« Episode page WebVTT format On GitHub

#475: Python Language Summit 2024 Transcript

Recorded on Thursday, Aug 22, 2024.

00:00 Every year, the core developers meet to discuss and propose the major changes and trends in Python itself.

00:05 This invite-only conference of about 50 people happens inside PyCon in the U.S.

00:11 Because it's private, we rarely get detailed looks inside this event.

00:15 On this episode, we have Seth Michael Larson here to give us his account of the sessions and proposals.

00:21 It's a unique look into the zeitgeist of CPython.

00:25 This is Talk Python to Me, episode 475, recorded August 22, 2024.

00:31 Are you ready for your host?

00:33 You're listening to Michael Kennedy on Talk Python to Me.

00:37 Live from Portland, Oregon, and this segment was made with Python.

00:41 Welcome to Talk Python to Me, a weekly podcast on Python.

00:47 This is your host, Michael Kennedy.

00:49 Follow me on Mastodon, where I'm @mkennedy, and follow the podcast using @talkpython.

00:55 Both accounts over at Fostadon.org.

00:58 And keep up with the show and listen to over nine years of episodes at talkpython.fm.

01:03 If you want to be part of our live episodes, you can find the live streams over on YouTube.

01:07 Subscribe to our YouTube channel over at talkpython.fm/youtube and get notified about upcoming shows.

01:14 This episode is sponsored by Posit Connect from the makers of Shiny.

01:18 Publish, share, and deploy all of your data projects that you're creating using Python.

01:22 Streamlit, Dash, Shiny, Bokeh, FastAPI, Flask, Quattro, Reports, Dashboards, and APIs.

01:28 Posit Connect supports all of them.

01:31 Try Posit Connect for free by going to talkpython.fm/posit.

01:35 P-O-S-I-T.

01:37 And it's also brought to you by us over at Talk Python Training.

01:41 Did you know that we have over 250 hours of Python courses?

01:46 Yeah, that's right.

01:47 Check them out at talkpython.fm/courses.

01:49 Hey, Seth.

01:51 Welcome back to Talk Python to Me.

01:52 Hey, Michael.

01:53 Awesome to have you here.

01:55 I'm really excited to get a look into the zeitgeist of the core devs and the people building Python for us through the Python Language Summit.

02:05 Yeah, let's do it.

02:06 Let's do it.

02:07 So we're going to talk about the 2024 Language Summit that happened in Pittsburgh.

02:13 It's like an embedded mini conference inside of PyCon, which is smart rather than trying to travel all over.

02:21 But before we get into that and all those things, I know you've been on the show not too long ago, but for those who may have missed your introductions, you know, who are you?

02:28 What do you do for Python these days?

02:29 I'm Seth Larson, and I've been working at the Python Software Foundation for a little over a year now as the security developer in residence.

02:37 And so that means that I do a lot of stuff related to security just for the entire Python ecosystem.

02:43 That's CPython, PIP, packaging ecosystem, like outwardly facing things for PyPI, maybe not as much the internals.

02:52 I leave that for Mike Fiedler, the PyPI safety and security engineer.

02:55 And I maintain a lot of open source projects specifically in like the HTTP and internet space.

03:01 So like requests, your lib3, trust store, things like that.

03:05 Oh, awesome.

03:05 Yeah.

03:06 Thanks for everything you're doing there.

03:07 And how's the role working out?

03:10 I know this is one of you were the first person in this role, like officially, right?

03:14 Is that true?

03:14 That is true.

03:15 Yeah.

03:15 I was the first security oriented hire at the PSF.

03:20 It's been going really great.

03:22 I mean, I feel like we've made a lot of improvements and there's a lot of exciting stuff that I'm working on today.

03:28 And I don't know, I think one of the things that also got highlighted, because this role exists, it just means that more people at the PSF and in CPython core team and just in the Python ecosystem in general are talking more about security.

03:43 And like, that's just as important as the stuff that I'm doing day to day is that it's just, there's just more awareness of what's happening in security.

03:50 Yeah.

03:50 So I have two polar opposite thoughts here.

03:54 One is I'm really surprised how few significant issues there are in Python, CPython, you know, the interpreter, the runtime, the standard library, all that.

04:07 It's really rare that you get a red light splashing.

04:11 Oh my gosh, go patch your systems now.

04:15 Right.

04:15 There's sometimes really minor things like this audit trail is not completely followed under this condition, but that's not a, the pager goes off and you know, cause you got, it's now a race.

04:25 That's one thing.

04:27 So that's awesome.

04:28 Right.

04:28 That the other is PyPI, typo squatting, all the, all the stuff that makes Python extra good, the half million packages and other shady things people do.

04:40 And we're going to talk about this in the broader sense, not PyPI, but you know, in the open source space of like, well, what if, what if somebody took over a GitHub account for a little while or, or something?

04:50 Yeah.

04:50 So, and that, that's not on fire, but that's, there are battles being waged actively there.

04:57 I would say, right?

04:58 A hundred percent.

04:58 So it's a contrast, right?

05:00 There, I can speak with confidence that there is malware on PyPI right now as we speak, but like, yeah.

05:05 So that's, that's the case, right?

05:07 I think it really has to do with CPython is an incredibly mature project in like every sense of the word, like governance, security, design, all of these things.

05:17 Right.

05:18 And like, there's just a huge amount of people and resources being, being work, like working on CPython at any one moment.

05:25 And like contrast that to the, you said half a million, you know, I tend to focus on the like 95% of downloads by totality.

05:34 Right.

05:35 Because there, there's a lot of projects on PyPI that maybe don't have the supply chain criticality of others.

05:40 Right.

05:41 But yeah, absolutely.

05:42 A hundred percent.

05:43 And when you, I think when you hone in on that smaller window of projects, it ends up being a much better picture than,

05:51 I think it's, I think it's a hundred percent good picture.

05:53 Honestly, there are legitimate bugs that people have to deal with.

05:57 Like, you know, maybe there's a Django release that says we didn't validate the CRF token in, in this particular form.

06:04 So you should update your Django.

06:06 Right.

06:06 And that's, that's just a legit bug.

06:08 That's not people attempting to do bad things.

06:10 I mean, I can't even take really any credit for how secure and mature CPython is.

06:15 I'm such a late addition in the life of CPython, and like PyPI projects.

06:21 And so it really is the community.

06:23 I think it is just, there's so much investment and so much love and care happening in all these projects that it does speak volumes.

06:30 But that, I mean, that doesn't mean that we need to think that things need to be perfect or that it's necessarily a bad thing to have a vulnerability in a, in a project.

06:37 Because there's projects that are even more mature than CPython that have vulnerabilities all the time.

06:43 It's totally normal.

06:44 I think the important thing is just like knowing what to do when that happens.

06:48 And that's where I come in.

06:49 Yeah.

06:50 I don't want to belabor this because you know, the security angle.

06:52 Wow.

06:53 Interesting to me and central to what you're up to is not the topic, but I do think it's interesting that, the white house recently came out.

07:01 I think it was the white house.

07:02 It said we recommend Python and a couple other languages.

07:06 We basically, we, we recommend memory safe languages, which did you see that post?

07:10 You must have, right?

07:11 I certainly did.

07:12 And I actually had a, a big part of recommending that to the white house.

07:17 So when the.

07:18 No kidding.

07:19 I had no idea.

07:20 Yeah.

07:21 So the, the PSF, we responded to the request for information that CISA put out, or the office of the cyber director put out.

07:28 Yeah.

07:29 I think a year and change ago.

07:30 And in that post, we recommended CPython and Python in general as a memory safe language and went into all the details about like, yes, it's written in C, but like the language itself.

07:42 What people will actually be programming in is Python.

