Feeds

The release of Drupal 11 is on the horizon, yet comprehensive information on its features, deprecated modules, and system requirements is scattered. While you can piece together details from documentation and community forums, it would be much more convenient to have everything in one place, hence this post. Since the release of Drupal 10.2, we've known about the deprecations and experimental modules, allowing us to prepare for the transition. With Drupal 10 receiving long-term support (LTS) until Drupal 12, possibly arriving in mid-late 2026, there's no immediate rush to upgrade. However, the benefits of the new features in Drupal 11 make the upgrade highly worthwhile.

I’ve been continuing to work on adapting coverage.py to the new sys.monitoring facility. Getting efficient branch coverage has been difficult even with the new API. The latest idea was to compile the code under measurement to insert phantom lines that could trigger line monitoring events that would track branch execution. But I’ve come to the opinion that this is not the right approach. It’s a complex work-around for a gap in the sys.monitoring API.

Update: Mark Shannon is working on new events: Add BRANCH_TAKEN and BRANCH_NOT_TAKEN events to sys.monitoring.

To re-cap: sys.monitoring let you subscribe to events for code execution. A line event lets you know when lines are executed. You can disable a line event, and you will never again be notified about that particular line being executed.

The gap is in the branch events: when one is fired, it tells you the bytecode offset of the source and destination. The problem is that disabling a branch event disables the source offset. You never hear about that source offset again, even when the destination offset is different. The central idea of a branch is that one source has two different destinations, so this disabling behavior is awkward.

If we leave the branch event enabled, then we might be repeatedly told about the same source/destination pair, slowing down execution. We could disable the event once we saw both possible destinations, but that means implementing our own bookkeeping, and we still have the overhead of repeated first-destination events. If we disable the branch event immediately, we’ll never hear about the other possible destination and the coverage data will be incomplete.

The clever idea from SlipCover is to insert do-nothing lines at each branch destination, then only subscribe to line events. This works in theory, but adds complexity to coverage.py. It also limits how it can be used: you can’t start coverage measurement in a process after code has already been imported because the line insertion happens during compilation via an import hook. To make matters worse, there’s a tricky interaction between the coverage.py import hook and the pytest import hook that rewrites assertions.

Over the years I’ve done plenty of clever work-arounds for limitations in systems I build on top of. They can be interesting puzzles and proud achievements. They can also be maintenance headaches and fragile sources of bugs.

My progress on adapting coverage.py to sys.monitoring has be slow, even glacial. I think it will be faster overall to work on improving sys.monitoring instead, even though it means the improvements wouldn’t be available until 3.14. It will keep coverage.py simpler and more flexible, and will make the improved branch events available to everyone. I can’t see how the current behavior is useful, so let’s change it.

I’ve proposed that we fix the sys.monitoring API. Of course other participation is welcome in that discussion.

I remember years ago working at Lotus, using the Lotus Notes API. I accepted it as a finished thing. Later I joined the organization that built Lotus Notes. We had a discussion about something we were building and a difficulty we were encountering. One of the longer-tenured engineers said, “Let’s extend the API.” It was a revelation that we didn’t have to limit ourselves to the current capabilities of our foundation, we could change the foundation.

The same is true of Python, especially because it is open source. But it can be hard to remember that and to advocate for it where necessary.

BTW, I still believe that coverage.py’s internal focus on “arcs” is misguided, and will be working to remove that idea in favor of true branches.

As I mentioned last time, there’s now a dedicated #coverage-py channel in the Python Discord if you are interested in discussing any of this.

We’re excited to announce the August 2024 release of the Python and Jupyter extensions for Visual Studio Code!

This release includes the following announcements:

• Improved Python discovery using python-environment-tools
• Inline variable values shown in source code
• Improvements to the VS Code Native REPL for Python

If you’re interested, you can check the full list of improvements in our changelogs for the Python, Jupyter and Pylance extensions.

Improved Python discovery using python-environment-tools

In the last release, we announced the Python environment tools, which redesigned the Python discovery infrastructure focused on performance. This new approach reduces the need for executing python binaries to probe for information and thus improving performance.

Starting in this release, we are rolling out this enhancement as part of an experiment. If you are interested in trying this out, you can set "python.locator" to "native" in your User settings.json and reload your VS Code window. Visit the python-environment-tools repo to learn more about this feature, ongoing work, and provide feedback.

Inline variable values shown in source code

The Python Debugger extension introduced an Inline Values feature to enhance your Python debugging experience making it easier to track variable values during a debug session. This feature enables the display of variable values directly in the editor, next to the corresponding line of code during a debugging session. This helps you to quickly understand the state of your program without needing to hover over variables or check the variables pane. To enable this feature, set the configuration value debugpy.showPythonInlineValues to true in your User settings.

