WEBVTT

00:00:00.001 --> 00:00:05.600
Every year, the core developers meet to discuss and propose the major changes and trends in Python itself.

00:00:05.600 --> 00:00:11.640
This invite-only conference of about 50 people happens inside PyCon in the U.S.

00:00:11.640 --> 00:00:15.200
Because it's private, we rarely get detailed looks inside this event.

00:00:15.200 --> 00:00:21.160
On this episode, we have Seth Michael Larson here to give us his account of the sessions and proposals.

00:00:21.160 --> 00:00:24.820
It's a unique look into the zeitgeist of CPython.

00:00:25.240 --> 00:00:31.260
This is Talk Python To Me, episode 475, recorded August 22, 2024.

00:00:31.260 --> 00:00:33.620
Are you ready for your host?

00:00:33.620 --> 00:00:37.900
You're listening to Michael Kennedy on Talk Python To Me.

00:00:37.900 --> 00:00:41.580
Live from Portland, Oregon, and this segment was made with Python.

00:00:41.580 --> 00:00:47.660
Welcome to Talk Python To Me, a weekly podcast on Python.

00:00:47.660 --> 00:00:49.900
This is your host, Michael Kennedy.

00:00:49.900 --> 00:00:55.220
Follow me on Mastodon, where I'm @mkennedy, and follow the podcast using @talkpython.

00:00:55.400 --> 00:00:58.240
Both accounts over at fosstodon.org.

00:00:58.240 --> 00:01:03.140
And keep up with the show and listen to over nine years of episodes at talkpython.fm.

00:01:03.140 --> 00:01:07.640
If you want to be part of our live episodes, you can find the live streams over on YouTube.

00:01:07.640 --> 00:01:13.960
Subscribe to our YouTube channel over at talkpython.fm/youtube and get notified about upcoming shows.

00:01:14.260 --> 00:01:18.000
This episode is sponsored by Posit Connect from the makers of Shiny.

00:01:18.000 --> 00:01:22.500
Publish, share, and deploy all of your data projects that you're creating using Python.

00:01:22.500 --> 00:01:28.960
Streamlit, Dash, Shiny, Bokeh, FastAPI, Flask, Quarto, Reports, Dashboards, and APIs.

00:01:28.960 --> 00:01:31.360
Posit Connect supports all of them.

00:01:31.360 --> 00:01:35.720
Try Posit Connect for free by going to talkpython.fm/posit.

00:01:35.720 --> 00:01:37.020
P-O-S-I-T.

00:01:37.740 --> 00:01:41.440
And it's also brought to you by us over at Talk Python Training.

00:01:41.440 --> 00:01:46.060
Did you know that we have over 250 hours of Python courses?

00:01:46.060 --> 00:01:47.240
Yeah, that's right.

00:01:47.240 --> 00:01:49.880
Check them out at talkpython.fm/courses.

00:01:49.880 --> 00:01:51.280
Hey, Seth.

00:01:51.280 --> 00:01:52.720
Welcome back to Talk Python To Me.

00:01:52.720 --> 00:01:53.440
Hey, Michael.

00:01:53.440 --> 00:01:54.820
Awesome to have you here.

00:01:55.360 --> 00:02:05.580
I'm really excited to get a look into the zeitgeist of the core devs and the people building Python for us through the Python Language Summit.

00:02:05.580 --> 00:02:06.840
Yeah, let's do it.

00:02:06.840 --> 00:02:07.980
Let's do it.

00:02:07.980 --> 00:02:13.440
So we're going to talk about the 2024 Language Summit that happened in Pittsburgh.

00:02:13.440 --> 00:02:20.800
It's like an embedded mini conference inside of PyCon, which is smart rather than trying to travel all over.

00:02:21.120 --> 00:02:28.060
But before we get into that and all those things, I know you've been on the show not too long ago, but for those who may have missed your introductions, you know, who are you?

00:02:28.060 --> 00:02:29.500
What do you do for Python these days?

00:02:29.500 --> 00:02:37.580
I'm Seth Larson, and I've been working at the Python Software Foundation for a little over a year now as the security developer in residence.

00:02:37.580 --> 00:02:43.280
And so that means that I do a lot of stuff related to security just for the entire Python ecosystem.

00:02:43.280 --> 00:02:52.120
That's CPython, pip, packaging ecosystem, like outwardly facing things for PyPI, maybe not as much the internals.

00:02:52.120 --> 00:02:55.340
I leave that for Mike Fiedler, the PyPI safety and security engineer.

00:02:55.340 --> 00:03:01.520
And I maintain a lot of open source projects specifically in like the HTTP and internet space.

00:03:01.520 --> 00:03:05.060
So like requests, urllib3, truststore, things like that.

00:03:05.060 --> 00:03:05.840
Oh, awesome.

00:03:05.840 --> 00:03:06.260
Yeah.

00:03:06.260 --> 00:03:07.780
Thanks for everything you're doing there.

00:03:07.780 --> 00:03:10.120
And how's the role working out?

00:03:10.120 --> 00:03:14.080
I know this is one of you were the first person in this role, like officially, right?

00:03:14.080 --> 00:03:14.540
Is that true?

00:03:14.540 --> 00:03:15.380
That is true.

00:03:15.380 --> 00:03:15.620
Yeah.

00:03:15.620 --> 00:03:20.860
I was the first security oriented hire at the PSF.

00:03:20.860 --> 00:03:22.020
It's been going really great.

00:03:22.020 --> 00:03:28.360
I mean, I feel like we've made a lot of improvements and there's a lot of exciting stuff that I'm working on today.

00:03:28.860 --> 00:03:43.060
And I don't know, I think one of the things that also got highlighted, because this role exists, it just means that more people at the PSF and in CPython core team and just in the Python ecosystem in general are talking more about security.

00:03:43.060 --> 00:03:50.360
And like, that's just as important as the stuff that I'm doing day to day is that it's just, there's just more awareness of what's happening in security.

00:03:50.520 --> 00:03:50.680
Yeah.

00:03:50.680 --> 00:03:54.400
So I have two polar opposite thoughts here.

00:03:54.400 --> 00:04:07.700
One is I'm really surprised how few significant issues there are in Python, CPython, you know, the interpreter, the runtime, the standard library, all that.

00:04:07.700 --> 00:04:11.340
It's really rare that you get a red light splashing.

00:04:11.340 --> 00:04:14.880
Oh my gosh, go patch your systems now.

00:04:15.260 --> 00:04:15.340
Right.

00:04:15.340 --> 00:04:25.740
There's sometimes really minor things like this audit trail is not completely followed under this condition, but that's not a, the pager goes off and you know, cause you got, it's now a race.

00:04:25.740 --> 00:04:27.420
That's one thing.

00:04:27.420 --> 00:04:28.320
So that's awesome.

00:04:28.320 --> 00:04:28.540
Right.

00:04:28.540 --> 00:04:39.920
That the other is PyPI, typo squatting, all the, all the stuff that makes Python extra good, the half million packages and other shady things people do.

00:04:40.000 --> 00:04:50.220
And we're going to talk about this in the broader sense, not PyPI, but you know, in the open source space of like, well, what if, what if somebody took over a GitHub account for a little while or, or something?

00:04:50.220 --> 00:04:50.760
Yeah.

00:04:50.760 --> 00:04:57.400
So, and that, that's not on fire, but that's, there are battles being waged actively there.

00:04:57.400 --> 00:04:58.100
I would say, right?

00:04:58.100 --> 00:04:58.900
A hundred percent.

00:04:58.900 --> 00:05:00.120
So it's a contrast, right?

00:05:00.120 --> 00:05:05.600
There, I can speak with confidence that there is malware on PyPI right now as we speak, but like, yeah.

00:05:05.660 --> 00:05:07.020
So that's, that's the case, right?

00:05:07.020 --> 00:05:17.960
I think it really has to do with CPython is an incredibly mature project in like every sense of the word, like governance, security, design, all of these things.

00:05:17.960 --> 00:05:18.280
Right.

00:05:18.280 --> 00:05:25.000
And like, there's just a huge amount of people and resources being, being work, like working on CPython at any one moment.

00:05:25.000 --> 00:05:34.760
And like contrast that to the, you said half a million, you know, I tend to focus on the like 95% of downloads by totality.

00:05:34.760 --> 00:05:35.000
Right.

00:05:35.000 --> 00:05:40.920
Because there, there's a lot of projects on PyPI that maybe don't have the supply chain criticality of others.

00:05:40.920 --> 00:05:41.460
Right.

00:05:41.460 --> 00:05:42.560
But yeah, absolutely.

00:05:42.560 --> 00:05:43.200
A hundred percent.

00:05:43.200 --> 00:05:51.380
And when you, I think when you hone in on that smaller window of projects, it ends up being a much better picture than,

00:05:51.380 --> 00:05:53.820
I think it's, I think it's a hundred percent good picture.

00:05:53.820 --> 00:05:57.520
Honestly, there are legitimate bugs that people have to deal with.

00:05:57.520 --> 00:06:04.920
Like, you know, maybe there's a Django release that says we didn't validate the CSRF token in, in this particular form.

00:06:04.920 --> 00:06:06.340
So you should update your Django.

00:06:06.340 --> 00:06:06.580
Right.

00:06:06.580 --> 00:06:08.060
And that's, that's just a legit bug.

00:06:08.060 --> 00:06:10.820
That's not people attempting to do bad things.

00:06:10.820 --> 00:06:15.900
I mean, I can't even take really any credit for how secure and mature CPython is.

00:06:15.900 --> 00:06:21.540
I'm such a late addition in the life of CPython, and like PyPI projects.

00:06:21.540 --> 00:06:23.660
And so it really is the community.

00:06:23.660 --> 00:06:30.200
I think it is just, there's so much investment and so much love and care happening in all these projects that it does speak volumes.

00:06:30.200 --> 00:06:37.820
But that, I mean, that doesn't mean that we need to think that things need to be perfect or that it's necessarily a bad thing to have a vulnerability in a, in a project.

00:06:37.820 --> 00:06:43.660
Because there's projects that are even more mature than CPython that have vulnerabilities all the time.

00:06:43.660 --> 00:06:44.540
It's totally normal.

00:06:44.540 --> 00:06:48.020
I think the important thing is just like knowing what to do when that happens.

00:06:48.020 --> 00:06:49.100
And that's where I come in.

00:06:49.100 --> 00:06:50.000
Yeah.

00:06:50.000 --> 00:06:52.660
I don't want to belabor this because you know, the security angle.

00:06:52.660 --> 00:06:53.320
Wow.

00:06:53.320 --> 00:07:01.920
Interesting to me and central to what you're up to is not the topic, but I do think it's interesting that the White House recently came out.

00:07:01.920 --> 00:07:02.960
I think it was the White House.

00:07:02.960 --> 00:07:06.120
It said we recommend Python and a couple other languages.

00:07:06.120 --> 00:07:10.840
We basically, we, we recommend memory safe languages, which did you see that post?

00:07:10.840 --> 00:07:11.520
You must have, right?

00:07:11.520 --> 00:07:12.980
I certainly did.

00:07:12.980 --> 00:07:17.780
And I actually had a, a big part of recommending that to the White House.

00:07:17.780 --> 00:07:18.640
So when the.

00:07:18.640 --> 00:07:19.420
No kidding.

00:07:19.420 --> 00:07:20.160
I had no idea.

00:07:20.160 --> 00:07:20.680
Yeah.

00:07:20.680 --> 00:07:21.100
Yeah.

00:07:21.100 --> 00:07:28.720
So the PSF, we responded to the request for information that CISA put out, or the office of the cyber director put out.

00:07:28.720 --> 00:07:29.080
Yeah.

00:07:29.080 --> 00:07:30.440
I think a year and change ago.

