Feeds

#647 – SEPTEMBER 17, 2024
View in Browser »

How to Use Conditional Expressions With NumPy where()

This tutorial teaches you how to use the where() function to select elements from your NumPy arrays based on a condition. You’ll learn how to perform various operations on those elements and even replace them with elements from a separate array or arrays.
REAL PYTHON

PythonistR: A Match Made in Data Heaven

In data science you’ll sometimes hear a debate between R and Python. Cosima says ‘why not choose both?’ She outlines a data pipeline that uses the best tool for each job.
COSIMA MEYER

Transcribe Audio in 5 Lines of Code

Build AI apps that understand speech with insanely accurate speech-to-text models. Sign up for a free account and get $50 in credits to try AssemblyAI’s speech recognition models →
ASSEMBLY AI sponsor

Python HTTP Clients: Requests vs. HTTPX vs. AIOHTTP

Learn about the differences between Requests, HTTPX, and AIOHTTP, and when to use each library for your Python projects.
GEORGES HAIDAR

Quiz: Generate Images With DALL·E and the OpenAI API

In this quiz, you’ll test your understanding of generating images with DALL·E by OpenAI using Python. You’ll revisit concepts such as using the OpenAI Python library, making API calls for image generation, creating images from text prompts, and converting Base64 strings to PNG image files.
REAL PYTHON

Quiz: The Walrus Operator: Python’s Assignment Expressions

In this quiz, you’ll test your understanding of the Python Walrus Operator. This operator was introduced in Python 3.8, and understanding it can help you write more concise and efficient code.
REAL PYTHON

Python Releases 3.12.6, 3.11.10, 3.10.15, 3.9.20, and 3.8.20

PYTHON.ORG

Python Release Python 3.13.0rc2

PYTHON.ORG

Articles & Tutorials Python Community Divided Over CoC Enforcement

Over the last few months there has been a lot of back and forth in the Python community, especially on the forums, around changes to bylaws and how the Code of Conduct is enforced. This article covers the history and context of the events.
JAKE EDGE

Django: Rotate Your Secret Key, Fast or Slow

Django’s SECRET_KEY setting is used for cryptographic signing in various places, such as for session storage and password reset tokens. If you need to rotate it you can allow read-only use of the old key to smooth the transition.
ADAM JOHNSON

Posit Connect - Help Your Analytics Team Share and Collaborate

Tired of tediously send files and trying to use general-purpose collaboration tools? Posit Connect makes it easy to share, collaborate, and get feedback on your data science work including Jupyter notebooks, Plotly dashboards, Streamlit, Quarto, Shiny or other interactive analytics applications →
POSIT sponsor

Multiversion Python Thoughts

Armin has played around with enabling multiple versions of a library to be installed for the same instance of Python in the past, and recent feature additions to uv are making it come closer to fruition.
ARMIN RONACHER

How We Made Notebooks Load 10 Times Faster

“When we received feedback our Notebooks UI was taking too long too load, our engineers dove into ways to improve the developer experience — bringing some load times from 30 seconds down to less than one.”
LUIS NEVES

When to Use .__repr__() vs .__str__() in Python

In this video course, you’ll learn the difference between the string representations returned by .__repr__() vs .__str__() and understand how to use them effectively in classes that you define.
REAL PYTHON course

Python Bytes Episode #400

The Python Bytes podcast just delivered show #400. This is a huge accomplishment. This episode celebrates the achievement, and also covers: Python 3.13RC, Docker with uv, the humanize project, and more.
PYTHON BYTES podcast

Improved print Readability With pprint

The pretty print module (pprint) provides more readable output for complex data structures and this post shows you how to use the library and what you can get out of it.
JUHA-MATTI SANTALA

“Next Level Python” Humble Bundle for Charity

Make mastering Python your mission: This mix of online courses, books, exercises, and productivity tools is here to help you succeed—whether you’re a beginner or a skilled Python pro. Support Girls Who Code and get Python books, software, and video courses collectively valued at $1,882 for a pay-what-you-want price →
HUMBLEBUNDLE.COM sponsor

Switching From pyenv to uv

Will has recently switched from using a variety of packaging tools to just using uv. This post is a summary of what needed to change when going from pyenv to uv.
WILL KAHN-GREENE

uv Under Discussion on Mastodon

There is a deep conversation going on about the longevity of uv on Mastodon and for those not on the platform, Simon has summarized it.
SIMON WILLISON

