Podcasts about pypi

  • 135PODCASTS
  • 420EPISODES
  • 43mAVG DURATION
  • 5WEEKLY NEW EPISODES
  • Jun 23, 2026LATEST

POPULARITY

20192020202120222023202420252026


Best podcasts about pypi

Latest podcast episodes about pypi

Python Bytes
#485 Creating memories

Python Bytes

Play Episode Listen Later Jun 23, 2026 38:20 Transcription Available


Topics covered in this episode: Backup Docker volumes locally or to any S3 Pyodide 314.0 Release nb-cli: A Command-Line Interface for AI Agents and Notebook Automation Hindsight Agent Memory That Learns Extras Joke Watch on YouTube About the show Sponsored by us! Support our work through: Our courses at Talk Python AWS Community Day Midwest tomorrow Wednesday the 24th in downtown Indianapolis, Six Feet Up is sponsoring and there are 2 Sixies presenting Connect with the hosts Michael: Mastodon / BlueSky / X / LinkedIn Calvin: Mastodon / BlueSky / X / LinkedIn Show: Mastodon / BlueSky / X Join us on YouTube at pythonbytes.fm/live to be part of the audience. Usually Tuesday at 7am PT. Older video versions available there too. Finally, if you want an bonus digest of every week of the show notes in email form? Add your name and email to our friends of the show list, we'll never share it. Michael #1: Backup Docker volumes locally or to any S3 Via Bryan Weber (thanks Bryan!), who spotted it over on Virtualization HowTo. Find Bryan at bryanwweber.com. offen/docker-volume-backup is a lightweight companion container that backs up the volumes your apps actually depend on, then ships them somewhere safe. It's tiny: written in Go and about 25MB compressed, roughly 1/20th the size of the shell-based image (jareware/docker-volume-backup) that inspired it. Drop it into your docker compose file as a backup service, mount the volumes you care about as read-only, and you're off. Push backups to a pile of destinations: a local directory, plus any S3, WebDAV, Azure Blob Storage, Dropbox, Google Drive, or SSH-compatible target. Mix and match as many as you want in one run. Recurring cron-style backups in a Compose setup, or one-off backups straight from the Docker CLI. Production-friendly touches worth calling out: Rotates away old backups so you don't quietly fill the disk. GPG encryption for your archives. Notifications on finished and failed runs (so you find out about failures before you need the backup). Stop a container during backup for a consistent snapshot using a simple docker-volume-backup.stop-during-backup=true label, then auto-restart it. Run custom commands during the backup lifecycle (great for a database dump before the file copy). Docker Swarm support, plus arm64 and arm/v7 builds. Hello, Raspberry Pi homelab. Fun aside from Bryan: he searched our back catalog for this tool and the search came back so fast he thought it hadn't run. Love to hear it. Calvin #2: Pyodide 314.0 Release PEP 783 is the real news — Pyodide maintainers used to hand-build 300+ packages. Now anyone can publish Pyodide wheels to PyPI with cibuildwheel. The version jump from 0.29 to 314.0 is intentional — it now tracks the Python version, so 314.x = Python 3.14. Binary compatibility is locked per Python cycle, meaning packages you build today won't break on the next Pyodide release. sqlite3, ssl, and lzma are back in the default stdlib — no more await pyodide.loadPackage("sqlite3"). Bigger download, but a much smoother experience for newcomers. bigint precision bug is fixed — values above 2^53 were silently losing precision when crossing the Python/JS boundary. The new JsBigInt type makes the roundtrip correct. Worth flagging if anyone is doing numeric work in a browser app. Experimental TCP sockets in Node.js — you can now connect Pyodide to a real database (MySQL, PostgreSQL, Redis tested) when running server-side. Blurs the line between "Python in the browser" and "Python runtime anywhere Wasm runs." Michael #3: nb-cli: A Command-Line Interface for AI Agents and Notebook Automation From Piyush Jain (Jupyter and LangChain maintainer) on the Jupyter blog: nb-cli: A Command-Line Interface for AI Agents and Notebook Automation. nb-cli is an experimental, Rust-based CLI to read, write, execute, and search Jupyter notebooks. The premise: agents are great at CLIs but terrible at hand-editing the nested JSON in an .ipynb, so let them operate on the notebook from the outside instead of running inside it. Works with or without a Jupyter server. No server? It reads/writes .ipynb files directly and talks to kernels over ZeroMQ. Connected to a live JupyterLab, your edits show up instantly via Y.js (the same CRDT Jupyter uses). Smart output format: instead of token-heavy JSON or ambiguous plain markdown, it uses @@cell / @@output sentinels with inline metadata. Less wasted context, unambiguous structure, and it degrades gracefully on truncation. The payoff is composability. "Add a summary section and run it" becomes one shell pipeline instead of six agent tool calls. And nb search notebook.ipynb --with-errors returns only the failing cells, so the agent skips the cells that worked. Claude Code tie-in: it ships as an agent skill. npx skills install jupyter-ai-contrib/nb-cli and your agent can drive notebooks via nb. Out of jupyter-ai-contrib, which aims to become an official Jupyter AI subproject. Still early (crates.io is at v0.0.5), so kick the tires before anything load-bearing. See also marimo-pair. Calvin #4: Hindsight Agent Memory That Learns AI agents forget everything between sessions — Hindsight gives them persistent memory that learns over time Simple three-method API: retain(), recall(), reflect() — store, retrieve, and reason over memories TEMPR retrieval runs semantic, keyword, graph, and temporal search in parallel for accurate results Automatically consolidates related facts into durable observations instead of piling up duplicates pip install hindsight-all runs the entire server in-process; integrates with LangChain, LlamaIndex, Pydantic AI, CrewAI, and more Extras Calvin: Clanker: A Word For The Machine **Ponytail — You know him. Long ponytail. Oval glasses. Has been at the company longer than the version control** **Klangk: Multi-User AI Sandboxing, Collaboration and Coding Platform** Cursor announces Origin performative-ui to quick start your new idea Michael: Astral Joins OpenAI: The Interview SpaceX to acquire Cursor And OpenAI renews Open Source support Portuguese subtitles are now available for Talk Python courses DSF is hiring including Six Feet Up support Joke: Oh Babe…

Les Cast Codeurs Podcast
LCC 341 - Endives ou Chicorée ?

