|
30 | 30 |
|
31 | 31 | 00:01:43 150 hours of Python courses? Yeah, that's right. Check them out at talkpython.fm/courses.
|
32 | 32 |
|
33 |
| -00:01:49 Hey, Seth. Welcome back to Talk Pythonomy. |
| 33 | +00:01:49 Hey, Seth. Welcome back to Talk Python to Me. |
34 | 34 |
|
35 | 35 | 00:01:52 >>Hey, Michael.
|
36 | 36 |
|
|
62 | 62 |
|
63 | 63 | 00:02:55 projects specifically in like the HTTP and internet space. So like requests, urllib3,
|
64 | 64 |
|
65 |
| -00:03:02 TrustStore, things like that. |
| 65 | +00:03:02 Trust Store, things like that. |
66 | 66 |
|
67 | 67 | 00:03:05 >>Oh, awesome. Yeah. Thanks for everything you're doing there. And how's the role working out? I
|
68 | 68 |
|
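Review bot: splitting "TrustStore" into "Trust Store" at line 65 turns a project name into two words; the library Seth maintains is published on PyPI as `truststore`, so the one-word form (Truststore) should be kept instead of introducing a space.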
|
286 | 286 |
|
287 | 287 | 00:11:59 >>It was such a long game deal. It was crazy. So yeah. What is, >>That's the scary part.
|
288 | 288 |
|
289 |
| -00:12:05 >>What is XZutils and then what is the XZutils security issue? |
| 289 | +00:12:05 >>What is XZ-utils and then what is the XZ-utils security issue? |
290 | 290 |
|
291 |
| -00:12:10 >>Yeah. So XZutils is a library written in C for basically processing archives of the XZ |
| 291 | +00:12:10 >>Yeah. So XZ-utils is a library written in C for basically processing archives of the XZ |
292 | 292 |
|
293 | 293 | 00:12:19 format, which is just a compression format like, like GZIP, like, you know, any other
|
294 | 294 |
|
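Review bot: the spelling introduced here ("XZ-utils" at lines 289 and 291) is not applied consistently in this commit, which writes "XZ utils" at line 369 and "XZ-Utils" at line 417; pick one form (the upstream project calls itself XZ Utils) and use it in all three hunks.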
|
302 | 302 |
|
303 | 303 | 00:12:53 very few maintainers and also through a series of reasons had a linkage to SSH. And so what
|
304 | 304 |
|
305 |
| -00:13:02 ended up happening. Yep. And so SSH was >>If you can get into SSH and SSHD, then bad things are going to happen. |
| 305 | +00:13:02 ended up happening. Yep. And so SSH was , If you can get into SSH and SSHD, then bad things are going to happen. |
306 | 306 |
|
307 | 307 | 00:13:09 >>Yeah. So the whole end goal of this entire operation was to get access to open SSH
|
308 | 308 |
|
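Review bot: at line 305 the `>>` speaker-change marker is replaced by " , ", leaving "SSH was , If you can get into SSH" with a dangling comma and doubled spacing, while the rest of the transcript keeps `>>` for speaker changes (line 287 "What is, >>That's the scary part." and line 307 ">>Yeah."). Either keep the marker, or if the intent is to drop it, also remove the stray comma and extra space so the sentence reads cleanly.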
|
366 | 366 |
|
367 | 367 | 00:16:01 on the day that this happened, report to the security response team for Python, because we,
|
368 | 368 |
|
369 |
| -00:16:06 of course, use the XC utils libraries because Python supports XC format as well. And I, |
| 369 | +00:16:06 of course, use the XZ utils libraries because Python supports XC format as well. And I, |
370 | 370 |
|
371 | 371 | 00:16:13 there was a, there was a lovely few seconds where I'm like, oh, this is either going to be
|
372 | 372 |
|
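Review bot: the fix at line 369 changes "XC utils" to "XZ utils" but leaves "XC format" later on the same line; both are the same transcription error, so correct it to "XZ format" as well, matching "archives of the XZ" at line 291.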
|
414 | 414 |
|
415 | 415 | 00:18:16 podcast player show notes. Thank you to the team at Posit for supporting Talk Python.
|
416 | 416 |
|
417 |
| -00:18:21 One of the talks was Python security model after this issue, the XCUtils backdoor. Tell us about |
| 417 | +00:18:21 One of the talks was Python security model after this issue, the XZ-Utils backdoor. Tell us about |
418 | 418 |
|
419 | 419 | 00:18:28 that. Yeah. So this entire talk was essentially just overviewing like, "Hey, is this possible?
|
420 | 420 |
|
|
506 | 506 |
|
507 | 507 | 00:22:37 binary file, which made it so that code reviewers- - Some of the test binary elements,
|
508 | 508 |
|
509 |
| -00:22:42 'cause if you've got a compression file utility, you've gotta have compressed files for your unit |
| 509 | +00:22:42 'cause if you've got a compression file utility, you've got to have compressed files for your unit |
510 | 510 |
|
511 | 511 | 00:22:47 test, right? - Exactly. So it was, basically, these files were checked in and there's just huge binary blobs that you can't actually get your
|
512 | 512 |
|
|
518 | 518 |
|
519 | 519 | 00:23:11 script that allows them to be generated anytime and things like that. - Is it one of the changes,
|
520 | 520 |
|
521 |
| -00:23:17 I recently, I can't remember if this was on IPI or if this is a GitHub thing, but allowing GitHub |
| 521 | +00:23:17 I recently, I can't remember if this was on PyPI or if this is a GitHub thing, but allowing GitHub |
522 | 522 |
|
523 | 523 | 00:23:23 to be the thing that publishes directly, builds the wheels and uploads them to PyPI rather than
|
524 | 524 |
|
|
622 | 622 |
|
623 | 623 | 00:27:57 Yeah, maybe.
|
624 | 624 |
|
625 |
| -00:27:59 Maybe, maybe we can make it happen. All right, next up, the REPL, or the PyREPL for the Python PyREPL. What's the deal with this? |
| 625 | +00:27:59 Maybe, maybe we can make it happen. All right, next up, the REPL, or the PyREPL for the Python REPL. What's the deal with this? |
626 | 626 |
|
627 | 627 | 00:28:06 Yeah, so this was a talk that was given by a couple of different core devs. I think this
|
628 | 628 |
|
629 |
| -00:28:12 included a bunch of people, Pablo, Lukasz, and Lissandros all gave this talk. And it was about, |
| 629 | +00:28:12 included a bunch of people, Pablo, Lukasz, and Lisandro all gave this talk. And it was about, |
630 | 630 |
|
631 | 631 | 00:28:18 hey, this new REPL that's coming in Python 3.13. Here's all the cool stuff that it can do, and
|
632 | 632 |
|
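Review bot: "Lissandros" to "Lisandro" at line 629 looks like the wrong correction: the core developer who gave the PyREPL talk alongside Pablo and Łukasz is Lysandros Nikolaou, so the intended spelling is "Lysandros"; while the line is being touched, "Lukasz" could also take its diacritic ("Łukasz") if the file uses them elsewhere.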
|
644 | 644 |
|
645 | 645 | 00:29:01 have to, versus this where it's this completely separate and much more easy to contribute to
|
646 | 646 |
|
647 |
| -00:29:08 piece of software. Yeah. And did this come from the PyPy project? Yes, this was PyPy. And I think |
| 647 | +00:29:08 piece of software. Yeah. And did this come from the PyPI project? Yes, this was PyPI. And I think |
648 | 648 |
|
649 | 649 | 00:29:15 that there's been some back and forth, contributing back, contributing forward, all of that, which is
|
650 | 650 |
|
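Review bot: changing "PyPy" to "PyPI" at line 647 is almost certainly a wrong correction: the question is where the new REPL came from, and PyREPL originated in PyPy, the alternative Python interpreter, which fits the surrounding description at lines 645-647 of a "completely separate and much more easy to contribute to piece of software"; PyPI is the package index and is not the source of a REPL implementation. Revert this hunk.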
|
690 | 690 |
|
691 | 691 | 00:31:11 highlighting is like really huge. That's not a part of the current REPL, I don't think, but like
|
692 | 692 |
|
693 |
| -00:31:15 it becomes much more possible because this PyREPL exists. Yeah, exactly. Yeah. I think that like |
| 693 | +00:31:15 it becomes much more possible because this Py REPL exists. Yeah, exactly. Yeah. I think that like |
694 | 694 |
|
695 | 695 | 00:31:23 the biggest thing, yeah, like the whole blocks of code, I just remember the demo of them showing
|
696 | 696 |
|
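Review bot: "PyREPL" to "Py REPL" at line 693 conflicts with line 625 in this same commit, where "PyREPL" is kept as one word; the one-word form is the project's name, so keep it here too.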
|
858 | 858 |
|
859 | 859 | 00:38:18 so that's going to be a while until they released this pep. Well, so I'm just kidding. The most,
|
860 | 860 |
|
861 |
| -00:38:23 the most important part of this discussion was that the, the Python version 3.14 B B preserved |
| 861 | +00:38:23 the most important part of this discussion was that the, the Python version 3.14 B preserved |
862 | 862 |
|
863 |
| -00:38:31 PI on, so yeah, cool. It wasn't allowed for three, three 14 to change it. |
| 863 | +00:38:31 Py on, so yeah, cool. It wasn't allowed for three, three 14 to change it. |
864 | 864 |
|
865 | 865 | 00:38:37 Yeah. The only thing that I can think of that you would have the two digits is that there's a lot of
|
866 | 866 |
|
|
936 | 936 |
|
937 | 937 | 00:41:43 about two things, memory and threading. Right. And we just don't do that in Python. We just,
|
938 | 938 |
|
939 |
| -00:41:48 I think we have just leveraged the fact that the Gill gives us kind of enough coarse grain granularity, |
| 939 | +00:41:48 I think we have just leveraged the fact that the GIL gives us kind of enough coarse grain granularity, |
940 | 940 |
|
941 | 941 | 00:41:56 the execution of our code that it's just not something we hit a lot. And we don't try to do
|
942 | 942 |
|
|
956 | 956 |
|
957 | 957 | 00:42:41 kind of split in the ecosystem and then have it converge together. I think that's like the
|
958 | 958 |
|
959 |
| -00:42:46 overall plan is like, Hey, we gotta, we gotta have a way that if this is really not working out, |
| 959 | +00:42:46 overall plan is like, Hey, we got to, we got to have a way that if this is really not working out, |
960 | 960 |
|
961 | 961 | 00:42:51 we can go back. But if it is working, we need a way that we can actually land this thing as the
|
962 | 962 |
|
|
1010 | 1010 |
|
1011 | 1011 | 00:45:07 language. Chinese, ask me something else. Yeah. Yeah. Right. Like next question.
|
1012 | 1012 |
|
1013 |
| -00:45:12 Yeah. So this was, this was a, it's almost almost like a big status update on where Python is in the |
| 1013 | +00:45:12 Yeah. So this was, this was a, it's almost like a big status update on where Python is in the |
1014 | 1014 |
|
1015 | 1015 | 00:45:21 mobile space, which is really exciting because they've made a ton of progress on getting like
|
1016 | 1016 |
|
1017 | 1017 | 00:45:26 actual tiering of support for these platforms. So if you don't know, Python has a like platform
|
1018 | 1018 |
|
1019 |
| -00:45:33 support tiers where it's like tier one is like X 86 Linux, right? Like that's a 90% of PI PI |
| 1019 | +00:45:33 support tiers where it's like tier one is like X 86 Linux, right? Like that's a 90% of PyPI |
1020 | 1020 |
|
1021 | 1021 | 00:45:40 downloads are, are that like, yeah, probably want to support that one. And then as things like Mac
|
1022 | 1022 |
|
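Review bot: since line 1019 is already being edited for "PI PI" to "PyPI", "X 86 Linux" on the same line should become "x86 Linux" as well; the split-word form is the same kind of transcription artifact this commit fixes elsewhere.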
|
1100 | 1100 |
|
1101 | 1101 | 00:49:06 be, be a game changer and just, you know, it's not on, it wasn't here. Almost surprised me that it
|
1102 | 1102 |
|
1103 |
| -00:49:11 wasn't here, but front end stuff, WebAssembly, PyScripts, Pyodide, all those things I think are |
| 1103 | +00:49:11 wasn't here, but front end stuff, Web Assembly, PyScript, Pyodide, all those things I think are |
1104 | 1104 |
|
1105 | 1105 | 00:49:17 in that same realm. Although they can just kind of ship stuff to the web because there's no gate
|
1106 | 1106 |
|
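Review bot: "WebAssembly" to "Web Assembly" at line 1103 introduces an error rather than fixing one: WebAssembly is written as one word (it is the name of the technology), so revert that part of the change and keep only the "PyScripts" to "PyScript" fix.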
|
1234 | 1234 |
|
1235 | 1235 | 00:55:10 you know, parallelism in Python. Yeah. Yeah. How do we isolate the stuff
|
1236 | 1236 |
|
1237 |
| -00:55:13 so that we can avoid the guilt? We take it out and add different algorithms or do we just |
| 1237 | +00:55:13 so that we can avoid the GIL? We take it out and add different algorithms or do we just |
1238 | 1238 |
|
1239 | 1239 | 00:55:18 make copies of the interpreter and run them in isolation, but then you have this
|
1240 | 1240 |
|
|
1371 | 1371 | 01:00:53 at talkpython.fm/youtube. This is your host, Michael Kennedy. Thanks so much for listening.
|
1372 | 1372 |
|
1373 | 1373 | 01:00:58 I really appreciate it. Now get out there and write some Python code.
|
1374 |
| - |