07:45 And we also emphasized how Python is a bridge into memory unsafe languages.

07:50 And because of all the focus on performance lately, it's actually like sometimes in some cases more performant to keep the code written in Python as opposed to writing it in C.

08:00 And so we emphasize a whole bunch of stuff.

08:01 And so I think that that had a, a small percentage of, of the reason why that was recommended.

08:07 Put it, put it, put it on the radar and positioned it correctly.

08:10 Maybe.

08:11 Exactly.

08:11 Awesome.

08:12 Well, congratulations.

08:13 I was just going to say that's kind of interesting, but I'll join more to it than that.

08:16 There's a lot happening behind the scenes.

08:18 Yeah.

08:20 Yeah.

08:20 There is.

08:21 All right.

08:21 Shall we talk about this language summit thing?

08:23 Let's do it.

08:24 Let's do it.

08:25 So, let's just, I mean, I gave it sort of a, a vague intro.

08:30 You wrote a nice blog post about it here on the Python blog.

08:34 just give us a sense of what the language summit, what is it for?

08:38 Is this something is like an open space I can go to or not?

08:42 No.

08:42 So, so it is, it is a specific space for Python core developers, to use.

08:50 And so I think the, the whole goal of this is to get a bunch of core developers in a room

08:55 together to discuss things, and to kind of get some recommendations, some ideas flowing,

09:02 maybe without necessarily like having the full formed thought, right.

09:08 Because like putting something out there, like completely radically changing the direction of

09:11 Python, that that's, that's, that's a lot to put that out just publicly, whatever.

09:16 And so this is like a place to collaborate for core developers and some special guests

09:21 because they're not everyone that's there as a core developer, but it is invite.

09:24 So you have to like apply to go and say why you want to go.

09:27 And then, yeah.

09:28 So it's not just folks who were, I can't remember if it was Sebastian Ramirez or Samuel Colvin

09:34 or something around the typing thing.

09:35 I remember some of those folks might've been at one of them because they're like, wait, we

09:40 can't change typing to be more performant where it completely ignores the runtime stuff.

09:44 Cause we have all these frameworks.

09:45 Right.

09:46 Right.

09:46 Yeah.

09:47 Yeah.

09:47 But the, the language summit, it, it's a whole bunch of different, like submitted topics.

09:51 People will talk and then there's discussion and some outcome.

09:55 Maybe there's no outcome.

09:56 Maybe there's like next steps.

09:58 Maybe we solve some problems within the time of the meeting.

10:02 And yeah, my job there was to, to actually like take down all the notes and write about

10:07 it and like publish these blog posts.

10:09 Cause one of the, one of the reasons why this is allowed to be like an invite only meeting is

10:13 that there is someone who is basically taking.

10:16 So I think it's a real careful balance.

10:17 Yeah.

10:18 And like, yeah.

10:19 And like what happened during the discussion so that the community can learn about what

10:24 actually happened without necessarily, you know, getting the rawness of it, I guess.

10:28 Yeah.

10:29 Yeah.

10:29 There's a real careful balance.

10:31 You got to strike between allowing the freedom to say whatever without public scrutiny.

10:36 But at the same time, you don't want it to be like, well, the Python cabal met.

10:40 They've decided.

10:41 Exactly.

10:42 They don't like, they don't like your idea or whatever.

10:44 Exactly.

10:45 Yeah.

10:47 It's cool.

10:47 So I'll point people up.

10:49 Obviously it's going to be in the show notes.

10:50 Point people at your writeup.

10:52 It's like a meta post, I guess.

10:54 Would you say that?

10:55 It's, it talks about, you know, sort of landing page.

10:58 Landing page.

10:59 Exactly.

11:00 Four, one, two, three, four, five, six, seven, eight, nine.

11:03 And then nine topics and presentations that were covered.

11:07 And then the lightning talks, which is also almost like another sub meta section.

11:11 So there's a, there's a lot to explore here and there's nice write-ups on each of these.

11:15 So where should we start?

11:17 And we want to kind of wrap up the conversation we were just having, because that was actually

11:22 a little bit of a topic at the language summit, right?

11:25 Yeah.

11:26 Security was definitely a topic at the language summit.

11:29 This, this was somewhat in the, in the recent light, like the light of XZ when XZ had happened.

11:35 Pablo, one of the release managers for CPython 3.10 and 3.11, I believe, brought this topic.

11:42 And it was basically discussing Python's like contribution and release and all of that model

11:49 in the light of XZ.

11:51 So like XZ, I'll just go over really quickly.

11:54 Yeah.

11:54 I'm sure.

11:55 Tell people about XZ.

11:56 Yeah.

11:56 I'm sure a lot of people have like heard of it at this point.

11:59 It was such a long game deal.

12:03 It was crazy.

12:04 So yeah.

12:05 What is the scary part?

12:06 What is XD utils?

12:07 And then what is the XC utils security issue?

12:10 Yeah.

12:10 So XD utils is a library written in C for basically processing archives of the XZ format, which is

12:20 just a compression format, like GZip, like any other compression format, Zotflee, Bratly, all

12:27 of those.

12:28 And so this library was maintained by a single person, big surprise.

12:34 And what is relatively little known, right?

12:38 Before all of this happened, I would say it was probably just adding features, fixing bugs

12:43 every once in a while, make a release and all of that.

12:46 And what ended up happening is this project was identified as a project that had very few

12:54 maintainers and also through a series of reasons had a linkage to SSH.

13:01 And so what ended up happening?

13:02 Yep.

13:03 And so SSH was...

13:05 If you can get into SSH and SSHD, then bad things are going to happen.

13:09 Yeah.

13:09 So the whole end goal of this entire operation was to get access to OpenSSH through like linking,

13:17 basically.

13:18 And so what ended up happening is a bunch of fake sock puppet accounts showed up after

13:25 this loan maintainer indicated that they were having a little bit of trouble maintaining the

13:30 project and like meeting user demands.

13:32 Like these sock puppet accounts show up like days before they were actually used and all kind

13:38 of in similar fashion, right?

13:40 And basically are pressuring this maintainer to either make them feel like they're not doing

13:46 a good job or to try to add a new maintainer.

13:49 In this case, Giatan is the pseudonym that this account used.

13:54 And what ended up happening is over a year of like legitimate positive contribution from this

14:03 account, this account was added as a like equivalent to a release manager, right?

14:08 Like someone who is approving PRs and merging things and is capable of accessing the actual archives

14:14 when releases happen.

14:15 And then a good chunk of time passes after that.

14:19 And there's a couple of little changes added that on their own are not an attack, but it

14:26 was preparing for an attack where essentially a small change was added into the release archives

14:34 that was not a part of the source tree that activated the entire attack chain.

14:39 And then when this started to like be pulled in downstream into things like Fedora, early

14:46 versions of Red Hat, this never went into any stable builds, but it was all the pre-releases.

14:50 This ended up getting onto people's machines and then was eventually discovered because of a very

14:56 small performance difference when logging into SSH.

15:00 Yeah.

15:01 And that was somebody who wasn't even looking, forgot the person's name, but they worked at

15:05 Microsoft and they were just on the Azure team or something.

15:08 And they, they just were like, why did this slow down a little bit?

15:10 That's weird.

15:11 And they're like, wait a minute, what is this doing in here?

15:14 Yeah.

15:15 It was on the verge.

15:16 And you know, what a long game.

15:18 One person, one account came along and was just, you know, I'm going to hear to help you.

15:23 I'm just going to make, I'm going to try to just become your best friend contributor.

15:27 And then another one is just abusing, like mentally abusing the people.

15:32 Like, why don't you just quit?

15:33 Why don't you get some more support?