Les Cast Codeurs Podcast

Play Episode Listen Later Jun 22, 2026 67:11


JDK 26 optimise la JVM dans ses moindres recoins, le SDK Java d'Agent2Agent passe en 1.0, Micronaut 5 est là. Côté terrain, un retour d'expérience après 40 jours à coder avec 100 % d'IA : génie ou junior, Alzheimer numérique et dette technique invisible. Pendant ce temps, GitLab restructure, Microsoft suspend ses licences Claude Code, et un développeur injecte un prompt destructeur dans sa lib JUnit. La révolution IA a un coût et les boites commencent à s'en rendre compte. Enregistré le 12 juin 2026 Téléchargement de l'épisode LesCastCodeurs-Episode-341.mp3 ou en vidéo sur YouTube. News Langages Les améliorations de performance dans le JDK 26 https://inside.java/2026/06/09/jdk-26-performance-improvements/ Côté bibliothèques, l'API LazyConstant (anciennement StableValue) fait son entrée en prévisualisation pour permettre une initialisation paresseuse, sécurisée pour les threads et optimisée par le mécanisme de constant-folding de la JVM. L'extraction de chaînes de caractères via MemorySegment::getString a été revue pour réduire considérablement les allocations intermédiaires et les copies en mémoire off-heap, accélérant fortement les traitements sur les chemins critiques (hot paths). La méthode générée automatiquement hashCode() pour les classes de type record a été optimisée par la JVM pour atteindre un niveau de performance équivalent à une implémentation écrite manuellement. Le ramasse-miettes G1 bénéficie du JEP 522 qui redessine sa table de cartes (card-table) afin de réduire les coûts de synchronisation des barrières d'écriture, offrant un gain de débit de 5 % à 15 % sur les applications manipulant énormément de références d'objets. Grâce au JEP 516 (Project Leyden), le cache d'objets Ahead-of-Time (AOT) adopte un format de flux agnostique, ce qui lui permet d'être compatible avec n'importe quel Garbage Collector, y compris le ramasse-miettes à très faible latence ZGC. Le démarrage de la JVM s'accélère par défaut lorsqu'aucune taille de tas n'est configurée, car HotSpot n'applique plus de pourcentage initial (InitialRAMPercentage) mais démarre directement avec la taille minimale (MinHeapSize) pour éviter d'allouer des métadonnées inutiles. Les threads virtuels gagnent en robustesse en étant désormais capables de céder la main (yield) pendant les phases d'initialisation des classes, éliminant ainsi le risque de famine des threads porteurs (carrier threads). Le compilateur C2 JIT améliore son modèle de coût pour la vectorisation des boucles (SIMD) et se montre maintenant capable de compiler et d'optimiser des méthodes dotées de listes de paramètres extrêmement longues. Librairies Release candidate du A2A Java SDK supportant versions 0.3 et 1.0 en même temps https://medium.com/google-cloud/a2a-java-sdk-1-0-0-cr1-released-f0c651ec9139 Dernière étape avant la GA : Toutes les fonctionnalités prévues pour la version 1.0 sont finalisées. Migration simplifiée depuis la Beta1. Compatibilité v0.3 : Ajout d'une couche de compatibilité permettant aux agents v1.0 de communiquer avec les systèmes v0.3 (via JSON-RPC, gRPC ou REST). Support natif pour Android (nouvel AndroidHttpClient). Uniformisation des clients HTTP pour garantir une cohérence entre les versions. Nouveau parseur SSE (Server-Sent Events) conforme aux spécifications. Ça y est, le SDK Java de l'Agent 2 Agent Protocol est sorti en version 1.0 finale ! (avec compatibilité v0.3 et v1.0) https://medium.com/google-cloud/a2a-java-sdk-1-0-0-final-released-10c05b6aee34 Lancement officiel : Sortie de A2A Java SDK 1.0.0.Final, la première version stable (GA) du protocole Agent2Agent. Objectif du protocole : Standard ouvert (Linux Foundation) permettant aux agents IA de communiquer, déléguer des tâches et collaborer, indépendamment du langage ou du framework. Interopérabilité : Introduction de l'Integration Test Kit (ITK) pour valider la compatibilité entre les SDK (Java, Python, TypeScript, etc.). Transports supportés : Support complet et équivalent pour JSON-RPC, gRPC et HTTP+JSON/REST. Alignement total avec la spécification A2A 1.0.0. Passage aux Java records pour l'immutabilité et moins de code répétitif. Architecture interne basée sur un MainEventBus pour garantir la persistance et éviter les conditions de concurrence. Intégration d'OpenTelemetry pour le suivi et la surveillance. Support d'Android et compatibilité descendante avec la version 0.3. Installation : Gestion des dépendances via Maven BOM (org.a2aproject.sdk). Sortie de Micronaut 5.0 https://micronaut.io/2026/05/20/micronaut-framework-5-0-0-released/ Lancement majeur : Disponibilité générale de Micronaut 5, incluant une refonte de plus de 70 modules et la plateforme BOM. Baselines techniques : Support de Java 25, Groovy 5, Kotlin 2.3 et GraalVM 25.0.3. Optimisations internes : Amélioration significative des performances au démarrage et réduction de la surcharge à l'exécution via une refonte du conteneur IoC et du traitement à la compilation. Architecture HTTP : Support stable de HTTP/3, nouvelle API de formulaires (multipart) et annotations de nullabilité (JSpecify) pour une meilleure interopérabilité Kotlin/IDE. Configuration : Nouveau système d'importation de configuration (remplaçant le Bootstrap Configuration) et validateur de schéma JSON intégré. Fiabilité : Nouvelles API programmatiques pour les politiques de retry et circuit breaker. Sécurité & Outils : Mise à jour majeure des dépendances (Jackson 3, Ktor 3), rafraîchissement du Panneau de contrôle et diagnostics AOT améliorés. Écosystème : Mises à jour complètes pour les bases de données (Data, SQL, R2DBC, MongoDB, Redis), le cloud (AWS, Azure, GCP, OCI) et les tests (JUnit 6, Testcontainers 2.0). Évolutions notables : Intégration HTMX dans Micronaut Views, retrait du support RxJava 2 et migration de divers processeurs d'annotations vers des modules dédiés. Comment rajouter un agent IA dans une app Android, avec le tout nouveau framework ADK pour Kotlin https://glaforge.dev/posts/2026/05/21/wiring-adk-kotlin-agents-in-an-android-application/ Guillaume a participé au développement et au lancement du nouveau runtime ADK pour Kotlin et Android https://developers.googleblog.com/adk-kotlin-android-building-ai-agents/ Tutoriel sur comment intégrer un agent ADK dans une app Dépendances : Ajout du noyau ADK (google-adk-kotlin-core) et du processeur KSP dans build.gradle.kts. Sécurité API : Utilisation de local.properties pour stocker la clé API Gemini et l'exposer via BuildConfig afin d'éviter le hardcoding. Définition de l'agent : Création d'un objet LlmAgent configuré avec le modèle Gemini, des instructions spécifiques et des outils (ex: GoogleSearchTool). Utilisation de InMemoryRunner pour gérer automatiquement le contexte et l'historique de la session. Implémentation de runAsync avec StreamingMode.SSE pour un retour en temps réel dans l'interface. Threading : Exécution des requêtes réseau sur Dispatchers.IO et mise à jour de l'état de l'interface utilisateur sur Dispatchers.Main. Comment développer et hoster des agents IA sur la plateforme d'agents managés de DeepMind https://glaforge.dev/posts/2026/05/21/managed-agents-with-the-gemini-interactions-java-sdk/ L'équipe DeepMind de Google a lancé une plateforme d'agents managés sur son API Gemini Interactions https://blog.google/innovation-and-ai/technology/developers-tools/managed-agents-gemini-api/ Guillaume a implémenté un SDK Java pour utiliser cette API Gemini Interactions, qui donne entre autre accès à tous les modèles mais aussi à cette plateforme managée d'agents IA Agents managés : Permet d'exécuter des agents autonomes qui raisonnent, planifient et exécutent du code dans des environnements isolés (sandboxes), sans gestion d'infrastructure par le développeur. Environnement distant : Utilise des espaces de travail Linux éphémères dans le cloud via le paramètre remote, permettant l'accès réseau et la persistance des fichiers sur plusieurs appels. Agents prédéfinis : Accès immédiat à des agents spécialisés comme deep-research-pro (recherche multi-étapes) ou antigravity (tâches de codage généralistes). Agents personnalisés : Possibilité de configurer ses propres agents avec des instructions système dédiées, des outils spécifiques (exécution de code, recherche Google) et des règles réseau (egress) personnalisées. Architecture basée sur les étapes (Steps) : Utilise une structure de données typée (Step, Content) pour suivre le raisonnement de l'agent, ses appels de fonctions et ses résultats en temps réel. Outils et Schémas : Inclut des utilitaires pour générer des schémas JSON complexes via une interface fluide (DSL), par réflexion Java ou par parsing JSON. Streaming réactif : Support natif des événements en temps réel (SSE) pour suivre la progression de l'agent et recevoir les deltas de contenu au fur et à mesure de la génération. Flexibilité : Fournit un gestionnaire de routage (InteractionsHandler) pour créer facilement des serveurs proxy ou des backends intermédiaires traitant les interactions Gemini. Spring Boot 4.1 https://github.com/spring-projects/spring-boot/wiki/Spring-Boot-4.1-Release-Notes Support natif pour Spring gRPC permettant de créer et tester facilement des applications clientes et serveurs basées sur Netty ou des Servlets via HTTP/2 Introduction du lazy fetching pour les connexions JDBC via la propriété spring.datasource.connection-fetch=lazy afin de ne prendre une connexion du pool que lorsqu'un Statement est réellement exécuté Amélioration de l'auto-configuration de Jackson permettant de définir globalement les contraintes de lecture/écriture pour les formats JSON, XML et CBOR via des propriétés de configuration Sécurisation des clients HTTP bloquants et réactifs face aux attaques SSRF grâce à l'introduction d'un InetAddressFilter bloquant les requêtes sortantes vers des adresses spécifiques Améliorations majeures autour d'OpenTelemetry avec le support complet des variables d'environnement OTel, la possibilité de désactiver le SDK via une propriété globale et l'ajout du support SSL sur les exporters OTLP Ajout de l'auto-configuration pour l'utilisation de Spring Batch avec MongoDB incluant un nouveau starter dédié spring-boot-batch-data-mongo Auto-configuration des endpoints @RedisListener sans nécessiter la déclaration manuelle d'un RedisMessageListenerContainer Dépréciation du support de Apache Derby (projet arrêté), suppression définitive du mode layertools du JAR et réintroduction du support de Spock 2.4 (avec Groovy 5) Upgrade des dépendances majeures de l'écosystème avec notamment Spring Framework 7.0.8, Spring Security 7.1.0 et Micrometer 1.17.0 Outillage Vous êtes plutôt endive ou chicorée ? La librairie Chicory qui permet d'exécuter du code WASM à partir de son application Java est forkée et rejointe la Bytecode Alliance pour continuer son développement https://bytecodealliance.org/articles/endive-and-the-next-chapter-of-webassembly-on-the-jvm Annonce d'Endive : Nouveau projet hébergé par la Bytecode Alliance ; fork de Chicory (moteur WebAssembly pur Java, sans dépendance native). ​Objectif principal : Permettre aux développeurs Java d'intégrer, charger et déployer des modules Wasm nativement via les workflows Java habituels. ​Compilateur "Redline" : Intégration à venir de Redline (basé sur Cranelift) pour compiler le Wasm en code machine natif ; performances comparables à Rust/Wasmtime. ​Zéro dépendance (Java 25+) : Grâce à l'API standard Foreign Function & Memory (Project Panama), l'exécution à vitesse native se fait sans composants externes. ​Modèle de Composants (Component Model) : Support futur prévu pour consommer des composants (Rust, Go, JS, etc.) via des interfaces typées et sécurisées directement dans la JVM. ​Prochaines étapes : Fusion de Redline, conformité stricte aux specs Wasm (dont WasmGC) et amélioration du support WASI. Un visualisateur de sessions de travail avec Antigravity https://glaforge.dev/posts/2026/06/11/antigravity-brain-visualizer/ Un projet open source construit avec Micronaut, LangChain4j et GraalVM pour analyser les sessions de travail avec l'outil de développement agentique Antigravity (de Google) Analyse toutes les étapes, les requêtes utilisateur, les outils utilisés, les erreurs rencontrées, les réponses du modèle Gemini fait une analyse pour comprendre les moments clés de cette session de travail Outil buildé avec l'aide d'Antigravity lui-même SBX-Kits : des environnements de développement simplifiés pour les débutants (et les autres) https://k33g.org/20260501-sbx-kits.html Philippe Charrière (:whale: ) présente SBX-Kits (Sandbox Kits), une initiative personnelle visant à simplifier radicalement la mise en place d'environnements de développement pour les débutants, en éliminant la complexité d'installation des outils traditionnels. Chaque "kit" est une archive prête à l'emploi contenant un outil de développement spécifique (comme un langage, un framework ou une base de données) configuré pour s'exécuter de manière isolée et portable. La philosophie du projet repose sur le principe de "zéro configuration" et "zéro dépendance globale", permettant de tester une technologie ou de commencer à coder immédiatement sans polluer son système d'exploitation. L'approche technique s'appuie sur des scripts légers et des binaires portables pré-packagés, offrant une alternative plus simple et moins gourmande en ressources que les conteneurs Docker ou les configurations d'IDE complexes pour l'apprentissage. L'objectif à terme est de proposer un catalogue de kits couvrant les technologies courantes (JavaScript, Python, petites bases de données) pour faciliter les ateliers de programmation et le prototypage rapide. De nombreux kits sont disponibles sur https://github.com/docker/sbx-kits-contrib ghui: une interface utilisateur en ligne de commande (TUI) interactive pour GitHub https://github.com/kitlangton/ghui ghui est un outil en ligne de commande (TUI) écrit en Rust qui fournit une interface visuelle, interactive et rapide directement dans le terminal pour interagir avec GitHub. Il permet de gérer ses pull requests, ses issues et ses notifications sans avoir à ouvrir son navigateur web ou à taper de longues commandes avec la CLI officielle de GitHub. L'outil propose une navigation fluide au clavier, des raccourcis efficaces, et permet de réaliser des actions courantes comme valider une PR, ajouter des commentaires, attribuer des reviewers ou inspecter les logs des GitHub Actions. Conçu pour être extrêmement réactif, ghui s'intègre naturellement dans le flux de travail des développeurs adeptes du terminal et du mode "sans souris". Sortie de Homebrew 6.0.0 https://brew.sh/2026/06/11/homebrew-6.0.0/ Introduction du mécanisme de sécurité Tap Trust : comme les dépôts tiers (taps) peuvent exécuter du code Ruby arbitraire non sandboxé sur la machine, Homebrew demande désormais une confiance explicite de l'utilisateur avant d'évaluer ou d'exécuter leur code. L'API JSON interne devient le choix par défaut, offrant un système plus léger et beaucoup plus rapide pour les développeurs. Sécurisation renforcée de l'environnement avec l'implémentation du sandboxing sur Linux. Évolution des comportements par défaut basés sur un sondage utilisateur : le mode "ask" est activé par défaut pour les développeurs, affichant un résumé des dépendances et une demande de confirmation avant toute action de brew install ou brew upgrade. Améliorations notables des performances globales, notamment un boost de ~30 % sur la vitesse de la commande brew leaves et la parallélisation de la récupération des bottles (binaires) lors des mises à jour. Ajout du support initial pour la prochaine version d'Apple, macOS 27 (Golden Gate). Multiples optimisations pour brew bundle, incluant une gestion plus sécurisée des installations de paquets npm. Méthodologies Retour d'expérience très détaillé et 100% humain sur 40 jours avec une équipe 100% AI hormis le superviseur https://www.linkedin.com/pulse/jai-vir%C3%A9-mon-%C3%A9quipe-de-dev-pour-une-100-ia-pendant-40-luc-bonnin-jlgjf/ Voici le résumé en bullet points : Expérimentation de 40 jours : remplacer une équipe de dev par 100% IA agentique (Cursor) sur un vrai projet en production (playthatsheet.com, 200k lignes de code legacy) Chiffres bruts : 2,3 milliards de tokens consommés, 1 477 prompts, 260 564 lignes ajoutées (+145%), 59% du code final produit par l'IA ROI vertigineux à court terme : 9 mois de travail humain livrés en 40 jours, coût total 260$ d'abonnement + 15 jours de supervision, ROI x18 Profil psy de l'IA : Alzheimer (oublis de contexte), schizophrène (change de méthodo), ado de 12 ans (refait les mêmes erreurs), oscille entre génie et junior sans prévenir Effet iceberg : la dette technique ne disparaît pas, elle se camoufle et s'accélère ; hallucinations = bombes à retardement détectables uniquement par relecture humaine ligne par ligne Paradoxe du bateau de Thésée : perte de paternité et de maîtrise fine du code, baisse de l'autonomie du dev humain qui valide sans avoir construit Arnaque du "monkey money" : consommation de tokens opaque, non corrélée à la complexité (écart de 350% sur des prompts identiques), facturation imprévisible donc impossible à budgéter Syndrome du bazooka : les devs utilisent l'IA même pour changer une couleur CSS, atrophie progressive des compétences et coût écologique délirant Risque stratégique : dépendance irréversible aux vendeurs de tokens (Nvidia, Anthropic, OpenAI), business non rentable qui devra augmenter ses prix Conseil final : approche Pareto, garder 20% du temps en code "fait main", nommer un responsable stratégie IA, l'humain senior reste irremplaçable pour superviser Une libraries de test JUnit cache un prompt qui demande aux coding agents d'effacer les tests https://arstechnica.com/security/2026/05/fed-up-with-vibe-coders-dev-sneaks-data-nuking-prompt-injection-into-their-code/ Agacé par les « vibe coders », un développeur introduit une injection de prompt destructrice dans son code Le développeur de jqwik (un moteur de tests pour JUnit 5) a volontairement inséré une injection de prompt dans la version 1.10.0 de sa bibliothèque Java pour saboter le travail des agents d'IA. L'instruction injectée via la sortie standard (stdout) ordonne textuellement aux LLM d'ignorer les consignes précédentes et de supprimer l'intégralité du code et des tests jqwik du projet. Pour dissimuler cette action aux yeux des développeurs humains, le mainteneur a utilisé des séquences d'échappement ANSI qui effacent la ligne d'injection dans les émulateurs de terminaux interactifs. La modification a été découverte par un utilisateur qui a pointé du doigt les risques majeurs et disproportionnés pour les machines des utilisateurs, bien que certains outils comme Claude d'Anthropic aient détecté et bloqué la consigne malveillante. Face aux critiques de la communauté et aux accusations de comportement infantile ou potentiellement illégal, le développeur a mis à jour ses notes de version pour documenter explicitement son opposition à l'usage de son outil par des IA, avant de refuser tout commentaire supplémentaire sur conseil de son avocat. La réalité du rôle de Principal Engineer https://leaddev.com/career-development/reality-being-principal-engineer Le passage au rôle de Principal Engineer marque une transition majeure où les compétences techniques ne suffisent plus, l'impact se mesurant désormais à travers l'influence, la stratégie et la capacité à aligner la technique avec les objectifs business. Contrairement aux attentes, le quotidien est souvent marqué par une forme d'isolement, car le poste se situe à l'intersection de la direction (qui attend des solutions) et des équipes techniques (qui attendent des directives), sans appartenance directe à un groupe précis. Le rôle exige d'accepter une grande part d'ambiguïté et l'absence de retours immédiats, les projets et les décisions stratégiques mettant parfois des mois ou des années à porter leurs fruits. La gestion du temps devient un défi critique, nécessitant de savoir naviguer entre les sollicitations constantes, la présence en réunion et le besoin de préserver des moments de réflexion approfondie pour concevoir des visions à long terme. La réussite à ce niveau repose sur le développement de compétences humaines pointues (soft skills), notamment la négociation, la communication vulgarisée auprès des profils non techniques, et la capacité à faire grandir les autres ingénieurs par le mentorat. Sécurité Une attaque de la chaîne d'approvisionnement npm utilise binding.gyp pour compromettre des dizaines de paquets https://cybersecuritynews.com/binding-gyp-supply-chain-attack-compromises-dozens-of-npm-packages/ Une nouvelle variante du ver auto-propageable "Shai-Hulud", baptisée "Miasma", cible l'écosystème npm (et PyPI sous le nom de "Hades") en dissimulant son exécution dans le fichier binding.gyp au lieu des scripts classiques preinstall ou postinstall. La technique, surnommée "Phantom Gyp", exploite le fait que npm lance automatiquement node-gyp rebuild dès qu'un fichier binding.gyp est présent à la racine d'un paquet pour compiler des modules natifs C/C++, exécutant ainsi le code malveillant dès la commande npm install. L'attaque contourne la plupart des outils de sécurité traditionnels car l'injection s'appuie sur l'évaluation récursive de commandes (via la syntaxe ) ou directement sur la fonction eval() de Python sous-jacente à GYP, cachée sous n'importe quelle clé du fichier. Le script malveillant télécharge un runtime alternatif (Bun) pour échapper aux détections comportementales de Node.js, puis moissonne les identifiants et secrets des développeurs et des environnements CI/CD (npm, GitHub, AWS, GCP, Azure, Kubernetes, HashiCorp Vault). Plus de 57 paquets npm (dont le SDK serveur de Vapi ou des outils liés à l'IA) et des dizaines de paquets PyPI ont été infectés via des comptes de mainteneurs compromis, le ver republiant automatiquement de nouvelles versions vérolées en utilisant les jetons volés. Loi, société et organisation Restructuration chez Gitlab https://about.gitlab.com/blog/gitlab-act-2/ GitLab entame une restructuration majeure pour s'adapter à l'ère de l'intelligence artificielle agentique, incluant une réduction d'effectifs planifiée de manière transparente et ouverte. L'entreprise prévoit de réduire de 30 % le nombre de pays où elle maintient de petites équipes, d'aplatir sa hiérarchie en supprimant jusqu'à trois niveaux de gestion, et de réorganiser la R&D en une soixantaine d'équipes plus petites et autonomes. Les processus internes vont être revus en intégrant des agents d'IA pour automatiser les revues, les approbations et les passages de relais afin d'accélérer le rythme de travail. La stratégie repose sur la conviction que le logiciel sera bientôt écrit par des machines et dirigé par des humains, ce qui va multiplier la demande de logiciels et transformer le rôle des ingénieurs vers la résolution de problèmes complexes. Sur le plan technique, GitLab reconstruit son infrastructure sous-jacente (notamment Git) pour supporter la charge massive générée par les agents d'IA, tout en misant sur l'orchestration du cycle de vie, la centralisation du contexte des données et une gouvernance intégrée. Le modèle économique évolue vers un système hybride combinant les abonnements classiques et une tarification à la consommation pour le travail effectué par les agents d'IA. Un LLM local sur un mac pourrait coûter plus cher en électricité qu'un modèle hébergé sur OpenRouter dans le cloud https://www.williamangel.net/blog/2026/05/17/offline-llm-energy-use.html Conclusion : L'inférence locale sur Mac M5 Max est 3x plus chère et 2x plus lente que le cloud (OpenRouter). Électricité : Négligeable (~0,02 $/heure pour 50-100W). Matériel (Le vrai coût) : Achat du Mac à 4 299 $; l'amortissement sur 3 à 5 ans plombe la rentabilité horaire. Coût au million de tokens (Gemma 4 31b) : Mac M5 Max : 0,40 à4, 79 (pour 10-40 tokens/s). OpenRouter : 0,38 à0, 50 (pour 60-70 tokens/s). Verdict pro : Le temps humain perdu à cause de la lenteur locale coûte infiniment plus cher que les tokens cloud. Privilégier les API (Anthropic, OpenRouter). Ai didn't kill your junior pipeline https://andrewmurphy.io/blog/ai-didnt-kill-your-junior-pipeline-you-did L'IA n'a pas tué le recrutement des juniors, les entreprises l'ont fait elles-mêmes, par effet de mode. Sans juniors, pas de futurs seniors : on retire l'échelle qui nous a tous fait monter. Tout le monde pêche dans le même bassin de seniors sans le réapprovisionner, pénurie garantie dans 3-5 ans. Une équipe 100% senior + IA est fragile : un départ et tout le savoir tacite s'évapore. Les juniors posent les "pourquoi ?" qui révèlent les bugs et processus absurdes ; l'IA, elle, exécute sans questionner. Les seniors s'atrophient aussi en déléguant leur réflexion à l'IA, pince à double effet sur les compétences. Dépendre des outils IA, c'est sous-traiter sa stratégie talents à des fournisseurs dont les prix vont tripler. Solution : redéfinir le rôle junior (revue de code IA + mentorat), pas le supprimer. Les rapports internes de Microsoft révèlent la crise des coûts de l'IA : les agents coûtent plus cher que les employés humains https://fortune.com/2026/05/22/microsoft-ai-cost-problem-tokens-agents/ Des données et rapports internes chez Microsoft et d'autres géants de la tech ébranlent la promesse de rentabilité de l'IA, révélant que le déploiement d'agents autonomes à l'échelle de l'entreprise revient souvent plus cher que de payer des humains pour le même travail. Le modèle de tarification à l'usage (basé sur les tokens) se heurte à la nature même des architectures agentiques : contrairement à un simple chatbot, un agent boucle, enchaîne les appels d'outils, crée des sous-agents et auto-évalue son code, ce qui multiplie la consommation de tokens par un facteur de 5 à 30, voire jusqu'à 1 000 fois pour des tâches de programmation complexes. L'impact financier sur les budgets de calcul cloud est immédiat ; par exemple, Uber a entièrement épuisé l'intégralité de son budget annuel 2026 dédié au codage par IA en l'espace de seulement quatre mois. Face à cette explosion des coûts, des retours en arrière drastiques sont observés : Microsoft a ainsi commencé à suspendre une grande partie de ses licences internes Claude Code pour rediriger d'urgence ses milliers de développeurs vers sa propre solution moins onéreuse, GitHub Copilot CLI. Les directeurs techniques (CTO) et acheteurs de solutions logicielles qui ont signé des contrats pluriannuels basés sur des projections de réduction de masse salariale se retrouvent pris au piège, les gains réels de productivité ne parvenant pas à compenser les factures d'infrastructure exorbitantes. Conférences La liste des conférences provenant de Developers Conferences Agenda/List par Aurélie Vache et contributeurs : 11-12 juin 2026 : DevQuest Niort - Niort (France) 11-12 juin 2026 : DevLille 2026 - Lille (France) 12 juin 2026 : Tech F'Est 2026 - Nancy (France) 15 juin 2026 : Jupyter Workshops: Demystifying MyST Markdown in Education - Orsay (France) 16 juin 2026 : Mobilis In Mobile 2026 - Nantes (France) 17-19 juin 2026 : Devoxx Poland - Krakow (Poland) 17-20 juin 2026 : VivaTech - Paris (France) 18 juin 2026 : Tech'Work - Lyon (France) 22-26 juin 2026 : Galaxy Community Conference - Clermont-Ferrand (France) 23-24 juin 2026 : MWCP 2026 - Paris (France) 24-25 juin 2026 : Agi'Lille 2026 - Lille (France) 24-26 juin 2026 : BreizhCamp 2026 - Rennes (France) 26-27 juin 2026 : LeHACK - Paris (France) 27 juin 2026 : Asynconf - Paris (France) 2 juillet 2026 : Azur Tech Summer 2026 - Valbonne (France) 2 juillet 2026 : MCP Connect Travel Edition - Paris (France) 2-3 juillet 2026 : Sunny Tech - Montpellier (France) 3 juillet 2026 : Agile Lyon 2026 - Lyon (France) 6-8 juillet 2026 : Riviera Dev - Sophia Antipolis (France) 28-30 août 2026 : State of the Map - Champs-sur-Marne (France) 4 septembre 2026 : JUG Summer Camp 2026 - La Rochelle (France) 10-11 septembre 2026 : Nantes Craft - Nantes (France) 17 septembre 2026 : dotAI - Paris (France) 17-18 septembre 2026 : API Platform Conference 2026 - Lille (France) 18 septembre 2026 : WordCamp Bretagne - Rennes (France) 18 septembre 2026 : dotJS - Paris (France) 18 septembre 2026 : WordCamp Bretagne - Rennes (France) 22 septembre 2026 : Salon Data 2026 - Nantes (France) 22-23 septembre 2026 : Agile en Seine & IA 2026 - Paris (France) 24 septembre 2026 : OWASP AppSec Days France 2026 - Paris (France) 24 septembre 2026 : PlatformCon Paris - Paris (France) 24 septembre 2026 : React Native Connection 2026 - Paris (France) 24-26 septembre 2026 : Paris Web 2026 - Paris (France) 25 septembre 2026 : SAP Inside Track Paris 2026 - Paris (France) 28-29 septembre 2026 : 4th Tech Summit on AI & Robotics - Paris (France) & Online 1 octobre 2026 : WAX 2026 - Marseille (France) 1-2 octobre 2026 : Volcamp - Clermont-Ferrand (France) 2 octobre 2026 : DevFest Perros-Guirec 2026 - Perros-Guirec (France) 5-9 octobre 2026 : Devoxx Belgium - Antwerp (Belgium) 8-9 octobre 2026 : Forum PHP 2026 - Marne-la-Vallée (France) 12 octobre 2026 : Dev With AI - Paris (France) 22-23 octobre 2026 : Agile Tour Bordeaux 2026 - Bordeaux (France) 26 octobre 2026 : Agile Tour Montpellier - Montpellier (France) 27-29 octobre 2026 : Directions EMEA 2026 - Paris (France) 29-30 octobre 2026 : BDX I/O 2026 - Bordeaux (France) 29-30 octobre 2026 : Agile Tour Nantais 2026 - Nantes (France) 29 octobre 2026-1 novembre 2026 : Pycon FR - Biarritz (France) 30 octobre 2026 : Cloud Nord 2026 - Lille (France) 4-5 novembre 2026 : Devoxx Morocco - Casablanca (Morocco) 14-15 novembre 2026 : Capitole du Libre - Toulouse (France) 19 novembre 2026 : DevFest Toulouse 2026 - Toulouse (France) 19 novembre 2026 : Agile Laval 2026 - Laval (France) 19 novembre 2026 : OVHcloud Summit - Paris (France) 19 novembre 2026 : Codeurs en Seine - Rouen (France) 27 novembre 2026 : DevFest Paris 2026 - Paris (France) 1-3 décembre 2026 : Apidays Paris - Paris (France) 2-3 décembre 2026 : Cloud Native AI Summit Europe - Paris (France) 4 décembre 2026 : DevFest Lyon 2026 - Lyon (France) 4 décembre 2026 : DevFest Dijon 2026 - Dijon (France) 9-10 décembre 2026 : OpenSource Expérience - Paris (France) 9-10 décembre 2026 : DevOps REX - Paris (France) 10 décembre 2026 : KCD Provence - Aix-en-Provence (France) 7-9 avril 2027 : Devoxx France 2027 - Paris (France) 3 juin 2027 : Cloud Native Days France 2027 - Paris (France) Nous contacter Pour réagir à cet épisode, venez discuter sur le groupe Google https://groups.google.com/group/lescastcodeurs Contactez-nous via X/twitter https://twitter.com/lescastcodeurs ou Bluesky https://bsky.app/profile/lescastcodeurs.com Faire un crowdcast ou une crowdquestion Soutenez Les Cast Codeurs sur Patreon https://www.patreon.com/LesCastCodeurs Tous les épisodes et toutes les infos sur https://lescastcodeurs.com/

