Podcasts about pypi

Python has many string formatting styles which have been added to the language over the years. Early Python used the % operator to injected formatted values into strings. And we have string.format() which offers several powerful styles. Both were verbose and indirect, so f-strings were added in Python 3.6. But these f-strings lacked security features (think little bobby tables) and they manifested as fully-formed strings to runtime code. Today we talk about the next evolution of Python string formatting for advanced use-cases (SQL, HTML, DSLs, etc): t-strings. We have Paul Everitt, David Peck, and Jim Baker on the show to introduce this upcoming new language feature. Episode sponsors Posit Auth0 Talk Python Courses Links from the show Guests: Paul on X: @paulweveritt Paul on Mastodon: @pauleveritt@fosstodon.org Dave Peck on Github: github.com Jim Baker: github.com PEP 750 – Template Strings: peps.python.org tdom - Placeholder for future library on PyPI using PEP 750 t-strings: github.com PEP 750: Tag Strings For Writing Domain-Specific Languages: discuss.python.org How To Teach This: peps.python.org PEP 501 – General purpose template literal strings: peps.python.org Python's new t-strings: davepeck.org PyFormat: Using % and .format() for great good!: pyformat.info flynt: A tool to automatically convert old string literal formatting to f-strings: github.com Examples of using t-strings as defined in PEP 750: github.com htm.py issue: github.com Exploits of a Mom: xkcd.com pyparsing: github.com Watch this episode on YouTube: youtube.com Episode transcripts: talkpython.fm --- Stay in touch with us --- Subscribe to Talk Python on YouTube: youtube.com Talk Python on Bluesky: @talkpython.fm at bsky.app Talk Python on Mastodon: talkpython Michael on Bluesky: @mkennedy.codes at bsky.app Michael on Mastodon: mkennedy

Nesse episódio trouxemos as notícias e novidades do mundo da programação que nos chamaram atenção dos dias 08/03 a 14/03.

Nesse episódio trouxemos as notícias e novidades do mundo da programação que nos chamaram atenção dos dias 08/03 a 14/03.

https://python-day.python.ru — CFP Python Day Ведущие – Григорий Петров и Михаил Корнеев Новости выпуска: Первая бета LTS-релиза Django 5.2 - https://docs.djangoproject.com/en/dev/releases/5.2/  PEP 772 – Packaging governance process https://peps.python.org/pep-0772/  Official Django MongoDB Backend Public Preview - https://www.mongodb.com/blog/post/mongodb-django-backend-now-available-public-preview  Poetry 2.0 — https://python-poetry.org/blog/announcing-poetry-2.0.0/  Проекты на PyPI теперь можно помечать как архивные https://blog.pypi.org/posts/2025-01-30-archival/ Отклонили PEP 2026 – Calendar versioning for Python - https://peps.python.org/pep-2026/ Developer philosophy — https://qntm.org/devphilo Ссылки выпуска: Курс Learn Python — https://learn.python.ru/advanced  Канал Миши в Telegram — https://t.me/tricky_python  Канал Moscow Python в Telegram — https://t.me/moscow_python  Все выпуски — https://podcast.python.ru  Митапы Moscow Python — https://moscowpython.ru Канал Moscow Python на Rutube — https://rutube.ru/channel/45885590/ Канал Moscow Python в YouTube — https://www.youtube.com/@moscowdjangoru

* Disney Engineer's Life Destroyed by Malicious AI Download* Global Security Flaw Exposes Sensitive Employee Data and Physical Vulnerabilities* Malicious PyPi Package Pirating Deezer Music for Years* Code Security Remains Crucial, Even in Hardened Environments* Google Introduces AI Scam Detection for Android2025_03_07 - Google Disney Engineer's Life Destroyed by Malicious AI Downloadhttps://www.wsj.com/tech/cybersecurity/disney-employee-ai-tool-hacker-cyberattack-3700c931A former Disney engineer, Matthew Van Andel, had his life turned upside down after downloading a seemingly harmless AI tool from GitHub. The software, intended for creating AI images, contained malware that granted hackers access to his computer and sensitive data.The hackers stole his Disney login credentials, leading to the leak of over 44 million Disney internal slack messages, including customer information, employee passport numbers, and financial data. They also accessed his personal accounts, stealing credit card numbers, leaking his social security number, and even gaining access to his home Ring cameras.Matthew was subsequently fired from Disney after a forensic analysis of his work computer found he had accessed pornographic material, which he denies. He lost his health insurance and $200,000 in bonuses.The incident highlights the dangers of downloading software from untrusted sources and the vulnerability of personal and corporate data to sophisticated cyberattacks. Lot of people think that content from GitHub are trustworthy and they couldn't be more wrong. Matthew's case underscores the importance of strong password security, two-factor authentication, and vigilance against malicious software. He was using 1Password as his password manager but didn't have any 2FA access on it.Global Security Flaw Exposes Sensitive Employee Data and Physical Vulnerabilitieshttps://www.modat.io/post/doors-wide-open-critical-risks-in-amsA widespread security risk has been discovered involving misconfigured and exposed Access Management Systems (AMS) across numerous industries and countries.This exposure has resulted in hundreds of thousands of employee records, including personal identification details, biometric data, photographs, and work schedules, being accessible online. Additionally, the physical security of thousands of organizations has been compromised, allowing potential unauthorized entry into buildings and bypassing physical security measures.The affected sectors include construction, healthcare, education, manufacturing, oil, and government entities, with a high concentration of exposed systems found in European countries, the US, and the MENA region.The consequences of these vulnerabilities range from financial losses and regulatory penalties, such as GDPR fines, to severe breaches leading to identity theft, unauthorized access, and disclosure of confidential business information.The report emphasizes the critical need for organizations to implement robust security measures, including restricting internet access to AMS, regularly updating security patches, changing default credentials, and implementing continuous monitoring to protect sensitive data and maintain physical security.Malicious PyPi Package Pirating Deezer Music for Yearshttps://socket.dev/blog/malicious-pypi-package-exploits-deezer-api-for-coordinated-music-piracyA PyPi package named 'automslc,' downloaded over 100,000 times since 2019, has been pirating music from the Deezer streaming service using hardcoded credentials.The package bypasses Deezer's limitations and downloads full-length, high-quality audio files for offline listening and distribution, violating Deezer's terms of service and copyright laws.Security firm Socket discovered the package, noting that while it functions as a piracy tool, it also utilizes command-and-control infrastructure, potentially turning users into a distributed network.This raises concerns about the potential for the tool to be repurposed for other malicious activities.The package remains available on PyPi at the time of reporting, and users are warned of the legal risks associated with its use.Code Security Remains Crucial, Even in Hardened Environmentshttps://www.sonarsource.com/blog/why-code-security-matters-even-in-hardened-environments/A recent study demonstrates that even in hardened environments with read-only file systems, attackers can exploit file write vulnerabilities in Node.js applications to achieve remote code execution. This is accomplished by manipulating exposed pipe file descriptors, bypassing typical security restrictions.The research highlights the limitations of infrastructure hardening as a sole security measure. Attackers can leverage vulnerabilities in the application's source code, even when the underlying infrastructure is fortified.The attack involves writing crafted data structures to anonymous pipes used by Node.js's event loop, ultimately triggering the execution of arbitrary code. This technique exploits the "everything is a file" philosophy in Unix-based systems and demonstrates the importance of code security.Key findings include:* Bypassing Read-Only Restrictions: Attackers can write to pipe file descriptors, even when the file system is mounted read-only.* Manipulating Event Handlers: Attackers can craft data structures to manipulate Node.js's event handler and execute arbitrary code.* The Importance of Code Security: Infrastructure hardening alone is insufficient; vulnerabilities in the source code must be addressed.This research underscores the need for developers to prioritize code security, even in environments with robust infrastructure hardening. Vulnerabilities at the source code level can be exploited, regardless of other security measures.Google Introduces AI Scam Detection for Androidhttps://security.googleblog.com/2025/03/new-ai-powered-scam-detection-features.htmlGoogle has launched AI-powered scam detection features for Android devices, designed to protect users from conversational fraud. These features target scams that start innocently but escalate into harmful situations, as well as phone call scams using spoofed numbers.Google partnered with financial institutions to develop AI models that can identify suspicious patterns in conversations and provide real-time warnings. These models operate entirely on-device, ensuring user privacy. Users can choose to dismiss or report and block suspicious senders. The feature is enabled by default for conversations with unknown numbers.A similar AI-powered scam detection feature for phone calls is being expanded to English-speaking Pixel 9+ users in the U.S. This feature, which is optional, processes call audio ephemerally and notifies participants when it is active.These developments follow Google's announcement that over one billion Chrome users are using Enhanced Protection mode, which utilizes AI and machine learning to detect phishing, social engineering, and scam techniques. This is a public episode. If you would like to discuss this with other subscribers or get access to bonus episodes, visit edwinkwan.substack.com

As Python developers, we're incredibly lucky to have over half a million packages that we can use to build our applications with over at PyPI. However, when it comes to choosing a UI framework, the options get narrowed down very quickly. Intersect those choices with the ones that work on mobile, and you have a very short list. Flutter is a UI framework for building desktop and mobile applications, and is in fact the one that we used to build the Talk Python courses app, you'd find at talkpython.fm/apps. That's why I'm so excited about Flet. Flet is a Python UI framework that is distributed and executed on the Flutter framework, making it possible to build mobile apps and desktop apps with Python. We have Feodor Fitsner back on the show after he launched his project a couple years ago to give us an update on how close they are to a full featured mobile app framework in Python. Episode sponsors Posit Podcast Later Talk Python Courses Links from the show Flet: flet.dev Flet on Github: github.com Packaging apps with Flet: flet.dev/docs/publish Flutter: flutter.dev React vs. Flutter: trends.stackoverflow.co Kivy: kivy.org Beeware: beeware.org Mobile forge from Beeware: github.com The list of built-in binary wheels: flet.dev/docs/publish/android#binary-python-packages Difference between dynamic and static Flet web apps: flet.dev/docs/publish/web Integrating Flutter packages: flet.dev/docs/extend/integrating-existing-flutter-packages serious_python: pub.dev/packages/serious_python Watch this episode on YouTube: youtube.com Episode transcripts: talkpython.fm --- Stay in touch with us --- Subscribe to Talk Python on YouTube: youtube.com Talk Python on Bluesky: @talkpython.fm at bsky.app Talk Python on Mastodon: talkpython Michael on Bluesky: @mkennedy.codes at bsky.app Michael on Mastodon: mkennedy