15:34 And then like, who, well, let me reach out to some people who are helping me out recently.

15:38 And it turns out these are like two sides of the same coin.

15:41 Yep.

15:41 Exactly.

15:42 Yeah.

15:42 Shady.

15:43 Okay.

15:44 Luckily that got caught.

15:45 Cause you know, there's a lot of servers in the world that can be SSHed into.

15:48 And like, well, we got, you know, public private key encryption.

15:52 You can't break through that stuff.

15:54 Long as you don't use passwords, like you're going to be fine unless you're not.

15:57 So I received a lovely email on the day that this happened.

16:02 Report to the security response team for Python, because we of course use the XC utils libraries

16:09 because Python sports XC format as well.

16:12 And I, there was a, there was a lovely few seconds where I'm like, oh, this is either going to

16:16 be a fine day for me or a really bad day.

16:19 And it ended up being a fine day.

16:21 So that's good.

16:22 It's like, are we going to be canceling all our plans for next year?

16:26 Yeah.

16:27 Yep.

16:27 Am I going to have lots of questions to answer from like a concerned customers, users,

16:32 but it was fine.

16:33 Yeah.

16:34 Yeah.

16:34 I find this kind of stuff is a lot like everything's fine.

16:37 You relax.

16:38 Just work's going good.

16:40 Life's going good.

16:41 And then, you know, something's on fire just out of the blue and you have this, you know,

16:45 it takes your breath away moment.

16:46 Like, oh, does that apply to us as well?

16:49 Cause if it does, everything just changed.

16:51 And yeah, really glad I did.

16:55 This portion of talk Python to me is brought to you by Posit, the makers of Shiny, formerly

17:00 RStudio and especially Shiny for Python.

17:03 Let me ask you a question.

17:05 Are you building awesome things?

17:07 Of course you are.

17:08 You're a developer or a data scientist.

17:09 That's what we do.

17:10 And you should check out Posit Connect.

17:12 Posit Connect is a way for you to publish, share, and deploy all the data products that

17:18 you're building using Python.

17:20 People ask me the same question all the time.

17:22 Michael, I have some cool data science project or notebook that I built.

17:25 How do I share it with my users, stakeholders, teammates?

17:29 Do I need to learn FastAPI or Flask or maybe Vue or React.js?

17:34 Hold on now.

17:35 Those are cool technologies and I'm sure you'd benefit from them, but maybe stay focused on

17:39 the data project.

17:40 Let Posit Connect handle that side of things.

17:42 With Posit Connect, you can rapidly and securely deploy the things you build in Python.

17:47 Streamlit, Dash, Shiny, Bokeh, FastAPI, Flask, Quarto, Ports, Dashboards, and APIs.

17:53 Posit Connect supports all of them.

17:55 And Posit Connect comes with all the bells and whistles to satisfy IT and other enterprise

18:01 requirements.

18:01 Make deployment the easiest step in your workflow with Posit Connect.

18:06 For a limited time, you can try Posit Connect for free for three months by going to talkpython.fm

18:11 slash Posit.

18:12 That's talkpython.fm/P-O-S-I-T.

18:15 The link is in your podcast player show notes.

18:17 Thank you to the team at Posit for supporting Talk Python.

18:21 One of the talks was Python security model after this issue, the XC utils backdoor.

18:28 Tell us about that.

18:29 Yeah.

18:29 So this entire talk was essentially just overviewing like, hey, is this possible?

18:35 Is this possible for CPython to be impacted by such an attack?

18:39 And I mean, the answer is yes.

18:40 It really is.

18:41 Because if you have accounts that are willing to put years of effort into contributing good

18:48 code to CPython, right?

18:50 Like that, that is enough to become a core developer likely.

18:54 And if you're a core developer, it means you can merge PRs.

18:57 It means if you, I mean, if you get two core developer accounts promoted to this level of authorization, you can merge your own PRs with review, right?

19:05 Like we're the big focus on this talk was like, okay, how, how can we prevent this?

19:10 And if we in, in the ways that we can't prevent it, how can we be ready?

19:14 And kind of like a discussing whether or not we're ready at this point.

19:18 And I think the big consensus was that if we were to discover something like this that had already been merged into Python or had been released in Python, that we would be okay to be able to, to get it to like, get the word out.

19:32 Like that sort of infrastructure already exists.

19:34 And we're not too worried about that.

19:35 Like we're a CNA.

19:36 We can create a CVE really quickly.

19:38 We can get like the announcements out really quickly.

19:41 We can get releases out really quickly.

19:42 So like in that way, the reactive sense, we're okay.

19:46 In the proactive sense there, which is the more important one, but it's also the harder one.

19:51 We, yeah.

19:53 Because when nation states hire people to say the next three years of your job, it's, it's almost like, it's like a team, like a spy.

20:01 Yeah.

20:01 For multiple years.

20:02 It's like the CIA or MI6 or something, you know, on the code side, you know.

20:08 To be honest with you, it doesn't even need to necessarily be like nation state level stuff for this to happen.

20:13 That's true.

20:13 Because vulnerabilities in popular pieces of software are very, very lucrative.

20:20 You can sell them and people make a lot of money on selling vulnerabilities to projects.

20:25 But so why not grow your own, right?

20:27 Yeah.

20:30 Yeah.

20:31 So.

20:31 Go ahead.

20:32 One of the things I think is great is there's a really long release cycle.

20:35 Yeah.

20:35 Right.

20:36 And like a staged rollout.

20:38 So I don't know how many people jump in and install alpha one of some Python, but it's, it's pretty limited and it's not going to make it.

20:46 No, no.

20:47 Of course.

20:47 I know.

20:48 I see you raise your hand.

20:48 But I think that's going to be a good thing.

20:53 I think that's going to be a good thing.

20:54 update channel.

20:55 I think that's going to be a good thing.

20:56 I think that's going to be a good thing.

20:57 I think that's going to be a good thing.

20:58 I think that's going to be a good thing.

20:59 I think that's going to be a good thing.

21:00 I think that's going to be a good thing.

21:01 I think that's going to be a good thing.

21:02 I think that's going to be a good thing.

21:03 I think that's going to be a good thing.

21:04 I think that's going to be a good thing.

21:05 I think that's going to be a good thing.

21:06 I think that's going to be a good thing.

21:07 I think that's going to be a good thing.

21:08 I think that's going to be a good thing.

21:09 I think that's going to be a good thing.

21:10 I think that's going to be a good thing.

21:11 I think that's going to be a good thing.

21:12 I think that's going to be a good thing.

21:13 I think that's going to be a good thing.

21:14 I think that's going to be a good thing.

21:15 I think that's going to be a good thing.

21:16 I think that's going to be a good thing.

21:17 I think that's going to be a good thing.

21:18 I think that's going to be a good thing.

21:19 I think that's going to be a good thing.

21:20 I think that's going to be a good thing.

21:21 I think that's going to be a good thing.

21:22 I think that's going to be a good thing.

21:23 I think that's going to be a good thing.

21:24 I think that's going to be a good thing.

21:25 I think that's going to be a good thing.

21:26 I think that's going to be a good thing.

21:27 I think that's going to be a good thing.

21:28 I think that that helps in a way.

21:31 Obviously, people that are living on the edge, maybe they're the more valuable targets, but I mean, I'm not going to be the one to encourage that.

21:39 Yeah, I don't think that I think the biggest defenses against this, and this was what was discussed there, was trying to push things to be in the open.

21:50 Actually, in a way, open source is uniquely able to respond and be defended against for these sorts of attacks.

21:58 Because if this were to happen in Windows, for example, would we have had the almost immediate being able to debug what the actual attack was, how long this had been going on, what patches were bad?