Note: This feature is currently in exploration state and improvements are actively being made. Please try out this feature and provide feedback in the vscode-python-debugger repo!

Improvements to the VS Code Native REPL for Python

The experimental native REPL ("python.REPL.sendToNativeREPL": true) will now display success/failure UI, similar to that in a Jupyter cell, depending on the outcome of execution. Furthermore, we have made improvements so that we no longer display an empty line on cells that generate no output.

Other Changes and Enhancements

We have also added small enhancements and fixed issues requested by users that should improve your experience working with Python and Jupyter Notebooks in Visual Studio Code. Some notable changes include:

• Pylance now provides a way to disable unreachability hints in @pylance-release#6106
• The Debug Welcome view now includes a button for quick access to automatic Python configurations when a Python file is open in the editor

Call for Community Feedback

As we are planning and prioritizing future work, we value your feedback! Below are a few issues we would love feedback on:

• In a joint effort from various parts of the Python community, we are collecting responses about usage of type annotations in Python. Please take a few minutes to share your experience in the Type Annotation in Python survey! The survey will close at the end of August 2024.
• Design proposal for test coverage in (@vscode-python#22827)

Try out these new improvements by downloading the Python extension and the Jupyter extension from the Marketplace, or install them directly from the extensions view in Visual Studio Code (Ctrl + Shift + X or ⌘ + ⇧ + X). You can learn more about Python support in Visual Studio Code in the documentation. If you run into any problems or have suggestions, please file an issue on the Python VS Code GitHub page.

The post Python in Visual Studio Code – August 2024 Release appeared first on Python.

This is one of those posts that’s more for my own reference than likely to be helpful for others. If you’re unlucky it’ll have some useful tips for you. If I’m lucky then I’ll get a bunch of folk pointing out some optimisations.

First, what I’m trying to achieve. I want a virtual machine environment where I can manually do tests on random kernels, and also various TPM related experiments. So I don’t want something as fixed as a libvirt setup. I’d like the following:

• It to be fairly lightweight, so I can run it on a laptop while usefully doing other things
• I need a TPM 2.0 device to appear to the guest OS, but it doesn’t need to be a real TPM
• Block device discard should work, so I can back it with a qcow2 image and use fstrim to keep the actual on disk size small, without constraining my potential for file system expansion should I need it
• I’ve no need for graphics, in fact a serial console would be better as it eases copy & paste, especially when I screw up kernel changes

That turns out to be possible, but it took a bunch of trial and error to get there. So I’m writing it down. I generally do this on a Fedora based host system (FC40 at present, but this all worked with FC38 + FC39 too), and I run Debian 12 (bookworm) as the guest. At present I’m using qemu 8.2.2 and swtpm 0.9.0, both from the FC40 packages.

One other issue I spent too long tracking down is that the version of grub 2.06 in bookworm does not manage to pass the TPMEventLog through to the guest kernel properly. The events get measured and the PCRs updated just fine, but /sys/kernel/security/tpm0/binary_bios_measurements doesn’t even get created. Using either grub 2.06 from FC40, or the 2.12 backport in bookworm-backports, makes this work just fine.

Anyway, for reference, the following is the script I use to start the swtpm, and then qemu. The debugcon line can be dropped if you’re not interested in OVMF debug logging. This needs the guest OS to be configured up for a serial console, but avoids the overhead of graphics emulation.

As I said at the start, I’m open to any hints about other options I should be passing; as long as I get acceptable performance in the guest I care more about reducing host load than optimising for the guest.

#!/bin/sh BASEDIR=/home/noodles/debian-qemu if [ ! -S ${BASEDIR}/swtpm/swtpm-sock ]; then echo Starting swtpm: swtpm socket --tpmstate dir=${BASEDIR}/swtpm \ --tpm2 \ --ctrl type=unixio,path=${BASEDIR}/swtpm/swtpm-sock & fi echo Starting QEMU: qemu-system-x86_64 -enable-kvm -m 2048 \ -machine type=q35 \ -smbios type=1,serial=N00DL35,uuid=fd225315-f72a-4d66-9b16-55363c6c938b \ -drive if=pflash,format=qcow2,readonly=on,file=/usr/share/edk2/ovmf/OVMF_CODE_4M.qcow2 \ -drive if=pflash,format=raw,file=${BASEDIR}/OVMF_VARS.fd \ -global isa-debugcon.iobase=0x402 -debugcon file:${BASEDIR}/debian.ovmf.log \ -device virtio-blk-pci,drive=drive0,id=virblk0 \ -drive file=${BASEDIR}/debian-12-efi.qcow2,if=none,id=drive0,discard=on \ -net nic,model=virtio -net user \ -chardev socket,id=chrtpm,path=${BASEDIR}/swtpm/swtpm-sock \ -tpmdev emulator,id=tpm0,chardev=chrtpm \ -device tpm-tis,tpmdev=tpm0 \ -display none \ -nographic \ -boot menu=on

Middle Age and Absences

“Fundamentals are the foundation of excellence. Without a strong base, you cannot reach your full potential.” – John Wooden

Hey there!

