WEBVTT

00:00:00.001 --> 00:00:04.680
Every year, Python has a new major release. This year, it's Python 3.12, and it'll come out on

00:00:04.680 --> 00:00:11.320
October 2nd, 2023. That's four days from when this episode was published. There is quite a process

00:00:11.320 --> 00:00:16.460
involved to test build and ship Python across the many platforms and channels. We have Seth

00:00:16.460 --> 00:00:21.780
Michael Larson here to give us a detailed rundown on exactly what is involved in releasing CPython.

00:00:21.780 --> 00:00:27.120
This is Talk Python To Me, episode 431, recorded September 28th, 2023.

00:00:27.120 --> 00:00:27.460
I agree.

00:00:27.460 --> 00:00:44.200
Welcome to Talk Python To Me, a weekly podcast on Python. This is your host, Michael Kennedy.

00:00:44.200 --> 00:00:49.320
Follow me on Mastodon, where I'm @mkennedy, and follow the podcast using @talkpython,

00:00:49.320 --> 00:00:55.260
both on fosstodon.org. Be careful with impersonating accounts on other instances. There are many.

00:00:55.740 --> 00:01:00.320
Keep up with the show and listen to over seven years of past episodes at talkpython.fm.

00:01:00.320 --> 00:01:06.160
We've started streaming most of our episodes live on YouTube. Subscribe to our YouTube channel over

00:01:06.160 --> 00:01:11.920
at talkpython.fm/youtube to get notified about upcoming shows and be part of that episode.

00:01:11.920 --> 00:01:18.760
This episode is brought to you by JetBrains, who encourage you to get work done with PyCharm.

00:01:19.120 --> 00:01:25.660
Download your free trial of PyCharm Professional at talkpython.fm/done-with-pycharm.

00:01:25.660 --> 00:01:31.760
Hey there. Before we jump into talking about building CPython, I have a new course to tell you about.

00:01:31.760 --> 00:01:35.440
HTMX plus Django. Full web apps hold the JavaScript.

00:01:35.440 --> 00:01:39.320
This is an excellent new Django course written by Christopher Trudeau.

00:01:39.320 --> 00:01:43.420
In just a few hours, you'll learn how to make your app much more interactive,

00:01:43.880 --> 00:01:46.280
and the code even a little cleaner than pure Django.

00:01:46.280 --> 00:01:52.100
You may be familiar with our HTMX plus Flask course I released a while ago,

00:01:52.100 --> 00:01:54.720
and this one is its Django sister course.

00:01:54.720 --> 00:01:59.560
And it is out now at talkpython.fm/htmx-django.

00:01:59.560 --> 00:02:01.020
The link is in your show notes.

00:02:01.020 --> 00:02:06.080
If you use Django and have been wanting to adopt HTMX, you should definitely give this course a look.

00:02:06.480 --> 00:02:11.620
And a heartfelt thank you to everyone who has purchased one of our courses or library bundles.

00:02:11.620 --> 00:02:13.600
It truly makes this show possible.

00:02:13.600 --> 00:02:15.340
Now, on to that interview.

00:02:15.340 --> 00:02:17.380
Hey, all. Hey, Seth.

00:02:17.380 --> 00:02:17.840
Hello.

00:02:17.840 --> 00:02:20.700
Awesome to have you here on the show.

00:02:20.700 --> 00:02:22.040
Yeah, thanks for having me.

00:02:22.040 --> 00:02:28.280
Absolutely. I'm looking forward to talking about the details, the steps of releasing CPython.

00:02:28.640 --> 00:02:34.180
And for those of you who have not been watching and paying attention, by the time this comes out,

00:02:34.180 --> 00:02:35.420
it'll probably have already happened.

00:02:35.420 --> 00:02:37.100
I'm sure it's already happened.

00:02:37.100 --> 00:02:40.620
By the time this video is up, though, it's not quite happening.

00:02:40.620 --> 00:02:46.580
So as of the recording, next Monday, this whole process that we're going to talk about goes into action, right?

00:02:46.580 --> 00:02:48.200
Releasing Python 3.11.

00:02:48.200 --> 00:02:48.740
Yeah.

00:02:48.740 --> 00:02:50.220
This, not 3.12.

00:02:50.220 --> 00:02:51.400
This will have happened.

00:02:51.400 --> 00:02:52.320
3.12.

00:02:52.860 --> 00:02:53.960
I got to get used to it.

00:02:53.960 --> 00:02:58.180
It's like, you know, in January, you always write the year wrong.

00:02:58.180 --> 00:03:06.400
So 3.12, the new version, the still faster, faster CPython 3.12 with lots of cool features is going to be out.

00:03:06.400 --> 00:03:08.240
And how does that happen, right?

00:03:08.240 --> 00:03:10.800
There's a lot going on behind the scenes.

00:03:10.800 --> 00:03:16.900
And you wrote a really cool blog post called Visualizing the CPython Release Process or something like that.

00:03:16.900 --> 00:03:17.600
I'm going off memory.

00:03:17.600 --> 00:03:20.580
And it has a great diagram with a whole bunch of boxes.

00:03:20.580 --> 00:03:24.440
And so we're going to go through and kind of just talk about how that happens and so on.

00:03:24.440 --> 00:03:27.900
But before we get into it, maybe a quick intro for folks who don't know you yet.

00:03:27.900 --> 00:03:28.340
Yeah.

00:03:28.340 --> 00:03:30.600
So I'm Seth Larson.

00:03:30.600 --> 00:03:33.940
Online, everywhere, I am sethmlarson.

00:03:33.940 --> 00:03:34.620
That's my handle.

00:03:34.620 --> 00:03:41.060
And I am the security developer in residence at the Python Software Foundation, the inaugural security developer in residence.

00:03:41.060 --> 00:03:42.820
Hopefully for more, obviously.

00:03:42.820 --> 00:03:50.940
But yeah, this whole role is funded through the OpenSSF Alpha-Omega project specifically.

00:03:50.940 --> 00:03:59.240
And it's kind of a project that's focusing on Alpha being really, really important projects that everyone agrees, yep, that's a really important project to secure.

00:03:59.240 --> 00:04:01.340
So among them is Python and PyPI.

00:04:01.600 --> 00:04:04.360
And then Omega is kind of like the long tail, right?

00:04:04.360 --> 00:04:05.820
Like all the other projects.

00:04:05.820 --> 00:04:07.420
Because there's open source is huge.

00:04:07.420 --> 00:04:08.900
There's millions of different projects.

00:04:08.900 --> 00:04:10.660
How can we secure those?

00:04:10.660 --> 00:04:13.320
And so, yeah, this role exists because of them.

00:04:13.320 --> 00:04:14.040
So I'm very thankful.

00:04:14.040 --> 00:04:15.460
And it's mostly.

00:04:15.460 --> 00:04:16.340
As are we all.

00:04:16.340 --> 00:04:16.620
Right.

00:04:16.620 --> 00:04:17.600
Speaking for the community.

00:04:17.600 --> 00:04:18.660
This has been something.

00:04:18.660 --> 00:04:18.820
Yeah.

00:04:19.180 --> 00:04:22.720
There's been a lot of places where it's like, well, why doesn't someone take care of this?

00:04:22.720 --> 00:04:25.360
Like, well, there's nobody whose sole job it is.

00:04:25.360 --> 00:04:28.900
But like Python has been slowly rolling in these new roles, which is fantastic.

00:04:28.900 --> 00:04:31.580
Like Łukasz Langa as the developer in residence.

00:04:31.580 --> 00:04:33.260
You're the security developer in residence.

00:04:33.260 --> 00:04:36.700
We have Mike Fiedler, who I spoke to about PyPI security.

00:04:36.700 --> 00:04:38.640
Like there's people.

00:04:38.640 --> 00:04:40.260
There's developers working on stuff.

00:04:40.260 --> 00:04:40.680
It's awesome.

00:04:40.680 --> 00:04:42.040
There's something to be said.

00:04:42.040 --> 00:04:46.960
Like having someone working on stuff full time, like you can get a lot done.

00:04:47.320 --> 00:04:52.360
It's quite nice because we're so used to, you know, how the speed of open source.

00:04:52.360 --> 00:04:52.760
Right.

00:04:52.760 --> 00:04:53.360
Which is not.

00:04:53.360 --> 00:04:56.560
I guess when someone says the speed of open source, they don't immediately think, oh, yeah,

00:04:56.560 --> 00:04:59.600
that's going to be that's going to be fast and snappy because people have lives.

00:04:59.600 --> 00:05:00.060
Sometimes it is.

00:05:00.060 --> 00:05:00.320
Yeah.

00:05:00.320 --> 00:05:01.320
Well, sometimes it is.

00:05:01.320 --> 00:05:05.000
When things are brand new, they can have a lot of momentum.

00:05:05.000 --> 00:05:09.460
But, you know, my personal view is like on all these software projects, there's these

00:05:09.460 --> 00:05:12.700
little gnarly edges that are just fun for no one.

00:05:12.700 --> 00:05:13.120
Right.

00:05:13.120 --> 00:05:17.200
And like, I want to add this new feature or I want to add async to this thing so people can

00:05:17.200 --> 00:05:21.140
do this and like you can get so inspired, even if it's not your job and it's just your

00:05:21.140 --> 00:05:22.300
project and really go on it.

00:05:22.300 --> 00:05:28.300
But like, you know, really polishing out that little bit of documentation or or updating that

00:05:28.300 --> 00:05:28.520
detour.

00:05:28.520 --> 00:05:33.720
Like it's it's all the fine polish, I guess, that I think you all are bringing to

00:05:33.720 --> 00:05:34.880
Python, which is awesome.

00:05:34.880 --> 00:05:35.320
Yeah.

00:05:35.320 --> 00:05:36.320
There's tons of work.

00:05:36.320 --> 00:05:42.080
That's like it really does need that amount of time investment and like a sustained time

00:05:42.080 --> 00:05:42.460
investment.

00:05:42.460 --> 00:05:47.420
So like when you're working with external groups or like, you know, developing processes and

00:05:47.420 --> 00:05:51.260
stuff like that, like you just need you just need to be there a lot more than, you know,

00:05:51.260 --> 00:05:51.940
weekends.

00:05:52.400 --> 00:05:55.420
So it's good to have that full time presence.

00:05:55.420 --> 00:05:56.040
Yeah.

00:05:56.040 --> 00:05:56.660
Yeah.

00:05:56.660 --> 00:05:57.920
I think it is, too.

00:05:57.920 --> 00:06:02.400
Although it's absolutely mind blowing how much stuff gets done in traditional pure open

00:06:02.400 --> 00:06:02.700
source.

00:06:02.700 --> 00:06:03.880
It really is.

00:06:03.880 --> 00:06:06.120
Honestly, it gives a whole new perspective to it.

00:06:06.120 --> 00:06:06.340
Right.

00:06:06.340 --> 00:06:07.720
It's like, oh, yeah.

00:06:07.720 --> 00:06:09.280
You know, all of this is happening.

00:06:09.280 --> 00:06:15.460
But, you know, almost all of the people that I interact with on a day to day basis are volunteers.

00:06:16.080 --> 00:06:20.960
And so like I when I kind of wrote about this a little bit in my opening when I announced

00:06:20.960 --> 00:06:26.480
myself as a security developer in residence, but it's like you need to you can't have expectations

00:06:26.480 --> 00:06:28.280
and like assign people work.

00:06:28.280 --> 00:06:28.940
You know what I mean?

00:06:28.940 --> 00:06:32.680
Like this is not a traditional work environment where you can just tell people what to do.

00:06:32.680 --> 00:06:36.460
And, you know, it it's a certain way of working.

00:06:36.460 --> 00:06:39.960
And I'm used to it because I am an open source maintainer myself.

00:06:39.960 --> 00:06:43.380
So it makes a lot of sense to me and I feel very comfortable with it.

00:06:43.440 --> 00:06:46.700
But it's very different than a regular security developer job would be.

00:06:46.700 --> 00:06:48.640
Would you say fewer TPS reports?

00:06:48.640 --> 00:06:51.360
Yeah, a few fewer.

00:06:51.360 --> 00:06:51.880
Yeah, yeah.

00:06:51.880 --> 00:06:53.120
Just a couple fewer.

00:06:53.120 --> 00:06:57.340
Hey, you since you brought it up, maybe we'll come back to this if we have time at the end.

00:06:57.340 --> 00:07:01.140
But, you know, you've got some pretty notable projects that you're working on here.

00:07:01.140 --> 00:07:04.000
Like give a quick shout out to some of your open source work that predates.

00:07:04.000 --> 00:07:04.360
Yeah.

00:07:04.360 --> 00:07:10.080
So I am the lead maintainer of urllib3, which is one of the most downloaded Python packages

00:07:10.080 --> 00:07:10.600
on PyPI.

00:07:10.600 --> 00:07:12.920
I also help maintain requests.

00:07:13.220 --> 00:07:15.460
It's a user of urllib3.

00:07:15.460 --> 00:07:19.700
And then in addition to that, I have a library, which I quite love, which is called truststore,

00:07:19.700 --> 00:07:25.200
which is being adopted by a lot of package managers right now, like pip and Conda and PDM,

00:07:25.200 --> 00:07:33.400
which allows those packages to use system certificates as opposed to something like certifi

00:07:33.400 --> 00:07:42.140
so that you can take advantage of all of the benefits that you get for using a system trust store for HTTPS as opposed to like a static bundle of certificates.

00:07:42.140 --> 00:07:47.180
Because operating systems are actually constantly checking, updating all of these things.

00:07:47.180 --> 00:07:48.140
It's just a little bit better.

00:07:48.140 --> 00:07:53.760
Some certificate store or some certificate authority turns out to be shady and they get revoked and.

00:07:54.440 --> 00:07:58.040
Or just not have not have the best practices.

00:07:58.040 --> 00:08:01.180
And so, yeah, just like, OK, we're going to pull that one.

00:08:01.180 --> 00:08:02.440
But we're even pulling us.