Did you know that adding a simple Code Interpreter took o3 from 9.2% to 32% on FrontierMath? The Latent Space crew is hosting a hack night Feb 11th in San Francisco focused on CodeGen use cases, co-hosted with E2B and Edge AGI; watch E2B's new workshop and RSVP here!We're happy to announce that today's guest Samuel Colvin will be teaching his very first Pydantic AI workshop at the newly announced AI Engineer NYC Workshops day on Feb 22! 25 tickets left.If you're a Python developer, it's very likely that you've heard of Pydantic. Every month, it's downloaded >300,000,000 times, making it one of the top 25 PyPi packages. OpenAI uses it in its SDK for structured outputs, it's at the core of FastAPI, and if you've followed our AI Engineer Summit conference, Jason Liu of Instructor has given two great talks about it: “Pydantic is all you need” and “Pydantic is STILL all you need”. Now, Samuel Colvin has raised $17M from Sequoia to turn Pydantic from an open source project to a full stack AI engineer platform with Logfire, their observability platform, and PydanticAI, their new agent framework.Logfire: bringing OTEL to AIOpenTelemetry recently merged Semantic Conventions for LLM workloads which provides standard definitions to track performance like gen_ai.server.time_per_output_token. In Sam's view at least 80% of new apps being built today have some sort of LLM usage in them, and just like web observability platform got replaced by cloud-first ones in the 2010s, Logfire wants to do the same for AI-first apps. If you're interested in the technical details, Logfire migrated away from Clickhouse to Datafusion for their backend. We spent some time on the importance of picking open source tools you understand and that you can actually contribute to upstream, rather than the more popular ones; listen in ~43:19 for that part.Agents are the killer app for graphsPydantic AI is their attempt at taking a lot of the learnings that LangChain and the other early LLM frameworks had, and putting Python best practices into it. At an API level, it's very similar to the other libraries: you can call LLMs, create agents, do function calling, do evals, etc.They define an “Agent” as a container with a system prompt, tools, structured result, and an LLM. Under the hood, each Agent is now a graph of function calls that can orchestrate multi-step LLM interactions. You can start simple, then move toward fully dynamic graph-based control flow if needed.“We were compelled enough by graphs once we got them right that our agent implementation [...] is now actually a graph under the hood.”Why Graphs?* More natural for complex or multi-step AI workflows.* Easy to visualize and debug with mermaid diagrams.* Potential for distributed runs, or “waiting days” between steps in certain flows.In parallel, you see folks like Emil Eifrem of Neo4j talk about GraphRAG as another place where graphs fit really well in the AI stack, so it might be time for more people to take them seriously.Full Video EpisodeLike and subscribe!Chapters* 00:00:00 Introductions* 00:00:24 Origins of Pydantic* 00:05:28 Pydantic's AI moment * 00:08:05 Why build a new agents framework?* 00:10:17 Overview of Pydantic AI* 00:12:33 Becoming a believer in graphs* 00:24:02 God Model vs Compound AI Systems* 00:28:13 Why not build an LLM gateway?* 00:31:39 Programmatic testing vs live evals* 00:35:51 Using OpenTelemetry for AI traces* 00:43:19 Why they don't use Clickhouse* 00:48:34 Competing in the observability space* 00:50:41 Licensing decisions for Pydantic and LogFire* 00:51:48 Building Pydantic.run* 00:55:24 Marimo and the future of Jupyter notebooks* 00:57:44 London's AI sceneShow Notes* Sam Colvin* Pydantic* Pydantic AI* Logfire* Pydantic.run* Zod* E2B* Arize* Langsmith* Marimo* Prefect* GLA (Google Generative Language API)* OpenTelemetry* Jason Liu* Sebastian Ramirez* Bogomil Balkansky* Hood Chatham* Jeremy Howard* Andrew LambTranscriptAlessio [00:00:03]: Hey, everyone. Welcome to the Latent Space podcast. This is Alessio, partner and CTO at Decibel Partners, and I'm joined by my co-host Swyx, founder of Smol AI.Swyx [00:00:12]: Good morning. And today we're very excited to have Sam Colvin join us from Pydantic AI. Welcome. Sam, I heard that Pydantic is all we need. Is that true?Samuel [00:00:24]: I would say you might need Pydantic AI and Logfire as well, but it gets you a long way, that's for sure.Swyx [00:00:29]: Pydantic almost basically needs no introduction. It's almost 300 million downloads in December. And obviously, in the previous podcasts and discussions we've had with Jason Liu, he's been a big fan and promoter of Pydantic and AI.Samuel [00:00:45]: Yeah, it's weird because obviously I didn't create Pydantic originally for uses in AI, it predates LLMs. But it's like we've been lucky that it's been picked up by that community and used so widely.Swyx [00:00:58]: Actually, maybe we'll hear it. Right from you, what is Pydantic and maybe a little bit of the origin story?Samuel [00:01:04]: The best name for it, which is not quite right, is a validation library. And we get some tension around that name because it doesn't just do validation, it will do coercion by default. We now have strict mode, so you can disable that coercion. But by default, if you say you want an integer field and you get in a string of 1, 2, 3, it will convert it to 123 and a bunch of other sensible conversions. And as you can imagine, the semantics around it. Exactly when you convert and when you don't, it's complicated, but because of that, it's more than just validation. Back in 2017, when I first started it, the different thing it was doing was using type hints to define your schema. That was controversial at the time. It was genuinely disapproved of by some people. I think the success of Pydantic and libraries like FastAPI that build on top of it means that today that's no longer controversial in Python. And indeed, lots of other people have copied that route, but yeah, it's a data validation library. It uses type hints for the for the most part and obviously does all the other stuff you want, like serialization on top of that. But yeah, that's the core.Alessio [00:02:06]: Do you have any fun stories on how JSON schemas ended up being kind of like the structure output standard for LLMs? And were you involved in any of these discussions? Because I know OpenAI was, you know, one of the early adopters. So did they reach out to you? Was there kind of like a structure output console in open source that people were talking about or was it just a random?Samuel [00:02:26]: No, very much not. So I originally. Didn't implement JSON schema inside Pydantic and then Sebastian, Sebastian Ramirez, FastAPI came along and like the first I ever heard of him was over a weekend. I got like 50 emails from him or 50 like emails as he was committing to Pydantic, adding JSON schema long pre version one. So the reason it was added was for OpenAPI, which is obviously closely akin to JSON schema. And then, yeah, I don't know why it was JSON that got picked up and used by OpenAI. It was obviously very convenient for us. That's because it meant that not only can you do the validation, but because Pydantic will generate you the JSON schema, it will it kind of can be one source of source of truth for structured outputs and tools.Swyx [00:03:09]: Before we dive in further on the on the AI side of things, something I'm mildly curious about, obviously, there's Zod in JavaScript land. Every now and then there is a new sort of in vogue validation library that that takes over for quite a few years and then maybe like some something else comes along. Is Pydantic? Is it done like the core Pydantic?Samuel [00:03:30]: I've just come off a call where we were redesigning some of the internal bits. There will be a v3 at some point, which will not break people's code half as much as v2 as in v2 was the was the massive rewrite into Rust, but also fixing all the stuff that was broken back from like version zero point something that we didn't fix in v1 because it was a side project. We have plans to move some of the basically store the data in Rust types after validation. Not completely. So we're still working to design the Pythonic version of it, in order for it to be able to convert into Python types. So then if you were doing like validation and then serialization, you would never have to go via a Python type we reckon that can give us somewhere between three and five times another three to five times speed up. That's probably the biggest thing. Also, like changing how easy it is to basically extend Pydantic and define how particular types, like for example, NumPy arrays are validated and serialized. But there's also stuff going on. And for example, Jitter, the JSON library in Rust that does the JSON parsing, has SIMD implementation at the moment only for AMD64. So we can add that. We need to go and add SIMD for other instruction sets. So there's a bunch more we can do on performance. I don't think we're going to go and revolutionize Pydantic, but it's going to continue to get faster, continue, hopefully, to allow people to do more advanced things. We might add a binary format like CBOR for serialization for when you'll just want to put the data into a database and probably load it again from Pydantic. So there are some things that will come along, but for the most part, it should just get faster and cleaner.Alessio [00:05:04]: From a focus perspective, I guess, as a founder too, how did you think about the AI interest rising? And then how do you kind of prioritize, okay, this is worth going into more, and we'll talk about Pydantic AI and all of that. What was maybe your early experience with LLAMP, and when did you figure out, okay, this is something we should take seriously and focus more resources on it?Samuel [00:05:28]: I'll answer that, but I'll answer what I think is a kind of parallel question, which is Pydantic's weird, because Pydantic existed, obviously, before I was starting a company. I was working on it in my spare time, and then beginning of 22, I started working on the rewrite in Rust. And I worked on it full-time for a year and a half, and then once we started the company, people came and joined. And it was a weird project, because that would never go away. You can't get signed off inside a startup. Like, we're going to go off and three engineers are going to work full-on for a year in Python and Rust, writing like 30,000 lines of Rust just to release open-source-free Python library. The result of that has been excellent for us as a company, right? As in, it's made us remain entirely relevant. And it's like, Pydantic is not just used in the SDKs of all of the AI libraries, but I can't say which one, but one of the big foundational model companies, when they upgraded from Pydantic v1 to v2, their number one internal model... The metric of performance is time to first token. That went down by 20%. So you think about all of the actual AI going on inside, and yet at least 20% of the CPU, or at least the latency inside requests was actually Pydantic, which shows like how widely it's used. So we've benefited from doing that work, although it didn't, it would have never have made financial sense in most companies. In answer to your question about like, how do we prioritize AI, I mean, the honest truth is we've spent a lot of the last year and a half building. Good general purpose observability inside LogFire and making Pydantic good for general purpose use cases. And the AI has kind of come to us. Like we just, not that we want to get away from it, but like the appetite, uh, both in Pydantic and in LogFire to go and build with AI is enormous because it kind of makes sense, right? Like if you're starting a new greenfield project in Python today, what's the chance that you're using GenAI 80%, let's say, globally, obviously it's like a hundred percent in California, but even worldwide, it's probably 80%. Yeah. And so everyone needs that stuff. And there's so much yet to be figured out so much like space to do things better in the ecosystem in a way that like to go and implement a database that's better than Postgres is a like Sisyphean task. Whereas building, uh, tools that are better for GenAI than some of the stuff that's about now is not very difficult. Putting the actual models themselves to one side.Alessio [00:07:40]: And then at the same time, then you released Pydantic AI recently, which is, uh, um, you know, agent framework and early on, I would say everybody like, you know, Langchain and like, uh, Pydantic kind of like a first class support, a lot of these frameworks, we're trying to use you to be better. What was the decision behind we should do our own framework? Were there any design decisions that you disagree with any workloads that you think people didn't support? Well,Samuel [00:08:05]: it wasn't so much like design and workflow, although I think there were some, some things we've done differently. Yeah. I think looking in general at the ecosystem of agent frameworks, the engineering quality is far below that of the rest of the Python ecosystem. There's a bunch of stuff that we have learned how to do over the last 20 years of building Python libraries and writing Python code that seems to be abandoned by people when they build agent frameworks. Now I can kind of respect that, particularly in the very first agent frameworks, like Langchain, where they were literally figuring out how to go and do this stuff. It's completely understandable that you would like basically skip some stuff.Samuel [00:08:42]: I'm shocked by the like quality of some of the agent frameworks that have come out recently from like well-respected names, which it just seems to be opportunism and I have little time for that, but like the early ones, like I think they were just figuring out how to do stuff and just as lots of people have learned from Pydantic, we were able to learn a bit from them. I think from like the gap we saw and the thing we were frustrated by was the production readiness. And that means things like type checking, even if type checking makes it hard. Like Pydantic AI, I will put my hand up now and say it has a lot of generics and you need to, it's probably easier to use it if you've written a bit of Rust and you really understand generics, but like, and that is, we're not claiming that that makes it the easiest thing to use in all cases, we think it makes it good for production applications in big systems where type checking is a no-brainer in Python. But there are also a bunch of stuff we've learned from maintaining Pydantic over the years that we've gone and done. So every single example in Pydantic AI's documentation is run on Python. As part of tests and every single print output within an example is checked during tests. So it will always be up to date. And then a bunch of things that, like I say, are standard best practice within the rest of the Python ecosystem, but I'm not followed surprisingly by some AI libraries like coverage, linting, type checking, et cetera, et cetera, where I think these are no-brainers, but like weirdly they're not followed by some of the other libraries.Alessio [00:10:04]: And can you just give an overview of the framework itself? I think there's kind of like the. LLM calling frameworks, there are the multi-agent frameworks, there's the workflow frameworks, like what does Pydantic AI do?Samuel [00:10:17]: I glaze over a bit when I hear all of the different sorts of frameworks, but I like, and I will tell you when I built Pydantic, when I built Logfire and when I built Pydantic AI, my methodology is not to go and like research and review all of the other things. I kind of work out what I want and I go and build it and then feedback comes and we adjust. So the fundamental building block of Pydantic AI is agents. The exact definition of agents and how you want to define them. is obviously ambiguous and our things are probably sort of agent-lit, not that we would want to go and rename them to agent-lit, but like the point is you probably build them together to build something and most people will call an agent. So an agent in our case has, you know, things like a prompt, like system prompt and some tools and a structured return type if you want it, that covers the vast majority of cases. There are situations where you want to go further and the most complex workflows where you want graphs and I resisted graphs for quite a while. I was sort of of the opinion you didn't need them and you could use standard like Python flow control to do all of that stuff. I had a few arguments with people, but I basically came around to, yeah, I can totally see why graphs are useful. But then we have the problem that by default, they're not type safe because if you have a like add edge method where you give the names of two different edges, there's no type checking, right? Even if you go and do some, I'm not, not all the graph libraries are AI specific. So there's a, there's a graph library called, but it allows, it does like a basic runtime type checking. Ironically using Pydantic to try and make up for the fact that like fundamentally that graphs are not typed type safe. Well, I like Pydantic, but it did, that's not a real solution to have to go and run the code to see if it's safe. There's a reason that starting type checking is so powerful. And so we kind of, from a lot of iteration eventually came up with a system of using normally data classes to define nodes where you return the next node you want to call and where we're able to go and introspect the return type of a node to basically build the graph. And so the graph is. Yeah. Inherently type safe. And once we got that right, I, I wasn't, I'm incredibly excited about graphs. I think there's like masses of use cases for them, both in gen AI and other development, but also software's all going to have interact with gen AI, right? It's going to be like web. There's no longer be like a web department in a company is that there's just like all the developers are building for web building with databases. The same is going to be true for gen AI.Alessio [00:12:33]: Yeah. I see on your docs, you call an agent, a container that contains a system prompt function. Tools, structure, result, dependency type model, and then model settings. Are the graphs in your mind, different agents? Are they different prompts for the same agent? What are like the structures in your mind?Samuel [00:12:52]: So we were compelled enough by graphs once we got them right, that we actually merged the PR this morning. That means our agent implementation without changing its API at all is now actually a graph under the hood as it is built using our graph library. So graphs are basically a lower level tool that allow you to build these complex workflows. Our agents are technically one of the many graphs you could go and build. And we just happened to build that one for you because it's a very common, commonplace one. But obviously there are cases where you need more complex workflows where the current agent assumptions don't work. And that's where you can then go and use graphs to build more complex things.Swyx [00:13:29]: You said you were cynical about graphs. What changed your mind specifically?Samuel [00:13:33]: I guess people kept giving me examples of things that they wanted to use graphs for. And my like, yeah, but you could do that in standard flow control in Python became a like less and less compelling argument to me because I've maintained those systems that end up with like spaghetti code. And I could see the appeal of this like structured way of defining the workflow of my code. And it's really neat that like just from your code, just from your type hints, you can get out a mermaid diagram that defines exactly what can go and happen.Swyx [00:14:00]: Right. Yeah. You do have very neat implementation of sort of inferring the graph from type hints, I guess. Yeah. Is what I would call it. Yeah. I think the question always is I have gone back and forth. I used to work at Temporal where we would actually spend a lot of time complaining about graph based workflow solutions like AWS step functions. And we would actually say that we were better because you could use normal control flow that you already knew and worked with. Yours, I guess, is like a little bit of a nice compromise. Like it looks like normal Pythonic code. But you just have to keep in mind what the type hints actually mean. And that's what we do with the quote unquote magic that the graph construction does.Samuel [00:14:42]: Yeah, exactly. And if you look at the internal logic of actually running a graph, it's incredibly simple. It's basically call a node, get a node back, call that node, get a node back, call that node. If you get an end, you're done. We will add in soon support for, well, basically storage so that you can store the state between each node that's run. And then the idea is you can then distribute the graph and run it across computers. And also, I mean, the other weird, the other bit that's really valuable is across time. Because it's all very well if you look at like lots of the graph examples that like Claude will give you. If it gives you an example, it gives you this lovely enormous mermaid chart of like the workflow, for example, managing returns if you're an e-commerce company. But what you realize is some of those lines are literally one function calls another function. And some of those lines are wait six days for the customer to print their like piece of paper and put it in the post. And if you're writing like your demo. Project or your like proof of concept, that's fine because you can just say, and now we call this function. But when you're building when you're in real in real life, that doesn't work. And now how do we manage that concept to basically be able to start somewhere else in the in our code? Well, this graph implementation makes it incredibly easy because you just pass the node that is the start point for carrying on the graph and it continues to run. So it's things like that where I was like, yeah, I can just imagine how things I've done in the past would be fundamentally easier to understand if we had done them with graphs.Swyx [00:16:07]: You say imagine, but like right now, this pedantic AI actually resume, you know, six days later, like you said, or is this just like a theoretical thing we can go someday?Samuel [00:16:16]: I think it's basically Q&A. So there's an AI that's asking the user a question and effectively you then call the CLI again to continue the conversation. And it basically instantiates the node and calls the graph with that node again. Now, we don't have the logic yet for effectively storing state in the database between individual nodes that we're going to add soon. But like the rest of it is basically there.Swyx [00:16:37]: It does make me think that not only are you competing with Langchain now and obviously Instructor, and now you're going into sort of the more like orchestrated things like Airflow, Prefect, Daxter, those guys.Samuel [00:16:52]: Yeah, I mean, we're good friends with the Prefect guys and Temporal have the same investors as us. And I'm sure that my investor Bogomol would not be too happy if I was like, oh, yeah, by the way, as well as trying to take on Datadog. We're also going off and trying to take on Temporal and everyone else doing that. Obviously, we're not doing all of the infrastructure of deploying that right yet, at least. We're, you know, we're just building a Python library. And like what's crazy about our graph implementation is, sure, there's a bit of magic in like introspecting the return type, you know, extracting things from unions, stuff like that. But like the actual calls, as I say, is literally call a function and get back a thing and call that. It's like incredibly simple and therefore easy to maintain. The question is, how useful is it? Well, I don't know yet. I think we have to go and find out. We have a whole. We've had a slew of people joining our Slack over the last few days and saying, tell me how good Pydantic AI is. How good is Pydantic AI versus Langchain? And I refuse to answer. That's your job to go and find that out. Not mine. We built a thing. I'm compelled by it, but I'm obviously biased. The ecosystem will work out what the useful tools are.Swyx [00:17:52]: Bogomol was my board member when I was at Temporal. And I think I think just generally also having been a workflow engine investor and participant in this space, it's a big space. Like everyone needs different functions. I think the one thing that I would say like yours, you know, as a library, you don't have that much control of it over the infrastructure. I do like the idea that each new agents or whatever or unit of work, whatever you call that should spin up in this sort of isolated boundaries. Whereas yours, I think around everything runs in the same process. But you ideally want to sort of spin out its own little container of things.Samuel [00:18:30]: I agree with you a hundred percent. And we will. It would work now. Right. As in theory, you're just like as long as you can serialize the calls to the next node, you just have to all of the different containers basically have to have the same the same code. I mean, I'm super excited about Cloudflare workers running Python and being able to install dependencies. And if Cloudflare could only give me my invitation to the private beta of that, we would be exploring that right now because I'm super excited about that as a like compute level for some of this stuff where exactly what you're saying, basically. You can run everything as an individual. Like worker function and distribute it. And it's resilient to failure, et cetera, et cetera.Swyx [00:19:08]: And it spins up like a thousand instances simultaneously. You know, you want it to be sort of truly serverless at once. Actually, I know we have some Cloudflare friends who are listening, so hopefully they'll get in front of the line. Especially.Samuel [00:19:19]: I was in Cloudflare's office last week shouting at them about other things that frustrate me. I have a love-hate relationship with Cloudflare. Their tech is awesome. But because I use it the whole time, I then get frustrated. So, yeah, I'm sure I will. I will. I will get there soon.Swyx [00:19:32]: There's a side tangent on Cloudflare. Is Python supported at full? I actually wasn't fully aware of what the status of that thing is.Samuel [00:19:39]: Yeah. So Pyodide, which is Python running inside the browser in scripting, is supported now by Cloudflare. They basically, they're having some struggles working out how to manage, ironically, dependencies that have binaries, in particular, Pydantic. Because these workers where you can have thousands of them on a given metal machine, you don't want to have a difference. You basically want to be able to have a share. Shared memory for all the different Pydantic installations, effectively. That's the thing they work out. They're working out. But Hood, who's my friend, who is the primary maintainer of Pyodide, works for Cloudflare. And that's basically what he's doing, is working out how to get Python running on Cloudflare's network.Swyx [00:20:19]: I mean, the nice thing is that your binary is really written in Rust, right? Yeah. Which also compiles the WebAssembly. Yeah. So maybe there's a way that you'd build... You have just a different build of Pydantic and that ships with whatever your distro for Cloudflare workers is.Samuel [00:20:36]: Yes, that's exactly what... So Pyodide has builds for Pydantic Core and for things like NumPy and basically all of the popular binary libraries. Yeah. It's just basic. And you're doing exactly that, right? You're using Rust to compile the WebAssembly and then you're calling that shared library from Python. And it's unbelievably complicated, but it works. Okay.Swyx [00:20:57]: Staying on graphs a little bit more, and then I wanted to go to some of the other features that you have in Pydantic AI. I see in your docs, there are sort of four levels of agents. There's single agents, there's agent delegation, programmatic agent handoff. That seems to be what OpenAI swarms would be like. And then the last one, graph-based control flow. Would you say that those are sort of the mental hierarchy of how these things go?Samuel [00:21:21]: Yeah, roughly. Okay.Swyx [00:21:22]: You had some expression around OpenAI swarms. Well.Samuel [00:21:25]: And indeed, OpenAI have got in touch with me and basically, maybe I'm not supposed to say this, but basically said that Pydantic AI looks like what swarms would become if it was production ready. So, yeah. I mean, like, yeah, which makes sense. Awesome. Yeah. I mean, in fact, it was specifically saying, how can we give people the same feeling that they were getting from swarms that led us to go and implement graphs? Because my, like, just call the next agent with Python code was not a satisfactory answer to people. So it was like, okay, we've got to go and have a better answer for that. It's not like, let us to get to graphs. Yeah.Swyx [00:21:56]: I mean, it's a minimal viable graph in some sense. What are the shapes of graphs that people should know? So the way that I would phrase this is I think Anthropic did a very good public service and also kind of surprisingly influential blog post, I would say, when they wrote Building Effective Agents. We actually have the authors coming to speak at my conference in New York, which I think you're giving a workshop at. Yeah.Samuel [00:22:24]: I'm trying to work it out. But yes, I think so.Swyx [00:22:26]: Tell me if you're not. yeah, I mean, like, that was the first, I think, authoritative view of, like, what kinds of graphs exist in agents and let's give each of them a name so that everyone is on the same page. So I'm just kind of curious if you have community names or top five patterns of graphs.Samuel [00:22:44]: I don't have top five patterns of graphs. I would love to see what people are building with them. But like, it's been it's only been a couple of weeks. And of course, there's a point is that. Because they're relatively unopinionated about what you can go and do with them. They don't suit them. Like, you can go and do lots of lots of things with them, but they don't have the structure to go and have like specific names as much as perhaps like some other systems do. I think what our agents are, which have a name and I can't remember what it is, but this basically system of like, decide what tool to call, go back to the center, decide what tool to call, go back to the center and then exit. One form of graph, which, as I say, like our agents are effectively one implementation of a graph, which is why under the hood they are now using graphs. And it'll be interesting to see over the next few years whether we end up with these like predefined graph names or graph structures or whether it's just like, yep, I built a graph or whether graphs just turn out not to match people's mental image of what they want and die away. We'll see.Swyx [00:23:38]: I think there is always appeal. Every developer eventually gets graph religion and goes, oh, yeah, everything's a graph. And then they probably over rotate and go go too far into graphs. And then they have to learn a whole bunch of DSLs. And then they're like, actually, I didn't need that. I need this. And they scale back a little bit.Samuel [00:23:55]: I'm at the beginning of that process. I'm currently a graph maximalist, although I haven't actually put any into production yet. But yeah.Swyx [00:24:02]: This has a lot of philosophical connections with other work coming out of UC Berkeley on compounding AI systems. I don't know if you know of or care. This is the Gartner world of things where they need some kind of industry terminology to sell it to enterprises. I don't know if you know about any of that.Samuel [00:24:24]: I haven't. I probably should. I should probably do it because I should probably get better at selling to enterprises. But no, no, I don't. Not right now.Swyx [00:24:29]: This is really the argument is that instead of putting everything in one model, you have more control and more maybe observability to if you break everything out into composing little models and changing them together. And obviously, then you need an orchestration framework to do that. Yeah.Samuel [00:24:47]: And it makes complete sense. And one of the things we've seen with agents is they work well when they work well. But when they. Even if you have the observability through log five that you can see what was going on, if you don't have a nice hook point to say, hang on, this is all gone wrong. You have a relatively blunt instrument of basically erroring when you exceed some kind of limit. But like what you need to be able to do is effectively iterate through these runs so that you can have your own control flow where you're like, OK, we've gone too far. And that's where one of the neat things about our graph implementation is you can basically call next in a loop rather than just running the full graph. And therefore, you have this opportunity to to break out of it. But yeah, basically, it's the same point, which is like if you have two bigger unit of work to some extent, whether or not it involves gen AI. But obviously, it's particularly problematic in gen AI. You only find out afterwards when you've spent quite a lot of time and or money when it's gone off and done done the wrong thing.Swyx [00:25:39]: Oh, drop on this. We're not going to resolve this here, but I'll drop this and then we can move on to the next thing. This is the common way that we we developers talk about this. And then the machine learning researchers look at us. And laugh and say, that's cute. And then they just train a bigger model and they wipe us out in the next training run. So I think there's a certain amount of we are fighting the bitter lesson here. We're fighting AGI. And, you know, when AGI arrives, this will all go away. Obviously, on Latent Space, we don't really discuss that because I think AGI is kind of this hand wavy concept that isn't super relevant. But I think we have to respect that. For example, you could do a chain of thoughts with graphs and you could manually orchestrate a nice little graph that does like. Reflect, think about if you need more, more inference time, compute, you know, that's the hot term now. And then think again and, you know, scale that up. Or you could train Strawberry and DeepSeq R1. Right.Samuel [00:26:32]: I saw someone saying recently, oh, they were really optimistic about agents because models are getting faster exponentially. And I like took a certain amount of self-control not to describe that it wasn't exponential. But my main point was. If models are getting faster as quickly as you say they are, then we don't need agents and we don't really need any of these abstraction layers. We can just give our model and, you know, access to the Internet, cross our fingers and hope for the best. Agents, agent frameworks, graphs, all of this stuff is basically making up for the fact that right now the models are not that clever. In the same way that if you're running a customer service business and you have loads of people sitting answering telephones, the less well trained they are, the less that you trust them, the more that you need to give them a script to go through. Whereas, you know, so if you're running a bank and you have lots of customer service people who you don't trust that much, then you tell them exactly what to say. If you're doing high net worth banking, you just employ people who you think are going to be charming to other rich people and set them off to go and have coffee with people. Right. And the same is true of models. The more intelligent they are, the less we need to tell them, like structure what they go and do and constrain the routes in which they take.Swyx [00:27:42]: Yeah. Yeah. Agree with that. So I'm happy to move on. So the other parts of Pydantic AI that are worth commenting on, and this is like my last rant, I promise. So obviously, every framework needs to do its sort of model adapter layer, which is, oh, you can easily swap from OpenAI to Cloud to Grok. You also have, which I didn't know about, Google GLA, which I didn't really know about until I saw this in your docs, which is generative language API. I assume that's AI Studio? Yes.Samuel [00:28:13]: Google don't have good names for it. So Vertex is very clear. That seems to be the API that like some of the things use, although it returns 503 about 20% of the time. So... Vertex? No. Vertex, fine. But the... Oh, oh. GLA. Yeah. Yeah.Swyx [00:28:28]: I agree with that.Samuel [00:28:29]: So we have, again, another example of like, well, I think we go the extra mile in terms of engineering is we run on every commit, at least commit to main, we run tests against the live models. Not lots of tests, but like a handful of them. Oh, okay. And we had a point last week where, yeah, GLA is a little bit better. GLA1 was failing every single run. One of their tests would fail. And we, I think we might even have commented out that one at the moment. So like all of the models fail more often than you might expect, but like that one seems to be particularly likely to fail. But Vertex is the same API, but much more reliable.Swyx [00:29:01]: My rant here is that, you know, versions of this appear in Langchain and every single framework has to have its own little thing, a version of that. I would put to you, and then, you know, this is, this can be agree to disagree. This is not needed in Pydantic AI. I would much rather you adopt a layer like Lite LLM or what's the other one in JavaScript port key. And that's their job. They focus on that one thing and they, they normalize APIs for you. All new models are automatically added and you don't have to duplicate this inside of your framework. So for example, if I wanted to use deep seek, I'm out of luck because Pydantic AI doesn't have deep seek yet.Samuel [00:29:38]: Yeah, it does.Swyx [00:29:39]: Oh, it does. Okay. I'm sorry. But you know what I mean? Should this live in your code or should it live in a layer that's kind of your API gateway that's a defined piece of infrastructure that people have?Samuel [00:29:49]: And I think if a company who are well known, who are respected by everyone had come along and done this at the right time, maybe we should have done it a year and a half ago and said, we're going to be the universal AI layer. That would have been a credible thing to do. I've heard varying reports of Lite LLM is the truth. And it didn't seem to have exactly the type safety that we needed. Also, as I understand it, and again, I haven't looked into it in great detail. Part of their business model is proxying the request through their, through their own system to do the generalization. That would be an enormous put off to an awful lot of people. Honestly, the truth is I don't think it is that much work unifying the model. I get where you're coming from. I kind of see your point. I think the truth is that everyone is centralizing around open AIs. Open AI's API is the one to do. So DeepSeq support that. Grok with OK support that. Ollama also does it. I mean, if there is that library right now, it's more or less the open AI SDK. And it's very high quality. It's well type checked. It uses Pydantic. So I'm biased. But I mean, I think it's pretty well respected anyway.Swyx [00:30:57]: There's different ways to do this. Because also, it's not just about normalizing the APIs. You have to do secret management and all that stuff.Samuel [00:31:05]: Yeah. And there's also. There's Vertex and Bedrock, which to one extent or another, effectively, they host multiple models, but they don't unify the API. But they do unify the auth, as I understand it. Although we're halfway through doing Bedrock. So I don't know about it that well. But they're kind of weird hybrids because they support multiple models. But like I say, the auth is centralized.Swyx [00:31:28]: Yeah, I'm surprised they don't unify the API. That seems like something that I would do. You know, we can discuss all this all day. There's a lot of APIs. I agree.Samuel [00:31:36]: It would be nice if there was a universal one that we didn't have to go and build.Alessio [00:31:39]: And I guess the other side of, you know, routing model and picking models like evals. How do you actually figure out which one you should be using? I know you have one. First of all, you have very good support for mocking in unit tests, which is something that a lot of other frameworks don't do. So, you know, my favorite Ruby library is VCR because it just, you know, it just lets me store the HTTP requests and replay them. That part I'll kind of skip. I think you are busy like this test model. We're like just through Python. You try and figure out what the model might respond without actually calling the model. And then you have the function model where people can kind of customize outputs. Any other fun stories maybe from there? Or is it just what you see is what you get, so to speak?Samuel [00:32:18]: On those two, I think what you see is what you get. On the evals, I think watch this space. I think it's something that like, again, I was somewhat cynical about for some time. Still have my cynicism about some of the well, it's unfortunate that so many different things are called evals. It would be nice if we could agree. What they are and what they're not. But look, I think it's a really important space. I think it's something that we're going to be working on soon, both in Pydantic AI and in LogFire to try and support better because it's like it's an unsolved problem.Alessio [00:32:45]: Yeah, you do say in your doc that anyone who claims to know for sure exactly how your eval should be defined can safely be ignored.Samuel [00:32:52]: We'll delete that sentence when we tell people how to do their evals.Alessio [00:32:56]: Exactly. I was like, we need we need a snapshot of this today. And so let's talk about eval. So there's kind of like the vibe. Yeah. So you have evals, which is what you do when you're building. Right. Because you cannot really like test it that many times to get statistical significance. And then there's the production eval. So you also have LogFire, which is kind of like your observability product, which I tried before. It's very nice. What are some of the learnings you've had from building an observability tool for LEMPs? And yeah, as people think about evals, even like what are the right things to measure? What are like the right number of samples that you need to actually start making decisions?Samuel [00:33:33]: I'm not the best person to answer that is the truth. So I'm not going to come in here and tell you that I think I know the answer on the exact number. I mean, we can do some back of the envelope statistics calculations to work out that like having 30 probably gets you most of the statistical value of having 200 for, you know, by definition, 15% of the work. But the exact like how many examples do you need? For example, that's a much harder question to answer because it's, you know, it's deep within the how models operate in terms of LogFire. One of the reasons we built LogFire the way we have and we allow you to write SQL directly against your data and we're trying to build the like powerful fundamentals of observability is precisely because we know we don't know the answers. And so allowing people to go and innovate on how they're going to consume that stuff and how they're going to process it is we think that's valuable. Because even if we come along and offer you an evals framework on top of LogFire, it won't be right in all regards. And we want people to be able to go and innovate and being able to write their own SQL connected to the API. And effectively query the data like it's a database with SQL allows people to innovate on that stuff. And that's what allows us to do it as well. I mean, we do a bunch of like testing what's possible by basically writing SQL directly against LogFire as any user could. I think the other the other really interesting bit that's going on in observability is OpenTelemetry is centralizing around semantic attributes for GenAI. So it's a relatively new project. A lot of it's still being added at the moment. But basically the idea that like. They unify how both SDKs and or agent frameworks send observability data to to any OpenTelemetry endpoint. And so, again, we can go and having that unification allows us to go and like basically compare different libraries, compare different models much better. That stuff's in a very like early stage of development. One of the things we're going to be working on pretty soon is basically, I suspect, GenAI will be the first agent framework that implements those semantic attributes properly. Because, again, we control and we can say this is important for observability, whereas most of the other agent frameworks are not maintained by people who are trying to do observability. With the exception of Langchain, where they have the observability platform, but they chose not to go down the OpenTelemetry route. So they're like plowing their own furrow. And, you know, they're a lot they're even further away from standardization.Alessio [00:35:51]: Can you maybe just give a quick overview of how OTEL ties into the AI workflows? There's kind of like the question of is, you know, a trace. And a span like a LLM call. Is it the agent? It's kind of like the broader thing you're tracking. How should people think about it?Samuel [00:36:06]: Yeah, so they have a PR that I think may have now been merged from someone at IBM talking about remote agents and trying to support this concept of remote agents within GenAI. I'm not particularly compelled by that because I don't think that like that's actually by any means the common use case. But like, I suppose it's fine for it to be there. The majority of the stuff in OTEL is basically defining how you would instrument. A given call to an LLM. So basically the actual LLM call, what data you would send to your telemetry provider, how you would structure that. Apart from this slightly odd stuff on remote agents, most of the like agent level consideration is not yet implemented in is not yet decided effectively. And so there's a bit of ambiguity. Obviously, what's good about OTEL is you can in the end send whatever attributes you like. But yeah, there's quite a lot of churn in that space and exactly how we store the data. I think that one of the most interesting things, though, is that if you think about observability. Traditionally, it was sure everyone would say our observability data is very important. We must keep it safe. But actually, companies work very hard to basically not have anything that sensitive in their observability data. So if you're a doctor in a hospital and you search for a drug for an STI, the sequel might be sent to the observability provider. But none of the parameters would. It wouldn't have the patient number or their name or the drug. With GenAI, that distinction doesn't exist because it's all just messed up in the text. If you have that same patient asking an LLM how to. What drug they should take or how to stop smoking. You can't extract the PII and not send it to the observability platform. So the sensitivity of the data that's going to end up in observability platforms is going to be like basically different order of magnitude to what's in what you would normally send to Datadog. Of course, you can make a mistake and send someone's password or their card number to Datadog. But that would be seen as a as a like mistake. Whereas in GenAI, a lot of data is going to be sent. And I think that's why companies like Langsmith and are trying hard to offer observability. On prem, because there's a bunch of companies who are happy for Datadog to be cloud hosted, but want self-hosted self-hosting for this observability stuff with GenAI.Alessio [00:38:09]: And are you doing any of that today? Because I know in each of the spans you have like the number of tokens, you have the context, you're just storing everything. And then you're going to offer kind of like a self-hosting for the platform, basically. Yeah. Yeah.Samuel [00:38:23]: So we have scrubbing roughly equivalent to what the other observability platforms have. So if we, you know, if we see password as the key, we won't send the value. But like, like I said, that doesn't really work in GenAI. So we're accepting we're going to have to store a lot of data and then we'll offer self-hosting for those people who can afford it and who need it.Alessio [00:38:42]: And then this is, I think, the first time that most of the workloads performance is depending on a third party. You know, like if you're looking at Datadog data, usually it's your app that is driving the latency and like the memory usage and all of that. Here you're going to have spans that maybe take a long time to perform because the GLA API is not working or because OpenAI is kind of like overwhelmed. Do you do anything there since like the provider is almost like the same across customers? You know, like, are you trying to surface these things for people and say, hey, this was like a very slow span, but actually all customers using OpenAI right now are seeing the same thing. So maybe don't worry about it or.Samuel [00:39:20]: Not yet. We do a few things that people don't generally do in OTA. So we send. We send information at the beginning. At the beginning of a trace as well as sorry, at the beginning of a span, as well as when it finishes. By default, OTA only sends you data when the span finishes. So if you think about a request which might take like 20 seconds, even if some of the intermediate spans finished earlier, you can't basically place them on the page until you get the top level span. And so if you're using standard OTA, you can't show anything until those requests are finished. When those requests are taking a few hundred milliseconds, it doesn't really matter. But when you're doing Gen AI calls or when you're like running a batch job that might take 30 minutes. That like latency of not being able to see the span is like crippling to understanding your application. And so we've we do a bunch of slightly complex stuff to basically send data about a span as it starts, which is closely related. Yeah.Alessio [00:40:09]: Any thoughts on all the other people trying to build on top of OpenTelemetry in different languages, too? There's like the OpenLEmetry project, which doesn't really roll off the tongue. But how do you see the future of these kind of tools? Is everybody going to have to build? Why does everybody want to build? They want to build their own open source observability thing to then sell?Samuel [00:40:29]: I mean, we are not going off and trying to instrument the likes of the OpenAI SDK with the new semantic attributes, because at some point that's going to happen and it's going to live inside OTEL and we might help with it. But we're a tiny team. We don't have time to go and do all of that work. So OpenLEmetry, like interesting project. But I suspect eventually most of those semantic like that instrumentation of the big of the SDKs will live, like I say, inside the main OpenTelemetry report. I suppose. What happens to the agent frameworks? What data you basically need at the framework level to get the context is kind of unclear. I don't think we know the answer yet. But I mean, I was on the, I guess this is kind of semi-public, because I was on the call with the OpenTelemetry call last week talking about GenAI. And there was someone from Arize talking about the challenges they have trying to get OpenTelemetry data out of Langchain, where it's not like natively implemented. And obviously they're having quite a tough time. And I was realizing, hadn't really realized this before, but how lucky we are to primarily be talking about our own agent framework, where we have the control rather than trying to go and instrument other people's.Swyx [00:41:36]: Sorry, I actually didn't know about this semantic conventions thing. It looks like, yeah, it's merged into main OTel. What should people know about this? I had never heard of it before.Samuel [00:41:45]: Yeah, I think it looks like a great start. I think there's some unknowns around how you send the messages that go back and forth, which is kind of the most important part. It's the most important thing of all. And that is moved out of attributes and into OTel events. OTel events in turn are moving from being on a span to being their own top-level API where you send data. So there's a bunch of churn still going on. I'm impressed by how fast the OTel community is moving on this project. I guess they, like everyone else, get that this is important, and it's something that people are crying out to get instrumentation off. So I'm kind of pleasantly surprised at how fast they're moving, but it makes sense.Swyx [00:42:25]: I'm just kind of browsing through the specification. I can already see that this basically bakes in whatever the previous paradigm was. So now they have genai.usage.prompt tokens and genai.usage.completion tokens. And obviously now we have reasoning tokens as well. And then only one form of sampling, which is top-p. You're basically baking in or sort of reifying things that you think are important today, but it's not a super foolproof way of doing this for the future. Yeah.Samuel [00:42:54]: I mean, that's what's neat about OTel is you can always go and send another attribute and that's fine. It's just there are a bunch that are agreed on. But I would say, you know, to come back to your previous point about whether or not we should be relying on one centralized abstraction layer, this stuff is moving so fast that if you start relying on someone else's standard, you risk basically falling behind because you're relying on someone else to keep things up to date.Swyx [00:43:14]: Or you fall behind because you've got other things going on.Samuel [00:43:17]: Yeah, yeah. That's fair. That's fair.Swyx [00:43:19]: Any other observations just about building LogFire, actually? Let's just talk about this. So you announced LogFire. I was kind of only familiar with LogFire because of your Series A announcement. I actually thought you were making a separate company. I remember some amount of confusion with you when that came out. So to be clear, it's Pydantic LogFire and the company is one company that has kind of two products, an open source thing and an observability thing, correct? Yeah. I was just kind of curious, like any learnings building LogFire? So classic question is, do you use ClickHouse? Is this like the standard persistence layer? Any learnings doing that?Samuel [00:43:54]: We don't use ClickHouse. We started building our database with ClickHouse, moved off ClickHouse onto Timescale, which is a Postgres extension to do analytical databases. Wow. And then moved off Timescale onto DataFusion. And we're basically now building, it's DataFusion, but it's kind of our own database. Bogomil is not entirely happy that we went through three databases before we chose one. I'll say that. But like, we've got to the right one in the end. I think we could have realized that Timescale wasn't right. I think ClickHouse. They both taught us a lot and we're in a great place now. But like, yeah, it's been a real journey on the database in particular.Swyx [00:44:28]: Okay. So, you know, as a database nerd, I have to like double click on this, right? So ClickHouse is supposed to be the ideal backend for anything like this. And then moving from ClickHouse to Timescale is another counterintuitive move that I didn't expect because, you know, Timescale is like an extension on top of Postgres. Not super meant for like high volume logging. But like, yeah, tell us those decisions.Samuel [00:44:50]: So at the time, ClickHouse did not have good support for JSON. I was speaking to someone yesterday and said ClickHouse doesn't have good support for JSON and got roundly stepped on because apparently it does now. So they've obviously gone and built their proper JSON support. But like back when we were trying to use it, I guess a year ago or a bit more than a year ago, everything happened to be a map and maps are a pain to try and do like looking up JSON type data. And obviously all these attributes, everything you're talking about there in terms of the GenAI stuff. You can choose to make them top level columns if you want. But the simplest thing is just to put them all into a big JSON pile. And that was a problem with ClickHouse. Also, ClickHouse had some really ugly edge cases like by default, or at least until I complained about it a lot, ClickHouse thought that two nanoseconds was longer than one second because they compared intervals just by the number, not the unit. And I complained about that a lot. And then they caused it to raise an error and just say you have to have the same unit. Then I complained a bit more. And I think as I understand it now, they have some. They convert between units. But like stuff like that, when all you're looking at is when a lot of what you're doing is comparing the duration of spans was really painful. Also things like you can't subtract two date times to get an interval. You have to use the date sub function. But like the fundamental thing is because we want our end users to write SQL, the like quality of the SQL, how easy it is to write, matters way more to us than if you're building like a platform on top where your developers are going to write the SQL. And once it's written and it's working, you don't mind too much. So I think that's like one of the fundamental differences. The other problem that I have with the ClickHouse and Impact Timescale is that like the ultimate architecture, the like snowflake architecture of binary data in object store queried with some kind of cache from nearby. They both have it, but it's closed sourced and you only get it if you go and use their hosted versions. And so even if we had got through all the problems with Timescale or ClickHouse, we would end up like, you know, they would want to be taking their 80% margin. And then we would be wanting to take that would basically leave us less space for margin. Whereas data fusion. Properly open source, all of that same tooling is open source. And for us as a team of people with a lot of Rust expertise, data fusion, which is implemented in Rust, we can literally dive into it and go and change it. So, for example, I found that there were some slowdowns in data fusion's string comparison kernel for doing like string contains. And it's just Rust code. And I could go and rewrite the string comparison kernel to be faster. Or, for example, data fusion, when we started using it, didn't have JSON support. Obviously, as I've said, it's something we can do. It's something we needed. I was able to go and implement that in a weekend using our JSON parser that we built for Pydantic Core. So it's the fact that like data fusion is like for us the perfect mixture of a toolbox to build a database with, not a database. And we can go and implement stuff on top of it in a way that like if you were trying to do that in Postgres or in ClickHouse. I mean, ClickHouse would be easier because it's C++, relatively modern C++. But like as a team of people who are not C++ experts, that's much scarier than data fusion for us.Swyx [00:47:47]: Yeah, that's a beautiful rant.Alessio [00:47:49]: That's funny. Most people don't think they have agency on these projects. They're kind of like, oh, I should use this or I should use that. They're not really like, what should I pick so that I contribute the most back to it? You know, so but I think you obviously have an open source first mindset. So that makes a lot of sense.Samuel [00:48:05]: I think if we were probably better as a startup, a better startup and faster moving and just like headlong determined to get in front of customers as fast as possible, we should have just started with ClickHouse. I hope that long term we're in a better place for having worked with data fusion. We like we're quite engaged now with the data fusion community. Andrew Lam, who maintains data fusion, is an advisor to us. We're in a really good place now. But yeah, it's definitely slowed us down relative to just like building on ClickHouse and moving as fast as we can.Swyx [00:48:34]: OK, we're about to zoom out and do Pydantic run and all the other stuff. But, you know, my last question on LogFire is really, you know, at some point you run out sort of community goodwill just because like, oh, I use Pydantic. I love Pydantic. I'm going to use LogFire. OK, then you start entering the territory of the Datadogs, the Sentrys and the honeycombs. Yeah. So where are you going to really spike here? What differentiator here?Samuel [00:48:59]: I wasn't writing code in 2001, but I'm assuming that there were people talking about like web observability and then web observability stopped being a thing, not because the web stopped being a thing, but because all observability had to do web. If you were talking to people in 2010 or 2012, they would have talked about cloud observability. Now that's not a term because all observability is cloud first. The same is going to happen to gen AI. And so whether or not you're trying to compete with Datadog or with Arise and Langsmith, you've got to do first class. You've got to do general purpose observability with first class support for AI. And as far as I know, we're the only people really trying to do that. I mean, I think Datadog is starting in that direction. And to be honest, I think Datadog is a much like scarier company to compete with than the AI specific observability platforms. Because in my opinion, and I've also heard this from lots of customers, AI specific observability where you don't see everything else going on in your app is not actually that useful. Our hope is that we can build the first general purpose observability platform with first class support for AI. And that we have this open source heritage of putting developer experience first that other companies haven't done. For all I'm a fan of Datadog and what they've done. If you search Datadog logging Python. And you just try as a like a non-observability expert to get something up and running with Datadog and Python. It's not trivial, right? That's something Sentry have done amazingly well. But like there's enormous space in most of observability to do DX better.Alessio [00:50:27]: Since you mentioned Sentry, I'm curious how you thought about licensing and all of that. Obviously, your MIT license, you don't have any rolling license like Sentry has where you can only use an open source, like the one year old version of it. Was that a hard decision?Samuel [00:50:41]: So to be clear, LogFire is co-sourced. So Pydantic and Pydantic AI are MIT licensed and like properly open source. And then LogFire for now is completely closed source. And in fact, the struggles that Sentry have had with licensing and the like weird pushback the community gives when they take something that's closed source and make it source available just meant that we just avoided that whole subject matter. I think the other way to look at it is like in terms of either headcount or revenue or dollars in the bank. The amount of open source we do as a company is we've got to be open source. We're up there with the most prolific open source companies, like I say, per head. And so we didn't feel like we were morally obligated to make LogFire open source. We have Pydantic. Pydantic is a foundational library in Python. That and now Pydantic AI are our contribution to open source. And then LogFire is like openly for profit, right? As in we're not claiming otherwise. We're not sort of trying to walk a line if it's open source. But really, we want to make it hard to deploy. So you probably want to pay us. We're trying to be straight. That it's to pay for. We could change that at some point in the future, but it's not an immediate plan.Alessio [00:51:48]: All right. So the first one I saw this new I don't know if it's like a product you're building the Pydantic that run, which is a Python browser sandbox. What was the inspiration behind that? We talk a lot about code interpreter for lamps. I'm an investor in a company called E2B, which is a code sandbox as a service for remote execution. Yeah. What's the Pydantic that run story?Samuel [00:52:09]: So Pydantic that run is again completely open source. I have no interest in making it into a product. We just needed a sandbox to be able to demo LogFire in particular, but also Pydantic AI. So it doesn't have it yet, but I'm going to add basically a proxy to OpenAI and the other models so that you can run Pydantic AI in the browser. See how it works. Tweak the prompt, et cetera, et cetera. And we'll have some kind of limit per day of what you can spend on it or like what the spend is. The other thing we wanted to b

