#off-topic
@hexed briar could you find time to review this please or delegate to us?
not true, I’ve stepped up and organized this for a while, it’s just that I have been waiting for the other organizers to respond. I’m deliberately calling out that I do not like the framing of nobody did things, if I’ve done the thing and got told to wait for review
I’ve kept things private since I don’t like blaming volunteers for their lack of time, been there, as you all know
at some point we have to face the real chance that we’re missing people because we didn’t launch in time
I do want to call out that in the future I would strongly recommend making the organization part of the PEP 772 responsibilities
Sorry! Had no idea
On the SC we invoke "The Pablo Rule" which basically is silence-is-assent (after a reasonable wait and a few friendly pings). If you find that things are blocked on a volunteer who has a lack of bandwidth (no blame, as you say, we've all been there), JFDI.
That's named for pablogsal I assume?
The one and only!
I feel like a switch just got flipped in GitHub, service-side. I'm suddenly seeing zizmor findings posted automatically as reviews by github-advanced-security[bot]. Anyone know what's up? It's literally flagging as broken PRs which incrementally improve pip-tools gaps identified by zizmor, which is kind of ... 🤣
seems like the zizmor action automatically uploads its findings to the Advanced Security API: https://github.com/jazzband/pip-tools/actions/runs/23966040269/job/69906056992#step:5:1
that's really cool, cc @steel crane
Yeah, we've had it on for a few weeks. I was (literally just!) getting into fixing the findings; but now something is posting reviews which is not something I wanted
Good example of it going slightly off the rails: https://github.com/jazzband/pip-tools/pull/2369
I didn't opt-in to that review. It's one of the first instances of that getting posted.
hmm. I wonder if it's gated on files changed or even the diff itself
Maybe? I am touching exactly the bits of CI which it's flagging. Just different attributes.
For display in a pull request check, an alert must meet all the following conditions:
All the lines of code identified by the alert exist in the pull request diff, including the first line of the alert. The alert must exist in the lines of code added or edited in the pull request, not lines that were deleted.
Oh, good find! That must be it. It makes sense of why recent CI tweaks didn't trigger it.
Yeah, this is unfortunately one of the incredibly unintuitive parts of how GH’s “advanced security” works — the PR that enables a tool doesn’t show any of its findings, but any subsequent tool that touches those lines will show them (even if the change doesn’t cause a delta in the findings)
But yeah, you can see the “ground truth” of what zizmor sees in your repo in the advanced security pane 🙂
I think that in The Before Times, while that DX might be a little unintuitive, it wouldn't be so jarring. Now it feels too similar to "uh-oh, someone clicked the copilot button"
But zizmor is doing a great job here! I'm just surprised by how GitHub presents the findings
Yeah, it’s very much not ideal and I think zizmor could probably do better too 😅 — I’ve thought about making the action do other things (like actually fail by default rather than plumb things into GHAS), but I’ve been hesitant to make that the default because of breakage/peoples’ assumptions around the current action behavior
Just discovered this Discord while reading the forums! 🙂
I've been doing some auditing of PyPI packages for supply chain safety concerns in light of recent events and put up a site to show Trusted Publishing status for the top 15k:
Trusty Pub: https://lmmx.github.io/trusty-pub/
The Packaging Summit at PyCon US 2026 is now live: You can find the attendance request form, topic proposal form, and key dates there. A few quick details: Friday, May 15, 2026 1:45 PM to 5:45 PM Room 201A, Long Beach Convention and Entertainment Center Attendance requests and topic proposals close Wednesday, April 30, 2026 AoE As in prev...
Seems like the attendee form permissions need fixing?
(I won't be attending PyCon, but I just noticed).
Fixed! 🎉
cheers 🙂
Looking at making a blog, stuck on the hardest problem, picking a domain name
I gave up on that battle and used github pages' default domain.
I may change that in the near-term future, but I also can't pick a domain name 🙃
I do actually own a domain name already, but I use it for strictly internal/personal projects. It isn't supporting anything remotely important.
Yeahhh.... I'm not tying myself to GitHub pages
Cloudflare Pages?
I'm taking a look at them, yeah
There are lots of hosts out there depending on your taste. You can even use e.g. Neocities with content you pre-render with an SSG and skip all of their services
I do use GH Pages, but I don't feel "tied" to them because the page source is physically on my local drive, along with the SSG
It is super easy to migrate, yeah. It's just a bunch of static files.
I don't blog enough to care to make my blog super fancy.
I've done a fair bit of CSS work, because I mashed together some stuff my SSG provided and then ran into things that were just awful as a result
and also so that (in the next push, at least) I can drop Bootstrap
... actually, I've been sitting on these local changes for like probably over a month >_<
The last step is reviewing for copyediting/correct links etc. and reworking some About page stuff
@steel crane, if I wanted to pick your brain about cachecontrol a little, where would be the best forum for that? Here?
I've got a use-case where I think I'm going to want to call session.adapters["https://"].cache.delete(...) and I'm not sure if I'm signing myself up for some sad times ahead. I can file an issue if that's easier.
The context is that I've gotten a PR/proposal to use cachecontrol in check-jsonschema. And I think being able to clear an item from the cache is important for this to work.
here's good, but the answer is probably that i don't necessarily recommend CacheControl for new bits of work 😅 -- it's "maintained" but i pretty much just keep it alive and haven't had much time to clean it up or add new features to it
this is also worth reading since CacheControl's security model is a little...special: https://cachecontrol.readthedocs.io/en/master/security.html
(might not affect your use case)
with that said BaseCache.delete() is part of our public API so that should be fine to use, any issues you run into with it would be considered bugs on our end
Heard on the "maintained but not being updated" status! Thanks for the heads up. I'm likely to forge ahead, on the grounds that I think it's still the best existing art for caching in a requests-based stack...
It's not such a crazy complex project that I couldn't send a patch or two if there are issues I run into. 😁
What happens to really old pypi packages that weren't maintained for say 8 years?
do they linger around 'forever'?
yep
was wanting to publish a pypi package only to find out an 8 year old no longer maintained pypi project already parked that name ( my fault for not checking on pypi but only on Github ) but that sucks
there's a process to take over abandoned packages, see https://peps.python.org/pep-0541/
I've done it a couple of times to reboot some dead packages
Had some fun with Opus 4.6 ( AI disclaimer ). I tasked it with making the best and most customizable progress bar it can, garnered towards my main project.
it has one single C++ file which is the core and the rest is mostly python
here are the benchmark results and it's already in prod in my project
https://github.com/NevermindNilas/barflow/blob/main/benchmarks/results.md
ngl, I am impressed with how good AI has become. Kinda makes me worried for what Mythos is capable ( if true ).
if curated a bit, I might make a PR for pip* to migrate away from rich to it 🤣
it's alright
a progress bar doesn't seem like the kind of thing that would need heavy optimization... ?
I think the issue is it's our biggest vendor by LoC
1-2s of overhead? I've never seen that much overhead from the progress bars, the first step I would suggest is disabling them
I will take that back, it's only about 70-100ms on my system from cold import to start of first iteration.
most of the import cost comes from markdown_it 🤔
pygments is only 0.3ms
PIP seems to also be 'taxed' by this overhead, although it varies a lot, sometimes it's 58ms other times it goes into the 70-80ms. It seems to strip out markdown_it_py but it still gets most of the import tax from rich.
Oh, it gets lazy loaded anyway
for 99.9% of the use cases it won't matter at all, you will only really see any measurable difference in the hundreds of thousands maybe millions of it/s. I guess the only noteworthy mention is lowering the start-up time.
yeah I feel like that one is primarily about startup cost
Requests also would add a fair bit (still does when the deferred import gets triggered)
though I think that may have more to do with the total amount of architecture around the PipSession
I tried to dig into that once, but it was without proper profiling tools and it took me a while to accept that it was dumb to try that
for another project i'm optimizing, the PB was a heavy bottleneck.
iirc it optimized the hot path by 30-40%
but yeah, it is a heavy vendor
Well Claude's security blocking works, trying to review a security issue:
⎿ API Error: Claude Code is unable to respond to this request, which appears to violate our Usage Policy (https://www.anthropic.com/legal/aup). This request triggered restrictions on violative cyber content and was blocked under Anthropic's Usage Policy. To request an exemption based on how you use Claude, fill out https://claude.com/form/cyber-use-case?token=... Please double press esc to edit your last message or start a new session for Claude Code to assist with a different task. If you are seeing this refusal repeatedly, try running /model claude-sonnet-4-20250514 to switch models.
what is going on 🙃
chardet got relicensed to MIT because the maintainer did a "clean-room rewrite" using AI coding tools
Still waiting for someone to relicense windows the same way so I can watch the fireworks
the true windows copilot, the copyright-free windows!
But anyway, this makes me glad that pip does not vendor chardet.
Software licensing is a joke in the day of AI
Opus / codex can look at the problem you are trying to fix with your project and recreate a clean-room rewrite of it, often times even better ( just look at the progress bar it cooked up with +-5 prompts + a couple of ones for benchmarking and qol optimizations ).
Unless your project is super complex or the problem you want to fix is just so big you may need more time.. but it is not impossible
Not glazing AI, but SAAS as we know it is dying out.
This is both scary but surprisingly really interesting at the same time
Somehow, not surprised at all
I never really liked the idea of SaaS in the first place, nor understood who the clients were supposed to be
Drop the "Saa" - and it's all Services 😉
yeah but that's kinda the problem!
So, uh, it seems like the new Ubuntu installer straight up doesn't support installing to LVM, LUKS, or other custom block devices? I was hoping to set up FDE with LVM on LUKS, but it seems like I need to configure everything manually?
It seems like I'd need to install Ubuntu unencrypted and then migrate the install to the encrypted volumes after the fact...
That's highly annoying.
I guess you have never paid for Nitro?
Correct.
Not sure I've ever seen such a list in a PEP before:
Supports
PDM (Frost Ming)
Poetry (Randy Döring)
venv (Vinay Sajip)
Virtualenv (Bernát Gábor)
Tox (Bernát Gábor)
Hatch (Cary Hawkins)
Lukewarm
uv (Zanie Blue)
Opposes
Hatch (Ofek Lev)
Source: https://peps.python.org/pep-0832/#project-support-for-this-pep
Hot, lukewarm, and cold.
Wait. Warehouse is built in Pyramid? I did not know that.
Yessir
Warehouse went through a number of frameworks when I first started it
When Warehouse started it was deployed side by side with legacy PyPI connected to the same database, and the legacy PyPI database uh, well it did not have an amazing schema 🙂
At first Warehouse was written in Django, as it was the framework I was most familiar with, but Django's ORM wasn't flexible enough to handle all the weirdness in the schema (some of the tables didn't even have primary keys, foreign keys were often strings, more things I can't remember), so I had to ditch Django's ORM, and I decided if you're ditching Django's ORM you might as well ditch Django because you lose access to most of the Django ecosystem if you do that.
You can still see some Django-isms in the users table, since that was the first table I ported to be managed by Django and not legacy PyPI
Then I started writing my own web framework because my brain is damaged and I really do not like Flask
and Flask was the other one I was familiar with
(I was also not going to use a ORM at all, and was going to hand roll all the SQL statements, I still kinda wish we didn't use an ORM)
Then uh, Richard I think, maybe Ee? convinced me we had to use something off the shelf (which was the right call, but I was stubborn), so I rewrote it (whatever existed at that point in time) a third time out of my custom framework into Flask
I still did not like Flask, so I went looking for something else
found Pyramid, and it fit really nicely tbh. Could use SQLAlchemy (which was flexible enough to handle the weirdo schema), decent apps, and it was flexible enough to let us replicate some of the really weird edge cases from legacy PyPI
and tbh the Pyramid community was really great to us too, IIRC view derivers got added because when implementing Warehouse, I had very particular things I wanted to do, and I was heavily abusing tweens to make them work, and had to keep going to the Pyramid IRC and seeing what I was trying to do, gave rise to the view deriver idea
Sadly, Pyramid aged badly. I understand the appeal it had in the past, but it's not really modern. Plus, if not for the pkg_resources breakages, it would still be stalled/unmaintained
Modern in what way
(Serious question. I’ve not paid a ton to what’s happening in the web framework space, but I’m hard pressed to think of something I really wish pyramid had)
In my view, "modern" web framework in Python has
- type hints
- async (default or capable of it)
- good stack of dependencies
- is fully batteries included or easily extendable
What "bad" I see in Pyramid (dove into warehouse on few occasions and I am maintaining a legacy Pyramid app)
- lack of type hints and heavily reliant on dynamic stuff (adding methods/code)
- no async
- promotes old (ancient?) paste config ini files
- brings a lot of stack, is pretty much spread across many smaller packages
- lacks maintenance (same goes for many of its dependencies)
- doesn't include openAPI for APIs or template engine for SSR by default, have to be provided with plugins
Gotcha. I personally don’t care too much about type hints or async. Neither one is super interesting to me for most web apps (type hints maybe a bit more than async).
