Feeds

Project: Drupal coreDate: 2024-January-17Security risk: Moderately critical 11∕25 AC:None/A:None/CI:None/II:None/E:Theoretical/TD:DefaultVulnerability: Denial of ServiceAffected versions: >=8.0 <10.1.8 || >=10.2 <10.2.2Description: 

The Comment module allows users to reply to comments. In certain cases, an attacker could make comment reply requests that would trigger a denial of service (DOS).

Sites that do not use the Comment module are not affected.

Solution: 

Install the latest version:

• If you are using Drupal 10.2, update to Drupal 10.2.2.
• If you are using Drupal 10.1, update to Drupal 10.1.8.

All versions of Drupal 10 prior to 10.1 are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)

Drupal 7 is not affected.

Reported By: 

• Alexander Antonenko
• Doug Green

Fixed By: 

• Lee Rowlands of the Drupal Security Team
• Benji Fisher of the Drupal Security Team
• Juraj Nemec of the Drupal Security Team
• xjm of the Drupal Security Team
• Lauri Eskola, provisional member of the Drupal Security Team

Join the FSF and friends on Friday, January 19, from 12:00 to 15:00 EST (17:00 to 20:00 UTC) to help improve the Free Software Directory.

This post is brought to you from our partners at Skynet Technologies.

Uplifting the digital experience of your Drupal website by making it accessible is inevitable.

The reason behind digital evolution is its easy availability for all. But unfortunately, the web is still full of inaccessible experiences, which become a hindrance for users with any sort of disability. And that is the reason why Drupal incorporated various accessibility features with time to ensure its website accessibility.

Along with accessibility features, Drupal has accessibility modules as well that are contributed by its active community. The modules improve Drupal website accessibility without having to put much effort into coding.

Let’s know which are those modules that enhance Drupal website accessibility.

Top Drupal web accessibility modules! #1 All in One Accessibility

Drupal All in One Accessibility is an AI based accessibility module to enable Drupal websites to be accessible among people with hearing or vision impairments, motor impaired, color blind, dyslexia, cognitive & learning impairments, seizure and epileptic, and ADHD problems. It manages website UI and design related alteration as an accessibility interface.

Drupal All in One Accessibility module installs in just 2 minutes. PRO version reduces the risk of time-consuming accessibility lawsuits.

This module improves accessibility compliance for the standards WCAG 2.0, WCAG 2.1, WCAG 2.2, ADA, Section 508, European EAA EN 301 549, Canada ACA, California Unruh, Israeli Standard 5568, Australian DDA, UK Equality Act, Ontario AODA, France RGAA, German BITV, Brazilian Inclusion law LBI 13.146/2015, Spain UNE 139803:2012, JIS X 8341, Italian Stanca Act, and Switzerland DDA.

It is a cornerstone of improving web accessibility through its ease of use for companies of all sizes. Top features of the module:

1. Accessibility statement
2. Accessibility interface for UI design fixes
3. Dashboard Automatic accessibility score
4. AI based Image Alternative Text remediation
5. AI based Text to Speech Screen Reader
6. Keyboard navigation adjustments
7. Content, Color, Contrast, and Orientation Adjustments
8. Supports 53 languages
9. PDF / Document Remediation Add-On
10. White Label Subscription
11. Live site translation add-on
12. Custom widget color, position, icon size, and type
13. Dedicated email support

#2 Monsido Tools

Monsido tool helps to optimize Drupal websites easily and swiftly. The tool ensures that the website is validated for the de facto international standard, which is WCAG 2.1. So that website will be accessible to everyone in each region.

Monsido scans your Drupal website to identify all persisting accessibility issues and gives you suggestions on addressing the issues to rectify them. It also finds SEO errors and helps you optimize every page of your website.

#3 Editoria11y Accessibility Checker

Editoria11y (editorial accessibility ally) is supported by Princeton University. It is made focusing on content quality and accessibility.

The module checks content automatically, authors are not required to get trained to use it. It detects issues that appear after Drupal assembles the pages by testing rendered content.

Editoria11y prioritizes content issues by inserting alerts and tooltips to help authors fix the problems without troubling them with complex code. It majorly supplements the accessibility issues and does not replace the elements.

#4 Civic Accessibility Toolbar

The Civic Accessibility Toolbar has a block with accessibility utilities which is an aid for end-users if they wish to switch between theme versions with higher color contrast and update text font sizes as well.

The module enables its users to create a block with both or at least one of the utilities to make your Drupal website accessible for visually impaired users. It is tested with Garland, Bartik, Zen Starterkit, Stark, and Olivero themes.

It uses colourContrast and fontSize cookies to remember user selection. The cookies only use functional or necessary details and don’t keep the user’s personal information.

#5 Accessibility toolkit

Basically, Accessibility Toolkit helps Drupal developers with reusable tools so that they can fulfil the requirements of people with disabilities by making websites compatible with assistive technologies. It is tested for Drupal 7, 8, and 9. It does this through aggressive CSS additions and remembers the setting using Drupal's built-in usage of jQuery Cookie.

It provides a block with all little settings to allow for –

• High contrast mode
• Dyslexic font support
• Text scaling
• Inverted colors mode
• Keyboard navigation (only for D8/D9)

#6 Fluidproject UI Options

The module is maintained by Ukrainian developers. It helps users to modify a web page’s line height, font size and style, contrast, and link style. All changes are retained using cookies for a longer span. Fluidproject UI options integrate Drupal libraries into non-admin pages.