The CyberWire
The court calls Google's bluff.

The CyberWire

Play Episode Listen Later Jun 11, 2026 31:20


Google faces liability for AI-generated claims. Washington pauses public AI model assessments. Anthropic ships a safer AI model. OpenAI disrupts influence operations. Ransomware operators get a powerful new backdoor. Urgent patches land for Ivanti and Veeam. PyPI supply chain attacks evolve. And a massive data breach triggers a record fine in South Korea. Our guest is Peter Barker, Chief Product Officer at Ping Identity, sharing how identity increasingly becomes the control plane for how work gets done. AI analyzes the FIFA World cup, one cliché at a time.  Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest On today's Industry Voices, we are joined by Peter Barker, Chief Product Officer at Ping Identity, sharing how identity increasingly becomes the control plane for how work gets done across humans, automation, and AI agents. You can read more from Ping Identity here. If you enjoyed this conversation, be sure to check out the full interview here. Selected Reading Landmark German ruling declares Google's AI Overviews are Google's own words and makes it liable for false answers (The Decoder) White House Reins In AI-Testing Unit as National-Security Concerns Grow (Wall Street Journal) Anthropic Releases ‘Safe' Version of Its Mythos A.I. Technology (The New York Times) PRC-linked influence operations are targeting AI debates in the US (OpenAI) Technical Analysis of MLTBackdoor (ThreatLabz) CVE-2026-10520, CVE-2026-10523 - Multiple critical vulnerabilities affecting Ivanti Sentry (Rapid7) Mini Shai-Hulud, Miasma, and Hades Worms Target Bioinformatics and MCP Developers via Malicious PyPI Wheels (Socket) Veeam Patches Critical RCE Vulnerability in Backup & Replication published: yesterday (Beyond Machines) ‘Amazon.com of South Korea' Is Fined a Record $409 Million (The New York Times) The 2026 big soccer tournament, in clichés. (Sinch) Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show. Want to hear your company in the show? N2K CyberWire helps you reach the industry's most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Python Bytes
#483 Thanks Brian

Python Bytes

Play Episode Listen Later Jun 9, 2026 28:40 Transcription Available


Topics covered in this episode: Vulnerability and malware checks in uv HTTP GET requests with the Python standard library Millions of AI agents imperiled by critical vulnerability in open source package alembic-git-revisions Extras Joke Watch on YouTube About the show Goodbye and Thanks Brian Thanks Calvin for being part of this and future episodes! Also new time for the live show. Thanks Brian for all the hard work over the years. Calvin #1: Vulnerability and malware checks in uv release just yesterday by Astral https://astral.sh/blog/uv-audit uv audit scans dependencies for known vulnerabilities and abandoned packages via the OSV database — runs 4–10x faster than pip-audit Malware check runs on every install/sync, catching actively malicious packages (credential stealers, etc.) before they execute — including ones PyPI quarantined but lockfiles can still reference Enable malware scanning with UV_MALWARE_CHECK=1 — it's opt-in and in preview Future roadmap includes a resolver that steers toward vulnerability-free versions and install-time warnings scoped to newly added deps only Michael #2: HTTP GET requests with the Python standard library If you're doing HTTP in Python, you're probably using one of three popular libraries: requests, httpx, or urllib3. There have been issues with httpx lately. Niquest is another option: Drop-in replacement for Requests. Automatic HTTP/1.1, HTTP/2, and HTTP/3. WebSocket, and SSE included. But maybe less is more, especially in the age of agentic AI A good candidate needs two things to be true at once, not one: the used surface is small, and the behavior behind that surface is shallow. Calvin #3: Millions of AI agents imperiled by critical vulnerability in open source package "BadHost" (CVE-2026-48710) is a critical vulnerability in Starlette — the ASGI framework underlying FastAPI — with 325 million weekly downloads; also affects vLLM, LiteLLM, and most MCP server tooling The exploit is trivial: injecting a single character into an HTTP Host header bypasses path-based authentication, and can lead to credential theft, SSRF, and in some cases remote code execution MCP servers are a prime target since they store credentials for external services (email, databases, cloud accounts) — exposed data in the wild includes biopharma clinical trial DBs, full mailboxes, HR/PII pipelines, and AWS topology Fix is available — patch to Starlette 1.0.1 immediately; use the free scanner at mcp-scan.nemesis.services to check if your servers are still running a vulnerable version Open source sustainability footnote: the maintainer triages near-daily security reports solo, in his free time — most are AI-generated noise, and real ones like this still compete for the same evenings and weekends Michael #4: alembic-git-revisions By Julien Danjou from Mergify Automatic Alembic migration chaining based on git commit history. No more Multiple head revisions are present for given argument 'head'. See the introductory article Caused by two migrations landed with the same down_revision, and Alembic doesn't know which one comes first. The fix is always the same: someone manually edits the migration file to re-chain the revisions. The insight: git already knows the order Extras Calvin: GNU make can do pattern matching in the target. Not new at all, mentioned in the 1994-era docs. just and task don't have this super power on the target name yet. train-%: uv run ./train.py $* --save-hyper-params --overwrite $(TRAIN_ARGS) Michael: Updated my HTTP client using packages from httpx to httpx2: listmonk, umami, and memberful. For motivation, see this reddit thread. Joke: Accurate

Datacenter Technical Deep Dives
Trusted Publishing

Datacenter Technical Deep Dives

Play Episode Listen Later Jun 9, 2026 59:11


Join us as Mike Fiedler (AWS Hero, PyPI Safety & Security Engineer, Python Software Foundation) makes the case for eliminating long-lived credentials from your release workflow - before an attacker does it for you. Mike walks through the real-world incidents that motivated Trusted Publishing, how OIDC-based short-lived tokens work under the hood, and the step-by-step process for setting it up in GitHub Actions. You'll learn how the 2024 Ultralytics compromise was forensically investigated thanks to Sigstore attestations, why that API token in your repo is just a password with a fancy hat, common pitfalls that will have you debugging for four hours, and why deleting your old token after setup is the step everyone forgets. PyPI went from 10% Trusted Publishing adoption in February 2024 to 36% today - this episode is how you become part of that number. Timestamps 0:00 Welcome & Introduction 4:00 Mike's PyCon US World Tour Recap 8:00 The Scale of PyPI: 13B Requests/Day & 36% Adoption 12:09 Why Long-Lived Tokens Fail: Four Attack Models 16:47 Case Study: The 2024 Ultralytics Compromise 21:44 What is Trusted Publishing? OIDC Explained 27:04 How the GitHub Actions Flow Actually Works 34:12 Other Registries: npm, RubyGems, crates.io, NuGet 36:34 Common Pitfalls & Debugging Tips 42:29 Provenance & Sigstore Attestations 44:22 The Step Everyone Forgets: Delete Your Old Token 47:06 Migration Guide & Getting Started This Week How to find Mike: https://www.linkedin.com/in/miketheman/ https://www.python.org/psf-landing/ Links from the show:

Software Engineering Radio - The Podcast for Professional Software Developers
SE Radio 722: Dwayne McDaniel on the Engineering Challenges of Secrets Management

Software Engineering Radio - The Podcast for Professional Software Developers

Play Episode Listen Later May 27, 2026 52:10


Dwayne McDaniel, developer advocate at GitGuardian.com, joins host Priyanka Raghavan to talk about the engineering challenges of secrets management. They explore what "secrets" really are in modern systems—far beyond passwords—including API keys, tokens, certificates, and machine identities, and how "secret sprawl" emerges across the SDLC. Drawing on reports from GitGuardian and Verizon, they discuss the growing scale of secret leaks and why credential abuse and phishing remain dominant attack vectors. They examine common leak points—from code repos and logs to CI/CD pipelines, containers, and SaaS integrations—and how cloud, DevOps, and AI tooling are amplifying risks. Priyanka quizzes Dwayne about recent supply chain attacks from pyPi and trivy ecosystems, highlighting recurring root causes like poor access control, long-lived credentials, and weak security hygiene. Finally, they consider detection, response, and modern solutions—short-lived credentials, secret scanning, and identity-based approaches like OWASP NHIR and SPIFFE/SPIRE—ending with practical advice for engineers to reduce blast radius and design for secure secret lifecycle management.

Cyber Morning Call
1013 - TrapDoor: novo ataque afeta npm, PyPI e crates.io

Cyber Morning Call

Play Episode Listen Later May 25, 2026 11:29


Referências do EpisódioTrapDoor Crypto Stealer Supply Chain Attack Hits 34 Packages and Hundreds of Versions Across npm, PyPI, and Crates.io2 PhaaS 2 Furious: The Evolution of Chinese-language Phishing ServicesAnalyzing Void Dokkaebi's Cython-Compiled InvisibleFerret MalwareFast and Furious – Nimbus Manticore Operations During the Iranian ConflictTracking Iranian APT Screening Serpens' 2026 Espionage CampaignsU.S. CISA adds a flaw in Drupal Core to its Known Exploited Vulnerabilities catalogRoteiro e apresentação: Carlos CabralEdição de áudio: Paulo Arruzzo Narração de encerramento: Bianca Garcia