Like I wouldn’t be against using async for most web apps, but I don’t think most web apps actually need it one way or the other lol
Paste is kinda weird, but I don’t really use it so it never bothered me
Well, warehouse is walking around it by configuring it with the code in Configurator. It's nice and I plan to introduce something similar in an app I am maintaining at some point to get rid of the ini files
Not providing some of that stuff is part of why I liked pyramid though 😅 I can use any renderer I like for instance! And I’ve thought about switching the html renderer on warehouse away from jinja2 to something else, because most template engines slow way down on the size of some of Simple’s api responses lol
Yea. I think most web frameworks require you to configure it in code using something similar? Pyramid is odd in that it has a non code method out of the box for configuration
I mostly care about type hints in public apis that one is forced to use (like request/response objects etc). But what I really love is how FastAPI (ab)uses typehints for serde operations
And I am not saying that using Pyramid is bad or something. To each their own I guess. It's just not a choice I would pick in 2026
I’ve used fastapi a little bit. I got annoyed it did the same thing flask did iirc. Magic threadlocal (or whatever the async equivalent is) variables for storing stuff like your database connections and stuff
I dunno why so many web frameworks seem to want to do that
It drives me bonkers
People seem to like that pattern though, so I'm the weird one 🙂
people don’t like passing contexts around in python
i agree that context state is easy to abuse
we had a contributor to numpy propose a context variable to control whether numpy returns scalars or zero-dimensional arrays for ufunc operations that currently return only scalars
and yeah that’s a thing that’s technically possible, but no way do i want to maintain that
Gary’s boundaries talk stuck with me when I first saw it
https://www.destroyallsoftware.com/talks/boundaries
it wasn’t primarily focused on things like db connections or whatever, but it applies and I think it’s really good
you should also not look at how the decimal module uses contextvars, it’s so overengineered
But yea. I know I’m the weird one for being fine with passing stuff around explicitly
I like how Axum handles it a bit. You get extractors so you can explicitly declare which bits you need, which solves some of the issues where your framework either has to pass in a big “here’s’ all your state” bag or your request handler has to have a bunch of parameters your views don’t normally need
But that is Rust and a world of compiled solutions, so a bit different
Yea, but you could do it at runtime in Python using type hints 😉
what put you off Flask?
Magic globals
I made a thing, a soundscape based on PyPI package data feed updates 🎶🐍📦🎶
Maybe you'll enjoy it too?
https://miketheman.github.io/listen-to-pypi/
wow, it’s nuts how many new packages come in per minute
@timber sphinx i think you should add a big truck horn when a package gets quarantined
I heard big truck horn and I'm now intrigued
I am finally starting my migration to Neovim. This even isn't about neovim, but wow, turns out that using an actual plugin manager can save you so much headache :P
Vim's native pack support is convenient, but adding an integrated plugin manager is nice.
Oh wow, I've spent so much time configuring neovim already. I've just barely got LSP working in a way that I like.
but hey, now I have dotted autocompletion!
I've got neovim set up with home manager (https://nix-community.github.io/home-manager/) - it's more of a hassle but I like using the same pacman for most things
though half the time I end up opening Codium anyway, lol
I'm not very dexterous
Has anyone played around with CrossHair? https://github.com/pschanely/crosshair
Started doing a lot of property based testing, this looks like a nice compliment
I went to a Rust talk last night and the speaker was expressing invariants in their functions with lean in the doc string, and the tooling used that and the Rust code and formally verified the function. So looking for things in Python that are a step above regular property based testing.
that's cool, what were they using for that?
I think I got the configuration good enough for the time being. Now I need to learn a bunch of vim commands and shortcuts.
Community consensus based development
what was it about?
Whether to implement RHS variables in packaging:
'3.9' < python_version
https://discuss.python.org/t/implementation-of-swapped-marker-order/107060
Time for some fun reading
-- Plugins!
local Plug = vim.fn['plug#']
vim.call('plug#begin')
Plug("drewtempelmeyer/palenight.vim")
Plug("vim-airline/vim-airline")
Plug("vim-airline/vim-airline-themes")
Plug("tpope/vim-fugitive")
Plug("airblade/vim-gitgutter")
-- Plug("preservim/nerdtree", { ["on"] = "NERDTreeToggle" })
-- Plug("dense-analysis/ale")
Plug("folke/todo-comments.nvim")
Plug("folke/which-key.nvim")
Plug("nvim-tree/nvim-web-devicons")
Plug("Bekaboo/dropbar.nvim")
vim.call('plug#end')
require("todo-comments").setup({})
Haha, this is starting to look like the average VSCode set up with a ton of plugins.
Why not vim.pack? Or lazy?
You might also like https://github.com/nvim-lua/kickstart.nvim
vim-plug seemed like a well supported option and I'm not too picky. I used to use vim's built-in pack, but I got sick of dealing with it.
I took a look at the kickstart configuration for inspiration, but I prefer to configure things from scratch.
Ever since I learned some vim motions, I've unironically used the s/in/out/g trick to edit text on Discord from time to time.
It feels surprisingly natural.
the only problem with that is when I try to type s/in/out/ as a joke and suddenly I'm editing my past comments 😅
Wait, that works!
I'm 100% nerding out, but I've recently discovered fzf. It's quite nice (both on the command line and as a vim plugin).
Wait until you discover telescope.nvim
Yeah... I don't think I need the extra features of telescope.
Seems nice, but I've already added enough features to nvim.
We're in the era of Microslop, indeed:
Historical GitHub uptime reconstructed from archived status data.
dang, not even multiple 8s
ZZ.ZZ% 😴
Wait a second
On March 18, 2026, GitHub designated GPT-5.3-Codex as the LTS model.
- https://docs.github.com/en/copilot/concepts/fallback-and-lts-models
Starting today, in our Copilot Student plan, we are removing GPT-5.3-Codex from the model picker. It remains available through auto model selection.
- https://github.blog/changelog/2026-04-27-copilot-student-gpt-5-3-codex-removal-from-model-picker/
How do you start removing your LTS model?
it stands for low-term support
Is that "removal" or "we're hiding it from folks who don't pay us a lot because they drain our resources for higher-paying customers"?
I mean
It remains available through auto model selection.
So... even they still have it
They... just don't get to pin to it?
I guess it keeps the students from demanding a higher cost model be used every request?
- LTS models apply only to Copilot Business and Copilot Enterprise.
https://docs.github.com/en/copilot/concepts/fallback-and-lts-models#about-long-term-support-lts-models
Therefore I understand that LTS doesn't apply to Student
The cost of all this subsidized compute is clearly catching up
Oh no, my $200 plan uses $5000 worth of compute a month, what will happen long term
plan 📈
usage 📉
China will absolutely dominate the entry level pricing
Their models are good enough and like 2-5x cheaper
Does anyone know if Tidelift (which looks to be acquired by Sonar something) stopped its lifter program? Or maybe pipenv just stopped being funded?
It's still going. I suggest emailing them.
It occurred to me today we might soon see install instructions going from curl -LsSf {url of shell file} | sh to curl -LsSf {url of prompt file} | claude
I think I already saw something like that.
uvcodex
Argh. I've been out of the Windows world for years and now helping Python beginners with setup has gotten a lot more annoying
in particular, because https://www.python.org/downloads/release/pymanager-261/ defines a py command that conflicts with the previous launcher
People (including people who expect to learn to write code) nowadays apparently will even often struggle with the idea of running an installer and then running the installed application.
Or, for that matter, having a locally running application, as opposed to an "app" being a web page or an Electron thingy masquerading as a web page.
Now, in the name of ease of use and organization, Windows Python installs go a step beyond that? :/
For me, py (both new and old) on windows has always been well intended but with too many paper cuts for me to ever recommend to new users. I can't even recommend the official installer any more.
I will recommend conda or uv depending on their use case.
do we really jump through all these hoops just to avoid the path pollution caused by the C:\Program Files paradigm?
having spent some time touching the old msi installers for the 3.15 release: burn it with fire
ah, I just heard about https://peps.python.org/pep-0661/ being accepted
Oh wow, that was a long road for the size of the feature, glad it made it
Whenever I use sentinels, and can't use None, I never feel there's a standard pattern for me to follow
Got this out just in time, have to start preparing my 3.15 post next: https://iscinumpy.dev/post/starting-with-agentic-ai/
Oh, just realized sentinel is a builtin, very nice.
FWIW, I don’t think anthropic’s issue is your .edu address, I just think they limited the number of FOSS accounts they handed out and anthropic employees had the ability to move people around in the queue. I got my credits after Greg Smith adjusted my spot in the queue but Matti Picus managed to get one without doing that by happening to be one of the first people to apply. AFAIK none of the other maintainers at Quansight have gotten the credits.
thanks for the post though, lots of great advice!
And https://iscinumpy.dev/post/python-315/ is out now too
Thanks for the write-up! There are a few things not mentioned (or explained better than) in the “what's new” document
Btw: I read your older post about profiling packaging and you say that for this, the “types overlap”:
@singledispatch
def f(v: Version | str) -> str: ...
@f.register
def f(v: Version) -> str: ...
But nothing overlaps here: for some silly reason, the official way is to lie in the parameter and return signature of the fallback function when using singledispatch: the function decorated with @singledispatch is supposed to have the union of all registered functions’ parameter and return types.
Don't ask me why. As a result I mostly put raise NotImplementedError as the body of the fallback function, then no type checker can get confused because “forgot” to handle a parameter type that's actually handled in a registered function
I'm very curious... How are folks in this community approaching code review when the size of an LLM-assisted PR from a known/trusted contributor gets very large, e.g. because an LLM was used to handle a refactor which has been considered desirable but daunting/laborious? (Not interested in discussing the merits of policies which ban such PRs right now, please. 🙂)
This is a relatively new experience for me. Almost all of my interactions with LLM-generated code have been of the spam/slop variety. But I've started to have more interactions where I want to take the PR seriously on the merits. But review is now... daunting.
Not to bury the lede, I'm looking at the pip-lock PR and trying to figure out... how do I tackle this? Asking to "break it up" doesn't even quite make sense since it's a whole new thing, and of necessity it's large?
I guess start with whether the tests make sense, and then look for anything malicious, and then see if the tests pass... ?
$ git diff main --shortstat -- tests
50 files changed, 9987 insertions(+), 24 deletions(-)
😬 I think I need to find ways to ask to break it up, for starters.
But hey, at least there were 24 lines deleted! 😆
It just runs beyond my typical bound for "a PR I know how to review".
At $WORK I've definitely run into similar situations. e.g., inheriting someone's prototype and suddenly you need to take ownership of it. You can take it in stride and bugfix/triage things best you can. But I'm not accustomed to making that kind of call in FOSS.
ask an LLM to find the weak points 😆
i'm struggling with the same thing as a contributor -- zarr needs feature X, and feature X will necessarily require a lot of code changes. my current strategy is to break it into smaller PRs, and hope they get reviewed
I don't think LLMs should drastically change the shape of a good quality PR, a good contributor should be able to slim down their PR to tack just the part they need or into several pieces that can be applied one at a time
Wow. Around 5k new packages in what? A week? Two?
Hits home here. I've had contribs who branch out every granular feature like angels and others who drop a sloppy dooker. A lot of the time, probably best to politely reject, explain why, and ask for better than trying to mentally reverse engineer a monolith patch. Then they learn and the engagement drives quality, conduct, community.
For large refactorings, a draft PR with incremental commits is a good way to signal to a team, "hey I'm getting started", run checks along the way, and understand/communicate the evolution. Also opens the door for feedback and collaborative decisions throughout.
Breaking down a big refactoring into smaller concerns at least in a md or checklist, that can also talk to the evolution.
One big commit. No thanks. A defendable progression tho? Okay, fair is fair.
Woah woah woah! 1M incoming!
Has the new packages per day increased significantly post AI? (In the last 6 months or so)?