To use this module, you need to have Grunt and NPM installed for compiling the infusion library, and a jQuery 1.7 version is required.

However, the module cannot do internationalization through the Drupal interface, JSON files within the module folder can perform this function. This Drupal accessibility module is tested with its most popular themes successfully. Please note here that some of its themes require additional CSS to adjust font size and line heights. Also, Contrast settings don’t work properly for website elements that use CSS gradients.

YOU MAY ALSO LIKE: PDF Document Accessibility Remediation

#7 High contrast

High contrast provides a quick solution for users to switch between an active theme and its high-contrast version.

It only needs to install it and press the tab from the keyboard, then click on the ‘Toggle high contrast’ link. You will find yourself in high contrast mode, returning to normal view is possible via following the same steps.

#8 Style Switcher

This Drupal website accessibility module enables every website visitor to select the stylesheet they want to view the site content with. They only require clicking on its link to get the new look of the website.

Style Switcher reduces the duplication of work since developers don’t need to create themes for alternative stylesheets. Themer has the capacity to provide a theme with alternate stylesheets and the Site builder can add alternate stylesheets in the admin section.

The module gathers and presents all the styles as a list of links in a block for site visitors. Thus, all visitors can easily choose their preferred styles. And the module uses cookies, so, if a user returns to the site, they get the same chosen style.

#9 Text Resize

The text resize accessibility module offers a block to end-users that helps in changing the font size of text on Drupal websites. The block includes a button to increase or decrease the text size, which is an aid for visually impaired users. Text resize uses JavaScript with jQuery and jQuery Cookie to bring accessibility.

#10 Automatic Alternative Text

The Automatic Alternative Text accessibility module uses the Microsoft Azure Cognitive Services API or Alttext.ai to generate alternative texts for images if the alt text is missing.

The module provides algorithms to process images. It can be used to understand if the image has relevant content or not. It also has features like categorizing the content of images, describing the images in human-readable language, and estimating the dominant and accent colors of the image.

P.S. All above-mentioned modules have free and premium versions available. You can select the best suited version.

YOU MAY ALSO LIKE: Voluntary Product Assessment Template (VPAT)

Some more contributed modules to fine-tune the Drupal website’s accessibility!

• CKEditor Abbreviation
• HTML Purifier
• Siteimprove
• htmLawed
• Block ARIA Landmark Roles

Read more for detail information.

Wrapping up

Having an accessible website is crucial and the need of an hour. All in One Accessibility is a quick and comprehensive solution with AI based features to improve your website accessibility compliance at next level. The cherry on top is its 2 minutes installation and 10 days free trial. Not limited to this, the dashboard add-ons and upgrades like PDF / document accessibility remediation, white label subscription, and live site translation helps in increasing digital accessibility.

We are pleased to announce the return of the Hatchery program in PyCon US 2024.

What is the Hatchery program?

This program offers the pathways for PyCon US attendees to introduce new tracks, activities, summits, demos, etc., at PyCon US—activities that all share and fulfill the Python Software Foundation’s mission within the PyCon US schedule.

The program began as a trial led by Ee Durbin and Naomi Ceder in 2018, resulting in the creation of several new tracks that are now staples of PyCon US, for example: PyCon US Charlas, Mentored Sprints, and Maintainer’s Summit.

The Hatchery program was paused during the pandemic, and we are excited to restart and refresh this program for PyCon US 2024.

With the Hatchery program, we want to provide the opportunity for you, the Python community members, to take active participation and lead new activities and events at PyCon US. We want to provide a transparent process for this, and we also want to ensure that every attendee, whether they are new to the community, or have been at the conference for the 10th time, have the equal opportunity to propose ideas for PyCon US.

What belongs in a Hatchery program

PyCon US offers a wide range of events for the attendees to engage with the community during the conference. In addition to the talks, Charlas, keynotes, tutorials, posters, and lightning talks, at PyCon US we further support the Python community by hosting summits (e.g. The Python Language Summit, Education Summit), Sprints, and Open Spaces: one-hour meet ups in dedicated rooms throughout the conference. PyCon US also hosts other events like the PyLadies Luncheon, Members Lunch, and PyLadies Auction. We also offer community booths and Startup Row alongside the Sponsor Booths in the expo hall.

Despite all of the above, as conference organizers we still receive great, creative suggestions and ideas from the community for more things that they’d like to see at PyCon US. This is where the Hatchery program comes in.

If you have an idea for new and different kinds of events, activities, summits, or tracks at PyCon US, or things that do not fit in any of the existing talks, charlas, tutorials, and posters tracks, please propose that as a Hatchery.

A few examples of topics that have been accepted for the program (not a complete list, creativity is expressly encouraged):

• Maintainers' Summit
• The Art of Python
• Foreign language talk track (see the PyCon US Charlas, the first track created in the hatchery, and now a part of PyCon US).
• Scientific data summit
• Mentored Sprints

See the full guidelines and criteria for proposals at https://us.pycon.org/2024/events/hatchery/

Hatchery Program Rebooted!

Since it’s been a few years since the last time the Hatchery program ran, meaning, some folks might have already forgotten about it, and newer community members might not yet know what it’s about. With that in mind we decided that this is a good time for us to introduce some changes to the Hatchery program.

One-off events are encouraged!