22:12 Like that sort of visibility into the source code is something that was really important in being able to actually track this thing down.

22:19 Yeah.

22:20 And so having test files and binary files not checked into source code and instead generated.

22:26 So one of the parts of this attack that allowed it to go hidden for so long and be checked into source code was that almost all of the attack code was hidden extremely well in a binary file, which made it so that code reviewers could-

22:40 Some of the test binary elements.

22:43 Because if you've got a compression file utility, you've got to have compressed files for your unit test, right?

22:48 Mm-hmm.

22:49 Exactly.

22:50 So it was basically these files were checked in and there's just huge binary blobs that you can't actually get your eyeballs on to review.

22:57 We talk about like lots of eyeballs make for shallow bugs.

23:00 Well, if the eyeballs can't see the bugs, then you're not going to find them.

23:04 And so we talked about like removing binary files from the source code or making sure that all the binary files that are generated have like a script that allows them to generate at any time and things like that.

23:15 So is it one of the changes recently?

23:18 I can't remember if this was on IPI or if this is a GitHub thing, but allowing GitHub to be the thing that publishes directly builds the wheels and uploads them to PI PI rather than somebody downloading the code, building them and uploading it, which obviously that's a opaque step there.

23:36 Yeah, so other like other things that tie more strongly these whatever release artifacts are actually ending up on people's machines to the source code.

23:46 So that's I mean, I would call that build provenance.

23:49 There's a whole bunch of different frameworks that that works under.

23:53 But yeah, build provenance being able to tie in an artifact that's installed in your system back to the actual source code so that when you are evaluating that that artifact on whether you want to install that on your system or deciding whether to upgrade or whatever, you can look at the source code instead of writing at this like compiled binary.

24:12 That's something that I really want to focus on for like PI PI in the future.

24:15 But yeah, we're not there.

24:16 Awesome.

24:17 Yeah.

24:18 When you because when you look at a project, you say, well, let me see what the releases on GitHub.

24:22 If you know that literally that was the thing that compiled or got built and then that's what's on PI PI.

24:28 That's a different forensic analysis than.

24:31 Exactly.

24:32 Well, it's somebody's machine.

24:33 What it ends up nice like being nice is that it and this is the tough part is that I feel like a lot of people's behavior, which is to go on GitHub and say, you know, I'm going to get a lot of the work.

24:41 I'm going to get to go on GitHub and look at the diff between like tags.

24:44 That's what a lot of people do, but that's not actually what you should do.

24:47 You should be looking at the diff between the artifacts.

24:50 That's the thing that's actually installed on your machine, but that's way harder to do than looking at the tags.

24:54 So exactly.

24:55 We just crowdsource it.

24:56 We're all crowdsourcing it.

24:57 Like wait for the way we are.

24:59 I know where we are.

25:02 All right.

25:03 We're just related to this while we're still on this topic.

25:05 You know, you talked about the somewhere.

25:09 There we go.

25:10 There's also a big news around CVEs, which are official vulnerability numbering.

25:16 So they're referenced through all those cybersecurity talk and stuff.

25:23 Right.

25:24 You can describe it better.

25:25 But so big news is that the PSF now, and you alluded to this, is now an official numbering authority.

25:31 So rather than saying there's a problem with Python, who is going to sort of officially call this out and write it up and so on.

25:39 Like you guys can do that directly now.

25:40 Right.

25:41 Yeah.

25:42 So like CVEs are basically it's a set of identifiers and records that show what's like a bunch of metadata about vulnerabilities in software is what it is.

25:52 And it's only one system.

25:53 And it's only one system.

25:53 There are a bunch of other like vulnerability databases, but CVE seems to be the one that everyone uses or references.

25:59 And so what being a CVE numbering authority gives us is it makes it so that someone at the PSF can like operate the CVE UI and workflow and all of that to say like, oh, we want to create a new CVE ID on behalf of the Python team or on behalf of the pip team.

26:19 And what that ends up meaning is that because we are part of the process instead of having to go to some other entity.

26:27 So like Mitre or Red Hat or, you know, Microsoft, there's a whole bunch of CNAs.

26:32 There's a there's over 100 now, I think.

26:34 Instead of going to someone else that, you know, isn't as well versed in Python or, you know, our release schedule or any of those things.

26:43 Right. We get to inject the knowledge that we have about Python into all of these records, into all these advisories.

26:50 And it makes it so that we don't actually have to talk to someone else to be able to handle a vulnerability and to end.

26:56 Right. So like before you would potentially have a reporter going to talk to someone else and getting a CVE ID and then they would come talk to us.

27:04 And by that point, like it was it's hard to like make a determination and there's a whole bunch of things have already happened.

27:10 And maybe there's messes that need to get cleaned up to make sure that it's not confusing.

27:13 So by owning the entire process, we're able to make sure that things are as little confusing as possible.

27:20 Like what actually needs to be done for users when we publish these things?

27:24 Yeah, that's great. I want to move off the security angle here because I know there's so much more to talk about.

27:30 However, you know, but you guys do it. Have you considered or ever run any sort of bug bounty program?

27:36 We don't have a bug bounty program right now. I mean, the hard part with the bug bounty program is it takes money.

27:41 So if if you would like to see a bug bounty program happening at the PSF, get in touch with the PSF. Send email.

27:49 Yeah, I think incentives are really aligned there.

27:52 There's a lot of companies that have this tooling at the center of their data center.

27:57 So maybe.

27:58 Yeah, maybe.

27:58 Maybe. Maybe. Maybe we can make it happen.

28:00 All right. Next up, the REPL or the PI REPL for the Python PI REPL.

28:05 What's the deal with this?

28:06 Yeah, so this was a a talk that was given by a couple of different core devs.

28:12 I think this included a bunch of people. Pablo, Lukash and Lissandros all gave this talk and it was about, hey, this new REPL that's coming in Python 3.13.

28:23 Here's all the cool stuff that it can do and how it makes the usability so much better for people.

28:29 And they demoed a whole bunch of the new features, which was really exciting.

28:33 There was lots of applause showing off a few of these like little little features.

28:38 And I think that the the other side of it is like because this new REPL is written in Python and not written in C, it lowers the barrier for contributions and maintenance drastically.

28:50 Before the REPL was like super entwined with like the parser and all of these other really low level details of Python that a lot of people probably didn't want to get involved with if they didn't have to.

29:02 Versus this where it's this completely separate and much more easy to contribute to piece of software.

29:09 Yeah. And did this come from the PyPy project?

29:13 Yes, this was PYPy. And I think that there's been some some back and forth contributing back, contributing forward, all of that, which is also really great. Right. Having one REPL shared between two different implementations.

29:24 Yeah, that's great. Just working and working better together. More people working on it.

29:28 I always caught PYPy because some people call Python packaging index PyPy.

29:34 But that's also this other thing. So anyway, it's a part of every one of my days. Right.

29:40 I'm sure that I because a lot of the times, you know, a significant percentage of my work as a security person is being in working groups that are not Python related at all.

29:50 And yeah, there's a lot of PyPys flying around. Yeah.

29:53 You talk about NumP being on PyPy and you're like, OK, hold on.

29:56 Hold on. Could be two different things.

30:00 There's a lot going on here.

30:01 Yeah. So this is really interesting.

30:04 I haven't really played with it much.

30:06 I honestly don't spend a ton of time in the bear Python REPL.

30:10 Like if I'm I'm REPLing a lot of times I'm in the JetBrains sort of enhanced REPL that's inside PyCharm, something like that.

30:19 But and I think partly because there was a lot of challenges with the bear Python REPL, right?

30:25 There's no autocomplete. But worse than that was if you've got a five line function and you want to edit it, you've kind of got to go to the top heart hitter.