Let’s talk fundamentals today. Why are they important? John Wooden’s quote sums it up nicely, but let’s unpack it a bit more:

1. Strong foundation:

   • A solid grasp of fundamental concepts provides a strong foundation for building advanced skills. Just like a house needs a sturdy base, your knowledge in software engineering needs a solid groundwork. It may sound cliché, but it’s still true.

   • Continuous learning: fundamentals serve as a launchpad for continuous learning. Once you have a solid base, you can explore more advanced topics and specializations, keeping your skills sharp and relevant.

2. Confidence: mastering the fundamentals boosts your confidence.  Remember, competence breeds confidence.

3. Shelf-life: technology evolves at a breakneck pace. Remember when new JavaScript frameworks seemed to pop up before your morning coffee? Or just look at how quickly the AI space is advancing these days. While frameworks come and go, fundamentals like data structures, algorithms, math, software design, OS internals, and soft skills have enduring value. Investing in these fundamentals offers a much better return on investment compared to the often fleeting value of the latest frameworks.

Understanding the fundamentals is essential for software engineers at all levels; they’re not just for beginners.

Which specific fundamentals are important for software engineers?

Well, everyone loves a good list, so here you go - an opinionated list of essential fundamentals for software engineers at all levels, from entry-level to senior IC, staff, and beyond:

1. Programming languages: this one’s super obvious. The main question is which languages? Python, JavaScript, Go, and some C are the usual suspects. Bonus points if you dive into how interpreters and compilers work.

2. Software design and architecture

3. Data structures and algorithms (DSA)

4. Operating systems: this also includes basic computer architecture and networking.

5. Databases: design and internals

6. Distributed systems: nowadays, systems run on multiple machines and instances, so understanding the basics of distributed systems is important.

7. Math: this might be controversial, but it can also be the secret sauce, especially statistics and math for AI.

8. Soft skills: fundamental to any engineer’s career unless you’re living in a cave alone. The truth is, soft skills are actually hard to master.

Consider this a teaser! I’ll be doing deep dives into these fundamentals in upcoming posts, along with other key essentials for software engineers.

Spotlight

In today’s spotlight: “The Pragmatic Programmer: Your Journey to Mastery”

Andy Hunt and Dave Thomas offer a wealth of practical advice, timeless tips, and real-world examples. Every software engineer needs “The Pragmatic Programmer” on their shelf. Now in its second (20th anniversary) edition, this book is a must-read. I fondly remember the original edition titled “From Journeyman to Master.” My copy is well-worn from many reads - truly good books are worth revisiting.

Sneak Peak

In the next post, I’ll talk about essential fundamentals for engineering managers.

Stay curious,

Ruslan

In the Django framework, a project refers to the collection of configuration files and code for a particular website. Django groups business logic into what it calls apps, which are the modules of the Django framework. There’s plenty of documentation on how to structure your projects and the apps within them, but when it comes time to package an installable Django app, information is harder to find.

In this tutorial, you’ll learn how to take an app out of a Django project and package it so that it’s installable. Once you’ve packaged your app, you can share it on PyPI so that others can fetch it through pip.

In this tutorial, you’ll learn:

• What the differences are between writing stand-alone apps and writing apps inside of projects
• How to create a pyproject.toml file for publishing your Django app
• How to bootstrap Django outside of a Django project so you can test your app
• How to test across multiple versions of Python and Django using nox
• How to publish your installable Django app to PyPI using Twine

This tutorial includes a working package to help guide you through the process of making an installable Django app. You can download the source code by clicking the link below:

Get Your Code: Click here to download the free sample code that shows you how to write an installable Django app.

Prerequisites

This tutorial requires some familiarity with Django, pip, PyPI, pyenv—or an equivalent virtual environment tool—and nox. To learn more about these, you can check out the following resources:

• Django Tutorials
• Using Python’s pip to Manage Your Projects’ Dependencies
• How to Publish an Open-Source Python Package to PyPI
• Managing Multiple Python Versions With pyenv

Starting a Sample Django App in a Project

Even if you set out to make your Django app available as a package, you’ll likely start inside a project. In the sample code, you’ll find a 000_before directory that shows the code before the app is moved onto its own, demonstrating the process of transitioning from a Django project to an installable Django app.

You can also download the finished app at the PyPI realpython-django-receipts package page, or install the package by running python -m pip install realpython-django-receipts.