Previous versions of the Hatchery prioritized programs that have potential to become a new staple and repeat program at PyCon US, and one-off events were given a lower priority. We recognize that this might put a high barrier of entry, and could potentially cause organizer burnout. People might feel like they are now “obligated” to continue the program year after year even if they no longer have the bandwidth to do it. Therefore, we want to focus on the experimental aspect of Hatchery. If your Hatchery program is accepted this year, you are free to continue it again next year. But if you just want to experiment and host an activity only for this year, that’s okay too!

Rolling admission

You can propose your idea for the Hatchery starting today, until approximately 4 weeks before the conference. 

We will be reviewing your ideas and proposals as they come in, and we will do our best to support and accommodate your request. We aim to give you a decision within 2 weeks, depending on the nature of your proposal. (i.e. if your proposal requires a more complicated room set up, we may need extra time to figure out the feasibility for that).

Proposal submissions for the Hatchery Program are open until April 17, 2024, or until all the spaces have been filled.

Note that the conference venue is limited in terms of size and available rooms. We might not be able to provide you with a room you need for your program if you wait until the last minute to submit your idea. Therefore, we encourage you to submit your ideas as soon as you can!

How to submit your Hatchery proposal?

Please visit the PyCon US 2024 Hatchery page. Submissions are open through the PyCon US 2024 Hatchery CFP on Pretalx here. Please note that Pretalx accounts used for the main conference PyCon US 2024 CFP will not be carried over; all submitters will be required to create a new account for the PyCon US 2024 Hatchery CFP.

Thank you. If you have any questions about the Hatchery, please get in touch with us, pycon-hatchery@python.org. The PyCon US Hatchery Committee members are: Elaine Wong, Mariatta Wijaya, and Naomi Ceder.

Join us TOMORROW, January 18 at 1pm ET / 10am PT, for our regularly scheduled call to chat about all things Drupal and nonprofits. (Convert to your local time zone.)

This month we'll be discussing the return of the Nonprofit Summit to DrupalCon Portland 2024!  We're currently looking for breakout discussion leaders, and we'll be answering questions about what that involves, as well as throwing around ideas for potential topics. 

And we'll of course also have time to discuss anything else that's on our minds at the intersection of Drupal and nonprofits -- including our plans for NTC in March.  Got something specific you want to talk about? Feel free to share ahead of time in our collaborative Google doc: https://nten.org/drupal/notes!

All nonprofit Drupal devs and users, regardless of experience level, are always welcome on this call.

This free call is sponsored by NTEN.org and open to everyone. 

• Join the call: https://us02web.zoom.us/j/81817469653

  • Meeting ID: 818 1746 9653
    Passcode: 551681

  • One tap mobile:
    +16699006833,,81817469653# US (San Jose)
    +13462487799,,81817469653# US (Houston)

  • Dial by your location:
    +1 669 900 6833 US (San Jose)
    +1 346 248 7799 US (Houston)
    +1 253 215 8782 US (Tacoma)
    +1 929 205 6099 US (New York)
    +1 301 715 8592 US (Washington DC)
    +1 312 626 6799 US (Chicago)

  • Find your local number: https://us02web.zoom.us/u/kpV1o65N

• Follow along on Google Docs: https://nten.org/drupal/notes

View notes of previous months' calls.

Data analysis is a broad term that covers a wide range of techniques that enable you to reveal any insights and relationships that may exist within raw data. As you might expect, Python lends itself readily to data analysis. Once Python has analyzed your data, you can then use your findings to make good business decisions, improve procedures, and even make informed predictions based on what you’ve discovered.

In this tutorial, you’ll:

• Understand the need for a sound data analysis workflow
• Understand the different stages of a data analysis workflow
• Learn how you can use Python for data analysis

Before you start, you should familiarize yourself with Jupyter Notebook, a popular tool for data analysis. Alternatively, JupyterLab will give you an enhanced notebook experience. You might also like to learn how a pandas DataFrame stores its data. Knowing the difference between a DataFrame and a pandas Series will also prove useful.

Get Your Code: Click here to download the free data files and sample code for your mission into data analysis with Python.

In this tutorial, you’ll use a file named james_bond_data.csv. This is a doctored version of the free James Bond Movie Dataset. The james_bond_data.csv file contains a subset of the original data with some of the records altered to make them suitable for this tutorial. You’ll find it in the downloadable materials. Once you have your data file, you’re ready to begin your first mission into data analysis.

Understanding the Need for a Data Analysis Workflow

Data analysis is a very popular field and can involve performing many different tasks of varying complexity. Which specific analysis steps you perform will depend on which dataset you’re analyzing and what information you hope to glean. To overcome these scope and complexity issues, you need to take a strategic approach when performing your analysis. This is where a data analysis workflow can help you.

A data analysis workflow is a process that provides a set of steps for your analysis team to follow when analyzing data. The implementation of each of these steps will vary depending on the nature of your analysis, but following an agreed-upon workflow allows everyone involved to know what needs to happen and to see how the project is progressing.

Using a workflow also helps futureproof your analysis methodology. By following the defined set of steps, your efforts become systematic, which minimizes the possibility that you’ll make mistakes or miss something. Furthermore, when you carefully document your work, you can reapply your procedures against future data as it becomes available. Data analysis workflows therefore also provide repeatability and scalability.