30:33 Like it's it really was hard to work with blocks of code.

30:37 There's no color, things like that.

30:40 Yeah. Color is the standard for you don't have color in your terminal at this point.

30:44 Like even 20 basically given up at that point.

30:47 I have an emoji and you don't have color. I mean, emojis.

30:51 Got to have like the rainbow prompt, maybe like the logo of the thing that starts a starship.

30:57 Oh, yeah. I was well. I didn't even consider the ASCII art and possibly the ASCII art in color.

31:01 No, seriously, though, I do think it sounds like a minor deal, but just the readability of having highlighting and stuff.

31:09 Yeah. Syntax highlighting is huge. Syntax highlighting is like really huge.

31:12 That's not a part of the current REPL, I don't think.

31:14 But like it becomes much more possible because this PyRipple exists.

31:19 Yeah, exactly. Yeah.

31:21 I think that like the biggest thing, yeah, like the whole blocks of code.

31:25 I just remember the demo of them showing like, oh, you have like five lines.

31:29 You have to hit up, up, up like four times hit enter.

31:32 It's just like, oh, my God.

31:33 If you mess it up, you got to start over.

31:34 You got to start over.

31:35 And you're just, you're just sad.

31:37 You just contemplate putting it in a file instead of doing this in the REPL.

31:40 Exactly. That's why I'm not in there.

31:42 I avoid being in there because it's hard.

31:44 This will be really, really great for people that are just starting Python journey.

31:48 Because I think that a lot of people learning and starting off will use the REPL straight up.

31:53 Yes.

31:54 Instead of an IDE.

31:55 Like having this, there was a big focus on like teachability and documenting it and making it work the same.

32:01 Like if you actually like read the post, like what the discussions were about for like everyone is basically totally in favor.

32:07 They loved it.

32:08 But they wanted to make sure that this was going to be like a consistent experience.

32:11 Specifically, like Carol Willing had this big point about like having a consistent experience being really important for teaching Python across different operating systems.

32:21 So.

32:22 Yeah.

32:22 And something a little bit, a little bit better than up, up, up five times and don't get it out of order.

32:26 Exactly.

32:27 Yeah.

32:28 So I guess one of the, I don't know if this was discussed, but one of the challenges of this, I think is it requires, and it's not necessarily bad, but just a challenge is I think it requires the new windows terminal rather than say CMD.exe, the older style.

32:44 So it just works out of the box on macOS and on Linux, but on windows, you got to be a little careful about how you run it.

32:49 Is that right?

32:49 So I actually don't know what the current status of all of this is because the time has marched on since these blog posts have happened.

32:56 Yeah.

32:57 Yeah.

32:58 There has been a lot of work done on the windows side that the current team, like the team that presented this didn't have any windows experience.

33:05 And so they didn't know really how hard it was going to be.

33:09 I think that there's been a lot of strides in the windows side of things.

33:12 So I think the situation's better.

33:14 I don't know offhand if CMD that exe is supported or if it's just the new windows terminal, but I, yeah, I think it's fine.

33:21 It was sitting in windows terminal.

33:22 Like people need to be using that thing.

33:24 Anyway, it's true.

33:25 It's like opening up on your Mac and just having like the bare white bash, I guess it's Z shell these days, but just the completely, you know, non fixed font.

33:35 Like, what is this thing that you are running?

33:37 Like, you're like, the terminal is horrible.

33:39 Like, well, that thing is, but you know, you could make it a lot nicer by the way.

33:42 And, you know, it's, it's similar, trade off there.

33:46 Right.

33:47 And windows world.

33:48 So, okay.

33:49 Exactly.

33:50 Interesting.

33:51 Next one is, should we, should we adopt?

33:54 Should we adopt calendar versioning?

33:56 We're beyond zero verse.

33:58 So that's really good.

33:59 But there's been a, a reluctance to have Python four, but we've got three 12, three 13.

34:06 Are we just going to have three dot 128 or should we come up with something else?

34:12 Right.

34:13 What is calendar versioning and should we adopt it and how many digits should it have?

34:16 Yeah.

34:17 So this was, presented on by Hugo, who is the new release manager for Python three 14 and 15, which maybe that's a little presumptive saying those numbers.

34:27 cause if this goes through, that would not be the case anymore.

34:30 he's going to work himself straight out of a job here.

34:33 What's going on?

34:34 Yeah.

34:35 this is, this was, there were definitely jokes about like, this is just your attempt to, to get out of being the release manager for these releases.

34:43 but yeah, that, so Hugo proposed this, what this is kind of like a pre PEP feeling out of how this situation should be.

34:52 And like trying to pare down the options, I think was Hugo's biggest, biggest question or what should we do it?

34:58 And should we pare down the options?

35:00 Cause there's a million different ways we can do calendar versioning.

35:02 and yeah, I think if you scroll down, there was like a slide that had just, you know, every single possible calendar versioning possibility for Python and all the different languages.

35:13 but yeah, counter version is like really common for programming languages and other things that are similar to Python.

35:19 and so this was basically like, Hey, we have this yearly release cycle that is been working for a while and we're probably going to keep doing it.

35:28 Should we, it's worth pointing out for people who don't know that it used to be 18 months.

35:32 And so the calendar version, it would get a little out of phase or something there, but now, now that it's yearly in the fall, it really lines up perfectly.

35:40 Yeah.

35:41 And so this kind of assumes that we're going to keep doing the yearly thing, which I'm fine with the yearly thing, but yeah, as, as long as we kept the yearly schedule, it would look like.

35:49 Like the release year would line up with whatever the, so it would be like the ended, the one that was like most agreed upon was like three dot.

35:58 And then a two digit year, or what would end up becoming a three digit year when we roll over to a hundred, assuming that Python's still using them, you know, a hundred years.

36:06 but yeah, so like, that was kind of like the one that was most palatable to core devs or people were most excited about.

36:12 And I think the big reason why switching to like a Calver year was interesting is that we have this thing called like support lifetime.

36:21 So like how long is CPython supported?

36:24 How long do you get security fixes?

36:26 How long do you get bug fixes?

36:27 and so being able to do math is easier.

36:30 Yeah, exactly.

36:31 Like, let me put this out to the audience.

36:33 Is Python 3.8 supported or is it not supported?

36:36 I don't know.

36:37 You gotta do, you gotta do math.

36:38 You gotta think about it.

36:39 yeah.

36:40 yeah, so three, seven just recently dropped support, right?

36:43 Which is crazy.

36:44 Cause that seems like a pretty new version of my mind, but I totally make sense.

36:48 but if you just knew it's supported for how many years, six years, five years, it's five years for security releases, I believe.

36:55 Yeah.

36:56 So then you're like, it's 2025.

36:58 So, you know, 20, 20 out becomes a lot easier.

37:01 And there was also say like, do I have the current one, right?

37:05 If you're not tracking it super carefully, like three 11, is that the latest?

37:08 Like, I don't know.

37:09 I only use Python every like once a month.

37:11 What was the 2023?

37:12 Oh, I see.

37:13 Well, I mean, that's not the latest one.

37:14 Okay.

37:15 Yeah.

37:16 So it was just an interesting conversation about figuring out what the best potential option

37:20 was.

37:21 And then Hugo ended up creating a pep.

37:22 And I think that's being discussed right now.

37:24 So cool.

37:25 Why not 2024?

37:27 Why 24?

37:28 Because that feels, I don't know.

37:30 It just feels like you've just point shifted what you're doing now rather than, then really

37:36 clearly.

37:37 Because, you know, as a new person coming in, you don't see that go, it's 24.

37:40 So it must be 2024.

37:41 And unless you really like put together the calendar.