The sample app is a short representation of the line items on a receipt. In the 000_before folder, you’ll find a directory named sample_project that contains a working Django project:

sample_project/ │ ├── receipts/ │ ├── fixtures/ │ │ └── receipts.json │ │ │ ├── migrations/ │ │ ├── 0001_initial.py │ │ └── __init__.py │ │ │ ├── __init__.py │ ├── admin.py │ ├── apps.py │ ├── models.py │ ├── tests.py │ ├── urls.py │ └── views.py │ ├── sample_project/ │ ├── __init__.py │ ├── asgi.py │ ├── settings.py │ ├── urls.py │ └── wsgi.py │ ├── db.sqlite3 ├── manage.py ├── resetdb.sh └── runserver.sh

This tutorial was written using Django 5.0.7 and it was tested with Python 3.8 through 3.12. All of the steps outlined in this tutorial should be compatible with earlier versions of Django going back to Django 1.8. However, some modifications will be necessary if you’re using Python 2. For simplicity, the examples in this tutorial assume at least Python 3.8 across the code base.

Creating the Django Project From Scratch

The sample project and receipts app were created using the Django admin command and some small edits. To start, run the following code inside of a clean virtual environment:

Shell $ python -m pip install Django $ django-admin startproject sample_project $ cd sample_project $ python manage.py startapp receipts Copied!

This creates the sample_project project directory structure and a receipts app subdirectory with template files that you’ll use to create your installable Django app.

Next, the sample_project/settings.py file needs a few modifications:

• Add "127.0.0.1" to the ALLOWED_HOSTS setting so you can test locally.
• Add "receipts" to the INSTALLED_APPS list.

You’ll also need to register the receipts app’s URLs in the sample_project/urls.py file. To do so, add path("receipts/", include("receipts.urls")) to the url_patterns list. Note that you’ll need to add the include function as an import from django.urls.

Exploring the Receipts Sample App

The app consists of two ORM model classes: Item and Receipt. The Item class contains database field declarations for a description and a cost. The cost is contained in a DecimalField. It’s never a good idea to use floating-point numbers to represent money. Instead, you should always use fixed-point numbers when dealing with currencies.

The Receipt class is a collection point for Item objects. This is achieved with a ForeignKey on Item that points to Receipt. Receipt also includes total() for getting the total cost of Item objects contained in the Receipt:

Read the full article at https://realpython.com/installable-django-app/ »

[ Improve Your Python With 🐍 Python Tricks 💌 – Get a short & sweet Python Trick delivered to your inbox every couple of days. >> Click here to learn more and see examples ]

56th issue of Andrei Neagoie's must-read monthly Python Newsletter: Python Web Apps, Python Oopsie with Apple, Some Advice From a 15+ Vet, and much more. Read the full newsletter to get up-to-date with everything you need to know from last month.

Join the FSF and friends on Friday, August 2 from 12:00 to 15:00 EDT (16:00 to 19:00 UTC) to help improve the Free Software Directory.

In an insightful interview with Alka Elizabeth, Jürgen Haas, Co-Founder of LakeDrops, delves into the development and impact of the ECA module, a tool for workflow automation in Drupal. Jürgen, an expert in technical solution architectures, discusses how the ECA module simplifies complex tasks through a no-code approach, making it accessible to developers and non-technical users. He also explores the module's potential future integration with Drupal core and its role in promoting sustainable, open-source practices within the digital community. This interview provides a comprehensive look at how the ECA module reshapes user experiences and sets new standards in the Drupal ecosystem.

In this quiz, you’ll test your understanding of the most commonly used built-in exceptions in Python.

Exception handling is a core topic in Python. Knowing how to use some of the most common built-in exceptions can help you to debug your code and handle your own exceptions.

Good luck!

[ Improve Your Python With 🐍 Python Tricks 💌 – Get a short & sweet Python Trick delivered to your inbox every couple of days. >> Click here to learn more and see examples ]

Review: The Book That Wouldn't Burn, by Mark Lawrence

Series: Library Trilogy #1 Publisher: Ace Copyright: 2023 ISBN: 0-593-43793-4 Format: Kindle Pages: 561

The Book That Wouldn't Burn is apparently high fantasy, but of the crunchy sort that could easily instead be science fiction. It is the first of a trilogy.

Livira is a young girl, named after a weed, who lives in a tiny settlement in the Dust. She is the sort of endlessly curious and irrepressible girl who can be more annoying than delightful to adults who are barely keeping everyone alive. Her settlement is not the sort of place that's large enough to have a name; only their well keeps them alive in the desert and the ever-present dust. There is a city somewhere relatively near, which Livira dreams of seeing, but people from the settlement don't go there.

When someone is spotted on the horizon approaching the settlement, it's the first time Livira has ever seen a stranger. It's also not a good sign. There's only one reason for someone to seek them out in the Dust: to take. Livira and the other children are, in short order, prisoners of the humanoid dog-like sabbers, being dragged off to an unknown fate.