There’s no single data workflow process that suits every analysis, nor is there universal terminology for the procedures used within it. To provide a structure for the rest of this tutorial, the diagram below illustrates the stages that you’ll commonly find in most workflows:

A Data Analysis Workflow

The solid arrows show the standard data analysis workflow that you’ll work through to learn what happens at each stage. The dashed arrows indicate where you may need to carry out some of the individual steps several times depending upon the success of your analysis. Indeed, you may even have to repeat the entire process should your first analysis reveal something interesting that demands further attention.

Now that you have an understanding of the need for a data analysis workflow, you’ll work through its steps and perform an analysis of movie data. The movies that you’ll analyze all relate to the British secret agent Bond … James Bond.

Setting Your Objectives

The very first workflow step in data analysis is to carefully but clearly define your objectives. It’s vitally important for you and your analysis team to be clear on what exactly you’re all trying to achieve. This step doesn’t involve any programming but is every bit as important because, without an understanding of where you want to go, you’re unlikely to ever get there.

The objectives of your data analysis will vary depending on what you’re analyzing. Your team leader may want to know why a new product hasn’t sold, or perhaps your government wants information about a clinical test of a new medical drug. You may even be asked to make investment recommendations based on the past results of a particular financial instrument. Regardless, you must still be clear on your objectives. These define your scope.

In this tutorial, you’ll gain experience in data analysis by having some fun with the James Bond movie dataset mentioned earlier. What are your objectives? Now pay attention, 007:

• Is there any relationship between the Rotten Tomatoes ratings and those from IMDb?
• Are there any insights to be gleaned from analyzing the lengths of the movies?
• Is there a relationship between the number of enemies James Bond has killed and the user ratings of the movie in which they were killed?

Now that you’ve been briefed on your mission, it’s time to get out into the field and see what intelligence you can uncover.

Acquiring Your Data

Once you’ve established your objectives, your next step is to think about what data you’ll need to achieve them. Hopefully, this data will be readily available, but you may have to work hard to get it. You may need to extract it from the data storage systems within an organization or collect survey data. Regardless, you’ll somehow need to get the data.

In this case, you’re in luck. When your bosses briefed you on your objectives, they also gave you the data in the james_bond_data.csv file. You must now spend some time becoming familiar with what you have in front of you. During the briefing, you made some notes on the content of this file:

Heading Meaning Release The release date of the movie Movie The title of the movie Bond The actor playing the title role Bond_Car_MFG The manufacturer of James Bond’s car US_Gross The movie’s gross US earnings World_Gross The movie’s gross worldwide earnings Budget ($ 000s) The movie’s budget, in thousands of US dollars Film_Length The running time of the movie Avg_User_IMDB The average user rating from IMDb Avg_User_Rtn_Tom The average user rating from Rotten Tomatoes Martinis The number of martinis that Bond drank in the movie

As you can see, you have quite a variety of data. You won’t need all of it to meet your objectives, but you can think more about this later. For now, you’ll concentrate on getting the data out of the file and into Python for cleansing and analysis.

Read the full article at https://realpython.com/python-for-data-analysis/ »

[ Improve Your Python With 🐍 Python Tricks 💌 – Get a short & sweet Python Trick delivered to your inbox every couple of days. >> Click here to learn more and see examples ]

Now that I’m freelancing, I need to actually track my time, which is something I’ve had the luxury of not having to do before. That meant something of a rethink of the way I’ve been keeping track of my to-do list. Up to now that was a combination of things like the bug lists for the projects I’m working on at the moment, whatever task tracking system Canonical was using at the moment (Jira when I left), and a giant flat text file in which I recorded logbook-style notes of what I’d done each day plus a few extra notes at the bottom to remind myself of particularly urgent tasks. I could have started manually adding times to each logbook entry, but ugh, let’s not.

In general, I had the following goals (which were a bit reminiscent of my address book):

• free software throughout
• storage under my control
• ability to annotate tasks with URLs (especially bugs and merge requests)
• lightweight time tracking (I’m OK with having to explicitly tell it when I start and stop tasks)
• ability to drive everything from the command line
• decent filtering so I don’t have to look at my entire to-do list all the time
• ability to easily generate billing information for multiple clients
• optionally, integration with Android (mainly so I can tick off personal tasks like “change bedroom lightbulb” or whatever that don’t involve being near a computer)

I didn’t do an elaborate evaluation of multiple options, because I’m not trying to come up with the best possible solution for a client here. Also, there are a bazillion to-do list trackers out there and if I tried to evaluate them all I’d never do anything else. I just wanted something that works well enough for me.

Since it came up on Mastodon: a bunch of people swear by Org mode, which I know can do at least some of this sort of thing. However, I don’t use Emacs and don’t plan to use Emacs. nvim-orgmode does have some support for time tracking, but when I’ve tried vim-based versions of Org mode in the past I’ve found they haven’t really fitted my brain very well.

Taskwarrior and Timewarrior

One of the other Freexian collaborators mentioned Taskwarrior and Timewarrior, so I had a look at those.