00:08:02.440 --> 00:08:04.640
Yeah, they even get stolen.

00:08:04.640 --> 00:08:04.980
Right.

00:08:04.980 --> 00:08:06.700
Sometimes these certificates get stolen.

00:08:06.700 --> 00:08:07.780
They get stolen.

00:08:07.780 --> 00:08:10.740
You know, there's all sorts of things that can go wrong.

00:08:10.740 --> 00:08:12.640
Thankfully, it doesn't go wrong very often.

00:08:12.920 --> 00:08:14.820
Otherwise, it would be a lot bigger of a problem.

00:08:14.820 --> 00:08:17.080
But yeah, it does happen every once in a while.

00:08:17.080 --> 00:08:17.740
Yeah, that's cool.

00:08:17.740 --> 00:08:18.180
Yeah.

00:08:18.180 --> 00:08:23.280
And you were on Python Bytes, my other podcast I do with Brian, to talk about truststore, which is cool.

00:08:23.280 --> 00:08:23.820
All right.

00:08:23.820 --> 00:08:24.460
Back to this.

00:08:24.460 --> 00:08:29.020
So tell us a bit about this developer, security developer in residence role.

00:08:29.020 --> 00:08:33.160
Like people were like, oh, this maybe they've heard of it or is maybe even new to them.

00:08:33.160 --> 00:08:37.220
But like, what is your what is your job here in the PSF space?

00:08:37.220 --> 00:08:44.840
Yeah, it's it's it's kind of funny talking about my role, too, because people see security through so many different lenses.

00:08:44.840 --> 00:08:48.900
And this is even like outside of talking to people online that are in the open source space.

00:08:48.900 --> 00:08:54.580
So whenever I talk about this job, people will say, oh, so you do IT security for the PSF.

00:08:54.580 --> 00:08:55.780
I'm like, well, no, I don't do that.

00:08:55.780 --> 00:08:57.720
And then they'll say, oh, so you secure.

00:08:57.720 --> 00:08:59.120
Yeah, right.

00:08:59.120 --> 00:08:59.900
I'm in.

00:08:59.900 --> 00:09:00.980
No, no, no.

00:09:00.980 --> 00:09:02.760
So I don't do that.

00:09:02.760 --> 00:09:04.420
I don't do IT security for the PSF.

00:09:04.420 --> 00:09:13.840
And then the next question they usually ask is like, oh, so you make it so that Python is more secure, like the code of Python is more secure.

00:09:13.840 --> 00:09:16.040
And I'm like, not really.

00:09:16.040 --> 00:09:17.400
Honestly, I don't do that either.

00:09:17.400 --> 00:09:24.780
And what I really do is try my best to make it so that bad stuff doesn't happen to Python users.

00:09:24.780 --> 00:09:30.940
And so, you know, obviously those things are important, like securing Python, the actual code itself.

00:09:30.940 --> 00:09:42.420
But on like the scale factor, maybe those are a little bit less important than some things like making sure that when you download something from Python.org, it is the correct thing.

00:09:42.420 --> 00:09:42.660
Right.

00:09:42.660 --> 00:09:51.280
Making sure that when a release is happening for Python, nothing can subvert that release and get injected in and then distributed to everyone.

00:09:51.660 --> 00:09:55.320
And then it goes beyond Python when you start thinking about like the packaging space.

00:09:55.320 --> 00:10:05.980
So like making sure that pip's release process is good, making sure that all of these like tools and stuff that are using all of these binary libraries.

00:10:06.360 --> 00:10:11.680
How can you be sure that those libraries that are bundled along with them don't have vulnerabilities?

00:10:11.680 --> 00:10:13.960
And then a lot of things around like process.

00:10:13.960 --> 00:10:23.740
So vulnerability management and making sure that, you know, vulnerabilities that are discovered in Python and reported to us, they actually get to the end of the process where they're fixed and released.

00:10:24.220 --> 00:10:36.480
There's just a whole bunch of things like that where it's more of like a scale and safety and like making sure that my effort goes towards things that are going to keep on churning as opposed to things that are like spot fixes.

00:10:36.480 --> 00:10:36.860
Right.

00:10:36.860 --> 00:10:37.620
Because sure.

00:10:37.620 --> 00:10:45.680
Spot fixes, they're important, but they don't have the scale and they don't have that like keep on giving you the value aspect of them.

00:10:45.680 --> 00:10:46.080
Yeah.

00:10:46.080 --> 00:10:51.620
And the consequence of a lot of what you described sounds like supply chain type issues.

00:10:51.620 --> 00:10:54.000
The consequence of that is so bad.

00:10:54.120 --> 00:10:58.780
It doesn't matter how patched your computer is or how good your firewall is.

00:10:58.780 --> 00:11:01.680
If CPython itself ships with a virus.

00:11:01.680 --> 00:11:02.240
Right.

00:11:02.240 --> 00:11:02.700
Right.

00:11:02.700 --> 00:11:03.160
Yeah.

00:11:03.160 --> 00:11:05.200
Or somebody snuck it in right at the build.

00:11:05.200 --> 00:11:05.540
Yeah.

00:11:05.540 --> 00:11:05.980
Yeah.

00:11:05.980 --> 00:11:06.180
Right.

00:11:06.180 --> 00:11:06.380
Right.

00:11:06.380 --> 00:11:06.600
Right.

00:11:06.600 --> 00:11:09.100
And so it's good that you focus on those.

00:11:09.100 --> 00:11:10.040
Nobody wants that.

00:11:10.040 --> 00:11:11.540
Well, almost nobody wants that.

00:11:11.540 --> 00:11:13.060
Very few people want this.

00:11:13.060 --> 00:11:14.640
So those are not good people.

00:11:14.640 --> 00:11:15.760
We don't want them to want this.

00:11:15.760 --> 00:11:16.600
We don't.

00:11:16.600 --> 00:11:19.720
We don't take them into consideration for their use cases.

00:11:19.720 --> 00:11:21.160
We sure don't.

00:11:21.160 --> 00:11:21.680
Awesome.

00:11:21.680 --> 00:11:23.160
And let's see.

00:11:23.300 --> 00:11:24.080
I believe you're on.

00:11:24.080 --> 00:11:26.080
Well, when I read the article, you're on week nine.

00:11:26.080 --> 00:11:27.060
So you're on week 10.

00:11:27.060 --> 00:11:28.340
Is that where we are?

00:11:28.340 --> 00:11:30.440
I think I'm on week 12 at this point.

00:11:30.440 --> 00:11:30.960
Oh, man.

00:11:30.960 --> 00:11:31.520
Time flies.

00:11:31.520 --> 00:11:31.820
Yeah.

00:11:31.820 --> 00:11:32.240
I know.

00:11:32.240 --> 00:11:35.180
I'm actually drafting up like a quarterly review.

00:11:35.180 --> 00:11:36.900
And it's a big thing.

00:11:36.900 --> 00:11:37.600
So, yeah.

00:11:37.760 --> 00:11:38.000
Okay.

00:11:38.000 --> 00:11:40.900
See, a quick question from the audience here on the live stream.

00:11:40.900 --> 00:11:47.400
You know, Lewis asks, is there a visibility or will there be a public visibility for CVEs in packages?

00:11:47.400 --> 00:11:49.400
That is an excellent question.

00:11:49.400 --> 00:11:50.360
It is a good question.

00:11:50.360 --> 00:11:56.280
And I bring this up because didn't the PSF just get certified as like a CVE authority or whatever that is?

00:11:56.280 --> 00:11:57.520
Like ability to create CVEs?

00:11:57.520 --> 00:11:58.100
I don't know.

00:11:58.220 --> 00:12:00.080
Yeah, I can I can talk so much about this.

00:12:00.080 --> 00:12:00.300
Right.

00:12:00.300 --> 00:12:03.520
So there there's a whole bunch of stuff happening in that space.

00:12:03.520 --> 00:12:21.980
So I'll start off with stuff that I did not personally do, but I'm helping maintain now, which is there is an advisory database. If you go on GitHub, it's github.com/pypa/advisory-database.

00:12:21.980 --> 00:12:35.640
And that database is essentially trying to categorize all of the CVEs and what versions they affect for every single package on the Python package index, which is an impossible task.

00:12:35.640 --> 00:12:37.140
But so we're trying our best there.

00:12:37.140 --> 00:12:40.460
But yeah, so one of the packages, no problem.

00:12:40.460 --> 00:12:41.220
No problem.

00:12:41.220 --> 00:12:41.400
Right.

00:12:41.400 --> 00:12:43.220
Like that's a that's a manual task right there.

00:12:43.220 --> 00:12:43.860
Yeah.

00:12:43.860 --> 00:12:44.120
No.

00:12:44.120 --> 00:12:51.880
So what this actually does is for the bulk of it, what it will do is it'll go out and it'll pull the CVE feed from NVD and MITRE.

00:12:51.880 --> 00:13:00.060
And it will parse it and try to find references to Python packages and versions inside of CVEs.

00:13:00.060 --> 00:13:04.780
So obviously that's sometimes there's false positives, but a lot of the times there's just it just works out OK.

00:13:04.780 --> 00:13:07.060
And there's a little bit of triage involved.

00:13:07.060 --> 00:13:09.440
There's a little bit of manual submission of this, too.

00:13:09.440 --> 00:13:21.860
But yeah, so tools like pip-audit, which is a tool that I love so much, use this database, in addition to other scanning tools; like any scanning tool can use this database.

00:13:21.860 --> 00:13:26.880
But yeah, this is the canonical location for vulnerabilities affecting Python packages.

00:13:27.040 --> 00:13:43.800
So for Python itself, the Python Software Foundation just recently, like a few weeks ago, announced that we are now a CVE numbering authority, which means that we are we kind of have like a scope of just Python and pip right now.

00:13:44.000 --> 00:13:46.440
So those are the only two projects that we're emitting CVEs for.

00:13:46.440 --> 00:13:55.920
And what that means we can do is it means that people have to submit reports to us, which is good because then they can't submit them to other places and get CVEs that way.

00:13:55.920 --> 00:13:58.760
It can be kind of frustrating because in the past, sometimes that would happen.

00:13:58.760 --> 00:14:02.100
And then we wouldn't know about the vulnerability until it got published as a CVE.

00:14:02.100 --> 00:14:03.560
And we'd be like, what just happened?

00:14:03.560 --> 00:14:13.640
Like one of the big deals is you're supposed to be told in an ideal world, you're supposed to be given like a come knock in the back door like that WebP code.

00:14:13.860 --> 00:14:16.080
We're going to need to talk about the WebP code before.

00:14:16.080 --> 00:14:16.460
Yeah.

00:14:16.460 --> 00:14:17.020
Oh, gosh.

00:14:17.020 --> 00:14:18.100
Don't get me started on WebP.

00:14:18.100 --> 00:14:19.280
Don't get me started on WebP.

00:14:19.280 --> 00:14:25.840
This portion of Talk Python To Me is brought to you by JetBrains and PyCharm.

00:14:25.840 --> 00:14:30.620
Are you a data scientist or a web developer looking to take your projects to the next level?

00:14:30.620 --> 00:14:33.320
Well, I have the perfect tool for you, PyCharm.

00:14:33.320 --> 00:14:42.600
PyCharm is a powerful integrated development environment that empowers developers and data scientists like us to write clean and efficient code with ease.

00:14:43.280 --> 00:14:48.920
Whether you're analyzing complex data sets or building dynamic web applications, PyCharm has got you covered.

00:14:48.920 --> 00:14:56.080
With its intuitive interface and robust features, you can boost your productivity and bring your ideas to life faster than ever before.

00:14:56.080 --> 00:15:02.300
For data scientists, PyCharm offers seamless integration with popular libraries like NumPy, Pandas, and Matplotlib.

00:15:02.300 --> 00:15:09.400
You can explore, visualize, and manipulate data effortlessly, unlocking valuable insights with just a few lines of code.

00:15:10.020 --> 00:15:14.040
And for us web developers, PyCharm provides a rich set of tools to streamline your workflow.

00:15:14.040 --> 00:15:23.040
From intelligent code completion to advanced debugging capabilities, PyCharm helps you write clean, scalable code that powers stunning web applications.

00:15:23.040 --> 00:15:31.340
Plus, PyCharm's support for popular frameworks like Django, FastAPI, and React make it a breeze to build and deploy your web projects.

00:15:31.740 --> 00:15:36.280
It's time to say goodbye to tedious configuration and hello to rapid development.

00:15:36.280 --> 00:15:37.800
But wait, there's more.

00:15:37.800 --> 00:15:46.520
With PyCharm, you get even more advanced features like remote development, database integration, and version control, ensuring your projects stay organized and secure.

00:15:46.760 --> 00:15:51.980
So whether you're diving into data science or shaping the future of the web, PyCharm is your go-to tool.

00:15:51.980 --> 00:15:54.060
Join me and try PyCharm today.

00:15:54.060 --> 00:16:04.680
Just visit talkpython.fm/done-with-pycharm, links in your show notes, and experience the power of PyCharm firsthand for three months free.

00:16:04.680 --> 00:16:05.860
PyCharm.

00:16:05.860 --> 00:16:07.600
It's how I get work done.

00:16:10.100 --> 00:16:28.620
The real, like, the ideal process is someone would Google, like, Python and security, or, like, Python and reported vulnerability, and then they would find these, like, really lovely instructions that someone else wrote up to say, just send an email to security@python.org with whatever information you have, and then we triage that.

00:16:28.940 --> 00:16:35.900
And if we decided it's a vulnerability, we would ask for a CVE on your behalf and, like, credit you and all this stuff, and then fix it.

00:16:35.900 --> 00:16:40.320
And then the release and publication of the CVE would happen at the same time.

00:16:40.320 --> 00:16:43.140
So that's what we call coordinated vulnerability disclosure.

00:16:43.140 --> 00:16:48.940
And so instead of, like, oh, there's a vulnerability, but there's no fix available for that vulnerability, like, that's what you want to avoid.