I only had 90 day stats off hand, but you should be able to query the distribution metadata table in BigQuery to answer that
uv accepts >=5.1.* because pip used to accept it, when uv started they got a bunch of requests to accept invalid metadata like that, but when pip dropped it I didn't see almost any complaints except that pip install requests== wouldn't show the available version numbers in the error any more
anyone online who could transfer the hatch-code repo to the PyPA GitHub org? Then I can publish a preview version to the marketplace this weekend!
Guess it ain’t happening this weekend
Actually nevermind, it worked anyway!
API Error: Server is temporarily limiting requests (not your usage limit) · Rate limited
Errr, thanks for clarifying?
I'm flying out to LA tomorrow and I'll be at PyCon US Thursday to Friday, if anyone wants to meet up and talk OSS or just say Hi feel free to DM me or @ me here
https://pypi.org/project/nvidia-vfx/#description I found this amazing wheel from Nvidia, but for the love of God I don't see any mention of what license it uses and whether I can use it commercially for my tool or not. It's what I have been wanting for ages now... it's annoying.
oh nvm, the wheel seems to have a pdf
Holy this is realllly big from NVidia, I am absolutely stunned
what’s the license?
It appears to be entirely custom
the licenses for a lot of nvidia packages are complicated
I recently found that the nvidia-cutlass-dsl-libs-base wheels can’t be built from source using open source code
Free for everything, commercial, redistribute and so forth, you must use a 3rd party notice, mention that you use Nvidia code and credit them
BTW, for folks who are at PyCon, there will be many of us NVIDIANs there too and we'd like to hear your feedback about our Python packaging story. What can improve to make it easier for you to consume NVIDIA Python packages? Please get in touch; though I'm not promising I can answer your questions, I can take your contact information and questions/feedback and follow up with the right people after the conference.
I managed to finetune the model for my specific use case.
Maxine ultra left, Maxine ultra + Denoise ultra, My finetune, Ground Truth. The model is really impressive for a Tiny CNN
looking forward to seeing everyone at PyCon US! I posted my schedule in the hatch channel for anyone that wants to find me and chat. I’ll also have a couple nights free and am close by at the Hyatt Regency.
FYI I'm hanging out at the Marriott lobby bar for the next little bit if anyone is around I'm on the laptop/in cat-mushroom t-shirt, feel free to say hi
Cat mushroom?
Wow, the US visa requirements have expanded very significantly
OK, it turns out that the new Ubuntu installer can't install to existing LUKS or LVM volumes, but it can create new ones just fine. I've installed Ubuntu 26.04 LTS with partition encryption enabled.
It was a pretty seamless experience TBH. The installer does automate all of the set up away. I also let it handle automatic triple boot partitioning and it worked fine.
for the PyCon folks: there's a uv open space 1-2 PM and a python-build-standalone open space 2-2:30 PM in 201A
Ubuntu, Windows(?) and... ?
TempleOS of course
Ubuntu 25.10 and 26.04 + Windows 11
why 2 ubuntus?
I got a better question, why Ubuntu?
Is this the part where I say I use Arch BTW?
I reinstall the OS when upgrading
so I'm temporarily triple booting until I get around to migrating fully
Do you have a genuine curiosity or you're trying to flex your linux distro superiority?
I am at PyCon US sprints hanging out in the CPython room (Ballroom B) for a bit but if there's interesting packaging stuff happening lmk
@mighty flower I believe you said that if you have two requirements for a single package, loosly_constrained and tightly_constrained (where loosely constrained could be unconstrained), then the order matters to a resolver, you can get a different resolution? (Context: PEP 808 was just accepted, but there's one remaining question about allowing added metadata to be at any location or just at the end)
https://toot.cat/@Gankra/116620039878128846
I support this nomenclature
ok everyone my coworkers are sick of saying “pep 723 script” we’re officially making “scroll” happen
Reminder for those who went to PyCon US!
https://bsky.app/profile/jonafato.bsky.social/post/3mmjyelxmfs2x
If you participated in PyCon US, please fill out the survey. It helps a lot. Remind your friends.
How Claude Code starts rendering text on my machine after running it for an hour:
Coding is clearly a solved problem
🤣
Those are just the forbidden runes it uses to call to its dark gods, nothing to be concerned about
I just had a whole bunch of GitHub CI Windows builds fail on bad network connections doing pip install steps; not resolved with a retry. I think there's an issue, but it's not impacting all of my projects. I'd be curious if anyone else runs into this.
I figured out that my earlier CI problems were caused by a bad pip cache, but the failure mode is new to me. I think the recent changes to how urllib3 handles chunked reads may have changed the flavor of error which is emitted. Maybe this was always possible? But I can't recall seeing it before:
ERROR: Could not install packages due to an OSError: ('Connection broken: IncompleteRead(17661 bytes read, 258 more expected)', IncompleteRead(17661 bytes read, 258 more expected))
I can't recall seeing that either. I wouldn't be surprised if urllib3 is proximately causing the issue, but ultimately it comes across to me like a consequence of pip having an http cache rather than a downloaded-file cache
Life?!
@hexed briar it was an ill-advised reference to the Life of Brian singing on the wooden poles ^^
today it took about 2.5 hours to get the toddler to sleep ^^ my humor is slightly off-track
hi :3
Hello hello!
Hi
@warped wraith is there currently a place to discuss batou?
good question. not really. but i'd be more than open to it 🙂
(both for discussing and for having a place)
@warped wraith my context is that im currently reiterating my system/home setup automation, unfortunately not nix based for reasons, - however the ansible setup is "problematic" and i don't want to reinvent something quite like batou (i did many years ago and it was a disaster)
however its not quite clear to me how to start with batou
yeah, i'd be happy to help.
right now my personal choice would be to give you a direct briefing, maybe in a jitsi session and in case that you are interested you could share your notes. i know that i'm not that good writing introductory stuff, but maybe you can then suggest things that can be improved in the docs.
additionally if you have suggestions for a public place where those discussions can become public record in the future, i'm open for suggestions.
i'll have to make some time for that + read into the documentation again a bit (else we'll waste too much time), if you use matrix we could just use the related gitter channel as a discussion point for now
we're starting out with matrix in my team currently but i haven't had much exercise yet. sounds like a good idea, though.
let me know when you have time/want to look at things and i'll make room in my schedule.
@warped wraith something that i directly wonder about - are there any components for building containers and are there any local ones that dont need ssh, and are there ones for system package managers (dnf/yum)
ssh isn't really needed in any case, there's a specific 'local' environment option that goes through execnet but just by spawning subprocesses
there's a collection of components outside of the core in "batou_ext" which might have some package manager support (we do have explicit stuff for nix and I think someone did something for apt and i know i have apt components in a cumulus deployment somewhere)
i'm also currently working on container stuff that is currently specific to nixos but should be possible to abstract later on, but that's maybe the wrong layer: its about using containers as lightweight vm replacements. you probably are talking about components to manage docker-style containers.
some of the components we have around are made in specific deployments first and abstracted later on and if we don't need them more than 2-3 times they don't make it to the central repo
I try to avoid putting incorrectly generalized greenfield solutions into the central repo - happened a number of times in the past and it's a pain ...
yeah, there is need for a incubator and iteration ^^ - what i want to do is stuff like a component that installs sublimetext/merge + licenses, stuff like vs code, git annex and similar, ensures everything i wana work with is checked out/installed/prepared
right
that's definitely possible to do and not that hard
i'd be happy to show you how i'm currently doing stuff with debian based packages
so you can give that a go with dnf/yum if you like
if you have a link to read into later that would be a good start, im about to get to work ^^ but today will be a mini sprint on setuptools_scm + release automation
sure
the code might currently be in a closed repo
but i can extract the relevant bits in a gist or so
batou example for managing system stuff with a traditional package manager - component.py
those are the relevant parts
batou can be used in this ad hoc style quite easily to begin with and then expand on that and refactor as needed
@warped wraith i think my main comprehension barrier is that the variables/configuration transfer used in the components doesn't directly make sense to me, i'll use the gist as a base for some experiments, is there any tooling for sudo/become?
no, i expect that sudo has been setup in a way that either batou connects its agent as the proper user or that the environment grants passwordless sudo to the commands you need. i haven't investigated this further because we consider this a bootstrapping/provisioning issue which has been out of scope for batou until now.
the work on using transient containers as deployment targets does open up the whole provisioning discussion, so there's some thoughts going around in my head but nothing actionable, yet.
hmm, i guess setting up sudoers and/or an agent is acceptable hardship
it's really just sudoers
the agent is transient in any case, i was just referring to the way that batou starts the agent so that it has the correct permissions. usually that means sshing into some place + performing a sudo -ui equivalent
let me check whether sudo is supported for local deployments or whether that is tied to the ssh code
right, so at the moment only the ssh code is considering the sudo "turnaround" but we could add that to the local connection as well i guess
the alternative would be that you let batou connect via ssh to the local machine
which either then uses sudo or becomes root directly, depends a bit on the tradeoff
or as a last resort you can directly start batou with sudo and not deal with it internally at all
that also doesn't require any code changes right away 😉
in your situation batou works a bit like puppet where the agent would be started as root in any case
that being said, one of the tenets of batou is that you should never have to wrap the ./batou deploy <env> call into another shell script. prefixing that with sudo borders on acceptable, though 😉
im typically starting the deploy command as my own user (right now i have a wrapper script that sets up a venv with ansible, then runs ansible) - in case i use batou, the wrapper situation would stay the same
well you don't need venv wrapping with batou
the appenv already takes care of that
i've extracted that kind of wrapping functionality in its own little module (the release management for this is a bit unclear to me at the moment as it's just a self-contained file)
the readme there is not correct though, at the moment. i'm juggling a number of things that are fast moving parts at the moment, so sorry for that
i've gotta focus a bit for the next hours. happy to catch up later.
@warped wraith on https://github.com/RonnyPfannschmidt/computer-specs i have the current hack/ansible stuff
Right. Here's how the appenv wrapping works based on your example: https://github.com/ctheune/appenv-ansible-example
i like it, does it work as git submodule?
hmnhmnn... uhm ... depends a bit on what you wanna do I guess.
Pull in the content itself for appenv instead of copy
As I'm a bit new on discord. Is the idea to keep replying via reply or just continue the conversation? Reply doesn't seem to be the same as threads elsewhere (which is usually its own UI disaster)
I guess you could use a submodule and link it. At some point I'm going to consider using appenvs internal infrastructure to support a better update mechanism. I also like the challenge of keeping it simple enough so it can stay reasonably well manageable as a single file solution.
The only thing appenv checks for is whether the argv[0] is "appenv" to trigger the "you are talking to me" versus "you are talking to the target program"
I'm also still pondering the way we perform self-updating in batou where appenv is more or less a "bundle deal"
@ionic tulip i made a public matrix room for batou ... if you want to move the conversation from here. seems like we're hogging the channel (even though it's off-topic anyway 😉 ) Hmm. I guess this is the data you need? !yxgkXdiRRCcCpKWkrj:matrix.org
The link doesn't work, is it discoverable?
Found it
@bites moving that discussion to here. Bad UX is a very valid reason for users to switch away from platforms.
As for FOSS projects moving away from FOSS platforms for communication, it's kinda implied by the generally worse experience for the user, from the look and feel of the platform, to the support mechanisms to the user-facing documentation, to the extensibility. All of these play a part in informing choices.
But, like, by far how easy it is to use something is the biggest factor.
And every FOSS platform I've tried just doesn't do that well (other than, maybe Jitsi, but calling it a platform might be reaching).
@west basin ^
Well, that's a lot of hypotheticals which did not really inform the switch to Discord, but I do empathise with them. I think IRC is a terrible platform and I'm glad to be rid of it. I don't know if you've used Matrix but the de facto client for it is Element. Registration is trivial and its look and feel is no better or worse than Discord's. Instead of "servers" it has the recently launched "spaces". If you're curious about what these look like or how they work, they were presented at FOSDEM: https://fosdem.org/2021/schedule/event/matrix_communities/. They also discuss improvements they've made to first-timer user experience with social logins and whatnot. As for extensibility, Matrix has things like integration with Jitsi Meet and Gitter and IRC bridges. I'm not advocating that PyPA should move to Matrix but I'd like people to know that there exist viable FOSS alternatives.
I saw your tweet @hexed briar , I drew a lot of inspiration from your pip documentation rewrite while I reorganized (and as I currently overhaul) Black's documentation. So take that as a compliment 🙂
Thanks!
