#72 New versioning: Episode 0.0.7.2 (with 72 releases)

From Python Bytes



Length: 23 minutes
Released: Apr 5, 2018
Format: Podcast episode

Description

Sponsored by Datadog: pythonbytes.fm/datadog

Brian #1: ZeroVer: 0-based Versioning


“Software's most popular versioning scheme!”
“Cutting-edge software versioning for minimalists”
My favorite April Fools prank this year.

Calls out many popular projects for never reaching 1.0

From the about page:

“ZeroVer is the world's most popular software versioning convention, and the only one shown to harness the innovative power of zero. The benefits are innumerable and the effects on the software world are profound.”
“Version 0.0.1 of ZeroVer was published by Mahmoud Hashemi, with help from Moshe, Mark, Kurt, and other patient collaborators, on 2018-04-01. ZeroVer is satire, please do not use it. We sincerely hope no project release schedules were harmed as a result of this humble attempt at programmer humor.”



Michael #2: GitHub Security Alerts Detected over Four Million Vulnerabilities


Last year GitHub launched “GitHub security alerts”
GitHub’s security alerts notify repository admins when library vulnerabilities from the Common Vulnerabilities and Exposures (CVEs) list are detected in their repositories.
Nearly half of all displayed alerts are responded to within a week and the rate of vulnerabilities resolved in the first seven days has been about 30%.
When that statistic is restricted to repositories with recent contributions, i.e., contributions in the last 90 days, things look even brighter, GitHub says, with 98% of such repositories being patched in fewer than seven days.
More than four million vulnerabilities in over 500,000 repositories have been reported.
Security alerts are only currently supported for repositories written in Ruby or JavaScript, while support for Python is planned for 2018.
I also recommend pyup.io


Brian #3: Markdown Descriptions on PyPI


Dustin Ingram provides detailed steps on how to get this to work.
README.md now supported by pypi.org

“Only https://pypi.org will correctly render your new Markdown description.
Legacy PyPI (http://pypi.python.org/) will still render your description as plaintext, but don’t worry, it’s going away real soon.”

And also, GitHub-Flavored Markdown descriptions are supported.

Another post, this one by Jon Wayne Parrott



Michael #4: Concurrency comparison between NGINX-unit and uWSGI


Shows the performance of two web application servers

nginx-unit (a new modern application web server)
uWSGI (the best one application server)

uWSGI and nginx-unit were configured with 4 workers because the test system has 4 cores.
Effectively an empty “Hello world” Flask app
Have a look at the pictures here: https://itnext.io/performance-comparison-between-nginx-unit-and-uwsgi-python3-4511fc172a4c
Take away: I’m going to start paying attention to NGINX-unit


Brian #5: Loop better: A deeper look at iteration in Python


via Trey Hunner
Generators are a great way to loop, but have a few gotchas

Looping twice doesn’t work
Containment checks muck up the generator “contents”.
Unpacking has odd results.

This article describes Python loops in detail and then applies that to describe why the gotchas act like they do.
Covered:

iterators, iterables, sequences, generators
the iterator protocol

Reading this will make you a better programmer, but might hurt your head.


Michael #6: Misconfigured Django Apps Are Exposing Secret API Keys, Database Passwords


Security researchers have been stumbling upon misconfigured Django applications that are exposing sensitive information such as API keys, server passwords, or AWS access tokens.
He discovered 28,165 Django apps just this week where admins left debug mode enabled.
Just by skimming through a few of the servers, the researcher found that the debug mode of many of these apps was exposing extremely sensitive information that would have allowed a malicious actor full access to the app owner's data.
This is not a failure from Django's side. My recommendation is to disable debugging mode when deploying the application to production.
Security researcher
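
The recommendation above, as an added example that is not from the episode or the cited article: derive DEBUG from the environment so that it fails closed, and check the settings before deploying. The DJANGO_DEBUG variable name, the function names and the sample settings are assumptions constructed for illustration; DEBUG, ALLOWED_HOSTS and SECRET_KEY are Django's own setting names.

```python
import os

# Assumption: the deployment passes the debug switch in an environment
# variable named DJANGO_DEBUG (hypothetical name, not from the episode).
TRUE_VALUES = {"1", "true", "yes", "on"}


def debug_from_env(environ=os.environ, var="DJANGO_DEBUG"):
    """Return True only for an explicit opt-in.

    An unset variable, an empty string or an unrecognised value all
    yield False, so a missing or mistyped value cannot enable debug mode.
    """
    return environ.get(var, "").strip().lower() in TRUE_VALUES


def deployment_problems(settings):
    """Return a list of problems found in a mapping of Django settings."""
    problems = []
    if settings.get("DEBUG", False):
        problems.append("DEBUG is enabled")
    hosts = settings.get("ALLOWED_HOSTS") or []
    if not hosts or "*" in hosts:
        problems.append("ALLOWED_HOSTS is empty or contains a wildcard")
    if not settings.get("SECRET_KEY"):
        problems.append("SECRET_KEY is missing")
    return problems


# Constructed sample settings: a development-style configuration and a
# production one where DEBUG comes from an environment without the variable.
SAMPLE_DEV = {"DEBUG": True, "ALLOWED_HOSTS": ["*"], "SECRET_KEY": ""}
SAMPLE_PROD = {
    "DEBUG": debug_from_env({}),
    "ALLOWED_HOSTS": ["app.example.com"],
    "SECRET_KEY": "constructed-placeholder-value",
}

if __name__ == "__main__":
    for name, cfg in (("dev", SAMPLE_DEV), ("prod", SAMPLE_PROD)):
        found = deployment_problems(cfg)
        print(name, "->", found if found else "ok")
```

Django ships its own version of this kind of check as `python manage.py check --deploy`, which also reports a DEBUG setting left on.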