00:16:49.640 --> 00:17:05.500
Because it causes panic, and in theory, it could cause exposure, right, where there's some dwell time in between when people, or it doesn't minimize the dwell time between when people are able to patch and when the vulnerability is known to potential attackers.

00:17:05.500 --> 00:17:06.040
Right.

00:17:06.040 --> 00:17:10.340
There's already a latency boom from when it's announced to somebody actually fixing it.

00:17:10.340 --> 00:17:14.060
But if when you hear it, you can't actually fix it for two more weeks because it's not released.

00:17:14.060 --> 00:17:19.840
Well, that just gives people two weeks to try to dissect, like, what exactly do they mean by there's this image problem?

00:17:19.840 --> 00:17:20.180
Exactly.

00:17:20.180 --> 00:17:21.060
Exactly.

00:17:21.060 --> 00:17:21.700
Oh, yeah.

00:17:21.700 --> 00:17:22.620
I'm going to look at my image, yeah.

00:17:22.620 --> 00:17:25.080
We're going to start talking about LibWebP, actually.

00:17:25.080 --> 00:17:26.080
Yeah, the...

00:17:26.080 --> 00:17:27.060
No, I'm just using it.

00:17:27.060 --> 00:17:30.060
Like, it's the most recent example, because last night there was a...

00:17:30.060 --> 00:17:36.520
And it's really relevant to CVEs because there was some drama that Apple patched some of their code.

00:17:36.520 --> 00:17:43.920
When Google announced it, it looked like it was only applied to Chrome, but it actually applied to anything that used WebP, which, looking at the updates, is like, everything.

00:17:43.920 --> 00:17:46.580
Everything on my computer needs to be updated because of it.

00:17:46.580 --> 00:17:50.520
You know, like, that mismatch was, like, caused a lot of drama.

00:17:50.520 --> 00:17:51.960
I definitely agree.

00:17:51.960 --> 00:18:02.180
Yeah, there was, like, a week of time in between when that CVE just mentioned Chrome and Apple, and then when it actually ended up mentioning LibWebP.

00:18:02.180 --> 00:18:06.500
And then right when it mentioned LibWebP, I'm like, oh, I know a lot of Python packages use that.

00:18:06.500 --> 00:18:09.060
And so I then went out and go and talk to those people.

00:18:09.060 --> 00:18:09.500
Oh, interesting.

00:18:09.500 --> 00:18:10.860
And they fixed those things now.

00:18:10.860 --> 00:18:11.140
So.

00:18:11.140 --> 00:18:12.040
Yeah, that's great.

00:18:12.040 --> 00:18:16.860
Another good reason to stay on top of dependency management and stuff, right?

00:18:16.860 --> 00:18:17.640
Like tools.

00:18:17.640 --> 00:18:28.160
One of the things I think we're coming to sort of understand and manage better in the Python space is not your dependencies, but the transitive closure of your dependencies.

00:18:28.160 --> 00:18:28.700
Right?

00:18:28.700 --> 00:18:39.260
So I might use, let me just say, I guess, what if I use Pillow to work with images, but Pillow itself uses some other library that it pip installs that itself might have some kind of image code.

00:18:39.260 --> 00:18:41.680
If I say I use Pillow, oh, I need to update it.

00:18:41.680 --> 00:18:44.000
pip install --upgrade.

00:18:44.000 --> 00:18:49.180
Pillow doesn't upgrade its dependencies and those dependencies of the, right?

00:18:49.240 --> 00:18:53.160
So like, but that could be where a lot of silent issues live.

00:18:53.160 --> 00:19:04.140
And so things like poetry, flit, pip-tools, there's a lot of tools coming on that I think are gaining popularity that treat not just what you directly wanted to pip install, but its friends and its dependencies.

00:19:04.140 --> 00:19:05.060
Yeah, definitely.

00:19:05.060 --> 00:19:07.280
What do you think about that from a security perspective?

00:19:07.280 --> 00:19:07.900
Yes.

00:19:07.900 --> 00:19:17.960
So having the most important thing from like a kind of dependency management side of things is having those lock files and having them have hashes.

00:19:17.960 --> 00:19:21.040
Like it's, it's less of a problem now.

00:19:21.040 --> 00:19:29.400
Like I, it likely won't come to fruition that those hashes end up being important, but luckily lots of lock file formats do generate hashes anyways, which is great.

00:19:29.400 --> 00:19:32.860
So that subverts attacks against PyPI partially.

00:19:32.860 --> 00:19:35.040
Man-in-the-middle, DNS madness.

00:19:35.040 --> 00:19:36.360
Right.

00:19:36.360 --> 00:19:36.640
Yeah.

00:19:36.640 --> 00:19:42.400
Like if somehow you've been tricked into using a bad certificate or something, right?

00:19:42.400 --> 00:19:44.800
Like it, it saves you from a lot of stuff like that.

00:19:44.800 --> 00:19:46.800
So having hashes, they're basically free.

00:19:46.800 --> 00:19:47.540
They're great.

00:19:47.540 --> 00:19:48.380
Just use those.

00:19:48.380 --> 00:19:53.760
The other side of it is running a vulnerability checker against those dependencies.

00:19:53.760 --> 00:19:57.640
Cause then you'll, or either that or having a tool that's doing that for you.

00:19:57.640 --> 00:20:00.020
So like Dependabot is a tool that does that for you.

00:20:00.020 --> 00:20:05.900
It will check vulnerability databases and then give you like a security notification or a PR to say,

00:20:05.900 --> 00:20:12.940
Hey, this is affected by a medium severity vulnerability, or you can run them yourself via pip-audit.

00:20:12.940 --> 00:20:17.880
It can either check an already installed environment or it can check like a requirements file.

00:20:17.880 --> 00:20:21.780
I don't know the full extent of all the different file types that it can check.

00:20:21.860 --> 00:20:30.400
I know that it works on requirements.txt, but yeah, it, it'll check those files for known vulnerabilities and all of the transitive dependencies, just everything that's available.

00:20:30.400 --> 00:20:34.620
And then from there, it'll tell you, Hey, these are the things that you need to fix.

00:20:34.620 --> 00:20:35.820
Here are the fixed versions.

00:20:36.020 --> 00:20:39.620
Like try upgrading to at least this, doesn't mean that it's easy.

00:20:39.620 --> 00:20:41.940
advisory database you talked about.

00:20:41.940 --> 00:20:43.860
It does go back to that advisory database.

00:20:43.860 --> 00:20:44.260
Yeah.

00:20:44.260 --> 00:20:53.860
And it also can hook into osv.dev, which is kind of like this global aggregation of tons of different vulnerability databases.

00:20:53.860 --> 00:20:59.100
So for example, we have one for Python that I pointed out, but then like Rust has one.

00:20:59.100 --> 00:21:00.600
Debian has one.

00:21:00.600 --> 00:21:01.740
what is it?

00:21:01.740 --> 00:21:03.960
Rocky Linux, I think has one.

00:21:03.960 --> 00:21:09.660
Like there's just a whole bunch of them and you can kind of interface with this database using the same API and it's, it's kind of nice.

00:21:09.660 --> 00:21:10.500
So, yeah.

00:21:10.500 --> 00:21:17.420
So making this a security show, we just talked to Mike Fiedler a little while ago about that as well.

00:21:17.420 --> 00:21:18.040
Diving into it.

00:21:18.040 --> 00:21:24.620
I mean, we'll come back to the release process, but I do want to ask you about this. This is one of the challenges I see, is like I got a Dependabot warning.

00:21:24.620 --> 00:21:31.040
Luckily it was for basically the requirements-dev side, not the true requirements.

00:21:31.120 --> 00:21:40.560
You know, like I'm going to use a bunch more tools to do like Jupyter stuff on my data, but I'm really just running a website and there's like a much smaller, a smaller set of things on there.

00:21:40.560 --> 00:21:49.000
But there was a vulnerability report for something, some package that was in my requirements, for the dev verge, the dev setup.

00:21:49.000 --> 00:21:57.080
However, when I tried to go update it, one other package that is the reason that was there said, no, it has to be less than something.

00:21:57.080 --> 00:22:00.140
And that something was less than the fix.

00:22:00.280 --> 00:22:03.000
And I'm like, how do I square these two things?

00:22:03.000 --> 00:22:07.940
Like I can pip install it, but then it keeps complaining that you're, you're running the wrong version.

00:22:07.940 --> 00:22:08.700
Like, no, I'm not.

00:22:08.700 --> 00:22:12.740
The other one has a remote CVE and, you know, a remote code execution in it.

00:22:12.740 --> 00:22:14.300
And I'm like, I really don't want that.

00:22:14.300 --> 00:22:15.160
I mean, not a server.

00:22:15.160 --> 00:22:17.240
So it's probably fine, but I really don't want that.

00:22:17.240 --> 00:22:20.500
No, I'm, I don't care if it's slightly more unstable.

00:22:20.500 --> 00:22:21.560
I want the new one.

00:22:21.560 --> 00:22:22.300
Give it to me.

00:22:22.300 --> 00:22:23.040
Right.

00:22:23.080 --> 00:22:24.800
And that's, that's a bit of a challenge.

00:22:24.800 --> 00:22:32.000
I think, when you say like, I've got 50 dependencies and I've got to somehow square, I need to get a brand new one right away.

00:22:32.000 --> 00:22:32.840
What are your thoughts on that?

00:22:32.840 --> 00:22:35.700
Yeah, this, this is a super tough problem.

00:22:35.700 --> 00:22:40.160
And I think it's one that open source will be coming to reckon with even more now, right?

00:22:40.160 --> 00:22:51.420
Because we're kind of at a, in a place now where there's a few really important libraries, which are kind of moving something that is very extensively and widely used to be not maintained anymore.

00:22:51.420 --> 00:23:01.140
For example, OpenSSL, OpenSSL 1 or 1.1.1, which is extremely widely used, is no longer maintained.

00:23:01.140 --> 00:23:03.080
There's going to be no more security patches for that.

00:23:03.080 --> 00:23:13.220
And it's, it's going to be tough because my guess is that there's also just a lot of software that's not built for OpenSSL 3 being the OpenSSL of choice.

00:23:13.220 --> 00:23:13.460
Right.

00:23:13.460 --> 00:23:20.580
Luckily, Python is not in that situation, but it's, it's certainly like a thing that other pieces of software might have to deal with.

00:23:20.580 --> 00:23:32.020
in terms of Python packaging, this is kind of why the guidance on don't specify an upper bound, unless you know that that upper bound like makes sense.

00:23:32.020 --> 00:23:39.660
And like, so like backwards incompatibility, like, yeah, maybe you want to say, okay, if this is version 2.1. whatever.

00:23:39.660 --> 00:23:43.620
And it's semver, you can say, okay, anything less than three is probably fine.

00:23:43.620 --> 00:23:45.780
but even that, right.

00:23:45.780 --> 00:23:47.400
If you, if that package goes unmaintained.

00:23:47.400 --> 00:23:49.660
Yeah, this one from two to three and its main version, right.

00:23:49.660 --> 00:23:50.760
It's, it's major version.

00:23:50.760 --> 00:23:51.160
So.

00:23:51.160 --> 00:23:51.680
Right.

00:23:51.680 --> 00:23:52.120
Yeah.

00:23:52.120 --> 00:23:54.420
So this is, this is a difficulty.

00:23:54.420 --> 00:23:55.080
Yeah.

00:23:55.080 --> 00:23:57.180
There's a lot of packages that set hard upper bounds.

00:23:57.180 --> 00:24:04.560
And I just, I don't know why, because I, maybe it, it's going to break it, but I feel like it's speculative.

00:24:04.560 --> 00:24:09.700
Like, ah, we should probably not let a major version run, but you know, that, that leads into trouble.

00:24:09.700 --> 00:24:09.980
Right.

00:24:09.980 --> 00:24:14.580
Like, even if you just want to use some other library that says greater than or equal to three, and this one says less than three.

00:24:14.580 --> 00:24:15.140
You're like, great.

00:24:15.140 --> 00:24:16.080
Now, what do I do?

00:24:16.080 --> 00:24:16.200
Yeah.

00:24:16.200 --> 00:24:19.460
I think that the toughest thing is that you can't go back and then like amend it.

00:24:19.460 --> 00:24:22.420
yeah, that's the hardest part is because.

00:24:22.660 --> 00:24:33.380
So I will speak very, very highly of all of these, anything that can make pip automatically get the right thing is just magical is so good.

00:24:33.380 --> 00:24:35.920
And so people like that.

00:24:35.920 --> 00:24:43.300
And I totally get why people are doing these upper bound, sorts of things, but yeah, it does have the issues that you, that you talked about.

00:24:43.300 --> 00:24:48.380
But yeah, there's something to say about how great the, those bound checks are.

00:24:48.600 --> 00:25:00.220
I wish there was a way that you could add something like some sort of guidance to pip to say after the fact, like, okay, I said this was open, but now I'm going to go ahead and tell you that like, this definitely doesn't work with this version.

00:25:00.220 --> 00:25:04.880
Maybe that's something that can get recommended, but yeah, it's just so nice when it does work out.

00:25:05.200 --> 00:25:05.560
Yeah.

00:25:05.620 --> 00:25:15.860
I, I can relate to Frank here, who writes: with 1.3 thousand, or 1,300, dependencies in our project, because of this, dependencies are a problem at all times.

00:25:15.860 --> 00:25:16.380
Yeah.

00:25:16.380 --> 00:25:19.420
I have on Talk Python Training, the courses website.

00:25:19.420 --> 00:25:21.700
I think there's 248 packages.

00:25:21.700 --> 00:25:26.380
If you look at what's installed and then the dependencies, and then you try to throw in the data sciencey stuff.

00:25:26.380 --> 00:25:30.580
And it's just like, there's a 50, 50 chance that I can actually install everything.

00:25:30.580 --> 00:25:34.120
Cause like half the time, something has got a less than, something's got a greater than.

00:25:34.120 --> 00:25:36.160
And I'm like, Oh my God, as you upgrade, right?