I have! FOSDEM 2021 was probably the most interesting use of Matrix's integrations that I've seen.
personally im just waiting for the matrix bridges to be good enough for the chat and then i may be primarily on matrix
I wrote this because I found myself multiple times wanting something like that
mainly when working with subprocesses
might be useful for someone
the most obvious use-case would be to capture stdout and stderr and replay in the correct order
Like on GHA? 🤦 (cibuildwheel writes to stderr and stdout and it gets completely muddled) (PS: this needs to be live printing, so don't think it would fix the issue)
The problem is it prints logging output, but on GHA, stdout and stderr seems to get quite muddled. So the error messages can be interleaved with the normal output. But it's printed as it goes.
hum
this is more for the use-case of for eg.
let's say build wants to hide the backend output by default, and only print it if the build fails
if you save both stderr and stdout to the same buffer, you cannot replay correctly, because you don't know what should go to stdout and stderr
if you have them to different objects, you cannot replay them correctly, because you don't know the output order
so you use something like this
Looking at the server profile pic: I see a snake, an egg, a wheel of cheese, twine. What are the platypus, the bird and half a lemon a reference to?
yup, except it doesn't explain the bird and the lemon
But I like platypus as a packaging symbol
There are some explanations here https://discuss.python.org/t/the-packaging-platypus/1939/4
Looks fixed now! Used in https://www.youtube.com/watch?v=B4GQCBBsuNU and in lots of tweets about the pip work.
That’s not a lemon but an orange representing pip
why is there no love for the echidna?
@quartz yew https://github.com/pypa/setuptools_scm/pull/580 - it's just starting, and far from done, but i thought i'd throw it your way to get input on what you'd need in it so you can use it ideally all the time
@quartz yew there are some already, unfortunately it needs git 2.32 to work, and annotated tags
Hence the rawhide docker file
yeah, no worries
Adding flit and trampolim PEP 621 support to scikit-hep/cookie 🙂 https://github.com/scikit-hep/cookie/pull/21
The editable library I wrote for the virtual wheel PEP has turned into a bit of a Frankenstein monster with a grotesque CLI which can be used to do editable installations from regular wheels, if anyone's into that kind of stuff: https://github.com/layday/frontend-editables#cli
that sounds terrifying lol
Sounds impressive to me 😂
What's life without some risk
layday glad you've taken an interest in editing
I've started on the skeleton of a setuptools plugin for PEP 660 https://github.com/dholth/setuptools_pep660/blob/master/src/setuptools_pep660/
wait, if you're talking about packaging in the off-topic channel...
Saw these baby alligators in the state park last week. Never saw any this small in the wild before.
Zero byte image, those alligators must've really been tiny :P
Baby alligators
Oh cool, so you'll take the pth file develop produces and put it in the wheel? Will be interesting to see if you can get a mapping out of setuptools to work around issues like https://github.com/pypa/setuptools/issues/1801
Paul M was looking at the .pth file but I might wind up taking the package-dir and packages listing directly.
Will probably resemble the existing develop command more, without the copying bits.
I was pretty surprised that 'put python files in a directory not named after the package' is the second example in the distutils docs
Not surprised that you can do it, but to brag about it right off the bat?
Yes, it should be trivially possible to get a mapping and through some importlib trickery expose only your package and not setup.py
So have any of you taken advantage of the 'install as app' feature of monotreme.club so you can have it as an icon on your phone or computer? It will even work offline in case of emergency.
Should I open source the website so we can improve the coloring page
setuptools being able to make editable installs for package dir specs would be awesome
since ages now i have wanted to use a mapping of src:my_package_folder
It removes the possibility to import non installed and takes away one directory level
Currently it breaks for editable installs
@ionic tulip https://github.com/dholth/setuptools_pep660/blob/master/src/setuptools_pep660/editable_wheel.py is the prototype so far.
Paul's editables library can do it, all the necessary information including all the setup.py arguments is available under self.dist or whatever. Compare with the code that generates setuptools' top_level.txt metadata.
I didn't want to add features in the very first poc code.
Hmm, will try soon (it's 5 in the morning and im only awake due to splitting headache)
@ionic tulip is there any way to handle cases where I want to use pytest.mark.parametrize on fixtures?
per specific test
More context please
Should i come to the voice chat?
sure, but let me just get an example for you
Nm, my wife just appeared with wine
no worries
it would be something like this
import pytest

@pytest.fixture()
def db(data):
    # some_setup() is the poster's placeholder for creating the database
    db = some_setup()
    db.filldata(data)
    yield db
    db.destroy()

@pytest.mark.parametrize('data', [0, 1, 2, 3, ...])
def test_something(db):
    db.do_something()
what I can come up with is
import contextlib

import pytest

# contextmanager is used bare; calling it with () raises a TypeError
@contextlib.contextmanager
def db_builder(data):
    # some_setup() is the poster's placeholder for creating the database
    db = some_setup()
    db.filldata(data)
    yield db
    db.destroy()

@pytest.mark.parametrize('data', [0, 1, 2, 3, ...])
def test_something(data):
    with db_builder(data) as db:
        db.do_something()
but it's not as clean 😛
yeah
that makes it slightly better
I still have to call the function though
which is a bit annoying if I want to use it several times
you can use indirect parametrisation:
import pytest

@pytest.fixture
def db(request):
    # some_setup() is the poster's placeholder for creating the database;
    # request.param carries the value from the indirect parametrization below
    db = some_setup()
    db.filldata(request.param)
    yield db
    db.destroy()

@pytest.mark.parametrize('db', [0, 1, 2, 3, ...], indirect=True)
def test_something(db):
    db.do_something()
@quartz yew what @west basin said 😁
ah, thanks!
@robust sandal you were right, nox is quite nice, just spent some time setting it up for a new project of mine and it's been fun. I had to switch my development mental model a bit, but it was nothing major. Feels nice to not have to mess around with virtual environments or complicated commands 🙂
Will have to spend more time with it before considering bringing it to any the major projects I maintain, but the first impressions have been excellent 😄
Thanks for pushing me to try it!
hrm. I've been reluctant to try it too since I thought its primary selling point ("python for config") is an antifeature, but it sounds like it's got other nice features you liked then?
guess I should look at it again
Any reasons in particular why nox and not tox? (FYI tox 4 will have the option of python code as a configuration...)
I once tried to add an inline comment in tox.ini and configparser tucked it onto the value. That annoyed me so much that I haven’t used tox in my personal projects since. Please nobody ever use inis.
It's mostly just I like writing and using a Python file more than an INI file. This is probably amplified by the fact I more use Nox as a task runner so the flexibility that comes with a Python file is quite nice. I didn't know tox 4 supported Python code as a configuration though! I still have to use tox for other projects so maybe I'll look into tox 4 😄
hmmm, i wish tools like nox and tox would converge, ideally together with pre-commit as well (creation and management of envs, container runs, actions & co)
Me too
Is the reason that 2.bit_length() does not work but 2.0.is_integer() does work (along with methods on string literals, etc) solvable now that there's a new parser? Just seems like a weird quirk.
(Working on updating tutorial materials and thought of that)
Though pre-commit does lots of other envs too, like Ruby, Docker, etc.
I do feel rather silly adding pre-commit to a nox session. 😄
Indeed, having other languages easily available for certain tasks is useful for tasks/updaters
If Nox supports running tasks in other languages, why not 🙂 Tying sessions to Python environments is a self-imposed restriction, not a necessity
Is anyone else having an issue where their GitHub Actions are stuck?
Yes, they were stuck for tox for hours, but got unstuck like 12 hours ago
yeah, seems to be a thing across GitHub, platformdirs has the same
some jobs hang indefinitely, and then a cancel+run unblocks it sometimes
I've enabled threads now 🙂
Threads in discord? Don't see them if that's what you were referring to.
test
Still no setuptools_scm channel, so happy to see https://github.com/pypa/setuptools_scm/pull/580 - just describing the process to someone and saw that PR 🙂
There is #setuptools_scm
I just created it 😛
Currently irritated at the Trove Classifiers showing Python :: 3.10 above 3.5-3.9 instead of below 3.9 on PyPI. 🙂
There was an issue for it (https://github.com/pypa/warehouse/issues/8843), but it's apparently fixed. Something must have regressed.
@hexed briar im wondering yet again about externalizing the deprecation mechanism used in pip to put it in for pytest and setuptools_scm as well as pluggy and a few others,
Which bits?
the bits for gone_in + picking error vs deprecation
im trying to make it so deprecation messages one wants to trigger can be declared either in full or as something to format with extra information + maybe some helpers to put them into deprecations/aliases
Is there a dedicated TUF Vs transparency log discussion forum? It seems to clog up the various TUF github issues
@cold estuary it's my understanding that since the EOL of Python 3.5 you can't get python without pip but with setuptools without actively trying to do it
Eg pip uninstall pip
@ionic tulip not sure what you meant by setuptools 40 eggifying wheels
it fetches wheels and then turns them into eggs
What lol TIL
Also what's ez-setup for? Isn't it only to upgrade distribute to setuptools?
@onyx sphinx it was a way to bootstrap recent enough setuptools from setup.py as setuptools does not self-restart when necessary and thus breaks stuff
(aka setuptools 40 code running in a workingset that has setuptools 45 activated wrongly too late)
Ew
@ionic tulip I've previously considered building something that generates an sdist that's just a tar archive of pip and a whl just extracting one to install the other
Horrendous
But seeing python_requires >= 3.6 I thought effectively prohibited environments without support for installing a whl
At least naturally occurring ones
I can definitely build one by downgrading setuptools and removing pip
When I was looking at removing certifi and wincertstore from setuptools I couldn't find a way to create an environment with setuptools but without pip or a working ssl module without intentionally damaging the environment
Problems arise from legacy setuptools + legacy pip in a system
Modern tools just work as pip handles build requires
As for sdist, please let it stay as honest sdist, a bdist trojan sounds like pain
any Windows users, what's your preferred development environment? do you use Cygwin, scoop, PowerShell?
No Cygwin, yes Scoop, used to Powershell but now a more exotic shell
I quite like Scoop, I use nix on macOS and I miss being able to install desktop apps with my package manager
@undone sinew do you know if there's any reason Debian disables PIE in Python?
this introduces a big performance hit -- edit: on certain scenarios
Nope, but I'll ask
Apparently for performance. You have anything you can point to to show that PIE improves performance? IIRC there is overhead
@quartz yew: ^^
Both start-up time from dynamic linking, and the lost register
👋
Pablo from CPython is gonna join
I have been summoned
The PIE argument for performance doesn't work in x64
x64 has double the number of registers: x86 offers 16 total registers of which 15 registers can be used for computation. Also, x64 uses an addressing mode that is relative to the instruction pointer, so it already requires indirection
And the linker is actually slower due to compilation without PIE
Because weak symbols
Check out this in debian:
root@84bba5f36854:/# LD_DEBUG=all python3.8 -c pass |& grep malloc |& grep binding
30641: binding file /lib/x86_64-linux-gnu/libc.so.6 [0] to python3.8 [0]: normal symbol `malloc' [GLIBC_2.2.5]
30641: binding file /lib64/ld-linux-x86-64.so.2 [0] to /lib/x86_64-linux-gnu/libc.so.6 [0]: normal symbol `malloc' [GLIBC_2.2.5]
30641: binding file python3.8 [0] to /lib/x86_64-linux-gnu/libc.so.6 [0]: normal symbol `malloc' [GLIBC_2.2.5]
This:
- Binds libc's malloc to python
- Binds python malloc to libc
- Binds libc's malloc to libc
Compare with a PIE build:
❯ LD_DEBUG=all python -c pass |& grep "\`malloc'" |& grep binding |& grep python
448938: binding file /usr/lib/libc.so.6 [0] to /usr/lib/libc.so.6 [0]: normal symbol `malloc' [GLIBC_2.2.5]
447600: binding file /home/pablogsal/.pyenv/versions/3.10.0/bin/python [0] to /usr/lib/libc.so.6 [0]: normal symbol `malloc' [GLIBC_2.2.5]
447600: binding file /home/pablogsal/.pyenv/versions/3.10.0/bin/python [0] to /usr/lib/libc.so.6 [0]: normal symbol `malloc' [GLIBC_2.2.5]
Not only that, you get incorrect interposition for malloc
For example, attach gdb to Debian's python and check for the malloc symbol:
(gdb) call dlsym(0, "malloc")
$1 = (void *) 0x41f610 <malloc@plt>
(gdb) info symbol 0x41f610
malloc@plt in section .plt of /usr/bin/python3.9
It basically points to the PLT jump inside the executable, which is super dangerous
Compare this with a sane PIE build:
(gdb) call (void*)dlsym(0, "malloc")
$1 = (void *) 0x7ffff7aa8320 <malloc>
(gdb) info symbol 0x7ffff7aa8320
malloc in section .text of /usr/lib/libc.so.6
It points correctly to libc
This is a security concern and makes a lot of tools dangerous to use, especially if they interpose malloc at runtime. This will explode if you interpose malloc in CPython for debugging or tracing purposes at runtime because you get the address of malloc, that gives you the PLT jump in CPython and then you patch the address of malloc in CPython..... To point at itself
From https://nebelwelt.net/files/12TRpie.pdf:
x64, the 64bit extension of x86 does not have the same limitations as 32bit x86. First of all, x64 doubles the number of registers: x86 offers 16 total registers of which 15 registers can be used for computation. Secondly, x64 uses an addressing mode that is relative to the instruction pointer, thereby removing the need to use an extra register for PIE. A quick evaluation for x64 reports an average overhead of 3.61% and a geometric mean of 2.34% for an -O3 optimization level on the same system using the “test” dataset of SPEC CPU2006.