Why Not Comments

This post talks about why you might want to include information in your code comments about why you didn’t take a particular approach.
HILLEL WAYNE

How to Build a Perfect Docker Image for a Poetry Project

This article describes how to build a secure, fast to build, and lightweight Docker image for your Poetry-based project
CODEMAGEDDON • Shared by Sergey

Python macOS Framework Builds

Glyph explains just what a Framework is on macOS and why CPython on macOS should be built that way.
GLYPH LEFKOWITZ

Projects & Code PSP (Python Scaffolding Projects)

GITHUB.COM/MATTEOGUADRINI • Shared by Matteo Guadrini

pocketpy: Portable Python 3.x Interpreter in Modern C

GITHUB.COM/POCKETPY

graphiti: Build Dynamic, Temporally-Aware Knowledge Graphs

GITHUB.COM/GETZEP

picows: Ultra-Fast Websocket Client and Server for Asyncio

GITHUB.COM/TARASKO

django-cotton: Component Based Design to Django Templates

GITHUB.COM/WRABIT

Events PyData Amsterdam 2024

September 18 to September 21, 2024
PYDATA.ORG

Weekly Real Python Office Hours Q&A (Virtual)

September 18, 2024
REALPYTHON.COM

PyCon India 2024

September 20 to September 24, 2024
PYCON.ORG

PyCon TW 2024

September 21 to September 23, 2024
PYCON.ORG

DjangoCon US 2024

September 22 to September 27, 2024
DJANGOCON.US

PyBay 2024

September 23 to September 24, 2024
PYBAY.ORG

PyCon Africa 2024

September 24 to September 29, 2024
PYCON.ORG

PyData Paris 2024

September 25 to September 27, 2024
PYDATA.ORG

PyCon JP 2024

September 27 to September 30, 2024
PYCON.JP

Python Norte 2024

September 27 to September 29, 2024
PYTHONNORTE.ORG

PyCon Niger 2024

September 28 to September 30, 2024
PYCON.ORG

Happy Pythoning!
This was PyCoder’s Weekly Issue #647.
View in Browser »

[ Subscribe to 🐍 PyCoder’s Weekly 💌 – Get the best Python news, articles, and tutorials delivered to your inbox once a week >> Click here to learn more ]

The Open Source Initiative (OSI) is running a blog series to introduce some of the people who have been actively involved in the Open Source AI Definition (OSAID) co-design process. The co-design methodology allows for the integration of diverging perspectives into one just, cohesive and feasible standard. Support and contribution from a significant and broad group of stakeholders is imperative to the Open Source process and is proven to bring diverse issues to light, deliver swift outputs and garner community buy-in.

This series features the voices of the volunteers who have helped shape and are shaping the Definition.

Meet David Manset

What’s your background related to Open Source and AI?

My background in Open Source and AI is shaped by my ongoing experience as the senior coordinator of the Open Source Ecosystem Enabler (OSEE) project at the United Nations International Telecommunication Union (ITU), a project developed in collaboration with the UN Development Program and under the funding of the EU’s Directorate-General for International Partnerships, to support countries developing digital public goods and services using Open Source. In this capacity, a significant part of my work involves driving initiatives related to Open Source for various types of use cases in the public sector.

Witnessing the birth of an Open Source AI definition during the DPGA Annual Members meeting in 2023, I have since then been contributing to the Open Source AI agenda, and more recently to various Open Source AI initiatives within the ITU Open Source Program Office (OSPO). Additionally, I co-lead the Open Source AI for Digital Public Goods (OSAI4DPG) track at AI for Good, focusing on creating AI-driven public goods that are both accessible and affordable.

One of my recent achievements includes co-organizing the AIntuition hackathon aimed at developing cost-effective Open Source AI solutions. This event focused on utilizing Retrieval Augmented Generation (RAG) and Large Language Models (LLMs) to create a basic yet understandable and adaptable prototype implementation for public administration. My efforts in this area highlight my commitment to practical and usable AI tools that meet public sector needs.

Prior to my role at ITU, I worked in the private sector, where I developed AI services that enhanced healthcare services and protected patients/citizens. This experience gives me a well-rounded perspective on implementing and scaling Open Source AI technologies for public benefit.

