Marcello is just going to go, I forget you, I have no comment, right? Yeah, because these are open source maintainers who are doing this for the community. They're not, they don't have a security team under the covers waiting to respond to journalists and security researchers. I mean, they did work with the security researchers. They did negotiate a shared disclosure or a mutual disclosure timeframe. You know, this ended up for the best for everyone involved, except how he got portrayed.
Starting point is 00:15:03 Now, luckily, I think folks in the country, comments stood up for Marcello and the team. So I think people in the community understand, but someone who's just coming to that article in Archechnica might think they're wrong, may think differently of that project. And I think they should read this article as a response to that. Very interesting. I generally enjoy reading Dan Gooden's work and I like Archtechnica, but that's a little. I was surprised. You can just see the incentives at play here. Like, hey, you got to do an article this week or we got to be the first to publish on this. So. Well, and I think because MCP servers,
Starting point is 00:15:34 were the prime target. If you're running an MCP server, you were probably using a Starlet-based framework under the covers. And so a lot of credentials are stored in there. And if they were slop-coded, vibe-coded versions of those servers out there, they could have used a path-based protection like this. Sure. And probably, I don't know how it links back to fast MCP, but I think that's probably based on startup. That's what I was thinking, too. I didn't go double-check that, though. Yeah. I'll leave that as a exercise to the audience. But I think it is. These open source maintainers are getting near daily security reports, especially when you're seeing projects like Mythos being released. I think this volume is only going to increase. So a lot of
Starting point is 00:16:14 it's AI generated noise, and they have to be able to deal with it. So you're seeing a lot of pushback from the open source communities against AI pull requests and security posts. Absolutely. Yep. We could go down that a lot, but let's instead, let's talk about merges. Merges. Let's talk about merging. So are you an Olympic sort of person? Do you Olympic? Do you, SQL alchemy is really the question. I do actually on my, that fast API project that I was mentioning from this morning, I have Olympic in there. Okay, very interesting.
Starting point is 00:16:43 Yeah, I think Fast API, sorry, I think Sika alchemy is pretty neat. And this project, you know, Julian Fianjo is also does this quite a bit at their, so he is one of the founders of Mergify, which is all about making sure that merges, you know, PRs are merged faster. That's good advice right there. Stop breaking Maine. Exactly. Stop breaking Maine. It's a platform that allows you to handle merges better, right? So, but one of the problems, there we go, one of the problems they ran into is the way Olympic.
Starting point is 00:17:15 So what is Olympic? Olympic is a system that allows different developers in production or Q&A or whatever to have an older version of the database, change the classes that map over to the ORM to the database, and then apply this automation to restructure or migrate the database such that it's now consistent with this new world, right? And the way it works is every change you make, you check in an up and a down set of changes, like add this column, delete this column, right? And so on, you know, like the up would be add a column and then the down would be delete the column. And there's this set of revisions that pile up for these projects. The problem is each revision says the one that came before me was, you know, some hash. Yeah. Yeah.
Starting point is 00:18:00 or something another, right? And if you, if two people create a PR off of the same base and that PR needs a migration in it, they both point back to the same one, but they really need to be done one and then the other, right? Like you need a linear chain of migrations, not, not some kind of complex hierarchy of migrations. And so that is a problem, right? And they saw that, Julian and all them saw that a lot with their merging tools, right? So this project here called Olympic Get Revisions. So instead of using a, when you run it, Olympic migrate or whatever, instead of having to just capture the back version, what it uses is Git history to figure out the orders of when those
Starting point is 00:18:44 actual migrations landed in the migration series and say, well, they look like they pointed the same one, but this one came in this time, and then the next one came in after that. So is the blockchain craze officially over that they're? they didn't use blockchain to solve this exactly i think we should use bit torrent and blockchain right all these things so i yeah i think this is a pretty neat one so i just want to give it a shout out so if you use it's smart it's totally smart why why we did not do this i know this is quite new uh you can see it's it's it's been updated seven hours ago it's about a month old i know four months old when the the repo was created i think probably it was released just very very recently
Starting point is 00:19:21 right so check it out if this sounds like it's a problem that that you have here's a really nice fix for it. Yeah. I mean, just putting in place these good guardrails makes sense across your project. So this, this almost should become the default behavior. Yeah. I mean, think of when, how old is sequel alchemy? It's pretty old. It's pretty old. And I don't mean that in a pejorative way. I'm just thinking, no, no, no, it's mature. It's very mature. It's like saying, well, Jay goes, like, Jay goes, you know, been around for a long time and it's doing awesome stuff. But the reason I bring that up is it's just, Olympic was created in a time before all these crazy PRs and think of all the AI PRs going on now as well it's got to be worse you know yeah so all right
Starting point is 00:20:00 so if you olympic check out an olympic get revisions from juliana team smart you got any yeah yeah so i think that's it for all of our topics right so yeah yeah i did want to add in a little bit of extra here if you've not checked it out library skills it's by sebastian from the fast api project uh fast api has a great mc or a skill included with the library so if you're you're you're a skill included with the library So if you're using agentic tools to build on top of Fast API, your tools will now know more about the preferred best practices in that framework because those skills exist in the agents folder. This library skills project is a standard and it allows you to build out skills for any library you may be using.