Python Bytes
#480 Proud Parents

Python Bytes

Play Episode Listen Later May 18, 2026 33:13 Transcription Available


Topics covered in this episode: Using Django Tasks in production Co-authored with Claude? PyPI packages are increasing rapidly httpx2 Extras Joke Watch on YouTube About the show Sponsored by us! Support our work through: Our courses at Talk Python Training The Complete pytest Course Patreon Supporters Connect with the hosts Michael: @mkennedy@fosstodon.org / @mkennedy.codes (bsky) Brian: @brianokken@fosstodon.org / @brianokken.bsky.social Show: @pythonbytes@fosstodon.org / @pythonbytes.fm (bsky) Join us on YouTube at pythonbytes.fm/live to be part of the audience. Usually Monday at 11am PT. Older video versions available there too. Finally, if you want an artisanal, hand-crafted digest of every week of the show notes in email form? Add your name and email to our friends of the show list, we'll never share it. Brian #1: Using Django Tasks in production Tim Schilling shares how the Djangonaut Space website has been using Django's new tasks framework and some of the info missing from the official Django docs. Tasks require a third party package, django-tasks-db to actually run the tasks. Article walks through all changes necessary to get an email process running to notify admins of new testimonials. Cool simple example. With the db backend, you can monitor progress of tasks in the admin, to see which tasks are scheduled, completed, or have errors. Some wishes for the community to implement new tutorial in the Django docs Django Debug toolbar panel for tasks test/mock backend Great title for wish list: Thinks I'd like to see, but I'm too lazy to implement myself. Michael #2: Co-authored with Claude? Via Nik T. We don't put “executed on macOS”, “edited with PyCharm”, etc. in our commits. Why Claude? Seems like a growth hack to me, that I don't really care to participate in. Some projects that have formalized their thoughts on this: The Generative AI Policy Landscape in Open Source Adjust to turn off in ~/.claude/settings.json see the docs. { "attribution": { "commit": "", "pr": "" } } Brian #3: PyPI packages are increasing rapidly Artem Golubin There's been an increase of published packages per week on PyPI A pretty big increase in the last handful of months. 30% increase since 2025, clearly due to AI Artem is building hexora, a malicious Python code detector. Cool package too, it can: Audit project dependencies to catch potential supply-chain attacks Detect malicious scripts found on platforms like Pastebin, GitHub, or open directories Analyze IoC files from past security incidents Audit new packages uploaded to PyPi. Artem is using hexora to analyze recently published pypi packages and many are obviously vibecoded and trigger false positives for abuses of eval, exec, and subprocess Side note: I don't think that's necessarily a false positive. Not malicious, but maybe a stupid-code-detector? Lots are LLM related, Lots have bots contributing code Publishing rate is crazy, dozens to hundreds of published versions in a day is a bug, not a feature Brian's proposal, PyPI should limit releases per day for any package to something a sane human would do, even if they make a mistake on a release, to maybe like 2-3, definitely under 10, in a day. And if the repo has obvious agent contributors listed, maybe lower to the limit to 1-2 a day? Honestly, “move fast and break things” doesn't apply to breaking the commons. Michael #4: httpx2 More on the httpx, httpxyz, etc changes: Pydantic people started their own fork, httpx2. Michiel says “while we think httpxyz was definitely needed, we welcome httpx2 and think it should be the ‘blessed' fork.” Kludex, who is among other things maintainer of Starlette, was considering a fork As it stands, httpx2 is lacking the performance improvements they added to httpxyz. But it will not be long before they will add those, too. Also they already made some smart decisions: they are switching from certifi to truststore they are switching to compression.zstd on Python 3.14+, enabling zstd compression by default they merged httpcore and vendored it in their repository Discussion on Hacker News Extras Brian: The Four Horsemen of the LLM Apocalypse - Anarcat Django/JetBrains 2026 developer survey is open Pyrefly 1.0 : “meaning we are confident that Pyrefly is ready for production use.” Michael: Just about ready to release Python Web Security: OWASP Top 10 with Agentic AI course. Be sure to be on the courses newsletter to get notified. Joke: Proud Parents

SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast
SANS Stormcast Wednesday, May 13th, 2026: Microsoft Patch Tuesday; Large npm/pypi Compromise; Rubygems Attack

SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast

Play Episode Listen Later May 13, 2026 7:53


Microsoft Patch Tuesday https://isc.sans.edu/diary/32980 Tanstack npm and others compromised https://socket.dev/blog/tanstack-npm-packages-compromised-mini-shai-hulud-supply-chain-attack Ruby Gems Attack https://x.com/maciejmensfeld/status/2054164602577940619

Cyber Morning Call
1006 - Mini Shai-Hulud: Novo ataque afeta pacotes populares no npm e PyPI

Cyber Morning Call

Play Episode Listen Later May 13, 2026 12:00


Referências do EpisódioMini Shai-Hulud Strikes Again: TanStack + more npm Packages Compromised​​Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI & More Packages“Shai-Hulud, Here We Go Again”: 170+ Packages Hit Across npm & PyPiMay 2026 Security UpdatesMicrosoft Patch Tuesday for May 2026 — Snort rules and prominent vulnerabilitiesMicrosoft and Adobe Patch Tuesday, May 2026 Security Update ReviewMicrosoft's May 2026 Patch Tuesday Addresses 118 CVEs (CVE-2026-41103)Patch Tuesday - May 2026CVE-2026-44277 - Improper access control on API endpointsCVE-2026-26083 - Incorrect global authorizationOne Is a Fluke, 3 Is a Pattern: MCP Back-End VulnerabilitiesSAP Security Patch Day - May 2026Roteiro e apresentação: Carlos CabralEdição de áudio: Paulo Arruzzo Narração de encerramento: Bianca Garcia

Cyber Morning Call
1002 - TCLBANKER: Nova versão de trojan mira 59 bancos e fintechs brasileiras

Cyber Morning Call

Play Episode Listen Later May 7, 2026 7:37


Referências do EpisódioTCLBANKER: Brazilian Banking Trojan Spreading via WhatsApp and OutlookMuddying the Tracks: The State-Sponsored Shadow Behind Chaos RansomwareOceanLotus suspected of using PyPI to deliver ZiChatBot malwareClickFix campaign uses fake macOS utilities lures to deliver infostealersRoteiro e apresentação: Carlos CabralEdição de áudio: Paulo Arruzzo Narração de encerramento: Bianca Garcia

Paul's Security Weekly
Elfsmasher, PYPI, Facebook, Glassworm, Medtronic, OpenSSH, Sararimen, Aaran Leyland - SWN #576

Paul's Security Weekly

Play Episode Listen Later Apr 28, 2026 28:30


Elfsmasher, PYPI, Facebook, Glassworm, Medtronic, OpenSSH, Entrepreneurs, Sararimen, Aaran Leyland, and More on the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-576

Cyber Security Headlines
PhantomRPC flaw, Checkmarx GitHub dark web data, PyPI package infostealer

Cyber Security Headlines

Play Episode Listen Later Apr 28, 2026 7:46


PhantomRPC flaw enables privilege escalation Checkmarx confirms GitHub data hit dark web PyPI package hacked to push infostealer Get the show notes here: https://cisoseries.com/cybersecurity-news-phantomrpc-flaw-checkmarx-github-dark-web-data-pypi-package-infostealer/ Thanks to our episode sponsor, Guardsqaure Your backend is only as secure as your frontend. Research shows that client-side compromise is now a primary driver of API risk. With sixty-three percent of leaders detecting mobile app tampering or cloning last year, don't leave your mobile app security to chance. Get multilayered protection for your entire mobile app ecosystem from the outside in. Learn more at Guardsquare.com.

Paul's Security Weekly TV
Elfsmasher, PYPI, Facebook, Glassworm, Medtronic, OpenSSH, Sararimen, Aaran Leyland - SWN #576

Paul's Security Weekly TV

Play Episode Listen Later Apr 28, 2026 28:30


Elfsmasher, PYPI, Facebook, Glassworm, Medtronic, OpenSSH, Entrepreneurs, Sararimen, Aaran Leyland, and More on the Security Weekly News. Show Notes: https://securityweekly.com/swn-576

Hack Naked News (Audio)
Elfsmasher, PYPI, Facebook, Glassworm, Medtronic, OpenSSH, Sararimen, Aaran Leyland - SWN #576

Hack Naked News (Audio)

Play Episode Listen Later Apr 28, 2026 28:30


Elfsmasher, PYPI, Facebook, Glassworm, Medtronic, OpenSSH, Entrepreneurs, Sararimen, Aaran Leyland, and More on the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-576

Hack Naked News (Video)
Elfsmasher, PYPI, Facebook, Glassworm, Medtronic, OpenSSH, Sararimen, Aaran Leyland - SWN #576

Hack Naked News (Video)

Play Episode Listen Later Apr 28, 2026 28:30


Elfsmasher, PYPI, Facebook, Glassworm, Medtronic, OpenSSH, Entrepreneurs, Sararimen, Aaran Leyland, and More on the Security Weekly News. Show Notes: https://securityweekly.com/swn-576

Patoarchitekci
Short #78: S3 Files, Trivy Pwnd, Codex Rescue, Uncensored Gemma, DHH o AI Coding

Patoarchitekci

Play Episode Listen Later Apr 24, 2026 28:14


“Senior engineers benefit from AI a lot more than juniors.” DHH zmienił front o 180 stopni, a Szymon dopowiada: “juniorzy mają obecnie przerąbane. Nie chciałbym być w tych spodniach.” Ewolucja czy rewolucja, skoro twórca Shape Up mówi, że książka jest do przepisania?

Privacy Please
S7, E270 - The 40-Minute Hack That Stole the Blueprint for AI | The Mercor Breach

Privacy Please

Play Episode Listen Later Apr 20, 2026 13:16 Transcription Available


Send us Fan MailA normal data breach steals names and passwords. This one may have stolen the recipe for building the world's most powerful AI models, and it happened through software most people will never notice until it breaks. We follow the Mercor breach from the first warning signs to the moment poisoned Python packages hit PyPI and spread in minutes across systems that were set to auto-update.  We walk through what Mercor actually does in the AI economy, especially RLHF (Reinforcement Learning from Human Feedback), and why that behind-the-scenes work shapes how tools from OpenAI, Anthropic, Meta, and Google behave. Then we unpack Lite LLM, the open source “plumbing” that connects apps to multiple AI services, and how a supply chain attack can bypass the company you're targeting by compromising the dependencies everyone trusts. From there, the focus shifts to the fallout: contractors whose Social Security numbers and identity documents may be exposed, companies scrambling to assess backdoors and credential theft, and the bigger fear that proprietary AI training data sets and labeling strategies are being auctioned on the dark web. We also dig into the compliance controversy around SOC2 and ISO 27001 style certifications and what happens when security audits become performance instead of protection. If you care about cybersecurity, data privacy, AI governance, and open source risk, listen through to the end for concrete steps you can take right now. Subscribe, share this with a friend who uses AI tools, and leave a review with your take on who should be held accountable.Support the show

The DevOps Kitchen Talks's Podcast
DKT94: Claude Code слили, Trivy взломали - новости DevOps

The DevOps Kitchen Talks's Podcast

Play Episode Listen Later Apr 14, 2026 88:35


Claude Code слили, Trivy взломали дважды, а LiteLLM воровал пароли - неделя, когда supply chain показал себя во всей красе.  О ЧЕМ ВЫПУСК Вернулись к формату новостей! Впервые собираем их через нашего Telegram-бота - присылайте свои через @dkt_news_bot. В этом выпуске: - Claude Code: утечка source map, 500K строк TypeScript, модель Капибара и тамагочи-бадди в исходниках - Anthropic DMCA: забанили 8000+ репозиториев, CloCode набрал 100K звезд за 24 часа - Ingress NGINX уходит на пенсию: разбираем Ingress2Gateway 1.0 для миграции на Gateway API - Trivy: сканер безопасности сам стал малварью через supply chain. Дважды - LiteLLM: credential stealer в PyPI пакетах v1.82.7/1.82.8 - AWS S3: региональные namespaces - предсказуемые имена бакетов - Нужна ли AI-агентам своя Jira? Практический вывод: Level 0 - никогда не ставь latest. Level 1 - пинни SHA-256 хеши и проверяй подписи контейнеров. ССЫЛКИ Поддержать наш подкаст:   - Patreon - https://www.patreon.com/c/devopskitchentalks   - Boosty - https://boosty.to/devopskitchentalks Присылайте новости через бота: @dkt_news_bot Все новости выпуска (ссылки, тезисы): https://dkt-ai.github.io/episodes-news/episodes/episode-92-ru Упомянутые ресурсы:   - Ingress2Gateway 1.0 - https://kubernetes.io/blog/2026/03/20/ingress2gateway-1-0-release/   - Trivy breach - https://www.bleepingcomputer.com/news/security/trivy-vulnerability-scanner-breach-pushed-infostealer-via-github-actions/   - LiteLLM security update - https://docs.litellm.ai/blog/security-update-march-2026   - AWS S3 Regional Namespaces - https://aws.amazon.com/blogs/aws/introducing-account-regional-namespaces-for-amazon-s3-general-purpose-buckets/ ПОДКАСТ YouTube - www.youtube.com/@DevOpsKitchenTalks Apple Podcasts - https://apple.co/41O6mqA Spotify - https://t.ly/Jg5_2 Yandex Music - https://music.yandex.ru/album/10151746 PodBean - https://devopskitchentalks.podbean.com НАВИГАЦИЯ 00:00:00 - Введение: почти сотый выпуск и новый формат 00:03:50 - DKT News Bot: присылайте новости через Telegram 00:06:41 - Claude Code слили: source map утечка и что нашли 00:14:35 - Этика AI: Claude прикидывается человеком в PR 00:17:26 - Модель Капибара и тамагочи-бадди в исходниках 00:19:20 - DMCA и CloCode: Anthropic банит 8000+ репозиториев 00:30:08 - Ingress NGINX уходит: миграция через Ingress2Gateway 1.0 00:45:24 - Trivy: сканер безопасности сам стал малварью 00:55:54 - LiteLLM: credential stealer в PyPI пакетах 01:00:10 - AWS S3: региональные namespaces для бакетов 01:04:25 - Нужна ли AI-агентам своя Jira 01:15:17 - Экономика AI: подписки vs программисты 01:25:45 - Итоги и рекомендации по безопасности ПОДПИСЫВАЙТЕСЬ Telegram - https://t.me/DevOpsKitchenTalks Instagram - https://www.instagram.com/devopskitchentalks/ #DevOps #SupplyChain #Security #Kubernetes #ClaudeCode #Trivy #DKT

Resilient Cyber
Your AI Agent Is Running As Root

Resilient Cyber

Play Episode Listen Later Apr 8, 2026 44:32


When you fire up Claude Code, Cursor, or any AI coding agent, it launches with your full system permissions, your SSH keys, cloud credentials, browser passwords, every file on your machine. Most developers never think twice about it.Luke Hinds did. And then he built something about it.Luke is the creator of Sigstore, the cryptographic signing infrastructure now used by PyPI, Homebrew, GitHub, and Google as the industry standard for software supply chain security. In this episode, he joins Chris to talk about why he's watching the industry make the exact same mistake it made a decade ago, and what he built to try to stop it.We cover the full picture: why application-layer guardrails and system prompts fundamentally fail as security boundaries for AI agents (and what kernel-level enforcement actually means), the .md file as an emerging control plane attack surface, the OpenClaw wake-up call and what the skills marketplace ecosystem gets structurally wrong about trust and provenance, the approval fatigue problem and Anthropic's 17% false negative rate on Claude Code's auto-mode classifier, extending SLSA and Sigstore attestation frameworks to AI-generated code, and why LLM-as-a-judge may not be the silver bullet many are hoping for.Luke also makes a broader argument about where this is all heading — volumes of AI-generated code growing faster than human capacity to review it, junior engineers being priced out of the industry, and an aging cohort of engineers who can actually read and reason about code at depth. It's a candid, technically grounded conversation from someone who's been in open source security for 20+ years and has seen this movie before.nono is at nono.sh, one line to install, one line to run. No excuse not to

PolySécure Podcast
Teknik - Trivy... part 2 ou comment le supply chain est LE vecteur - Parce que... c'est l'épisode 0x737!