00:07:30.440 --> 00:07:42.000
And in that post, we recommended CPython and Python in general as a memory safe language and went into all the details about like, yes, it's written in C, but like the language itself.

00:07:42.000 --> 00:07:45.160
What people will actually be programming in is Python.

00:07:45.160 --> 00:07:50.460
And we also emphasized how Python is a bridge into memory unsafe languages.

00:07:50.460 --> 00:08:00.120
And because of all the focus on performance lately, it's actually like sometimes in some cases more performant to keep the code written in Python as opposed to writing it in C.

00:08:00.120 --> 00:08:01.820
And so we emphasize a whole bunch of stuff.

00:08:01.820 --> 00:08:07.560
And so I think that that had a, a small percentage of, of the reason why that was recommended.

00:08:07.760 --> 00:08:10.660
Put it, put it, put it on the radar and positioned it correctly.

00:08:10.660 --> 00:08:11.020
Maybe.

00:08:11.020 --> 00:08:11.720
Exactly.

00:08:11.720 --> 00:08:12.320
Awesome.

00:08:12.320 --> 00:08:13.240
Well, congratulations.

00:08:13.240 --> 00:08:16.860
I was just going to say that's kind of interesting, but I'll join more to it than that.

00:08:16.860 --> 00:08:18.480
There's a lot happening behind the scenes.

00:08:18.480 --> 00:08:20.080
Yeah.

00:08:20.080 --> 00:08:20.320
Yeah.

00:08:20.320 --> 00:08:20.460
Yeah.

00:08:20.460 --> 00:08:20.880
Yeah.

00:08:20.880 --> 00:08:21.360
There is.

00:08:21.360 --> 00:08:21.960
All right.

00:08:21.960 --> 00:08:23.560
Shall we talk about this language summit thing?

00:08:23.560 --> 00:08:24.400
Let's do it.

00:08:24.400 --> 00:08:25.140
Let's do it.

00:08:25.140 --> 00:08:30.360
So, let's just, I mean, I gave it sort of a, a vague intro.

00:08:30.360 --> 00:08:34.280
You wrote a nice blog post about it here on the Python blog.

00:08:34.280 --> 00:08:38.680
just give us a sense of what the language summit, what is it for?

00:08:38.680 --> 00:08:42.400
Is this something is like an open space I can go to or not?

00:08:42.400 --> 00:08:42.880
No.

00:08:42.880 --> 00:08:50.460
So, so it is, it is a specific space for Python core developers, to use.

00:08:50.460 --> 00:08:55.880
And so I think the whole goal of this is to get a bunch of core developers in a room

00:08:55.880 --> 00:09:02.060
together to discuss things, and to kind of get some recommendations, some ideas flowing,

00:09:02.060 --> 00:09:08.200
uh, maybe without necessarily like having the full formed thought, right.

00:09:08.200 --> 00:09:11.920
Because like putting something out there, like completely radically changing the direction of

00:09:11.920 --> 00:09:16.360
Python, that that's, that's, that's a lot to put that out just publicly, whatever.

00:09:16.360 --> 00:09:21.120
And so this is like a place to collaborate for core developers and some special guests

00:09:21.120 --> 00:09:24.720
because they're not everyone that's there as a core developer, but it is invite.

00:09:24.720 --> 00:09:27.920
So you have to like apply to go and say why you want to go.

00:09:27.920 --> 00:09:28.760
And then, yeah.

00:09:28.760 --> 00:09:34.560
So it's not just folks who were, I can't remember if it was Sebastian Ramirez or Samuel Colvin

00:09:34.560 --> 00:09:35.960
or something around the typing thing.

00:09:35.960 --> 00:09:40.240
I remember some of those folks might've been at one of them because they're like, wait, we

00:09:40.240 --> 00:09:44.500
can't change typing to be more performant where it completely ignores the runtime stuff.

00:09:44.500 --> 00:09:45.420
Cause we have all these frameworks.

00:09:45.420 --> 00:09:45.960
Right.

00:09:45.960 --> 00:09:46.180
Right.

00:09:46.180 --> 00:09:46.340
Right.

00:09:46.340 --> 00:09:46.840
Yeah.

00:09:46.840 --> 00:09:47.220
Yeah.

00:09:47.220 --> 00:09:47.300
Yeah.

00:09:47.300 --> 00:09:51.580
But the language summit, it, it's a whole bunch of different, like submitted topics.

00:09:51.580 --> 00:09:55.460
People will talk and then there's discussion and some outcome.

00:09:55.460 --> 00:09:56.700
Maybe there's no outcome.

00:09:56.700 --> 00:09:58.760
Maybe there's like next steps.

00:09:58.760 --> 00:10:02.340
Maybe we solve some problems within the time of the meeting.

00:10:02.340 --> 00:10:07.860
And yeah, my job there was to, to actually like take down all the notes and write about

00:10:07.860 --> 00:10:09.200
it and like publish these blog posts.

00:10:09.200 --> 00:10:13.480
Cause one of the, one of the reasons why this is allowed to be like an invite only meeting is

00:10:13.480 --> 00:10:16.240
that there is someone who is basically taking.

00:10:16.240 --> 00:10:17.480
So I think it's a real careful balance.

00:10:17.480 --> 00:10:17.700
Yeah.

00:10:17.700 --> 00:10:17.800
Yeah.

00:10:17.800 --> 00:10:18.600
Yeah.

00:10:18.600 --> 00:10:19.840
And like, yeah.

00:10:19.840 --> 00:10:24.660
And like what happened during the discussion so that the community can learn about what

00:10:24.660 --> 00:10:28.960
actually happened without necessarily, you know, getting the rawness of it, I guess.

00:10:28.960 --> 00:10:29.440
Yeah.

00:10:29.440 --> 00:10:29.480
Yeah.

00:10:29.480 --> 00:10:31.480
There's a real careful balance.

00:10:31.480 --> 00:10:36.840
You got to strike between allowing the freedom to say whatever without public scrutiny.

00:10:36.840 --> 00:10:40.280
But at the same time, you don't want it to be like, well, the Python cabal met.

00:10:40.280 --> 00:10:41.380
They've decided.

00:10:41.380 --> 00:10:42.080
Exactly.

00:10:42.080 --> 00:10:44.600
They don't like, they don't like your idea or whatever.

00:10:44.600 --> 00:10:45.460
Exactly.

00:10:45.460 --> 00:10:47.100
Yeah.

00:10:47.100 --> 00:10:47.340
It's cool.

00:10:47.440 --> 00:10:49.260
So I'll point people up.

00:10:49.260 --> 00:10:50.780
Obviously it's going to be in the show notes.

00:10:50.780 --> 00:10:52.240
Point people at your writeup.

00:10:52.240 --> 00:10:54.560
It's like a meta post, I guess.

00:10:54.560 --> 00:10:55.400
Would you say that?

00:10:55.400 --> 00:10:58.460
It's, it talks about, you know, sort of landing page.

00:10:58.460 --> 00:10:59.680
Landing page.

00:10:59.680 --> 00:11:00.260
Exactly.

00:11:00.520 --> 00:11:03.380
Four, one, two, three, four, five, six, seven, eight, nine.

00:11:03.380 --> 00:11:07.500
And then nine topics and presentations that were covered.

00:11:07.500 --> 00:11:11.920
And then the lightning talks, which is also almost like another sub meta section.

00:11:11.920 --> 00:11:15.620
So there's a, there's a lot to explore here and there's nice write-ups on each of these.

00:11:15.620 --> 00:11:17.180
So where should we start?

00:11:17.180 --> 00:11:22.000
And we want to kind of wrap up the conversation we were just having, because that was actually

00:11:22.000 --> 00:11:25.160
a little bit of a topic at the language summit, right?

00:11:25.160 --> 00:11:26.000
Yeah.

00:11:26.000 --> 00:11:28.520
Security was definitely a topic at the language summit.

00:11:29.220 --> 00:11:35.740
This, this was somewhat in the, in the recent light, like the light of XZ when XZ had happened.

00:11:35.740 --> 00:11:42.520
Pablo, one of the release managers for CPython 3.10 and 3.11, I believe, brought this topic.

00:11:42.520 --> 00:11:49.860
And it was basically discussing Python's like contribution and release and all of that model

00:11:49.860 --> 00:11:51.260
in the light of XZ.

00:11:51.260 --> 00:11:54.320
So like XZ, I'll just go over really quickly.

00:11:54.320 --> 00:11:54.560
Yeah.

00:11:54.560 --> 00:11:54.720
Yeah.

00:11:54.720 --> 00:11:55.180
I'm sure.

00:11:55.180 --> 00:11:56.200
Tell people about XZ.

00:11:56.200 --> 00:11:56.680
Yeah.

00:11:56.680 --> 00:11:59.140
I'm sure a lot of people have like heard of it at this point.

00:11:59.140 --> 00:12:03.480
It was such a long game deal.

00:12:03.480 --> 00:12:04.620
It was crazy.

00:12:04.620 --> 00:12:05.060
So yeah.

00:12:05.060 --> 00:12:06.200
What is the scary part?

00:12:06.200 --> 00:12:07.660
What is xz-utils?

00:12:07.660 --> 00:12:10.440
And then what is the xz-utils security issue?

00:12:10.440 --> 00:12:10.920
Yeah.

00:12:10.920 --> 00:12:20.900
So xz-utils is a library written in C for basically processing archives of the XZ format, which is

00:12:20.900 --> 00:12:27.720
just a compression format, like gzip, like any other compression format, Zopfli, Brotli, all

00:12:27.720 --> 00:12:28.080
of those.

00:12:28.080 --> 00:12:33.340
And so this library was maintained by a single person, big surprise.

00:12:34.640 --> 00:12:38.540
And what is relatively little known, right?

00:12:38.540 --> 00:12:43.680
Before all of this happened, I would say it was probably just adding features, fixing bugs

00:12:43.680 --> 00:12:45.960
every once in a while, make a release and all of that.

00:12:46.520 --> 00:12:54.260
And what ended up happening is this project was identified as a project that had very few

00:12:54.260 --> 00:13:01.220
maintainers and also through a series of reasons had a linkage to SSH.

00:13:01.480 --> 00:13:02.940
And so what ended up happening?

00:13:02.940 --> 00:13:03.860
Yep.

00:13:03.860 --> 00:13:05.240
And so SSH was...

00:13:05.240 --> 00:13:09.340
If you can get into SSH and SSHD, then bad things are going to happen.

00:13:09.340 --> 00:13:09.920
Yeah.

00:13:09.920 --> 00:13:17.680
So the whole end goal of this entire operation was to get access to OpenSSH through like linking,

00:13:17.680 --> 00:13:18.160
basically.

00:13:18.640 --> 00:13:25.220
And so what ended up happening is a bunch of fake sock puppet accounts showed up after

00:13:25.220 --> 00:13:30.400
this lone maintainer indicated that they were having a little bit of trouble maintaining the

00:13:30.400 --> 00:13:32.700
project and like meeting user demands.

00:13:32.700 --> 00:13:38.720
Like these sock puppet accounts show up like days before they were actually used and all kind

00:13:38.720 --> 00:13:40.900
of in similar fashion, right?

00:13:40.900 --> 00:13:46.640
And basically are pressuring this maintainer to either make them feel like they're not doing

00:13:46.640 --> 00:13:49.860
a good job or to try to add a new maintainer.

00:13:49.860 --> 00:13:54.260
In this case, Jia Tan is the pseudonym that this account used.

00:13:54.260 --> 00:14:03.140
And what ended up happening is over a year of like legitimate positive contribution from this

00:14:03.140 --> 00:14:08.220
account, this account was added as a like equivalent to a release manager, right?

00:14:08.220 --> 00:14:14.380
Like someone who is approving PRs and merging things and is capable of accessing the actual archives

00:14:14.380 --> 00:14:15.660
when releases happen.