SPEC CPU2006 is an absolutely demanding benchmarking codebase, so in the CPython case it is going to be even lower
In short: I think not using PIE is dangerous, potentially incorrect, it drives the dynamic loader crazy, it may make startup and loading slower and actually doesn't yield any performance benefits over the 3% mark (and that's probably being quite optimistic)
That being said, I apologize a lot for the wall of text. It's very late here and I wanted to describe everything I know before going to bed so you don't need to wait for my responses to know the whole story 😅
and I misinterpreted the issue initially, so sorry about that
It may also make extensions slower if they end up binding to the malloc() in the Python binary
because that makes 2 jumps instead of 1
But not the executable, the executable always will need at least 1
OK, so we're not expecting PIE to be faster, but not expecting a big overhead either. And yes, there are real security benefits.
I'll relay this to doko
He did say that he'd re-evaluate
I skipped the wall of text, but took notice of its location. Looks handy. 😄
@nocturne swallow is there any way to make a tox environment depend on all default environments?
I essentially want a coverage environment that will depend on py*, without having to maintain the full list (py36,py37,py38,py39,py310...)
It is only one PR away 😉
ah, great!
I think the text of PEP 517 needs to be edited to do that. If it specifies a build backend must call setuptools.build_meta:__legacy__, then the doors are open to whatever setuptools feels like doing today.
Can we get a easy_install.__legacy__ backend?
Well that is selecting, not depending, that would be a follow up PR
And as far as only one pr away that's actually a very complicated PR but WIP
@hexed briar FYI: Integrating pep517 installer into Debian's build process: https://salsa.debian.org/python-team/tools/dh-python/-/merge_requests/20
Yayie!
a build-dep on python-build (>> 0.7.0)
Will pip switch to python-build and python-installer so pep517/8 can go back to being implementation defined? /s
Well... I don't think either is happening unless someone throws a bunch of developer time on it.
Well, there's this (unfinished) monstrosity in the build repo to make it possible for pip to use build: https://github.com/pypa/build/pull/361
Co-maintainer of black popping by, FYI Black has deprecated Python 2 support. Assuming things go as expected the support will be dropped sometime in January 2022 along side the first stable release and the enforcement of our new stability policy (https://black.readthedocs.io/en/latest/the_black_code_style/index.html#stability-policy). I think most PyPA projects are Python 3 only at this point with the notable exception of virtualenv but I wanted to err on the side of safety.
P.S. thank you @hexed briar for your insight, contributions, and encouragement pushing us to do these long overdue changes :)
I think pep517 runs on py2 still
I think there might be a “second” wave of Py2 drops Jan 2022. Manylinux dropping manylinux1 will be taking out many of the remaining compiled packages.
?
Most of the projects I'm on that still support Python 2 will drop it by Jan 2022. pybind11, scikit-build, plumbum, awkward, particle, at least. That why I think there might be a second... Actually maybe a third wave (2020, then in Jan 2021 when pip dropped it, so that would be three waves)
I think virtualenv will also drop python 2 support in January 22
I've completed my anti version capping post. Is anyone interested in reviewing it? I'd be happy to add your name at the bottom if you want me to. Warning, though, it's 14 pages long, only a hair shorter than https://blog.ganssle.io/articles/2021/10/setup-py-deprecated.html. Also not nearly as enjoyable to read, I might see if I can add a bit to make it more palatable. But that would make it even longer 🤦♂️
I'd be up for it
sure, please send it
I will try to review it
I still need to review layday's PR first 😅
Happy to take a look too
setuptools had a CLI? I thought it is just import lib.
Q: Why you shouldn't invoke setup.py directly
A: TL;DR: The setuptools team no longer wants to be in the business
Fair enough, but it would be better to state that it is impossible to reliably scan Python dependencies that are dynamically constructed in setup.py. Which brings up all kinds of security and funding issues.
Be that so, it's not the reason setuptools does not want to maintain the legacy command line invocations
And PEP-621 or setup.cfg addresses that issue, but not relevant for deprecation of the cli endpoints
Tbh I didn't even know you could use setup.py easy_install
Count me in, although, as you might notice, I closed my Discord tab and am catching up now. :P
Very in time for the latest packaging drama! https://twitter.com/SylvainCorlay/status/1459851830926655496
@jezdez Always pinning versions to be lesser than the next semver-incompatible version should always be recommended.
Yeah, I saw that and wished my post was ready. But Paul Ganssle had some largish changes that needed to be done for it.
that was in context of Sphinx and docutils: there's been a few recent docutils releases which broke things for Sphinx, and part of the problem is RTD pinned an old Sphinx 1.8.5 from 2019 (for old projects) and Sphinx is up to 4.x
on some issue it was recommended that if you pin Sphinx, you should also pin docutils (which has been on 0.x for nearly 20 years...)
anyway, Sphinx has now released 1.x - 4.x versions which cap the docutils version
https://github.com/sphinx-doc/sphinx/issues/9807
👋 i'm new here 😄
arrived here from the warehouse repo while looking for prior art/thoughts on "can pypi.org help users figure out if a new version of a package is legit or was created with bad intentions".
is this a/the place to ponder that and hear what others have thought about this already?
I believe the only thing PyPI does right now is optional GPG signing so you can do it if it’s your thing
I don’t think people working on the topic are generally on this server, but some of them wrote PEP 458 on integrating The Update Framework (but you probably already knew that given you’re coming from the Warehouse repo?)
didn't know that, thanks for the pointer. now reading pep458
the direction i was thinking in is making it easy to answer questions like "was this release published by a user who doesn't usually publish releases for this package?" or "does the user who published this release have 2FA turned on?" or "does this release roughly fit with the release cadence of this package?" and things like that which give you some data points on the question of "is this a malicious release or not?"
So it’s less about actually hardening things from the technical aspect, but solving things from the human side aided by tech. There are details to be filled of course and I can think of some features this needs to depend on (e.g. the long-discussed “draft release” feature) but the ideas are interesting. If you have more detailed thoughts https://discuss.python.org is probably the place to write them down (you can reach more diverse people there as well who may have more thoughts in this area).
PyPI grants package immutability, so once the malicious release is uploaded, it should be hard to hide it. That should also come with source availability and reproducible builds to validate binaries. And at this point PyPI would become Debian. 😄
Having a public cibuildwheel server would be excellent
What should it do? Upload sources to it and get wheels?
Sort of like piwheels but for every platform
So they (https://www.piwheels.org/) are rebuilding everything as wheels for RPi? Because PyPI doesn't build them. And people don't need to open an account and upload sources manually.
Wow, that's interesting - https://github.com/pypa/warehouse/issues/10399
What's the problem this feature will solve? https://arstechnica.com/information-technology/2021/11/malware-downloaded-from-pypi-41000-times-was-surprisingly-stealthy/ Pypi currently uses fa...
You can fetch arbitrary files present on Fastly through pypi.org domain.
piwheels have bandwidth stats - https://github.com/piwheels/stats/blob/master/2021q3.ipynb - that's another thing I was denied by PyPI maintainers in https://github.com/pypa/warehouse/issues/10355
The way Dustin closes issues at PyPI tracker triggers me off. If I am not alone there, the warehouse contributor retention should be much lower compared to other similar projects that don't do this.
https://en.wikipedia.org/wiki/Norwegian_butter_crisis -- TIL, and I find this hilarious.
The Norwegian butter crisis began in late 2011 with an acute shortage of butter and inflation of its price across markets in Norway. The shortage caused soaring prices and stores' stocks of butter ran out within minutes of deliveries. According to the Danish tabloid B.T., Norway was gripped by smør-panik ("butter panic") as a result of the butte...
If someone was in Norway during this time, I am really curious if you know stories.
@rough anvil I'm sorry, but do you have anything to add to the discussions here beyond complaining?
I've seen you complaining how your PRs aren't being reviewed (newsflash: nearly everyone here is an unpaid volunteer and we all have limited time), how you aren't being paid for contributing to PyPA projects (newsflash: basically no one here is), how you think PSF should adopt cryptocurrency (this isn't something that's on topic for this forum) etc.
For me personally, all the discussions I've seen you involved in (here, and in the various PyPA GitHub projects) have been generally corrosive; which makes it less likely that I'd spend my free time trying to review your PRs or whatever.
how "evil" would it be if setuptools_scm would ship a flit_core wrapper that could be used as build backend and would force flit to get the version metadata from the scm
I don't see why that would be evil
I personally don't understand the fascination with having the version in Python, who has ever introspected package versions that way? The fact that this is only an idiom renders it completely useless for systematically extracting version numbers from packages
I get it if you're building a CLI and want to print out the version... but otherwise, meh.
I use it all the time, the first thing I'd check or ask someone to do is print out package.__version__. It's such a common idiom, and usually it's helping debug a specific package that follows it.
at Datadog, Agent integrations use packages' in-code defined version for monitoring in some cases
I'd rather setuptools_scm be completely generic (even of setuptools), I'd like to use it in scikit-build even after setuptools becomes optional. 🙂 (and in trampolim, etc)
Systematic version checking is fine, package.__version__ sort of assumes you already know the package. If you are looping over something systematically, then importlib.metadata would be fine.
@robust sandal we are close to generic, it's just that I'd rather update an editable install with a git hook than putting magic evil Metadata into a script
And I want to get off setuptools as well
@robust sandal one thing I really don't get is wanting to get scm data from inside a package, that code path will be at best incorrect on a Normal install, and on editable it is still quite a pain
In general, I don't think it's very important in an editable install. That's generally not a fixed version anyway.
@robust sandal are you aware of any efforts to use memory mapped network byteordered structs/borrowed strings for inputs in computational stuff
Fair enough. But instead of saying that we are all unpaid volunteers, I am trying to change the situation, and complain only when there is no other way to ask for support. I am envyhappy that people here can support themselves when submitting PRs and waiting for them to be reviewed. Personally, I am not that good financially, and I am supported by other people, so the faster I can complete this metadata stuff, the faster I can get to other things. Sorry if that spills out, but I don't see the reason why contributions from unhappy people should not be accepted. Rants are part of communication about issues. If you can't influence the issues, just ignore them. Don't expect everybody to smile if you're in Russia.
Then you aren't abiding by the "setuptools" part of the name. :)
https://discuss.python.org/t/requires-python-upper-limits/12663 might be of interest.
Requires-Python upper limits Requires-Python was added to allow older versions of Python to be dropped by packages without breaking installation on older versions of Python. Currently (and for the last 4+ years), pip handles this quite simply; Requires-Python is a free-form SpecifierSet, and it checks to see if the current version of Python is i...
But why does Poetry error out? Why can't it constrain the Python version in the lock file only?
I'd like it too, but it doesn't. Neither does PDM. These are technically different things; your library's public Requires-Python metadata slot does not need to match the lock file you use in development's allowed Python versions, but both systems do not take this into account. Your Requires-Python should relate to what you think your library will support.
Poetry's love of tight constraints on everything likely will make this hard for them to change. Not sure about PDM.