Evar lives in the library and has for his entire life. Specifically, he lives in a square room two miles to a side, with a ceiling so high that it may as well be a stone sky. He lived there with his family before he was lost in the Mechanism. Years later, the Mechanism spit him out alongside four other similarly-lost kids, all from the same library in different times. None of them had apparently aged, but everyone else was dead. Now, years later, they live a strange and claustrophobic life with way too much social contact between way too few people.

Evar's siblings, as he considers them, were each in the Mechanism with a book. During their years in the Mechanism they absorbed that book until it became their focus and to some extent their personality. His brothers are an assassin, a psychologist, and a historian. His sister, the last to enter the Mechanism and a refugee from the sabber attack that killed everyone else, is a warrior. Evar... well, presumably he had a book, since that's how the Mechanism works. But he can't remember anything about it except the feeling that there was a woman.

Evar lives in a library in the sense that it's a room full of books, but those books are not on shelves. They're stacked in piles and massive columns, with no organizational system that any of them could discern. There are four doors, all of which are closed and apparently impenetrable. In front of one of them is a hundred yards of char and burned book remnants, but that door is just as impenetrable as the others. There is a pool in the center of the room, crops surrounding it, and two creatures they call the Soldier and the Assistant. That is the entirety of Evar's world.

As you might guess from the title, this book is about a library. Evar's perspective of the library is quite odd and unexplained until well into the book, and Livira's discovery of the library and subsequent explorations are central to her story, so I'm going to avoid going into too many details about its exact nature. What I will say is that I have read a lot of fantasy novels that are based around a library, but I don't think I've ever read one that was this satisfying.

I think the world of The Book That Wouldn't Burn is fantasy, in that there are fundamental aspects of this world that don't seem amenable to an explanation consistent with our laws of physics. It is, however, the type of fantasy with discoverable rules. Even better, it's the type of fantasy where discovering the rules is central to the story, for both the characters and the readers, and the rules are worth the effort. This is a world-building tour de force: one of the most engrossing and deeply satisfying slow revelations that I have read in a long time. This book is well over 500 pages, the plot never flags, new bits of understanding were still slotting into place in the last chapter, and there are lots of things I am desperately curious about that Lawrence left for the rest of the series. If you like puzzling out the history and rules of an invented world and you have anything close to my taste in characters and setting, you are going to love this book.

(Also, there is at least one C.S. Lewis homage that I will not spoil but that I thought was beautifully done and delightfully elaborated, and I am fairly sure there is a conversation happening between this book and Philip Pullman's His Dark Materials series that I didn't quite untangle but that I am intrigued by.)

I do need to offer a disclaimer: Livira is precisely the type of character I love reading about. She's stubborn, curious, courageous, persistent, egalitarian, insatiable, and extremely sharp. I have a particular soft spot for exactly this protagonist, so adjust the weight of my opinion accordingly. But Lawrence also makes excellent use of her as a spotlight to illuminate the world-building. More than anything else in the world, Livira wants to understand, and there is so much here to understand.

There is an explanation for nearly everything in this book, and those explanations usually both make sense and prompt more questions. This is such a tricky balance for the writer to pull off! A lot of world-building of this sort fails either by having the explanations not live up to the mysteries or by tying everything together so neatly that the stakes of the world collapse into a puzzle box. Lawrence avoids both failures. This world made sense to me but remained sufficiently messy to feel like humans were living in it. I also thought the pacing and timing were impeccable: I figured things out at roughly the same pace as the characters, and several twists and turns caught me entirely by surprise.

I do have one minor complaint and one caveat. The minor complaint is that I thought one critical aspect of the ending was a little bit too neat and closed. It was the one time in the book where I thought Lawrence simplified his plot structure rather than complicated it, and I didn't like the effect it had on the character dynamics. There is, thankfully, the promise of significant new complications in the next book.

The caveat is a bit harder to put my finger on, but a comparison to Alaya Dawn Johnson's The Library of Broken Worlds might help. That book was also about a library, featured a protagonist thrown into the deep end of complex world-building, and put discovery of the history and rules at the center of the story. I found the rules structure of The Book That Wouldn't Burn more satisfyingly complicated and layered, in a way that made puzzle pieces fit together in my head in a thoroughly enjoyable way. But Johnson's book is about very large questions of identity, history, sacrifice, and pain, and it's full of murky ambiguity and emotions that are only approached via metaphor and symbolism. Lawrence's book is far more accessible, but the emotional themes are shallower and more straightforward. There is a satisfying emotional through-line, and there are some larger issues at stake, but it won't challenge your sense of morality and justice the way that The Library of Broken Worlds might. I think which of those books one finds better will depend on what mood you're in and what reading experience you're looking for.

Personally, I was looking for a scrappy, indomitable character who would channel her anger into overcoming every obstacle in the way of thoroughly understanding her world, and that's exactly what I got. This was my most enjoyable reading experience of the year to date and the best book I've read since Some Desperate Glory. Fantastic stuff, highly recommended.