What motivated you to join this co-design process to define Open Source AI?

My motivation to participate in this co-design process for defining Open Source AI is deeply rooted in my former experiences in software development and as the coordinator of the OSEE project, where my focus lies in enhancing digital public services and developing digital public goods. Open Source AI indeed presents a unique opportunity, especially for the public sector, to adopt cost-effective and scalable solutions that can significantly improve public services. However, to harness these benefits, it is imperative to establish a clear, standardized and consensual definition of Open Source AI. This definition will serve as a foundational guideline, ensuring transparency and understanding of the specific types of AI technologies being developed and implemented.

Moreover, my involvement is driven by the critical work of the ITU OSPO, particularly in developing Open Source AI solutions tailored for low- and middle-income countries (LMICs). These regions often face challenges such as scarce resources and limited representation in global AI training processes. By contributing to the development of Open Source AI, I aim to support these countries in accessing affordable and effective AI technologies, thereby promoting greater equity in AI development and utilization. This effort is not just about technology but also about fostering global inclusivity and ensuring that the benefits of AI are accessible to all.

Why do you think AI should be Open Source?

AI should be Open Source for several compelling reasons, especially when considering its potential impact on global development and governance. First, transparency, traceability and explainability are crucial, particularly in digital public services. Open Source AI allows public scrutiny of the algorithms and models used, ensuring that decision-making processes are transparent and accountable. This is vital for building trust in AI systems, especially in sectors like healthcare, education and public administration, where decisions can significantly impact individuals and communities.

Second, accessibility and affordability are key benefits for LMICs. Open Source AI lowers the barriers to entry, enabling these countries to access cutting-edge technologies without the prohibitive costs associated with proprietary systems. This democratization of AI technology ensures that even resource-constrained nations can harness AI’s transformative potential. Moreover, Open Source AI fosters greater representation and competition for LMICs in the global AI landscape. By contributing to and benefiting from Open Source projects, these countries can influence AI development and ensure that their specific needs and contexts are considered.

Finally, as AI increasingly becomes a foundational technology, Open Source serves as a universal resource that can be adapted and improved by anyone, promoting innovation and inclusivity across the globe.

What new perspectives or ideas did you encounter while participating in the co-design process?

Participating in the co-design process introduced me to several new perspectives and ideas that have deepened my understanding of the role of Open Source AI, particularly in supporting global development. One key insight is the realization that LMICs would significantly benefit from having access to an Open Source AI reference implementation. This concept, which we are actively working on, would provide these countries with a practical, ready-to-use model for AI development, helping them overcome resource constraints and accelerate their AI initiatives.

Another important perspective is that Open Source AI requires solid foundational elements—an Open Source mindset, adherence to best practices, and generalized policies must be embedded across all organizations involved. This is not just about technology; it’s about fostering a culture and infrastructure that supports Open Source principles at every level. Notably, ITU is now coordinating the definition of a common policy framework for United Nations Open Source initiatives, which will be crucial in guiding future Open Source AI developments. This framework will ensure that Open Source AI projects are supported by robust Open Source policies, promoting sustainable and equitable technological advancement worldwide.

What do you think the primary benefit will be once there is a clear definition of Open Source AI?

The primary benefit of a clear definition of Open Source AI will be the establishment of a unified framework that ensures transparency, accessibility, and ethical standards in AI development. This clarity will enable broader adoption across various sectors, particularly in LMICs, by providing a reliable foundation for building and implementing AI technologies. It will also foster global collaboration, ensuring that AI advancements are inclusive and equitable, while promoting innovation through open contributions, ultimately leading to more trustworthy and widely beneficial AI solutions.

What do you think are the next steps for the community involved in Open Source AI?

Once a global standard definition of Open Source AI is established, the Open Source AI community should focus on several key steps to ensure its widespread adoption and effective implementation. These include developing comprehensive guidelines and best practices, creating reference implementations to help organizations, particularly in LMICs, adopt the standard, and enhancing global collaboration through international networks and partnerships. Additionally, launching education and awareness campaigns will be crucial for informing stakeholders about the benefits and practices of Open Source AI. Establishing a governance and compliance framework will help maintain the integrity of AI projects, while supporting policy development and advocacy will ensure alignment with national and international regulations. Finally, fostering innovation and research through funding, hackathons, and collaborative platforms will drive ongoing advancements in Open Source AI. These steps will help build a robust, inclusive, and impactful Open Source AI ecosystem that benefits societies globally.