37:44 But if it's a dot 2024, you're like, I bet that's the year, you know?

37:48 Right.

37:49 Yeah.

37:50 And then eventually in the not too distant future, there will be a Python 3.24.

37:54 Exactly.

37:55 Yeah.

37:56 We'll see.

37:57 So there's going to be a PEP around this, you say.

37:58 In fact, it says right here, PEP 604, right?

38:01 I think it's pep.

38:02 What is it like?

38:03 Well, you know, that's just the yearly announcement.

38:05 That's the yearly cycle.

38:06 If you scroll down all the way to the bottom, it'll, I think it's like peps.

38:09 Yeah.

38:10 There's a lot of peps.

38:11 Drafting.

38:12 It just says drafting a pep.

38:13 Oh, give that a click.

38:14 I'm pretty sure there's a number 2026.

38:16 There we go.

38:17 Okay.

38:18 Yeah.

38:19 Oh, so that's going to be a while.

38:20 So they released this pep.

38:21 Well, so the, I'm just kidding.

38:23 The most, the most important part of this discussion was that the, the Python version 3.14 be, be preserved.

38:32 Python.

38:33 Yeah.

38:34 Well, it wasn't allowed for three, three 14 to change it.

38:38 Yeah.

38:39 The only thing that I can think of that you would have the two digits is that there's a lot of code and regular expressions and junk out there that checks for that.

38:46 But you know, if we talk about some of the other stuff out there, like that's a pretty minor change.

38:51 Like for example, free thread Python.

38:53 Yes.

38:54 Free thread Python.

38:55 It's here.

38:56 It is here.

38:57 Sort of.

38:58 You know, what actually really surprised me is that when I saw this PEP come through, was it 702 or something like that?

39:03 It said, we're going to allow free threaded Python, which I'm going to have you explain for folks in a moment, but you're going to have to have a special build of it.

39:11 And I thought, oh, well, that means if you want to play with it, you're going to have to build your own.

39:15 But I noticed that the installers now give you an option for it.

39:18 Yeah, they do.

39:19 Yeah.

39:20 The installers.

39:21 Side by side install.

39:22 Right.

39:23 Yeah.

39:24 That gets put onto your actual like.

39:26 Yes.

39:27 Python T is what you type instead of Python.

39:29 Yeah.

39:30 If you want the free threaded one.

39:31 Yeah.

39:32 It.

39:32 I mean, free threading is here.

39:34 I mean, there's options.

39:35 If you're compiling yourself, you just enable some options.

39:38 And I think I go over that in the actual blog post to the options that you actually use to try it out.

39:43 And yeah, it free threading essentially is it's a way to remove the GIL and move to a different like reference counting model object counting model.

39:54 And which is quite exciting for a lot of people, but it will what it will end up meaning is that a lot of the packages that are written in C or that are relying on CPython APIs will have to get either, you know, tweaked a little bit to like use these slightly different C APIs to make it so that they play nicely with having no

40:13 no GIL enabled and with the new memory management.

40:16 Yeah.

40:17 Yeah.

40:18 It's super exciting.

40:19 It's a variety of changes in the ecosystem basically.

40:20 Yeah.

40:21 Just because you have threads doesn't mean you get perfect scalability across the cores.

40:26 Can't remember who wrote this article.

40:28 Is it Simon Wilson?

40:30 Maybe.

40:31 Who did some.

40:32 Yeah.

40:33 I'm pretty sure Simon Wilson wrote one that said, look, we're going to take an algorithm that can is kind of embarrassingly parallel and parallelize it.

40:40 And it turned out to be something like 50% gain per core.

40:45 So it was like he had eight cores and it was four times faster with three threaded Python than without, which is still, if you can get your code to run four times faster, that's still really good.

40:55 Right.

40:56 Yeah.

40:57 It's going to have, like you said, I think it's going to have an interesting requirement put on all the people building packages.

41:05 Right.

41:06 Yeah.

41:06 And I know when I hear people say, I think maybe you just said like, oh, it's going to be the C extension packages that are really going to have to deal with it.

41:14 They, they'll have to do locks in their thing.

41:17 I think even in the Python code, there's certainly algorithms that have multiple steps that they'll get some data here.

41:25 They'll work with the data.

41:26 They'll make some changes.

41:27 Then they'll put the data back in the same place.

41:29 And even that would be subject to a race condition.

41:32 Yeah.

41:33 I think we're, you know, I've in long in the past did a lot of C++.

41:37 I did a lot of C# and in communities like that, people are like always focused.

41:41 They're like, always kind of crazy about two things, memory and threading.

41:45 Right.

41:46 And we just don't do that in Python.

41:48 We just, I think we have just leveraged the fact that the Gil gives us kind of enough core screen granularity, the execution of our code, that it's just not something we hit a lot.

41:59 And we don't try to do a ton of threading because it doesn't work all that well.

42:03 However, this, this could expose lots of stuff.

42:06 This could put a new focus on that.

42:08 Yeah, definitely.

42:09 Yeah.

42:10 Just having more people using threading with Python that that's going to be huge for finding thread safety issues.

42:17 Yeah.

42:19 It's, it's just really exciting.

42:20 I think that, and there's another blog post, a completely separate one that talks about like the C API.

42:26 And there was some mention about like free threading and evolving the API so that it's a lot easier to use from a three, a free threading perspective.

42:33 so like there's a ton of work happening in here to make this as easy, hopefully brief kind of split in the ecosystem and then have it converge together.

42:45 And then we're going to, we're going to, we're going to, we're going to have a way that if this is really not working out, we can go back.

42:52 But if it is working, we need a way that we can actually land this thing as the default.

42:56 Yeah.

42:57 Right. Right. Right. Right. And the PEP discusses. This is like, we're going to, we're going to see how it goes, which is really interesting.

43:03 but I think it's not breaking in the sense that you can't still run Python three with the thing that you've got.

43:11 You just might not be able to enable this free threading aspect of it for some time.

43:16 Whereas from two to three, it's like, you cannot run this library on three period.

43:22 There's no scenario which this is going to work because it needs to take into account this and it doesn't.

43:28 And so it's out.

43:29 So I feel like there's more time and space to evolve it.

43:33 And you could say, well, in this space, you know, in this data science section of the world, we use these seven libraries and we're going to work and make them compatible so that we can get way better performance.

43:44 Or, you know, we're going to work to make sure that FastAPI and Pydantic support it really well so that we can scale our web servers better.

43:51 Yeah, no, this will be huge for, for like web and data.

43:55 I think that a lot of people are excited for this for a really good reason.

43:58 Yeah. Yeah. I totally agree. I totally agree.

44:00 Okay. So this is a big deal.

44:02 It's coming in three 13, but you've got to run Python T for now.

44:06 Yeah, it's a three 13, but it's also available in the pre releases.

44:09 The first release candidate for three 13 is out.

44:12 So give it a test. If you haven't given it a test, give it a test.

44:15 Yeah. Very cool.

44:16 All right. What, what one do we want to talk about next?

44:19 We got just a couple more minutes to cover.

44:22 We've got, what about Python and mobile?

44:25 I think that one's, I know there's the black swan talk that Keith Russell McGee gave and Carol willing also sort of shouted out.

44:36 Like there's a couple of places that are really, really important computationally in the world that Python kind of isn't.

44:43 Yeah.

44:44 We should have it there.

44:45 And those number one has got to be mobile.

44:47 Yeah.

44:48 Mobile and front end for me, mobile and front end are the two.

44:50 And like a far distant behind that is like, could I get a single binary out of my app that I can give to someone?

44:58 That's a different, that also is in there, but it's, it's like not as important as, Hey, I want to, I want to build some mobile apps.