PolySécure Podcast

Play Episode Listen Later Apr 4, 2026 42:27


Parce que… c'est l'épisode 0x737! Shameless plug 14 au 17 avril 2026 - Botconf 2026 20 au 22 avril 2026 - ITSec Code rabais de 15%: Seqcure15 28 et 29 avril 2026 - Cybereco Cyberconférence 2026 9 au 17 mai 2026 - NorthSec 2026 3 au 5 juin 2026 - SSTIC 2026 19 septembre 2026 - Bsides Montréal 1 au 3 décembre 2026 - Forum INCYBER - Canada 2026 24 et 25 février 2027 - SéQCure 2027 Description Contexte et rappel de l'épisode précédent Dans cet épisode technique, l'animateur reçoit à nouveau François Proulx pour faire le point sur une cyberattaque majeure dont les développements ont explosé depuis leur dernière conversation. L'épisode précédent portait sur une première attaque contre Trivy, un outil d'analyse de sécurité open source développé par l'entreprise israélienne Aqua Security. Trivy est massivement utilisé par de grandes entreprises pour inventorier les composants open source d'un projet (SBOM) et identifier les vulnérabilités associées (CVE). C'est précisément cette popularité qui en a fait une cible de choix. La deuxième vague : une réponse aux incidents incomplète À peine 20 jours après l'attaque initiale de fin février, Trivy a été compromis une seconde fois. La raison : Aqua Security n'avait pas révoqué la totalité des jetons d'accès (tokens) lors de sa réponse aux incidents. L'entreprise a attendu plusieurs jours avant de faire appel à une firme externe (Mend), ce qui lui a valu des critiques. Dans leur communiqué, ils ont admis avoir oublié de révoquer un token — et pas n'importe lequel : il s'agissait d'un token encore plus privilégié que celui utilisé lors de la première attaque, donnant accès à des dépôts privés internes contenant potentiellement de la propriété intellectuelle sensible. Cette deuxième attaque a été encore plus dévastatrice : non seulement Trivy a été empoisonné à nouveau, mais les GitHub Actions associées — des composants permettant d'intégrer Trivy dans des pipelines CI/CD — ont également été corrompues, y compris les versions antérieures. Ainsi, des organisations qui croyaient utiliser une version sûre et ancienne se sont retrouvées exposées sans le savoir. Une propagation en cascade Le vecteur initial était une vulnérabilité dans un workflow GitHub Actions du dépôt de Trivy, simple à exploiter mais peu connue. Les attaquants ont obtenu un token leur permettant de compiler et distribuer une version malveillante de Trivy sur les registres officiels — sans modifier le code source visible, ce qui rendait la détection plus difficile. Lorsque Trivy s'exécutait dans le pipeline CI/CD d'une entreprise victime, il agissait comme un info stealer : il exfiltrait les secrets et tokens présents dans l'environnement d'exécution. Ces tokens volés ont ensuite servi à compromettre d'autres projets, créant une chaîne de contamination à plusieurs niveaux : Premier ordre : Trivy lui-même, compromis chez Aqua Security. Deuxième ordre : les entreprises utilisant Trivy dans leurs pipelines, dont Checkmarx, un autre outil de sécurité applicative. Troisième ordre : des projets open source très populaires comme LiteLLM, une bibliothèque d'interfaçage avec des API de modèles de langage (LLM), dont le mainteneur semble avoir été compromis directement via son poste de travail. Environ 72 heures après l'attaque, des entreprises ont commencé à signaler publiquement que leurs tokens avaient été exfiltrés et réutilisés contre elles. Les attaquants se dévoilent Durant le week-end du 20 mars, le groupe responsable s'est révélé sur Twitter sous le nom Team PCP, en défaçant des dépôts GitHub pour prouver leurs accès. Ils ont ensuite établi des partenariats avec des groupes spécialisés dans les rançongiciels pour monétiser les accès obtenus — une évolution logique pour des acteurs en possession de téraoctets de secrets volés. Le FBI a officiellement nommé ce groupe et demandé à toutes les entreprises américaines victimes de déposer plainte. Selon François Proulx, le profil comportemental des attaquants — messages puérils, communication sur Telegram, manière de se vanter publiquement — laisse fortement penser qu'il s'agit d'adolescents, probablement situés hors du territoire américain, ce qui complique les poursuites. Pour entraver les équipes de réponse aux incidents, les attaquants ont utilisé des centaines de comptes GitHub légitimes achetés sur le marché noir (probablement issus de logs d'info stealers) pour inonder les fils de discussion d'incidents avec des commentaires génériques automatisés, rendant toute coordination difficile. Le problème structurel des dépendances transitives François Proulx soulève un enjeu critique lié à l'écosystème npm : la façon dont les contraintes de version sont définies dans les fichiers package.json. Lorsqu'une dépendance est déclarée de manière vague (ex. : axios: ^1.x), une mise à jour de routine peut automatiquement introduire une version compromise sans que le développeur s'en rende compte. La bibliothèque Axios, extrêmement populaire, a notamment été touchée dans cette attaque. Même avec un fichier de verrouillage (lock file), le risque n'est pas nul : une alerte de hash incohérent pourrait être ignorée ou, pire, conduire un développeur à régénérer le lock file en gelant ainsi la version malveillante. Ce que les développeurs peuvent faire François Proulx recommande deux mesures concrètes : Utiliser des outils de vérification en temps réel qui interceptent les téléchargements de composants npm ou PyPI pour les comparer à des listes de composants malveillants mises à jour plusieurs fois par heure. Adopter une période de gel (cool-off period) avant d'utiliser une nouvelle version d'une dépendance, afin de laisser à la communauté le temps de détecter d'éventuels problèmes. Il mentionne également Bagle, leur propre outil open source d'analyse locale, qui permet de détecter des secrets mal stockés sur un poste de travail (variables d'environnement, fichiers temporaires, etc.) sans rien envoyer à l'extérieur. Conclusion Au moment de l'enregistrement, le 2 avril, l'attaque était toujours en cours. Une grande partie des victimes ne sait même pas encore qu'elle a été compromise. Les semaines à venir risquent de révéler l'ampleur réelle des dégâts, notamment via les dépendances transitives. Cet épisode illustre à quel point la sécurité de la chaîne d'approvisionnement logicielle reste largement sous-estimée — et que ce réveil collectif, bien que douloureux, était peut-être nécessaire. Notes Teknik - Hackerbot-claw Collaborateurs Nicolas-Loïc Fortin François Proulx Crédits Montage par Intrasecure inc Locaux virtuels par Riverside.fm

Python Bytes
#475 Haunted warehouses

Python Bytes

Play Episode Listen Later Mar 30, 2026 40:54 Transcription Available


Topics covered in this episode: Lock the Ghost Fence for Sandboxing MALUS: Liberate Open Source Harden your GitHub Actions Workflows with zizmor, dependency pinning, and dependency cooldowns Extras Joke Watch on YouTube About the show Sponsored by us! Support our work through: Our courses at Talk Python Training The Complete pytest Course **Patreon SupportersConnect with the hosts** Michael: @mkennedy@fosstodon.org / @mkennedy.codes (bsky) Brian: @brianokken@fosstodon.org / @brianokken.bsky.social Show: @pythonbytes@fosstodon.org / @pythonbytes.fm (bsky) Join us on YouTube at pythonbytes.fm/live to be part of the audience. Usually Monday at 11am PT. Older video versions available there too. Finally, if you want an artisanal, hand-crafted digest of every week of the show notes in email form? Add your name and email to our friends of the show list, we'll never share it. Michael #1: Lock the Ghost The five core takeaways: PyPI "removal" doesn't delete distribution files. When a package is removed from PyPI, it disappears from the index and project page, but the actual distribution files remain accessible if you have a direct URL to them. uv.lock uniquely preserves access to ghost packages. Because uv.lock stores direct URLs to distribution files rather than relying on the index API at install time, uv sync can successfully install packages that have already been removed, even with cache disabled. No other Python lock file implementation tested behaved this way. This creates a supply chain attack vector. An attacker could upload a malicious package, immediately remove it to dodge automated security scanning, and still have it installable via a uv.lock file, or combine this with the xz-style strategy of hiding malicious additions in large, auto-generated lock files that nobody reviews. Removed package names can be hijacked with version collisions. When an owner removes a package, the name can be reclaimed by someone else who can upload different distribution types under the same version number, as happened with "umap." Lock files help until you regenerate them, then you're exposed. Your dependency scanning needs to cover lock files, not just manifest files. Scanning only pyproject.toml or requirements.txt misses threats embedded in lock files, which is where the actual resolved URLs and hashes live. Brian #2: Fence for Sandboxing Suggested by Martin Häcker “Some coding platforms have since integrated built-in sandboxing (e.g., Claude Code) to restrict write access to directories and/or network connectivity. However, these safeguards are typically optional and not enabled by default.” “JY Tan (on cc) has extracted the sandboxing logic from Claude Code and repackaged it into a standalone Go binary.” Source code on GitHub: https://github.com/Use-Tusk/fence Related: Simon Willison lethal trifecta for AI agents article from June 2025 Claude Code Sandboxing Michael #3: MALUS: Liberate Open Source via Paul Bauer The service will generate the specs of a library with one AI and build the newly licensed library using the specs with another AI circumventing the licensing and copyright rules. AI that has not been trained on open source reads the docs and API signature, creates a spec. Another AI processes that spec into working software. Is it a real site? Are they accepting real money, or are they just trying to cause a stir around copyright? Brian #4: Harden your GitHub Actions Workflows with zizmor, dependency pinning, and dependency cooldowns Matthias Schoettle Avoid things like this: hackerbot-claw: An AI-Powered Bot Actively Exploiting GitHub Actions - Microsoft, DataDog, and CNCF Projects Hit So Far Extras Brian: GitHub is asking to spy on us, that's nice Michael: Michael's new SaaS for podcasters: InterviewCue DigitalOcean's Spaces cold storage for infrequently accessed data Minor issue about my fire and forget post, was a latent bug? Fire and Forget at Textual follow up article Joke: Can you?

Security Conversations
Google's Cyber Disruption Unit; Coruna is Triangulation, US Bans Foreign-Made Routers

Security Conversations

Play Episode Listen Later Mar 28, 2026 152:24


(Presented by TLPBLACK: High-fidelity threat intelligence and research tools for modern security teams. From curated Passive DNS and real-time C2 monitoring to actionable IOC feeds and daily malware samples, we help defenders detect, hunt, and disrupt threats faster, with seamless integration into SIEM and SOAR workflows.) Three Buddy Problem - Episode 91: This week we dig into Google's new cyber threat disruption unit announced at RSAC, Kaspersky confirming Coruna is a direct evolution of Operation Triangulation, and a cascading supply chain compromise that chained through LiteLLM, Trivy, and Checkmarx into thousands of software pipelines. Plus, VCs and the breathless AI hype, Apple's iOS 26.4 and silent patches, the FCC's ban on foreign-made routers, and Symantec catching an APT looking for Chinese military data. Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu. 0:00 Intro & Pre-Show Banter 3:08 JAGS in San Francisco: RSAC week recap 6:05 Google Launches Cyber Disruption Unit — What's Actually New? 13:43 Why Separate Disruption Units Matter: ROI & Budget Justification 29:11 Haroon Meer's RSA Reality Check: The AI Hype Machine 32:37 The VC Ponzi Cycle & How Easy Money Hollowed Out Cybersecurity 47:32 ENT.ai & Tenex AI Hackathon at RSAC 53:08 Kaspersky Links Corona Exploit Kit to Operation Triangulation 1:08:09 Trenchant Cleanup & Lessons from Equation Group Burns 1:19:31 Apple iOS Patches, Hong Kong Device Passcode Law 1:27:53 Handala Hacks FBI Director Kash Patel's Personal Gmail 1:37:32 LeakBase Admin "Chucky" Arrested in Russia — FSB Gets the Data 1:45:38 Supply Chain Attacks: TeamPCP Hits LiteLLM & Trivy 2:04:34 FCC Bans Foreign-Made Routers — But What Do We Buy?

Padepokan Budi Rahardjo
Advis Keamanan LiteLLM

Padepokan Budi Rahardjo

Play Episode Listen Later Mar 28, 2026 7:33


Security advisory untuk LiteLLM, Trivy, PyPI, dan kawan-kawan.#security #securitybreach #ai

Backup Central's Restore it All
Emergency Episode: The PyPI Software Supply Chain Attack You Need to Know About

Backup Central's Restore it All

Play Episode Listen Later Mar 26, 2026 56:07 Transcription Available


A PyPI software supply chain attack hit LiteLLM — a library pulled into developer environments 97 million times a month — and if you use it, you may already be compromised. This wasn't a fake package or a typo-squatting trick. Attackers stole real credentials, published malicious code as the real thing, and walked out with SSH keys, cloud credentials, Kubernetes tokens, API keys, and more — all encrypted and sent home before anyone knew what happened.I'm doing something I've never done before: an emergency episode, recorded and published immediately because this is that serious. I brought in Dr. Mike Saylor, co-author of our book Learning Ransomware Response and Recovery, and my co-host Prasanna Malaiyandi to break down exactly what happened, how to find out if you were hit, and what you need to do to protect yourself going forward.We open with a story from 1982 that perfectly captures what this attack really is — getting poisoned by something you trusted completely. That framing matters. This wasn't a failure of the library. It was a failure of the supply chain. And it can happen again.Chapters:00:00:00 - Intro: Why this is an emergency episode00:01:35 - Meet the guests: Dr. Mike Saylor and Prasanna Malaiyandi00:02:31 - The Tylenol poisoning analogy and what it means for software supply chains00:05:51 - What LiteLLM is and what the malware actually did to your environment00:09:04 - Dependencies explained: why you're affected even if you didn't install LiteLLM directly00:12:24 - How to find out if you were hit: the first things to check right now00:14:23 - IOCs and TTPs: what to look for in your logs and on your systems00:19:07 - Network indicators: unusual traffic and what it tells you00:22:12 - How security teams can find out if developers installed it without telling anyone00:30:38 - Action items for the future: inventory, pinning, and hash verification00:36:55 - Sandboxing new downloads before they touch your environment00:37:59 - Immutable backups: why this attack makes the case for them00:40:33 - Modern authentication: MFA, its limits, and why passkeys matter00:46:53 - Where to get threat intel so you hear about attacks like this faster00:53:23 - Wrap-upIf you installed or upgraded LiteLLM on or after March 24, 2026 without a pinned version, stop what you're doing and listen to this episode first.The story:https://futuresearch.ai/blog/litellm-pypi-supply-chain-attack/ https://securitylabs.datadoghq.com/articles/litellm-compromised-pypi-teampcp-supply-chain-campaign/ https://snyk.io/articles/poisoned-security-scanner-backdooring-litellm/ https://www.wiz.io/blog/threes-a-crowd-teampcp-trojanizes-litellm-in-continuation-of-campaignhttps://checkmarx.com/zero-post/python-pypi-supply-chain-attack-colorama/ https://www.upwind.io/feed/litellm-pypi-supply-chain-attack-malicious-release https://docs.litellm.ai/blog/security-update-march-2026 https://www.helpnetsecurity.com/2026/03/25/teampcp-supply-chain-attacks/ https://www.darktrace.com/resources/the-cisos-guide-to-cyber-aihttps://securitylabs.datadoghq.com/articles/litellm-compromised-pypi-teampcp-supply-chain-campaign/Resources:https://www.stopransomware.comhttps://www.cisa.govhttps://www.cve.org/

I am a Mainframer
I am a Mainframer: Sarah Julia Kriesch

I am a Mainframer

Play Episode Listen Later Mar 26, 2026 15:22


In this episode of the Mainframe Connect podcast's I Am a Mainframer series, Sarah Julia Kriesch, Senior Lead Mainframe Architect (Open Source) at Kyndryl, shares her journey from Linux system administration to leading the Linux Distribution Working Group at the Open Mainframe Project. Starting with her bachelor thesis on Kubernetes on mainframe through Germany's Academic Mainframe Consortium, Sarah transitioned from IBM to Axians consulting and founded the working group that coordinates Linux distributions on s390x.Sarah discusses how the group collaborates on upstream challenges, serves as a point of contact for developers (like COBOL compiler teams), secures hardware upgrades, and leverages the LinuxONE Community Cloud for free VMs. She highlights successes with Rust, PyPI modules, and multi‑architecture testing, plus her vision for blockchain networks connecting bank mainframes with confidential computing and integrated AI.Celebrating Women's History Month – Sarah exemplifies women leading mainframe innovation through open source collaboration and community building during Women's History Month.#mainframe #opensource #IamaMainframer #podcast #openmainframeproject #LinuxFoundation #Kyndryl #StevenDickens #SarahJuliaKriesch #LinuxONE #MainframeConnect #WomenInTech #WomensHistoryMonth

Risky Business
Risky Business #830 -- LiteLLM and security scanner supply chains compromised

Risky Business

Play Episode Listen Later Mar 25, 2026 63:53


On this week's show, Patrick Gray, Adam Boileau and James WIlson discuss the week's cybersecurity news. They talk through: TeamPCP's supply chain attack on Github, and they threw in an anti-Iran wiper, because why not?! Anthropic hooks up its models to just… use your whole computer After Stryker's Very Bad Day, CISA says maybe add some more controls around your Intune? Another iOS exploit kit shows up in the cyber bargain-bin The FTC decides to ban… all new home routers?! U wot m8?! Supermicro founder was personally sanction-busting Nvidia GPUs into China?! This week's episode is sponsored by enterprise browser maker, Island. Chief Customer Officer Bradon Rogers joins Pat to explain how its customers are using Island to control the use of personal AI services in regulated industries. This episode is also available on Youtube. Show notes ‘CanisterWorm' Springs Wiper Attack Targeting Iran TeamPCP deploys CanisterWorm on NPM following Trivy compromise Andrej Karpathy on X: "Software horror: litellm PyPI supply chain" attack Checkmarx KICS GitHub Action Compromised: Malware Injected in All Git Tags Felix Rieseberg on X: "Today, we're releasing a feature that allows Claude to control your computer" A Top Google Search Result for Claude Plugins Was Planted by Hackers Lockheed Martin targeted in alleged breach by pro-Iran hacktivist CISA urges companies to secure Microsoft Intune systems after hackers mass-wipe Stryker devices FBI seems to seize website tied to Iranian cyberattack on Stryker Stryker confirms cyberattack is contained and restoration underway Hundreds of Millions of iPhones Can Be Hacked With a New Tool Found in the Wild Someone has publicly leaked an exploit kit that can hack millions of iPhones Russia-linked hackers use advanced iPhone exploit to target Ukrainians Apple rolls out first 'background security' update for iPhones, iPads, and Macs to fix Safari bug Post by @wartranslated.bsky.social — Bluesky Signal's Creator Is Helping Encrypt Meta AI Hacker says they compromised millions of confidential police tips held by US company Millions of 'anonymous' crime tips exposed in massive Crime Stoppers hack Feds Disrupt IoT Botnets Behind Huge DDoS Attacks FCC bans import of consumer-grade routers amid national security concerns White House pours cold water on cyber ‘letters of marque' speculation Google launches threat disruption unit, stops short of calling it ‘offensive' Supermicro's cofounder was just arrested for allegedly smuggling $2.5 billion in GPUs to China Cyberattack on vehicle breathalyzer company leaves drivers stranded across the US Man pleads guilty to $8 million AI-generated music scheme Two Israelis AI generated "intelligence" and sold it to Iran

