Python Bytes

#464 Malicious Package? No Build For You!



Topics covered in this episode:
  • ty: An extremely fast Python type checker and LSP
  • Python Supply Chain Security Made Easy
  • typing_extensions
  • MI6 chief: We'll be as fluent in Python as we are in Russian
  • Extras
  • Joke
  • Watch on YouTube

About the show

Connect with the hosts

• Michael: @[email protected] / @mkennedy.codes (bsky)
• Brian: @[email protected] / @brianokken.bsky.social
• Show: @[email protected] / @pythonbytes.fm (bsky)
• Join us on YouTube at pythonbytes.fm/live to be part of the audience. Usually Monday at 10am PT. Older video versions available there too.

Finally, if you want an artisanal, hand-crafted digest of every week of the show notes in email form, add your name and email to our friends of the show list. We'll never share it.

Brian #1: ty: An extremely fast Python type checker and LSP

• Charlie Marsh announced the Beta release of ty on Dec 16
• “designed as an alternative to tools like mypy, Pyright, and Pylance.”
• Extremely fast, even on the first run
• Successive runs are incremental, rerunning only the necessary computations as a user edits a file or function. This allows live updates.
• Includes nice visual diagnostics, much like color-enhanced tracebacks
• Extensive configuration control
  • Nice if you want to gradually fix warnings from ty across a project
• Also released a nice VS Code (or Cursor) extension
  • Check the docs. There are lots of features.
  • Also a note about disabling the default language server (or disabling ty’s language server) so you don’t have 2 running
Michael #2: Python Supply Chain Security Made Easy

• We know about supply chain security issues, but what can you do?
  • Typosquatting (not great)
  • GitHub/PyPI account take-overs (very bad)
• Enter pip-audit.
• Run it in two ways:
  1. Against your installed dependencies in the current venv
  2. As a proper unit test (so it runs under pytest and in CI/CD)
• Let others find out first: wait a week on all dependency updates: uv pip compile requirements.piptools --upgrade --output-file requirements.txt --exclude-newer "1 week"
• Follow-up article: DevOps Python Supply Chain Security
  • Create a dedicated Docker image for testing dependencies with pip-audit in isolation before installing them into your venv.
    1. Run pip-compile / uv lock --upgrade to generate the new lock file
    2. Test in an ephemeral, pip-audit-optimized Docker container
    3. Only if that passes, uv pip install / uv sync
  • Add a dedicated Docker image build step that fails the docker build if a vulnerable package is found.
Brian #3: typing_extensions

• Kind of a follow-up on the deprecation warning topic we were talking about in December.
• prioinv on Mastodon notified us that the typing-extensions project includes warnings.deprecated as part of its backport set.
• The warnings.deprecated decorator is new in Python 3.13, but with typing-extensions you can use it on previous versions.
• But typing_extensions is way cooler than just that.
• The module serves 2 purposes:
  • Enable use of new type system features on older Python versions.
  • Enable experimentation with type system features proposed in new PEPs before they are accepted and added to the typing module.
• So cool.
• There’s a lot of features here. I’m hoping it allows someone to use the latest typing syntax across multiple Python versions.
• I’m “tentatively” excited. But I’m bracing for someone to tell me why it’s not a silver bullet.
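The deprecated backport in practice, as an added example (not code from the episode or from typing_extensions): import warnings.deprecated on 3.13+ and fall back to typing_extensions.deprecated on older interpreters, mark a helper as deprecated, and check both that callers get a DeprecationWarning and that escalating the warning to an error (what `pytest -W error::DeprecationWarning` does in CI) makes the call fail. legacy_token() is a hypothetical helper invented for the example; it draws from the non-cryptographic random module, which is a realistic reason to steer callers to secrets.token_hex(). On Python before 3.13 the block needs typing_extensions installed. One limit of the backport to keep in mind against the "silver bullet" question: it supplies objects you import (deprecated, Self, TypedDict extras and so on), not grammar, so syntax such as PEP 695 `class C[T]:` or `type Alias = ...` still will not parse on an older interpreter.

```python
"""warnings.deprecated on Python 3.13+, typing_extensions.deprecated before.

Added example for these show notes; not code from the episode or from
typing_extensions. legacy_token() is a hypothetical helper invented to
have something worth deprecating. On Python < 3.13 this needs
typing_extensions installed.
"""
import random
import secrets
import warnings

try:
    from warnings import deprecated  # stdlib from Python 3.13
except ImportError:
    from typing_extensions import deprecated  # PEP 702 backport on older versions

LEGACY_TOKEN_MSG = "legacy_token() uses random; use secrets.token_hex() instead"


@deprecated(LEGACY_TOKEN_MSG)  # category defaults to DeprecationWarning
def legacy_token(n_bytes: int = 16) -> str:
    """Hypothetical pre-existing helper: predictable output, kept only for compatibility."""
    return "".join(random.choice("0123456789abcdef") for _ in range(2 * n_bytes))


def token(n_bytes: int = 16) -> str:
    """Replacement backed by the OS CSPRNG."""
    return secrets.token_hex(n_bytes)


def call_and_collect(func, *args, **kwargs):
    """Call func and return (result, deprecation messages it emitted)."""
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always", DeprecationWarning)  # default filters would drop it
        result = func(*args, **kwargs)
    return result, [str(w.message) for w in caught if issubclass(w.category, DeprecationWarning)]


def raises_under_strict_filters(func, *args, **kwargs) -> bool:
    """True if the call fails once DeprecationWarning is escalated to an error,
    which is the effect of running `pytest -W error::DeprecationWarning` in CI."""
    with warnings.catch_warnings():
        warnings.simplefilter("error", DeprecationWarning)
        try:
            func(*args, **kwargs)
        except DeprecationWarning:
            return True
    return False


if __name__ == "__main__":
    value, messages = call_and_collect(legacy_token, 4)
    print(value, messages)
    # The decorator also records the message on the object for tooling to read.
    print(legacy_token.__deprecated__)
```

Type checkers that implement PEP 702 (Pyright among them) report call sites of a `@deprecated` symbol statically, so the same decorator flags the legacy helper at review time as well as at runtime.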
Michael #4: MI6 chief: We'll be as fluent in Python as we are in Russian

• “Advances in artificial intelligence, biotechnology and quantum computing are not only revolutionizing economies but rewriting the reality of conflict, as they ‘converge’ to create science fiction-like tools,” said new MI6 chief Blaise Metreweli.
• She focused mainly on threats from Russia, which is “testing us in the grey zone with tactics that are just below the threshold of war.”
• This demands what she called “mastery of technology” across the service, with officers required to become “as comfortable with lines of code as we are with human sources, as fluent in Python as we are in multiple other languages.”
• Recruitment will target linguists, data scientists, engineers, and technologists alike.
Extras

Brian:

• Next chapter of Lean TDD being released today, Finding Waste in TDD
• Still going to attempt a Jan 31 deadline for the first draft of the book.
  • That really doesn’t seem like enough time, but I’m optimistic.
• Steam Deck is not helping me find time to write
  • But I very much appreciate the gift from my fam
  • Send me game suggestions on Mastodon or Bluesky. I’d love to hear what you all are playing.

Michael:

• Astral has announced the Beta release of ty, which they say they are "ready to recommend to motivated users for production use."
  • Blog post
  • Release page
• Reuven Lerner has a video series on Pandas 3

Joke: Error Handling in the age of AI

• Play on the inversion of JavaScript the Good Parts
Python Bytes by Michael Kennedy and Brian Okken