45:04 Can I use, you know, I want to learn that with an easy language.

45:07 Can I use Python?

45:08 Like, ask me something else.

45:10 Yeah. Yeah. Right.

45:11 Like next question.

45:12 Yeah. So this was, this was a, it's almost like a, a big status update on where Python is in the mobile space, which is really exciting because they've made a ton of progress on getting like actual tiering of support for these platforms.

45:30 so if you don't know, Python has a like platform support tiers where it's like tier one is like x86 Linux, right?

45:38 Like that's a, you know, 90% of PI PI downloads are, are that like, yeah, probably want to support that one.

45:44 and then it's things like macOS, you know, x86 and arm and all of that.

45:48 Right.

45:49 and then lower down there's tier two, which is, you know, the platforms that they have people that are interested in them.

45:55 But if those people were to go away, then we wouldn't actually have a way to support them.

45:59 And tier three is like even more so.

46:01 Right. so having tier three support, for Python, for both Android and iOS for three 13, like that's super exciting.

46:08 It means that these things are getting actively tested.

46:11 there's like integration testing on real platforms and that there's people that care about it that are fixing bugs.

46:17 And this is exactly what you need, to get your platform supported.

46:21 And so this is all being provided by Anaconda funding this project and be aware.

46:27 Okay. Yeah, that's right. They are, you know, be aware and Keith has been on this for a long time, but in a kind of come along and put more time and energy behind it, in terms of funding and people as well.

46:38 I'm not sure, but certainly in funding, that's awesome.

46:41 Mm hmm. Yeah. So I think this was, it was both a status report and also kind of trying to figure out how these sorts of platforms can get tested, more easily and like actually not having constant breaking because these platforms are so different from, you know, what almost every other core developer is using to develop a Python or a lot more limited in terms of capabilities, and like locked down in a security perspective too.

47:06 And they have no regard for backwards compatibility. I, I got, I, you know, I have mobile apps for the talk Python courses that are in both iOS and Android's app stores.

47:18 And I'll get messages like, Hey, dear developer, if, we see that you're built against three year old APIs.

47:25 If you don't rebuild and republish your app in the next six months, we're taking it out. The last one I do this for was Google. I'm like three, three years. Okay. Can we, no, we can't get any better compatibility than that. Like I just got to keep re-uploading the same thing. Even if there's no changes. Like, so, you know, that's just a different mentality of like, ah, we changed all that. We don't like that anymore.

47:46 Yeah. Luckily I'm, I'm actually not sure how affected Python in particular is by things like that. Cause that's like utilizing APIs, like mobile SDK APIs versus like the operating system of the phone, which.

47:59 Yeah. Right. Like people would build apps with Python and then they would be subjected to these emails. And it's not even that I was necessarily using any of those APIs. It's just like, we see you're compiled against the wrong version. So try again, you know?

48:11 Yeah, no, the, yeah, the, the difficulties that I've, at least from, from this talk have, figured out is that like these platforms are just a lot more locked down. So like a lot of system calls won't be available that the test suite like assumes are available always.

48:25 Sure. It's almost like a circuit Python sort of deal, but not that extreme.

48:30 Yeah. It's like somewhere in the middle and figuring out how to all work together happily and develop on this similar code base that has all these different target platforms.

48:40 Yeah, absolutely. Absolutely. Awesome. Well, I'm, I'm really excited. I'm all here for it. If, if three years ago, I think it was when we started working on those mobile apps, if I could have used Python in a really solid way, a hundred percent, those apps would be built in Python.

48:54 But just, there's so many, so much tooling and stuff around that. You got to create a signed APK before you upload. There's a lot of stuff going on there. And so, hopefully they, they get that. That would be a game changer.

49:07 And just, you know, it's not on, it wasn't here. Almost surprised me that it wasn't here, but front end stuff, WebAssembly, PySerscripts, Pyodide, all those things I think are in that same realm.

49:19 Although they can just kind of ship stuff to the web because there's no gatekeepers, but still.

49:23 Yeah.

49:24 Was that mentioned anywhere during the summit that just didn't make a post?

49:29 No, Wasm was not, there was no topic about Wasm specifically at, at this language summit.

49:36 Yeah, sure. I think there was the previous year.

49:38 Previous year there was. Yeah.

49:39 Should we make PDB better? Does it matter? Are people using PDB? What do you think?

49:43 Yeah. So this, this was all about PDB is Python's debugger for people that don't know. if you've never used it, it lets you kind of like drop into set a breakpoint in Python and then drop into that exact spot with all the context and everything, which is really.

49:58 Right. At a lower level. Yeah. At a lower level than a VS Code or PyCharm.

50:02 Right. Exactly. Yeah.

50:03 Like seeing all these like super internals of Python, if that, if that's something that you really need. Right. and so this was a talk, that was mostly about, okay, we're, we have PDB, but now we have all of these new models like free threading and all of that. And also we're being a little bit held back by backwards compatibility. there's like a specific, really specific point where, because of backwards compatibility reasons.

50:31 And PDB is a part of the Python standard library. It becomes difficult to break backwards compatibility, even if it would mean you get a bunch of really good stuff out of it. you can't always do that because people are depending on it. And I think that the, yeah, the recommendation was maybe we should develop this outside of the standard library so we can, you know, be, yeah.

50:52 Break backwards compatibility if it's not necessary and, and make it so that we can support multiple versions instead of just having it be per version. And yeah.

51:00 Yeah. Yeah. That's, that's a good idea. That's exactly what I was thinking. Cause you know, there's the whole dead batteries talk. Like, does this still belong here? I'm not necessarily thinking this should not be in Python, but you know, yeah.

51:11 Yeah. Yeah. Something broken out maybe, but take that exact code, break it out, but you know, enhance it kind of independently.

51:18 Yeah. And I think the concern from, from some people in the room was that, oh, if we break this out onto PPI, then it would potentially mean that it would not get the same level of contribution that PDB sees because it's part of Python. Right. Sure. And I mean, totally valid in my opinion too. Like being a part of Python is a huge, like blessing of like, yeah, this is something important. Right. Um.

51:29 But I, I think that there's, there's other ways to signal that that's something important. Like if you look at like my pie, my pie is underneath the Python GitHub organization. And so maybe something like that, right. Where it's this tool that is very actively used by core developers for development. And it is a little bit more,

51:59 more official than, you know, just some random person putting something up on pipe. Yeah. This is core developers supporting this. And black is that way too, I believe. Right. It is. Yeah. So maybe something to signal just a little bit more of an official. This is a core developer tool. Here's why you should contribute to it instead of just, you know, a random project on pipe. Yeah. Which definitely wouldn't be in that case.

52:19 It would not. It would definitely not. All right. How about, how about a quick review of maybe some, some of the lightning talks? Yeah. Any of these stands?

52:29 out. You know, obviously Rust and Python is, seriously a one. yeah. Emily's talk was, yeah. I was going to say, Emily's got a good one. Emily has a really good one because, and this is like, it's, it's almost meta, right? Because lightning talks, are not submitted ahead of time. You actually have to submit them during other people's talks. like to the list that you want to talk about this and then put together some slides really quickly.

52:56 So yeah, these talks are pretty impressive in that way having your minutes, but the Emily's talk was about, it was kind of like wrapping up a theme that was being heard multiple times over the course of the language summit.

53:09 but obviously this is a problem outside of the language summit too, which is that when someone goes to make a prototype for a pep, they are given at least today, not a whole lot of support, for doing that prototype because it's basically like, oh, we think that this should be developed outside of the standard library.

53:27 initially, right. Like that's a really common, determination that the steering council comes to. and so being able to have kind of like a, a standardized way that people do a PEP prototype outside of the standard library. So things like creating a repo and like having all of this existing infrastructure set up and, maybe even hosting it under the Python.