Hacker News Recap
March 24th, 2026 | Microsoft's "fix" for Windows 11

Hacker News Recap

Play Episode Listen Later Mar 25, 2026 15:12


This is a recap of the top 10 posts on Hacker News on March 24, 2026. This podcast was generated by wondercraft.ai (00:30): Microsoft's "fix" for Windows 11Original post: https://news.ycombinator.com/item?id=47500335&utm_source=wondercraft_ai(01:56): Wine 11 rewrites how Linux runs Windows games at kernel with massive speed gainsOriginal post: https://news.ycombinator.com/item?id=47507150&utm_source=wondercraft_ai(03:23): Is anybody else bored of talking about AI?Original post: https://news.ycombinator.com/item?id=47508745&utm_source=wondercraft_ai(04:50): Tell HN: Litellm 1.82.7 and 1.82.8 on PyPI are compromisedOriginal post: https://news.ycombinator.com/item?id=47501426&utm_source=wondercraft_ai(06:17): Apple BusinessOriginal post: https://news.ycombinator.com/item?id=47504112&utm_source=wondercraft_ai(07:43): Goodbye to SoraOriginal post: https://news.ycombinator.com/item?id=47508246&utm_source=wondercraft_ai(09:10): Mystery jump in oil trading ahead of Trump post draws scrutinyOriginal post: https://news.ycombinator.com/item?id=47504060&utm_source=wondercraft_ai(10:37): Epoch confirms GPT5.4 Pro solved a frontier math open problemOriginal post: https://news.ycombinator.com/item?id=47497757&utm_source=wondercraft_ai(12:04): So where are all the AI apps?Original post: https://news.ycombinator.com/item?id=47503006&utm_source=wondercraft_ai(13:30): LaGuardia pilots raised safety alarms months before deadly runway crashOriginal post: https://news.ycombinator.com/item?id=47503965&utm_source=wondercraft_aiThis is a third-party project, independent from HN and YC. Text and audio generated using AI, by wondercraft.ai. Create your own studio quality podcast with text as the only input in seconds at app.wondercraft.ai. Issues or feedback? We'd love to hear from you: team@wondercraft.ai

Exploit Brokers - Hacking News
6 Zero-Days Exploited NOW, Lazarus Poisons npm, AI-Generated Malware & More | HN62

Exploit Brokers - Hacking News

Play Episode Listen Later Feb 26, 2026 24:18


Microsoft just dropped patches for SIX actively exploited zero-day vulnerabilities — and that's just the beginning. In this week's Hacking News, we break down the February 2026 Patch Tuesday emergency, North Korea's Lazarus Group poisoning npm and PyPI through fake job recruiters, nation-state hackers weaponizing Google's Gemini AI (including malware that writes its own payloads), a massive Dutch telecom breach affecting 6.2 million people, and a U.S. government contractor breach that ballooned from 4 million to potentially tens of millions affected. This is Exploit Brokers by Forgebound Research — cybersecurity news, threat intelligence, and insights. Whether you're a security analyst, developer, or just someone who wants to stay informed, this episode has something for you.

Cyber Security Today
BeyondTrust Zero-Day Exploited,

Cyber Security Today

Play Episode Listen Later Feb 16, 2026 10:33


This episode covers multiple active threats and security changes. It warns of an actively exploited critical BeyondTrust remote access vulnerability (CVE-2026-1731, CVSS 9.9) enabling pre-authentication remote code execution in Remote Support and Privileged Remote Access, noting SaaS was patched while on-prem deployments require urgent manual updates and may already be compromised. Microsoft details an evolution of the ClickFix social engineering technique where victims are tricked into running NSLookup commands that use attacker-controlled DNS responses as a malware staging channel, leading to payload delivery (including a Python-based RAT) and persistence via startup shortcuts, alongside increased Lumma Stealer activity.  Cybersecurity Today  would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack, wired, wireless and cellular in one integrated solution that's built for performance and scale.  You can find them at Meter.com/cst Researchers also report Mac-focused campaigns abusing AI-generated content and malicious search ads to push copy-paste terminal commands that install an info stealer (MaxSync) targeting Keychain, browsers, and crypto wallets. T The show describes fake recruiter campaigns targeting developers with coding tests containing malicious dependencies on repositories like NPM and PyPI, linked to the "Gala" operation and nearly 200 packages. Finally, it reviews NPM's authentication overhaul after a supply-chain worm incident—revoking classic long-lived tokens, moving to short-lived session credentials, encouraging MFA and OIDC trusted publishing—while noting remaining risks such as MFA phishing, non-mandatory MFA for unpublish, and the continued ability to create long-lived tokens. 00:00 Sponsor: Meter + Today's Cybersecurity Headlines 00:48 Urgent Patch: BeyondTrust Remote Access RCE (CVE-2026-1731) Actively Exploited 02:45 ClickFix Evolves: DNS Lookups (nslookup) Used as Malware Staging 04:34 Mac Malware via AI Search Results: Fake Terminal Commands Deliver Info-Stealer 06:08 Fake Recruiters, Real Malware: Coding Tests Poison Dev Environments 07:19 NPM Security Overhaul After Supply-Chain Worm—What's Better, What Still Risks 09:11 Wrap-Up, Thanks, and Sponsor Message

Moscow Python: подкаст о Python на русском
Новости мира Python за январь 2026

Moscow Python: подкаст о Python на русском

Play Episode Listen Later Feb 6, 2026 71:14


Чтобы научиться программировать и разбираться в тонкостях Python 3.12 записывайтесь на базовый курс Learn Python — https://clck.ru/3MuShF Новости выпуска: убивают ли Python инкрементальные улучшения релиз Pandas 3.0 недавние тренды Django Security Team в CPython и psutils избавились от busy-polling при работе с subprocess  PyPI в 2025 году PEP 822 — d-string или новый синтаксис для многострочных строковых литералов без лишних отступов Ведущие – Григорий Петров и Михаил Корнеев Ссылки выпуска: Курс Learn Python — https://learn.python.ru/advanced Канал Миши в Telegram — https://t.me/tricky_python Канал Moscow Python в Telegram — https://t.me/moscow_python Все выпуски — https://podcast.python.ru Митапы Moscow Python — https://moscowpython.ru Канал Moscow Python на Rutube — https://rutube.ru/channel/45885590/ Канал Moscow Python в VK — https://vk.com/moscowpythonconf 

Python Bytes
#466 PSF Lands $1.5 million

Python Bytes

Play Episode Listen Later Jan 19, 2026 41:19 Transcription Available


Topics covered in this episode: Better Django management commands with django-click and django-typer PSF Lands a $1.5 million sponsorship from Anthropic How uv got so fast PyView Web Framework Extras Joke Watch on YouTube About the show Sponsored by us! Support our work through: Our courses at Talk Python Training The Complete pytest Course Patreon Supporters Connect with the hosts Michael: @mkennedy@fosstodon.org / @mkennedy.codes (bsky) Brian: @brianokken@fosstodon.org / @brianokken.bsky.social Show: @pythonbytes@fosstodon.org / @pythonbytes.fm (bsky) Join us on YouTube at pythonbytes.fm/live to be part of the audience. Usually Monday at 11am PT. Older video versions available there too. Finally, if you want an artisanal, hand-crafted digest of every week of the show notes in email form? Add your name and email to our friends of the show list, we'll never share it. Brian #1: Better Django management commands with django-click and django-typer Lacy Henschel Extend Django manage.py commands for your own project, for things like data operations API integrations complex data transformations development and debugging Extending is built into Django, but it looks easier, less code, and more fun with either django-click or django-typer, two projects supported through Django Commons Michael #2: PSF Lands a $1.5 million sponsorship from Anthropic Anthropic is partnering with the Python Software Foundation in a landmark funding commitment to support both security initiatives and the PSF's core work. The funds will enable new automated tools for proactively reviewing all packages uploaded to PyPI, moving beyond the current reactive-only review process. The PSF plans to build a new dataset of known malware for capability analysis The investment will sustain programs like the Developer in Residence initiative, community grants, and infrastructure like PyPI. Brian #3: How uv got so fast Andrew Nesbitt It's not just be cause “it's written in Rust”. Recent-ish standards, PEPs 518 (2016), 517 (2017), 621 (2020), and 658 (2022) made many uv design decisions possible And uv drops many backwards compatible decisions kept by pip. Dropping functionality speeds things up. “Speed comes from elimination. Every code path you don't have is a code path you don't wait for.” Some of what uv does could be implemented in pip. Some cannot. Andrew discusses different speedups, why they could be done in Python also, or why they cannot. I read this article out of interest. But it gives me lots of ideas for tools that could be written faster just with Python by making design and support decisions that eliminate whole workflows. Michael #4: PyView Web Framework PyView brings the Phoenix LiveView paradigm to Python Recently interviewed Larry on Talk Python Build dynamic, real-time web applications using server-rendered HTML Check out the examples. See the Maps demo for some real magic How does this possibly work? See the LiveView Lifecycle. Extras Brian: Upgrade Django, has a great discussion of how to upgrade version by version and why you might want to do that instead of just jumping ahead to the latest version. And also who might want to save time by leapfrogging Also has all the versions and dates of release and end of support. The Lean TDD book 1st draft is done. Now available through both pythontest and LeanPub I set it as 80% done because of future drafts planned. I'm working through a few submitted suggestions. Not much feedback, so the 2nd pass might be fast and mostly my own modifications. It's possible. I'm re-reading it myself and already am disappointed with page 1 of the introduction. I gotta make it pop more. I'll work on that. Trying to decide how many suggestions around using AI I should include. It's not mentioned in the book yet, but I think I need to incorporate some discussion around it. Michael: Python: What's Coming in 2026 Python Bytes rewritten in Quart + async (very similar to Talk Python's journey) Added a proper MCP server at Talk Python To Me (you don't need a formal MCP framework btw) Example one: latest-episodes-mcp.png Example two: which-episodes-mcp.webp Implmented /llms.txt for Talk Python To Me (see talkpython.fm/llms.txt ) Joke: Reverse Superman

IT Privacy and Security Weekly update.
EP 274.5 Deep Dive. More Moxie in the IT Privacy and Security Weekly Update for the week ending January

IT Privacy and Security Weekly update.

Play Episode Listen Later Jan 15, 2026 17:00


Core messagePersonal AI, consumer devices, and global networks are converging into a new arena where data, infrastructure, and talent are strategic assets, not just products.Policy, open-source security, and novel computing architectures provide early but meaningful counterweights to surveillance capitalism and cyber conflict.AI: privacy vs conveniencePrivacy-first AI like Moxie Marlinspike's Confer uses open-source code, end‑to‑end encryption, on‑device keys, and secure hardware to ensure user conversations cannot be read even by the service operator.​Google's Gemini-powered Gmail adds an AI Inbox, thread summaries, and writing aids that mine inbox content to generate to‑dos and answers, while promising not to use email data to train foundation models and allowing opt‑outs.​Corporate missteps and surveillance“Worst in Show” critics highlight products like over‑engineered smart fridges, Ring facial recognition, and disposable gadgets as emblematic of poor repairability, expanded surveillance, and e‑waste.Wegmans' biometric collection and Google's outreach encouraging teens to remove parental supervision show how corporate policies can quietly shift control and weaken privacy and safety norms.Tech as geopolitical battlefieldCampaigns such as China-linked “Salt Typhoon” exploit weaknesses in legacy telecom protocols like SS7, enabling interception of calls and texts from U.S. officials and potentially users worldwide.Taiwan's arrest warrant for OnePlus's CEO over alleged illegal recruitment reflects broader state-backed efforts by China to secure foreign tech talent and IP through front companies and incentive programs.Emerging safeguards and breakthroughsCalifornia's DROP platform operationalizes its Delete Act, letting residents issue one verified request that compels all registered data brokers to delete personal data and comply on a recurring schedule under penalty of fines.​Anthropic's $1.5M partnership with the Python Software Foundation strengthens security for CPython and PyPI, hardening open‑source supply chains while funding community sustainability.Sandia's neuromorphic computing results show brain‑inspired hardware can efficiently solve complex partial differential equations, hinting at future high‑performance systems that are far more energy‑efficient than today's supercomputers.

IT Privacy and Security Weekly update.
More Moxie in the IT Privacy and Security Weekly Update for the week ending January 13th., 2026

IT Privacy and Security Weekly update.

Play Episode Listen Later Jan 14, 2026 19:06


EP 274.  In this week's update:Moxie Marlinspike, architect of Signal's groundbreaking privacy standards, now brings his uncompromising approach to secure, user-controlled artificial intelligence with the launch of Confer.The fifth annual Worst in Show anti-awards returned to CES 2026, shining a harsh spotlight on the year's most wasteful, invasive, and counterproductive consumer electronics.Wegmans has quietly expanded biometric surveillance in its New York City stores, collecting facial, iris, and voice data from every shopper under the stated goal of safety and security.California's new DROP law marks a major victory for consumer privacy, empowering residents to delete their personal information from hundreds of data brokers with a single request.Google faces intense backlash after directly notifying 13-year-olds that they can unilaterally remove parental supervision from their accounts, raising serious concerns about child safety and parental authority.Chinese state-sponsored hackers, operating under the long-running Salt Typhoon campaign, have compromised email accounts of staff on multiple powerful U.S. House committees.Anthropic has committed $1.5 million over two years to the Python Software Foundation, targeting major security improvements to CPython and PyPI to protect millions of developers and users.Neuromorphic computers, designed to emulate the human brain's architecture, have demonstrated remarkable efficiency and accuracy in solving complex partial differential equations, challenging conventional assumptions about their capabilities.Let's go get the moxie.Find this week's full transcript here.