Starting point is 00:20:42 If you've been using Agentic AI cloud code or others to build your software projects, sometimes they grab old dependencies because that was the popular thing at the time. They go based on what was kind of popular on the internet versus, what's the best practice now? And so this helps guide your agents to those best practices. So it's a cool project. It's very, very new and also has a lot, he's already almost a 600 stars.
Starting point is 00:21:04 So maybe after this episode, he'll get past 600 stars on the library skills repository. Wow. That's pretty cool. This is super cool. Well done, Fast API team. Yeah, I mean, they don't stop. It's pretty cool.
Starting point is 00:21:17 So there you go. Yeah, that's really cool. And I think this is a brilliant idea. I actually had been working, on doing that just for myself. Because this is absolutely a problem. So I'm like, I work on court and flask, and I'm working on Pyramid, and I use disk cache.
Starting point is 00:21:34 And some of these are popular, like Fast API, but others not very popular at all. So I've actually been every project that I adopt that I think is going to be important for something like Claude is I'll go through and I'll generate this kind of document that says, here's all this stuff you need. And the way that I get it is I will get cloned the documentation. the latest documentation from the project and the source code
Starting point is 00:21:57 until it you generate this from the documentation and everything you see in the documentation you need to verify with the active source code of the project, right? But that's just Michael randomly working on it is on GitHub, you can check it out, but that's it's cool that they've set up this more standard way, right? That's just not just everybody trying to solve it for themselves. Yeah, and it makes sense.
Starting point is 00:22:16 You want to have good, authoritative information on the versions of the things you're currently working on in your project because you may have a version behind and the AI may tell you a new thing that doesn't exist in your version and you can't upgrade yet. So again, it helps line up all the pieces and give you the best chance of building great software with these AI agents. I wouldn't avoid a rant. I definitely think that people who are not having great AI experiences need to think of like bringing some of these ideas in there and all of a sudden hallucinations like just go away. Go away. Yeah, it's incredible.
Starting point is 00:22:49 It's been told. Yeah. Yeah. Mike asked, how does Django handle migration and serialization conflicts? I don't know. Do you have any idea? I don't know either off top of my head. I have not run into it much.
Starting point is 00:23:00 I'd have to ask someone on my team if they had. Yeah. Yeah. It's probably pretty similar. My guess is, yeah. It's pretty mature. I have one more extra. Yeah, yeah.