* PyPI Introduces Project Archiving to Improve Security and Transparency* DeepSeek Exposes Database with Over 1 Million Chat Records* Google Blocked 2.36 Million Risky Android Apps in 2024* 20% Increase in Exploited Vulnerabilities in 2024* "Infrastructure Laundering": How Chinese Crime Groups Abuse US Cloud ServicesPyPI Introduces Project Archiving to Improve Security and Transparencyhttps://blog.pypi.org/posts/2025-01-30-archival/The Python Package Index (PyPI) has implemented a new "Project Archiving" feature to enhance the security and transparency of the open-source ecosystem.This feature allows project maintainers to officially archive their projects, indicating that no further updates or maintenance are planned. While archived projects remain available for download, users will be presented with a clear warning, encouraging them to seek alternative, actively maintained dependencies.This initiative aims to mitigate security risks associated with abandoned projects. Attackers often target these projects, injecting malicious code through unexpected updates. By clearly marking projects as archived, PyPI aims to reduce the likelihood of such attacks and improve user awareness of potential vulnerabilities.Project archiving also provides a more formal mechanism for project maintainers to communicate their intentions to the community. Instead of abruptly deleting their projects, maintainers can now formally archive them, providing clarity and reducing confusion among users.This new feature represents a significant step towards improving the security and maintainability of the Python ecosystem. By promoting transparency and discouraging reliance on unmaintained projects, PyPI aims to create a safer and more sustainable environment for developers.DeepSeek Exposes Database with Over 1 Million Chat Recordshttps://www.wiz.io/blog/wiz-research-uncovers-exposed-deepseek-database-leakDeepSeek, a Chinese AI startup, has suffered a significant data breach, exposing sensitive user data and internal information.Two publicly accessible databases containing over a million log entries were discovered by security researchers at Wiz. These databases held critical information, including:* User Chat History: Plaintext conversations between users and the DeepSeek-R1 LLM.* API Keys: Credentials used for backend system authentication.* Internal Infrastructure Details: Information about DeepSeek's internal services and operations.The exposed data poses significant risks, including privacy violations for users and potential for attackers to gain unauthorized access to DeepSeek's systems.While DeepSeek has addressed the immediate issue, the incident raises concerns about the company's data security practices and highlights the importance of robust security measures for AI companies handling sensitive user data.Google Blocked 2.36 Million Risky Android Apps in 2024https://security.googleblog.com/2025/01/how-we-kept-google-play-android-app-ecosystem-safe-2024.htmlGoogle blocked a record-breaking 2.36 million Android app submissions to the Play Store in 2024 due to policy violations. This surge in blocked apps is attributed to the increased use of AI-assisted human reviews, enabling faster and more accurate identification of harmful applications.Furthermore, Google banned 158,000 developer accounts for attempting to publish malicious apps. These figures represent a significant increase compared to previous years.Beyond blocking submissions, Google also took steps to prevent apps from obtaining excessive permissions and implemented stronger protections against malware and fraud.Google Play Protect, Android's built-in security system, scanned over 200 billion apps daily in 2024, identifying and blocking over 13 million new malware apps.While these efforts have significantly improved Android's security posture, the evolving threat landscape necessitates continuous vigilance. Users are advised to exercise caution when installing apps, only download from trusted sources, and keep their devices updated with the latest security patches.20% Increase in Exploited Vulnerabilities in 2024https://vulncheck.com/blog/2024-exploitation-trendsA new report from VulnCheck reveals a significant increase in the number of vulnerabilities exploited in the wild in 2024.The report found that 768 vulnerabilities with designated CVEs were exploited in 2024, a 20% increase compared to the 639 exploited in 2023. This highlights the ongoing and evolving threat landscape faced by organizations worldwide.The report also found that 23.6% of known exploited vulnerabilities were exploited on or before the day their CVEs were publicly disclosed, emphasizing the critical need for rapid and proactive vulnerability management.Key findings include:* Increased Exploitation: A 20% increase in the number of exploited vulnerabilities compared to 2023.* Rapid Exploitation: 23.6% of exploited vulnerabilities were exploited before their public disclosure.* Diverse Sources: Exploitation evidence came from various sources, including security companies, government agencies, and researchers.The report underscores the importance of robust vulnerability management practices, including proactive patching, threat intelligence gathering, and minimizing internet-facing exposure for critical systems.By staying informed about the latest threats and implementing effective mitigation strategies, organizations can better protect themselves from the growing number of exploited vulnerabilities."Infrastructure Laundering": How Chinese Crime Groups Abuse US Cloud Serviceshttps://krebsonsecurity.com/2025/01/infrastructure-laundering-blending-in-with-the-cloud/A new report reveals how Chinese cybercrime groups are exploiting major U.S. cloud providers like Amazon and Microsoft to launder their malicious activities.This technique, dubbed "infrastructure laundering," involves funneling malicious traffic through these reputable platforms, making it harder to detect and block.One such example is Funnull, a Chinese content delivery network that hosts a wide range of malicious content, including fake gambling sites, phishing pages, and other cybercriminal activities.Funnull leverages the trust associated with major cloud providers to obscure its operations. By routing traffic through these platforms, they can evade detection and make it more difficult to trace their activities back to their source.This practice raises significant concerns for cybersecurity. It challenges traditional methods of threat detection and mitigation, making it harder for security teams to identify and block malicious traffic.While cloud providers are taking steps to address this issue, the rapid evolution of these techniques necessitates a more proactive and collaborative approach to combating cybercrime.This report highlights the growing complexity of the cyber threat landscape and the urgent need for innovative solutions to address these emerging challenges. This is a public episode. If you would like to discuss this with other subscribers or get access to bonus episodes, visit edwinkwan.substack.com