How to get involved

The OSAID co-design process is open to everyone interested in collaborating. There are many ways to get involved:

• Join the forum: share your comment on the drafts.
• Leave comment on the latest draft: provide precise feedback on the text of the latest draft.
• Follow the weekly recaps: subscribe to our monthly newsletter and blog to be kept up-to-date.
• Join the town hall meetings: we’re increasing the frequency to weekly meetings where you can learn more, ask questions and share your thoughts.
• Join the workshops and scheduled conferences: meet the OSI and other participants at in-person events around the world.

As businesses strive to succeed online, the need for an effective content management system (CMS) becomes paramount. Drupal 11, the latest version of this powerful CMS, is packed with new features and improvements designed to enhance your marketing strategy.

We’re excited to share how these advancements can elevate your marketing efforts and help create exceptional digital experiences for your audience.

Dear Readers,

"Imagine a world where creating or cloning any application becomes as simple as issuing a command: "Build me that."

The capabilities of AI are evolving at a fast pace, and the developments that have been brought forth are unprecedented. The recent demonstration of the O1 model by Reuven Cohen is a striking testament to this progress. Imagine taking a complex content management system like Drupal, traditionally built on PHP, and seamlessly transforming it into a JavaScript-based platform—all within an hour. This is precisely what the O1 model has achieved. Reuven tested this revolutionary AI by converting the entire Drupal CMS into Node.js, and the results were nothing short of astounding. The model didn't just convert code; it reimagined and replicated the whole system in a new language, paving the way for revolutionary changes in software development. 

By providing the O1 model with a detailed prompt, including Drupal's structure, API, and taxonomy, it generated a complete implementation plan in mere seconds. 

"It seamlessly transformed the codebase from PHP to JavaScript," 

Reuven noted, emphasizing how the model made cross-language conversion appear effortless. Once the backend was replicated into what can be called 'Drupal.js,' the process moved on to the front end. Utilizing GPT-Engineer, a UI was designed, wrapping up the entire transformation process in just about an hour.

What makes the O1 model truly exceptional is not just its ability to replicate; it goes beyond to fully clone and transform. The AI didn’t stop at code conversion—it provided a clear specification, built the necessary folder and file structure, and even automated the setup process with a bash script. This is more than a mere glimpse into the future; it is a tangible demonstration of how software development could evolve. 

As we stand on the brink of this new era, it's clear that these advancements will redefine our approach to software development and open-source projects like Drupal. With tools like the O1 model, the boundaries of what's possible are expanding, making this an exhilarating time for developers and tech enthusiasts alike.

With that, let's move on to the stories from last week.

In an interview with Kazima Abbas, a Sub-Editor of The DropTimes (TDT), Julian Chabrillon, a seasoned full-stack developer at ES IMAGINACION, shares his inspiration behind Noah's Page Builder and how he developed the tool. With the help of his wife and work partner, Sofía García de Blas, he shaped its visual identity, creating a cohesive and user-friendly experience.

Among other notable stories, The DropTimes conducted a video interview with Piyuesh Kumar, the Director of Technology at QED42. Starting as an intern and with almost 14 years with QED42, he watched Drupal evolve from a basic content management framework into a powerful digital experience platform. Piyuesh also shares excitement about his upcoming sessions at DrupalCon Barcelona, where he’ll explore topics like AI’s role in supporting Digital Experience Platforms (DXP) and the importance of designing with privacy in mind, particularly in the context of GDPR.

Last week, Drupal.org refreshed its website with new fonts, transitioning from the previous fonts, Ubuntu and Ubuntu Sans, to ZT Gatha and Noto Sans. This update improves the platform's visual appeal and usability, reflecting the ongoing effort to modernize its design and user experience.

DrupalCon Barcelona is just a week away, and The DropTimes has published several articles and lists to guide attendees through the event. DrupalCon Barcelona 2024, happening from September 24-27, will feature several sessions focused on the Drupal Starshot Initiative, a project aimed at simplifying Drupal while incorporating advanced technologies like AI, no-code tools, and browser-based development. Take a look at 10 key sessions that will provide valuable insights into Drupal’s next steps.