Starting point is 00:23:09 So this one's a bit old school. If you are a developer and you've ever used the Ganoo make command, did you know that it has a pattern-match? on the targets. So you can say train dash percent colon and then have a command that runs and it will place into your command like whatever you put in that percent word. So if you said train new model and then the command it would be like train dot pi and then you put a placeholder and it would put new model right there into it for you. That has been there since 1994. Now there are fancy new tools like just and task out there. They don't do this. This is actually I think a power move that I only heard
Starting point is 00:23:50 this week. So check it out. Make still very powerful and still very relevant in this day and age for doing task running. We do use Justin Task, but those projects should add this pattern matching to the target. That's really cool. Yeah, how interesting. There's just a never-ending source of learning. Oh, I know. In all these things, right? You're like, oh, yeah, figure this out. No, maybe not. And one more thing I want to mention because we didn't get to mention at the very beginning for something I want to pitch for everyone to come out and hang out with me. I am going to be doing a LinkedIn Live with Whitmore's from the 615 June 17th at 330 on oh right it's not a code review oh you're right is not a code review but you know what AI proves and what it checked so basically
Starting point is 00:24:32 calling the a out we'll be doing that on the 17th so come hang out with me that day I mean wit you're absolutely right that is not what it was supposed to do exactly try again yeah yeah that's exactly it nice all right I got a couple extras first to jump on so I had recently I had both Michael Chow and Rich Ione on Talk Python to talk about great docs. Are you familiar with this? I'm not familiar with great docs. It's a document generator plus static site generator. That's super mature because it's based on Cordo, which itself is pretty mature, right? So I did my first project documentation on top of this, and I think it is really neat. So this is just I'm showing you the Great Docs documentation, but I haven't published mine yet.
Starting point is 00:25:19 I've got IngenX settings to set first, and then they'll be up. But this is really cool because the reason I wanted to highlight this is you're talking about the library stuff and how libraries can basically set up skills that AIs can use to work without library, right? Yeah. Well, one of the things that's really cool about Great Docs is it automatically generates skills for your library. Very relevant.
Starting point is 00:25:43 And you can even write extra ones. And then you can just say install through like NPCS skills from wherever or run their CLI to install it for like Clod or Codex or whatever, which is already neat. It also generates an LLMs and an LLM.S.coms.com. But also a full one that has all the API documentation in there. And when you go to like one of your references or whatever, you pull it up, you can go and view every bit of documentation as a markdown file that you can give. And so I'm thinking that this is going to become a pretty popular way to document projects.
Starting point is 00:26:20 Because it's without doing anything at all. It's very sort of AI coding complete, I think you would say. What do you think of that? I love it. I mean, the more context we can provide to these agents and tooling, the better off we are. And actually, the nicer it is for humans, too. I love markdown. Reading markdown so much.
Starting point is 00:26:38 I find it to be very easy. and I can then format it how I want. So it's kind of a twofer there. Yeah, 100%. Yeah. All right. So you mentioned HTTPX2. We talked about it previously on the show as well.
Starting point is 00:26:50 And I looked at the Talk Python Courses site. I thought, man, could I switch to HBX2? Like, technically, yes, but what is the value of it? So I looked at my requirements file and I saw, well, there's five projects using HG to PX. So if I just switch mine to HBX2, like still, I'm primarily using just HVPX. So like if the libraries themselves don't swap over, no matter how much you don't, you want to use a different library, you're still using that one, right?
Starting point is 00:27:16 Because you want to use those libraries. So I went through as a well, let's walk the walk. So I went through my Lysmunk one, my Umami one, a memberful one. And they all now are using HPX2. So if anybody uses those and they want to use HPX2. You'll now get HPX2. Absolutely. Absolutely.
Starting point is 00:27:32 Very nice. Well, how about we close this episode out with a joke? All right. What do you got for me, Michael? So I've named this one. accurate. Tell me what you think about these different classifications of types of like problem solving. You know, maybe this is a CS sort of conversation. You know, we've got algorithms. This is when programmers don't want to explain what they did. Okay. You'll get me every time with these kind of
Starting point is 00:27:53 jokes. We have a heuristic, which is very interesting, less common and less provable, but often very interesting. The heuristic is when programmers can't explain what they did in the machine learning when programmers don't know what they did very black box exactly and it won't do it again but maybe it'll do something else also interesting i appreciate that yeah absolutely and i just also mark about the audience just says much appreciation reposits open source contributions yeah so great docs is from the folks from posit um the shiny and r studio but they're also doing like shining for python lots of lots of python stuff these days yeah very nice all right well that is a wrap Calvin that was fun thank you for being here awesome show with you we'll do it again we will
Starting point is 00:28:38 thanks michael yep bye everyone