[Referências do Episódio] Malicious packages deepseek and deepseekai published in Python Package Index - https://www.google.com/url?q=https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/malicious-packages-deepseeek-and-deepseekai-published-in-python-package-index&sa=D&source=docs&ust=1738667193797493&usg=AOvVaw3E9BNcNdMeT3UO3xeP4Sgr  Coral Jasmine on X - https://x.com/Fact_Finder03/status/1885209370868203740  OPA Gatekeeper Bypass Reveals Risks in Kubernetes Policy Engines - https://www.aquasec.com/blog/risks-misconfigured-kubernetes-policy-engines-opa-gatekeeper/ Roteiro e apresentação: Carlos Cabral e Bianca Oliveira Edição de áudio: Paulo Arruzzo Narração de encerramento: Bianca Garcia

To Simulate or Replicate: Crafting Cyber Ranges Automating the creation of cyber ranges. This will be a multi part series and this part covers creating the DNS configuration in Windows https://isc.sans.edu/diary/To%20Simulate%20or%20Replicate%3A%20Crafting%20Cyber%20Ranges/31642 Scammers Exploiting Deepseek Hype Scammers are using the hype around Deepseek, and some of the confusion caused by it's site not being reachable, to scam users into installing malware. I am also including a link to a "jailbreak" of Deepseek (this part was not covered in the podcast). https://www.welivesecurity.com/en/cybersecurity/scammers-exploiting-deepseek-hype/ https://lab.wallarm.com/jailbreaking-generative-ai/ PyPi Archived Status PyPi introduced a new feature to mark repositories as archived. This implies that the author is no longer maintaining the particular package https://blog.pypi.org/posts/2025-01-30-archival/ ICS Mecial Advisory: Comtec Patient Monitor Backdoor And interested backdoor was found in a Comtech Patient Monitor. https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-030-01