Unrelated, but I love that PDM's usage of PEP 621 means you can select any PEP 621 backend, not just PDM, and still use PDM. I'm using flit_core and PDM for a project. 🙂
I don’t have much time to get involved in the discussion unfortunately, but this is not specific to Requires-Python. Upper bounding is a generally unsolved problem in dependency resolution, and having an artificial Requires-Python upper bound is fundamentally not any different from having one for say Numpy. And this automatic use of old versions with a seemingly correct constraint that is not actually different, and thus failing to emit good errors, is a general problem in pip’s resolver, not just for Requires-Python.
If you want to educate users to change how they write version ranges (which is proposed as a solution), trying to educate them to always provide a sensible lower bound fundamentally solves more problems than trying to tell them to not use an upper bound (which brings its own problems).
That's why I wrote a whole 10,000 word blog post on version capping. 🙂 But upper bounds on Python version are fundamentally different than upper bounds on libraries. The reason is two-fold; one, you can't change your Python version to make the solve work for an upper cap. You are simply trading a possible failure for a scripted one. And even if you could (only conda), you usually want to have control over the Python version because it affects so much. Second, if you make a lock file, you pin every package except you cannot pin Python. You can't force 3.8.9 or even 3.8 - you make it work for a range of Python versions. Every normal "package" is fully locked.
That's also why I don't like Poetry adding Python as a package in the package list - under locking, Python does not behave at all like a library.
I'm taking it you also like Solution 1?
Also poetry treats the python version bound differently to other version bounds
In that python version is viral because you have to have a subset of valid Python versions of your deps
But that doesn't apply for anything else
Eg you can depend on
coffee == 2
Which depends on water < 60
And water >= 0, <100
It’s due to the fact it can’t lock Python. It locks everything else.
So it tries to calculate the ranges that the lock file will be valid, then forces you to set something within that
Reading https://developers.google.com/optimization/cp right now. Is it how the dependency resolution works in practice?
I think it's related - but the problem is, most dependency resolution systems (poetry, pdm, pip now too) assume metadata is perfect, and do things a normal person would not do (like looking for older packages with looser upper constraints)
I remember a discussion about moving a package to flit (maybe one in the PyPA, maybe not), and mentioning another package in the PyPA to flit next year - but I don't remember where or what packages. @hexed briar , perhaps? Currently discussing wheel, since it has a chicken-egg problem with setuptools & PEP 517. Flit would fix that.
do you mean packaging? the one that got switched back to setuptools after initially trying out flit
packaging and build have discussed moving to flit
No, I think this was much newer than that - in fact, I think packaging was the "second" package mentioned, the one planning to move next year, but I'm not sure. I clearly remember the tone of the text, it was something like "If you can't work with this, you should solve your problem, because more things will be moving next year" sort of a tone.
I don't know, I can't think of another project in the PyPA where that discussion might've happened
pradyunsg/installer is using flit. I'd be surprised if pypa/build and pypa/packaging don't end up making the switch next year.
Up to the maintainers 😊
Of course.
I believe you're referring to https://discuss.python.org/t/debundling-the-next-pip-release-will-require-handling-pyproject-toml-based-build-backends/12329
This is mostly a heads up for redistributors, since I can’t really figure out any other good place to put this. There’s been a bunch of discussion around this in pip’s issue tracker, and I figured that this is important enough to call out in a more “visible” spot. The upcoming pip release will have rich vendored in it. You should be able to fin...
Yep, that's it!
i wish the flit maintainer wasn't so hostile about scm metadata, it practically means i can't use flit in any of my projects plus it's an ad absurdum for pypa packages being deliberately incompatible
Someone did write flit-scm package...
@ionic tulip hey there! if you have an hour or 2 of free time this week... I would really like to release v1 (non-rc) of my Hatch (https://github.com/ofek/hatch) rewrite next week and I would love it if there was an initial plugin for your SCM logic 🙂
I already wrote 2:
- https://github.com/ofek/hatch-containers for running environments inside Docker containers
- https://github.com/ofek/hatch-mypyc for compiling code with https://github.com/mypyc/mypyc
docs: https://ofek.dev/hatch/latest/plugins/about/
I'm assuming for such a plugin you'll need to implement:
- https://ofek.dev/hatch/latest/plugins/version-source/ for getting the version
- https://ofek.dev/hatch/latest/plugins/build-hook/ for writing that to a file
afair that was a hack by @west basin which was not meant for more detailed consumption
i can help if there is anything needed on the setuptools_scm side, I'm not going to write a plugin myself
in particular since there is a completely new concept of version hooks and schemes in that lib as well
is it tightly coupled with setuptools?
not anymore
I'm just bringing back gumby elf on top of PEP 660 and PEP 621 and will use setuptools_scm there
oh nice! is there a separate lib or is the api in setuptools_scm itself?
in setuptools_scm itself - the configuration api is still a bit involved, but in most cases it can be trimmed down to getting a configuration and then building on top of it
@junior narwhal btw, I'm happy to discuss rearranging version schemes and adding tagging capabilities to setuptools_scm (if it would mean better shared tooling there)
Is there any written rules/materials about the status of aliases on PyPI (same package uploaded under different names, in my case a tool that is exporting multiple CLI commands)? I don't think PEP 541 mentions it explicitly, since the name-squatting section seems to only cover useless/empty packages.
Seems strange, is this like one package per script with otherwise same contents? Wouldn't that break uninstall?
To me an alias would be a different package that's practically empty that depends on another one
Like uh tox4 and pytest-celery
Python stats from https://mayeut.github.io/manylinux-timeline/ Jan 10 (would be better averaged, but still interesting):
2.7: 5.8%
3.5: 1.5%
3.6: 15.1%
3.7: 54.7%
3.8: 17.9%
3.9: 5.3%
3.10: 0.2%
This is based on downloads for 3,564 packages providing manylinux wheels. The full graph is interesting too. This of course is linux users that are using binary packages (but lots of packages have binaries, so a pretty wide sample). I'd expect Windows and macOS users to be much, much more highly biased toward recent versions.
The most interesting thing to me is how wildly popular 3.7 is. I read that 1.8, 2.7, and 3.6 were especially special/popular releases, but I don't know what's up with 3.7. I can think of some major OS's with 3.6, but 3.7 seems well out of proportion; it took the most popular python (from a 2.7/3.6 tie) in mid 2020 and it's still gaining in popularity (from 2.7-3.6 users, I hope!)
I don't know why 3.7 is so popular but I personally can't think of anything I'd like to use from 3.8-3.10 that isn't backportable, perhaps with the exception of match statements
Version capping lovers/haters: typing_extensions recommends users cap it now: https://github.com/python/typing/issues/1023
I'm not sure if they are recommending it exactly but why would you upper cap a backport?
It makes no sense
Oh so they plan to remove old backports when they bump the major number?
yeah
Why not just make it reexport the stdlib one? Backward incompatible removals will break the ability to use the library at all, since it's so foundational and we don't have nested dependencies in Python (you could do this in JS)
Or have a deprecation warning + deprecation period, that's much more Pythonic.
I don't understand why they don't just up the minimum required Python version then? Are they gonna remove backports for type constructs introduced in patch versions of Python?
Actually that would work as well, so uh...
If you release typing_extensions 5 with 3.8 as the minimum required Python, and remove typing_extensions.Protocol, then anyone still supporting Python 3.8 is broken - if they didn't put an if on the typing_extension import and use import Protocol from instead of fully qualified names, they are even broken on 3.8+. They have to pin typing_extensions==4.*. But that immediately means they conflict with a library that requires typing_extensions>=5 - which libraries are supposed to be able to do, that's the point of a backport, to let users stuck on older versions use newer features!
I didn't imagine they'd simply remove it, only that they'd import it from the stdlib instead
Lol, issue closed because we didn't allow an honest debate 😁 I feel we brought more arguments than he did 🤷♂️
Positional only arguments (for API design) was a big one for NumPy. All the nice type updates that also can affect runtime (getitem on types, union operator for types), union operator for dicts, etc.
The people I didn't include were siding with us, too, like JelleZijlstra and hautsaninja . Not one heart or thumbsup on his side.
And all I was asking was for the readme not to ask people to cap. It's going to be much harder in the future to convince libraries to not cap typing-extensions if they see this README. Like what literally happened on TensorFlow. If they had capped to <4, we'd have the same problem again already.
https://github.com/twisted/twisted/blob/trunk/setup.cfg#L37 twisted doesn't pin
Most packages don't add upper caps, it's only been in the last 1-2 years that capping has started to show up. Solvers don't handle upper caps correctly, also - if A adds an upper cap, and B puts a high lower cap, it will backsolve and grab the old A before the upper cap was added. If most packages don't upper cap, this doesn't happen much.
Is there a way to get better visibility for https://discuss.python.org/t/pattern-matching-and-paths/12819 ? No one responded to that, maybe it was the wrong place to open it?
I was writing a tutorial on pattern matching, and I thought matching against paths would be useful. My first thought was str(x), then I thought about PathLike’s, so I tried: case str(x) | os.PathLike(x): ... But this doesn’t work - PathLike doesn’t have a match_args or even a property that a match args could point at. Since it’s a Protocol...
typing-sig
Even though it's about pattern matching, and not typing?
Alright you tempted me enough to read your very long indeed blog post. I didn't know these issues I was seeing on the psf/black were part of this entire mess 🙂
I'm tempted to add two small additions to it - one on how "smart" solvers back-solve to find older, uncapped versions to complete a solve, creating really bizarre errors from pulling old versions hidden from the user, and a mention about why asking users to cap versions doesn't work (some users, including me, will sometimes not listen and will keep it uncapped); you can't rely on everyone being capped, regardless of how many people actually read your README, and that asking people to cap also means you are signing up for backporting security updates to older versions. Okay, that's three.
Those sound pretty fair to me, and yeah the resolver does sometimes decide on a very out of date solve which has annoyed me before
Actually why are you trying to parametrise str and os.PathLike? You don't need to be able to match args on a protocol or a built-in type, case str() | os.PathLike(): ... should work by falling back on isinstance
If you wanna bind os.PathLike you can do os.PathLike() as a
case (str() | os.PathLike()) as a would also avoid repetition :)
@ebon nymph do you have a link to the pyproject.toml formatter by chance?
Sorry Ronny, it might have been a misunderstanding previously, the ini2toml project implements an AST-like data structure for intermediate-representation and then transforms it into a "pretty-printed" TOML (all the points you have mentioned before are still pending) using tomlkit/atoml. But we currently don't have a formatter per-se. If someone writes the intermediate representation, the code in the project might help.
oh, i see
Any good tricks to test a PEP 518 requirements list against a local package? I'd like to make sure requires = [..., local-package, ...] pulls the local-package I'm working on, not the PyPI one. I was looking around a bit in @quartz yew 's mesonpy, but didn't see if that was done here. (I'm actively testing for something that is only broken when using the temporary virtual environment, so can't just disable it)
not really
I would just create a venv and install whatever you want there
then run pypa/build without isolation
pypa/build will warn error out if there are any missing dependencies and stuff
if you want to have a more automated way of doing this, to integrate in te, CI, etc, you can make your own tool for it
should be fairly simple
The problem is only exposed by the moving nature of the temporary directories. CMake remembers the location of ninja, but the location of the executable moves between invocations when there's a disposable venv every time!
My thought was to pre-build my package in a directory, then provide that directory in PIP_EXTRA_INDEX_URL (but that's not yet working for me)
I still don't fully understand the issue
you control the virtual environment location
@robust sandal yeah, this was very tough to get right 🙂 https://github.com/ofek/hatch/blob/master/tests/backend/downstream/integrate.py#L87
Thanks @junior narwhal ! That was just enough to get me there. I needed PIP_FIND_LINKS and I needed to use PIP_NO_INDEX to force the local packages and pip downloading things everything first.
This is what I ended up with: https://github.com/scikit-build/scikit-build/blob/1ca19f5f04ee543a7b1048909935b6d03f84b5c3/tests/conftest.py#L14-L29
I'll also be eventually working on some finer grained tests, which I can use virtualenv's for, but I need at least a few that run the entire process.