53:49 So to the Python GitHub organization to give it some like air of officiality of like, yeah, this is something like really big is happening here. It's not just like someone in a corner writing something right. Like giving some more grandiosity to, to the work that's being done and not just kind of saying, oh, go away.

54:05 Like that is a question. Right. But that's kind of how it can land sometimes.

54:10 Right. And maybe setting up people for success, at least this is what we're going to expect from you. If you go through this process, then you've got, you're further down the pipeline of having that conversation for a pep.

54:20 Yeah, definitely. And like, if you're wanting to write something that is for Python, you know, you probably don't necessarily care about like setting up these exact workflows for publishing to PyPI. Like that's just a whole bunch of things that are in your way to actually being successful. So having that all be figured out already ahead of time for you makes things a lot easier for you.

54:41 Yep. Yep. Yep. Yep. Let's, let's finish out with Yuri Silvanov's presentation, efficient data sharing between sub interpreters. And it's interesting because we talked about free threaded Python, but the year before the big news was sub interpreters and Eric Snow's work. And those are not directly competing type of things, but in a sense, they're kind of competing.

55:04 Yeah, they're definitely competing for being like the, the model of how to do efficient, you know, parallelism in Python.

55:12 Yeah. Yeah. How do we isolate the stuff so that we can avoid the guilt and we take it out and add different algorithms or do we just make copies of the interpreter and run them in isolation? But then you have this data sharing issue. I can't just share a pointer easily. Right. So what's this about?

55:27 Yeah. So Yuri basically came with, and this was also a, if you want the extended version, Yuri also gave like an actual PyCon talk about this library that he's developed called MemHive.

55:40 And then, yeah. What's it called?

55:41 MemHive. Like M-E-M-H-I-V-E. Yeah.

55:44 All right. Awesome. And just for everyone listening, just this week, last week, recently, all the videos of all the talks are now available on YouTube.

55:52 So it's been a while coming, but you can go watch it now.

55:55 Exactly. So go watch them all. If you, if you missed out on my talk, go watch them.

55:58 But yeah, this, so this library in particular is, it's basically a way using immutable data structures.

56:06 There's this immutable data structure called an H-A-M-T. I actually don't know what it's short for, but it's a hash, hash array map tree.

56:14 There we go. It was in the, I wrote it down.

56:18 And it's essentially like a way to have this tree that can be passed around and shared without like worrying what the other processes, sub interpreters are.

56:30 They're not processes.

56:31 The other sub interpreters are doing to this data structure.

56:33 So it enables a more efficient and safe way of sharing data.

56:38 That's kind of like in a tree structure.

56:40 And I think one, the demo that he ended up giving was about a dictionary like data structure where, you know, you have a million keys and a bunch of sub interpreter workers working on that data.

56:50 And they're able to, because it is using this immutable data structure, the modifications and changes are all safe, but it's also like super scalable and performant.

56:59 Yeah.

57:00 Yeah.

57:00 The thing about parallelism and multi-threading is if it's immutable, you can have many things as you want reading from the same memory.

57:06 It's only when they start writing, does it matter?

57:08 So.

57:08 Exactly.

57:09 Yeah.

57:09 This, this like has a way, a mechanism to capture the rights in a way that is safe so that like the current one can see what has been written.

57:17 And then the other ones aren't affected because their copy is not changed.

57:22 Okay.

57:22 That sounds very interesting.

57:23 We talked about the coming compatibility matrix of free threaded Python.

57:28 This won't have that issue, right?

57:30 This operates in the every version of Python.

57:33 Yeah.

57:33 So this, I would assume that this sort of module would be able to say like, I am ready for a guild free world.

57:40 So that's like the mechanism that I believe CPython has, has adopted for saying that your C module is ready for not having a guild.

57:49 You actually have to opt into it.

57:51 And then that module will, will be allowed to run in a free threaded Python.

57:55 Yeah.

57:55 It's something I recently learned is there's separate wheeled builds for free threaded Python as well.

58:01 Yeah.

58:01 That's, that's interesting.

58:02 Yeah.

58:03 It's its own.

58:03 I don't know exactly the phrase for it, but yeah, its own wheel tag platform target or whatever.

58:09 Yeah.

58:10 Yeah.

58:11 Like free threaded gets appended to, you know, macOS arm 64 or whatever.

58:15 Exactly.

58:16 Yeah.

58:16 Awesome.

58:17 All right.

58:18 Seth, this has been great.

58:19 How about some parting thoughts?

58:21 Let's close this out.

58:22 Let's just take aways from, from the whole experience.

58:26 Yeah.

58:26 I mean, the language summit is lovely.

58:28 One of the things that's like most important to me is like this whole aspect of storytelling.

58:33 And so that's why I felt really, really happy that I was invited along to, to be able to tell

58:37 these stories to all of you.

58:38 And I think that having all of these different narratives all in one place of all of these huge

58:44 themes about what Python is going through all at once, right?

58:48 Like it's really incredible how many different things are happening in Python all at once.

58:54 Because like sometimes when you're focusing on just one or just two, you know, you don't

58:59 have this huge context of, wow, Python is changing in like at least 20 different ways all at once.

59:04 And we're somehow doing really, really well.

59:05 I would say like, yeah, I have no doubt about any of any of these huge changes that Python

59:11 is going through, like to, to take it in the wrong direction.

59:14 Like I'm feeling hopeful and excited about all of them.

59:16 So it's an exciting time.

59:17 Yeah, I am as well.

59:18 And it is really tricky to get a picture, a holistic picture of, of the progress.

59:23 Cause there's a lot of different groups doing different things and there's no one person's

59:28 or one company's job to get somebody to come and tell that story.

59:32 So yeah.

59:33 Thanks for giving us the insight here.

59:34 It's been awesome.

59:35 Yeah.

59:36 Thanks for being on the show and I'm sure we'll have you back soon.

59:38 Yeah.

59:39 Sounds good.

59:39 Thanks for having me.

59:40 See ya.

59:41 This has been another episode of Talk Python to Me.

59:44 Thank you to our sponsors.

59:46 Be sure to check out what they're offering.

59:47 It really helps support the show.

59:49 This episode is sponsored by Posit Connect from the makers of Shiny.

59:53 Publish, share, and deploy all of your data projects that you're creating using Python.

59:58 Streamlit, Dash, Shiny, Bokeh, FastAPI, Flask, Quarto, Reports, Dashboards, and APIs.

01:00:04 Posit Connect supports all of them.

01:00:07 Try Posit Connect for free by going to talkpython.fm/posit, P-O-S-I-T.

01:00:12 Want to level up your Python?

01:00:14 We have one of the largest catalogs of Python video courses over at Talk Python.

01:00:18 Our content ranges from true beginners to deeply advanced topics like memory and async.

01:00:23 And best of all, there's not a subscription in sight.

01:00:26 Check it out for yourself at training.talkpython.fm.

01:00:29 Be sure to subscribe to the show, open your favorite podcast app, and search for Python.

01:00:34 We should be right at the top.

01:00:35 You can also find the iTunes feed at /itunes, the Google Play feed at /play,

01:00:40 and the direct RSS feed at /rss on talkpython.fm.

01:00:44 We're live streaming most of our recordings these days.

01:00:47 If you want to be part of the show and have your comments featured on the air,

01:00:51 be sure to subscribe to our YouTube channel at talkpython.fm/youtube.

01:00:55 This is your host, Michael Kennedy.

01:00:57 Thanks so much for listening.

01:00:58 I really appreciate it.

01:01:00 Now get out there and write some Python code.

01:01:02 I'll see you next time.

Back to show page