This year’s event also promises to be an exciting convergence of ideas and innovations, with AI taking center stage in a range of sessions. As AI technologies continue to transform the way we build and interact with digital experiences, DrupalCon Barcelona 2024 will feature 13 AI-focused sessions, offering attendees the chance to dive into the latest advancements and explore how AI can revolutionize the future of web development.

Building on the success of DrupalCon Lille 2023 and continuing the partnership with TerraVerde Sustainability, the DrupalCon Barcelona 2024 organizers remain committed to advancing sustainability initiatives and creating lasting positive change. As DrupalCon Barcelona 2024 embraces a greener future, five key sustainability initiatives highlight the event’s commitment to reducing its environmental impact.

While you are there, the Drupal Association invites attendees of DrupalCon Barcelona 2024 to visit its booth to engage with the team, learn more about their ongoing initiatives, and explore ways to contribute to the community. 

Meanwhile, we have published a list of Drupal events happening this week for Drupal enthusiasts to attend. Find the content here.

The FOSSEPS and OSOR projects are conducting a survey to assess interest in forming a European Open Source User Group for public administrations. The initiative seeks input from IT professionals within EU public bodies on the current use and challenges of Free and Open Source Software (FOSS).

Darren Oh has introduced the business model behind Drupal Forge, focusing on sustaining Drupal’s software and infrastructure through vendor contributions. Under this model, vendors can partner with product owners, such as the Drupal Association, by offering product trials via launch buttons integrated into their hosting platforms. 

Kevin Quillen has taken up maintainership of the Netlify module for Drupal, a key integration that ensures seamless syncing between Drupal and Netlify. This module enables automatic triggering of builds in Netlify whenever changes are made to Drupal’s content or configuration, allowing headless websites, particularly those built on frameworks like Next.js, to stay current without caching issues.

As a final update, Monarq has developed a new system called Sections & Components to simplify content management in Drupal, enhancing user experience by making the platform more intuitive and flexible. This system enables site administrators to build customized, responsive pages by combining predefined sections and components such as text blocks, images, carousels, and call-to-action buttons.

We acknowledge that there are more stories to share. However, due to selection constraints, we must pause further exploration for now.

To get timely updates, follow us on LinkedIn, Twitter and Facebook. You can also, join us on Drupal Slack at #thedroptimes.

Thank you, 
Sincerely 
Alka Elizabeth 
Sub-editor, The DropTimes.

When using Python's help function, have you ever wondered what the various symbols (/, *, [, and ]) mean? Understanding those symbols will help you better understand how to use the functions and classes you're working with.

Table of contents

1. What do all the symbols mean in help output?
2. Multiple function signatures
3. Pay attention to the nouns
4. The symbols of help
5. Default values: the = symbol
6. Unlimited arguments: the * symbol before an argument name
7. Keyword-only arguments: a lone * symbol
8. Positional-only arguments: a lone / symbol
9. Arbitrary keyword arguments: the ** symbol
10. Square brackets: optional arguments
11. Ellipsis (...) and other weird things
12. The conventions of Python's help function

What do all the symbols mean in help output?

We'll cover what the * and / symbols below mean:

>>> help(sorted) Help on built-in function sorted in module builtins: sorted(iterable, /, *, key=None, reverse=False) Return a new list containing all items from the iterable in ascending order. A custom key function can be supplied to customize the sort order, and the reverse flag can be set to request the result in descending order.

We'll also talk about the different formats that help output comes in. For example, note the square brackets in [x] below and note that there are two different styles noted for calling int:

>>> help(int) Help on class int in module builtins: class int(object) | int([x]) -> integer | int(x, base=10) -> integer

We'll start by giving a name to that line which indicates how a function, method, or class is called.

Multiple function signatures

A function signature notes the …

Read the full article: https://www.pythonmorsels.com/understanding-help/

A well-designed coding environment not only enhances your focus and productivity but also makes coding sessions more enjoyable. In this Code Conversation, your instructor Philipp Ascany will guide you step-by-step through the process of finding, installing, and adjusting color themes in VS Code. You’ll explore the various options available in VS Code and learn how to make fine adjustments to create a setup that suits your personal preferences.