00:25:36.160 --> 00:25:41.020
Like at any point in time, it's deterministic, but you're over at over the evolution of it.

00:25:41.020 --> 00:25:41.220
Right.

00:25:41.220 --> 00:25:41.660
Yeah.

00:25:41.660 --> 00:25:42.780
No, it's, it's tough.

00:25:42.780 --> 00:25:44.660
It's tough when you start getting to that number.

00:25:44.660 --> 00:25:47.040
Like there's just so many intertangled things.

00:25:47.040 --> 00:25:47.660
There are.

00:25:47.660 --> 00:25:54.700
And like, the reason I bring this up now is it's, it's a hassle when like, I want to use this library and that library and somehow I've got to like juggle things.

00:25:54.700 --> 00:26:00.380
So they work, but it's concerning when you get a Dependabot alert that says there's a remote code execution.

00:26:00.380 --> 00:26:04.260
You're going to need to deal with it and your dependencies won't let you upgrade.

00:26:04.260 --> 00:26:05.180
You know what I mean?

00:26:05.180 --> 00:26:06.860
Like that's, that's why I bring this up.

00:26:06.860 --> 00:26:08.300
It's, it's definitely concerning.

00:26:08.300 --> 00:26:08.620
Yeah.

00:26:08.620 --> 00:26:14.640
Another thing that you can do, and this is, I feel like they don't talk about this as much with Dependabot, is that there are ways

00:26:14.640 --> 00:26:19.120
to mitigate vulnerabilities that doesn't necessarily have to come from upgrading.

00:26:19.120 --> 00:26:28.860
Like I'm always going to say upgrading your dependency is the best way to go forward because then you know that there's no chance of at least that vulnerability in particular being exploited.

00:26:28.860 --> 00:26:33.180
But if it's something like remote code execution, but it's this one component, right?

00:26:33.180 --> 00:26:35.280
As long as you're not using that component, then you're fine.

00:26:35.280 --> 00:26:40.980
Or if it's remote code execution, when you get some sort of input, whatever, right.

00:26:40.980 --> 00:26:42.700
That's, that's malformed or whatever.

00:26:42.700 --> 00:26:46.580
And you're like, okay, well that component's not exposed to the network.

00:26:46.580 --> 00:26:47.860
It's, I only use it internally.

00:26:47.860 --> 00:26:50.220
So there is something to say.

00:26:50.220 --> 00:26:51.260
It's not even a server.

00:26:51.260 --> 00:26:52.860
It doesn't open a port, right?

00:26:52.860 --> 00:26:54.480
It's just a thing I run on my computer.

00:26:54.480 --> 00:26:56.100
It's like, it probably doesn't matter.

00:26:56.100 --> 00:26:56.840
Exactly.

00:26:56.840 --> 00:26:57.140
Yeah.

00:26:57.140 --> 00:26:58.200
And that's, that's kind of the hard part.

00:26:58.200 --> 00:26:59.200
I'm the one typing into it.

00:26:59.200 --> 00:27:03.520
And it's like, but if it's in your website, then all of a sudden it gets a little trickier, right?

00:27:03.520 --> 00:27:04.480
Then it gets dicier.

00:27:04.480 --> 00:27:04.800
Yeah.

00:27:04.800 --> 00:27:05.120
Definitely.

00:27:05.120 --> 00:27:05.440
Yeah.

00:27:05.440 --> 00:27:07.660
The stakes are higher when you attach the internet to anything.

00:27:07.960 --> 00:27:10.720
But when it's like a local script, it's probably going to be okay.

00:27:10.720 --> 00:27:10.980
Just look at your log file.

00:27:10.980 --> 00:27:12.060
Just tell your log file.

00:27:12.060 --> 00:27:16.300
And it's request, request, hack, hack, request, attempted hack, request.

00:27:16.300 --> 00:27:16.960
It's just nonstop.

00:27:16.960 --> 00:27:17.520
wp-login.

00:27:17.520 --> 00:27:17.860
Yes.

00:27:17.860 --> 00:27:18.260
Yeah.

00:27:18.260 --> 00:27:19.000
wp-admin.

00:27:19.000 --> 00:27:20.340
All them things.

00:27:20.340 --> 00:27:20.620
Yeah.

00:27:20.620 --> 00:27:24.240
It's usually, luckily it's WP something or something most of the time.

00:27:24.240 --> 00:27:24.720
So you're good.

00:27:24.720 --> 00:27:26.760
You're safe against 90%.

00:27:26.760 --> 00:27:27.380
We're all good.

00:27:27.380 --> 00:27:31.380
As long as you don't return a 200 to any of those, like your traffic will remain low.

00:27:31.380 --> 00:27:31.860
Yeah.

00:27:32.140 --> 00:27:32.500
Absolutely.

00:27:32.500 --> 00:27:34.320
All right.

00:27:34.320 --> 00:27:36.040
So that's what you're doing.

00:27:36.040 --> 00:27:37.500
You're focusing on these kinds of things.

00:27:37.500 --> 00:27:38.540
That's really, really awesome.

00:27:38.540 --> 00:27:42.860
And thanks for giving us an even more detailed look than I expected into it.

00:27:42.860 --> 00:27:44.560
Yeah.

00:27:44.560 --> 00:27:48.840
Let's talk about your, let's talk about, you know, the timely thing.

00:27:48.840 --> 00:27:52.520
I mean, security is always timely, but the CPython, let me see if I get this right.

00:27:52.520 --> 00:27:54.900
3.12 release coming up here on Monday.

00:27:54.900 --> 00:27:55.620
Dang.

00:27:55.620 --> 00:27:56.320
He's got it.

00:27:56.320 --> 00:27:56.680
Amazing.

00:27:56.680 --> 00:27:57.740
I got it, man.

00:27:57.740 --> 00:27:58.300
I'm ready.

00:27:58.400 --> 00:27:59.880
I'm ready for this new, new world.

00:27:59.880 --> 00:28:03.820
So there is a PEP and let's see who, who put this together.

00:28:03.820 --> 00:28:05.380
This is Barry Warsaw and Guido.

00:28:05.380 --> 00:28:07.600
And it is PEP 101.

00:28:07.600 --> 00:28:08.760
I love it.

00:28:08.760 --> 00:28:09.800
PEP 101.

00:28:09.800 --> 00:28:10.700
The one you need, right?

00:28:10.700 --> 00:28:11.360
Yeah.

00:28:11.360 --> 00:28:12.380
What a perfect number.

00:28:12.380 --> 00:28:16.440
But it's, it's the title is doing Python releases 101.

00:28:16.440 --> 00:28:18.780
That's kind of a circular.

00:28:18.780 --> 00:28:19.280
I love it.

00:28:19.280 --> 00:28:25.360
And it just talks about all the steps and it's kind of a manual of now you do this and now

00:28:25.360 --> 00:28:25.840
you do that.

00:28:25.840 --> 00:28:28.800
But it's just a really long doc.

00:28:28.800 --> 00:28:31.540
I love the stop, stop, stop, stop, stop.

00:28:31.540 --> 00:28:35.020
There's like, there's like all caps all across.

00:28:35.020 --> 00:28:35.940
Stop, stop, stop, stop, stop.

00:28:35.940 --> 00:28:37.060
Did you do this right?

00:28:37.060 --> 00:28:37.540
Right?

00:28:37.540 --> 00:28:38.100
Yep.

00:28:38.100 --> 00:28:43.060
That you can tell, you can always tell when there were problems in the past in a checklist,

00:28:43.060 --> 00:28:43.580
right?

00:28:43.580 --> 00:28:47.760
Like if there ever was something that happened incorrectly, it's, it's very obvious.

00:28:47.760 --> 00:28:49.500
And so, yeah, the stop, stop, stop.

00:28:49.620 --> 00:28:55.480
I feel that that, I don't personally know why that's there, but I do laugh every time

00:28:55.480 --> 00:28:55.900
I see it.

00:28:55.900 --> 00:28:56.100
So.

00:28:56.100 --> 00:28:56.680
Yeah.

00:28:56.680 --> 00:28:58.060
Let's see.

00:28:58.060 --> 00:29:00.780
Please note how PEP 101 replaces PEP 102.

00:29:00.780 --> 00:29:02.940
Time traveling was invented there.

00:29:02.940 --> 00:29:03.840
What is the.

00:29:03.840 --> 00:29:04.280
Yeah.

00:29:04.280 --> 00:29:04.940
At the very top.

00:29:04.940 --> 00:29:06.720
It's, I wanted to comment on that too.

00:29:06.720 --> 00:29:08.200
It said replaces PEP 102.

00:29:08.580 --> 00:29:14.460
And I wonder if it was more like a, oh, we should just use 101 sort of situation.

00:29:14.460 --> 00:29:16.760
Well, I think this is doing micro releases.

00:29:16.760 --> 00:29:17.440
Right.

00:29:17.440 --> 00:29:20.700
Is this one maybe more like full, like the full deal?

00:29:20.700 --> 00:29:21.420
I don't know.

00:29:21.420 --> 00:29:21.640
Yeah.

00:29:21.640 --> 00:29:24.440
I think security releases are, they're slightly different.

00:29:24.440 --> 00:29:28.180
We don't actually build binary installers for security releases.

00:29:28.180 --> 00:29:33.280
We only build source builds, like source tarballs for micro releases.

00:29:33.280 --> 00:29:35.880
And so maybe that was the distinction in 102.

00:29:35.880 --> 00:29:36.640
Sure.

00:29:36.640 --> 00:29:37.160
Okay.

00:29:37.160 --> 00:29:43.520
So this has existed since 2001, but you got to really dig into it.

00:29:43.520 --> 00:29:47.420
And you know, there's some interesting stuff there, but picture a thousand words, all these

00:29:47.420 --> 00:29:52.680
things, you put together a really nice graphic here and somehow you got this in like HTML.

00:29:52.680 --> 00:29:53.480
I'm impressed.

00:29:53.480 --> 00:29:54.300
Yeah.

00:29:54.300 --> 00:29:55.560
That's embedded SVG.

00:29:55.560 --> 00:30:00.160
I, I always use draw.io for my, my diagrams.

00:30:00.160 --> 00:30:01.980
I take pride in my diagrams.

00:30:01.980 --> 00:30:02.480
Yeah.

00:30:02.480 --> 00:30:03.000
It looks good.

00:30:03.000 --> 00:30:04.060
All right.

00:30:04.060 --> 00:30:06.600
So there are 10 steps.

00:30:06.600 --> 00:30:08.800
Some of the steps have ABCs in them.

00:30:08.800 --> 00:30:15.360
So, and you know, just for people who pull up this picture and obviously being a podcast,

00:30:15.360 --> 00:30:16.540
it's hard to see the picture.

00:30:16.540 --> 00:30:22.140
If you're not watching the live stream, I will put a link to the article, which has the picture

00:30:22.140 --> 00:30:22.620
in there.

00:30:22.620 --> 00:30:25.680
And if I remember right, I'll even put it as the chapter art.

00:30:25.680 --> 00:30:26.480
We'll see about that.

00:30:26.480 --> 00:30:28.140
but there's a legend in here.

00:30:28.140 --> 00:30:30.440
So you've got like different types of things.

00:30:30.440 --> 00:30:36.520
You've got human actors, which are golden release artifact, which is blue, a source of risk, which

00:30:36.520 --> 00:30:40.680
is where you're paying extra attention and the start and end state.

00:30:40.680 --> 00:30:45.100
And so, the colors mean stuff here and the legends at the bottom, but yeah, let's, you

00:30:45.100 --> 00:30:46.480
know, start with number one.

00:30:46.480 --> 00:30:47.380
What happens here?

00:30:47.780 --> 00:30:47.900
Yeah.

00:30:47.900 --> 00:30:52.240
So starting with number one, and I'm actually going to increase the size of my screen as

00:30:52.240 --> 00:30:54.940
well, because I'm going to pull it up separately myself.

00:30:54.940 --> 00:30:55.560
Yeah.

00:30:55.560 --> 00:30:57.820
There's a lot going on here.

00:30:57.820 --> 00:30:59.300
There's a lot going on here.

00:30:59.300 --> 00:31:01.940
You need some, you need some manager control plus on it.

00:31:01.940 --> 00:31:02.380
Yep.

00:31:02.380 --> 00:31:02.840
Okay.

00:31:03.000 --> 00:31:03.340
All right.

00:31:03.340 --> 00:31:09.440
So in the very beginning, what happens is essentially the release manager decides it's

00:31:09.440 --> 00:31:10.440
time to make a release.

00:31:10.440 --> 00:31:12.200
It'll be common source right now.

00:31:12.200 --> 00:31:15.200
So we're, we're deciding, okay, we're going to make a release.

00:31:15.200 --> 00:31:21.140
And so something that happens even before this is we kind of talk amongst all of the other,

00:31:21.140 --> 00:31:24.860
it says release managers in there, like Windows release manager, macOS release manager.

00:31:24.860 --> 00:31:27.800
They kind of flip between that language and experts.

00:31:27.800 --> 00:31:30.360
So like Windows expert, macOS expert.

00:31:30.520 --> 00:31:34.080
Someone who understands these weird Windows things that can make an MSI installer.

00:31:34.080 --> 00:31:34.420
The people.

00:31:34.420 --> 00:31:34.920
Exactly.

00:31:34.920 --> 00:31:36.020
What do you do on Mac?

00:31:36.020 --> 00:31:37.320
I don't even know how to build that.

00:31:37.320 --> 00:31:37.500
Right.

00:31:37.500 --> 00:31:38.100
That person.

00:31:38.100 --> 00:31:38.580
Yeah.

00:31:38.580 --> 00:31:39.060
Yeah.

00:31:39.060 --> 00:31:43.500
Talk to, talk to them, get, get their, get their buy-in that indeed they're going to be

00:31:43.500 --> 00:31:47.480
around when you decide to do this, because this is kind of like a big coordinated thing.

00:31:47.480 --> 00:31:50.040
Everyone has to be around to do their part.