Python Bytes
#462 LinkedIn Cringe

Python Bytes

Play Episode Listen Later Dec 15, 2025 35:40 Transcription Available


Topics covered in this episode: Deprecations via warnings docs PyAtlas: interactive map of the top 10,000 Python packages on PyPI. Buckaroo Extras Joke Watch on YouTube About the show Connect with the hosts Michael: @mkennedy@fosstodon.org / @mkennedy.codes (bsky) Brian: @brianokken@fosstodon.org / @brianokken.bsky.social Show: @pythonbytes@fosstodon.org / @pythonbytes.fm (bsky) Join us on YouTube at pythonbytes.fm/live to be part of the audience. Usually Monday at 10am PT. Older video versions available there too. Finally, if you want an artisanal, hand-crafted digest of every week of the show notes in email form? Add your name and email to our friends of the show list, we'll never share it. Brian #1: Deprecations via warnings Deprecations via warnings don't work for Python libraries Seth Larson How to encourage developers to fix Python warnings for deprecated features Ines Panker Michael #2: docs A collaborative note taking, wiki and documentation platform that scales. Built with Django and React. Made for self hosting Docs is the result of a joint effort led by the French

Python Bytes
#461 This episdoe has a typo

Python Bytes

Play Episode Listen Later Dec 9, 2025 28:50 Transcription Available


Topics covered in this episode: PEP 798: Unpacking in Comprehensions Pandas 3.0.0rc0 typos A couple testing topics Extras Joke Watch on YouTube About the show Sponsored by us! Support our work through: Our courses at Talk Python Training The Complete pytest Course Patreon Supporters Connect with the hosts Michael: @mkennedy@fosstodon.org / @mkennedy.codes (bsky) Brian: @brianokken@fosstodon.org / @brianokken.bsky.social Show: @pythonbytes@fosstodon.org / @pythonbytes.fm (bsky) Join us on YouTube at pythonbytes.fm/live to be part of the audience. Usually Monday at 10am PT. Older video versions available there too. Finally, if you want an artisanal, hand-crafted digest of every week of the show notes in email form? Add your name and email to our friends of the show list, we'll never share it. Michael #1: PEP 798: Unpacking in Comprehensions After careful deliberation, the Python Steering Council is pleased to accept PEP 798 – Unpacking in Comprehensions. Examples [*it for it in its] # list with the concatenation of iterables in 'its' {*it for it in its} # set with the union of iterables in 'its' {**d for d in dicts} # dict with the combination of dicts in 'dicts' (*it for it in its) # generator of the concatenation of iterables in 'its' Also: The Steering Council is happy to unanimously accept “PEP 810, Explicit lazy imports” Brian #2: Pandas 3.0.0rc0 Pandas 3.0.0 will be released soon, and we're on Release candidate 0 Here's What's new in Pands 3.0.0 Dedicated string data type by default Inferred by default for string data (instead of object dtype) The str dtype can only hold strings (or missing values), in contrast to object dtype. (setitem with non string fails) The missing value sentinel is always NaN (np.nan) and follows the same missing value semantics as the other default dtypes. Copy-on-Write The result of any indexing operation (subsetting a DataFrame or Series in any way, i.e. including accessing a DataFrame column as a Series) or any method returning a new DataFrame or Series, always behaves as if it were a copy in terms of user API. As a consequence, if you want to modify an object (DataFrame or Series), the only way to do this is to directly modify that object itself. pd.col syntax can now be used in DataFrame.assign() and DataFrame.loc() You can now do this: df.assign(c = pd.col('a') + pd.col('b')) New Deprecation Policy Plus more - Michael #3: typos You've heard about codespell … what about typos? VSCode extension and OpenVSX extension. From Sky Kasko: Like codespell, typos checks for known misspellings instead of only allowing words from a dictionary. But typos has some extra features I really appreciate, like finding spelling mistakes inside snake_case or camelCase words. For example, if you have the line: *connecton_string = "sqlite:///my.db"* codespell won't find the misspelling, but typos will. It gave me the output: *error: `connecton` should be `connection`, `connector` ╭▸ ./main.py:1:1 │1 │ connecton_string = "sqlite:///my.db" ╰╴━━━━━━━━━* But the main advantage for me is that typos has an LSP that supports editor integrations like a VS Code extension. As far as I can tell, codespell doesn't support editor integration. (Note that the popular Code Spell Checker VS Code extension is an unrelated project that uses a traditional dictionary approach.) For more on the differences between codespell and typos, here's a comparison table I found in the typos repo: https://github.com/crate-ci/typos/blob/master/docs/comparison.md By the way, though it's not mentioned in the installation instructions, typos is published on PyPI and can be installed with uv tool install typos, for example. That said, I don't bother installing it, I just use the VS Code extension and run it as a pre-commit hook. (By the way, I'm using prek instead of pre-commit now; thanks for the tip on episode #448!) It looks like typos also publishes a GitHub action, though I haven't used it. Brian #4: A couple testing topics slowlify suggested by Brian Skinn Simulate slow, overloaded, or resource-constrained machines to reproduce CI failures and hunt flaky tests. Requires Linux with cgroups v2 Why your mock breaks later Ned Badthelder Ned's taught us before to “Mock where the object is used, not where it's defined.” To be more explicit, but probably more confusing to mock-newbies, “don't mock things that get imported, mock the object in the file it got imported to.” See? That's probably worse. Anyway, read Ned's post. If my project myproduct has user.py that uses the system builtin open() and we want to patch it: DONT DO THIS: @patch("builtins.open") This patches open() for the whole system DO THIS: @patch("myproduct.user.open") This patches open() for just the user.py file, which is what we want Apparently this issue is common and is mucking up using coverage.py Extras Brian: The Rise and Rise of FastAPI - mini documentary “Building on Lean” chapter of LeanTDD is out The next chapter I'm working on is “Finding Waste in TDD” Notes to delete before end of show: I'm not on track for an end of year completion of the first pass, so pushing goal to 1/31/26 As requested by a reader, I'm releasing both the full-so-far versions and most-recent-chapter Michael: My Vanishing Gradient's episode is out Django 6 is out Joke: tabloid - A minimal programming language inspired by clickbait headlines

PyBites Podcast
The Power of One Clear Goal: Kishan Patel on building a Developer Mindset

PyBites Podcast

Play Episode Listen Later Nov 24, 2025 39:10


What if levelling up your Python career didn't require a multitude of courses—just one clear commitment? In this episode of the Pybites Podcast, we talk with Kishan Patel, a Dallas-based data engineer who set a single goal: become the best Python developer he could be. That focus led him to ship three real-world projects, publish his first PyPI package, and build a stronger, more decisive developer mindset.We also discuss how breaking the cycle of perfectionism, using coaching for accountability, and developing a thoughtful, balanced approach to AI can  help you build with more confidence and stay focused on the real skills that move your Python journey forward. Kishan's contacts:Personal site: https://www.kishanpatel.dev/YouTube channel: https://www.youtube.com/@KPDataDevBlog: https://kpdata.dev/blog/LinkedIn: https://www.linkedin.com/in/kishanpatel789/Circle: https://pybites.circle.so/u/4fe60026Chrome extensions mentioned in the ep:Undistracted: https://chromewebstore.google.com/detail/undistracted-hide-faceboo/pjjgklgkfeoeiebjogplpnibpfnffkng?hl=enMonochrome Mode: https://chromewebstore.google.com/detail/monochrome-mode-grayscale/fmiaojphifnoicpdhhcniiekcpfbkidj?hl=enBooks: Cosmic Python: https://www.cosmicpython.com/Dune: https://en.wikipedia.org/wiki/Dune_(novel)The One Thing: https://pybitesbooks.com/books/ov23vQEACAAJ______

Hacker Public Radio
HPR4503: One time passwords using oathtool

Hacker Public Radio

Play Episode Listen Later Nov 5, 2025


This show has been flagged as Clean by the host. Oathtool 06 OATH Options and Oathtool The OATH standard has several options. You need to know which OATH options the site you wish to log into uses in order to use OATH. 07 Options - TOTP versus HOTP There are two different types of OATH one time passwords, HOTP and TOTP. HOTP uses a counter. I won't go into more detail on HOTP as I haven't come across anyone using it. TOTP uses the current time instead of a counter. The time is fed into the OATH algorithm along with the shared secret to generate a new password on both ends of the connection. All the instances of OATH that I am familiar with use TOTP. 08 TOTP Mode Totp has different "modes". These modes are hash encoding algorithms such as SHA1, SHA256, or SHA512. The correct mode must be selected in order to log in using OATH with TOTP. 09 Encoding - Hex versus Base32 Both ends of the connection must be initialized with a shared secret or key which is required as part of the OATH algorithm. This key could be encoded in one of two forms, either hexadecimal or base32. Web sites often do not document which encoding method they are using. If you cannot determine the encoding of the key by simply looking at it you may need to use trial and error during your first OATH log in attempts to see which type of key has been used. 10 Github and Pypi Options Github and Pypi are two of the most prominent web sites using OATH. Both use the same options, TOTP with SHA1 mode, and base32 encoding. 11 Using Oathtool oathtool is a simple command line application which generates one time passwords for use with OATH. It can be run in a terminal. However, can also be turned into a simple GUI application using Zenity. Will discuss this in more detail later. By default oathtool uses hotp and hex encoding. To use totp and base32 encoding you must specify these on the command line. To specify base32 encoding for use with for example Github, pass the "-b" or "--base32" argument on the command line. To specify TOTP, pass the "--totp" argument on the command line. By default, oathtool uses SHA1 with totp, so you don't need to specify that if you require SHA1. If you need a different TOTP mode, you specify that as part of the TOTP argument separated by an "=" character. For example "--totp=SHA256". 12 Oathtool Example Here is a simple example of using oathtool to create a one time password to use with Github or Pypi. Open a terminal and type the following. oathtool -b --totp SOMEBIGBASE32SECRETCODE The one time password will be printed out in the terminal. You can try this out without using a valid key so long as it is a valid base32 string. When used with a valid key you then enter that one time password into Github, Pypi, or other web site where it asks for the one time password. Note that I have not covered in the above how to store and retrieve the key securely, as that is too big of a topic to cover here. 13 Zenity Example Oathtool is a command line application, but if you are using Linux it is simple to convert it into a GUI application by using "Zenity". Zenity is a simple to use package that creates GUI windows on the command line or in a shell script. There are two steps to the proceess. First create the OTP from the key by using oathtool and save it in a variable. Next, call a Zenity "info" window with the OTP as part of the provided text. You can now copy and paste the OTP from the window into your web browser. To close the window, click on the "OK" button. See the previous note on storing the key securely. hprcode=$(oathtool -b --totp SOMEBIGBASE32SECRETCODE) zenity --info --width=150 --title="HPR 2FA" --text="2FA code is: nn $hprcode n" If you are using Gnome you can make the script launchable from the desktop by creading a ".desktop" file in the "Desktop" directory. Provide feedback on this episode.

Python Bytes
#453 Python++

Python Bytes

Play Episode Listen Later Oct 16, 2025 36:17 Transcription Available


Topics covered in this episode: * PyPI+* * uv-ship - a CLI-tool for shipping with uv* * How fast is 3.14?* * air - a new web framework built with FastAPI, Starlette, and Pydantic.* Extras Joke Watch on YouTube About the show Sponsored by us! Support our work through: Our courses at Talk Python Training The Complete pytest Course Patreon Supporters Connect with the hosts Michael: @mkennedy@fosstodon.org / @mkennedy.codes (bsky) Brian: @brianokken@fosstodon.org / @brianokken.bsky.social Show: @pythonbytes@fosstodon.org / @pythonbytes.fm (bsky) Join us on YouTube at pythonbytes.fm/live to be part of the audience. Usually Monday at 10am PT. Older video versions available there too. Finally, if you want an artisanal, hand-crafted digest of every week of the show notes in email form? Add your name and email to our friends of the show list, we'll never share it. Michael #1: PyPI+ Very nice search and exploration tool for PyPI Minor but annoying bug: content-types ≠ content_types on PyPI+ but they are in Python itself. Minimum Python version seems to be interpreted as max Python version. See dependency graphs and more Examples content-types jinja-partials fastapi-chameleon Brian #2: uv-ship - a CLI-tool for shipping with uv “uv-ship is a lightweight companion to uv that removes the risky parts of cutting a release. It verifies the repo state, bumps your project metadata and optionally refreshes the changelog. It then commits, tags & pushes the result, while giving you the chance to review every step.” Michael #3: How fast is 3.14? by Miguel Grinberg A big focus on threaded vs. non-threaded Python Some times its faster, other times, it's slower Brian #4: air - a new web framework built with FastAPI, Starlette, and Pydantic. An very new project in Alpha stage by Daniel & Audrey Felderoy, the “Two Scoops of Django” people. Air Tags are an interesting thing. Also Why? is amazing “Don't use AIR” “Every release could break your code! If you have to ask why you should use it, it's probably not for you.” “If you want to use Air, you can. But we don't recommend it.” “It'll likely infect you, your family, and your codebase with an evil web framework mind virus, , …” Extras Brian: Python 3.15a1 is available uv python install 3.15 already works Python lazy imports you can use today - one of two blog posts I threatened to write recently Testing against Python 3.14 - the other one Free Threading has some trove classifiers Michael: Blog post about the book: Talk Python in Production book is out! In particular, the extras are interesting. AI Usage TUI Show me your ls Helium Browser is interesting. But also has Python as a big role. GitHub says Languages Python 97.4%

Talk Python To Me - Python conversations for passionate developers
#523: Pyrefly: Fast, IDE-friendly typing for Python

Talk Python To Me - Python conversations for passionate developers

Play Episode Listen Later Oct 13, 2025 67:00 Transcription Available


Python typing got fast enough to feel invisible. Pyrefly is a new, open source type checker and IDE language server from Meta, written in Rust, with a focus on instant feedback and real-world DX. Today, we will dig into what it is, why it exists, and how it plays with the rest of the typing ecosystem. We have Abby Mitchell, Danny Yang, and Kyle Into from Pyrefly here to dive into the project. Episode sponsors Sentry Error Monitoring, Code TALKPYTHON Agntcy Talk Python Courses Links from the show Abby Mitchell: linkedin.com Danny Yang: linkedin.com Kyle Into: linkedin.com Pyrefly: pyrefly.org Pyrefly Documentation: pyrefly.org Pyrefly Installation Guide: pyrefly.org Pyrefly IDE Guide: pyrefly.org Pyrefly GitHub Repository: github.com Pyrefly VS Code Extension: marketplace.visualstudio.com Introducing Pyrefly: A New Type Checker and IDE Experience for Python: engineering.fb.com Pyrefly on PyPI: pypi.org InfoQ Coverage: Meta Pyrefly Python Typechecker: infoq.com Pyrefly Discord Invite: discord.gg Python Typing Conformance (GitHub): github.com Typing Conformance Leaderboard (HTML Preview): htmlpreview.github.io Watch this episode on YouTube: youtube.com Episode #523 deep-dive: talkpython.fm/523 Episode transcripts: talkpython.fm Theme Song: Developer Rap

Python Bytes
#452 pi py-day (or is it py pi-day?)

Python Bytes

Play Episode Listen Later Oct 9, 2025 40:36 Transcription Available


Topics covered in this episode: * Python 3.14* * Free-threaded Python Library Compatibility Checker* * Claude Sonnet 4.5* * Python 3.15 will get Explicit lazy imports* Extras Joke Watch on YouTube About the show Sponsored by DigitalOcean: pythonbytes.fm/digitalocean-gen-ai Use code DO4BYTES and get $200 in free credit Connect with the hosts Michael: @mkennedy@fosstodon.org / @mkennedy.codes (bsky) Brian: @brianokken@fosstodon.org / @brianokken.bsky.social Show: @pythonbytes@fosstodon.org / @pythonbytes.fm (bsky) Join us on YouTube at pythonbytes.fm/live to be part of the audience. Usually Monday at 10am PT. Older video versions available there too. Finally, if you want an artisanal, hand-crafted digest of every week of the show notes in email form? Add your name and email to our friends of the show list, we'll never share it. Brian #1: Python 3.14 Released on Oct 7 What's new in Python 3.14 Just a few of the changes PEP 750: Template string literals PEP 758: Allow except and except* expressions without brackets Improved error messages Default interactive shell now highlights Python syntax supports auto-completion argparse better support for python -m module has a new suggest_on_error parameter for “maybe you meant …” support python -m calendar now highlights today's date Plus so much more Michael #2: Free-threaded Python Library Compatibility Checker by Donghee Na App checks compatibility of top PyPI libraries with CPython 3.13t and 3.14t, helping developers understand how the Python ecosystem adapts to upcoming Python versions. It's still pretty red, let's get in the game everyone! Michael #3: Claude Sonnet 4.5 Top programming model (even above Opus 4.1) Shows large improvements in reducing concerning behaviors like sycophancy, deception, power-seeking, and the tendency to encourage delusional thinking Anthropic is releasing the Claude Agent SDK, the same infrastructure that powers Claude Code, making it available for developers to build their own agents, along with major upgrades including checkpoints, a VS Code extension, and new context editing features And Claude Sonnet 4.5 is available in PyCharm too. Brian #4: Python 3.15 will get Explicit lazy imports Discussion on discuss.python.org This PEP introduces syntax for lazy imports as an explicit language feature: lazy import json lazy from json import dumps BTW, lazy loading in fixtures is a super easy way to speed up test startup times. Extras Brian: Music video made in Python - from Patrick of the band “Friends in Real Life” source code: https://gitlab.com/low-capacity-music/r9-legends/ Michael: New article: Thanks AI Lots of updates for content-types Dramatically improved search on Python Bytes (example: https://pythonbytes.fm/search?q=wheel use the filter toggle to see top hits) Talk Python in Production is out and for sale Joke: You do estimates?

