Python's Expanding Role: Security, Tools, and National Security Demands
TL;DR
- Implementing pip-audit within CI/CD pipelines or dedicated Docker images proactively identifies known security vulnerabilities in Python dependencies, preventing their introduction into development environments and production systems.
- Delaying dependency updates by a week using tools like uv allows the broader community to discover and report critical security flaws, mitigating the risk of unknowingly installing compromised packages.
- The ty type checker and LSP offer significant speed improvements over existing tools like mypy and Pyright, enabling faster feedback loops for developers and supporting near-instantaneous analysis within editors.
- typing_extensions enables the use of modern Python type hinting features, such as the deprecated decorator, across older Python versions, simplifying code maintenance and ensuring consistent typing practices.
- Intelligence agencies like MI6 are increasingly requiring fluency in programming languages like Python, signaling a shift towards technology-driven intelligence gathering and a need for technically skilled personnel.
- Vendoring third-party code directly into a project, rather than relying on external dependencies, may become more prevalent as a strategy to mitigate supply chain risks and gain greater control over codebases.
Deep Dive
Python developers face escalating supply chain risks, necessitating proactive security measures beyond simple dependency updates. The rapid evolution of type checking tools, exemplified by the beta release of ty, offers significant performance gains and improved developer experience, while simultaneously highlighting the need for careful integration with existing tooling. Furthermore, the increasing reliance on technology in national security, as evidenced by MI6's demand for Python fluency among its agents, underscores the pervasive and critical nature of software development skills across all sectors.
The core challenge in Python development today is navigating the complex landscape of software supply chain security. Malicious packages, typosquatting, and account takeovers pose significant threats, but tools like pip-audit can mitigate these risks. By integrating pip-audit into CI/CD pipelines or using it to scan isolated environments before installing dependencies, developers can identify known vulnerabilities. The strategy of delaying dependency updates by a week or more, using commands like uv pip compile --exclude-newer "1 week", creates a buffer period for new releases to be vetted by the community, reducing the likelihood of unknowingly installing compromised code. This layered approach, involving auditing and staged updates, is crucial for maintaining a secure development environment.
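The audit-and-gate step described above, as an added example that is not code from the podcast or from pip-audit itself: a small script that runs pip-audit in JSON mode, flattens the report, and exits non-zero when an unreviewed finding exists, so the same script serves as a pytest-style check, a CI job, or a Dockerfile build step. It assumes pip-audit is installed and that its `--format json` report has the shape sketched in SAMPLE_REPORT (dependencies, each with a list of vulns carrying an id and fix_versions); SAMPLE_REPORT itself is constructed for the demo, and the `--demo` flag and allowlist are this example's own additions.

```python
"""Fail a CI job or Docker build when pip-audit reports a vulnerable dependency.

Added example for this page, not code from the podcast or from pip-audit. It
assumes pip-audit is installed and that `pip-audit --format json` produces a
report shaped like SAMPLE_REPORT below (dependencies -> vulns -> id, fix_versions);
SAMPLE_REPORT itself is constructed for the demo, not real audit output.
"""
from __future__ import annotations

import json
import subprocess
import sys

# Constructed sample report: one package with a finding, one clean package.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"name": "examplelib", "version": "1.0.0",
         "vulns": [{"id": "EXAMPLE-0001", "fix_versions": ["1.0.1"],
                    "aliases": [], "description": "constructed finding"}]},
        {"name": "cleanlib", "version": "2.3.4", "vulns": []},
    ],
    "fixes": [],
})


def findings(report_json: str) -> list[dict]:
    """Flatten a pip-audit JSON report into one record per vulnerability."""
    report = json.loads(report_json)
    rows = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulns", []):
            rows.append({
                "package": dep["name"],
                "version": dep["version"],
                "id": vuln["id"],
                "fix_versions": list(vuln.get("fix_versions", [])),
            })
    return rows


def gate(report_json: str, allowlist: frozenset[str] = frozenset()) -> tuple[bool, list[dict]]:
    """Decide whether the build may proceed.

    Returns (ok, blocking). A vulnerability id on the allowlist (a reviewed,
    accepted risk) is dropped from `blocking`; anything else blocks the build.
    """
    blocking = [f for f in findings(report_json) if f["id"] not in allowlist]
    return (not blocking, blocking)


def run_pip_audit(requirements: str | None = None) -> str:
    """Run pip-audit and return its JSON report as text.

    With no `requirements`, the current environment is audited (the "installed
    dependencies in current venv" mode); with a requirements file, pip-audit
    resolves and audits it without touching this environment. pip-audit exits
    non-zero when it finds vulnerabilities, so check=False here and the
    decision is left to gate().
    """
    cmd = ["pip-audit", "--format", "json", "--progress-spinner", "off"]
    if requirements:
        cmd += ["-r", requirements]
    proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    if not proc.stdout.strip():
        raise RuntimeError(f"pip-audit produced no report: {proc.stderr.strip()}")
    return proc.stdout


def main(argv: list[str]) -> int:
    """Exit 1 when blocking findings exist, so a Dockerfile RUN step fails the build."""
    if "--demo" in argv:
        report = SAMPLE_REPORT  # offline run against the constructed sample
    else:
        req = argv[argv.index("-r") + 1] if "-r" in argv else None
        report = run_pip_audit(req)
    ok, blocking = gate(report)
    for f in blocking:
        fix = ", ".join(f["fix_versions"]) or "no fix released"
        print(f"BLOCK {f['package']}=={f['version']}: {f['id']} (fix: {fix})")
    print("audit gate:", "PASS" if ok else "FAIL")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Saved as, say, audit_gate.py (a hypothetical name), a Dockerfile line such as `RUN pip install pip-audit && python audit_gate.py -r requirements.txt` makes the image build fail on any unreviewed finding, and the same function `gate()` can be called from a pytest test against the live report so a vulnerable pin fails the test suite before it ever reaches a build.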
Simultaneously, the Python ecosystem is seeing rapid advancements in developer productivity tools. The beta release of ty, an extremely fast type checker and Language Server Protocol (LSP) implementation, promises to significantly improve development workflows. Its incremental analysis allows for near-instantaneous feedback within editors, making type checking a more integrated and less intrusive part of the coding process. While requiring careful configuration to avoid conflicts with other language servers, ty represents a substantial leap in performance and usability for Python static analysis. Complementing this, the typing_extensions module provides a backport for newer typing features, such as the deprecated decorator, allowing developers to use modern type hinting syntax across a broader range of Python versions. This reduces the cognitive load of managing different typing standards across projects and Python versions, facilitating more consistent and maintainable codebases.
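The deprecated-decorator backport mentioned above, as an added example that is not code from the podcast or from typing_extensions: the import order prefers warnings.deprecated on Python 3.13+, falls back to the typing_extensions backport on older versions, and only if neither is importable uses a minimal local stand-in so the module still imports. That stand-in, the header-parsing functions, and call_and_capture are this example's assumptions, not part of either library.

```python
"""Use one `deprecated` decorator across Python versions.

Added example for this page, not code from the podcast or from typing_extensions.
Import order: warnings.deprecated (3.13+) -> typing_extensions.deprecated
(backport) -> a minimal local stand-in (this example's assumption, only so the
module imports where neither library is available).
"""
from __future__ import annotations

import functools
import warnings

try:
    from warnings import deprecated  # Python 3.13+
except ImportError:
    try:
        from typing_extensions import deprecated  # backport for older versions
    except ImportError:
        def deprecated(message, *, category=DeprecationWarning, stacklevel=1):
            """Stand-in with the same call shape: warn `message` on every call."""
            def decorate(func):
                @functools.wraps(func)
                def wrapper(*args, **kwargs):
                    warnings.warn(message, category, stacklevel=stacklevel + 1)
                    return func(*args, **kwargs)
                wrapper.__deprecated__ = message
                return wrapper
            return decorate


def parse_header(line: str) -> tuple[str, str]:
    """Current API: split a 'Name: value' header line."""
    name, _, value = line.partition(":")
    return name.strip(), value.strip()


@deprecated("parse_header_legacy() is deprecated; use parse_header()")
def parse_header_legacy(line: str) -> tuple[str, str]:
    """Old name kept for callers that have not migrated yet."""
    return parse_header(line)


def call_and_capture(line: str) -> tuple[tuple[str, str], list[tuple[str, str]]]:
    """Call the deprecated API and return (result, [(warning class, message), ...])."""
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")
        result = parse_header_legacy(line)
    return result, [(w.category.__name__, str(w.message)) for w in caught]
```

At runtime every call to parse_header_legacy emits a DeprecationWarning; the point of using the real decorator rather than a bare warnings.warn is that type checkers such as ty, mypy and Pyright also understand it and flag call sites statically, so the migration shows up in the editor before anything runs.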
The implications of these trends extend beyond typical software development. The acknowledgment by MI6 of the necessity for its intelligence officers to be as fluent in Python as they are in traditional languages signals a profound shift. This demand reflects the growing importance of technology, particularly artificial intelligence, biotechnology, and quantum computing, in shaping global conflict and economic stability. The recruitment of data scientists and engineers alongside linguists and human intelligence specialists highlights how fundamental programming skills have become to national security operations, blurring the lines between traditional espionage and cyber warfare. This trend suggests that proficiency in languages like Python will become an increasingly standard requirement for roles requiring advanced analytical and operational capabilities across various sectors, not just technology.
Ultimately, the interconnectedness of software supply chain security, advanced developer tooling, and the integration of technology into critical national functions underscores a fundamental reality: Python's role continues to expand. Proactive security practices are no longer optional but essential, while cutting-edge tools like ty and typing_extensions enhance developer efficiency. The demand for Python skills in diverse fields, including national security, reinforces its position as a foundational language for innovation and operation in the modern world.
Action Items
- Audit dependencies: Run pip-audit against installed packages and in CI/CD pipelines to identify known security vulnerabilities.
- Implement delayed dependency updates: Configure uv pip compile or uv sync with --exclude-newer "1 week" to mitigate risks from newly released vulnerable packages.
- Create an isolated dependency testing environment: Build a dedicated Docker image to test dependencies with pip-audit before installing them into development or production environments.
- Integrate build-time vulnerability checks: Add a Dockerfile build step that fails the build if pip-audit detects vulnerable packages in dependencies.
- Evaluate the ty type checker: Install and configure ty as a replacement for existing type checkers (e.g., mypy, Pyright) to improve type checking speed and incremental updates.
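The delayed-update rule from the action items, as an added example that is not code from the podcast or from uv: uv applies the cutoff itself when given --exclude-newer, and this script makes the rule visible by computing the cutoff as an RFC 3339 timestamp and applying the same test to release metadata shaped like the PyPI JSON API's "releases" mapping (version to a list of files with upload_time_iso_8601 and yanked). The RELEASES data, the package name, and the requirements.in file name are constructed for the demo, and version ordering is a numeric simplification rather than full PEP 440.

```python
"""Apply the "wait a week" rule to dependency releases.

Added example for this page, not code from the podcast or from uv. uv enforces
the cutoff when given --exclude-newer; this script computes that cutoff as an
RFC 3339 timestamp and applies the same rule to release metadata shaped like
PyPI's "releases" mapping. RELEASES is constructed for a hypothetical package.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Constructed release history for hypothetical package "examplelib".
RELEASES = {
    "1.0.0": [{"upload_time_iso_8601": "2025-01-01T10:00:00.000000Z", "yanked": False}],
    "1.0.1": [{"upload_time_iso_8601": "2025-01-20T10:00:00.000000Z", "yanked": False}],
    "1.1.0": [{"upload_time_iso_8601": "2025-01-29T09:00:00.000000Z", "yanked": False}],
}


def parse_instant(ts: str) -> datetime:
    """Parse an ISO 8601 / RFC 3339 timestamp (PyPI's trailing 'Z' included) as aware UTC."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def cutoff(now: datetime, quarantine_days: int = 7) -> datetime:
    """Anything uploaded after this instant is too new to install yet."""
    return now.astimezone(timezone.utc) - timedelta(days=quarantine_days)


def rfc3339(ts: datetime) -> str:
    """Format a UTC instant the way --exclude-newer accepts it."""
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def uv_command(now: datetime, quarantine_days: int = 7) -> list[str]:
    """The uv invocation from the page with the cutoff spelled out as a timestamp."""
    return ["uv", "pip", "compile", "requirements.in", "--upgrade",
            "--output-file", "requirements.txt",
            "--exclude-newer", rfc3339(cutoff(now, quarantine_days))]


def _version_key(version: str) -> tuple[int, ...]:
    # Demo simplification: numeric dotted versions only (real resolvers use PEP 440).
    return tuple(int(part) for part in version.split("."))


def newest_allowed(releases: dict, now: datetime, quarantine_days: int = 7) -> str | None:
    """Newest non-yanked version whose last file was uploaded on or before the cutoff.

    A version counts as released when its *last* file landed, so a wheel pushed
    days after the sdist restarts the clock for that version.
    """
    limit = cutoff(now, quarantine_days)
    eligible = []
    for version, files in releases.items():
        if not files or any(f.get("yanked") for f in files):
            continue
        released = max(parse_instant(f["upload_time_iso_8601"]) for f in files)
        if released <= limit:
            eligible.append((_version_key(version), version))
    return max(eligible)[1] if eligible else None


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print(" ".join(uv_command(now)))
    print("examplelib would resolve to:", newest_allowed(RELEASES, now))
```

With a wall clock of 2025-01-31 the cutoff is 2025-01-24, so 1.1.0 (uploaded 2025-01-29) is skipped and 1.0.1 is chosen; the same data with a zero-day quarantine picks 1.1.0. Note that the week buys time for someone else to notice a malicious release; it does not replace the audit step, since a package can sit on the index for a week unnoticed.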
Key Quotes
"ty: An extremely fast Python type checker and LSP"
"designed as an alternative to tools like mypy, Pyright, and Pylance."
"Extremely fast even from first run"
"Successive runs are incremental, only rerunning necessary computations as a user edits a file or function. This allows live updates."
"Includes nice visual diagnostics much like color enhanced tracebacks"
"Extensive configuration control"
"Nice for if you want to gradually fix warnings from ty for a project"
"Also released a nice VSCode (or Cursor) extension"
"Check the docs. There are lots of features."
"Also a note about disabling the default language server (or disabling ty’s language server) so you don’t have 2 running"
Brian discusses the beta release of ty, a new Python type checker and Language Server Protocol (LSP) tool. He highlights its exceptional speed, both on initial runs and subsequent incremental checks, and notes its user-friendly visual diagnostics. Brian also points out the availability of a VSCode extension and the important documentation note about managing multiple language servers.
"We know about supply chain security issues, but what can you do?"
"Typosquatting (not great)"
"Github/PyPI account take-overs (very bad)"
"Enter pip-audit."
"Run it in two ways:"
"Against your installed dependencies in current venv"
"As a proper unit test (so when running pytest or CI/CD)."
"Let others find out first, wait a week on all dependency updates: uv pip compile requirements.piptools --upgrade --output-file requirements.txt --exclude-newer "1 week""
Michael addresses Python supply chain security, mentioning risks like typosquatting and account takeovers. He introduces pip-audit as a tool to combat these issues, explaining its use cases for auditing installed dependencies in a virtual environment or integrating it as a unit test within CI/CD pipelines. Michael also suggests a strategy of delaying dependency updates by a week using uv to allow potential vulnerabilities to be discovered first.
"Kind of a followup on the deprecation warning topic we were talking about in December."
"prioinv on Mastodon notified us that the project typing-extensions includes it as part of the backport set."
"The warnings.deprecated decorator is new to Python 3.13, but with typing-extensions, you can use it in previous versions."
"But typing_extesions is way cooler than just that."
"The module serves 2 purposes:"
"Enable use of new type system features on older Python versions."
"Enable experimentation with type system features proposed in new PEPs before they are accepted and added to thetypingmodule."
"So cool."
"There’s a lot of features here. I’m hoping it allows someone to use the latest typing syntax across multiple Python versions."
"I’m “tentatively” excited. But I’m bracing for someone to tell me why it’s not a silver bullet."
Brian follows up on a previous discussion about deprecation warnings, noting that typing-extensions provides a backport for the warnings.deprecated decorator, making it usable in Python versions prior to 3.13. He explains that typing-extensions has a broader purpose: enabling new type system features on older Python versions and allowing experimentation with proposed PEP features before they are officially added to the typing module. Brian expresses excitement about its potential for consistent typing syntax across Python versions.
"Advances in artificial intelligence, biotechnology and quantum computing are not only revolutionizing economies but rewriting the reality of conflict, as they 'converge' to create science fiction-like tools,” said new MI6 chief Blaise Metreweli."
"She focused mainly on threats from Russia, the country is "testing us in the grey zone with tactics that are just below the threshold of war.”"
"This demands what she called "mastery of technology" across the service, with officers required to become "as comfortable with lines of code as we are with human sources, as fluent in Python as we are in multiple other languages.""
"Recruitment will target linguists, data scientists, engineers, and technologists alike."
Michael shares a report about the new MI6 chief, Blaise Metreweli, who stated that intelligence officers must become as proficient in Python as they are in human languages. Metreweli emphasized the convergence of AI, biotechnology, and quantum computing in modern conflict and highlighted Russia's "grey zone" tactics. The chief indicated that recruitment efforts will actively seek individuals with technological and data science expertise to meet these evolving demands.
Resources
External Resources
Books
- "Python supply chain made easy" - Mentioned as a resource providing concrete advice on mitigating supply chain risks in Python projects.
- "JavaScript: The Definitive Guide" - Mentioned as an example of a large, comprehensive technical book.
- "JavaScript: The Good Parts" - Mentioned as a follow-up to "JavaScript: The Definitive Guide," focusing on essential elements.
- "Error Handling Before AI" - Mentioned as a hypothetical small book representing focused error handling advice.
Articles & Papers
- Charlie Marsh's announcement of ty (source not explicitly stated) - Mentioned as the source for the news that the ty type checker is in beta.
Tools & Software
- ty - Mentioned as an extremely fast Python type checker and Language Server Protocol (LSP) tool, now in beta.
- mypy - Mentioned as a previously used Python type checker.
- pyright - Mentioned as a previously used Python type checker.
- pylance - Mentioned as a previously used Python type checker.
- pytest-check - Mentioned as a project that has had issues fixed related to type checkers.
- pip-audit - Mentioned as a tool that audits Python environments for known security vulnerabilities.
- uv - Mentioned as a tool that can be used with pip-audit and for dependency management.
- VS Code extension for ty - Mentioned as an extension that provides type hints, go to definition, and information, requiring configuration to avoid conflicts with other language servers.
- pyre-check - Mentioned as a type checker that requires disabling other language servers in editors.
- Steam Deck - Mentioned as a gaming device received as a Christmas present.
- Pebble Round 2 - Mentioned as a previously owned smartwatch with a traditional watch look and e-ink display.
- Apple Watch - Mentioned as the current smartwatch being used.
People
- Michael Kennedy - Co-host of Python Bites.
- Brian Okken - Co-host of Python Bites.
- Charlie Marsh - Announced the beta release of the ty type checker.
- Tom's Assistant - Mentioned as a project used for testing ty's speed.
- Brio Inv - Notified the podcast hosts about typing_extensions on Mastodon.
- Jake VanderPlas - Gave a PyCon keynote in 2017 about Python's diverse use cases.
- Blaise Metreweli - New MI6 chief who set out the service's need for technologically augmented intelligence gathering.
- Reuven Lerner - Posted a video series on what's coming up in Pandas 3.
Organizations & Institutions
- Python Bites - The podcast where the discussion is taking place.
- PyPA (Python Packaging Authority) - pip-audit is officially part of their GitHub organization.
- Google - Has had influence on pip-audit.
- MI6 - British Secret Intelligence Service.
- Django Team - Creators of the Django web framework.
- Litestar Team - Creators of the Litestar web framework.
- Flask Team - Creators of the Flask web framework.
- Courts Team - Creators of the Courts web framework.
- FastAPI Team - Creators of the FastAPI web framework.
Courses & Educational Resources
- Pandas 3 video series (by Reuven Lerner) - A 12-video series covering upcoming features in Pandas 3.
Websites & Online Resources
- Mastodon - Social media platform mentioned for game recommendations and notifications.
- Bluesky - Social media platform mentioned for game recommendations.
- GitHub - Mentioned in relation to the PyPA organization.
Podcasts & Audio
- Talk Python episode "Web Frameworks in Production" - An episode featuring creators of various web frameworks discussing production deployment.
Other Resources
- Language Server Protocol (LSP) - A protocol for communication between code editors and language servers.
- Type hints - Annotations in Python code to indicate expected data types.
- Typosquatting - An attack in which attackers register names (domain names, or here package names) that closely resemble legitimate ones, so that a misspelling lands on the attacker's resource.
- Agentic coding tools - Tools that use AI to assist with coding tasks.
- LLMs (Large Language Models) - Mentioned in the context of potentially recommending malicious package names.
- Vendoring - The practice of copying another project's source code directly into your own project instead of depending on it as an external package.
- Deprecated decorator - A decorator used to mark functions or classes as deprecated.
- typing_extensions - A package that provides backported typing features for earlier Python versions.
- Python 3.13 - A version of Python for which the deprecated decorator is native.
- Python 3.12 - A version of Python mentioned in the context of supporting older versions.
- Python 3.10 - A version of Python mentioned as a requirement for certain typing features.
- Python 3.9 - An older version of Python mentioned as being out of support.
- Python 3.8 - An older version of Python mentioned in the context of library support.
- Python 3.14 - A future version of Python mentioned in the context of typing features.