00:31:50.040 --> 00:31:54.200
And then if that is the case, then the release branch gets frozen.

00:31:54.200 --> 00:31:56.600
So in this case, that release branch would be 3.12.

00:31:57.000 --> 00:32:03.820
And so that's done by essentially putting a block on all future like pushes to the branch,

00:32:03.820 --> 00:32:06.620
like in GitHub, you use like branch protection.

00:32:06.620 --> 00:32:11.380
And that's basically to make it so that no one can merge pull requests anymore so that you

00:32:11.380 --> 00:32:14.040
have something that's stable that you can kind of work off of.

00:32:14.360 --> 00:32:19.180
And then after that, you'd move on to step two, which is the actual release manager will

00:32:19.180 --> 00:32:23.120
update their fork of the repo with whatever is on that branch.

00:32:23.120 --> 00:32:29.320
So like the 3.12 branch will get updated and then you'll pull that branch locally now on

00:32:29.320 --> 00:32:30.000
step three.

00:32:30.000 --> 00:32:33.000
So now you're on the actual release manager's machine.

00:32:33.180 --> 00:32:37.360
And so like I kind of have like gray boxes drawn kind of throughout.

00:32:37.360 --> 00:32:39.960
So those are kind of like security boundaries a little bit.

00:32:40.300 --> 00:32:45.160
The top most one is the GitHub like organization of Python.

00:32:45.160 --> 00:32:51.240
And then the middle, the tiny one that has the fork repo, that's the GitHub user for the

00:32:51.240 --> 00:32:52.320
release manager in particular.

00:32:52.320 --> 00:32:56.900
And then the furthest left, the gigantic one is the release manager's actual computer.

00:32:56.900 --> 00:32:59.060
It's not documented anywhere.

00:32:59.060 --> 00:33:00.920
It's just how I was thinking about it.

00:33:01.280 --> 00:33:03.720
But yeah, so then there's this thing called release-tool.

00:33:03.720 --> 00:33:06.360
And so release-tool is basically just a Python script.

00:33:06.360 --> 00:33:07.160
It's on GitHub.

00:33:07.160 --> 00:33:13.980
If you go to github.com/python/release-tool, it's basically just a script that

00:33:13.980 --> 00:33:20.620
runs and then does all of the stuff that's needed to build the source distribution and documentation

00:33:20.620 --> 00:33:22.320
of a new Python release.

00:33:22.320 --> 00:33:23.760
And so you run that.

00:33:23.760 --> 00:33:29.520
And as a result, you kind of get like a huge amount of code that needs to be committed.

00:33:29.640 --> 00:33:33.500
And so there's a whole bunch of different little tools that kind of get run in addition to

00:33:33.500 --> 00:33:33.700
that.

00:33:33.700 --> 00:33:37.600
So things like blurb, Sphinx gets run as a part of that.

00:33:37.600 --> 00:33:41.280
Yeah, you need a whole lot of dependencies installed.

00:33:41.280 --> 00:33:45.200
So you like you need like LaTeX, you need a whole bunch of stuff installed for this to actually

00:33:45.200 --> 00:33:45.540
work.

00:33:45.540 --> 00:33:50.060
Do you make sure you've got like the right, right compiler?

00:33:50.060 --> 00:33:52.440
Is there a lot of concern about that?

00:33:52.440 --> 00:33:58.060
Like, is it clang or LLVM or GCC or, you know, I believe it's GCC.

00:33:58.060 --> 00:33:59.300
I believe it's GCC.

00:33:59.740 --> 00:34:02.760
You know, I didn't dig into that exact point, but I'm pretty sure it is GCC.

00:34:02.760 --> 00:34:06.320
But I feel like that's another part that you like that choice matters, right?

00:34:06.320 --> 00:34:07.560
Like you might get different outputs.

00:34:07.560 --> 00:34:09.140
You might discover bugs that weren't there.

00:34:09.140 --> 00:34:13.020
So you got to kind of get that gray box all set up as well, right?

00:34:13.020 --> 00:34:13.840
Yeah, definitely.

00:34:14.200 --> 00:34:20.600
And so the fact that it's on someone's machine, I would say reproducibility is quite tough in

00:34:20.600 --> 00:34:22.140
those sorts of situations, right?

00:34:22.140 --> 00:34:28.500
Like if someone were to build a release of Python and then a day goes by, like I guarantee you

00:34:28.500 --> 00:34:34.140
that if you try to do it again with the exact same starting input, it would be potentially

00:34:34.140 --> 00:34:34.980
different, right?

00:34:35.020 --> 00:34:40.220
And so that's actually a problem from a security perspective for reproducibility, because it means

00:34:40.220 --> 00:34:46.000
that someone else can't verify that what you did is correct, right?

00:34:46.000 --> 00:34:48.280
Like the hash might change or something like that, right?

00:34:48.540 --> 00:34:53.860
Hashes might change or if there's like somehow the time is getting embedded into a binary

00:34:53.860 --> 00:34:55.140
somewhere like that.

00:34:55.140 --> 00:34:59.720
There's just a whole bunch of different ways that reproducibility could be different between

00:34:59.720 --> 00:35:00.500
two different runs.

00:35:00.500 --> 00:35:01.860
Yeah.

00:35:01.860 --> 00:35:07.120
And so after the release-tool happens, you basically get handed a couple of source

00:35:07.120 --> 00:35:09.260
tarballs that just have everything in them.

00:35:09.260 --> 00:35:13.400
And then you also get a bunch of git changes to the repository.

00:35:13.400 --> 00:35:18.360
So these are things like the change log has been generated from all of the blurb notes.

00:35:18.360 --> 00:35:23.580
And so what you do is then you take all of those changes and you create a big commit that

00:35:23.580 --> 00:35:28.460
says this is the release of CPython 3.2, 3.12.0.

00:35:28.460 --> 00:35:32.220
And then you tag it and you push that to the fork.

00:35:32.220 --> 00:35:34.400
You don't push that to the main repository yet.

00:35:34.400 --> 00:35:37.720
And so the reason you don't push that to the main repository, and this is actually something

00:35:37.720 --> 00:35:44.400
that this phenomena is, is an interesting one, especially because a lot of security build

00:35:44.400 --> 00:35:52.160
tooling doesn't take this work workflow into account, which is you don't push the tag to

00:35:52.160 --> 00:35:54.260
the origin until the very end.

00:35:55.040 --> 00:36:01.140
A lot of security tooling like SLSA and all of these things will kind of like they won't

00:36:01.140 --> 00:36:06.140
assume because you can you can do it without tags, but like they'll have features that are

00:36:06.140 --> 00:36:12.220
Oh, we'll capture the git tag in the output of like this, like document that says that your

00:36:12.220 --> 00:36:15.680
builds came from this repository, this set of tooling, whatever.

00:36:15.680 --> 00:36:16.040
Right.

00:36:16.180 --> 00:36:21.860
But a lot of projects actually wait on the tag until the very end because they want things

00:36:21.860 --> 00:36:24.640
to be repeatable without causing confusion.

00:36:24.640 --> 00:36:29.300
So if something went wrong throughout this whole release process, you wouldn't want there to

00:36:29.300 --> 00:36:32.440
be a tag on the main repo that is now confusing people.

00:36:32.440 --> 00:36:32.880
Right.

00:36:32.880 --> 00:36:34.480
Because those tags cause notifications.

00:36:34.480 --> 00:36:35.060
I'm going to get the code.

00:36:35.060 --> 00:36:37.940
You're like, actually, no, the Mac build wouldn't build.

00:36:37.940 --> 00:36:39.540
We're going to fix that or whatever.

00:36:39.540 --> 00:36:39.880
Right.

00:36:39.880 --> 00:36:40.420
Right.

00:36:40.420 --> 00:36:40.960
Exactly.

00:36:41.220 --> 00:36:45.420
And so this whole thing is like very it's a common thing.

00:36:45.420 --> 00:36:50.300
So pip actually has this exact same workflow where they do everything in the release until

00:36:50.300 --> 00:36:54.300
the very end and then they push the tag to the repo because they know that if they push

00:36:54.300 --> 00:36:57.200
that tag and it needs to change, it's going to cause confusion.

00:36:57.200 --> 00:37:01.360
So, yeah, that kind of is like step five in there.

00:37:01.360 --> 00:37:02.380
It pushes that tag.

00:37:02.380 --> 00:37:09.460
And so that tag is highlighted red as a source of risk because that is a fork of CPython and

00:37:09.460 --> 00:37:16.700
tags tags are not in themselves verifiable because anyone can push a tag.

00:37:16.700 --> 00:37:22.100
If you, if you're just looking at just the name of the tag, anyone can write a tag if you have

00:37:22.100 --> 00:37:24.880
write access to a Git repository or a GitHub repository.

00:37:24.880 --> 00:37:31.160
And so if you push a tag and say someone has access to your account, someone could move that

00:37:31.160 --> 00:37:33.500
tag to a different commit, completely different commit.

00:37:33.500 --> 00:37:38.420
And if it were pulled in that time and no one decided to like check something else.

00:37:38.420 --> 00:37:44.060
So like the commit hash, for example, you would be like it would be able to inject code into the

00:37:44.060 --> 00:37:44.500
process.

00:37:44.500 --> 00:37:44.740
Right.

00:37:44.740 --> 00:37:46.680
That's as far as we know, that has not happened.

00:37:46.680 --> 00:37:47.320
Yeah, that is bad.

00:37:47.320 --> 00:37:49.120
It is bad to inject arbitrary.

00:37:49.120 --> 00:37:52.080
Someone else's arbitrary code into Python directly.

00:37:52.560 --> 00:37:57.300
And it's also it's actually doubly bad because there's there's different degrees of bad in

00:37:57.300 --> 00:37:59.100
term like in supply chain security.

00:37:59.100 --> 00:38:04.520
One degree of bad is like if you're able to do bad stuff, but then people notice.

00:38:04.520 --> 00:38:05.080
Right.

00:38:05.080 --> 00:38:07.000
Or like people can see what happened.

00:38:07.000 --> 00:38:11.980
And so this is kind of like degrees of bad of you can inject code and then you can clean

00:38:11.980 --> 00:38:13.260
up after yourself afterwards.

00:38:13.260 --> 00:38:13.800
Right.

00:38:13.800 --> 00:38:14.680
Because you can tag back.

00:38:14.680 --> 00:38:16.120
You know, put the tag back.

00:38:16.120 --> 00:38:17.140
You have write access.

00:38:17.140 --> 00:38:17.400
Right.

00:38:17.400 --> 00:38:22.180
And so that that sort of like put the tag back or being able to circumvent it in that

00:38:22.180 --> 00:38:24.040
way is not good.

00:38:24.040 --> 00:38:25.680
Yeah.

00:38:25.680 --> 00:38:26.780
Don't give people ideas.

00:38:26.780 --> 00:38:29.800
These are not new ideas.

00:38:29.800 --> 00:38:31.920
So I feel less bad talking about these.

00:38:31.920 --> 00:38:32.320
Yeah.

00:38:32.320 --> 00:38:38.120
Another thing in this article is actually like tying every step of the release process back

00:38:38.120 --> 00:38:42.500
to a known attack that has succeeded against another project.

00:38:42.600 --> 00:38:48.540
So like SolarWinds was about build like release artifact poisoning, essentially.

00:38:48.540 --> 00:38:48.900
Right.

00:38:48.900 --> 00:38:53.460
You're like taking advantage of the fact that these release artifacts are being distributed

00:38:53.460 --> 00:38:55.560
and, you know, they're signed.

00:38:55.560 --> 00:39:01.040
Everything looks good, but you've gotten code injected into the actual artifact itself and

00:39:01.040 --> 00:39:01.960
it didn't get noticed.

00:39:01.960 --> 00:39:02.500
Right.

00:39:02.500 --> 00:39:07.400
And so like that sort of attack could happen against Python if if there's not mitigations

00:39:07.400 --> 00:39:07.820
against it.

00:39:07.820 --> 00:39:08.000
Right.

00:39:08.000 --> 00:39:10.880
And so, yeah, and then the next step is six.

00:39:10.880 --> 00:39:15.940
And so at this point, the release manager has source tarballs from the result of just

00:39:15.940 --> 00:39:16.940
running the release tool.

00:39:16.940 --> 00:39:18.260
And so they're kind of just waiting.

00:39:18.260 --> 00:39:22.540
They're sitting around waiting for the other experts to to do their thing now.

00:39:22.540 --> 00:39:28.140
And this is where Windows and macOS installers are actually built.

00:39:28.140 --> 00:39:33.280
And so these aren't built for security releases, but for 3.12.0, these will be built.

00:39:33.800 --> 00:39:37.960
And they're two completely different sets of build processes.

00:39:37.960 --> 00:39:40.760
One of them happens in Azure pipelines.

00:39:40.760 --> 00:39:46.640
So if you go to that release tool, there's actually like a Windows folder that just has

00:39:46.640 --> 00:39:50.780
100 YAML files in it for all of the different Azure pipeline configurations.

00:39:50.780 --> 00:39:51.140
Yeah.

00:39:51.140 --> 00:39:51.640
Yeah.

00:39:51.640 --> 00:39:53.800
Azure pipelines a little bit like GitHub actions.

00:39:53.800 --> 00:39:56.520
People who are familiar with that, but not Azure.

00:39:56.520 --> 00:39:56.980
Right.

00:39:56.980 --> 00:39:57.840
Something roughly.

00:39:58.220 --> 00:39:58.340
Yeah.

00:39:58.340 --> 00:39:58.540
Yeah.

00:39:58.540 --> 00:39:58.620
Yeah.

00:39:58.620 --> 00:40:02.300
And I think there was like a time where Azure pipelines and GitHub actions were like basically

00:40:02.300 --> 00:40:02.980
the same thing.

00:40:02.980 --> 00:40:03.360
Yeah.

00:40:03.360 --> 00:40:03.640
Yeah.

00:40:03.640 --> 00:40:04.860
Like in the very beginning.