The basic idea of Taskwarrior is that you have a task command that tracks each task as a blob of JSON and provides subcommands to let you add, modify, and remove tasks with a minimum of friction. task add adds a task, and you can add metadata like project:Personal (I always make sure every task has a project, for ease of filtering). Just running task shows you a task list sorted by Taskwarrior’s idea of urgency, with an ID for each task, and there are various other reports with different filtering and verbosity. task <id> annotate lets you attach more information to a task. task <id> done marks it as done. So far so good, so a redacted version of my to-do list looks like this:

$ task ls ID A Project Tags Description 17 Freexian Add Incus support to autopkgtest [2] 7 Columbiform Figure out Lloyds online banking [1] 2 Debian Fix troffcvt for groff 1.23.0 [1] 11 Personal Replace living room curtain rail

Once I got comfortable with it, this was already a big improvement. I haven’t bothered to learn all the filtering gadgets yet, but it was easy enough to see that I could do something like task all project:Personal and it’d show me both pending and completed tasks in that project, and that all the data was stored in ~/.task - though I have to say that there are enough reporting bells and whistles that I haven’t needed to poke around manually. In combination with the regular backups that I do anyway (you do too, right?), this gave me enough confidence to abandon my previous text-file logbook approach.

Next was time tracking. Timewarrior integrates with Taskwarrior, albeit in an only semi-packaged way, and it was easy enough to set that up. Now I can do:

$ task 25 start Starting task 00a9516f 'Write blog post about task tracking'. Started 1 task. Note: '"Write blog post about task tracking"' is a new tag. Tracking Columbiform "Write blog post about task tracking" Started 2024-01-10T11:28:38 Current 38 Total 0:00:00 You have more urgent tasks. Project 'Columbiform' is 25% complete (3 of 4 tasks remaining).

When I stop work on something, I do task active to find the ID, then task <id> stop. Timewarrior does the tedious stopwatch business for me, and I can manually enter times if I forget to start/stop a task. Then the really useful bit: I can do something like timew summary :month <name-of-client> and it tells me how much to bill that client for this month. Perfect.

I also started using VIT to simplify the day-to-day flow a little, which means I’m normally just using one or two keystrokes rather than typing longer commands. That isn’t really necessary from my point of view, but it does save some time.

Android integration

I left Android integration for a bit later since it wasn’t essential. When I got round to it, I have to say that it felt a bit clumsy, but it did eventually work.

The first step was to set up a taskserver. Most of the setup procedure was OK, but I wanted to use Let’s Encrypt to minimize the amount of messing around with CAs I had to do. Getting this to work involved hitting things with sticks a bit, and there’s still a local CA involved for client certificates. What I ended up with was a certbot setup with the webroot authenticator and a custom deploy hook as follows (with cert_name replaced by a DNS name in my house domain):

#! /bin/sh set -eu cert_name=taskd.example.org found=false for domain in $RENEWED_DOMAINS; do case "$domain" in $cert_name) found=: ;; esac done $found || exit 0 install -m 644 "/etc/letsencrypt/live/$cert_name/fullchain.pem" \ /var/lib/taskd/pki/fullchain.pem install -m 640 -g Debian-taskd "/etc/letsencrypt/live/$cert_name/privkey.pem" \ /var/lib/taskd/pki/privkey.pem systemctl restart taskd.service

I could then set this in /etc/taskd/config (server.crl.pem and ca.cert.pem were generated using the documented taskserver setup procedure):

server.key=/var/lib/taskd/pki/privkey.pem server.cert=/var/lib/taskd/pki/fullchain.pem server.crl=/var/lib/taskd/pki/server.crl.pem ca.cert=/var/lib/taskd/pki/ca.cert.pem

Then I could set taskd.ca on my laptop to /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt and otherwise follow the client setup instructions, run task sync init to get things started, and then task sync every so often to sync changes between my laptop and the taskserver.

I used TaskWarrior Mobile as the client. I have to say I wouldn’t want to use that client as my primary task tracking interface: the setup procedure is clunky even beyond the necessity of copying a client certificate around, it expects you to give it a .taskrc rather than having a proper settings interface for that, and it only seems to let you add a task if you specify a due date for it. It also lacks Timewarrior integration, so I can only really use it when I don’t care about time tracking, e.g. personal tasks. But that’s really all I need, so it meets my minimum requirements.

Next?

Considering this is literally the first thing I tried, I have to say I’m pretty happy with it. There are a bunch of optional extras I haven’t tried yet, but in general it kind of has the vim nature for me: if I need something it’s very likely to exist or easy enough to build, but the features I don’t use don’t get in my way.

I wouldn’t recommend any of this to somebody who didn’t already spend most of their time in a terminal - but I do. I’m glad people have gone to all the effort to build this so I didn’t have to.

Discover what sustainability really means in tech in our latest Tag1 Team Talks episode. Learn how the Drupal community contributes to this vital cause and how you can get involved

Read more michaelemeyers Wed, 01/17/2024 - 05:00

Ruqola 2.1 Beta (2.0.81) is available for packaging and testing.

Ruqola is a chat app for Rocket.chat. This beta release will build with the current release candidate of KDE Frameworks 6 and KTextAddons allowing distros to start to move away from Qt 5.

URL: https://download.kde.org/unstable/ruqola/
SHA256: 2c4135c08acc31f846561b488aa24f1558d7533b502f9ba305be579d43f81b73

Signed by E0A3EB202F8E57528E13E72FD7574483BB57B18D Jonathan Esk-Riddell jr@jriddell.org
https://jriddell.org/esk-riddell.gpg

Building a Drupal website from scratch can be challenging and time-consuming. That’s exactly why we need Drupal recipes. These are a set of predefined configurations or components that can be used as the starting point for addressing specific needs such as creating an e-commerce platform, blog, and other projects. It doesn’t matter what type of Drupal development services you are interested in, Drupal recipes are available for all. They make Drupal project development much easier and faster.