00:14:15.660 --> 00:14:19.860
And then a good chunk of time passes after that.

00:14:19.860 --> 00:14:26.340
And there's a couple of little changes added that on their own are not an attack, but it

00:14:26.340 --> 00:14:34.020
was preparing for an attack where essentially a small change was added into the release archives

00:14:34.020 --> 00:14:38.640
that was not a part of the source tree that activated the entire attack chain.

00:14:39.280 --> 00:14:46.840
And then when this started to like be pulled in downstream into things like Fedora, early

00:14:46.840 --> 00:14:50.080
versions of Red Hat, this never went into any stable builds, but it was all the pre-releases.

00:14:50.080 --> 00:14:56.400
This ended up getting onto people's machines and then was eventually discovered because of a very

00:14:56.400 --> 00:15:00.240
small performance difference when logging into SSH.

00:15:00.900 --> 00:15:01.900
Yeah.

00:15:01.900 --> 00:15:05.740
And that was somebody who wasn't even looking, forgot the person's name, but they worked at

00:15:05.740 --> 00:15:08.400
Microsoft and they were just on the Azure team or something.

00:15:08.400 --> 00:15:10.960
And they, they just were like, why did this slow down a little bit?

00:15:10.960 --> 00:15:11.580
That's weird.

00:15:11.580 --> 00:15:14.920
And they're like, wait a minute, what is this doing in here?

00:15:14.920 --> 00:15:15.460
Yeah.

00:15:15.460 --> 00:15:16.820
It was on the verge.

00:15:16.820 --> 00:15:18.660
And you know, what a long game.

00:15:18.660 --> 00:15:23.440
One person, one account came along and was just, you know, I'm going to hear to help you.

00:15:23.440 --> 00:15:27.520
I'm just going to make, I'm going to try to just become your best friend contributor.

00:15:27.780 --> 00:15:32.300
And then another one is just abusing, like mentally abusing the people.

00:15:32.300 --> 00:15:33.320
Like, why don't you just quit?

00:15:33.320 --> 00:15:34.820
Why don't you get some more support?

00:15:34.820 --> 00:15:38.220
And then like, who, well, let me reach out to some people who are helping me out recently.

00:15:38.220 --> 00:15:41.440
And it turns out these are like two sides of the same coin.

00:15:41.440 --> 00:15:41.980
Yep.

00:15:41.980 --> 00:15:42.560
Exactly.

00:15:42.560 --> 00:15:42.900
Yeah.

00:15:42.900 --> 00:15:43.460
Shady.

00:15:43.460 --> 00:15:44.060
Okay.

00:15:44.060 --> 00:15:45.600
Luckily that got caught.

00:15:45.600 --> 00:15:48.900
Cause you know, there's a lot of servers in the world that can be SSHed into.

00:15:48.900 --> 00:15:52.260
And like, well, we got, you know, public private key encryption.

00:15:52.260 --> 00:15:54.080
You can't break through that stuff.

00:15:54.080 --> 00:15:57.460
Long as you don't use passwords, like you're going to be fine unless you're not.

00:15:57.460 --> 00:16:02.440
So I received a lovely email on the day that this happened.

00:16:02.440 --> 00:16:09.640
Report to the security response team for Python, because we of course use the xz-utils libraries

00:16:09.640 --> 00:16:12.100
because Python supports the XZ format as well.

00:16:12.100 --> 00:16:16.840
And I, there was a, there was a lovely few seconds where I'm like, oh, this is either going to

00:16:16.840 --> 00:16:19.040
be a fine day for me or a really bad day.

00:16:19.040 --> 00:16:21.660
And it ended up being a fine day.

00:16:21.660 --> 00:16:22.660
So that's good.

00:16:22.660 --> 00:16:26.500
It's like, are we going to be canceling all our plans for next year?

00:16:26.500 --> 00:16:26.900
Yeah.

00:16:27.300 --> 00:16:27.540
Yep.

00:16:27.540 --> 00:16:32.680
Am I going to have lots of questions to answer from like a concerned customers, users,

00:16:32.680 --> 00:16:33.800
but it was fine.

00:16:33.800 --> 00:16:34.020
Yeah.

00:16:34.020 --> 00:16:34.460
Yeah.

00:16:34.460 --> 00:16:37.320
I find this kind of stuff is a lot like everything's fine.

00:16:37.320 --> 00:16:38.220
You relax.

00:16:38.220 --> 00:16:40.120
Just work's going good.

00:16:40.120 --> 00:16:41.060
Life's going good.

00:16:41.060 --> 00:16:45.100
And then, you know, something's on fire just out of the blue and you have this, you know,

00:16:45.100 --> 00:16:46.240
it takes your breath away moment.

00:16:46.240 --> 00:16:49.140
Like, oh, does that apply to us as well?

00:16:49.140 --> 00:16:51.520
Cause if it does, everything just changed.

00:16:51.520 --> 00:16:53.980
And yeah, really glad I did.

00:16:55.580 --> 00:17:00.020
This portion of talk Python to me is brought to you by Posit, the makers of Shiny, formerly

00:17:00.020 --> 00:17:03.380
RStudio and especially Shiny for Python.

00:17:03.380 --> 00:17:05.300
Let me ask you a question.

00:17:05.300 --> 00:17:07.000
Are you building awesome things?

00:17:07.000 --> 00:17:08.060
Of course you are.

00:17:08.140 --> 00:17:09.620
You're a developer or a data scientist.

00:17:09.620 --> 00:17:10.540
That's what we do.

00:17:10.540 --> 00:17:12.580
And you should check out Posit Connect.

00:17:12.580 --> 00:17:18.080
Posit Connect is a way for you to publish, share, and deploy all the data products that

00:17:18.080 --> 00:17:19.560
you're building using Python.

00:17:20.260 --> 00:17:22.720
People ask me the same question all the time.

00:17:22.720 --> 00:17:25.900
Michael, I have some cool data science project or notebook that I built.

00:17:25.900 --> 00:17:29.200
How do I share it with my users, stakeholders, teammates?

00:17:29.200 --> 00:17:34.000
Do I need to learn FastAPI or Flask or maybe Vue or React.js?

00:17:34.000 --> 00:17:35.220
Hold on now.

00:17:35.220 --> 00:17:39.400
Those are cool technologies and I'm sure you'd benefit from them, but maybe stay focused on

00:17:39.400 --> 00:17:40.000
the data project.

00:17:40.000 --> 00:17:42.500
Let Posit Connect handle that side of things.

00:17:42.760 --> 00:17:47.220
With Posit Connect, you can rapidly and securely deploy the things you build in Python.

00:17:47.220 --> 00:17:53.660
Streamlit, Dash, Shiny, Bokeh, FastAPI, Flask, Quarto, Reports, Dashboards, and APIs.

00:17:53.660 --> 00:17:55.960
Posit Connect supports all of them.

00:17:55.960 --> 00:18:01.200
And Posit Connect comes with all the bells and whistles to satisfy IT and other enterprise

00:18:01.200 --> 00:18:01.800
requirements.

00:18:01.800 --> 00:18:06.180
Make deployment the easiest step in your workflow with Posit Connect.

00:18:06.180 --> 00:18:11.320
For a limited time, you can try Posit Connect for free for three months by going to talkpython.fm

00:18:11.320 --> 00:18:12.300
slash Posit.

00:18:12.300 --> 00:18:15.960
That's talkpython.fm/P-O-S-I-T.

00:18:15.960 --> 00:18:17.840
The link is in your podcast player show notes.

00:18:17.840 --> 00:18:21.080
Thank you to the team at Posit for supporting Talk Python.

00:18:21.080 --> 00:18:28.460
One of the talks was Python's security model after this issue, the xz-utils backdoor.

00:18:28.460 --> 00:18:29.300
Tell us about that.

00:18:29.300 --> 00:18:29.700
Yeah.

00:18:29.700 --> 00:18:35.440
So this entire talk was essentially just overviewing like, hey, is this possible?

00:18:35.440 --> 00:18:39.340
Is this possible for CPython to be impacted by such an attack?

00:18:39.340 --> 00:18:40.920
And I mean, the answer is yes.

00:18:40.920 --> 00:18:41.900
It really is.

00:18:41.900 --> 00:18:48.600
Because if you have accounts that are willing to put years of effort into contributing good

00:18:48.600 --> 00:18:50.660
code to CPython, right?

00:18:50.660 --> 00:18:53.580
Like that, that is enough to become a core developer likely.

00:18:54.380 --> 00:18:57.080
And if you're a core developer, it means you can merge PRs.

00:18:57.080 --> 00:19:05.700
It means if you, I mean, if you get two core developer accounts promoted to this level of authorization, you can merge your own PRs with review, right?

00:19:05.700 --> 00:19:10.460
Like we're the big focus on this talk was like, okay, how, how can we prevent this?

00:19:10.720 --> 00:19:14.780
And if we in, in the ways that we can't prevent it, how can we be ready?

00:19:14.780 --> 00:19:18.460
And kind of like a discussing whether or not we're ready at this point.

00:19:18.460 --> 00:19:32.240
And I think the big consensus was that if we were to discover something like this that had already been merged into Python or had been released in Python, that we would be okay to be able to, to get it to like, get the word out.

00:19:32.240 --> 00:19:34.340
Like that sort of infrastructure already exists.

00:19:34.340 --> 00:19:35.700
And we're not too worried about that.

00:19:35.700 --> 00:19:36.600
Like we're a CNA.

00:19:36.600 --> 00:19:38.640
We can create a CVE really quickly.

00:19:38.640 --> 00:19:41.220
We can get like the announcements out really quickly.

00:19:41.220 --> 00:19:42.860
We can get releases out really quickly.

00:19:42.860 --> 00:19:46.400
So like in that way, the reactive sense, we're okay.

00:19:46.400 --> 00:19:51.900
In the proactive sense there, which is the more important one, but it's also the harder one.

00:19:51.900 --> 00:19:53.820
We, yeah.

00:19:53.820 --> 00:20:01.080
Because when nation states hire people to say the next three years of your job, it's, it's almost like, it's like a team, like a spy.

00:20:01.080 --> 00:20:01.460
Yeah.

00:20:01.820 --> 00:20:02.960
For multiple years.

00:20:02.960 --> 00:20:08.320
It's like the CIA or MI6 or something, you know, on the code side, you know.

00:20:08.320 --> 00:20:13.780
To be honest with you, it doesn't even need to necessarily be like nation state level stuff for this to happen.

00:20:13.780 --> 00:20:13.880
That's true.

00:20:13.880 --> 00:20:20.100
Because vulnerabilities in popular pieces of software are very, very lucrative.

00:20:20.100 --> 00:20:25.320
You can sell them and people make a lot of money on selling vulnerabilities to projects.

00:20:25.320 --> 00:20:27.520
But so why not grow your own, right?

00:20:27.520 --> 00:20:30.740
Yeah.

00:20:30.740 --> 00:20:31.160
Yeah.

00:20:31.160 --> 00:20:31.400
So.

00:20:31.400 --> 00:20:32.080
Go ahead.

00:20:32.080 --> 00:20:35.400
One of the things I think is great is there's a really long release cycle.

00:20:35.400 --> 00:20:35.840
Yeah.

00:20:35.840 --> 00:20:36.340
Right.

00:20:36.340 --> 00:20:38.800
And like a staged rollout.

00:20:38.800 --> 00:20:46.680
So I don't know how many people jump in and install alpha one of some Python, but it's, it's pretty limited and it's not going to make it.

00:20:46.680 --> 00:20:47.220
No, no.

00:20:47.220 --> 00:20:47.640
Of course.

00:20:47.640 --> 00:20:48.060
I know.

00:20:48.060 --> 00:20:48.860
I see you raise your hand.

00:20:48.860 --> 00:20:53.300
But I think that's going to be a good thing.

