<p><strong>Watch the live stream:</strong></p>
<a href='https://www.youtube.com/watch?v=PO6gv7BUAdg' style='font-weight: bold;'>Watch on YouTube</a><br>
<br>
<p><strong>About the show</strong></p>
<p>Sponsored by <a href="http://pythonbytes.fm/foundershub2022"><strong>Microsoft for Startups Founders Hub</strong></a>.</p>
<p>Special guest: <strong><a href="https://twitter.com/sethmlarson">Seth Larson</a></strong></p>
<p><strong>Brian #1:</strong> <strong>Test your packages and wheels</strong></p>
<ul>
<li>I’ve been building some wheels the last couple of weeks with various tools:
<ul>
<li>flit, flit-core, and flit build</li>
<li>hatch, hatchling, and hatch build</li>
<li>setuptools, build_meta, and python -m build</li>
</ul></li>
<li>There are a few projects I’ve used to make sure my projects are in good shape
<ul>
<li><a href="https://pypi.org/project/wheel-inspect/">wheel-inspect</a> - inspect a wheel from Python code with the <code>inspect_wheel()</code> function, which converts the wheel's details to JSON, or from the command line with <code>wheel2json</code></li>
<li><a href="https://pypi.org/project/check-wheel-contents/">check-wheel-contents</a> - a linter for wheels</li>
<li><a href="https://pypi.org/project/tox/">tox</a> - easily test the building, installation, and running of a package locally
<ul>
<li>I actually start here, then utilize the other two tools</li>
</ul></li>
</ul></li>
<li>Should have been obvious, but it wasn’t to me
<ul>
<li>Projects stored in git (such as on GitHub) don’t keep wheels in git. (This was obvious.)</li>
<li>When installing from git using <code>pip install git+https://path/to/git/repo.git</code>
<ul>
<li>Your local pip will run the packaging backend to build the wheel before installing.</li>
<li>Yet another way to test packaging.</li>
</ul></li>
</ul></li>
</ul>
<p><strong>Michael #2:</strong> <a href="https://www.fast.ai/2022/08/25/jupyter-git/"><strong>The Jupyter+git problem is now solved</strong></a></p>
<ul>
<li>Jupyter notebooks don’t work with git by default (they inherently have meaningless conflicts).</li>
<li>With <a href="https://nbdev.fast.ai/">nbdev2</a>, the Jupyter+git problem has been totally solved. </li>
<li>Uses a set of hooks which provide clean git diffs, solve most git conflicts automatically, and ensure that any remaining conflicts can be resolved entirely within the standard Jupyter notebook environment.</li>
<li>The techniques used to make the merge driver work are quite fascinating</li>
</ul>
<p><strong>Seth #3:</strong> <a href="https://sethmlarson.dev/blog/help-test-system-trust-stores-in-python"><strong>Help us test system trust stores in Python</strong></a></p>
<ul>
<li>“truststore” is a package aiming to replace certifi: it uses system trust stores for HTTPS instead of a static list of certificates.</li>
<li>The problem truststore solves usually manifests in corporate networks as the error “unable to get local issuer certificate”.</li>
<li>Experimental support has been added to pip to prove out the implementation.</li>
<li>Users can try out the functionality and report issues.</li>
</ul>
<p><strong>Brian #4:</strong> <a href="https://pybit.es/articles/terminal-plotting-with-plotext/?utm_source=pocket_mylist"><strong>Making plots in your terminal with plotext</strong></a></p>
<ul>
<li>Bob Belderbos</li>
<li>Tutorial on using <a href="https://pypi.org/project/plotext/">plotext</a> - that’s one t in the middle</li>
<li>With the rise of CLI usage, plots are a nice addition.</li>
<li>Bob’s plot is great, but check out the options in the plotext docs
<ul>
<li>lots-o-plots</li>