Followed by The Book That Broke the World, and the ending is a bit of a cliffhanger so you may want to have that on hand. Be warned that the third book in the series won't be published until 2025.

Rating: 9 out of 10

It’s not often that a company is willing to make a sworn statement to a court about how its IT practices are incompatible with the needs of the Internet, but when they do… it’s popcorn time.

The Combatants

In the red corner, weighing in at… nah, I’m not going to do that schtick.

The plaintiff in the case is Alegeus Technologies, LLC, a Delaware Corporation that, according to their filings, “is a leading provider of a business-tobusiness, white-label funding and payment platform for healthcare carriers and third-party administrators to administer consumer-directed employee benefit programs”. Not being subject to the US’ bonkers health care system, I have only a passing familiarity with the sorts of things they do, but presumably it involves moving a lot of money around, which is sometimes important.

The defendant is DigiCert, a CA which, based on analysis I’ve done previously, is the second-largest issuer of WebPKI certificates by volume.

The History

According to a recently opened Mozilla CA bug, DigiCert found an issue in their “domain control validation” workflow, that meant it may have been possible for a miscreant to have certificates issued to them that they weren’t legitimately entitled to. Given that validating domain names is basically the “YOU HAD ONE JOB!” of a CA, this is a big deal.

The CA/Browser Forum Baseline Requirements (BRs) (which all CAs are required to adhere to, by virtue of their being included in various browser and OS trust stores), say that revocation is required within 24 hours when “[t]he CA obtains evidence that the validation of domain authorization or control for any Fully‐Qualified Domain Name or IP address in the Certificate should not be relied upon” (section 4.9.1.1, point 5).

DigiCert appears to have at least tried to do the right thing, by opening the above Mozilla bug giving some details of the problem, and notifying their customers that their certificates were going to be revoked. One may quibble about how fast they’re doing it, but they’re giving it a decent shot, at least.

A complicating factor in all this is that, only a touch over a month ago, Google Chrome announced the removal of another CA, Entrust, from its own trust store program, citing “a pattern of compliance failures, unmet improvement commitments, and the absence of tangible, measurable progress in response to publicly disclosed incident reports”. Many of these compliance failures were failures to revoke certificates in a timely manner. One imagines that DigiCert would not like to gain a reputation for tardy revocation, particularly at the moment.

The Legal Action

Now we come to Alegeus Technologies. They’ve opened a civil case whose first action is to request the issuance of a Temporary Restraining Order (TRO) that prevents DigiCert from revoking certificates issued to Alegeus (which the court has issued). This is a big deal, because TROs are legal instruments that, if not obeyed, constitute contempt of court (or something similar) – and courts do not like people who disregard their instructions. That means that, in the short term, those certificates aren’t getting revoked, despite the requirement imposed by root stores on DigiCert that the certificates must be revoked. DigiCert is in a real “rock / hard place” situation here: revoke and get punished by the courts, or don’t revoke and potentially (though almost certainly not, in the circumstances) face removal from trust stores (which would kill, or at least massively hurt, their business).

The reasons that Alegeus gives for requesting the restraining order is that “[t]o Reissue and Reinstall the Security Certificates, Alegeus must work with and coordinate with its Clients, who are required to take steps to rectify the certificates. Alegeus has hundreds of such Clients. Alegeus is generally required by contract to give its clients much longer than 24 hours’ notice before executing such a change regarding certification.”

In the filing, Alegeus does acknowledge that “DigiCert is a voluntary member of the Certification Authority Browser Forum (CABF), which has bylaws stating that certificates with an issue in their domain validation must be revoked within 24 hours.” This is a misstatement of the facts, though. It is the BRs, not the CABF bylaws, that require revocation, and the BRs apply to all CAs that wish to be included in browser and OS trust stores, not just those that are members of the CABF. In any event, given that Alegeus was aware that DigiCert is required to revoke certificates within 24 hours, one wonders why Alegeus went ahead and signed agreements with their customers that required a lengthy notice period before changing certificates.

What complicates the situation is that there is apparently a Master Services Agreement (MSA) that states that it “constitutes the entire agreement between the parties” – and that MSA doesn’t mention certificate revocation anywhere relevant. That means that it’s not quite so cut-and-dried that DigiCert does, in fact, have the right to revoke those certificates. I’d expect a lot of “update to your Master Services Agreement” emails to be going out from DigiCert (and other CAs) in the near future to clarify this point.

Not being a lawyer, I can’t imagine which way this case might go, but there’s one thing we can be sure of: some lawyers are going to able to afford that trip to a tropical paradise this year.

The Security Issues

The requirement for revocation within 24 hours is an important security control in the WebPKI ecosystem. If a certificate is misissued to a malicious party, or is otherwise compromised, it needs to be marked as untrustworthy as soon as possible. While revocation is far from perfect, it is the best tool we have.