00:20:54.180 --> 00:20:55.180
update channel.

00:21:28.180 --> 00:21:31.180
I think that that helps in a way.

00:21:31.180 --> 00:21:39.180
Obviously, people that are living on the edge, maybe they're the more valuable targets, but I mean, I'm not going to be the one to encourage that.

00:21:39.180 --> 00:21:50.180
Yeah, I don't think that I think the biggest defenses against this, and this was what was discussed there, was trying to push things to be in the open.

00:21:50.180 --> 00:21:58.180
Actually, in a way, open source is uniquely able to respond and be defended against for these sorts of attacks.

00:21:58.180 --> 00:22:12.180
Because if this were to happen in Windows, for example, would we have had the almost immediate being able to debug what the actual attack was, how long this had been going on, what patches were bad?

00:22:12.180 --> 00:22:19.180
Like that sort of visibility into the source code is something that was really important in being able to actually track this thing down.

00:22:19.180 --> 00:22:20.180
Yeah.

00:22:20.180 --> 00:22:26.180
And so having test files and binary files not checked into source code and instead generated.

00:22:26.180 --> 00:22:40.180
So one of the parts of this attack that allowed it to go hidden for so long and be checked into source code was that almost all of the attack code was hidden extremely well in a binary file, which made it so that code reviewers could-

00:22:40.180 --> 00:22:43.180
Some of the test binary elements.

00:22:43.180 --> 00:22:48.180
Because if you've got a compression file utility, you've got to have compressed files for your unit test, right?

00:22:48.180 --> 00:22:49.180
Mm-hmm.

00:22:49.180 --> 00:22:50.180
Exactly.

00:22:50.180 --> 00:22:57.180
So it was basically these files were checked in and there's just huge binary blobs that you can't actually get your eyeballs on to review.

00:22:57.180 --> 00:23:00.180
We talk about like lots of eyeballs make for shallow bugs.

00:23:00.180 --> 00:23:04.180
Well, if the eyeballs can't see the bugs, then you're not going to find them.

00:23:04.180 --> 00:23:15.180
And so we talked about like removing binary files from the source code or making sure that all the binary files that are generated have like a script that allows them to generate at any time and things like that.

00:23:15.180 --> 00:23:18.180
So is it one of the changes recently?

00:23:18.180 --> 00:23:36.180
I can't remember if this was on PyPI or if this is a GitHub thing, but allowing GitHub to be the thing that publishes directly, builds the wheels and uploads them to PyPI rather than somebody downloading the code, building them and uploading it, which obviously that's an opaque step there.

00:23:36.180 --> 00:23:46.180
Yeah, so other like other things that tie more strongly these whatever release artifacts are actually ending up on people's machines to the source code.

00:23:46.180 --> 00:23:49.180
So that's I mean, I would call that build provenance.

00:23:49.180 --> 00:23:53.180
There's a whole bunch of different frameworks that that works under.

00:23:53.180 --> 00:24:12.180
But yeah, build provenance being able to tie in an artifact that's installed in your system back to the actual source code so that when you are evaluating that that artifact on whether you want to install that on your system or deciding whether to upgrade or whatever, you can look at the source code instead of writing at this like compiled binary.

00:24:12.180 --> 00:24:15.180
That's something that I really want to focus on for like PyPI in the future.

00:24:15.180 --> 00:24:16.180
But yeah, we're not there.

00:24:16.180 --> 00:24:17.180
Awesome.

00:24:17.180 --> 00:24:18.180
Yeah.

00:24:18.180 --> 00:24:22.180
When you because when you look at a project, you say, well, let me see what the releases on GitHub.

00:24:22.180 --> 00:24:28.180
If you know that literally that was the thing that compiled or got built and then that's what's on PyPI.

00:24:28.180 --> 00:24:31.180
That's a different forensic analysis than.

00:24:31.180 --> 00:24:32.180
Exactly.

00:24:32.180 --> 00:24:33.180
Well, it's somebody's machine.

00:24:33.180 --> 00:24:41.180
What it ends up nice like being nice is that it and this is the tough part is that I feel like a lot of people's behavior, which is to go on GitHub and say, you know, I'm going to get a lot of the work.

00:24:41.180 --> 00:24:44.180
I'm going to get to go on GitHub and look at the diff between like tags.

00:24:44.180 --> 00:24:47.180
That's what a lot of people do, but that's not actually what you should do.

00:24:47.180 --> 00:24:50.180
You should be looking at the diff between the artifacts.

00:24:50.180 --> 00:24:54.180
That's the thing that's actually installed on your machine, but that's way harder to do than looking at the tags.

00:24:54.180 --> 00:24:55.180
So exactly.

00:24:55.180 --> 00:24:56.180
We just crowdsource it.

00:24:56.180 --> 00:24:57.180
We're all crowdsourcing it.

00:24:57.180 --> 00:24:59.180
Like wait for the way we are.

00:24:59.180 --> 00:25:02.180
I know where we are.

00:25:02.180 --> 00:25:03.180
All right.

00:25:03.180 --> 00:25:05.180
We're just related to this while we're still on this topic.

00:25:05.180 --> 00:25:09.180
You know, you talked about the somewhere.

00:25:09.180 --> 00:25:10.180
There we go.

00:25:10.180 --> 00:25:16.180
There's also a big news around CVEs, which are official vulnerability numbering.

00:25:16.180 --> 00:25:23.180
So they're referenced through all that cybersecurity talk and stuff.

00:25:23.180 --> 00:25:24.180
Right.

00:25:24.180 --> 00:25:25.180
You can describe it better.

00:25:25.180 --> 00:25:31.180
But so big news is that the PSF now, and you alluded to this, is now an official numbering authority.

00:25:31.180 --> 00:25:39.180
So rather than saying there's a problem with Python, who is going to sort of officially call this out and write it up and so on.

00:25:39.180 --> 00:25:40.180
Like you guys can do that directly now.

00:25:40.180 --> 00:25:41.180
Right.

00:25:41.180 --> 00:25:42.180
Yeah.

00:25:42.180 --> 00:25:52.180
So like CVEs are basically it's a set of identifiers and records that show what's like a bunch of metadata about vulnerabilities in software is what it is.

00:25:52.180 --> 00:25:53.180
And it's only one system.

00:25:53.180 --> 00:25:59.180
There are a bunch of other like vulnerability databases, but CVE seems to be the one that everyone uses or references.

00:25:59.180 --> 00:26:19.180
And so what being a CVE numbering authority gives us is it makes it so that someone at the PSF can like operate the CVE UI and workflow and all of that to say like, oh, we want to create a new CVE ID on behalf of the Python team or on behalf of the pip team.

00:26:19.180 --> 00:26:27.180
And what that ends up meaning is that because we are part of the process instead of having to go to some other entity.

00:26:27.180 --> 00:26:32.180
So like MITRE or Red Hat or, you know, Microsoft, there's a whole bunch of CNAs.

00:26:32.180 --> 00:26:34.180
There's a there's over 100 now, I think.

00:26:34.180 --> 00:26:43.180
Instead of going to someone else that, you know, isn't as well versed in Python or, you know, our release schedule or any of those things.

00:26:43.180 --> 00:26:50.180
Right. We get to inject the knowledge that we have about Python into all of these records, into all these advisories.

00:26:50.180 --> 00:26:56.180
And it makes it so that we don't actually have to talk to someone else to be able to handle a vulnerability end to end.

00:26:56.180 --> 00:27:04.180
Right. So like before you would potentially have a reporter going to talk to someone else and getting a CVE ID and then they would come talk to us.

00:27:04.180 --> 00:27:10.180
And by that point, like it was it's hard to like make a determination and there's a whole bunch of things have already happened.

00:27:10.180 --> 00:27:13.180
And maybe there's messes that need to get cleaned up to make sure that it's not confusing.

00:27:13.180 --> 00:27:20.180
So by owning the entire process, we're able to make sure that things are as little confusing as possible.

00:27:20.180 --> 00:27:24.180
Like what actually needs to be done for users when we publish these things?

00:27:24.180 --> 00:27:30.180
Yeah, that's great. I want to move off the security angle here because I know there's so much more to talk about.

00:27:30.180 --> 00:27:36.180
However, you know, but you guys do it. Have you considered or ever run any sort of bug bounty program?

00:27:36.180 --> 00:27:41.180
We don't have a bug bounty program right now. I mean, the hard part with the bug bounty program is it takes money.

00:27:41.180 --> 00:27:49.180
So if if you would like to see a bug bounty program happening at the PSF, get in touch with the PSF. Send email.

00:27:49.180 --> 00:27:52.180
Yeah, I think incentives are really aligned there.

00:27:52.180 --> 00:27:57.180
There's a lot of companies that have this tooling at the center of their data center.

00:27:57.180 --> 00:27:58.180
So maybe.

00:27:58.180 --> 00:27:58.180
Yeah, maybe.

00:27:58.180 --> 00:28:00.180
Maybe. Maybe. Maybe we can make it happen.

00:28:00.180 --> 00:28:05.180
All right. Next up, the REPL, or the PyREPL, the Python PyREPL.

00:28:05.180 --> 00:28:06.180
What's the deal with this?

00:28:06.180 --> 00:28:12.180
Yeah, so this was a a talk that was given by a couple of different core devs.

00:28:12.180 --> 00:28:23.180
I think this included a bunch of people. Pablo, Łukasz and Lysandros all gave this talk and it was about, hey, this new REPL that's coming in Python 3.13.

00:28:23.180 --> 00:28:29.180
Here's all the cool stuff that it can do and how it makes the usability so much better for people.

00:28:29.180 --> 00:28:33.180
And they demoed a whole bunch of the new features, which was really exciting.

00:28:33.180 --> 00:28:38.180
There was lots of applause showing off a few of these like little little features.

00:28:38.180 --> 00:28:50.180
And I think that the other side of it is like because this new REPL is written in Python and not written in C, it lowers the barrier for contributions and maintenance drastically.

00:28:50.180 --> 00:29:02.180
Before the REPL was like super entwined with like the parser and all of these other really low level details of Python that a lot of people probably didn't want to get involved with if they didn't have to.

00:29:02.180 --> 00:29:09.180
Versus this where it's this completely separate and much more easy to contribute to piece of software.

00:29:09.180 --> 00:29:13.180
Yeah. And did this come from the PyPy project?

00:29:13.180 --> 00:29:24.180
Yes, this was PyPy. And I think that there's been some back and forth contributing back, contributing forward, all of that, which is also really great. Right. Having one REPL shared between two different implementations.

00:29:24.180 --> 00:29:28.180
Yeah, that's great. Just working and working better together. More people working on it.

00:29:28.180 --> 00:29:34.180
I always get caught by PyPy because some people call the Python Package Index PyPy.

00:29:34.180 --> 00:29:40.180
But that's also this other thing. So anyway, it's a part of every one of my days. Right.

00:29:40.180 --> 00:29:50.180
I'm sure that I because a lot of the times, you know, a significant percentage of my work as a security person is being in working groups that are not Python related at all.

00:29:50.180 --> 00:29:53.180
And yeah, there's a lot of PyPys flying around. Yeah.

00:29:53.180 --> 00:29:56.180
You talk about NumPy being on PyPy and you're like, OK, hold on.

00:29:56.180 --> 00:30:00.180
Hold on. Could be two different things.

00:30:00.180 --> 00:30:01.180
There's a lot going on here.

00:30:01.180 --> 00:30:04.180
Yeah. So this is really interesting.

00:30:04.180 --> 00:30:06.180
I haven't really played with it much.

00:30:06.180 --> 00:30:10.180
I honestly don't spend a ton of time in the bare Python REPL.

00:30:10.180 --> 00:30:19.180
Like if I'm I'm REPLing a lot of times I'm in the JetBrains sort of enhanced REPL that's inside PyCharm, something like that.