Topics covered in this episode: LLM Catcher On PyPI Quarantine process RESPX Unpacking kwargs with custom objects Extras Joke Watch on YouTube About the show Sponsored by us! Support our work through: Our courses at Talk Python Training The Complete pytest Course Patreon Supporters Connect with the hosts Michael: @mkennedy@fosstodon.org / @mkennedy.codes (bsky) Brian: @brianokken@fosstodon.org / @brianokken.bsky.social Show: @pythonbytes@fosstodon.org / @pythonbytes.fm (bsky) Join us on YouTube at pythonbytes.fm/live to be part of the audience. Usually Monday at 10am PT. Older video versions available there too. Finally, if you want an artisanal, hand-crafted digest of every week of the show notes in email form? Add your name and email to our friends of the show list, we'll never share it. Michael #1: LLM Catcher via Pat Decker Large language model diagnostics for python applications and FastAPI applications . Features Exception diagnosis using LLMs (Ollama or OpenAI) Support for local LLMs through Ollama OpenAI integration for cloud-based models Multiple error handling approaches: Function decorators for automatic diagnosis Try/except blocks for manual control Global exception handler for unhandled errors from imported modules Both synchronous and asynchronous APIs Flexible configuration through environment variables or config file Brian #2: On PyPI Quarantine process Mike Fiedler Project Lifecycle Status - Quarantine in his "Safety & Security Engineer: First Year in Review post” Some more info now in Project Quarantine Reports of malware in a project kick things off Admins can now place a project in quarantine, allowing it to be unavailable for install, but still around for analysis. New process allows for packages to go back to normal if the report is false. However Since August, the Quarantine feature has been in use, with PyPI Admins marking ~140 reported projects as Quarantined. Of these, only a single project has exited Quarantine, others have been removed. Michael #3: RESPX Mock HTTPX with awesome request patterns and response side effects A simple, yet powerful, utility for mocking out the HTTPX, and HTTP Core, libraries. Start by patching HTTPX, using respx.mock, then add request routes to mock responses. For a neater pytest experience, RESPX includes a respx_mock fixture Brian #4: Unpacking kwargs with custom objects Rodrigo A class needs to have a keys() method that returns an iterable. a __getitem__() method for lookup Then double splat ** works on objects of that type. Extras Brian: A surprising thing about PyPI's BigQuery data - Hugovk Top PyPI Packages (and therefore also Top pytest Plugins) uses a BigQuery dataset Has grabbed 30-day data of 4,000, then 5,000, then 8,000 packages. Turns out 531,022 packages (amount returned when limit set to a million) is the same cost. So…. hoping future updates to these “Top …” pages will have way more data. Also, was planning on recording a Test & Code episode on pytest-cov today, but haven't yet. Hopefully at least a couple of new episodes this week. Finally updated pythontest.com with BlueSky links on home page and contact page. Michael: Follow up from Owen (uv-secure): Thanks for the multiple shout outs! uv-secure just uses the PyPi json API at present to query package vulnerabilities (same as default source for pip audit). I do smash it asynchronously for all dependencies at once... but it still takes a few seconds. Joke: Bugs hide from the light!

There's a pernicious myth that developers don't care about security. In practice, they care about code quality. What developers don't care for is ambiguous requirements. Ixchel Ruiz shares her experience is discussing software designs, the challenges in prioritizing dev efforts, and how to help open source project maintainers with their issue backlog. Segment resources: https://github.com/ossf/scorecard https://www.commonhaus.org/ https://www.hackergarten.net/ Design lessons from PyPI's Quarantine capability, effective ways for appsec to approach phishing, why fishshell is moving to Rust component by component (and why that's a good thing!), what behaviors the Cyber Trust Mark might influence, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-313

Design lessons from PyPI's Quarantine capability, effective ways for appsec to approach phishing, why fishshell is moving to Rust component by component (and why that's a good thing!), what behaviors the Cyber Trust Mark might influence, and more! Show Notes: https://securityweekly.com/asw-313

There's a pernicious myth that developers don't care about security. In practice, they care about code quality. What developers don't care for is ambiguous requirements. Ixchel Ruiz shares her experience is discussing software designs, the challenges in prioritizing dev efforts, and how to help open source project maintainers with their issue backlog. Segment resources: https://github.com/ossf/scorecard https://www.commonhaus.org/ https://www.hackergarten.net/ Design lessons from PyPI's Quarantine capability, effective ways for appsec to approach phishing, why fishshell is moving to Rust component by component (and why that's a good thing!), what behaviors the Cyber Trust Mark might influence, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-313

Design lessons from PyPI's Quarantine capability, effective ways for appsec to approach phishing, why fishshell is moving to Rust component by component (and why that's a good thing!), what behaviors the Cyber Trust Mark might influence, and more! Show Notes: https://securityweekly.com/asw-313

Topics covered in this episode: Terminals & Shells Winloop: An Alternative library for uvloop compatibility with windows Ruff & uv uv-secure Extras Joke Watch on YouTube About the show Sponsored by us! Support our work through: Our courses at Talk Python Training The Complete pytest Course Patreon Supporters Connect with the hosts Michael: @mkennedy@fosstodon.org / @mkennedy.codes (bsky) Brian: @brianokken@fosstodon.org / @brianokken.bsky.social Show: @pythonbytes@fosstodon.org / @pythonbytes.fm (bsky) Join us on YouTube at pythonbytes.fm/live to be part of the audience. Usually Monday at 10am PT. Older video versions available there too. Finally, if you want an artisanal, hand-crafted digest of every week of the show notes in email form? Add your name and email to our friends of the show list, we'll never share it. Brian #1: Terminals & Shells Ghostty is out Started by Mitchel Hashimoto, one of the co-founders of Hashicorp “Ghostty is a terminal emulator that differentiates itself by being fast, feature-rich, and native. While there are many excellent terminal emulators available, they all force you to choose between speed, features, or native UIs. Ghostty provides all three.” Currently for macOS & Linux (Windows planned) Version 1.0.1 released Dec 31, announced in Oct Features: cross-platform, windows, tabs, and splits, Themes, Ligatures, … Shell Integration: Some Ghostty features require integrating with your shell. Ghostty can automatically inject shell integration for bash, zsh, fish, and elvish. Fish is moving to Rust “fish is a smart and user-friendly command line shell with clever features that just work, without needing an advanced degree in bash scriptology.” “fish 4.0 is a big upgrade. It's got lots of new features to make using the command line easier and more enjoyable, such as more natural key binding and expanded history search. And under the hood, we've rebuilt the foundation in Rust.” Michael #2: Winloop: An Alternative library for uvloop compatibility with windows via Owen Lamont An alternative library for uvloop compatibility with windows . It always felt disappointing when libuv is available for windows but windows was never compatible with uvloop. Brian #3: Ruff & uv Ruff 0.9.0 has a new 2025 style guide f-string formatting improvements Now formats expressions interpolated inside f-string curly braces Quotes normalized according to project config Unnecessary escapes removed Examines interpolated expressions to see if splitting the string over multiple lines is ok Other changes to, but it's the f-string improvements I'm excited about. Python 3.14.0a3 is out, and available with uv uv python install 3.14 --preview Michael #4: uv-secure by Owen Lamont (yes again :) ) This tool will scan PyPi dependencies listed in your uv.lock files (or uv generated requirements.txt files) and check for known vulnerabilities listed against those packages and versions in the PyPi json API. I don't intend uv-secure to ever create virtual environments or do dependency resolution - the plan is to leave that all to uv since it does that so well and just target lock files and fully pinned and dependency resolved requirements.txt files). Works “out of the box” with a requirements.txt from uv pip compile. Extras Brian: Test & Code Season 2: pytest plugins Season 1 was something like 223 episodes over 9.5 years Started the summer of 2015 Send in pytest plugin suggestions to Brian on BlueSky or Mastodon or the contact form at pythontest.com Michael: Episode Deep Dive feature at Talk Python Feedback on social media: Those deep dives look really handy. Yes, those ARE really handy! Thanks for doing that. wow, yes please! This is awesome. Wow, this is amazing. … It helps when going back to check something (without having to re-listen). PyCon Austria at.pycon.org Heavy metal status codes Beautiful Soup feedback CFA via Sumana Harihareswara Joke: That's a stupid cup

Karlo Zanki, Reverse Engineer at ReversingLabs, discussing their work on "Malicious PyPI crypto pay package aiocpa implants infostealer code." ReversingLabs' machine learning-based threat hunting system identified a malicious PyPI package, aiocpa, designed to exfiltrate cryptocurrency wallet information. Unlike typical attacks involving typosquatting, the attackers published a seemingly legitimate crypto client tool to build trust before introducing malicious updates. ReversingLabs used its Spectra Assure platform to detect behavioral anomalies and worked with PyPI to remove the package, highlighting the growing need for advanced supply chain security tools to counter increasingly sophisticated threats. The research can be found here: Malicious PyPI crypto pay package aiocpa implants infostealer code Learn more about your ad choices. Visit megaphone.fm/adchoices

Karlo Zanki, Reverse Engineer at ReversingLabs, discussing their work on "Malicious PyPI crypto pay package aiocpa implants infostealer code." ReversingLabs' machine learning-based threat hunting system identified a malicious PyPI package, aiocpa, designed to exfiltrate cryptocurrency wallet information. Unlike typical attacks involving typosquatting, the attackers published a seemingly legitimate crypto client tool to build trust before introducing malicious updates. ReversingLabs used its Spectra Assure platform to detect behavioral anomalies and worked with PyPI to remove the package, highlighting the growing need for advanced supply chain security tools to counter increasingly sophisticated threats. The research can be found here: Malicious PyPI crypto pay package aiocpa implants infostealer code Learn more about your ad choices. Visit megaphone.fm/adchoices

Предварительная запись на офлайн-курс Learn Python в Москве — https://forms.gle/wE7Lit97U9Q2q3oT9 Спонсор подкаста: курсы по Python-разработке для тех, кто уже знаком с веб-разработкой — https://vk.cc/cADwoW    Ведущие – Григорий Петров и Михаил Корнеев   Новости выпуска Python сместил Javascript с первого места по используемости — https://github.blog/news-insights/octoverse/octoverse-2024/ PEP 750 – Template Strings — https://peps.python.org/pep-0750/ Эксперементальная поддержка partial validation в Pydantic 2.10 — https://pydantic.dev/articles/pydantic-v2-10-release#support-for-partial-validation-with-experimental_allow_partial PyPI теперь поддерживает цифровую сертификацию — https://blog.pypi.org/posts/2024-11-14-pypi-now-supports-digital-attestations/ Ссылки выпуска: Курс Learn Python — https://learn.python.ru/advanced  Канал Миши в Telegram — https://t.me/tricky_python  Канал Moscow Python в Telegram — https://t.me/moscow_python  Все выпуски — https://podcast.python.ru  Митапы Moscow Python — https://moscowpython.ru  Канал Moscow Python на Rutube — https://rutube.ru/channel/45885590/ 

In this episode of The Cybersecurity Defenders Podcast, we discuss some cutting-edge intel coming out of LimaCharlie's community Slack channel.Datadog Security Labs has introduced the Supply-Chain Firewall, a new open-source tool designed to protect developers from malicious and vulnerable packages sourced from PyPI and npm repositories.U.S. authorities have arrested 19-year-old Remington Goy Ogletree, known online as "remi," for allegedly breaching a U.S. financial institution and two unnamed telecommunications firms. A recent study titled "A Study of Malware Prevention in Linux Distributions" examines the challenges of preventing and detecting malware within Linux distribution package repositories. A recently identified zero-day vulnerability affects all modern versions of Windows Workstation and Server operating systems, from Windows 7 and Server 2008 R2 up to the latest Windows 11 v24H2 and Server 2022. And you can subscribe to Detection Engineering Weekly here.

On this Screaming in the Cloud In this episode of Screaming in the Cloud, Corey Quinn is joined by AWS container hero and security engineer at the Python Software Foundation, Mike Fiedler. They delve into the intricacies of Python's ecosystem, discussing the evolution of PyPI, its significance, and the ongoing battles against security threats like account takeover attacks and typo-squatting. Mike sheds light on his role in maintaining the security and reliability of the Python Package Index, the importance of 2FA, and the collaborative efforts with security researchers. Corey and Mike also explore the challenges and philosophies surrounding legacy systems versus greenfield development, with insights on maintaining critical infrastructure and the often-overlooked aspects of social engineering.Show Highlights(0:00) Introduction(0:47) The Duckbill Group sponsor read(1:21) Breaking down the Python nomenclature and its usability(5:49) Figuring out how Boto3 is one of the most downloaded packages(6:43) Why Mike is the only full-time security and safety engineer at the Python Software Foundation(9:53) How the Python Software Foundation affords to operate(14:17) Mike's stack security work(16:14) The Duckbill Group sponsor read(16:57) Having the "impossible job" of stopping supply chain attacks(21:00) The dangers of social engineering attacks(24:44) Why Mike prefers to work on legacy systems(33:30) Where you can find more from MikeAbout Mike FiedlerMike Fiedler is a highly analytical, forward-thinking Information Technology professional. His broad-based background includes systems administration and engineering in global environments. Mike is technically astute and versatile with ability to quickly learn, master, and leverage new technologies to meet business needs and has a track record of success in improving performance, stability, and security for all infrastructure and product initiatives.Mike is also bilingual, speaks English and Hebrew, and he loves solving puzzling problems.LinksMike's Mastadon: https://hachyderm.io/@mikethemanMike's Bluesky: https://bsky.app/profile/miketheman.comMike's Python Software Foundation blog posts: https://blog.pypi.org/The Python Package Index Safety & Security Engineer: First Year in Review: https://blog.pypi.org/posts/2024-08-16-safety-and-security-engineer-year-in-review/SponsorThe Duckbill Group: duckbillgroup.com 

Topics covered in this episode: Talk Python rewritten in Quart PyPI now supports digital attestations Django Rusty Templates PEP 639 is now supported by PYPI Extras Joke Watch on YouTube About the show Sponsored by us! Support our work through: Our courses at Talk Python Training The Complete pytest Course Patreon Supporters Connect with the hosts Michael: @mkennedy@fosstodon.org / @mkennedy.codes (bsky) Brian: @brianokken@fosstodon.org / @brianokken.bsky.social Show: @pythonbytes@fosstodon.org / @pythonbytes.fm (bsky) Join us on YouTube at pythonbytes.fm/live to be part of the audience. Usually Monday at 10am PT. Older video versions available there too. Finally, if you want an artisanal, hand-crafted digest of every week of the show notes in email form? Add your name and email to our friends of the show list, we'll never share it. Michael #1: Talk Python rewritten in Quart Rewrote all of talkpython.fm in Quart (10k lines of code total, 4k changed) Considered FastAPI Litestar Django Hugo Static Site + Python Flask Discussed the multistage upgrade / conversion process Automating tests for all 1,000 pages Brian #2: PyPI now supports digital attestations Dustin Ingram “Attestations provide a verifiable link to an upstream source repository: By signing with the identity of the upstream source repository, such as in the case of an upload of a project built with GitHub Actions, PyPI's support for digital attestations defines a strong and verifiable association between a file on PyPI and the source repository, workflow, and even the commit hash that produced and uploaded the file. Additionally, publishing attestations to a transparency log helps mitigate against both compromise of PyPI and compromise of the projects themselves.” For maintainers If using GH Actions and Trusted Publishing make sure you use pypa/gh-action-pypi-publish, version v1.11.0 or newer that's it If not “Support for automatic attestation generation and publication from other Trusted Publisher environments is planned.” “While not recommended, maintainers can also manually generate and publish attestations.” See also PyPI Introduces Digital Attestations to Strengthen Python Package Security by Sarah Gooding Are we PEP 740 yet? Michael #3: Django Rusty Templates by Lily Foote An experimental reimplementation of Django's templating language in Rust. Goals 100% compatibility of rendered output. Error reporting that is at least as useful as Django's errors. Improved performance over Django's pure Python implementation. Brian #4: PEP 639 is now supported by PYPI from Brett Cannon PEP 639 – Improving License Clarity with Better Package Metadata For project metadata, use these fields: license and license-files: Examples license field [project] license = "MIT" [project] license = "MIT AND (Apache-2.0 OR BSD-2-clause)" [project] license = "MIT OR GPL-2.0-or-later OR (FSFUL AND BSD-2-Clause)" [project] license = "LicenseRef-Proprietary" Examples of license-files: [project] license-files = ["LICEN[CS]E*", "AUTHORS*"] [project] license-files = ["licenses/LICENSE.MIT", "licenses/LICENSE.CC0"] [project] license-files = ["LICENSE.txt", "licenses/*"] [project] license-files = [] Extras Brian: Playground Wisdom: Threads Beat Async/Await - interesting read from Armin Ronacher about different language abstractions around concurrency. PythonTest.com Discord community is now live Launched last week, as of this morning we've got 89 members Anyone already a pythontest community member has received an invite Anyone can join through courses.pythontest.com Everything at pythontest.com is 20% off through Dec 2 with code turkeysale2024 “Python Testing with pytest” eBook 40% off through Dec 2, use code turkeysale2024 Michael: Python 3.14.0a2 released Starter packs: Michael's Python people: https://bsky.app/starter-pack/mkennedy.codes/3lbdnupl26e2x Directory: https://blueskydirectory.com/starter-packs/all Joke: curl - heavy metal style!