New article by Richard Stallman: https://www.gnu.org/philosophy/the-moral-and-the-legal.html

Over the past six months, we’ve met hundreds of developers that are using Python to build AI chat apps for their own knowledge domains, using the RAG (Retrieval Augmented Generation) approach to send chunks of knowledge to an LLM model along with the user question.

We’ve also heard from many developers that they’d like to learn how to build their own RAG chat apps, but they don’t know where to start. So we’re hosting a virtual hackathon to help you learn how to build your own RAG chat app with Python!

.

From January 29th to February 12th, we’ll host live streams showing you how to build on our most popular RAG chat sample repository, while also explaining the core concepts underlying all modern RAG chat apps. Live stream topics will include vector search, access control, GPT-4 with vision. We’re hoping to get developers from all over the world involved, so we’ll also have live streams in Spanish, Portuguese, and Chinese. There will be prizes for the best chat apps, and even a prize for our most helpful community member.

To learn more, visit the AI Chat App Hack page, and follow the steps there to register and meet the community. Hope to see you there!

More RAG resources for Python developers

If you’re interested in learning more about RAG chat apps but can’t join the hack, here are some resources to get you started:

• Tutorial: Get started with the Python enterprise chat sample using RAG
• GitHub Universe: Quickly build and deploy OpenAI apps on Azure, infused with your own data
• Azure AI resources for Python developers
• Using Llamaindex with Azure AI Search
• AI Discord community

The post Join us for AI Chat App Hack from Jan. 29 – Feb.12 appeared first on Python.

Do you use NumPy, Pandas, or scikit-learn and want to get faster results? Nvidia has created GPU-based replacements for each of these with the shared promise of extra speed.

For example, if you visit the front page of NVidia’s RAPIDS project, you’ll see benchmarks showing cuDF, a GPU-based Pandas replacement, is 15× to 80× faster than Pandas!

Unfortunately, while those speed-ups are impressive, they are also misleading. GPU-based libraries might be the answer to your performance problems… or they might be an an unnecessary and expensive distraction.

Read more...

Defending against the PyTorch supply chain attack PoC About • Blog • Newsletter • Links Defending against the PyTorch supply chain attack PoC

Published 2024-01-17 by Seth Larson
Reading time: minutes

This critical role would not be possible without funding from the OpenSSF Alpha-Omega project. Massive thank-you to Alpha-Omega for investing in the security of the Python ecosystem!

Last week there which a publication into a proof-of-concept supply chain attack against PyTorch using persistence in self-hosted GitHub runners, capturing tokens from triggerable jobs as a third-party contributor, and modifying workflows. This report was #1 on Hacker News for most of Sunday. In the comments of this publication there was a lot of discussion and folks questioning "how do you defend from this type of attack"?

Luckily for open source users, there are already techniques that can be used today to mitigate the downstream impact of a compromised dependency:

• Using a lock file with pinned hashes like pip with --require-hashes, poetry.lock, or Pipfile.lock.
• Reviewing diffs between currently pinned and new candidate releases. The diff must be of the installed artifacts, not using git tags or source repository information. Tools like diffoscope are useful for diffing wheel files which are actually zip files in disguise.
• For larger organizations the cost of manual review can be amortized by mirroring PyPI and only updating dependencies that have been manually reviewed.
• Binary or compiled dependencies can be compiled from source to ensure malicious code isn't hidden from human inspection.

These are tried-and-true methods to protect yourself and ensure dependencies aren't compromised regardless of what happens upstream. Obviously the suggestions above take time and effort to implement. Generally there's desire from me and others to make the above steps easier for consumers like exposing build provenance for easier reviewing of source code or by improving the overall safety of PyPI content using malware scanning and reporting.

Part of my plans for 2024 is to create guidance for Python open source consumers and maintainers for how to safely use packaging tools both from the perspective of supply chain integrity but also for vulnerabilities, builds, etc. So stay tuned for that!

CPython Software Bill-of-Materials update

Last week I published a draft for CPython's SBOM document specifically for the source tarballs in order to solicit feedback from consumers of SBOMs and developers of SBOM tooling. I received great feedback from Adolfo Garcia Veytia and Ritesh Noronha including the following points:

• Strip version information from the fileName attribute
• The top-level CPython component had no relationships to non-file components, should have DEPENDS_ON relationships to all its dependent packages.
• Fix the formatting of the "Tool: " name and version. Correct format is {name}-{version}.
• Use the fileName attribute on the CPython package instead of using a separate file component for the tarball containing CPython source code.
• Include an email address for all "Person" identities.
• Guidance on alternatives to the documentNamespace field.

After applying this feedback we now have an SBOM which meets NTIA's Minimum Elements of an SBOM and scores 9.6 out of 10 for the SBOM Quality Score.

Next I'm working on the infrastructure for actually generating and making the SBOM available for consumers:

• Created a PR for generating the draft SBOM. Next need to hook into the actual release process and opportunistically generate an SBOM.
• Applied changes according to feedback from SBOM reviewers.
• Created a PR for enabling hosting an SBOM artifact on https://python.org/downloads

Other items

• Reviewed PEP 740 proposal for arbitrary attestation mechanism for PyPI artifacts.
• Triaged multiple reports to the Python Security Response Team.