In this video course, you’ll:

• Learn about Themes in VS Code
• Find a VS Code Color Theme
• Select a Theme
• Install Your Theme
• Make Additional Adjustments

By the end of the course, you’ll have a coding environment that not only looks great but also enhances your overall coding experience.

[ Improve Your Python With 🐍 Python Tricks 💌 – Get a short & sweet Python Trick delivered to your inbox every couple of days. >> Click here to learn more and see examples ]

The debridement operation was a success: nothing bad grew afterwards. I was discharged after a couple of nights with crutches, instructions not to weight-bear, a remarkable, portable negative-pressure "Vac" pump that lived by my side, and some strong painkillers.

About two weeks later, I had a skin graft. The surgeon took some skin from my thigh and stitched it over the debridement wound. I was discharged same-day, again with the Vac pump, and again with instructions not to weight-bear, at least for a few days.

This time I only kept the Vac pump for a week, and after a dressing change (the first time I saw the graft), I was allowed to walk again. Doing so is strangely awkward, and sometimes a little painful. I have physio exercises to help me regain strength and understanding about what I can do.

The donor site remained bandaged for another week before I saw it. I was expecting a stitched cut, but the surgeons have removed the top few layers only, leaving what looks more like a graze or sun-burn. There are four smaller, tentative-looking marks adjacent, suggesting they got it right on the fifth attempt. I'm not sure but I think these will all fade away to near-invisibility with time, and they don't hurt at all.

I've now been off work for roughly 12 weeks, but I think I am returning very soon. I am looking forward to returning to some sense of normality. It's been an interesting experience. I thought about writing more about what I've gone through, in particular my experiences in Hospital, dealing with the bureaucracy and things falling "between the gaps". Hanif Kureishi has done a better job than I could. It's clear that the NHS is staffed by incredibly passionate people, but there are a lot of structural problems that interfere with care.

From Fri, Sep 6th to Tue, Sep 10th I attended the 2024 edition of KDE Akademy in Würzburg, Germany. I booked a room in a hotel downtown the same place CoLa, a fellow KDE developer, stayed. Since parking is rather expensive in downtown areas, I left the car in front of the university building where the event was about to start on Saturday morning and took the bus into the city to the hotel. We all used the bus in coming days and one would always meet some KDE folks easy to spot wearing their lanyards.

On Friday night the KDE crowd gathered at a pub in the city and it was great to see old friends and also meet new people. At some point, I was talking to Carlos. It turned out that he already made some contributions to KMyMoney. The git log says it was in 2022. While more and more fellow KDE developers joined the place it became louder and louder and conversations were not easy anymore. Too bad that some of us got stranded at different places on their way out to Würzburg and did not make it until Saturday.

Conference

On Saturday, the conference program started with a keynote by Joanna Murzyn who took us on a journey from crucial mineral mining hubs to electronic waste dumpsters, uncovering the intricate connections between code, hardware, open source principles as well as social and environmental justice. We discovered how the KDE community’s work is shaping a more resilient, regenerative future, and explore ways to extend those principles to create positive impact beyond tech world.

On the first day, I took the opportunity to see the following talks

• Current Developments in KDE Hardware Integration
• KDE to Make Wines — Using KDE Software on Enterprise Desktops a Return on Experience
• KWin Effects: The Next Generation
• Adapt or Die: How new Linux packaging approaches affect wider KDE
• An Operating System of Our Own
• What’s a Maintainer anyway?

The last one for the day complemented the keynote in a nice way. In KDE newcomer Nicole Teale’s talk entitled “Getting Them Early: Teaching Pupils About The Environmental Benefits Of FOSS” she presented the work she is doing introducing KDE/FOSS to pupils, with a focus on its environmental benefits. She shared ideas on how to get schools involved in teaching pupils about reusing old hardware with FOSS. and presented some of the projects that have already been implemented in schools in Germany. This project is funded by the Umweltbundesamt (UBA) called “Sustainable Software For Sustainable Hardware”. The goal of this project is to reduce e-waste by promoting the adoption of KDE / Free & Open Source Software (FOSS) and raising awareness about the critical role software plays in the long-term, efficient use of hardware.

This becomes important in 2025 when Windows 10 runs out of support and Windows 11 requires new hardware, even though the existing one is still perfectly suited for the requirements of the majority of people. Linux and KDE to the rescue.