If you are a .NET developer or work in a place that has some of those folks, wouldn't it be great to fully leverage the entirety of PyPI with it's almost 600,000 packages inside your .NET code? But how would you do this? Previous efforts have let you write Python syntax but using the full libraries (especially the C-based ones) has been out of reach, until CSnakes. This project by Anthony Shaw and Aaron Powell unlocks some pretty serious integration between the two languages. We have them both here on the show today to tell us all about it. Episode sponsors Posit Bluehost Talk Python Courses Links from the show Anthony Shaw: github.com Aaron Powell: github.com Introducing CSnakes: tonybaloney.github.io CSnakes: tonybaloney.github.io Talk Python: We've moved to Hetzner: talkpython.fm/blog Talk Python: Talk Python rewritten in Quart (async Flask): talkpython.fm/blog Pyjion - A JIT for Python based upon CoreCLR: github.com Iron Python: ironpython.net Python.NET: pythonnet.github.io The buffer protocol: docs.python.org Avalonia UI: avaloniaui.net Watch this episode on YouTube: youtube.com Episode transcripts: talkpython.fm --- Stay in touch with us --- Subscribe to us on YouTube: youtube.com Follow Talk Python on Mastodon: talkpython Follow Michael on Mastodon: mkennedy

Video Episode: https://youtu.be/kobyMdrVQeg In today's episode, we discuss Canada's order to dissolve TikTok Technology Canada amid national security concerns regarding ByteDance's operations, highlighting the country's ongoing scrutiny of potential user data collection risks. We also explore the alarming rise of the SteelFox and Rhadamanthys malware campaigns, which exploit copyright scams and vulnerable drivers to compromise victims' data, as well as the dangerous "fabrice" package on PyPI designed to stealthily steal AWS credentials. Lastly, we cover a critical vulnerability in Cisco industrial wireless access points that could lead to total device compromise if exploited. Links to articles:1. https://www.bleepingcomputer.com/news/security/canada-orders-tiktok-to-shut-down-over-national-risk-concerns/2. https://thehackernews.com/2024/11/steelfox-and-rhadamanthys-malware-use.html3. https://thehackernews.com/2024/11/malicious-pypi-package-fabrice-found.html4. https://www.helpnetsecurity.com/2024/11/07/cve-2024-20418/ Timestamps 00:00 - Introduction 01:04 - Canada shuts down tiktok 02:36 - Phishing Copyright scams 05:06 - PyPI Fabrice Malicious Package 06:56 - Cisco Vulnerability 1. What are today's top cybersecurity news stories?2. Why did Canada order TikTok to shut down?3. What national risks are associated with TikTok in Canada?4. How is the Rhadamanthys malware campaign targeting victims?5. What is the significance of the SteelFox malware discovery?6. How can developers protect themselves from malicious PyPI packages?7. What vulnerabilities have been fixed in Cisco's industrial wireless access points?8. How does the 'fabrice' package exploit developers' AWS credentials?9. What are the potential consequences of TikTok's shutdown in Canada?10. What security measures should users take when using mobile applications? TikTok, national security, privacy, data security, Rhadamanthys, SteelFox, phishing, Check Point, fabrice, PyPI, typosquatting, AWS keys, Cisco, vulnerability, access points, HTTP,  

Topics covered in this episode: Python 3.13.0 released Oct 7 PEP 759 – External Wheel Hosting pytest-freethreaded pytest-edit Extras Joke Watch on YouTube About the show Sponsored by ScoutAPM: pythonbytes.fm/scout Connect with the hosts Michael: @mkennedy@fosstodon.org Brian: @brianokken@fosstodon.org Show: @pythonbytes@fosstodon.org Join us on YouTube at pythonbytes.fm/live to be part of the audience. Usually Monday at 10am PT. Older video versions available there too. Finally, if you want an artisanal, hand-crafted digest of every week of the show notes in email form? Add your name and email to our friends of the show list, we'll never share it. Brian #1: Python 3.13.0 released Oct 7 That's today! What's New In Python 3.13 Interpreter (REPL) improvements exit works (really, this is worth the release right here) Multiline editing with history preservation. history sticks around between sessions Direct support for REPL-specific commands like help, exit, and quit, without the need to call them as functions. Prompts and tracebacks with color enabled by default. Interactive help browsing using F1 with a separate command history. History browsing using F2 that skips output as well as the >>> and … prompts. “Paste mode” with F3 that makes pasting larger blocks of code easier (press F3 again to return to the regular prompt). exit now works without parens Improved error messages Colorful tracebacks Better messages for naming a script/module the same name as a stdlib module. naming a script/module the same name as an installed third party module. misspelling a keyword argument Free threaded CPython Included in official installers on Windows and macOS Read these links to figure out how - it's not turned on by default Lot's more. see the What's new page Michael #2: PEP 759 – External Wheel Hosting pypi.org ships over 66 petabytes / month backed by Fastly There are hard project size limits for publishers to PyPI We can host the essence of a .whl as a .rim file, then allow an external download URL Security: Several factors as described in this proposal should mitigate security concerns with externally hosted wheels, such as: Wheel file checksums MUST be included in .rim files, and once uploaded cannot be changed. Since the checksum stored on PyPI is immutable and required, it is not possible to spoof an external wheel file, even if the owning organization lost control of their hosting domain. Externally hosted wheels MUST be served over HTTPS. In order to serve externally hosted wheels, organizations MUST be approved by the PyPI admins. Brian #3: pytest-freethreaded PyCon JP 2024 Team: This extension was created at PyCon JP sprints with Anthony Shaw and 7 other folks listed in credits. “A pytest plugin for helping verify that your tests and libraries are thread-safe with the Python 3.13 experimental freethreaded mode.” Testing your project for compatibility with freethreaded Python. Testing in single thread doesn't test that. Neither does testing with pytest-xdist, because it uses multiprocessing to parallelize tests. So, Ant and others “made this plugin to help you run your tests in a thread-pool with the GIL disabled, to help you identify if your tests are thread-safe.” “And the first library we tested it on (which was marked as compatible) caused a segmentation fault in CPython! So you should give this a go if you're a package maintainer.” Michael #4: pytest-edit A simple Pytest plugin for opening editor on the failed tests. Type pytest --edit to open the failing test code Be sure to set your favorite editor in the ENV variables Extras Michael: New way to explore Talk Python courses via topics This has been in our mobile apps since their rewrite but finally comes to the web Let's go easy on PyPI, OK? essay Hynek's video: uv IS the Future of Python Packaging djade-pre-commit Polyfill.io, BootCDN, Bootcss, Staticfile attack traced to 1 operator PurgeCSS CLI Python 3.12.7 released Incremental GC and pushing back the 3.13.0 release uv making the rounds LLM fatigue, is it real? Take the Python Developers Survey 2024 Joke: Funny 404 pages We have something at least interesting at pythonbytes.fm

Episode #474 Interview de Renaud Bidou – Son parcours et son projet PyRASP Références : Doc: https://paracyberbellum.gitbook.io/pyrasp PyPi:https://pypi.org/project/pyrasp/ GitHub: https://github.com/rbidou/pyrasp ParaCyberBellum:https://paracyberbellum.io XSS Payloads:@XssPayloads The post Renaud Bidou – PyRASP appeared first on NoLimitSecu.

Спонсор подкаста: курсы по Python-разработке для тех, кто уже знаком с веб-разработкой — https://vk.cc/cADwoW   Ведущие – Григорий Петров и Михаил Корнеев Новости выпуска: Вышла Django 5.1 Большой релиз uv  PyPI снизили время реагировании на mailware до 24 часов IEEE опубликовали очередной рейтинг популярности языков, python на первом месте  Ссылки выпуска: Курс Learn Python — https://learn.python.ru/advanced Канал Миши в Telegram — https://t.me/tricky_python Канал Moscow Python в Telegram — https://t.me/moscow_python Все выпуски — https://podcast.python.ru Митапы Moscow Python — https://moscowpython.ru 

In this episode, we reconnect with the Pixi team after our last conversation in November 2023 to dive back into the world of Python packaging, with a special focus on the latest advancements in Pixi. Joining us are Tim and Ruben, both of whom bring their unique expertise in robotics and game development. Ruben shares his experience contributing to conda-forge, pixi and Python package management in general.We explore recent enhancements to Pixi, including its integration with VS Code, the evolution of pyproject.toml support, and the addition of PyPI dependency resolution along with Conda.We also discuss the current state of Pixi for enterprises, touching on its readiness for production and enterprise-specific features like package registries.The conversation also delves into how pixi resolves issues reported by the community, such as platform-specific Pixi.lock file regeneration - and how developers can contribute to the open source ecosystem. Finally, we look ahead to the future, discussing the team's vision for Python packaging over the next one to five years.Tune in for a deep dive into the present and future of Python packaging, packed with personal stories and expert insights.--Links:- Prefix-dev- Add pixi as an workflow/package manager PR- Our PDM coaching program

Topics covered in this episode: Python 3.13.0RC2, 3.12.6, 3.11.10, 3.10.15, 3.9.20, and 3.8.20 are now available! Docker images using uv's python 10 years of sustainable open source - Read the Docs humanize Extras Joke Watch on YouTube About the show Sponsored by ScoutAPM: pythonbytes.fm/scout Connect with the hosts Michael: @mkennedy@fosstodon.org Brian: @brianokken@fosstodon.org Show: @pythonbytes@fosstodon.org Join us on YouTube at pythonbytes.fm/live to be part of the audience. Usually Monday at 10am PT. Older video versions available there too. Finally, if you want an artisanal, hand-crafted digest of every week of the show notes in email form? Add your name and email to our friends of the show list, we'll never share it. ChatGPT celebrates episode 400! Welcome to the big 4-0-0, Pythonistas! It's hard to believe we're celebrating the 400th episode of Python Bytes! From the early days of byte-sized Python news to becoming the source for all things Python, it's been a wild ride. We've laughed over code quirks, gasped at new libraries, and said farewell to the GIL together. Whether you're a seasoned developer, a curious learner, or just here for the witty banter, you've been an essential part of this journey. To Michael and Brian: You've built a community that turns import this into more than just Zen—it's a family of passionate Pythonistas. Your dedication, insights, and humor make this show more than just tech news. It's a weekly celebration of what we love about Python and why we keep coming back for more. Here's to the next 400 episodes—may your code be bug-free, your tests pass on the first run, and your Python version always be up to date. Brian #1: Python 3.13.0RC2, 3.12.6, 3.11.10, 3.10.15, 3.9.20, and 3.8.20 are now available! Łukasz Langa Python 3.13.0RC2 is the final preview release Official 3.13.0 scheduled for Oct 1 Call to action “We strongly encourage maintainers of third-party Python projects to prepare their projects for 3.13 compatibilities during this phase, and where necessary publish Python 3.13 wheels on PyPI to be ready for the final release of 3.13.0. Any binary wheels built against Python 3.13.0rc2 will work with future versions of Python 3.13. As always, report any issues to the Python bug tracker .” “Please keep in mind that this is a preview release and while it's as close to the final release as we can get it, its use is not recommended for production environments.” Note: uv python does not support 3.13 yet see issue 320 Security releases for 3.12.6, 3.11.10, 3.10.15, 3.9.20, and 3.8.20 3.12.6 has binary installers, but for MacOS, only MacOS 10.13 and newer are supported 3.11.10, 3.10.15, 3.9.20, and 3.8.20 do NOT include binary installers. 3.8 EOL's in October Michael #2: Docker images using uv's python See #396: uv-ing your way to Python and #398: Open source makes you rich? (and other myths) for the opening discussions Talk Python episode on uv is out uv venv --python gets Python from python-build-standalone by Gregory Szorc Took our Docker build times from 10 minutes to 8 seconds for the base image and 800ms (!) for our app platforms Brian #3: 10 years of sustainable open source - Read the Docs Eric Holscher Read the Docs has been a company for 10 years “a team of 4 folks working full-time on Read the Docs.” readthedocs.org started in 2010 readthedocs.com (for Business) started in 2014 Sustainability model .org has a single non-tracking ad .com is a paid service for companies Things that didn't work donations and other optional support - led to burnout consulting and services- took too much time away from core product grant funding - nice, but one time thing Lessons You don't get extra points for being bootstrapped. Compete by doing things you can do better due to niche and size. Keeping trust in the community is the most important thing. Contribution is easier for less complex parts of the code base. Beign open source means capturing a small percentage of the value you create. You have to be ok doing more with less. Also RtD is not just for Sphinx anymore. Their build system now supports any documentation tool. Michael #4: humanize by Hugo van Kemenade (Python 3.14 & 3.15 release manager & core developer) Not too many variations, but very handy if you need it. Numbers Associated Press style (“seven” and “10”) Clamp (under 1.0 million) Fractional (1/3) Int Word (1.2 Billion) Metric (1.5 kV) Ordinal (112th) scientific Time File size Extras Brian: Test & Code is now again Test & Code The two part series on Python imports that started in June is finally complete with episode 222. Transcripts are being added to old episodes gradually starting from most recent Back to ep 203 as of today. AI transcription, so there's things like .pie, .pi, and dot pie where it should be .py Michael: Final final call for Coding in a Castle event with Michael iStats Menu Anaconda Code Runner by Ruud van der Ham: With Anaconda Coide we can -at last- run that code locally and import (most) Python modules. But if you want to run a significant amount of code, you have to put that in a cell or publish it to PyPI or a wheel and import it. That's why I have developed a general-purpose runner function that runs arbitrary code located on an Excel sheet with AnacondaCode. Joke: When beginners learn a new programming language...

Video Episode: https://youtu.be/ECOVSA0MIyY In today's episode, we delve into the newly discovered EUCLEAK attack affecting YubiKey FIDO devices, emphasizing the potential for state-sponsored actors to exploit vulnerabilities in the Infineon SLE78 microcontroller. We also discuss Cisco's response to a backdoor found in the Smart Licensing Utility, a critical flaw that allows unauthorized admin access, and highlight the Revival Hijack supply-chain attack endangering over 22,000 PyPI packages. Lastly, we urge Android users to install security updates addressing the actively exploited CVE-2024-32896 vulnerability. Links to articles discussed: https://www.bleepingcomputer.com/news/security/new-eucleak-attack-lets-threat-actors-clone-yubikey-fido-keys/ https://www.bleepingcomputer.com/news/security/cisco-warns-of-backdoor-admin-account-in-smart-licensing-utility/ https://www.bleepingcomputer.com/news/security/revival-hijack-supply-chain-attack-threatens-22-000-pypi-packages/ https://thehackernews.com/2024/09/google-confirms-cve-2024-32896.html Sign up for digestible cyber news delivered to your inbox: https://news.thedailydecrypt.com Thanks to Jered Jones for providing the music for this episode. https://www.jeredjones.com/ Logo Design by https://www.zackgraber.com/ EUCLEAK, YubiKey, Infineon, microcontroller, Cisco, Smart Licensing Utility, vulnerability, cybersecurity, Revival Hijack, PyPI, JFrog, Hackers, CVE-2024-32896, Google What are today's top cybersecurity news stories?, EUCLEAK YubiKey vulnerability, Cisco Smart Licensing Utility backdoor, Revival Hijack PyPI package threat, CVE-2024-32896 Android update urgency, cybersecurity measures for YubiKey owners, protecting Cisco systems from vulnerabilities, safeguarding PyPI packages from hackers, critical updates for Android devices, cybersecurity risks in the technology industry

In this episode Bob chats with David Hewitt, passionate Python and Rust programmer, core maintainer of PyO3, and part of the Pydantic team. PyO3 lets you write a native Python module in Rust, or to embed Python in a Rust binary. David shares his journey of getting involved and how this tool set helps Python programmers integrate with Rust more easily. We talk about how PyO3 helped the Pydantic v2 Rust integration, how to design for a great developer experience, the mindset of dealing with complex issues, PyPI getting more packages with Rust, how to best learn Rust and more. Enjoy and let us know when you give PyO3 (and maturin) a try ...Reach out to David: https://github.com/davidhewitt (additional social media links there)Ad segment: Pybites PDM coaching program: https://pybit.es/catalogue/the-pdm-program/Join our community: https://pybites.circle.so