In this court filing, Alegeus has claimed that they are unable to switch certificates with less than 24 hours notice (due to “contractual SLAs”). This is a pretty big problem, because there are lots of reasons why a certificate might need to be switched out Very Quickly. As a practical example, someone with access to the private key for your SSL certificate might decide to use it in a blog post. Letting that sort of problem linger for an extended period of time might end up being a Pretty Big Problem of its own. An organisation that cannot respond within hours to a compromised certificate is playing chicken with their security.

The Takeaways

Contractual obligations that require you to notify anyone else of a certificate (or private key) changing are bonkers, and completely antithetical to the needs of the WebPKI. If you have to have them, you’re going to want to start transitioning to a private PKI, wherein you can do whatever you darn well please with revocation (or not). As these sorts of problems keep happening, trust stores (and hence CAs) are going to crack down on this sort of thing, so you may as well move sooner rather than later.

If you are an organisation that uses WebPKI certificates, you’ve got to be able to deal with any kind of certificate revocation event within hours, not days. This basically boils down to automated issuance and lifecycle management, because having someone manually request and install certificates is terrible on many levels. There isn’t currently a completed standard for notifying subscribers if their certificates need premature renewal (say, due to needing to be revoked), but the ACME Renewal Information Extension is currently being developed to fill that need. Ask your CA if they’re tracking this standards development, and when they intend to have the extension available for use. (Pro-tip: if they say “we’ll start doing development when the RFC is published”, run for the hills; that’s not how responsible organisations work on the Internet).

The Givings

If you’ve found this helpful, consider shouting me a refreshing beverage. Reading through legal filings is thirsty work!

The diffoscope maintainers are pleased to announce the release of diffoscope version 273. This version includes the following changes:

[ Chris Lamb ] * Factor out version detection in test_jpeg_image. (Re: reproducible-builds/diffoscope#384) * Ensure that 'convert' is from Imagemagick 6.x; we will need to update a few things with IM7. (Closes: reproducible-builds/diffoscope#384) * Correct import of identify_version after refactoring change in 037bdcbb0. [ Mattia Rizzolo ] * tests: + Add OpenSSH key test with a ed25519 key. + Skip the OpenSSH test with DSA key if openssh is >> 9.7 + Support ffmpeg >= 7 that adds some extra context to the diff * Do not ignore testing in gitlab-ci. * debian: + Temporarily remove aapt, androguard and dexdump from the build/test dependencies as they are not available in testin/trixie. Closes: #1070416 + Bump Standards-Version to 4.7.0, no changes needed. + Adjust options to make sure not to pack the python s-dist directory into the debian source package. + Adjust the lintian overrides.

You find out more by visiting the project homepage.

Authored by Nadiia Nykolaichuk.

CKEditor 5 has become a signature innovation in Drupal 10 and a symbol of cutting-edge content editing. As more Drupal websites upgrade, editorial teams can enjoy CKEditor 5’s new and vibrant design, where every detail is crafted for usability and efficiency.

Quick note that the yearly extend-the-expiry-of-my-GPG-key has happened early this year, as I realised that my GPG information on FreeBSD infrastructure was outdated. This doesn’t extend the Calamares signing-subkey (not yet) but does add new EC subkeys if that’s your kind of thing. The Calamares signing-subkey is valid until November 2024.

Get the exported public key block here.

#640 – JULY 30, 2024
View in Browser »

Build Captivating Display Tables in Python With Great Tables

Do you need help making data tables in Python look interesting and attractive? How can you create beautiful display-ready tables as easily as charts and graphs in Python? This week on the show, we speak with Richard Iannone and Michael Chow from Posit about the Great Tables Python library.
REAL PYTHON podcast

Overview of the Module itertools

This article proposes the top 3 iterators that are most useful from the module itertools, classifies all of the 19 iterators into 5 categories, and then provides brief usage examples for all the iterators in the module itertools.
RODRIGO GIRÃO SERRÃO • Shared by Rodrigo Girão Serrão

Take a Free Course. It’s on us

Learn how to speed up Python programs on NVIDIA GPUs using Numba, a type-specializing just-in-time compiler. Join the NVIDIA Developer Program to take our ‘Fundamentals of Accelerated Computing with CUDA Python’ course for free →
NVIDIA sponsor

Asyncio Event Loop in Separate Thread

Typically, the asyncio event loop runs in the main thread, but as that is the one used by the interpreter, sometimes you want the event loop to run in a separate thread. This article talks about why and how to do just that.
JASON BROWNLEE

Quiz: Python Type Checking

In this quiz, you’ll test your understanding of Python type checking. You’ll revisit concepts such as type annotations, type hints, adding static types to code, running a static type checker, and enforcing types at runtime. This knowledge will help you develop your code more efficiently.
REAL PYTHON