00:30:19.180 --> 00:30:25.180
But I think partly because there were a lot of challenges with the bare Python REPL, right?

00:30:25.180 --> 00:30:33.180
There's no autocomplete. But worse than that was if you've got a five line function and you want to edit it, you've kind of got to go to the top heart hitter.

00:30:33.180 --> 00:30:37.180
Like it's it really was hard to work with blocks of code.

00:30:37.180 --> 00:30:40.180
There's no color, things like that.

00:30:40.180 --> 00:30:44.180
Yeah. Color is the standard for you don't have color in your terminal at this point.

00:30:44.180 --> 00:30:47.180
Like even 20 basically given up at that point.

00:30:47.180 --> 00:30:51.180
I have an emoji and you don't have color. I mean, emojis.

00:30:51.180 --> 00:30:57.180
Got to have like the rainbow prompt, maybe like the logo of the thing that starts a starship.

00:30:57.180 --> 00:31:01.180
Oh, yeah. I was well. I didn't even consider the ASCII art and possibly the ASCII art in color.

00:31:01.180 --> 00:31:09.180
No, seriously, though, I do think it sounds like a minor deal, but just the readability of having highlighting and stuff.

00:31:09.180 --> 00:31:12.180
Yeah. Syntax highlighting is huge. Syntax highlighting is like really huge.

00:31:12.180 --> 00:31:14.180
That's not a part of the current REPL, I don't think.

00:31:14.180 --> 00:31:19.180
But like it becomes much more possible because this PyREPL exists.

00:31:19.180 --> 00:31:21.180
Yeah, exactly. Yeah.

00:31:21.180 --> 00:31:25.180
I think that like the biggest thing, yeah, like the whole blocks of code.

00:31:25.180 --> 00:31:29.180
I just remember the demo of them showing like, oh, you have like five lines.

00:31:29.180 --> 00:31:32.180
You have to hit up, up, up like four times hit enter.

00:31:32.180 --> 00:31:33.180
It's just like, oh, my God.

00:31:33.180 --> 00:31:34.180
If you mess it up, you got to start over.

00:31:34.180 --> 00:31:35.180
You got to start over.

00:31:35.180 --> 00:31:37.180
And you're just, you're just sad.

00:31:37.180 --> 00:31:40.180
You just contemplate putting it in a file instead of doing this in the REPL.

00:31:40.180 --> 00:31:42.180
Exactly. That's why I'm not in there.

00:31:42.180 --> 00:31:44.180
I avoid being in there because it's hard.

00:31:44.180 --> 00:31:48.180
This will be really, really great for people that are just starting their Python journey.

00:31:48.180 --> 00:31:53.180
Because I think that a lot of people learning and starting off will use the REPL straight up.

00:31:53.180 --> 00:31:54.180
Yes.

00:31:54.180 --> 00:31:55.180
Instead of an IDE.

00:31:55.180 --> 00:32:01.180
Like having this, there was a big focus on like teachability and documenting it and making it work the same.

00:32:01.180 --> 00:32:07.180
Like if you actually like read the post, like what the discussions were about for like everyone is basically totally in favor.

00:32:07.180 --> 00:32:08.180
They loved it.

00:32:08.180 --> 00:32:11.180
But they wanted to make sure that this was going to be like a consistent experience.

00:32:11.180 --> 00:32:21.180
Specifically, like Carol Willing had this big point about like having a consistent experience being really important for teaching Python across different operating systems.

00:32:21.180 --> 00:32:22.180
So.

00:32:22.180 --> 00:32:22.180
Yeah.

00:32:22.180 --> 00:32:26.180
And something a little bit, a little bit better than up, up, up five times and don't get it out of order.

00:32:26.180 --> 00:32:27.180
Exactly.

00:32:27.180 --> 00:32:28.180
Yeah.

00:32:28.180 --> 00:32:44.180
So I guess one of the, I don't know if this was discussed, but one of the challenges of this, I think, is it requires, and it's not necessarily bad, but just a challenge is I think it requires the new Windows Terminal rather than say CMD.exe, the older style.

00:32:44.180 --> 00:32:49.180
So it just works out of the box on macOS and on Linux, but on Windows, you got to be a little careful about how you run it.

00:32:49.180 --> 00:32:49.180
Is that right?

00:32:49.180 --> 00:32:56.180
So I actually don't know what the current status of all of this is because the time has marched on since these blog posts have happened.

00:32:56.180 --> 00:32:57.180
Yeah.

00:32:57.180 --> 00:32:57.180
Yeah.

00:32:57.180 --> 00:32:58.180
Yeah.

00:32:58.180 --> 00:33:05.180
There has been a lot of work done on the Windows side, in that the current team, like the team that presented this, didn't have any Windows experience.

00:33:05.180 --> 00:33:09.180
And so they didn't know really how hard it was going to be.

00:33:09.180 --> 00:33:12.180
I think that there's been a lot of strides on the Windows side of things.

00:33:12.180 --> 00:33:14.180
So I think the situation's better.

00:33:14.180 --> 00:33:21.180
I don't know offhand if CMD.exe is supported or if it's just the new Windows Terminal, but I, yeah, I think it's fine.

00:33:21.180 --> 00:33:22.180
It was sitting in Windows Terminal.

00:33:22.180 --> 00:33:24.180
Like people need to be using that thing.

00:33:24.180 --> 00:33:25.180
Anyway, it's true.

00:33:25.180 --> 00:33:35.180
It's like opening up on your Mac and just having like the bare white bash, I guess it's Z shell these days, but just the completely, you know, non fixed font.

00:33:35.180 --> 00:33:37.180
Like, what is this thing that you are running?

00:33:37.180 --> 00:33:39.180
Like, you're like, the terminal is horrible.

00:33:39.180 --> 00:33:42.180
Like, well, that thing is, but you know, you could make it a lot nicer by the way.

00:33:42.180 --> 00:33:46.180
And, you know, it's, it's similar, trade off there.

00:33:46.180 --> 00:33:47.180
Right.

00:33:47.180 --> 00:33:48.180
And Windows world.

00:33:48.180 --> 00:33:49.180
So, okay.

00:33:49.180 --> 00:33:50.180
Exactly.

00:33:50.180 --> 00:33:51.180
Interesting.

00:33:51.180 --> 00:33:54.180
Next one is, should we, should we adopt?

00:33:54.180 --> 00:33:56.180
Should we adopt calendar versioning?

00:33:56.180 --> 00:33:58.180
We're beyond ZeroVer.

00:33:58.180 --> 00:33:59.180
So that's really good.

00:33:59.180 --> 00:34:06.180
But there's been a reluctance to have Python 4, but we've got 3.12, 3.13.

00:34:06.180 --> 00:34:12.180
Are we just going to have 3.128 or should we come up with something else?

00:34:12.180 --> 00:34:13.180
Right.

00:34:13.180 --> 00:34:16.180
What is calendar versioning and should we adopt it and how many digits should it have?

00:34:16.180 --> 00:34:17.180
Yeah.

00:34:17.180 --> 00:34:27.180
So this was presented by Hugo, who is the new release manager for Python 3.14 and 3.15, which maybe that's a little presumptive saying those numbers.

00:34:27.180 --> 00:34:30.180
'Cause if this goes through, that would not be the case anymore.

00:34:30.180 --> 00:34:33.180
He's going to work himself straight out of a job here.

00:34:33.180 --> 00:34:34.180
What's going on?

00:34:34.180 --> 00:34:35.180
Yeah.

00:34:35.180 --> 00:34:43.180
This is, this was, there were definitely jokes about like, this is just your attempt to get out of being the release manager for these releases.

00:34:43.180 --> 00:34:52.180
But yeah, so Hugo proposed this. What this is, is kind of like a pre-PEP feeling out of how this situation should be.

00:34:52.180 --> 00:34:58.180
And like trying to pare down the options, I think, was Hugo's biggest question, or what should we do?

00:34:58.180 --> 00:35:00.180
And should we pare down the options?

00:35:00.180 --> 00:35:02.180
Cause there's a million different ways we can do calendar versioning.

00:35:02.180 --> 00:35:13.180
And yeah, I think if you scroll down, there was like a slide that had just, you know, every single possible calendar versioning possibility for Python and all the different languages.

00:35:13.180 --> 00:35:19.180
But yeah, calendar versioning is like really common for programming languages and other things that are similar to Python.

00:35:19.180 --> 00:35:28.180
And so this was basically like, hey, we have this yearly release cycle that has been working for a while and we're probably going to keep doing it.

00:35:28.180 --> 00:35:32.180
Should we, it's worth pointing out for people who don't know that it used to be 18 months.

00:35:32.180 --> 00:35:40.180
And so the calendar version, it would get a little out of phase or something there, but now, now that it's yearly in the fall, it really lines up perfectly.

00:35:40.180 --> 00:35:41.180
Yeah.

00:35:41.180 --> 00:35:49.180
And so this kind of assumes that we're going to keep doing the yearly thing, which I'm fine with the yearly thing, but yeah, as, as long as we kept the yearly schedule, it would look like.

00:35:49.180 --> 00:35:58.180
Like the release year would line up with whatever the, so it would be like the ended, the one that was like most agreed upon was like three dot.

00:35:58.180 --> 00:36:06.180
And then a two digit year, or what would end up becoming a three digit year when we roll over to a hundred, assuming that Python's still using them, you know, a hundred years.

00:36:06.180 --> 00:36:12.180
But yeah, so like, that was kind of like the one that was most palatable to core devs or people were most excited about.

00:36:12.180 --> 00:36:21.180
And I think the big reason why switching to like a CalVer year was interesting is that we have this thing called like support lifetime.

00:36:21.180 --> 00:36:24.180
So like how long is CPython supported?

00:36:24.180 --> 00:36:26.180
How long do you get security fixes?

00:36:26.180 --> 00:36:27.180
How long do you get bug fixes?

00:36:27.180 --> 00:36:30.180
And so being able to do math is easier.

00:36:30.180 --> 00:36:31.180
Yeah, exactly.

00:36:31.180 --> 00:36:33.180
Like, let me put this out to the audience.

00:36:33.180 --> 00:36:36.180
Is Python 3.8 supported or is it not supported?

00:36:36.180 --> 00:36:37.180
I don't know.

00:36:37.180 --> 00:36:38.180
You gotta do, you gotta do math.

00:36:38.180 --> 00:36:39.180
You gotta think about it.

00:36:39.180 --> 00:36:40.180
Yeah.

00:36:40.180 --> 00:36:43.180
Yeah, so 3.7 just recently dropped support, right?

00:36:43.180 --> 00:36:44.180
Which is crazy.

00:36:44.180 --> 00:36:48.180
'Cause that seems like a pretty new version in my mind, but it totally makes sense.

00:36:48.180 --> 00:36:55.180
But if you just knew it's supported for how many years, six years, five years, it's five years for security releases, I believe.

00:36:55.180 --> 00:36:56.180
Yeah.

00:36:56.180 --> 00:36:58.180
So then you're like, it's 2025.

00:36:58.180 --> 00:37:01.180
So, you know, 20, 20 out becomes a lot easier.

00:37:01.180 --> 00:37:05.180
And there was also say like, do I have the current one, right?

00:37:05.180 --> 00:37:08.180
If you're not tracking it super carefully, like 3.11, is that the latest?

00:37:08.180 --> 00:37:09.180
Like, I don't know.

00:37:09.180 --> 00:37:11.180
I only use Python every like once a month.

00:37:11.180 --> 00:37:12.180
What was the 2023?

00:37:12.180 --> 00:37:13.180
Oh, I see.

00:37:13.180 --> 00:37:14.180
Well, I mean, that's not the latest one.

00:37:14.180 --> 00:37:15.180
Okay.

00:37:15.180 --> 00:37:16.180
Yeah.