Guests Jan Lehnardt | Alba Herrerías Ramírez Panelist Richard Littauer Show Notes In this episode of Sustain, host Richard Littauer engages with Jan Lehnardt and Alba Herrerías Ramírez from Neighbourhoodie, a consultancy company based in Berlin and the Canary Islands. The discussion delves into Neighbourhoodie's work on sustaining open source projects, their collaboration with the Sovereign Tech Fund for enhancing open source project's bug resilience, and the technical and ethical facets of their consultancy services. Insights are shared into their past and current projects, including PouchDB, CouchDB, and their contributions to humanitarian causes, emphasizing their focus on creating a sustainable impact in the open source community. Press download now to hear more! [00:01:55] Jan explains the origin of Neighbourhoodie, which began with the Hoodie open source project, how the company evolved, the decline of the Hoodie project due to timing and resources, and how CouchDB and PouchDB continued to thrive. [00:04:27] Richard asks about the company's name and its novelty domain, and Jan gives an overview of Neighbourhoodie's size and slow and steady growth, and their focus on a positive work environment. [00:05:51] Jan gives a detail explanation of CouchDB and PouchDB's functionality, particularly their offline-first and synchronization capabilities, and how this has been used in critical projects like the Ebola vaccine. [00:08:41] Richard asks about maintaining ethical work practices and avoiding projects that conflict with Neighbourhoodie's values. [00:09:53] Jan discusses how Neighbourhoodie balances reinvesting in open source projects and expanding the company, focusing on professional services around CouchDB and PouchDB. [00:11:53] Alba describes her role in leading Sovereign Tech Fund (STF) projects within Neighbourhoodie, and how they engage with various projects to offer support. [00:13:31] Jan explains the STF's Bug Resilience Program. [00:16:33] Richard asks about the potential ethical dilemma when third-party consultants like Neighbourhoodie might be taking work that could have otherwise gone to maintainers themselves. We hear how Neighbourhoodie, the projects, and the STF agree on statements of work, including milestones and time estimates, to ensure fairness and proper allocation of resources. [00:21:23] We learn from Jan that dealing with low-quality bug reports isn't a primary focus of their work, but improving test coverage, dependency updates, and CI/CD processes helps mitigate these issues as a side effect. [00:22:54] Alba talks about the different types of projects they work in, such as OpenPGP.js, Sequioa, Yocto, PyPi, Systemd, PHP, Log4j, and reproducible builds. [00:23:49] Jan discusses the challenges and learning opportunities that comes with working across diverse projects, each with its own set of tools, communication styles, and cultural contexts. [00:25:29] Richard reflects on the complexity of open source sustainability and Alba describes how they research projects and identify areas where they can provide the most help, tailoring their approach to the specific needs of each project. [00:27:25] Jan explains that they don't dictate solutions but rather collaborate with projects to address their most pressing needs, often helping to mediate between different parts of a project to find common ground. [00:30:07] Jan explains how they educate clients to take responsibility for the scripts they deliver, unless there's a long-term support contract in place. [00:32:00] We learn how the Neighbourhoodie transition was organic and not part of a grand strategy and how they continue to contribute to open source through their consulting work. [00:34:54] Richard questions the choice of open source as the main focus given its limitations, and Jan explains that open source is widely understood and accessible, making it a practical choice for their work. [00:37:35] Alba and Jan share some highlights and fun things from their work. [00:39:32] Find out where you can follow Jan and Alba online. Quotes [00:02:19] “The goal was to have two separate entities so that when the company puts out an open source project in its own name, and then the company goes under, and the project goes away, we wanted to not have that.” [00:24:08] “If you do software long enough, you realize that the technical problems are just the sideshow and everything else you have to solve things on the people layer instead of the technology layer.” [00:25:06] “The current monoculture of everything is on GitHub is not the only truth out there.” [00:35:34] “Open source is the thing that everybody understands.” Spotlight [00:40:57] Richard's spotlight is Gregor Martynus. [00:41:54] Jan's spotlight is AdonisJS. [00:42:45] Alba's spotlight is PouchDB. Links SustainOSS (https://sustainoss.org/) podcast@sustainoss.org (email) (mailto:podcast@sustainoss.org) richard@theuserismymom.com (email) (mailto:richard@theuserismymom.com) SustainOSS Discourse (https://discourse.sustainoss.org/) SustainOSS Mastodon (https://mastodon.social/tags/sustainoss) Open Collective-SustainOSS (Contribute) (https://opencollective.com/sustainoss) Richard Littauer Socials (https://www.burntfen.com/2023-05-30/socials) Alba Herrerías Ramírez LinkedIn (https://www.linkedin.com/in/alba-herrerias-ramirez/) Alba Herrerías Ramírez Website (https://www.albaherrerias.dev/) Alba Herrerías Ramírez Mastodon (https://mastodon.social/@albaherrerias) Alba Herrerías Ramírez email (mailto:alba@neighbourhood.ie) Jan Lehnardt LinkedIn (https://www.linkedin.com/in/jan-lehnardt-750b0816b/) Jan Lehnardt Website (https://writing.jan.io/) Jan Lehnardt Mastodon (https://narrativ.es/@janl) Jan Lehnardt email (mailto:jan@neighbourhood.ie) Neighbourhoodie Software (https://neighbourhood.ie/) CouchDB (https://couchdb.apache.org/) Sovereign Tech Fund (https://www.sovereigntechfund.de/) Bug Resilience Program (STF) (https://www.sovereigntechfund.de/programs/bug-resilience) Sustain Podcast: 2 episodes with guest Daniel Stenburg (https://podcast.sustainoss.org/guests/stenberg) Gregor Martynus-GitHub (https://github.com/gr2m) AdonisJS (https://adonisjs.com/) PouchDB (https://pouchdb.com/) Credits Produced by Richard Littauer (https://www.burntfen.com/) Edited by Paul M. Bahr at Peachtree Sound (https://www.peachtreesound.com/) Show notes by DeAnn Bahr Peachtree Sound (https://www.peachtreesound.com/) Special Guests: Alba Herrerías Ramírez and Jan Lehnardt.

In today's episode, we delve into a security flaw in WhatsApp for Windows that allows Python and PHP scripts to execute without warning, a new malicious PyPI package targeting macOS for stealing Google Cloud credentials, and how cybercriminals bypassed Google's email verification to exploit Google Workspace accounts. Additionally, we explore the controversial use of AI surveillance at the Paris 2024 Olympics, examining its possible long-term impacts on privacy and security. Stay tuned as we unpack these pressing cybersecurity issues. 00:00 - Intro 01:14 - At the Olympics, AI is watching you 02:47 - Crooks Bypassed Google's Email Verification 05:15 - Malicious PyPI Package Targets macOS 07:32 - WhatsApp lets Python, PHP scripts execute with no warning https://www.bleepingcomputer.com/news/security/whatsapp-for-windows-lets-python-php-scripts-execute-with-no-warning/ https://thehackernews.com/2024/07/malicious-pypi-package-targets-macos-to.html https://krebsonsecurity.com/2024/07/crooks-bypassed-googles-email-verification-to-create-workspace-accounts-access-3rd-party-services/ https://arstechnica.com/ai/2024/07/at-the-olympics-ai-is-watching-you/ Video Episode: https://youtu.be/4GS2Ofq4uW4 Sign up for digestible cyber news delivered to your inbox: https://news.thedailydecrypt.com Thanks to Jered Jones for providing the music for this episode. https://www.jeredjones.com/ Logo Design by https://www.zackgraber.com/ Tags: Meta, vulnerability, Python, security, WhatsApp, Windows, scripts, Telegram, exploit, power users, developers, PyPI, malicious package, lr-utils-lib, macOS, Google Cloud, credentials, cybercriminals, enterprise systems, developers, authentication, vulnerabilities, Workspace, email verification, user protection, Paris, AI algorithms, CCTV cameras, urban security, Olympics Search Phrases: What are today's top cybersecurity news stories? Why is Meta not blocking Python and PHP scripts on WhatsApp for Windows? How dangerous is the WhatsApp for Windows vulnerability? What was the Telegram exploit related to script execution? How to avoid downloading malicious PyPI packages? What are the risks of using lr-utils-lib on macOS? How were Google Cloud credentials targeted by lr-utils-lib? What vulnerabilities exist in Google Workspace authentication? How are AI algorithms used in urban security monitoring? Security concerns of AI surveillance during the Paris 2024 Olympics

Hackers exploiting PyPi package targets MacOS Columbus, Ohio suffers cyber incident Windows July updates come with some BitLocker and remote connectivity challenges Huge thanks to our sponsor, Dropzone AI Meet Dropzone AI, the analyst who never rests. Investigating every alert with unparalleled speed and precision, delivering clear, actionable reports. No playbooks, no code. Experience the power of AI with a 3-month free trial at dropzone.ai. For the stories behind the headlines, head to CISOseries.com.

Topics covered in this episode: 2024 PSF Board Election & Proposed Bylaw Change Results SATYRN: A modern Jupyter client for Mac Incident Report: Leaked GitHub Personal Access Token Extra extra extra Extras Joke Watch on YouTube About the show Sponsored by Code Comments, an original podcast from RedHat: pythonbytes.fm/code-comments Connect with the hosts Michael: @mkennedy@fosstodon.org Brian: @brianokken@fosstodon.org Show: @pythonbytes@fosstodon.org Join us on YouTube at pythonbytes.fm/live to be part of the audience. Usually Tuesdays at 10am PT. Older video versions available there too. Finally, if you want an artisanal, hand-crafted digest of every week of the show notes in email form? Add your name and email to our friends of the show list, we'll never share it. Brian #1: 2024 PSF Board Election & Proposed Bylaw Change Results New board members Tania Allard KwonHan Bae Cristián Maureira-Fredes Congrats to new board members If you want to consider becoming a board member, there are 4 seats up for vote next year. All 3 bylaw changes passed, by a wide margin. Details of changes Change 1: Merging Contributing and Managing member classes Change 2: Simplifying the voter affirmation process by treating past voting activity as intent to continue voting Change 3: Allow for removal of Fellows by a Board vote in response to Code of Conduct violations, removing the need for a vote of the membership Michael #2: SATYRN: A modern Jupyter client for Mac A Jupyter client app for macOS Comes with a command palette LLM assistance (local or cloud?) Built in Black formatter Currently in alpha Business model unknown Brian #3: Incident Report: Leaked GitHub Personal Access Token Suggested by Galen Swint See also JFrog blog: Binary secret scanning helped us prevent (what might have been) the worst supply chain attack you can imagine A GitHub access token found it's way into a .pyc file, then into a docker image. JFrog found it through some regular scans. JFrog notified PYPI security. Token was destroyed within 17 minutes. (nice turnaround) Followup scan revealed that no harm was done. Takaways (from Ee Durbin): Set aggressive expiration dates for API tokens (If you need them at all) Treat .pyc files as if they were source code Perform builds on automated systems from clean source only. Michael #4: Extra extra extra Python 3.13.0 beta 3 released Ice got a lot better I Will Piledrive You If You Say AI Again | Prime Reacts Video Follow up actions for polyfill supply chain attack Developer Ecosystem Survey 2024 Code in a Castle still has seats open Extras Brian: A new pytest course in the works Quick course focusing on core pytest features + some strategy and Design for Testability concepts Idea everyone on the team (including managers) can take the new course. 1-2 people on a team take “The Complete pytest Course” to become the teams local pytest experts. Python People is on an indefinite hold Python Test → back to Test & Code (probably) I'm planning a series (maybe a season) on TDD which will be language agnostic. Plus I still have tons of Test & Code stickers and no Python Test stickers. New episodes planned for August Joke: I need my intellisense (autocomplete)

The ZigLang team have put an astonishing amount of effort into making Zig work an effective tool for compiling C across different architectures. Work that benefits the Zig language, but also has a chance to benefit languages like Python and Rust. Or indeed, any language that uses native C libraries somewhere in its stack.So this week we're joined by Loris Cro of the Zig team to dive into how you make a reliable, cross-platform toolchain that can compile C anywhere it finds it. And in doing so, –Zig Homepage: https://ziglang.org/Zig on Github: https://github.com/ziglang/zigMingW for Windows: https://www.mingw-w64.org/All Your Codebase: https://allyourcodebase.com/Ziglang on PyPi: https://pypi.org/project/ziglang/Shout out to Whitequark: https://pypi.org/user/whitequark/Darling: https://www.darlinghq.org/WineHQ: https://www.winehq.org/PyPi Stats: https://pypistats.org/packages/__all__The Zine static site generator: https://zine-ssg.io/The Zine source code: https://github.com/kristoff-it/zineLoris' website: https://kristoff.it/Kris on Mastodon: http://mastodon.social/@krisajenkinsKris on LinkedIn: https://www.linkedin.com/in/krisjenkins/Kris on Twitter: https://twitter.com/krisajenkins

Topics covered in this episode: Vendorize packages from PyPI A Guide to Python's Weak References Using weakref Module Making Time Speak How Should You Test Your Machine Learning Project? A Beginner's Guide Extras Joke Extras Joke Watch on YouTube About the show Sponsored by Code Comments, an original podcast from RedHat: pythonbytes.fm/code-comments Connect with the hosts Michael: @mkennedy@fosstodon.org Brian: @brianokken@fosstodon.org Show: @pythonbytes@fosstodon.org Join us on YouTube at pythonbytes.fm/live to be part of the audience. Usually Tuesdays at 10am PT. Older video versions available there too. Finally, if you want an artisanal, hand-crafted digest of every week of the show notes in email form? Add your name and email to our friends of the show list, we'll never share it. Michael #1: Vendorize packages from PyPI Allows pure-Python dependencies to be vendorized: that is, the Python source of the dependency is copied into your own package. Best used for small, pure-Python dependencies Brian #2: A Guide to Python's Weak References Using weakref Module Martin Heinz Very cool discussion of weakref Quick garbage collection intro, and how references and weak references are used. Using weak references to build data structures. Example of two kinds of trees Implementing the Observer pattern How logging and OrderedDict use weak references Michael #3: Making Time Speak by Prayson, a former guest and friend of the show Translating time into human-friendly spoken expressions Example: clock("11:15") # 'quarter past eleven' Features Convert time into spoken expressions in various languages. Easy-to-use API with a simple and intuitive design. Pure Python implementation with no external dependencies. Extensible architecture for adding support for additional languages using the plugin design pattern. Brian #4: How Should You Test Your Machine Learning Project? A Beginner's Guide François Porcher Using pytest and pytest-cov for testing machine learning projects Lots of pieces can and should be tested just as normal functions. Example of testing a clean_text(text: str) -> str function Test larger chunks with canned input and expected output. Example test_tokenize_text() Using fixtures for larger reusable components in testing Example fixture: bert_tokenizer() with pretrained data Checking coverage Extras Michael: Twilio Authy Hack Google Authenticator is the only option? Really? Bitwarden to the rescue Requires (?) an update to their app, whose release notes (v26.1.0) only say “Bug fixes” Introducing Docs in Proton Drive This is what I called on Mozilla to do in “Unsolicited Advice for Mozilla and Firefox” But Proton got there first Early bird ending for Code in a Castle course Joke: I Lied

Topics covered in this episode: NumPy 2.0 release date is June 16 Uvicorn adds multiprocess workers pixi JupyterLab 4.2 and Notebook 7.2 are available Extras Joke Watch on YouTube About the show Sponsored by Mailtrap: pythonbytes.fm/mailtrap Connect with the hosts Michael: @mkennedy@fosstodon.org Brian: @brianokken@fosstodon.org Show: @pythonbytes@fosstodon.org Join us on YouTube at pythonbytes.fm/live to be part of the audience. Usually Tuesdays at 10am PT. Older video versions available there too. Finally, if you want an artisanal, hand-crafted digest of every week of the show notes in email form? Add your name and email to our friends of the show list, we'll never share it. Brian #1: NumPy 2.0 release date is June 16 “This release has been over a year in the making, and is the first major release since 2006. Importantly, in addition to many new features and performance improvement, it contains breaking changes to the ABI as well as the Python and C APIs. It is likely that downstream packages and end user code needs to be adapted - if you can, please verify whether your code works with NumPy 2.0.0rc2.” NumPy 2.0.0 Release Notes NumPy 2.0 migration guide including “try just running ruff check path/to/code/ --select NPY201” “Many of the changes covered in the 2.0 release notes and in this migration guide can be automatically adapted in downstream code with a dedicated Ruff rule, namely rule NPY201.” Michael #2: Uvicorn adds multiprocess workers via John Hagen The goal was to no longer need to suggest that people use Gunicorn on top of uvicorn. Uvicorn can now in a sense "do it all” Steps to use it and background on how it works. Brian #3: pixi Suggested by Vic Kelson “pixi is a cross-platform, multi-language package manager and workflow tool built on the foundation of the conda ecosystem.” Tutorial: Doing Python development with Pixi Some quotes from Vic: “Pixi is a project manager, written in Rust, that allows you to build Python projects without having Python previously installed. It's installable with Homebrew (brew install pixi on Linux and MacOS). There's support in VSCode and PyCharm via plugins. By default, pixi fetches packages from conda-forge, so you get the scientific stack in a pretty reliable and performant build. If a package isn't on conda-forge, it'll look on PyPI, or I believe you can force it to look on PyPI if you like.” “So far, it works GREAT for me. What really impressed me is that I got a Jupyter environment with CuPy utilizing my aging Nvidia GPU on the FIRST TRY.” Michael #4: JupyterLab 4.2 and Notebook 7.2 are available JupyterLab 4.2.0 has been released! This new minor release of JupyterLab includes 3 new features, 20 enhancements, 33 bug fixes and 29 maintenance tasks. Jupyter Notebook 7.2.0 has also been released Highlights include Easier Workspaces Management with GUI Recently opened/closed files Full notebook windowing mode by default (renders only the cells visible in the window, leading to improved performance) Improved Shortcuts Editor Dark High Contrast Theme Extras Brian: Help test Python 3.13! Help us test free-threaded Python without the GIL both from Hugo van Kemenade Python Test 221: How to get pytest to import your code under test is out Michael: Bend follow up from Bernát Gábor “Bend looks roughly like Python but is nowhere there actually. For example it has no for loops, instead you're meant to use bend keyword (hence the language name) to expand calculations and another keyword to join branches. So basically think of something that resembles Python at high level, but without being compatible with that and without any of the standard library or packages the Python language provides. That being said does an impressive job at parallelization, but essentially it's a brand new language with new syntax and paradigms that you will have to learn, it just shares at first look similarities with Python the most.” Joke: Do-while