00:40:07.000 --> 00:40:07.440
Yeah.

00:40:07.440 --> 00:40:11.440
So Azure pipelines, there's a whole bunch of stuff that happens there because there's

00:40:11.440 --> 00:40:15.600
Windows embeddable packages is something that gets uploaded to python.org.

00:40:15.600 --> 00:40:18.640
Windows installers also get uploaded to python.org.

00:40:18.640 --> 00:40:21.200
But that also there's like NuGet gets updated.

00:40:21.200 --> 00:40:23.380
The Windows store gets updated there.

00:40:23.380 --> 00:40:25.120
So like there's a lot happening there.

00:40:25.120 --> 00:40:30.600
And there's actually a lot of things that happen that require the actual release manager,

00:40:30.600 --> 00:40:33.300
the Windows release manager to like approve them.

00:40:33.400 --> 00:40:34.180
So like they're gated.

00:40:34.180 --> 00:40:39.220
These are things like signing keys that are, you know, as a part of the process, you have

00:40:39.220 --> 00:40:43.240
to like sign off to say like, yep, we want to give this job access to the signing key.

00:40:43.240 --> 00:40:43.960
So that's great.

00:40:43.960 --> 00:40:49.520
Do you know if Winget is kind of like the newer package manager for Windows?

00:40:49.520 --> 00:40:52.060
Do you know if Python goes there as well these days?

00:40:52.060 --> 00:40:52.760
Let's see.

00:40:52.760 --> 00:40:55.240
I haven't used Windows in a really long time.

00:40:55.240 --> 00:40:56.600
So I don't know.

00:40:56.600 --> 00:41:00.840
I do, but I only use it for playing games and simple Windows tests.

00:41:00.840 --> 00:41:01.360
I don't know.

00:41:01.360 --> 00:41:01.840
All right.

00:41:01.840 --> 00:41:05.820
But yeah, so NuGet is like one of these kinds of package managers for Windows and maybe

00:41:05.820 --> 00:41:06.460
maybe Winget.

00:41:06.460 --> 00:41:08.640
People in the audience, if anyone knows, they can let us know.

00:41:08.640 --> 00:41:09.400
Yeah, definitely.

00:41:09.400 --> 00:41:11.500
I've not even heard of Winget.

00:41:11.500 --> 00:41:13.020
So I feel really out of the loop right now.

00:41:13.020 --> 00:41:15.520
It's only a couple of years old, I believe.

00:41:15.520 --> 00:41:16.660
Gotcha.

00:41:16.660 --> 00:41:17.020
Gotcha.

00:41:17.020 --> 00:41:21.080
And following on with that, those probably won't help you if you don't do a lot of Windows.

00:41:21.080 --> 00:41:27.740
Lewis asked, does Python maintain Chocolatey, which is similar to Winget, but more independent

00:41:27.740 --> 00:41:29.540
than Winget?

00:41:29.960 --> 00:41:32.280
They tried Winget and it was buggy and it wasn't great.

00:41:32.280 --> 00:41:33.540
Chocolatey is maybe a little older.

00:41:33.540 --> 00:41:34.100
I don't know.

00:41:34.100 --> 00:41:35.360
Same story probably, right?

00:41:35.360 --> 00:41:35.820
Yeah.

00:41:35.820 --> 00:41:36.720
I also don't know.

00:41:36.720 --> 00:41:39.200
Unfortunately, Windows is not my strong suit.

00:41:39.200 --> 00:41:40.280
Yeah.

00:41:40.280 --> 00:41:42.940
Yeah, it's all good.

00:41:42.940 --> 00:41:43.920
Definitely a tastier name.

00:41:43.920 --> 00:41:46.680
That's how I choose all my tooling is how tasty is the name.

00:41:47.060 --> 00:41:47.220
Yeah.

00:41:47.220 --> 00:41:54.240
And so then the counterpart to that is the macOS binary installers.

00:41:54.240 --> 00:41:59.720
And so there's basically just another set of scripts that get run on the macOS release

00:41:59.720 --> 00:42:02.100
manager, like their machine.

00:42:02.100 --> 00:42:06.040
And it builds just everything having to do with macOS.

00:42:06.040 --> 00:42:07.240
It does notarization.

00:42:07.580 --> 00:42:13.080
It does, you know, making, I know not as much about macOS either, but I know that notarization

00:42:13.080 --> 00:42:13.560
happens.

00:42:13.560 --> 00:42:19.100
And actually I've talked to a few folks about this one too, because this one, if you notice,

00:42:19.100 --> 00:42:21.060
it's just one square and it's just red.

00:42:21.060 --> 00:42:25.120
And I was like, yeah, there's a lot more to dig into there.

00:42:25.840 --> 00:42:26.120
Yeah.

00:42:26.120 --> 00:42:29.840
But yeah, the macOS notarization stuff is a serious pain as well.

00:42:29.840 --> 00:42:34.620
Like it's a little bit like submitting something to the iPhone app store where it, you know,

00:42:34.620 --> 00:42:36.120
like gets reviewed and yeah.

00:42:36.120 --> 00:42:36.620
Yeah.

00:42:36.620 --> 00:42:39.600
I think once you have it already notarized, you can publish updates.

00:42:39.600 --> 00:42:44.120
Cause I was thinking as you were talking about that, like how do you design or deal with the

00:42:44.120 --> 00:42:48.720
latency, you know, of like I've submitted it and how long till someone picks it up and

00:42:48.720 --> 00:42:49.120
reviews it?

00:42:49.120 --> 00:42:49.600
I don't know.

00:42:49.600 --> 00:42:53.800
But I guess once it's kind of approved for notarization, then it, it just goes through

00:42:53.800 --> 00:42:54.260
pretty quickly.

00:42:54.260 --> 00:42:58.100
You just set a really long timeout on your CI job.

00:42:58.100 --> 00:42:59.120
Like exactly.

00:42:59.120 --> 00:43:00.480
Timeout seven weeks.

00:43:00.480 --> 00:43:02.280
Give it a week at least.

00:43:02.280 --> 00:43:03.440
Yeah.

00:43:03.440 --> 00:43:04.440
No.

00:43:04.440 --> 00:43:10.000
And so then after all of those things kind of happen, there's this stage in, you know,

00:43:10.000 --> 00:43:14.700
there's a stop, stop, stop line in the PEP 101 that just basically says for the release

00:43:14.700 --> 00:43:17.640
manager to wait for everyone to be done with their thing.

00:43:17.640 --> 00:43:22.240
And then once everyone's done with their thing and has uploaded everything to python.org, there's

00:43:22.240 --> 00:43:24.200
basically like this phase of testing everything.

00:43:24.200 --> 00:43:27.940
So you, you know, download everything, you make sure everything works on all the operating

00:43:27.940 --> 00:43:32.020
systems, the way that's expected to, you don't want to like blow the horn and then realize

00:43:32.020 --> 00:43:34.420
the very last mile that there's something wrong.

00:43:35.020 --> 00:43:36.680
And so like lots of testing happens.

00:43:36.680 --> 00:43:41.260
And then after the testing happens at that point, then everything that will get uploaded

00:43:41.260 --> 00:43:46.940
to python.org or that has been uploaded to python.org gets signed by the release manager in particular

00:43:46.940 --> 00:43:49.280
with sigstore and GPG.

00:43:49.280 --> 00:43:52.080
And then from there, all of those signatures get published.

00:43:52.080 --> 00:43:54.940
And that is the end of python.org.

00:43:54.940 --> 00:43:56.460
All of the artifacts are published.

00:43:56.460 --> 00:44:02.740
And only then does the release manager, this is step 10, do a git push to the actual upstream

00:44:02.740 --> 00:44:03.900
CPython repo.

00:44:03.900 --> 00:44:07.200
And at that point, then the branch can be unblocked.

00:44:07.200 --> 00:44:08.720
All of these things, the release is done.

00:44:08.720 --> 00:44:09.660
Everyone's happy.

00:44:09.660 --> 00:44:10.560
We can celebrate.

00:44:11.260 --> 00:44:15.980
Yeah, that's kind of the very high level view of what happens.

00:44:15.980 --> 00:44:16.860
Amazing.

00:44:16.860 --> 00:44:18.480
A couple of thoughts here.

00:44:18.480 --> 00:44:25.100
First of all, the Windows square is like tangibly different than the macOS square.

00:44:25.100 --> 00:44:32.420
The Windows square says, send off some source code to Azure Pipelines, an external repeatable

00:44:32.420 --> 00:44:33.640
CI build system.

00:44:33.640 --> 00:44:35.780
Whereas the Mac one is like, build it.

00:44:35.780 --> 00:44:36.480
You know what I mean?

00:44:36.480 --> 00:44:38.820
That's actually pretty interesting.

00:44:39.000 --> 00:44:42.340
And I don't know that there's an Azure pipeline for macOS, right?

00:44:42.340 --> 00:44:45.500
Like that's just the sort of the story of Mac and servers.

00:44:45.500 --> 00:44:48.020
But just highlighting those differences, right?

00:44:48.020 --> 00:44:52.340
Like it's a different thing to say, I build on my machine with whatever I got versus I push

00:44:52.340 --> 00:44:56.540
to something like Azure Pipelines CI/CD and get some results back.

00:44:56.540 --> 00:44:56.900
Yeah.

00:44:56.900 --> 00:45:02.560
Both the source tarball builds and the macOS builds are all local, right?

00:45:02.560 --> 00:45:06.740
And they're not done with a repeatable like CI provider.

00:45:07.640 --> 00:45:12.380
I was actually able to get like the actual source tarballs to work on GitHub actions.

00:45:12.380 --> 00:45:18.180
And so that's something that I've worked on and provided that to release managers.

00:45:18.180 --> 00:45:19.760
And we're talking about it right now.

00:45:19.760 --> 00:45:25.180
And macOS is actually, to my knowledge, is actually going to be revamped a little bit

00:45:25.180 --> 00:45:28.160
because that tooling has been around for so long.

00:45:28.220 --> 00:45:30.700
I think that there's going to be some work done on it.

00:45:30.700 --> 00:45:32.560
And so I haven't dug into it as deeply.

00:45:32.560 --> 00:45:36.840
I've kind of more just provided a bunch of context to the release managers about things

00:45:36.840 --> 00:45:37.600
that I want to see.

00:45:37.600 --> 00:45:41.500
Like if I were to do this myself, this is the other things I'm interested in, right?

00:45:42.060 --> 00:45:46.060
Provided that you actually had access to a macOS system.

00:45:46.060 --> 00:45:50.960
I'm sure you could do it all from the CLI because, for example, for the Talk Python courses apps,

00:45:50.960 --> 00:45:52.980
we use Flutter and you just say Flutter run.

00:45:52.980 --> 00:45:59.260
And it compiles that iOS or macOS version somehow through the command line.

00:45:59.260 --> 00:46:04.760
And then like out comes a thing that is already deployed onto a simulator or something, right?

00:46:04.760 --> 00:46:06.520
So it could happen.

00:46:06.520 --> 00:46:12.420
I mean, there is some hosting, but it's kind of like, here's your Mac mini in the cloud.

00:46:12.420 --> 00:46:16.640
Yeah, I mean, GitHub Actions supports macOS.

00:46:16.640 --> 00:46:17.440
Does it?

00:46:17.440 --> 00:46:17.700
Okay.

00:46:17.700 --> 00:46:19.560
So possibly, yeah.

00:46:19.560 --> 00:46:20.680
Maybe it could happen.

00:46:20.940 --> 00:46:24.540
I'm not saying it has to, I'm just, it was kind of a striking difference that one is like

00:46:24.540 --> 00:46:26.720
a CI/CD process and one is local and manual.

00:46:26.720 --> 00:46:27.240
Yeah.

00:46:27.240 --> 00:46:34.600
Actually, Windows is the most repeatable, most like actually isolated from any, from the,

00:46:34.600 --> 00:46:36.180
just the machine itself, right?

00:46:36.180 --> 00:46:37.320
The release manager themselves.

00:46:37.320 --> 00:46:38.260
So, yeah.

00:46:38.260 --> 00:46:39.360
Yeah, that's pretty interesting.

00:46:39.360 --> 00:46:43.020
And then we have binaries and they get published and everybody is happy.

00:46:43.020 --> 00:46:45.100
We all go and install it.

00:46:45.100 --> 00:46:47.420
And it's been in testing for quite a while, right?

00:46:47.420 --> 00:46:48.900
Like we've had a bunch of betas.

00:46:48.900 --> 00:46:49.620
We had alphas.

00:46:49.780 --> 00:46:54.460
We have had three release candidates and on Monday we'll have a dot zero.

00:46:54.460 --> 00:46:55.240
It's exciting.

00:46:55.240 --> 00:46:56.100
It's really exciting.

00:46:56.100 --> 00:46:57.120
It is exciting.

00:46:57.120 --> 00:47:02.660
The other question I would ask you is like, what is the time from like step one to step

00:47:02.660 --> 00:47:03.020
10?

00:47:03.020 --> 00:47:05.300
How much clock time has passed?

00:47:05.300 --> 00:47:05.860
Wall time.

00:47:05.860 --> 00:47:10.920
I would say that it is on, it's on the scale of hours.

00:47:11.140 --> 00:47:15.020
It's not like a day, which is kind of incredible, right?

00:47:15.820 --> 00:47:21.080
The fact that you get three volunteers together to do a bunch of all of this stuff.

00:47:21.080 --> 00:47:22.660
And it only takes a couple hours.

00:47:23.100 --> 00:47:27.700
It obviously depends on how many problems you run into on the way, because if you like get

00:47:27.700 --> 00:47:31.320
to the very end and then there's a problem that you find in testing, like you have to kind

00:47:31.320 --> 00:47:38.000
of start over, but yeah, if everything goes to plan, which has happened, I've coordinated security.

00:47:38.000 --> 00:47:42.920
Like there were a couple of security fixes that were in 3.11.5 that I coordinated.

00:47:42.920 --> 00:47:49.060
And yeah, I got to kind of witness the, okay, we've decided we're making a security release to the actual.