That's all for this week! 👋 If you're interested in more you can read last week's report.

Thanks for reading! ♡ Did you find this article helpful and want more content like it? Get notified of new posts by subscribing to the RSS feed or the email newsletter.

This work is licensed under CC BY-SA 4.0

We are excited to announce the creation of a European project December 1st 2023, which will run for the next 36 months. This Next Generation Internet pilot named "NGI TALER" is operated by a consortium of 11 partners from 8 European countries with the mandate to roll out an innovative electronic payment system for the greater benefit of European citizens, merchants, and banks. This payment system is different from current online payment methods, like credit cards or bank transfers, in that it offers privacy for the buyer: neither merchants nor banks can trace or link the payments. It is also a no-risk payment option for the merchant as there is no equivalent of fake or stolen credit cards, as payments are cleared and confirmed instantly. The payment system is socially, ecologically and fiscally responsible: it is not a new currency, there is no energy-consuming proof-of-work or proof-of-stake method and clearing is processed much faster than payments by credit cards. NGI TA [...]

Disclaimer: I am not one of KDE's masterminds or spokespersons. I am a mere bystander with few unimportant commits. I follow KDE's ecosystem and other developments in the free software world. In the following, I share some thoughts and my personal opinion.

Talks about new programming languagesAfter 30 years of C code, the Linux kernel opens itself to a second high-level language: Rust. Since fall of 2022 the kernel mainly gained infrastructure work. Some experiments show promising results like a Rust-based network driver or a scheduler.Recently, Git developers started to discuss how to allow Rust code in our beloved version control system. Far from having reached a consensus, its media coverage and heated discussions in forums show how interested the public is in this topic.Other projects try to replace established software by rewritten from scratch Rust ones: uutils coreutils, sudo-rs, librsvg, Rustls. Heck, Rewrite it it Rust (RiiR) has become a meme.
We already have a new programming language!KDE is close to its 6th Megarelease, with one major change being based on Qt 6. Qt 6 requires C++17 which -- as of today -- is perceived as modern C++ and is a leap compared to C++11. It is possible to write modern software with C++17. Still, additional tools like C++ Core Guidelines or Cppcheck are advised to keep the number of preventable bugs low.Most of the projects mentioned in the introduction are using C. This inflicts more pain to the developers and thus using Rust is more attractive. For sure, a fair portion of RiiR arguments do not apply to KDE's C++ code base.Problems with C++ remainC++ cannot adapt to modern ways like including a borrow checker or a less complicated syntax, as this would break compatibility. As much as C++ improved as a language, its compilers, and its ecosystem, it is not enough to be considered a good choice for new projects. NIST and NSA advice to move away from C++.Other problems like complicated tooling with variations on different platforms (build systems, compiler, linker, debugger, dependency management), mixed-in C-style code, difficult to parse C++ code, cannot be solved.I fear that in a not to distant future, C++ might be perceived as an outdated choice to learn and people might less likely consider to join KDE as contributors.
What can be done?In the past, GNOME adopted Vala as a new language to solve the short-comings of C. Vala seems to be dead. Going with Rust did not lead to a project-wide adoption.Some people are working on Qt bindings for Rust, e.g., CXX-Qt from KDAB. I am not sure if Qt itself is working on something similar. At least there is no go-to binding.
Beside the hot topic Rust, two big players invest in ways to have good interoperability with existing code bases and a modern language: Cpp2 / cppfront and Carbon.Cpp2 is a new language from Herb Sutter, who chairs the C++ working group. The idea is to have a transpiler cppfront producing modern C++ code. Cpp2 is not backward compatible to C++ and thus not limited in introducing new ways or removing existing parts. Cpp2 promises to integrate seamlessly in existing C++ code bases as it is compiled into C++ code.Carbon is a project by Google developers and follows a different approach. It aims to provide a new language that can use all C++ features in interfaces, even templates with all bells and whistles.Discuss our futureI do not want to whine about C++. I want to start a discussion on how KDE's future might look like. KDE was always driving innovations. We helped CMake to become one of the most important build systems for C++. KDE 4.0 introduced the semantic desktop. KHTML's code base was the nucleus for today's big browsers.Probably we should have this discussion as a BoF at Akademy 2024 or other places where KDE's masterminds and people with a feeling for future trends come together and form/formulate future directions. In the meantime, I start a discourse thread.Personally, I would like to see some push for Cpp2. More important, I want to see that we are actively shaping KDE's future.

Here are my top 10 articles from The DropTimes in 2023. From igniting my Drupal journey with essential resources to exploring the visionary world of Drupal, these articles have shaped my understanding of Drupal's evolution.