Apple Updates Everything https://isc.sans.edu/diary/Apple%20Patches%20Everything%3A%20macOS%2C%20iOS%2C%20iPadOS%2C%20watchOS%2C%20tvOS%20updated./30916 Juniper OpenSSH Update https://supportportal.juniper.net/s/article/2024-05-Reference-Advisory-Junos-OS-and-Junos-OS-Evolved-Multiple-CVEs-reported-in-OpenSSH?language=en_US Malicious Go Binary Delivered via Steganography in PyPi https://blog.phylum.io/malicious-go-binary-delivered-via-steganography-in-pypi/

Apple Updates Everything https://isc.sans.edu/diary/Apple%20Patches%20Everything%3A%20macOS%2C%20iOS%2C%20iPadOS%2C%20watchOS%2C%20tvOS%20updated./30916 Juniper OpenSSH Update https://supportportal.juniper.net/s/article/2024-05-Reference-Advisory-Junos-OS-and-Junos-OS-Evolved-Multiple-CVEs-reported-in-OpenSSH?language=en_US Malicious Go Binary Delivered via Steganography in PyPi https://blog.phylum.io/malicious-go-binary-delivered-via-steganography-in-pypi/

3000 Years Ago, Dell, Robocalls, PyPI, Cinterion, Cacti, Chat-GPT, Windows, Josh Marpet, and more, on this Edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-386

3000 Years Ago, Dell, Robocalls, PyPI, Cinterion, Cacti, Chat-GPT, Windows, Josh Marpet, and more, on this Edition of the Security Weekly News. Show Notes: https://securityweekly.com/swn-386

Topics covered in this episode: Announcing py2wasm: A Python to Wasm compiler Exploring Python packages with Oven and PyPI Browser PyCharm Local LLM Google shedding Python devs (at least in the US). Extras Joke Watch on YouTube About the show Sponsored by ScoutAPM: pythonbytes.fm/scout Connect with the hosts Michael: @mkennedy@fosstodon.org Brian: @brianokken@fosstodon.org Show: @pythonbytes@fosstodon.org Join us on YouTube at pythonbytes.fm/live to be part of the audience. Usually Tuesdays at 11am PT. Older video versions available there too. Finally, if you want an artisanal, hand-crafted digest of every week of the show notes in email form? Add your name and email to our friends of the show list, we'll never share it. Michael #1: Announcing py2wasm: A Python to Wasm compiler py2wasm converts your Python programs to WebAssembly, running them at 3x faster speeds thanks to Nuitka Brian #2: Exploring Python packages with Oven and PyPI Browser pypi.org is great, but there are some handy alternatives Oven Shows how to install stuff with pip, pdm, rye, and poetry Similar meta and description as PyPI Includes README.md view (no tables yet, though) Nice listing of versions Ability to look at what files are in wheels and tarballs (very cool) Can deploy yourself. Node/Remix app. Really slick. PyPI Browser View versions View wheel and tarball contents. Metadata and contents. No README view Is a Starlette app that you can deploy on your on with a private registry. So that's cool. Michael #3: PyCharm Local LLM Pretty awesome full line completer based on a local LLM for PyCharm Requires PyCharm Professional An example, given this partial function in Flask: @blueprint.get('/listing') def listing(): videos = video_service.all_videos() Typing ret → That is, typing ret autocompletes to: return flask.render_template('home/listing.html', videos=videos) Which is pretty miraculous, and correct. Brian #4: Google shedding Python devs (at least in the US). Google lays off staff from Flutter, Dart and Python teams weeks before its developer conference - techcrunch Python, Flutter teams latest on the Google chopping block - The Register “Despite Alphabet last week reporting a 57 percent year-on-year jump in net profit to $23.66 billion for calendar Q1, more roles are being expunged as the mega-corp cracks down on costs.” “As for the Python team, the current positions have reportedly been "reduced" in favor of a new team based in Munich.” MK: Related and timely: How one power-hungry leader destroyed Google search Extras Brian: Python Gotcha: strip, lstrip, rstrip can remove more than expected Reminder: You probably want .removesuffix() and .removeprefix() Michael: Using Llama3 in LMStudio Joke: Broken System

Topics covered in this episode: NumFOCUS concerns leaping pytest debugger llm Extra, Extra, Extra, PyPI has completed its first security audit Extras Joke Watch on YouTube About the show Sponsored by us! Support our work through: Our courses at Talk Python Training The Complete pytest Course Patreon Supporters Connect with the hosts Michael: @mkennedy@fosstodon.org Brian: @brianokken@fosstodon.org Show: @pythonbytes@fosstodon.org Join us on YouTube at pythonbytes.fm/live to be part of the audience. Usually Tuesdays at 11am PT. Older video versions available there too. Finally, if you want an artisanal, hand-crafted digest of every week of the show notes in email form? Add your name and email to our friends of the show list, we'll never share it. Brian #1: NumFOCUS concerns Suggested by Pamphile Roy Write up of the current challenges faced by NumFOCUS, by Paul Ivanov (one of the OG of Scientific Python: Jupyter, Matplotlib, etc.) Struggling to meet the needs of sponsored and affiliated projects. In February, NumFOCUS announced it is moving in a new direction. NumFOCUS initiated an effort to run an election for open board seats and proposed changing its governance structure. Some projects are considering and actively pursuing alternative venues for fiscal sponsorship. Quite a bit more detail and discussion in the article. NumFOCUS covers a lot of projects NumPy, Matplotlib, pandas, Jupyter, SciPy, Astropy, Bokeh, Dask, Conda, and so many more. Michael #2: leaping pytest debugger llm You can ask Leaping questions like: Why am I not hitting function x? Why was variable y set to this value? What was the value of variable x at this point? What changes can I make to this code to make this test pass? Brian #3: Extra, Extra, Extra, 2024 Developer Summit Also suggested by Pamphile, related to Scientific Python The Second Scientific Python Developer Summit , June 3-5, Seattle, WA Lots of great work came out of the First Summit in 2023 pytest-regex - Use regexs to specify tests to run Came out of the '23 summit I'm not sure if I'm super happy about this or a little afraid that I probably could use this. Still, cool that it's here. Cool short example of using __init__ and __call__ to hand-roll a decorator. ruff got faster Michael #4: PyPI has completed its first security audit Trail of Bits spent a total of 10 engineer-weeks of effort identifying issues, presenting those findings to the PyPI team, and assisting us as we remediated the findings. Scope: The audit was focused on "Warehouse", the open-source codebase that powers pypi.org As a result of the audit, Trail of Bits detailed 29 different advisories discovered across both codebases. When evaluating severity level of each advisory, 14 were categorized as "informational", 6 as "low", 8 as "medium" and zero as "high". Extras Brian: pytest course community to try out Podia Communities. Anyone have a podia community running strong now? If so, let me know through Mastodon: @brianokken@fosstodon.org Want to join the community when it's up and running? Same. Or join our our friends of the show list, and read our newsletter. I'll be sure to drop a note in there when it's ready. Michael: VS Code AMA @ Talk Python [video] Gunicorn CVE Talk submissions are now open for both remote and in-person talks at the 2024 PyConZA? The conference will be held on 3 and 4 October 2024 in Cape Town, South Africa. Details are on za.pycon.org. FlaskCon 2024 will be happening Friday, May 17 inside PyCon US 2024. Call for proposals are now live! Joke: Debugging with your eyes

Topics covered in this episode: pacemaker - For controlling time per iteration loop in Python. PyPI suspends new user registration to block malware campaign Python Project-Local Virtualenv Management Redux Python Edge Workers at Cloudflare Extras Joke Watch on YouTube About the show Sponsored by us! Support our work through: Our courses at Talk Python Training The Complete pytest Course Patreon Supporters Connect with the hosts Michael: @mkennedy@fosstodon.org Brian: @brianokken@fosstodon.org Show: @pythonbytes@fosstodon.org Join us on YouTube at pythonbytes.fm/live to be part of the audience. Usually Tuesdays at 11am PT. Older video versions available there too. Finally, if you want an artisanal, hand-crafted digest of every week of the show notes in email form? Add your name and email to our friends of the show list, we'll never share it. Brian #1: pacemaker - For controlling time per iteration loop in Python. Brandon Rohrer Good example of a small bit of code made into a small package. With speedups to dependencies, like with uv, for example, I think we'll see more small projects. Cool stuff Great README, including quirks that need to be understood by users. “If the pacemaker experiences a delay, it will allow faster iterations to try to catch up. Heads up: because of this, any individual iteration might end up being much shorter than suggested by the pacemaker's target rate.” Nice use of time.monotonic() deltas are guaranteed to never go back in time regardless of what adjustments are made to the system clock. Watch out for pip install pacemaker-lite NOT pacemaker pacemaker is taken by a package named PaceMaker with a repo named pace-maker, that hasn't been updated in 3 years. Not sure if it's alive. No tests (yet). I'm sure they're coming. ;) Seriously though, Brandon says this is “a glorified snippet”. And I love the use of packaging to encapsulate shared code. Realistically, small snippet like packages have functionality that's probably going to be tested by end user code. And even if there are tests, users should test the functionality they are depending on. Michael #2: PyPI suspends new user registration to block malware campaign Incident Report for Python Infrastructure PyPi Is Under Attack: Project Creation and User Registration Suspended — Here's the details I hate medium, but it's the best details I've found so far Brian #3: Python Project-Local Virtualenv Management Redux Hynek Concise writeup of how Hynek uses various tools for dealing with environments Covers (paren notes are from Brian) In project .venv directories direnv for handling .envrc files per project (time for me to try this again) uv for pip and pip-compile functionality Installing Python via python.org Using a .python-version-default file (I'll need to play with this a bit) Works with GH Action setup-python. (ok. that's cool) Some fish shell scripting Bonus tip on using requires-python in .pyproject.toml and extracting it in GH actions to be able to get the python exe name, and then be able to pass it to Docker and reference it in a Dockerfile. (very cool) Michael #4: Python Edge Workers at Cloudflare What are edge workers? Based on workers using Pyodide and WebAssembly This new support for Python is different from how Workers have historically supported languages beyond JavaScript — in this case, we have directly integrated a Python implementation into workerd, the open-source Workers runtime. Python Workers can import a subset of popular Python packages including FastAPI, Langchain, numpy Check out the examples repo. Extras Michael: LPython follow up from Brian Skinn Featured on Python Bytes badge A little downtime, thanks for the understanding We were rocking a 99.98% uptime until then. :) Joke: C++ is not safe for people under 18 Baseball joke

PyPI puts a temporary hold on operations. OMB outlines federal AI governance. Germany sounds the alarm on Microsoft Exchange server updates. Cisco patches potential denial of service vulnerabilities. The US puts a big bounty on BlackCat. Darcula and Tycoon are sophisticated phishing as a service platforms. Don't dilly-dally on the latest Chrome update. On our Threat Vector segment, host David Moulton has guest Sam Rubin, VP and Global Head of Operations at Unit 42, to discuss Sam's testimony to the US Congress on the multifaceted landscape of ransomware attacks, AI, and automation, the need for more cybersecurity education. And Data brokers reveal alleged visitors to pedophile island.  Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest On the Threat Vector segment, host David Moulton has guest Sam Rubin, VP and Global Head of Operations at Unit 42. They discuss Sam's testimony to the US Congress on the multifaceted landscape of ransomware attacks, AI, and automation, the need for more cybersecurity education and more. Listen to the full episode with David and Sam's in-depth discussion. Read Sam Rubin's testimony. Selected Reading PyPi Is Under Attack: Project Creation and User Registration Suspended (Malware News) OMB Issues First Governmentwide AI Risk Mitigation Rules (GovInfo Security) German cyber agency warns 17,000 Microsoft Exchange servers are vulnerable to critical bugs (The Record) Cisco Patches DoS Vulnerabilities in Networking Products (Security Week) US offers a $10 million bounty for information on UnitedHealth hackers (ITPro) IPhone Users Beware! Darcula Phishing Service Attacking Via IMessage (GB Hackers) Tycoon 2FA, the popular phishing kit built to bypass Microsoft and Gmail 2FA security protections, just got a major upgrade — and it's now even harder to detect (ITPro) Update Chrome now! Google patches possible drive-by vulnerability (Malwarebytes) Jeffrey Epstein's Island Visitors Exposed by Data Broker (WIRED)  Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.  Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2024 N2K Networks, Inc.

In the world of data science, there are people like me, who have signed up for an online Python course but just not got around to starting it yet, and then there are people like Ayhan Diᶊ, who, given a spare month, create a Python package to succeed the highly successful CreditR by simplifying tasks such as variable analysis, model development, and calibration and validation with unparalleled efficiency

Dem Bones, Leather, QNAP, CISA, Microsoft, PyPI, France, AirBnB, Josh Marpet, and More are on this edition of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-368

BGP attack disrupts Internet service. Data breach law firm breached. Remcos RAT returns. Poison packages in the PyPI repository. Hacktivist personae and GRU fronts. BreachForums impresario re-arrested. Cyber National Mission Force gets a new leader. On our Solution Spotlight, Simone Petrella talks with ISC2 CEO Clar Rosso about putting a dent in the cybersecurity workforce gap. LinkedIn as a dating platform? Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest On our Solution Spotlight, N2K President Simone Petrella talks with ISC2 CEO Clar Rosso about putting a dent in the cybersecurity workforce gap through empowerment, breaking down barriers and expanding Diversity, Equity and Inclusion (DE&I) initiatives. Selected Reading BGP attack disrupts Internet service. Pirated Zeppelin ransomware source code for sale in a C2C souk. BreachForums impresario re-arrested. (CyberWire) Hacker hijacks Orange Spain RIPE account to cause BGP havoc (Bleeping Computer) RIPE Account Hacking Leads to Major Internet Outage at Orange Spain (SecurityWeek) Law firm that handles data breaches was hit by data breach (TechCrunch) UAC-0050 Group Using New Phishing Tactics to Distribute Remcos RAT (The Hacker News) EXPERTS FOUND 3 MALICIOUS PACKAGES HIDING CRYPTO MINERS IN PYPI REPOSITORY (SecurityAffairs) BreachForums administrator detained after violating parole (The Record) Russian hackers wiped thousands of systems in KyivStar attack (Bleeping Computer) US military's Cyber National Mission Force gets a new chief (The Record) The Hottest New Dating Site: LinkedIn (Business Insider) Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.  Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc.

If you're a fan of Pydantic or dataclasses, you'll definitely be interested in this episode. We are talking about a super fast data modeling and validation framework called msgspec. Some of the types in here might even be better for general purpose use than Python's native classes. Join me and Jim Crist-Harif to talk about his data exchange framework, mspspec. Links from the show Jim Crist-Harif: jcristharif.com Jim @ GitHub: github.com Jim @ Mastdon: @jcristharif@hachyderm.io msgspec: github.com Projects using msgspec: github.com msgspec on Conda Forge: anaconda.org msgspec on PyPI: pypi.org Litestar web framework: litestar.dev Litestar episode: talkpython.fm Pydantic V2 episode: talkpython.fm JSON parsing with msgspec article: pythonspeed.com msgspec bencharmks: jcristharif.com msgspec vs. pydantic v1 and pydantic v2: github.com Watch this episode on YouTube: youtube.com Episode transcripts: talkpython.fm --- Stay in touch with us --- Subscribe to us on YouTube: youtube.com Follow Talk Python on Mastodon: talkpython Follow Michael on Mastodon: mkennedy --- Episode sponsors --- Posit Talk Python Training