@hexed briar is there anything that can be done to ensure the timely inclusion of durations and short times into toml as 1.0 is out
Putting more free time on my calendar, if possible. 😅
hmm, i don't think we get the required temporal and dimensional engineering capabilities on time for that
Damn. 3.7 - Is that Ubuntu LTS and most distro version?
cooper@home1:~$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=20.04
DISTRIB_CODENAME=focal
DISTRIB_DESCRIPTION="Ubuntu 20.04.3 LTS"
cooper@home1:~$ python3 -V
Python 3.8.10
Got 20.04 LTS I run on all my personal shit - Desktop is Fedora tho - It's latest 3.9 I think
No. Ubuntu LTS skipped 3.7, actually. 18.04 was 3.6 and 20.04 is 3.8. CentOS is still 3.6, even for 8 (they basically are only interested in AppStreams now, I think)
AWS perhaps?
I deadsnakes all my ubuntu installs anyways
Only way to live:
cooper@home1:~$ python3.11 -V
Python 3.11.0a4+
I don’t particularly like deadsnakes since it intentionally inherits too many quirks from Debian’s system Python. But it’s an OK way to live.
Yeah basically build myself. I use pyenv’s python-build script, which automatically downloads the source and sorts out most of the autoconf things.
Debian patches the heck out of distutils and sysconfig and can have weird issues when you pip install a package globally (and in some edge cases even in virtual environments, although those are considered bugs and all known ones have been fixed)
Yeah I venv all as mostly dev in latest current release (3.10 branch atm) and use latest 3.11 to repro CI failures in 3.11 …
So it works fine
Deadsnakes gets debian's bugs, which breaks pypa/build, I agree. 😄
lol pip's name is not obvious
for context this is Python Discord's first trivia night of 2022
Here’s a real trivia: Nowhere in the official documentation will you find the answer to this question. Officially pip is just pip, the name does not stand for anything
I think there's a wikipedia entry, and the original announcement noted that it's a recursive acronym "pip installs packages"
The name pip is an acronym and declaration: pip installs packages.
Right now this doesn’t work well with egg directories (i.e., packages installed with easy_install), though that shouldn’t be too hard to resolve.
Has that been resolved?
Do you have Poetry woes? Is poetry update taking 10 minutes? 60 minutes? Hours?
Let me help you... 👉 https://t.co/OjEEosIz6D (top takeaways in the 🧵👇)
This is because hypermodern python installs everything into dev; all style checkers, all type checkers, etc. And everything is capped, of course (fixed in newer hypermodern versions, which helps a little). Is this what hatch's environments solve? (I always use pre-commit + nox, so that nothing that is independent is co-installed, and wouldn't dump everything into one environment)
But my solution doesn't lock additional_dependencies (hasn't been a problem), a multi-environment lockfile could, though.
This is just computing the resolution afaik
Yes, it's a resolution for a massive number of dependencies (started as https://github.com/cjolowicz/cookiecutter-hypermodern-python/blob/955c2571b8ac619d53439dbb05a4086bc996f2fe/{{cookiecutter.project_name}}/pyproject.toml#L28-L51 ), some of which are designed to be apps, not libraries
It's mostly all commented out https://github.com/john-sandall/poetry-speed-test/blob/main/pyproject.toml#L31
I think the timing tests were from before then. It takes about a minute for me to solve with the comments.
Is this what hatch's environments solve?
yes
Hmm, was liking the idea of isinstance(x, A | B) for 3.10 only code a lot more until I realized that it's not possible to completely avoid tuple of types; except ErrorA | ErrorB doesn't work.
there's still time to get a new PEP in for 3.11 before beta 1 on 2022-05-06!
This might not even need a PEP and can be a simple feature request (since “this syntax should be useful at runtime” is already settled on)
Where should I make a simple feature request? If I was to work on a PEP I'd probably work on overridable short circuiting and/or (numpy, etc), something to make extras easier to self reference (packaging), exception traceback frame hiding (IPython, rich, pytest, etc), a __pretty__ protocol (rich, etc), ... None of which I have time for. 🙂
An Enhancement issue on bugs.python.org
(Or GitHub if you make it after the migration)
hmm, @robust sandal it's a bit unfortunate, but the A|B syntax may likely have a little extra runtime cost
and it blurs the semantics of the | operator, so it's probably not a good idea IMO
Honestly it's weird that except matching doesn't use isinstance
afaik it used to on Python 2
It does?
I don’t know if Python 2 literally uses the function, but except does follow a logic closer to isinstance on Python 2
For example
import abc

# Python 2 example: MyExceptionABC is an ABC, and MyException is registered
# as a virtual subclass instead of inheriting from it.
class MyExceptionABC(Exception):
    __metaclass__ = abc.ABCMeta

class MyException(Exception):
    pass

MyExceptionABC.register(MyException)

try:
    raise MyException
except MyExceptionABC:
    # Python 2's except clause honours the ABC registration and catches this;
    # Python 3 ignores it and lets MyException propagate.
    print("caught")
This prints caught on Python 2, but the Python 3 equivalent would let MyException bubble up
huh I always thought it was isinstance (or well its behaviour) under the hood
I guess I haven't made enough custom exceptions to realize it's not :)
The algorithm it uses isn't exposed anywhere either so it makes exceptiongroup backporting a bit painful
Ah yeah I think it uses issubclass on Python 2
I think related to the fact sys.exc_info() might only have the type and not the instance in Python 2
Can I transfer pip-with-requires-python to pypa? Re: https://github.com/psf/requests/pull/6091#discussion_r834551612
PEP 609 says to post to
https://mail.python.org/archives/list/pypa-committers@python.org/
But I won't unless people think it will fly
I'm -1 on requests recommending people install it unless it's a pypa project
We'd be onboard to adopt it if it's a formalized tool for fixing the pip bricking problems. Otherwise, we can internalize those values in our setup.py to modify the error message by python version.
Make a post on discuss.python.org? That's publicly archived, unlike this Discord server which is more temporal.
I wonder if we could get this directly in pip if we can figure out package self-dependency
i.e. make the latest pip depend on pip<something; python < 3.7 etc
The versions of pip that did not know about requires-python also did not handle self-references too well, IIRC.
Uh good point
Also you don't really want to drag that baggage around in pip itself forever
FWIW, requests moved away from trying to recommend how to deal with issues on EOL Python versions + EOL pip versions.
Oof. I didn't know -- thanks for the heads up!
Oh no. Wherever Eli popped up, i was happy because that meant upstream bugs got fixed and big projects tackled.
6 votes and 9 comments so far on Reddit
Creative way of distributing a bundle of packages: https://github.com/vmware/vsphere-automation-sdk-python 😆
Whoever thought about this deserves kudos for the resourcefulness
Definitely the first time I've seen something like this: https://github.com/vmware/vsphere-automation-sdk-python/blob/58bd111c1cd3c380fca0b7c233cc92a7b1aadaa2/setup.py#L16-L24
Precisely... The install via VCS link "accidentally" makes the local wheels available, so the setup script can list them.
ughh, bad memories lol https://github.com/vmware/vsphere-automation-sdk-python/issues/38#issuecomment-617912444
Hacks like this are why I wish we never gave people a turing-complete way to define metadata. :(
Seems like vmware might be changing their mind about publishing on PyPI: https://github.com/pypa/pypi-support/issues/1811
heya
Ugh why does appdirs/platformdirs return Library/Preferences on Mac for the user config dir? Apps should never write to Preferences, plists are managed by the system - the Mac equivalent of .config is Application Support
plists are not managed by the system, ~/Library/Preferences/[Application Name] belongs to the application
The plists in there are all created by the applications individually (generally via NSPreferences if you use Cocoa). And if I recall correctly there’s no rule saying you can’t write something other than plists in there either.
Although conventionally indeed Application Support is a more common place for arbitrary data files
open an issue?
They are managed by the system in the sense that you aren't creating any of them manually, there's just the 1 API that's used to manage plist prefs
This is what the Apple guidelines say:
Contains the user’s preferences. You should never create files in this directory yourself. To get or set preference values, you should always use the NSUserDefaults class or an equivalent system-provided interface.
That would be a breaking change so it's not gonna happen
@west basin an open issue could implore us to make such a change in a potential major release
more correct behavior, in time, has no blockers (imo)
This was already sort of being tracked in https://github.com/platformdirs/platformdirs/issues/47, I left a comment there
Should I think of typing.Final as “const” … trying to understand its usage
Const pointer to a (potentially mutable) object
Is the right way of thinking about it
It's like a tool type-checker enforceable version of the SCREAMING_SNAKE_CASE convention. Often you use both
Well it's not enforced at runtime so more like type checker enforceable, no?
Yes, that would be a better way of putting it. I didn't think I needed to clarify it, but I realize linters probably already enforce the screaming snake case convention.
iirc Mypyc will cause runtime errors
Yeah, but only if you use mypyc 😂 few do so
Yeah the only major uses I've seen in the wild are mypy itself and black.
Blog posts are being written about mypyc though, so perhaps that'll change in the not so distant future (I'm writing one and someone else is too)
when we drop py2 I plan on using Mypyc for all our Agent Integrations at Datadog
Revolution of mypyc 💪
My series takes a more negative view on using mypyc for production 😅
You don't like to live dangerously like @junior narwhal
It's still alpha quality software. Black is actually stuck on mypy 0.920(? might be the 0.91x series) as there's a show stopping bug lol
You could argue using mypyc on black is already living dangerously :p
surprisingly only three crash reports have been filed since the start of the year
I got to use cibuildwheel for the first time building the mypyc wheels which was neat. I had a real fun time of "not reading the documentation thoroughly and regretting it" 😄
😂
JS has a neat linter that upgrades your mutable bindings to const - one of these for typing.Final would be neat
@upper hill you meant the "pypa discord" https://discuss.python.org/t/pep-rfc-python-package-index-warehouse-json-api-v1/9205/20?u=ichard26 no?
Howdy all, long time. I’m going to try and get this moving again. I’m at PyCon US 2022 and in the Packaging summit, so might try and start a discussion. I guess the main thing to work out now is: a) Do we want a PEP on the current API at all? It seems people are divided on this b) If not, do we want to just describe the new API (which we did ...
Yolo
Surprised there's no mention of Nuitka
Some people don't use src/ directories, so we can't have nice things. 😄
The guidance on using a src layout isn’t easy to find. Is there anything using clear language? I just found this comment, but not the to-be-created guide @hexed briar talks about in it: https://github.com/pypa/packaging.python.org/issues/320#issuecomment-495990983
I have written a very short "intro" about the src-layout here: https://setuptools.pypa.io/en/latest/userguide/package_discovery.html#src-layout
(as part of setuptools docs, it is biased towards that backend)
hopefully Python one day no longer includes the current working directory by default 🙂
I'd much prefer that over src-layout
I think far too many people rely on that behavior 😦
@junior narwhal i would much prefer if src would get mapped to the target.package ensuring one always needs an install or an editable install
wouldn't no longer including the current working directory require an install or editable install?
FWIW I was taught to use src before coming to Python and took some time to adjust
I’ve also been sold on the benefits of source. I was a standout
@junior narwhal i prefer requiring an install/editable install
(so many import mismatch errors in pytest due to "files" instead of modules and packages)
I guess https://discuss.python.org is not tracked by https://status.python.org/
Weird issue with extras: root seems to be an invalid name for an extra - is that expected? It doesn't seem to be making it into the metadata at all (setuptools setup.cfg configuration)
should work with Hatchling
This is a package that could (and probably should) move to hatchling. Though I am curious as to why it didn't work. (I also like the replacement "uproot" vs. "root" in this case better - uproot is our python package, while root is the classic C++ package)
@nocturne swallow On pyproject-fmt, I've always put requires above build-backend, since that's the logical order (the build-backend comes from the requires packages), and that's the way the pep's show it too. I'm guessing you are just making it alphabetical, but you have custom order for project already.
It's a hard coded list 😅
Yes, but could build-system also be a hard-coded list? It's only two items. 😄
I feel it should - I wonder where we should report it - Maybe https://github.com/python/pythondotorg/
Opened an issue about the format as we discussed privately: https://github.com/tox-dev/pyproject-fmt/issues/22
Going to be short on time for a while, review coming up. :/
Thank you very much @upper hill, I will see if they already have an issue, otherwise I will open a new one.
wat
Collecting platformdirs@ git+https://github.com/platformdirs/platformdirs.git#egg=platformdirs
Cloning https://github.com/platformdirs/platformdirs.git to /tmp/pip-install-_mxeut0w/platformdirs_8149d2784e624f2faafb7f316f16df5e
Running command git clone --filter=blob:none --quiet https://github.com/platformdirs/platformdirs.git /tmp/pip-install-_mxeut0w/platformdirs_8149d2784e624f2faafb7f316f16df5e
Resolved https://github.com/platformdirs/platformdirs.git to commit fe858f0cff62ac3db495c1f0c93d559348e721a8
Installing build dependencies: started
Installing build dependencies: finished with status 'error'
error: subprocess-exited-with-error
× pip subprocess to install build dependencies did not run successfully.