#612 – JANUARY 16, 2024
View in Browser »

Exploring Python in Excel

Are you interested in using your Python skills within Excel? Would you like to share a data science project or visualization as a single Office file? This week on the show, we speak with Principal Architect John Lam and Sr. Cloud Developer Advocate Sarah Kaiser from Microsoft about Python in Excel.
REAL PYTHON podcast

Python 3.13 Gets a JIT

This article does a deeper dive into the JIT recently added to the CPython 3.13 pre-release. This JIT is a bit different, it is called a copy-and-patch JIT, and the post explains what that means.
ANTHONY SHAW

NumPy 2 Is Coming: Preventing Breakage, Updating Your Code

NumPy 2 is coming, and it’s backwards incompatible. Learn how to keep your code from breaking, and how to upgrade.
ITAMAR TURNER-TRAURING

Build Invincible Apps With Temporal’s Python SDK

Get an introduction to Temporal’s Python SDK by walking through our easy, free tutorials. Learn how to build Temporal applications using Python, including building a data pipeline Workflow and a subscription Workflow. Get started here →
TEMPORAL sponsor

PSF Says: EU’s Cyber Resilience Act Has Wins for Open Source

PYTHON SOFTWARE FOUNDATION

Articles & Tutorials Learn From 2023’s Most Popular Python Tutorials and Courses

Revisit your favorite Real Python tutorials and video courses from 2023. Explore various topics, from Python basics to web development, machine learning, and effective coding environments. It’s been a busy year of learning, and there’s something for everyone to discover and build upon in 2024.
REAL PYTHON

Python’s Array: Working With Numeric Data Efficiently

In this tutorial, you’ll dive deep into working with numeric arrays in Python, an efficient tool for handling binary data. Along the way, you’ll explore low-level data types exposed by the array module, emulate custom types, and even pass a Python array to C for high-performance processing.
REAL PYTHON

Data Deduplication in Python with RecordLinkage

Duplicate detection is a critical process in data preprocessing, especially when dealing with large datasets. In this tutorial, you will explore data deduplication using Python’s RecordLinkage package, paired with Pandas for data manipulation.
PATRYK SZLAGOWSKI • Shared by Izabela Pawlik

The Curious Case of Pydantic and the 1970s Timestamps

When parsing Unix timestamps, Pydantic guesses whether to interpret them in seconds or milliseconds. While this is certainly convenient and works most of the time, it can drastically (and silently) distort timestamps from a few decades ago.
ARIE BOVENBERG • Shared by Arie Bovenberg

A Critical Supply Chain Attack on PyTorch

This post describes how coders found an exploit in the PyTorch supply chain, leaving the repo and its maintainers up for attack. Full details on what the vulnerability was and how to avoid the problem in your own repos is covered.
JOHN STAWINSKI

Comparing Coroutines, by Example, in Kotlin and Python

This series of 3 articles compares Python and Kotlin, with a focus on coroutines and generators. It compares, through examples, how coroutines are used in both languages, to read files and perform network requests.
MEDIUM.COM • Shared by Carmen Alvarez

Enhance Your Flask Web Project With a Database

Adding a database to your Flask project elevates your web app to the next level. In this tutorial, you’ll learn how to connect your Flask app to a database and how to receive and store posts from users.
REAL PYTHON

SQLALchemy vs Django ORM

If you are working with Django ORM most of the time and then switching to SQLAlchemy, you may face some unexpected behavior. This post describes the most important differences between them.
ALEXEY EVSEEV

Annotating *args and **kwargs in Python

“Typing *args and **kwargs has always been a pain since you couldn’t annotate them precisely before.” This article shows you what your options are when typing function signatures.
REDOWAN DELOWAR

Python Gotcha: Modifying a List While Iterating

Python makes it easy to modify a list while you are iterating through it’s elements. This will bite you. Read on to find out how and what can be done about it.
ANDREW WEGNER

A Deep Dive Into Python’s functools.wraps Decorator

Take a deep dive into Python’s functools.wraps decorator to learn how it maintains metadata in your code. A concise guide to effective decorator use.
JACOB PADILLA

max() is broken

The built-in function max in Python is broken and this article explains why, drawing parallels with other programming and mathematics concepts.
MATHSPP.COM • Shared by Rodrigo Girão Serrão

All PyCon 2023 (US and AU) Talks Sorted by the View Count

A full list of PyCon talks given in the US and Australia which are available on YouTube, and sorted by popularity.
SUBSTACK.COM

Projects & Code PikaPython: Python Interpreter in 4KB of RAM

GITHUB.COM/PIKASTECH

Fontimize: Optimize Fonts to the Glyphs on Your Site

GITHUB.COM/VINTAGEDAVE

instructor: Structured Outputs for LLMS

GITHUB.COM/JXNL

Pint: Units for Python

PYPI.ORG

Events Weekly Real Python Office Hours Q&A (Virtual)

January 17, 2024
REALPYTHON.COM

PyData Bristol Meetup

January 18, 2024
MEETUP.COM

PyLadies Dublin

January 18, 2024
PYLADIES.COM

Chattanooga Python User Group

January 19 to January 20, 2024
MEETUP.COM

IndyPy: Models & AI For Dummies (Hybrid)

January 23, 2024
MEETUP.COM • Shared by Laura Stephens

Happy Pythoning!
This was PyCoder’s Weekly Issue #612.
View in Browser »

[ Subscribe to 🐍 PyCoder’s Weekly 💌 – Get the best Python news, articles, and tutorials delivered to your inbox once a week >> Click here to learn more ]

At The DropTimes (TDT), we constantly evolve. The formative steps for us were challenging. We might be just out of infancy, but still in childhood. That does not give us any excuse not to be a better version of what we were yesterday. As we align with the build-in-open philosophy, let us record our recent decisions in response to community feedback.

Authored by: Nadiia Nykolaichuk.

Upon entering the new year, many of us have started working towards resolutions or aspiring achievements. In the digital space, Drupal websites, too, can aspire to be on the cutting edge of trends and provide the most compelling online journeys to users.