Quiz: Build a Blog Using Django, GraphQL, and Vue

In this quiz, you’ll test your understanding of building a Django blog back end and a Vue front end, using GraphQL to communicate between them. This will help you decouple your back end and front end, handle data persistence in the API, and display the data in a single-page app (SPA).
REAL PYTHON

PEP 751: A File Format to List Python Dependencies for Installation Reproducibility (New)

This PEP proposes a new file format for dependency specification to enable reproducible installation in a Python environment.
PYTHON.ORG

pytest 8.3 Released

PYTEST.ORG

Django 5.1 RC 1 Released

DJANGO SOFTWARE FOUNDATION

Discussions Interesting Topics for an Advanced Python Lecture?

DISCUSSIONS ON PYTHON.ORG

Articles & Tutorials Wide Angle Lens Distortion Correction With Straight Lines

Discusses how to estimate and correct wide-angle lens distortion using straight lines in an image. It covers techniques like the Radon transform, Hough transform, and an iterative optimization algorithm to estimate the distortion parameters and undistort the image. The author also provides Python code to match the division-based undistortion model to the OpenCV distortion model.
HUGO HADFIELD

Testing Python Integration With an Azure Eventhub

Using an Azure EventHub with Python is pretty easy thanks to Azure SDK for Python. However, ensuring that your code actually send events into an event hub in a reliable and automated way can be a bit harder. This article demonstrates how you can achieve this thanks to asyncio, docker and pytest.
BENOÎT GODARD • Shared by Benoît Godard

Crunchy Bridge Integrates Postgres with DuckDB

Postgres excels in managing transactional databases. DuckDB offers fast performance for queries and data analysis. Integrating these two databases provides a hybrid solution leveraging the strengths of both transactional and analytical workloads.
CRUNCHY DATA sponsor

pandas GroupBy: Grouping Real World Data in Python

In this course, you’ll learn how to work adeptly with the pandas GroupBy while mastering ways to manipulate, transform, and summarize data. You’ll work with real-world datasets and chain GroupBy methods together to get data into an output that suits your needs.
REAL PYTHON course

10 Open-Source Tools for Optimizing Cloud Expenses

The cloud gets you scale, but it can also be complicated to price properly. This article covers ten different open source tools that you can use to optimize your deployment and understand the associated costs.
TARUN SINGH

Hugging Face Transformers: Open-Source AI With Python

As the AI boom continues, the Hugging Face platform stands out as the leading open-source model hub. In this tutorial, you’ll get hands-on experience with Hugging Face and the Transformers library in Python.
REAL PYTHON

Tanda Runner: A Personalized Running Dashboard

This post talks about a new dashboard tool for visualizing your Strava running data and getting personalized recommendations for your next big race. It is built using Django and includes a LLM integration.
DUARTE O.CARMO

You Don’t Have to Guess to Estimate

“There are roughly three senses of ‘estimate.’ One is ‘a prediction of how much something will cost.’ One is ‘a guess.’ But another definition is a rough calculation.”
NAT BENNETT

Using else in a Comprehension

While list comprehensions in Python don’t support the else keyword directly, conditional expressions can be embedded within list comprehension.
TREY HUNNER

TIL: Difference Between __getattr__ and __getattribute__

A quick post on the the difference between __getattr__ and __getattribute__.
RODRIGO GIRÃO SERRÃO

Projects & Code taipy: Turns Data Into a Web App

GITHUB.COM/AVAIGA

posting: The Modern API Client That Lives in Your Terminal

GITHUB.COM/DARRENBURNS

django-sql-explorer: Share Data With SQL Queries

GITHUB.COM/EXPLORERHQ

pyxel: A Retro Game Engine for Python

GITHUB.COM/KITAO

Herbie: Retrieve Weather Prediction Data

GITHUB.COM/BLAYLOCKBK • Shared by Brian Blaylock

Maelstrom: A Clustered Test Runner for Python and Rust

GITHUB.COM/MAELSTROM-SOFTWARE • Shared by Neal Fachan

Events Weekly Real Python Office Hours Q&A (Virtual)

July 31, 2024
REALPYTHON.COM

Canberra Python Meetup

August 1, 2024
MEETUP.COM

Sydney Python User Group (SyPy)

August 1, 2024
SYPY.ORG

Django Girls Ecuador 2024

August 3, 2024
OPENLAB.EC

Melbourne Python Users Group, Australia

August 5, 2024
J.MP

STL Python

August 8, 2024
MEETUP.COM

Happy Pythoning!
This was PyCoder’s Weekly Issue #640.
View in Browser »

[ Subscribe to 🐍 PyCoder’s Weekly 💌 – Get the best Python news, articles, and tutorials delivered to your inbox once a week >> Click here to learn more ]