│ exit code: 1
╰─> [5 lines of output]
Collecting hatchling>=0.22.0
Downloading hatchling-0.24.0-py2.py3-none-any.whl (58 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 58.8/58.8 KB 3.3 MB/s eta 0:00:00
ERROR: Could not find a version that satisfies the requirement hatch-vcs (from versions: none)
ERROR: No matching distribution found for hatch-vcs
[end of output]
note: This error originates from a subprocess, and is likely not a problem with pip.
error: subprocess-exited-with-error
pypi incident?
status page all green 🤔
I'll try rerunning the failed jobs, but the error is weird
yeah seems to be a weird transient issue @junior narwhal how strange...
Network issues happen from time to time
I've been playing with WSL, and wow, this might make windows a top tier dev environment now
yeah it's amazing
@junior narwhal im wondering - for pure python packages could hatch be enabled to produce the wheels even without a build env as long as all the necessary dependencies are available (and/or better cache them) (to remove the env creation delay)
🤦 wrong channel
yes hatchling build
just used PEP 562 for the first time https://github.com/pypa/hatch/blob/2250ca92a19ad67d16e26b39130f7237d339d5c3/src/hatch/cli/new/migrate.py#L266-L279
it unlocks god mode
I mean, it doesn't unlock it, you could do that already, just with more code 😅
but it is very useful to lazy load module attributes
I read 582 and was quite confused when I looked at the link... Ahh, yes, I've loved __dir__, that does actually unlock proper completions; I'd always do a def __dir__() -> list[str]: return __all__ on public modules. For __getattr__, here's the Python < 3.7 impl for plumbum: https://github.com/tomerfiliba/plumbum/blob/5fa1452846aae4a1fd2904bf145b0801c2050508/plumbum/__init__.py#L92-L114
Not necessarily that much more code, just much nicer code. 🙂
That's pretty cool (especially __dir__)
reminds me that now that apipkg has dropped python 3.6 and lower it should use the new apis
@robust sandal plumbum looks pretty interesting for sorting some scripting pains
This really does look hacked, the last change to the repo is 2014, but the PyPI releases are all from 2022, everything else is deleted. https://twitter.com/joerick/status/1529008261650952192
Python people might want to check if they've got ctx installed in their package... make sure it's pinned to an older artifact if so! https://t.co/QMF0eb3sQJ
Any pointers to tools to manage a pypi mirror with focus on limiting packages to a list of preapproved (security vetted ) packages?
perhaps devpi with a whitelist for the upstream?
Anyone know if there is any way I can actually specify a dependency on apsw ||https://rogerbinns.github.io/apsw/download.html|| in my pyproject.toml?
currently the way to install it seems to be (only on windows):
pip install git+https://github.com/rogerbinns/apsw --global-option=fetch --global-option=--all --global-option=build --global-option=--enable-all-extensions
Mainly want to make sure that it really is not possible or I overlooked some new thing that makes it possible, before giving up and reaching for the duct-tape.
TIL this exists ... Should probably update it.
adds to list
I'm at a loss... is there a way to write a file from an open buffer without reading into memory at all?
from importlib import resources
import os

# copies a package resource to a file on disk; reader.read() pulls the whole resource into memory first
with resources.open_binary(package, name) as reader, open(os.path.join(directory, name), 'wb') as writer:
    writer.write(reader.read())
I really can't find a way
I don't think so no, because you have no idea what's backing that buffer, so you're stuck with the lowest common denominator operations
There is https://docs.python.org/3/library/shutil.html#shutil.copyfileobj that lets you move the problem to python stdlib. But I don't know offhand what optimizations it uses
it reads in chunks, which lowers memory usage, but I don't know if it does any other optimizations
@junior narwhal @quartz yew unfortunately it's explicitly not using sendfile - those are only used in the copy helpers
@junior narwhal https://github.com/python/cpython/blob/9912b3d989b0cb442e9f9d55fbdd30d55591e2fc/Lib/shutil.py#L84-L167 has some examples of faster stuff, the apos are a bit of a pain
sendfile is the os level optimization for linux fyi (just in case you were confused like me)
@silk jungle i believe the intended detail is to do what copy/copy2 already do, but copyfileobj skips due to compat concerns
off-topic twice over: ugh I don't like the you in that sentence, it sounds like I mean Ronny but I mean other people
either english is hard or I'm bad at english :)
don't worry, I'm an aspie
ah, good to know. I totally didn't have to search what that meant /s 😅
you learn something new everyday
👽 😶🌫️
Stranger Things S4 is so good
that Running Up That Hill song they used was brilliant
almost like they wrote an entire character arc for the song lol it matched that perfectly
Does anyone know if there is a way to add a sub-team to the PyPA's GitHub Setuptools Developers team (or add another team, e.g. Setuptools Doc Editors) that has write access just to the docs folder (and read permissions on the other dirs)?
I think @valid rover has set up something like this for urllib3 via a CODEOWNERS file:
https://github.com/urllib3/urllib3/blob/8ab5eb83a0bf359f5372a8eff2b07f46fe34203d/.github/CODEOWNERS
see also https://sethmlarson.dev/blog/security-for-package-maintainers#platforms-and-roles
Thank you hugovk, I will have a look at this.
if you're not already a PSF member, there's 5 hours left to join to be eligible to vote for the PSF board!
https://www.python.org/nominations/elections/
most relevant for folk here:
Contributing members are people who dedicate at least five hours per month working on projects that advance the mission of the PSF, where the work relates to the creation or maintenance of open source software available to the public at no charge.
sign up here! https://www.python.org/psf/membership/#what-membership-classes-are-there
Is that any open source software written in Python, or only projects like CPython, mypy and PyPA stuff that's directly associated with the PSF?
it's pretty broad, I put the Pillow imaging library as mine when I joined
the sign up form says:
PSF Managing members are people who dedicate at least five hours per month working to support the Python ecosystem - by organizing Python events, managing or contributing to PSF projects, running infrastructure, participating in one of the PSF's working groups etc.
PSF Contributing Members are people who dedicate at least five hours per month working on Python-related projects that advance the mission of the PSF. Python-related projects can be open-source software projects using Python you contribute to, Python user groups / conferences you organize, etc.
so there's like an hour left to sign up? Probably won't make it through the queue in time now?
yes an hour and 2 minutes, plenty of time! they're still recommending nominations and sign-ups so go for it!
https://twitter.com/ThePSF/status/1537387009068744704
This is it! Your time is almost up for renewing your membership or deciding to run for our board this year.
8 minutes left and no response on my application :(
hopefully it just needs to arrive by the deadline 🤞
I got the invite!!!
Helios is now encrypting your ballot
(0%)
This may take up to two minutes
Wot
Where do I put my ballot tracker?
When the new PSF board decides to go scorched earth on Ruby or Golang we can share ballot trackers to prove we didn't vote for that?
go scorched earth on Ruby
I don't know what this refers to, but I just had to write some at work to fix a build, so I support that
I think the code of conduct would prevent such an action
XD
What the heck is up with that critical project mess, this hell is literally giving me stomach cramps on a Friday evening
What do you mean?
Projects marked critical are being given free security keys, and will, in the future, require 2fa
This force down of supply chain security is a pain, and it already claimed a victim: with atomic writes being deleted once to drop the flagging, it seems like a few years of pinning updates just got destroyed
The maintainers of atomicwrites making a silly decision to delete their project in a futile attempt not to be flagged critical (futile.. since the cronjob will just reflag it tomorrow anyways) is on them.
PyPI mandating this is hardly out of line with how the ecosystem is going. Other repos already do, and Github itself is going to require it in the future.
With github it's not mandatory per se, i can totally understand sudden kneejerk reactions
There should have been a period of just recommending it,
And projects should be able to opt out of being critical, maybe a Nebraska flag (see the xkcd)
this is the period, 2fa is not required anywhere right now except for projects that have explicitly opted-in to it.
The communication about that was naively optimistic about how it would be perceived then
Github is making it mandatory
GitHub will require all users who contribute code on GitHub.com to enable one or more forms of two-factor authentication (2FA) by the end of 2023.
Also the majority of the response has been positive 🤷♂️
https://pypi.org/security-key-giveaway/ says "This requirement will go into effect in the coming months", I'm not sure how to make that more clear but happy to revise.
Well, there will be some hot fixes for pytest now as atomic writes is gone for good it seems
still seems there https://pypi.org/project/atomicwrites/
I suppose old pins are no longer available as well?
LOL, https://github.com/untitaker/python-atomicwrites#unmaintained someone is taking this badly 🤷♂️ time to fork it I guess
deleting a project deletes it yes
to be fair the logic is simple enough to just not use a lib for it 🤷♂️
the files themselves are still around because we don't actually bother to delete them from GCS
So wait if I disable 2FA I can request the keys? 
Someone could just ask this person to hand over the project, FWIW. They'll likely say yes.
wtf, that's an extreme reaction by that person
wait until they hear about GH requiring 2FA!
Hatch cli depends on that. any alternatives?
could just copy the small amount of code into hatch, it's less than 250 lines
yeah 😊
What if he requests a GDPR deletion? As you probably store meta-data with those files, that point to him.
we don't store metadata with the files other than what's in the database
and the database is what deleting a project deletes
other than whatever metadata is stored inside the file
As the pyproject.toml for example has a maintainer field, this would be where you are storing identifying data, so he probably can ask for a deletion, just so you know
I mean we don't care about deleting things from GCS in general, we just don't programmatically do it. If someone gives us URLs of something that needs to be deleted we can
GDPR doesn't really require us to delete here though, as it carves out exemptions for the right to be forgotten for legitimate uses
Sorry, you're not currently eligible for a promo code.
Reason: You already have two-factor authentication enabled
Disable your 2FA now to enter the free physical security key giveaway!
Don't you need an encoding arg on that?
I thought fdopen just calls io.open which opens in text mode and filesystem "locale" encoding by default
If you opt into EncodingWarnings it will tell you
Is it normal that Google is rejecting the promo codes given by PyPI for the keys (maybe it will generate the code even when the quota is over)?
you need to add 2
PS: If you're trying to redeem your code and getting 'Promo code doesn't apply', increase your quantity in the cart from 1 key to 2 keys!
Our intention is for everyone to be able to have a secondary backup key in addition to their primary key.
Thank you very much Hugo
every week I search GitHub for new Hatch users and issues that I might catch early. just came across this comment 😅 this person seems unhappy to add new things https://github.com/spack/spack/pull/31512
That's a pretty unfortunate project name (at least in British English)
Most recently, they now recommend all new packages use hatchling instead of setuptools.
I missed that announcement /s
Yikes, haters gonna hate
AHAHAH
I recommend all projects just hand create wheel files using zip and make
No make is evil. One should type each command using your keyboard.
Or flip the bits on a hard disk manually, with a magnetized pin and a steady hand.
None the less, thanks for flagging that @junior narwhal -- I'll see if Adam takes me up on my offer from that thread. :)
I was mildly surprised to find that Shellingham is now a critical package on PyPI.
This is probably because it is depended on by several packaging frontend tools including Poetry, PDM, and Hatch.
The problem is, I am currently the sole owner of the package (on PyPI) and don’t have much time to take care of it.
Anyone wants to help reduce the bus factor? The code is pretty straightforward, and there aren’t many updates.
The release process needs some automation but should be simple enough to infer with common sense.
cc @junior narwhal :p
sure I wouldn't mind 🙂
just add a pypi token as a github secret and I can add a job on tags
I’ll add you on PyPI first. What’s your username?
Ofekmeister
fyi just boosted the server to level 1 https://support.discord.com/hc/en-us/articles/360028038352
@shadow zealot can you do that?
I added a PYPI_API_TOKEN under repository secret
The python SC and psf are looking at changing their policy on the https://github.com/python namespace in such a way that's pretty reasonable but interacts with the https://github.com/psf and https://github.com/pypa and https://github.com/jazzband/pip-tools policies in an axe-rake fashion that could end up with all of them gaining 1.3k maintainers
Hmm, any public discussion you could link?
I don't think anyone's noticed?
then how did you learn of this? :)