00:37:16.180 --> 00:37:20.180
So it was just an interesting conversation about figuring out what the best potential option

00:37:20.180 --> 00:37:21.180
was.

00:37:21.180 --> 00:37:22.180
And then Hugo ended up creating a PEP.

00:37:22.180 --> 00:37:24.180
And I think that's being discussed right now.

00:37:24.180 --> 00:37:25.180
So cool.

00:37:25.180 --> 00:37:27.180
Why not 2024?

00:37:27.180 --> 00:37:28.180
Why 24?

00:37:28.180 --> 00:37:30.180
Because that feels, I don't know.

00:37:30.180 --> 00:37:36.180
It just feels like you've just point shifted what you're doing now rather than, then really

00:37:36.180 --> 00:37:37.180
clearly.

00:37:37.180 --> 00:37:40.180
Because, you know, as a new person coming in, you don't see that go, it's 24.

00:37:40.180 --> 00:37:41.180
So it must be 2024.

00:37:41.180 --> 00:37:44.180
And unless you really like put together the calendar.

00:37:44.180 --> 00:37:48.180
But if it's a dot 2024, you're like, I bet that's the year, you know?

00:37:48.180 --> 00:37:49.180
Right.

00:37:49.180 --> 00:37:50.180
Yeah.

00:37:50.180 --> 00:37:54.180
And then eventually in the not too distant future, there will be a Python 3.24.

00:37:54.180 --> 00:37:55.180
Exactly.

00:37:55.180 --> 00:37:56.180
Yeah.

00:37:56.180 --> 00:37:57.180
We'll see.

00:37:57.180 --> 00:37:58.180
So there's going to be a PEP around this, you say.

00:37:58.180 --> 00:38:01.180
In fact, it says right here, PEP 604, right?

00:38:01.180 --> 00:38:02.180
I think it's PEP.

00:38:02.180 --> 00:38:03.180
What is it like?

00:38:03.180 --> 00:38:05.180
Well, you know, that's just the yearly announcement.

00:38:05.180 --> 00:38:06.180
That's the yearly cycle.

00:38:06.180 --> 00:38:09.180
If you scroll down all the way to the bottom, it'll, I think it's like PEPs.

00:38:09.180 --> 00:38:10.180
Yeah.

00:38:10.180 --> 00:38:11.180
There's a lot of PEPs.

00:38:11.180 --> 00:38:12.180
Drafting.

00:38:12.180 --> 00:38:13.180
It just says drafting a PEP.

00:38:13.180 --> 00:38:14.180
Oh, give that a click.

00:38:14.180 --> 00:38:16.180
I'm pretty sure there's a number 2026.

00:38:16.180 --> 00:38:17.180
There we go.

00:38:17.180 --> 00:38:18.180
Okay.

00:38:18.180 --> 00:38:19.180
Yeah.

00:38:19.180 --> 00:38:20.180
Oh, so that's going to be a while.

00:38:20.180 --> 00:38:21.180
So they released this PEP.

00:38:21.180 --> 00:38:23.180
Well, so the, I'm just kidding.

00:38:23.180 --> 00:38:32.180
The most, the most important part of this discussion was that the Python version 3.14 be, be preserved.

00:38:32.180 --> 00:38:33.180
Python.

00:38:33.180 --> 00:38:34.180
Yeah.

00:38:34.180 --> 00:38:38.180
Well, it wasn't allowed for 3.14 to change it.

00:38:38.180 --> 00:38:39.180
Yeah.

00:38:39.180 --> 00:38:46.180
The only thing that I can think of that you would have the two digits is that there's a lot of code and regular expressions and junk out there that checks for that.

00:38:46.180 --> 00:38:51.180
But you know, if we talk about some of the other stuff out there, like that's a pretty minor change.

00:38:51.180 --> 00:38:53.180
Like for example, free thread Python.

00:38:53.180 --> 00:38:54.180
Yes.

00:38:54.180 --> 00:38:55.180
Free thread Python.

00:38:55.180 --> 00:38:56.180
It's here.

00:38:56.180 --> 00:38:57.180
It is here.

00:38:57.180 --> 00:38:58.180
Sort of.

00:38:58.180 --> 00:39:03.180
You know, what actually really surprised me is that when I saw this PEP come through, was it 702 or something like that?

00:39:03.180 --> 00:39:11.180
It said, we're going to allow free threaded Python, which I'm going to have you explain for folks in a moment, but you're going to have to have a special build of it.

00:39:11.180 --> 00:39:15.180
And I thought, oh, well, that means if you want to play with it, you're going to have to build your own.

00:39:15.180 --> 00:39:18.180
But I noticed that the installers now give you an option for it.

00:39:18.180 --> 00:39:19.180
Yeah, they do.

00:39:19.180 --> 00:39:20.180
Yeah.

00:39:20.180 --> 00:39:21.180
The installers.

00:39:21.180 --> 00:39:22.180
Side by side install.

00:39:22.180 --> 00:39:23.180
Right.

00:39:23.180 --> 00:39:24.180
Yeah.

00:39:24.180 --> 00:39:26.180
That gets put onto your actual like.

00:39:26.180 --> 00:39:27.180
Yes.

00:39:27.180 --> 00:39:29.180
Python T is what you type instead of Python.

00:39:29.180 --> 00:39:30.180
Yeah.

00:39:30.180 --> 00:39:31.180
If you want the free threaded one.

00:39:31.180 --> 00:39:32.180
Yeah.

00:39:32.180 --> 00:39:32.180
It.

00:39:32.180 --> 00:39:34.180
I mean, free threading is here.

00:39:34.180 --> 00:39:35.180
I mean, there's options.

00:39:35.180 --> 00:39:38.180
If you're compiling yourself, you just enable some options.

00:39:38.180 --> 00:39:43.180
And I think I go over that in the actual blog post to the options that you actually use to try it out.

00:39:43.180 --> 00:39:54.180
And yeah, free threading essentially is a way to remove the GIL and move to a different reference counting model, object counting model.

00:39:54.180 --> 00:40:13.160
And which is quite exciting for a lot of people, but it will what it will end up meaning is that a lot of the packages that are written in C or that are relying on CPython APIs will have to get either, you know, tweaked a little bit to like use these slightly different C APIs to make it so that they play nicely with having no

00:40:13.160 --> 00:40:16.160
no GIL enabled and with the new memory management.

00:40:16.160 --> 00:40:17.160
Yeah.

00:40:17.160 --> 00:40:18.160
Yeah.

00:40:18.160 --> 00:40:19.160
It's super exciting.

00:40:19.160 --> 00:40:20.160
It's a variety of changes in the ecosystem basically.

00:40:20.160 --> 00:40:21.160
Yeah.

00:40:21.160 --> 00:40:26.160
Just because you have threads doesn't mean you get perfect scalability across the cores.

00:40:26.160 --> 00:40:28.160
Can't remember who wrote this article.

00:40:28.160 --> 00:40:30.160
Is it Simon Willison?

00:40:30.160 --> 00:40:31.160
Maybe.

00:40:31.160 --> 00:40:32.160
Who did some.

00:40:32.160 --> 00:40:33.160
Yeah.

00:40:33.160 --> 00:40:40.160
I'm pretty sure Simon Willison wrote one that said, look, we're going to take an algorithm that is kind of embarrassingly parallel and parallelize it.

00:40:40.160 --> 00:40:45.160
And it turned out to be something like 50% gain per core.

00:40:45.160 --> 00:40:55.160
So it was like he had eight cores and it was four times faster with free threaded Python than without, which is still, if you can get your code to run four times faster, that's still really good.

00:40:55.160 --> 00:40:56.160
Right.

00:40:56.160 --> 00:40:57.160
Yeah.

00:40:57.160 --> 00:41:05.160
It's going to have, like you said, I think it's going to have an interesting requirement put on all the people building packages.

00:41:05.160 --> 00:41:06.160
Right.

00:41:06.160 --> 00:41:06.160
Yeah.

00:41:06.160 --> 00:41:14.160
And I know when I hear people say, I think maybe you just said like, oh, it's going to be the C extension packages that are really going to have to deal with it.

00:41:14.160 --> 00:41:17.160
They, they'll have to do locks in their thing.

00:41:17.160 --> 00:41:25.160
I think even in the Python code, there's certainly algorithms that have multiple steps that they'll get some data here.

00:41:25.160 --> 00:41:26.160
They'll work with the data.

00:41:26.160 --> 00:41:27.160
They'll make some changes.

00:41:27.160 --> 00:41:29.160
Then they'll put the data back in the same place.

00:41:29.160 --> 00:41:32.160
And even that would be subject to a race condition.

00:41:32.160 --> 00:41:33.160
Yeah.

00:41:33.160 --> 00:41:37.160
I think we're, you know, I, long in the past, did a lot of C++.

00:41:37.160 --> 00:41:41.160
I did a lot of C# and in communities like that, people are like always focused.

00:41:41.160 --> 00:41:45.160
They're like, always kind of crazy about two things, memory and threading.

00:41:45.160 --> 00:41:46.160
Right.

00:41:46.160 --> 00:41:48.160
And we just don't do that in Python.

00:41:48.160 --> 00:41:59.160
We just, I think we have just leveraged the fact that the GIL gives us kind of enough coarse-grained granularity in the execution of our code, that it's just not something we hit a lot.

00:41:59.160 --> 00:42:03.160
And we don't try to do a ton of threading because it doesn't work all that well.

00:42:03.160 --> 00:42:06.160
However, this, this could expose lots of stuff.

00:42:06.160 --> 00:42:08.160
This could put a new focus on that.

00:42:08.160 --> 00:42:09.160
Yeah, definitely.

00:42:09.160 --> 00:42:10.160
Yeah.

00:42:10.160 --> 00:42:17.160
Just having more people using threading with Python that that's going to be huge for finding thread safety issues.

00:42:17.160 --> 00:42:19.160
Yeah.

00:42:19.160 --> 00:42:20.160
It's, it's just really exciting.

00:42:20.160 --> 00:42:26.160
I think that, and there's another blog post, a completely separate one that talks about like the C API.

00:42:26.160 --> 00:42:33.160
And there was some mention about like free threading and evolving the API so that it's a lot easier to use from a free threading perspective.

00:42:33.160 --> 00:42:45.160
So like there's a ton of work happening in here to make this as easy, hopefully brief kind of split in the ecosystem and then have it converge together.

00:42:45.160 --> 00:42:52.160
And then we're going to, we're going to, we're going to, we're going to have a way that if this is really not working out, we can go back.

00:42:52.160 --> 00:42:56.160
But if it is working, we need a way that we can actually land this thing as the default.

00:42:56.160 --> 00:42:57.160
Yeah.

00:42:57.160 --> 00:43:03.160
Right. Right. Right. Right. And the PEP discusses. This is like, we're going to, we're going to see how it goes, which is really interesting.

00:43:03.160 --> 00:43:11.160
But I think it's not breaking in the sense that you can't still run Python 3 with the thing that you've got.

00:43:11.160 --> 00:43:16.160
You just might not be able to enable this free threading aspect of it for some time.

00:43:16.160 --> 00:43:22.160
Whereas from two to three, it's like, you cannot run this library on three period.

00:43:22.160 --> 00:43:28.160
There's no scenario which this is going to work because it needs to take into account this and it doesn't.

00:43:28.160 --> 00:43:29.160
And so it's out.

00:43:29.160 --> 00:43:33.160
So I feel like there's more time and space to evolve it.

00:43:33.160 --> 00:43:44.160
And you could say, well, in this space, you know, in this data science section of the world, we use these seven libraries and we're going to work and make them compatible so that we can get way better performance.

00:43:44.160 --> 00:43:51.160
Or, you know, we're going to work to make sure that FastAPI and Pydantic support it really well so that we can scale our web servers better.