Saturday ended with Pizza and beer at the university as the booked beer garden canceled the reservation due to approaching thunderstorms.

On Sunday, I saw the following talks

• Openwashing – How do we handle (and enforce?) OSS policies in products?
• Opt In? Opt Out? Opt Green! KDE Eco’s New Sustainability Initiative
• KDE’s CI and CD infrastructure
• The Road to KDE Neon Core — Gosh! We’re surrounded by Snaps everywhere!

and of course the KDE Akademy award ceremony. In between those talks I had a chance to meet Julius Künzel and take a look at the problems we have in the KMyMoney project with the MacOS CD builds. He spotted a few things but I did not have the time to take care of them yet.

As a tradition, on Sunday is also the gathering to take the group picture. Here’s this years edition:

CC-BY-SA 4.0 by Andy Betts Birds of a feather sessions

On Monday and Tuesday I went to various BoF’s and took the opportunity to join the git/Gitlab presentation by Natalie Clarius. I learned a few subtleties of Gitlab that I didn’t know before, so it was worth it. In the meantime I talked with a lot of people and did a small bit of hacking (one bug fixed). The BoFs I joined:

• Opt Green / KDE Eco
• Tutorial: Using lager with Qt/QML
• KDE Goals – Streamlined Application Development Experience
• KDE Linux
• CI / CD

Good-bye Akademy 2024 / Thank you volunteers

Tuesday afternoon was the time to wave good-bye to the fellow KDE people and drive back home which I reached without delay (no traffic on the road) after an hour and a half. Hopefully, I will be able to join next time. Next stop will be the auditing of KDE accounting coming up in Berlin in a few weeks.

A big thank you goes out to the numerous volunteers who made this event happen. The team around seaLne just did a marvelous job.

Increasing work productivity and effectiveness is key in many professions, including Drupal developers. One of the tools that allows you to achieve this is the Drupal Admin Toolbar module. Thanks to it, you can easily access key administrative functions and navigate through admin panels. In this article, you will learn more about the Drupal Admin Toolbar features, benefits, and configuration methods. You will discover the possibilities that this tool has to offer and how it can streamline your Drupal-based website management.

In this quiz, you’ll test your understanding of Python’s standard package manager, pip. You’ll revisit the concepts behind pip, important commands, and how to install packages.

[ Improve Your Python With 🐍 Python Tricks 💌 – Get a short & sweet Python Trick delivered to your inbox every couple of days. >> Click here to learn more and see examples ]

Mastering Dependency Injection in Drupal: A Practical Guide admin Tue, 09/17/2024 - 13:37