00:47:49.060 --> 00:47:49.940
It's out there.

00:47:49.940 --> 00:47:51.520
We can now talk about the vulnerabilities.

00:47:51.520 --> 00:47:52.460
Yeah.

00:47:52.520 --> 00:47:54.280
Was that the int parsing thing?

00:47:54.280 --> 00:47:56.940
It was the, what was it?

00:47:56.940 --> 00:48:00.420
There was an int parsing, or was it int parsing?

00:48:00.420 --> 00:48:01.380
No, it wasn't int parsing.

00:48:01.380 --> 00:48:02.360
Really long ints.

00:48:02.360 --> 00:48:02.880
I don't know.

00:48:02.880 --> 00:48:03.840
No, that's a different one.

00:48:03.840 --> 00:48:09.480
No, it was, there was a TLS, and this one sounds really scary.

00:48:09.480 --> 00:48:10.680
It's not as scary.

00:48:10.680 --> 00:48:16.220
It's a TLS bypass on the server side.

00:48:16.220 --> 00:48:23.800
So like if the client is supposed to be authenticated, for example, if you're using mTLS, you can,

00:48:23.800 --> 00:48:30.080
if you like send a handshake and then immediately close your socket, you can get lucky during like a,

00:48:30.080 --> 00:48:35.980
a brief period of time where the socket on the other side, like the server socket will say like,

00:48:35.980 --> 00:48:37.180
oh, it's closed.

00:48:37.180 --> 00:48:38.140
So it's fine.

00:48:38.140 --> 00:48:38.460
Right.

00:48:38.460 --> 00:48:45.160
And the data that whatever you sent over the wire won't, will still be readable, but then the

00:48:45.160 --> 00:48:46.780
handshake hasn't actually like completed.

00:48:46.780 --> 00:48:49.580
And so that sounds like scary, right?

00:48:49.580 --> 00:48:56.240
But it's, it's, it's actually not as bad because so many protocols, well, for one, so many protocols

00:48:56.240 --> 00:48:58.940
don't even use client authentication at all.

00:48:58.940 --> 00:49:00.800
So that's one huge point.

00:49:00.800 --> 00:49:07.240
The other side of it is that all protocols that people do end up using like mutual TLS with

00:49:07.240 --> 00:49:13.860
are protocols that like, you have to like send something back to, so like HTTP, for example,

00:49:14.200 --> 00:49:15.700
you have to send something back.

00:49:15.700 --> 00:49:17.780
And at that point the socket is closed.

00:49:17.780 --> 00:49:20.180
And so it can't send the data back.

00:49:20.180 --> 00:49:22.620
So there's like no data exfiltration.

00:49:22.620 --> 00:49:26.880
It's a pretty narrow scope of like what's actually vulnerable.

00:49:26.880 --> 00:49:31.520
But yes, the fix for that vulnerability is in 3.11.5.

00:49:31.520 --> 00:49:34.020
And there's another one too, but it's, it's a little bit more minor.

00:49:34.020 --> 00:49:39.260
Well, we'll start fresh with 3.12 and hopefully you will not have to witness one of these releases.

00:49:39.360 --> 00:49:44.940
Honestly, they're given how large CPython is and how wide ranging it, its standard library

00:49:44.940 --> 00:49:45.680
attempts to be.

00:49:45.680 --> 00:49:48.240
It's, it does not have many vulnerabilities.

00:49:48.240 --> 00:49:50.480
I mean, you go look at like a web browser upgrade.

00:49:50.480 --> 00:49:55.300
It's like, here's the 27, like remote code execution vulnerability.

00:49:55.300 --> 00:49:59.180
Maybe not quite that many, but here's the 27 security fixes this month.

00:49:59.180 --> 00:49:59.620
You know?

00:49:59.980 --> 00:50:00.100
Yeah.

00:50:00.100 --> 00:50:03.000
We've maybe, maybe it's a little more front of mind right now.

00:50:03.000 --> 00:50:07.740
Now that like Chrome is on their fifth zero day of the week, but yeah, it's, it's pretty

00:50:07.740 --> 00:50:09.140
tough week for Chrome right now.

00:50:09.140 --> 00:50:09.380
Yeah.

00:50:09.380 --> 00:50:11.100
And Firefox and the rest of us.

00:50:11.100 --> 00:50:11.640
Yeah.

00:50:11.640 --> 00:50:12.880
Yeah, for sure.

00:50:12.880 --> 00:50:19.280
Let's see, another comment from Frank says Sigstore and GPG seem a bit at the

00:50:19.280 --> 00:50:20.180
end of the process.

00:50:20.180 --> 00:50:25.180
Considering these are built locally in some cases, how does one guarantee the signed sources

00:50:25.180 --> 00:50:26.240
are still right?

00:50:26.700 --> 00:50:27.140
Yeah.

00:50:27.140 --> 00:50:30.280
So this is kind of getting to the, like, I agree with you.

00:50:30.280 --> 00:50:33.320
How, how does one, how does one track that they're still right?

00:50:33.320 --> 00:50:39.500
So they, they get uploaded to python.org and at that point they're kind of like in a

00:50:39.500 --> 00:50:41.660
holding pattern for testing.

00:50:41.660 --> 00:50:44.300
And so those binaries are there, they're on python.org.

00:50:44.300 --> 00:50:46.280
They've got, you know, the hashes have already been taken.

00:50:46.280 --> 00:50:48.960
Then the testing happens.

00:50:48.960 --> 00:50:53.680
So like anything that happens between that and the Sigstore signing, like, yeah, at that point

00:50:53.680 --> 00:50:56.640
it's kind of protected, but yeah, there is this really big dwell time.

00:50:56.640 --> 00:51:02.900
Where you just have artifacts sitting on someone's machine and they're going to get signed and

00:51:02.900 --> 00:51:03.660
sent out the door.

00:51:03.660 --> 00:51:06.840
And that's kind of like the due diligence of release managers.

00:51:06.840 --> 00:51:10.460
They need to make sure that those are the right artifacts that they've been tested properly,

00:51:10.460 --> 00:51:14.160
that the ones that you tested locally are the ones that are going to get ended up being

00:51:14.160 --> 00:51:14.660
signed.

00:51:14.660 --> 00:51:15.960
Yeah.

00:51:16.060 --> 00:51:21.160
And so this is something, this is like a, a piece of the whole puzzle that gets mitigated

00:51:21.160 --> 00:51:26.440
by having those builds happen on external services, as opposed to on someone's local machine.

00:51:26.440 --> 00:51:28.360
Because at that point you're just giving, yeah.

00:51:28.540 --> 00:51:28.760
Yeah.

00:51:28.760 --> 00:51:33.520
You're just giving this like set of scripts, like very, very narrow set of input.

00:51:33.520 --> 00:51:38.180
Like I want this exact git commit and this version number to get built.

00:51:38.180 --> 00:51:42.920
And then out pops like a tar ball that's already been signed and verified and everything.

00:51:42.920 --> 00:51:45.420
And then from there, you just put that on python.org.

00:51:45.420 --> 00:51:45.700
Right.

00:51:45.700 --> 00:51:47.920
Like that, that is a lot less.

00:51:47.920 --> 00:51:51.860
there's a lot less of that risk where it's just on someone's machine.

00:51:51.860 --> 00:51:55.540
And how, how do, how does one know that that is the exact thing that they built?

00:51:55.540 --> 00:51:56.720
It's, it's not provable.

00:51:56.720 --> 00:51:57.200
Yeah.

00:51:57.200 --> 00:51:59.500
What about virtual machines for these gray boxes?

00:51:59.500 --> 00:52:02.400
I mean, obviously the Azure one, that's, that's its own thing.

00:52:02.400 --> 00:52:09.300
But have you considered like a, a Docker or an official just RLLs VM and go like, here,

00:52:09.300 --> 00:52:11.100
take this, run that.

00:52:11.100 --> 00:52:11.740
You know what I mean?

00:52:11.740 --> 00:52:13.120
Yeah.

00:52:13.120 --> 00:52:17.400
To make it a little less dependent on the person whose role it is that year.

00:52:17.400 --> 00:52:21.740
It definitely would help with the reproducibility side of things because as we know,

00:52:21.800 --> 00:52:24.240
Docker is just the whole machine shipped in a box.

00:52:24.240 --> 00:52:24.480
Right.

00:52:24.480 --> 00:52:25.000
Yeah.

00:52:25.000 --> 00:52:29.440
So yeah, in, in theory, if you build the same thing again, in that exact same image,

00:52:29.440 --> 00:52:31.420
you would end up getting a pretty similar result.

00:52:31.420 --> 00:52:33.800
So it helps on that front, which, which is good.

00:52:33.800 --> 00:52:38.140
I think the tough thing is, is that you don't, you still don't have control of the

00:52:38.140 --> 00:52:39.880
inputs and the output.

00:52:39.880 --> 00:52:44.460
You also still don't have like this, like it comes out of the Docker container.

00:52:44.460 --> 00:52:45.260
You get a tar ball.

00:52:45.260 --> 00:52:49.480
There's still that time in between when the tar ball is out of the container and when it's

00:52:49.480 --> 00:52:54.360
actually on python.org where it's on someone's machine that is not in a container.

00:52:54.360 --> 00:53:00.020
And containers also aren't the best in terms of like, you, you did mention virtual

00:53:00.020 --> 00:53:07.120
machines as well, but even, even that like on a machine that is a high value target,

00:53:07.120 --> 00:53:08.620
you know, maybe it's worth it.

00:53:08.620 --> 00:53:09.000
Who knows?

00:53:09.000 --> 00:53:09.600
Yeah.

00:53:09.600 --> 00:53:10.120
Yeah.

00:53:10.120 --> 00:53:10.480
Who knows?

00:53:10.480 --> 00:53:11.140
All right.

00:53:11.140 --> 00:53:15.360
Well, it's pretty interesting and, it's, it's happening Monday.

00:53:15.360 --> 00:53:16.880
So very exciting.

00:53:16.880 --> 00:53:19.980
And I'm, I'm looking forward to all the new work.

00:53:19.980 --> 00:53:24.500
I mean, are there new features in 3.12 that you are particularly excited about?

00:53:24.500 --> 00:53:30.420
You know, I, since being in this role, I actually haven't been paying attention to Python releases

00:53:30.420 --> 00:53:32.300
as much Python features as much.

00:53:32.360 --> 00:53:34.560
I'm, I'm mostly excited about it getting faster.

00:53:34.560 --> 00:53:37.160
I mean, the generic, it's just straight up faster.

00:53:37.160 --> 00:53:40.120
Like there's no one on the planet that's not happy about that.

00:53:40.120 --> 00:53:43.260
What are the major features this, this release?

00:53:43.280 --> 00:53:46.380
So there's like a, some more broad f-string thing.

00:53:46.380 --> 00:53:49.680
So you used to be able to have a subset of the language in the f-string.

00:53:49.680 --> 00:53:51.720
And now you can kind of like program in the f-string.

00:53:51.720 --> 00:53:55.980
I believe, type statement is better generic types.

00:53:55.980 --> 00:53:56.300
Yeah.

00:53:56.300 --> 00:54:00.660
There's like a, a simpler way to express generics and the type system.

00:54:00.660 --> 00:54:05.480
And then I'm with you, you know, honestly, like f-strings being nicer.

00:54:05.480 --> 00:54:06.280
That's awesome.

00:54:06.280 --> 00:54:07.140
Thanks for that.

00:54:07.200 --> 00:54:09.980
But faster, faster, faster is good.

00:54:09.980 --> 00:54:14.080
This per-interpreter GIL is kind of part of that faster CPython thing, right?

00:54:14.080 --> 00:54:18.760
Like it's hard to leverage, but if you could just say in your threads, new interpreter for

00:54:18.760 --> 00:54:19.720
this bit, right?

00:54:19.720 --> 00:54:23.540
All of a sudden you escape the GIL for computational stuff.

00:54:23.540 --> 00:54:24.400
That'd be pretty interesting.

00:54:24.400 --> 00:54:27.860
But you know, also this, this is another interesting thing.

00:54:27.860 --> 00:54:31.300
If you pull up this list, like the size of the scroll bar, I don't know.

00:54:31.760 --> 00:54:33.500
We were talking about scary scroll bars earlier.

00:54:33.500 --> 00:54:35.360
Like this is next level.

00:54:35.360 --> 00:54:36.120
Let me see.

00:54:36.120 --> 00:54:38.140
I'm going to, I'll throw this into Omnivore.

00:54:38.140 --> 00:54:39.480
Are you a fan of Omnivore?

00:54:39.480 --> 00:54:40.140
This app?

00:54:40.140 --> 00:54:40.880
Omnivore.

00:54:40.880 --> 00:54:41.860
Never heard of it.

00:54:41.860 --> 00:54:42.540
What is it?

00:54:42.540 --> 00:54:44.020
Omnivore.app.

00:54:44.020 --> 00:54:46.060
Kind of a Instapaper pocket replacement.

00:54:46.060 --> 00:54:47.160
Oh, I'm already logged into it.

00:54:47.160 --> 00:54:47.540
Look at that.

00:54:47.540 --> 00:54:49.660
Oh, super, super cool.

00:54:49.660 --> 00:54:52.280
So I go here and you say add a link.

00:54:52.280 --> 00:54:54.120
Actually, it just, I think it just went in there.

00:54:54.120 --> 00:54:54.520
Let's see.

00:54:54.520 --> 00:54:56.640
40 minutes just to read that what's new.

00:54:56.640 --> 00:54:58.360
That's what I was trying to pull.

00:54:58.360 --> 00:55:00.840
Oh, it just, yeah.

00:55:00.840 --> 00:55:02.040
It calculates that for you.

00:55:02.040 --> 00:55:03.760
It's like, it's going to take a while.

00:55:03.760 --> 00:55:07.740
So just a sense of like, what is new in Python 3.12?

00:55:07.740 --> 00:55:08.760
That's a ton, right?