00:43:51.160 --> 00:43:55.160
Yeah, no, this will be huge for, for like web and data.

00:43:55.160 --> 00:43:58.160
I think that a lot of people are excited for this for a really good reason.

00:43:58.160 --> 00:44:00.160
Yeah. Yeah. I totally agree. I totally agree.

00:44:00.160 --> 00:44:02.160
Okay. So this is a big deal.

00:44:02.160 --> 00:44:06.160
It's coming in 3.13, but you've got to run Python T for now.

00:44:06.160 --> 00:44:09.160
Yeah, it's 3.13, but it's also available in the pre-releases.

00:44:09.160 --> 00:44:12.160
The first release candidate for 3.13 is out.

00:44:12.160 --> 00:44:15.160
So give it a test. If you haven't given it a test, give it a test.

00:44:15.160 --> 00:44:16.160
Yeah. Very cool.

00:44:16.160 --> 00:44:19.160
All right. What, what one do we want to talk about next?

00:44:19.160 --> 00:44:22.160
We got just a couple more minutes to cover.

00:44:22.160 --> 00:44:25.160
We've got, what about Python and mobile?

00:44:25.160 --> 00:44:36.160
I think that one's, I know there's the black swan talk that Russell Keith-Magee gave and Carol Willing also sort of shouted out.

00:44:36.160 --> 00:44:43.160
Like there's a couple of places that are really, really important computationally in the world that Python kind of isn't.

00:44:43.160 --> 00:44:44.160
Yeah.

00:44:44.160 --> 00:44:45.160
We should have it there.

00:44:45.160 --> 00:44:47.160
And those number one has got to be mobile.

00:44:47.160 --> 00:44:48.160
Yeah.

00:44:48.160 --> 00:44:50.160
Mobile and front end for me, mobile and front end are the two.

00:44:50.160 --> 00:44:58.160
And like a far distant behind that is like, could I get a single binary out of my app that I can give to someone?

00:44:58.160 --> 00:45:04.160
That's a different, that also is in there, but it's, it's like not as important as, Hey, I want to, I want to build some mobile apps.

00:45:04.160 --> 00:45:07.160
Can I use, you know, I want to learn that with an easy language.

00:45:07.160 --> 00:45:08.160
Can I use Python?

00:45:08.160 --> 00:45:10.160
Like, ask me something else.

00:45:10.160 --> 00:45:11.160
Yeah. Yeah. Right.

00:45:11.160 --> 00:45:12.160
Like next question.

00:45:12.160 --> 00:45:30.160
Yeah. So this was, this was a, it's almost like a, a big status update on where Python is in the mobile space, which is really exciting because they've made a ton of progress on getting like actual tiering of support for these platforms.

00:45:30.160 --> 00:45:38.160
So if you don't know, Python has like platform support tiers where it's like tier one is like x86 Linux, right?

00:45:38.160 --> 00:45:44.160
Like that's a, you know, 90% of PyPI downloads are, are that like, yeah, probably want to support that one.

00:45:44.160 --> 00:45:48.160
And then it's things like macOS, you know, x86 and ARM and all of that.

00:45:48.160 --> 00:45:49.160
Right.

00:45:49.160 --> 00:45:55.160
And then lower down there's tier two, which is, you know, the platforms that they have people that are interested in them.

00:45:55.160 --> 00:45:59.160
But if those people were to go away, then we wouldn't actually have a way to support them.

00:45:59.160 --> 00:46:01.160
And tier three is like even more so.

00:46:01.160 --> 00:46:08.160
Right. So having tier three support for Python, for both Android and iOS for 3.13, like that's super exciting.

00:46:08.160 --> 00:46:11.160
It means that these things are getting actively tested.

00:46:11.160 --> 00:46:17.160
There's like integration testing on real platforms and that there's people that care about it that are fixing bugs.

00:46:17.160 --> 00:46:21.160
And this is exactly what you need to get your platform supported.

00:46:21.160 --> 00:46:27.160
And so this is all being provided by Anaconda funding this project and BeeWare.

00:46:27.160 --> 00:46:38.160
Okay. Yeah, that's right. They are, you know, BeeWare and Keith has been on this for a long time, but Anaconda kind of came along and put more time and energy behind it, in terms of funding and people as well.

00:46:38.160 --> 00:46:41.160
I'm not sure, but certainly in funding, that's awesome.

00:46:41.160 --> 00:47:06.160
Mm hmm. Yeah. So I think this was, it was both a status report and also kind of trying to figure out how these sorts of platforms can get tested more easily and like actually not having constant breaking, because these platforms are so different from, you know, what almost every other core developer is using to develop Python, or a lot more limited in terms of capabilities, and like locked down from a security perspective too.

00:47:06.160 --> 00:47:18.160
And they have no regard for backwards compatibility. I got, I, you know, I have mobile apps for the talk Python courses that are in both iOS and Android's app stores.

00:47:18.160 --> 00:47:25.160
And I'll get messages like, Hey, dear developer, we see that you're built against three-year-old APIs.

00:47:25.160 --> 00:47:46.160
If you don't rebuild and republish your app in the next six months, we're taking it out. The last one I do this for was Google. I'm like three, three years. Okay. Can we, no, we can't get any better compatibility than that. Like I just got to keep re-uploading the same thing. Even if there's no changes. Like, so, you know, that's just a different mentality of like, ah, we changed all that. We don't like that anymore.

00:47:46.160 --> 00:47:59.160
Yeah. Luckily I'm, I'm actually not sure how affected Python in particular is by things like that. Cause that's like utilizing APIs, like mobile SDK APIs versus like the operating system of the phone, which.

00:47:59.160 --> 00:48:11.160
Yeah. Right. Like people would build apps with Python and then they would be subjected to these emails. And it's not even that I was necessarily using any of those APIs. It's just like, we see you're compiled against the wrong version. So try again, you know?

00:48:11.160 --> 00:48:25.160
Yeah, no, the, yeah, the difficulties that I've, at least from, from this talk have, figured out is that like these platforms are just a lot more locked down. So like a lot of system calls won't be available that the test suite like assumes are available always.

00:48:25.160 --> 00:48:30.160
Sure. It's almost like a CircuitPython sort of deal, but not that extreme.

00:48:30.160 --> 00:48:40.160
Yeah. It's like somewhere in the middle and figuring out how to all work together happily and develop on this similar code base that has all these different target platforms.

00:48:40.160 --> 00:48:54.160
Yeah, absolutely. Absolutely. Awesome. Well, I'm, I'm really excited. I'm all here for it. If, if three years ago, I think it was when we started working on those mobile apps, if I could have used Python in a really solid way, a hundred percent, those apps would be built in Python.

00:48:54.160 --> 00:49:07.160
But just, there's so many, so much tooling and stuff around that. You got to create a signed APK before you upload. There's a lot of stuff going on there. And so, hopefully they, they get that. That would be a game changer.

00:49:07.160 --> 00:49:19.160
And just, you know, it's not on, it wasn't here. Almost surprised me that it wasn't here, but front end stuff, WebAssembly, PyScript, Pyodide, all those things I think are in that same realm.

00:49:19.160 --> 00:49:23.160
Although they can just kind of ship stuff to the web because there's no gatekeepers, but still.

00:49:23.160 --> 00:49:24.160
Yeah.

00:49:24.160 --> 00:49:29.160
Was that mentioned anywhere during the summit that just didn't make a post?

00:49:29.160 --> 00:49:36.160
No, Wasm was not, there was no topic about Wasm specifically at, at this language summit.

00:49:36.160 --> 00:49:38.160
Yeah, sure. I think there was the previous year.

00:49:38.160 --> 00:49:39.160
Previous year there was. Yeah.

00:49:39.160 --> 00:49:43.160
Should we make PDB better? Does it matter? Are people using PDB? What do you think?

00:49:43.160 --> 00:49:58.160
Yeah. So this, this was all about PDB, which is Python's debugger, for people that don't know. If you've never used it, it lets you kind of like drop into, set a breakpoint in Python and then drop into that exact spot with all the context and everything, which is really.

00:49:58.160 --> 00:50:02.160
Right. At a lower level. Yeah. At a lower level than a VS Code or PyCharm.

00:50:02.160 --> 00:50:03.160
Right. Exactly. Yeah.

00:50:03.160 --> 00:50:31.160
Like seeing all these like super internals of Python, if that, if that's something that you really need. Right. And so this was a talk that was mostly about, okay, we have PDB, but now we have all of these new models like free threading and all of that. And also we're being a little bit held back by backwards compatibility. There's like a specific, really specific point where, because of backwards compatibility reasons.

00:50:31.160 --> 00:50:52.160
And PDB is a part of the Python standard library. It becomes difficult to break backwards compatibility, even if it would mean you get a bunch of really good stuff out of it. You can't always do that because people are depending on it. And I think that the, yeah, the recommendation was maybe we should develop this outside of the standard library so we can, you know, be, yeah.

00:50:52.160 --> 00:51:00.160
Break backwards compatibility if it's not necessary and, and make it so that we can support multiple versions instead of just having it be per version. And yeah.

00:51:00.160 --> 00:51:11.160
Yeah. Yeah. That's, that's a good idea. That's exactly what I was thinking. 'Cause you know, there's the whole dead batteries talk. Like, does this still belong here? I'm not necessarily thinking this should not be in Python, but you know, yeah.

00:51:11.160 --> 00:51:18.160
Yeah. Yeah. Something broken out maybe, but take that exact code, break it out, but you know, enhance it kind of independently.

00:51:18.160 --> 00:51:29.160
Yeah. And I think the concern from, from some people in the room was that, oh, if we break this out onto PyPI, then it would potentially mean that it would not get the same level of contribution that PDB sees because it's part of Python. Right. Sure. And I mean, totally valid in my opinion too. Like being a part of Python is a huge, like blessing of like, yeah, this is something important. Right.

00:51:29.160 --> 00:51:59.140
But I think that there's, there's other ways to signal that that's something important. Like if you look at like mypy, mypy is underneath the Python GitHub organization. And so maybe something like that, right. Where it's this tool that is very actively used by core developers for development. And it is a little bit more,

00:51:59.140 --> 00:52:19.040
more official than, you know, just some random person putting something up on PyPI. Yeah. This is core developers supporting this. And Black is that way too, I believe. Right. It is. Yeah. So maybe something to signal just a little bit more of an official. This is a core developer tool. Here's why you should contribute to it instead of just, you know, a random project on PyPI. Yeah. Which definitely wouldn't be in that case.

00:52:19.040 --> 00:52:29.120
It would not. It would definitely not. All right. How about, how about a quick review of maybe some, some of the lightning talks? Yeah. Any of these stands?

00:52:29.120 --> 00:52:56.120
out. You know, obviously Rust and Python is seriously a one. Yeah. Emily's talk was, yeah. I was going to say, Emily's got a good one. Emily has a really good one because, and this is like, it's, it's almost meta, right? Because lightning talks are not submitted ahead of time. You actually have to submit them during other people's talks. Like to the list that you want to talk about this and then put together some slides really quickly.

00:52:56.120 --> 00:53:09.020
So yeah, these talks are pretty impressive in that way having your minutes, but the Emily's talk was about, it was kind of like wrapping up a theme that was being heard multiple times over the course of the language summit.

00:53:09.120 --> 00:53:26.980
But obviously this is a problem outside of the language summit too, which is that when someone goes to make a prototype for a PEP, they are given, at least today, not a whole lot of support for doing that prototype, because it's basically like, oh, we think that this should be developed outside of the standard library.

00:53:27.400 --> 00:53:49.400
Initially, right. Like that's a really common determination that the steering council comes to. And so being able to have kind of like a, a standardized way that people do a PEP prototype outside of the standard library. So things like creating a repo and like having all of this existing infrastructure set up and, maybe even hosting it under the Python.