<li>streaming data</li>
<li>images</li>
<li>subplots</li>
</ul></li>
<li>so fun</li>
</ul>
<p><strong>Michael #5:</strong> <a href="https://github.com/sponsfreixes/jinja2-fragments"><strong>jinja2-fragments</strong></a></p>
<ul>
<li>Carson from HTMX (see <a href="https://talkpython.fm/episodes/show/321/htmx-clean-dynamic-html-pages">podcast</a> and <a href="https://training.talkpython.fm/courses/htmx-flask-modern-python-web-apps-hold-the-javascript">course</a>) wrote about <a href="https://htmx.org/essays/template-fragments/"><strong>template fragments</strong></a>.</li>
<li>My jinja_partials project sorta fulfills this, but not really.</li>
<li>I had <a href="https://twitter.com/sponsfreixes/status/1566671693774348288"><strong>a nice discussion</strong></a> with Sergi Pons Freixes who uses jinja_partials about this.</li>
<li>He created <a href="https://github.com/sponsfreixes/jinja2-fragments"><strong>Jinja2 fragments</strong></a></li>
</ul>
<p><strong>Seth #6:</strong> <a href="https://slsa.dev/blog/2022/08/slsa-github-workflows-generic-ga"><strong>SLSA 3 Generic Builder for GitHub Actions GA</strong></a></p>
<ul>
<li>Supply chain Levels for Software Artifacts, or SLSA (“salsa”)</li>
<li>Tools to attest to and verify the “provenance” of artifacts, i.e. “where it came from”</li>
<li>Prove cryptographically that artifacts are built from a specific GitHub repository, commit, tag. Another future defense against stolen PyPI credentials/accounts.</li>
<li>Generic builder means you can sign anything, like wheels/sdists</li>
</ul>
<p><strong>Extras</strong> </p>
<p>Brian: </p>
<ul>
<li>Bring your pytest books to <a href="https://pybay.com">PyBay</a>, if you want them signed.
<ul>
<li>I’m only bringing a small amount.</li>
</ul></li>
<li>I’ll be presenting
<ul>
<li>“Sharing is Caring - pytest fixture edition” at 3:05</li>
<li>“Experts Panel on Testing in Python” at 7:00</li>
</ul></li>
<li>And be a zombie on my 8 am flight back unless I can change my reservation.</li>
<li>That’s this weekend, Sat Sept 10, in SF</li>
</ul>
<p>Michael:</p>
<ul>
<li><a href="https://techcrunch.com/2022/08/25/heroku-announces-plans-to-eliminate-free-plans-blaming-fraud-and-abuse/"><strong>Heroku announces plans to eliminate free plans</strong></a></li>
<li><a href="https://www.extremetech.com/extreme/339162-white-house-bans-paywalls-on-taxpayer-funded-research?source=science"><strong>Banned paywalls</strong></a></li>
<li>PyPI phisher identified: <a href="https://www.darkreading.com/application-security/researchers-identify-threat-actor-behind-recent-phishing-attack-targeting-pypi-users"><strong>Actor Phishing PyPI Users Identified</strong></a> and <a href="https://arstechnica.com/information-technology/2022/09/actors-behind-pypi-supply-chain-attack-have-been-active-since-late-2021/"><strong>Actors behind PyPI supply chain attack have been active since late 2021</strong></a></li>
<li><a href="https://twitter.com/btskinn/status/1566528546872385542?cn=ZmxleGlibGVfcmVjcw%3D%3D&refsrc=email"><strong>Major Python CVE</strong></a><strong>:</strong> <a href="https://twitter.com/btskinn/status/1566528546872385542?cn=ZmxleGlibGVfcmVjcw%3D%3D&refsrc=email">CVE-2020-10735: Prevent DoS by large int&lt;-&gt;str conversions</a></li>
</ul>
<p>Seth: </p>
<ul>
<li><a href="https://github.com/kitao/pyxel">Pyxel, retro game engine for Python</a>, v1.8.0 added experimental <a href="https://twitter.com/kitao/status/1564234852185960449">web support</a> with WASM</li>
</ul>
<p><strong>Joke:</strong> <a href="https://twitter.com/iamsegunajibola/status/1564996116550242305"><strong>Dev just after work</strong></a></p>