00:55:08.760 --> 00:55:09.200
Yeah.

00:55:09.200 --> 00:55:13.700
A ton of stuff, like tons of fixes, tons of fixes and improvements.

00:55:13.700 --> 00:55:17.720
Mike, out in the audience, says python -m sqlite3 is nifty.

00:55:17.720 --> 00:55:19.800
Mike, you're going to have to tell me more about this.

00:55:19.800 --> 00:55:22.800
Does that, does that open up a database now?

00:55:22.800 --> 00:55:23.740
That would be lovely.

00:55:23.740 --> 00:55:24.320
Yeah.

00:55:24.320 --> 00:55:25.260
That would be cool.

00:55:25.260 --> 00:55:26.700
Kind of like the HTTP server.

00:55:26.700 --> 00:55:27.360
Yes.

00:55:27.360 --> 00:55:28.000
Yeah.

00:55:28.220 --> 00:55:29.260
With the JSON tool.

00:55:29.260 --> 00:55:31.100
The JSON tool is the one I use the most.

00:55:31.100 --> 00:55:31.960
What's that one do?

00:55:31.960 --> 00:55:35.120
So you can like pipe JSON into it and it'll just make it pretty.

00:55:35.120 --> 00:55:39.980
It's pretty, it's questionable how useful it is, but it sure does make pretty JSON.

00:55:39.980 --> 00:55:40.620
Yeah.

00:55:40.620 --> 00:55:42.640
Which I really appreciate.

00:55:42.640 --> 00:55:44.980
Like two, two space indented JSON.

00:55:44.980 --> 00:55:46.520
That is, that's perfect.

00:55:46.520 --> 00:55:47.140
Indeed.

00:55:47.140 --> 00:55:47.620
All right.

00:55:47.620 --> 00:55:50.620
One more comment from the audience and then we'll maybe wrap it up.

00:55:50.620 --> 00:56:01.920
Karen says, let me, she's clarifying above like VM Docker for less, less changes and better reproducibility.

00:56:01.920 --> 00:56:10.020
VM Docker for less heterogeneity reproducibility than the current situation, which is affected by a given user's environment.

00:56:10.020 --> 00:56:10.260
Yeah.

00:56:10.260 --> 00:56:15.480
Like what web browser did you install today or something completely unrelated or, you know,

00:56:15.480 --> 00:56:23.360
or like you upgrade, if it's your personal machine and you're using tools, like if you upgrade those tools, it could pull some other system dependency.

00:56:23.360 --> 00:56:23.640
Right.

00:56:23.640 --> 00:56:31.560
That ends up being relevant to the build of CPython and yeah, it's just, there's just so much that could be different over the course of even a few days.

00:56:31.560 --> 00:56:32.100
Yeah.

00:56:32.100 --> 00:56:32.640
Yeah.

00:56:32.640 --> 00:56:36.980
Which is why it's interesting that the windows one goes to Azure pipelines.

00:56:36.980 --> 00:56:39.500
Cause it kind of pulls, puts that to the side, right?

00:56:39.500 --> 00:56:39.920
Yeah.

00:56:39.920 --> 00:56:40.760
All right, Seth.

00:56:40.760 --> 00:56:46.500
Well, this has been super, super interesting and thanks for giving us a look into this world.

00:56:46.500 --> 00:56:48.580
So yeah, very, very excellent.

00:56:48.580 --> 00:56:51.360
And I guess, you know, final two questions.

00:56:51.360 --> 00:56:52.600
You can write some Python code.

00:56:52.600 --> 00:56:54.080
What editor using these days?

00:56:54.080 --> 00:56:55.360
Oh yeah.

00:56:55.360 --> 00:56:56.440
I'm using PyCharm.

00:56:56.440 --> 00:56:58.520
I, I love PyCharm specifically.

00:56:58.520 --> 00:57:01.900
You know, the, I have the, what is it?

00:57:01.900 --> 00:57:07.700
I had the professional edition for a good long while and then I let that subscription lapse and I need to just redo it.

00:57:07.700 --> 00:57:11.780
But so I'm using the community edition right now, but yeah, I love PyCharm so much.

00:57:11.780 --> 00:57:12.920
So really good editor.

00:57:12.920 --> 00:57:13.560
Awesome.

00:57:13.560 --> 00:57:14.220
I'm there with you.

00:57:14.220 --> 00:57:20.340
And then notable PyPI package, something that I already talked about these.

00:57:20.340 --> 00:57:22.500
I, so pip-audit, just use pip-audit.

00:57:22.500 --> 00:57:24.460
There's so much work happening somewhere.

00:57:24.460 --> 00:57:30.220
With pip-audit that it, it just makes sense for you to use it because there's just a ton of work happening.

00:57:30.220 --> 00:57:36.560
And if you just add it to your workflow, you'll just know that things are vulnerable or like what's vulnerable and like what versions you should update to.

00:57:36.560 --> 00:57:37.060
Yeah.

00:57:37.060 --> 00:57:44.280
I already have some tooling that like some aliases that do three or four steps to actually update my dependencies and install them.

00:57:44.280 --> 00:57:49.000
Like I might as well just throw this in as like another step and, and pip-audit.

00:57:49.000 --> 00:57:49.500
Yeah.

00:57:49.500 --> 00:57:58.120
And you can actually, so you can, I think there's a way that you can tell pip audit to install packages, but then it will like say something.

00:57:58.120 --> 00:58:00.960
If there is a vulnerability in whatever you're installing.

00:58:00.960 --> 00:58:01.360
Right.

00:58:01.360 --> 00:58:05.000
So like you can even replace like use pip audit.

00:58:05.280 --> 00:58:06.440
I think that that is a feature.

00:58:06.440 --> 00:58:07.200
All right.

00:58:07.200 --> 00:58:07.840
I think so.

00:58:07.840 --> 00:58:09.040
It has a features thing.

00:58:09.040 --> 00:58:09.600
Let me look at it.

00:58:09.600 --> 00:58:10.580
Oh, let's see it.

00:58:10.580 --> 00:58:12.460
Oh, it's not going to work because it's not the README.

00:58:12.460 --> 00:58:14.360
It's true.

00:58:14.360 --> 00:58:17.160
I got to, got to go to the homepage, which will take some here.

00:58:17.160 --> 00:58:17.960
So I got to go to the source.

00:58:20.040 --> 00:58:21.100
No, where's the GitHub?

00:58:21.100 --> 00:58:22.300
Let me go to the stars.

00:58:22.300 --> 00:58:22.880
All right.

00:58:22.880 --> 00:58:23.200
You know what?

00:58:23.200 --> 00:58:24.680
Maybe I don't want to click this thing.

00:58:24.680 --> 00:58:25.240
Features.

00:58:25.240 --> 00:58:25.900
There we go.

00:58:25.900 --> 00:58:27.140
Multiple emitting.

00:58:27.140 --> 00:58:31.800
We haven't talked about SBOMs, but seamlessly reusing.

00:58:31.800 --> 00:58:33.740
Yeah.

00:58:33.740 --> 00:58:36.540
If it reuses the pip caches, maybe, maybe, maybe.

00:58:36.540 --> 00:58:37.060
All right.

00:58:37.060 --> 00:58:38.580
I'll play with it.

00:58:38.580 --> 00:58:38.940
We'll see.

00:58:38.940 --> 00:58:39.880
People can check it out.

00:58:39.880 --> 00:58:40.880
Citation needed.

00:58:40.880 --> 00:58:42.020
Citation needed.

00:58:42.020 --> 00:58:42.980
Exactly.

00:58:42.980 --> 00:58:43.840
Citation needed.

00:58:43.840 --> 00:58:44.300
That's right.

00:58:44.300 --> 00:58:44.920
All right.

00:58:44.920 --> 00:58:45.960
Well, yeah.

00:58:45.960 --> 00:58:47.000
People check out pip audit.

00:58:47.000 --> 00:58:47.940
That looks excellent.

00:58:47.940 --> 00:58:49.240
And yeah.

00:58:49.240 --> 00:58:50.020
Final call to action.

00:58:50.360 --> 00:58:51.580
People are interested in this.

00:58:51.580 --> 00:58:57.080
I mean, give a thought to it on Monday, theoretically, at least in the past, if you've listened too

00:58:57.080 --> 00:58:59.140
far in the future, but you know, the next release.

00:58:59.140 --> 00:58:59.780
Yeah.

00:58:59.780 --> 00:59:04.440
No, I think the biggest, so in terms of like, what can you personally do?

00:59:04.440 --> 00:59:08.120
Because like, there's just, I just talked about so much stuff that is just kind of happening

00:59:08.120 --> 00:59:11.580
in the background, but there's also stuff that like individual people can do.

00:59:11.580 --> 00:59:17.920
And the most impactful URL that you can visit for security, if you're an open source consumer

00:59:17.920 --> 00:59:20.260
or like a maintainer, like it doesn't matter.

00:59:20.260 --> 00:59:21.460
This is just going to be impactful.

00:59:21.460 --> 00:59:26.480
If you work in software is best.openssf.org.

00:59:26.560 --> 00:59:31.980
So that is basically just like a webpage and it just has a few URLs and you click into

00:59:31.980 --> 00:59:36.460
any of those URLs and it's just gives you like a checklist of here's things to think

00:59:36.460 --> 00:59:36.720
about.

00:59:36.720 --> 00:59:40.400
Here's, and then if you click into those checklist items, it gives you, it's kind of like this

00:59:40.400 --> 00:59:46.140
recursive, nice, like guiding force of like, here's the things you could be doing.

00:59:46.140 --> 00:59:46.600
Right.

00:59:46.720 --> 00:59:50.900
And if you want to dig in more concise guide for developing more secure software, in other

00:59:50.900 --> 00:59:54.220
words, npm best practices and so on.

00:59:54.220 --> 00:59:54.440
Yeah.

00:59:54.440 --> 00:59:54.900
Excellent.

00:59:54.900 --> 00:59:55.540
Yeah.

00:59:55.540 --> 01:00:00.780
I'm hoping to put a like Python best practices guide there by the end of my, by the end of

01:00:00.780 --> 01:00:02.220
the, the year that I'm here.

01:00:02.220 --> 01:00:03.400
So don't you worry.

01:00:03.400 --> 01:00:04.080
Look forward to that.

01:00:04.080 --> 01:00:05.080
Excellent.

01:00:05.080 --> 01:00:05.900
I'll be right there.

01:00:05.900 --> 01:00:08.140
We'll get it above on the, on the list.

01:00:08.140 --> 01:00:08.800
Yeah.

01:00:08.800 --> 01:00:12.460
It'll, it'll somehow not sort alphabetically and it'll be okay.

01:00:14.540 --> 01:00:15.920
Tip the scales a little bit.

01:00:15.920 --> 01:00:17.240
Cool.

01:00:17.240 --> 01:00:18.860
Well, thank you for being here, Seth.

01:00:18.860 --> 01:00:19.360
Thank you.

01:00:19.360 --> 01:00:20.900
And thank you for all this hard work that you're doing.

01:00:20.900 --> 01:00:22.640
It's, it's good to know that you're out there.

01:00:22.640 --> 01:00:24.660
keep an eye on all these things.

01:00:24.660 --> 01:00:24.820
Thank you.

01:00:24.820 --> 01:00:26.560
Thank you so much for having me on the show.

01:00:26.560 --> 01:00:27.380
This has been lovely.

01:00:27.380 --> 01:00:28.500
Yeah, you bet.

01:00:28.500 --> 01:00:29.360
Catch you next time.

01:00:29.360 --> 01:00:29.700
Bye.

01:00:29.700 --> 01:00:33.640
This has been another episode of Talk Python To Me.

01:00:33.640 --> 01:00:35.460
Thank you to our sponsors.

01:00:35.460 --> 01:00:37.040
Be sure to check out what they're offering.

01:00:37.040 --> 01:00:38.460
It really helps support the show.

01:00:38.460 --> 01:00:43.620
The folks over at JetBrains encourage you to get work done with PyCharm.

01:00:44.020 --> 01:00:49.180
PyCharm professional understands complex projects across multiple languages and technologies.

01:00:49.180 --> 01:00:54.840
So you can stay productive while you're writing Python code and other code like HTML or SQL.

01:00:54.840 --> 01:00:59.980
Download your free trial at talkpython.fm/done-with-pycharm.

01:00:59.980 --> 01:01:02.060
Want to level up your Python?

01:01:02.060 --> 01:01:06.200
We have one of the largest catalogs of Python video courses over at Talk Python.

01:01:06.200 --> 01:01:11.280
Our content ranges from true beginners to deeply advanced topics like memory and async.

01:01:11.680 --> 01:01:13.960
And best of all, there's not a subscription in sight.

01:01:13.960 --> 01:01:16.840
Check it out for yourself at training.talkpython.fm.

01:01:16.840 --> 01:01:18.760
Be sure to subscribe to the show.

01:01:18.760 --> 01:01:21.540
Open your favorite podcast app and search for Python.

01:01:21.540 --> 01:01:22.840
We should be right at the top.

01:01:22.840 --> 01:01:28.000
You can also find the iTunes feed at /itunes, the Google Play feed at /play,

01:01:28.000 --> 01:01:32.220
and the direct RSS feed at /rss on talkpython.fm.

01:01:33.160 --> 01:01:35.660
We're live streaming most of our recordings these days.

01:01:35.660 --> 01:01:39.060
If you want to be part of the show and have your comments featured on the air,

01:01:39.060 --> 01:01:43.480
be sure to subscribe to our YouTube channel at talkpython.fm/youtube.

01:01:43.480 --> 01:01:45.340
This is your host, Michael Kennedy.

01:01:45.340 --> 01:01:46.620
Thanks so much for listening.

01:01:46.620 --> 01:01:47.800
I really appreciate it.

01:01:48.040 --> 01:01:49.700
Now get out there and write some Python code.

01:01:49.700 --> 01:02:10.360
I'll see you next time.

01:02:10.360 --> 01:02:40.340
Thank you.