00:53:49.400 --> 00:54:05.860
So to the Python GitHub organization to give it some like air of officiality of like, yeah, this is something like really big is happening here. It's not just like someone in a corner writing something right. Like giving some more grandiosity to, to the work that's being done and not just kind of saying, oh, go away.

00:54:05.860 --> 00:54:10.080
Like that is a question. Right. But that's kind of how it can land sometimes.

00:54:10.080 --> 00:54:20.320
Right. And maybe setting up people for success, at least this is what we're going to expect from you. If you go through this process, then you've got, you're further down the pipeline of having that conversation for a PEP.

00:54:20.320 --> 00:54:41.700
Yeah, definitely. And like, if you're wanting to write something that is for Python, you know, you probably don't necessarily care about like setting up these exact workflows for publishing to PyPI. Like that's just a whole bunch of things that are in your way to actually being successful. So having that all be figured out already ahead of time for you makes things a lot easier for you.

00:54:41.700 --> 00:55:04.360
Yep. Yep. Yep. Yep. Let's, let's finish out with Yury Selivanov's presentation, efficient data sharing between sub interpreters. And it's interesting because we talked about free threaded Python, but the year before the big news was sub interpreters and Eric Snow's work. And those are not directly competing type of things, but in a sense, they're kind of competing.

00:55:04.360 --> 00:55:12.300
Yeah, they're definitely competing for being like the model of how to do efficient, you know, parallelism in Python.

00:55:12.300 --> 00:55:27.860
Yeah. Yeah. How do we isolate the stuff so that we can avoid the GIL and we take it out and add different algorithms, or do we just make copies of the interpreter and run them in isolation? But then you have this data sharing issue. I can't just share a pointer easily. Right. So what's this about?

00:55:27.860 --> 00:55:40.140
Yeah. So Yury basically came with, and this was also a, if you want the extended version, Yury also gave like an actual PyCon talk about this library that he's developed called MemHive.

00:55:40.140 --> 00:55:41.400
And then, yeah. What's it called?

00:55:41.400 --> 00:55:44.740
MemHive. Like M-E-M-H-I-V-E. Yeah.

00:55:44.740 --> 00:55:52.040
All right. Awesome. And just for everyone listening, just this week, last week, recently, all the videos of all the talks are now available on YouTube.

00:55:52.040 --> 00:55:55.200
So it's been a while coming, but you can go watch it now.

00:55:55.420 --> 00:55:58.640
Exactly. So go watch them all. If you, if you missed out on my talk, go watch them.

00:55:58.640 --> 00:56:06.160
But yeah, this, so this library in particular is, it's basically a way using immutable data structures.

00:56:06.160 --> 00:56:14.420
There's this immutable data structure called an H-A-M-T. I actually don't know what it's short for, but it's a hash, hash array map tree.

00:56:14.420 --> 00:56:16.440
There we go. It was in the, I wrote it down.

00:56:18.420 --> 00:56:30.100
And it's essentially like a way to have this tree that can be passed around and shared without like worrying what the other processes, sub interpreters are.

00:56:30.100 --> 00:56:31.180
They're not processes.

00:56:31.180 --> 00:56:33.580
The other sub interpreters are doing to this data structure.

00:56:33.700 --> 00:56:38.260
So it enables a more efficient and safe way of sharing data.

00:56:38.260 --> 00:56:40.100
That's kind of like in a tree structure.

00:56:40.100 --> 00:56:50.520
And I think one, the demo that he ended up giving was about a dictionary like data structure where, you know, you have a million keys and a bunch of sub interpreter workers working on that data.

00:56:50.520 --> 00:56:59.260
And they're able to, because it is using this immutable data structure, the modifications and changes are all safe, but it's also like super scalable and performant.

00:56:59.260 --> 00:56:59.620
Yeah.

00:56:59.620 --> 00:57:00.100
Yeah.

00:57:00.100 --> 00:57:00.560
Yeah.

00:57:00.560 --> 00:57:06.540
The thing about parallelism and multi-threading is if it's immutable, you can have many things as you want reading from the same memory.

00:57:06.540 --> 00:57:08.140
It's only when they start writing, does it matter?

00:57:08.140 --> 00:57:08.540
So.

00:57:08.540 --> 00:57:09.200
Exactly.

00:57:09.200 --> 00:57:09.640
Yeah.

00:57:09.640 --> 00:57:17.760
This, this like has a way, a mechanism to capture the writes in a way that is safe so that like the current one can see what has been written.

00:57:17.760 --> 00:57:22.020
And then the other ones aren't affected because their copy is not changed.

00:57:22.020 --> 00:57:22.500
Okay.

00:57:22.500 --> 00:57:23.380
That sounds very interesting.

00:57:23.380 --> 00:57:28.640
We talked about the coming compatibility matrix of free threaded Python.

00:57:28.640 --> 00:57:30.720
This won't have that issue, right?

00:57:30.720 --> 00:57:33.380
This operates in the every version of Python.

00:57:33.380 --> 00:57:33.860
Yeah.

00:57:33.860 --> 00:57:40.300
So this, I would assume that this sort of module would be able to say like, I am ready for a GIL-free world.

00:57:40.420 --> 00:57:49.820
So that's like the mechanism that I believe CPython has, has adopted for saying that your C module is ready for not having a GIL.

00:57:49.820 --> 00:57:51.100
You actually have to opt into it.

00:57:51.100 --> 00:57:55.060
And then that module will, will be allowed to run in a free threaded Python.

00:57:55.060 --> 00:57:55.660
Yeah.

00:57:55.660 --> 00:58:01.060
It's something I recently learned is there's separate wheel builds for free threaded Python as well.

00:58:01.060 --> 00:58:01.500
Yeah.

00:58:01.500 --> 00:58:01.560
Yeah.

00:58:01.560 --> 00:58:02.680
That's, that's interesting.

00:58:02.680 --> 00:58:03.180
Yeah.

00:58:03.180 --> 00:58:03.860
It's its own.

00:58:03.860 --> 00:58:09.360
I don't know exactly the phrase for it, but yeah, its own wheel tag platform target or whatever.

00:58:09.360 --> 00:58:10.300
Yeah.

00:58:10.300 --> 00:58:10.620
Yeah.

00:58:10.620 --> 00:58:11.080
Yeah.

00:58:11.080 --> 00:58:15.040
Like free threaded gets appended to, you know, macOS ARM64 or whatever.

00:58:15.040 --> 00:58:16.080
Exactly.

00:58:16.080 --> 00:58:16.620
Yeah.

00:58:16.620 --> 00:58:17.320
Awesome.

00:58:17.320 --> 00:58:18.240
All right.

00:58:18.240 --> 00:58:19.900
Seth, this has been great.

00:58:19.900 --> 00:58:21.480
How about some parting thoughts?

00:58:21.480 --> 00:58:22.340
Let's close this out.

00:58:22.340 --> 00:58:25.680
Let's just do takeaways from, from the whole experience.

00:58:26.060 --> 00:58:26.240
Yeah.

00:58:26.240 --> 00:58:28.540
I mean, the language summit is lovely.

00:58:28.540 --> 00:58:33.260
One of the things that's like most important to me is like this whole aspect of storytelling.

00:58:33.260 --> 00:58:37.880
And so that's why I felt really, really happy that I was invited along to, to be able to tell

00:58:37.880 --> 00:58:38.800
these stories to all of you.

00:58:38.800 --> 00:58:44.180
And I think that having all of these different narratives all in one place of all of these huge

00:58:44.180 --> 00:58:48.000
themes about what Python is going through all at once, right?

00:58:48.000 --> 00:58:54.680
Like it's really incredible how many different things are happening in Python all at once.

00:58:54.880 --> 00:58:59.040
Because like sometimes when you're focusing on just one or just two, you know, you don't

00:58:59.040 --> 00:59:04.020
have this huge context of, wow, Python is changing in like at least 20 different ways all at once.

00:59:04.020 --> 00:59:05.900
And we're somehow doing really, really well.

00:59:05.900 --> 00:59:11.200
I would say like, yeah, I have no doubt about any of any of these huge changes that Python

00:59:11.200 --> 00:59:14.300
is going through, like to, to take it in the wrong direction.

00:59:14.300 --> 00:59:16.400
Like I'm feeling hopeful and excited about all of them.

00:59:16.400 --> 00:59:17.680
So it's an exciting time.

00:59:17.680 --> 00:59:18.860
Yeah, I am as well.

00:59:18.940 --> 00:59:23.500
And it is really tricky to get a picture, a holistic picture of, of the progress.

00:59:23.500 --> 00:59:28.400
Cause there's a lot of different groups doing different things and there's no one person's

00:59:28.400 --> 00:59:32.540
or one company's job to get somebody to come and tell that story.

00:59:32.540 --> 00:59:33.240
So yeah.

00:59:33.240 --> 00:59:34.900
Thanks for giving us the insight here.

00:59:34.900 --> 00:59:35.360
It's been awesome.

00:59:35.360 --> 00:59:36.100
Yeah.

00:59:36.100 --> 00:59:38.740
Thanks for being on the show and I'm sure we'll have you back soon.

00:59:38.740 --> 00:59:39.140
Yeah.

00:59:39.140 --> 00:59:39.740
Sounds good.

00:59:39.740 --> 00:59:40.460
Thanks for having me.

00:59:40.680 --> 00:59:41.080
See ya.

00:59:41.080 --> 00:59:44.420
This has been another episode of Talk Python To Me.

00:59:44.420 --> 00:59:46.220
Thank you to our sponsors.

00:59:46.220 --> 00:59:47.840
Be sure to check out what they're offering.

00:59:47.840 --> 00:59:49.260
It really helps support the show.

00:59:49.260 --> 00:59:53.660
This episode is sponsored by Posit Connect from the makers of Shiny.

00:59:53.660 --> 00:59:58.180
Publish, share, and deploy all of your data projects that you're creating using Python.

00:59:58.180 --> 01:00:04.740
Streamlit, Dash, Shiny, Bokeh, FastAPI, Flask, Quarto, Reports, Dashboards, and APIs.

01:00:04.740 --> 01:00:07.140
Posit Connect supports all of them.

01:00:07.400 --> 01:00:12.820
Try Posit Connect for free by going to talkpython.fm/posit, P-O-S-I-T.

01:00:12.820 --> 01:00:14.440
Want to level up your Python?

01:00:14.440 --> 01:00:18.500
We have one of the largest catalogs of Python video courses over at Talk Python.

01:00:18.500 --> 01:00:23.660
Our content ranges from true beginners to deeply advanced topics like memory and async.

01:00:23.660 --> 01:00:26.320
And best of all, there's not a subscription in sight.

01:00:26.320 --> 01:00:29.240
Check it out for yourself at training.talkpython.fm.

01:00:29.240 --> 01:00:34.200
Be sure to subscribe to the show, open your favorite podcast app, and search for Python.

01:00:34.200 --> 01:00:35.420
We should be right at the top.

01:00:35.900 --> 01:00:40.580
You can also find the iTunes feed at /itunes, the Google Play feed at /play,

01:00:40.580 --> 01:00:44.780
and the direct RSS feed at /rss on talkpython.fm.

01:00:44.780 --> 01:00:47.760
We're live streaming most of our recordings these days.

01:00:47.760 --> 01:00:51.160
If you want to be part of the show and have your comments featured on the air,

01:00:51.160 --> 01:00:55.580
be sure to subscribe to our YouTube channel at talkpython.fm/youtube.

01:00:55.580 --> 01:00:57.640
This is your host, Michael Kennedy.

01:00:57.640 --> 01:00:58.940
Thanks so much for listening.

01:00:58.940 --> 01:01:00.100
I really appreciate it.

01:01:00.100 --> 01:01:02.020
Now get out there and write some Python code.

01:01:02.020 --> 01:01:22.900
I'll see you next time.