PyBites Podcast
#203: Automating API Documentation with Zylosystems

PyBites Podcast

Play Episode Listen Later Oct 2, 2025 49:39


If you've ever stayed up late churning out API docs when you'd rather be anywhere else, you'll relate to this week's guest. Nick Park felt that same pain as a server engineer, which pushed him to build Zylo-docs, an AI tool that takes the grunt work out of documentation.Nick's journey has been anything but linear—from AWS trainer to experimenting with generative AI in the fashion world, before realising his real passion was helping developers. In this episode, we talk about following your passion, finding product-market fit, and being open to pivots along the way.Check out Zylo-docs on PyPI or their site to find out more.Website: https://zylo-docs.devLibrary: https://pypi.org/project/zylo-docs/Nick's Linkedin: https://www.linkedin.com/in/searchingstar/___If you found this podcast helpful, please consider following us!Start Here with Pybites: https://pybit.esDeveloper Mindset Newsletter: https://pybit.es/newsletter

Cyber Briefing
September 26, 2025 - Cyber Briefing

Cyber Briefing

Play Episode Listen Later Sep 26, 2025 9:29


If you like what you hear, please subscribe, leave us a review and tell a friend!A wave of cyber incidents is impacting governments, companies, and users worldwide, including fake PyPI login sites, BRICKSTORM malware targeting supply chains, WordPress backdoors creating admin accounts, and Chinese RedNovember hackers attacking global governments. Sensitive data exposures continue with thousands of Indian bank records leaked online and the Neon call-recording app shutting down after revealing users' phone numbers, recordings, and transcripts.

Talk Python To Me - Python conversations for passionate developers
#520: pyx - the other side of the uv coin (announcing pyx)

Talk Python To Me - Python conversations for passionate developers

Play Episode Listen Later Sep 23, 2025 60:11 Transcription Available


A couple years ago, Charlie Marsh lit a fire under Python tooling with Ruff and then uv. Today he's back with something on the other side of that coin: pyx. Pyx isn't a PyPI replacement. Think server, not just index. It mirrors PyPI, plays fine with pip or uv, and aims to make installs fast and predictable by letting a smart client talk to a smart server. When the client and server understand each other, you get new fast paths, fewer edge cases, and the kind of reliability teams beg for. If Python packaging has felt like friction, this conversation is traction. Let's get into it. Episode sponsors Six Feet Up Talk Python Courses Links from the show Charlie Marsh on Twitter: @charliermarsh Charlie Marsh on Mastodon: @charliermarsh Astral Homepage: astral.sh Pyx Project: astral.sh Introducing Pyx Blog Post: astral.sh uv Package on GitHub: github.com UV Star History Chart: star-history.com Watch this episode on YouTube: youtube.com Episode #520 deep-dive: talkpython.fm/520 Episode transcripts: talkpython.fm Developer Rap Theme Song: Served in a Flask: talkpython.fm/flasksong --- Stay in touch with us --- Subscribe to Talk Python on YouTube: youtube.com Talk Python on Bluesky: @talkpython.fm at bsky.app Talk Python on Mastodon: talkpython Michael on Bluesky: @mkennedy.codes at bsky.app Michael on Mastodon: mkennedy

Python Bytes
#449 Suggestive Trove Classifiers

Python Bytes

Play Episode Listen Later Sep 15, 2025 31:29 Transcription Available


Topics covered in this episode: * Mozilla's Lifeline is Safe After Judge's Google Antitrust Ruling* * troml - suggests or fills in trove classifiers for your projects* * pqrs: Command line tool for inspecting Parquet files* * Testing for Python 3.14* Extras Joke Watch on YouTube About the show Sponsored by us! Support our work through: Our courses at Talk Python Training The Complete pytest Course Patreon Supporters Connect with the hosts Michael: @mkennedy@fosstodon.org / @mkennedy.codes (bsky) Brian: @brianokken@fosstodon.org / @brianokken.bsky.social Show: @pythonbytes@fosstodon.org / @pythonbytes.fm (bsky) Join us on YouTube at pythonbytes.fm/live to be part of the audience. Usually Monday at 10am PT. Older video versions available there too. Finally, if you want an artisanal, hand-crafted digest of every week of the show notes in email form? Add your name and email to our friends of the show list, we'll never share it. Michael #1: Mozilla's Lifeline is Safe After Judge's Google Antitrust Ruling A judge lets Google keep paying Mozilla to make Google the default search engine but only if those deals aren't exclusive. More than 85% of Mozilla's revenue comes from Google search payments. The ruling forbids Google from making exclusive contracts for Search, Chrome, Google Assistant, or Gemini, and forces data sharing and search syndication so rivals get a fighting chance. Brian #2: troml - suggests or fills in trove classifiers for your projects Adam Hill This is super cool and so welcome. Trove Classifiers are things like Programming Language :: Python :: 3.14 that allow for some fun stuff to show up in PyPI, like the versions you support, etc. Note that just saying you require 3.9+ doesn't tell the user that you've actually tested stuff on 3.14. I like to keep Trove Classifiers around for this reason. Also, License classifier is deprecated, and if you include it, it shows up in two places, in Meta, and in the Classifiers section. Probably good to only have one place. So I'm going to be removing it from classifiers for my projects. One problem, classifier text has to be an exact match to something in the classifier list, so we usually recommend copy/pasting from that list. But no longer! Just use troml! It just fills it in for you (if you run troml suggest --fix). How totally awesome is that! I tried it on pytest-check, and it was mostly right. It suggested me adding 3.15, which I haven't tested yet, so I'm not ready to add that just yet. :) BTW, I talked with Brett Cannon about classifiers back in ‘23 if you want some more in depth info on trove classifiers. Michael #3: pqrs: Command line tool for inspecting Parquet files pqrs is a command line tool for inspecting Parquet files This is a replacement for the parquet-tools utility written in Rust Built using the Rust implementation of Parquet and Arrow pqrs roughly means "parquet-tools in rust" Why Parquet? Size A 200 MB CSV will usually shrink to somewhere between about 20-100 MB as Parquet depending on the data and compression. Loading a Parquet file is typically several times faster than parsing CSV, often 2x-10x faster for a full-file load and much faster when you only read some columns. Speed Full-file load into pandas: Parquet with pyarrow/fastparquet is usually 2x–10x faster than reading CSV with pandas because CSV parsing is CPU intensive (text tokenizing, dtype inference). Example: if read_csv is 10 seconds, read_parquet might be ~1–5 seconds depending on CPU and codec. Column subset: Parquet is much faster if you only need some columns — often 5x–50x faster because it reads only those column chunks. Predicate pushdown & row groups: When using dataset APIs (pyarrow.dataset) you can push filters to skip row groups, reducing I/O dramatically for selective queries. Memory usage: Parquet avoids temporary string buffers and repeated parsing, so peak memory and temporary allocations are often lower. Brian #4: Testing for Python 3.14 Python 3.14 is just around the corner, with a final release scheduled for October. What's new in Python 3.14 Python 3.14 release schedule Adding 3.14 to your CI tests in GitHub Actions Add “3.14” and optionally “3.14t” for freethreaded Add the line allow-prereleases: true I got stuck on this, and asked folks on Mastdon and Bluesky A couple folks suggested the allow-prereleases: true step. Thank you! Ed Rogers also suggested Hugo's article Free-threaded Python on GitHub Actions, which I had read and forgot about. Thanks Ed! And thanks Hugo! Extras Brian: dj-toml-settings : Load Django settings from a TOML file. - Another cool project from Adam Hill LidAngleSensor for Mac - from Sam Henri Gold, with examples of creaky door and theramin Listener Bryan Weber found a Python version via Changelog, pybooklid, from tcsenpai Grab PyBay Michael: Ready prek go! by Hugo van Kemenade Joke: Console Devs Can't Find a Date

Moscow Python: подкаст о Python на русском
Новости мира Python за июль 2025

Moscow Python: подкаст о Python на русском

Play Episode Listen Later Sep 10, 2025 75:54


Чтобы научиться программировать и разбираться в тонкостях Python 3.12 записывайтесь на базовый курс Learn Python — https://clck.ru/3MuShF Ведущие – Григорий Петров и Михаил Корнеев   Новости выпуска: 20 лет Django; Python 3.14 rc1; Reflections on 2 years of CPython's JIT Compiler: The good, the bad, the ugly; PEP 792 – Project status markers in the simple index; PyPi и inbox.ru.   Ссылки выпуска: Курс Learn Python — https://learn.python.ru/advanced Канал Миши в Telegram — https://t.me/tricky_python Канал Moscow Python в Telegram — https://t.me/moscow_python Все выпуски — https://podcast.python.ru Митапы Moscow Python — https://moscowpython.ru Канал Moscow Python на Rutube — https://rutube.ru/channel/45885590/ Канал Moscow Python в VK — https://vk.com/moscowpythonconf   Курс «Основы Python» от Learn Python — это отличный старт для новичков в программировании. За несколько уроков вы освоите базовый синтаксис, научитесь работать с данными и получите первый опыт для успешного старта карьеры в ИТ. Подробности: https://clck.ru/3MuShF

The Cybersecurity Defenders Podcast
#244 - Intel Chat: Trend Micro Apex One, PyPI domains, RingReaper & Openbaar Ministrie attack

The Cybersecurity Defenders Podcast

Play Episode Listen Later Sep 1, 2025 29:53


In this episode of The Cybersecurity Defenders Podcast, we discuss some intel being shared in the LimaCharlie community.CISA has added CVE-2025-54948, a critical vulnerability in Trend Micro Apex One, to its Known Exploited Vulnerabilities (KEV) catalog, signaling that the flaw has been actively exploited in the wild.PyPI has introduced new security measures to detect and respond to expired domains tied to user accounts, aiming to shut down a known supply chain attack vector: domain resurrection.A recently discovered post-exploitation tool named RingReaper is gaining attention for its sophisticated evasion strategy: abusing the Linux kernel's io_uring interface to operate undetected by standard endpoint detection and response (EDR) systems.A cyberattack on the Netherlands' Openbaar Ministerie (OM), the Public Prosecution Service, has unexpectedly disrupted speed enforcement across the country.Support our show by sharing your favorite episodes with a friend, subscribe, give us a rating or leave a comment on your podcast platform.This podcast is brought to you by LimaCharlie, maker of the SecOps Cloud Platform, infrastructure for SecOps where everything is built API first. Scale with confidence as your business grows. Start today for free at limacharlie.io.

Python Bytes
#445 Auto-activate Python virtual environments for any project

Python Bytes

Play Episode Listen Later Aug 18, 2025 29:46 Transcription Available


Topics covered in this episode: pyx - optimized backend for uv * Litestar is worth a look* * Django remake migrations* * django-chronos* Extras Joke Watch on YouTube About the show Python Bytes 445 Sponsored by Sentry: pythonbytes.fm/sentry - Python Error and Performance Monitoring Connect with the hosts Michael: @mkennedy@fosstodon.org / @mkennedy.codes (bsky) Brian: @brianokken@fosstodon.org / @brianokken.bsky.social Show: @pythonbytes@fosstodon.org / @pythonbytes.fm (bsky) Join us on YouTube at pythonbytes.fm/live to be part of the audience. Usually Monday at 10am PT. Older video versions available there too. Finally, if you want an artisanal, hand-crafted digest of every week of the show notes in email form? Add your name and email to our friends of the show list, we'll never share it. Michael #1: pyx - optimized backend for uv via John Hagen (thanks again) I'll be interviewing Charlie in 9 days on Talk Python → Sign up (get notified) of the livestream here. Not a PyPI replacement, more of a middleware layer to make it better, faster, stronger. pyx is a paid service, with maybe a free option eventually. Brian #2: Litestar is worth a look James Bennett Michael brought up Litestar in episode 444 when talking about rewriting TalkPython in Quart James brings up scaling - Litestar is easy to split an app into multiple files Not using pydantic - You can use pydantic with Litestar, but you don't have to. Maybe attrs is right for you instead. Michael brought up Litestar seems like a “more batteries included” option. Somewhere between FastAPI and Django. Brian #3: Django remake migrations Suggested by Bruno Alla on BlueSky In response to a migrations topic last week django-remake-migrations is a tool to help you with migrations and the docs do a great job of describing the problem way better than I did last week “The built-in squashmigrations command is great, but it only work on a single app at a time, which means that you need to run it for each app in your project. On a project with enough cross-apps dependencies, it can be tricky to run.” “This command aims at solving this problem, by recreating all the migration files in the whole project, from scratch, and mark them as applied by using the replaces attribute.” Also of note The package was created with Copier Michael brought up Copier in 2021 in episode 219 It has a nice comparison table with CookieCutter and Yoeman One difference from CookieCutter is yml vs json. I'm actually not a huge fan of handwriting either. But I guess I'd rather hand write yml. So I'm thinking of trying Copier with my future project template needs. Michael #4: django-chronos Django middleware that shows you how fast your pages load, right in your browser. Displays request timing and query counts for your views and middleware. Times middleware, view, and total per request (CPU and DB). Extras Brian: Test & Code 238: So Long, and Thanks for All the Fish after 10 years, this is the goodbye episode Michael: Auto-activate Python virtual environment for any project with a venv directory in your shell (macOS/Linux): See gist. Python 3.13.6 is out. Open weight OpenAI models Just Enough Python for Data Scientists Course The State of Python 2025 article by Michael Joke: python is better than java

Python Bytes
#443 Patching Multiprocessing

Python Bytes

Play Episode Listen Later Aug 4, 2025 26:13 Transcription Available


Topics covered in this episode: rumdl - A Markdown Linter written in Rust * Coverage 7.10.0: patch* * aioboto3* * You might not need a Python class* Extras Joke Watch on YouTube About the show Connect with the hosts Michael: @mkennedy@fosstodon.org / @mkennedy.codes (bsky) Brian: @brianokken@fosstodon.org / @brianokken.bsky.social Show: @pythonbytes@fosstodon.org / @pythonbytes.fm (bsky) Join us on YouTube at pythonbytes.fm/live to be part of the audience. Usually Monday at 10am PT. Older video versions available there too. Finally, if you want an artisanal, hand-crafted digest of every week of the show notes in email form? Add your name and email to our friends of the show list, we'll never share it. Michael #1: rumdl - A Markdown Linter written in Rust via Owen Lamont Supports toml file config settings Install via uv tool install rumdl. ⚡️ Built for speed with Rust - significantly faster than alternatives

Talk Python To Me - Python conversations for passionate developers
#505: t-strings in Python (PEP 750)

Talk Python To Me - Python conversations for passionate developers

Play Episode Listen Later May 13, 2025 71:59 Transcription Available


Python has many string formatting styles which have been added to the language over the years. Early Python used the % operator to injected formatted values into strings. And we have string.format() which offers several powerful styles. Both were verbose and indirect, so f-strings were added in Python 3.6. But these f-strings lacked security features (think little bobby tables) and they manifested as fully-formed strings to runtime code. Today we talk about the next evolution of Python string formatting for advanced use-cases (SQL, HTML, DSLs, etc): t-strings. We have Paul Everitt, David Peck, and Jim Baker on the show to introduce this upcoming new language feature. Episode sponsors Posit Auth0 Talk Python Courses Links from the show Guests: Paul on X: @paulweveritt Paul on Mastodon: @pauleveritt@fosstodon.org Dave Peck on Github: github.com Jim Baker: github.com PEP 750 – Template Strings: peps.python.org tdom - Placeholder for future library on PyPI using PEP 750 t-strings: github.com PEP 750: Tag Strings For Writing Domain-Specific Languages: discuss.python.org How To Teach This: peps.python.org PEP 501 – General purpose template literal strings: peps.python.org Python's new t-strings: davepeck.org PyFormat: Using % and .format() for great good!: pyformat.info flynt: A tool to automatically convert old string literal formatting to f-strings: github.com Examples of using t-strings as defined in PEP 750: github.com htm.py issue: github.com Exploits of a Mom: xkcd.com pyparsing: github.com Watch this episode on YouTube: youtube.com Episode transcripts: talkpython.fm --- Stay in touch with us --- Subscribe to Talk Python on YouTube: youtube.com Talk Python on Bluesky: @talkpython.fm at bsky.app Talk Python on Mastodon: talkpython Michael on Bluesky: @mkennedy.codes at bsky.app Michael on Mastodon: mkennedy