<strong>Topics covered in this episode:</strong><br> <ul> <li><strong>“<a href="https://github.com/overhangio/tutor/issues/937?featured_on=pythonbytes">We must replace uwsgi by something else</a>”</strong></li> <li><strong><a href="https://pythonspeed.com/articles/intro-rust-python-extensions?utm_source=pocket_shared&featured_on=pythonbytes">Let’s build and optimize a Rust extension for Python</a></strong></li> <li><strong><a href="https://www.reversinglabs.com/blog/fake-recruiter-coding-tests-target-devs-with-malicious-python-packages?featured_on=pythonbytes">Fake recruiter coding tests target devs with malicious Python packages</a></strong></li> <li><a href="https://pyfound.blogspot.com/2024/08/ask-questions-or-tell-us-what-you-think.html?utm_source=pocket_shared&featured_on=pythonbytes"><strong>Monthly PSF Board Office Hours</strong></a></li> <li><strong>Extras</strong></li> <li><strong>Joke</strong></li> </ul><a href='https://www.youtube.com/watch?v=XKI5gtnKMus' style='font-weight: bold;'data-umami-event="Livestream-Past" data-umami-event-episode="401">Watch on YouTube</a><br> <p><strong>About the show</strong></p> <p>Sponsored by ScoutAPM: <a href="https://pythonbytes.fm/scout"><strong>pythonbytes.fm/scout</strong></a></p> <p><strong>Connect with the hosts</strong></p> <ul> <li>Michael: <a href="https://fosstodon.org/@mkennedy"><strong>@mkennedy@fosstodon.org</strong></a></li> <li>Brian: <a href="https://fosstodon.org/@brianokken"><strong>@brianokken@fosstodon.org</strong></a></li> <li>Show: <a href="https://fosstodon.org/@pythonbytes"><strong>@pythonbytes@fosstodon.org</strong></a></li> </ul> <p>Join us on YouTube at <a href="https://pythonbytes.fm/stream/live"><strong>pythonbytes.fm/live</strong></a> to be part of the audience. Usually <strong>Monday</strong> at 10am PT. Older video versions available there too.</p> <p>Finally, if you want an artisanal, hand-crafted digest of every week of the show notes in email form? Add your name and email to <a href="https://pythonbytes.fm/friends-of-the-show">our friends of the show list</a>, we'll never share it.</p> <p><strong>Michael #1:</strong> <strong>“<a href="https://github.com/overhangio/tutor/issues/937?featured_on=pythonbytes">We must replace uwsgi by something else</a>”</strong></p> <ul> <li>uWSGI is now in maintenance mode: https://uwsgi-docs.readthedocs.io/en/latest/ <ul> <li><em>The project is in maintenance mode</em> <em>(only</em> <em>bugfixes and updates for new languages apis). Do not expect quick answers on github issues and/or pull requests</em> <em>(sorry</em> <em>for that) A big thanks to all of the users and contributors since 2009.</em></li> </ul></li> <li>Reasonable options look like: <ul> <li><a href="https://github.com/emmett-framework/granian?featured_on=pythonbytes">granian</a></li> <li><a href="https://www.uvicorn.org?featured_on=pythonbytes">uvicorn</a></li> <li><a href="https://hypercorn.readthedocs.io/en/latest/index.html?featured_on=pythonbytes">hypercorn</a></li> <li><a href="https://gunicorn.org?featured_on=pythonbytes">gunicorn</a> (potentially with uvicorn workers for async)</li> </ul></li> </ul> <p><strong>Brian #2:</strong> <a href="https://pythonspeed.com/articles/intro-rust-python-extensions?utm_source=pocket_shared&featured_on=pythonbytes">Let’s build and optimize a Rust extension for Python</a></p> <ul> <li>Itamar Turner-Trauring</li> <li>Example: algorithm for approximating the number of unique values in a list</li> <li>Comparison to non-approximation <ul> <li>non-approx is faster but uses way more memory</li> </ul></li> <li>Rust version <ul> <li>Use Maturin and PyO3</li> <li>Pull in Rust dependencies (rand for random numbers)</li> </ul></li> <li>Optimization <ul> <li>link-time optimization</li> <li>faster random</li> <li>store hashes only</li> </ul></li> <li>Future optimizations <ul> <li>change algorithm maybe</li> <li>pass numpy array instead of Python list (I’d like to see that spedup)</li> </ul></li> </ul> <p><strong>Michael #3:</strong> <a href="https://www.reversinglabs.com/blog/fake-recruiter-coding-tests-target-devs-with-malicious-python-packages?featured_on=pythonbytes">Fake recruiter coding tests target devs with malicious Python packages</a></p> <ul> <li>via python weekly</li> <li>GitHub projects that have been linked to previous, targeted attacks in which developers are lured using fake job interviews.</li> <li>Attackers posing as employees of major financial services firms.</li> <li>This previously happened via other means such as NPM</li> <li>This analysis revealed that the direct parent of the detected, malicious files is a PythonPYC file, meaning that once again the team encountered malware hidden in a compiled Python file.</li> <li>“The README files tell would-be candidates to make sure the project is running successfully on their system before making modifications.”</li> <li>What can you do (according to Michael)? <ul> <li>Try out new packages in a docker container</li> <li>Work on code and projects using a VM which has snapshotting (to roll back completely after you’re done)</li> <li>Fire up <a href="https://learn.microsoft.com/en-us/azure/virtual-desktop/users/connect-windows?pivots=remote-desktop-msi&featured_on=pythonbytes">a Windows desktop in the cloud</a> for the project then destroy it</li> </ul></li> </ul> <p><strong>Brian #4:</strong> <a href="https://pyfound.blogspot.com/2024/08/ask-questions-or-tell-us-what-you-think.html?utm_source=pocket_shared&featured_on=pythonbytes"><strong>Monthly PSF Board Office Hours</strong></a></p> <ul> <li>“The Office Hours will be sessions where you can share with us how we can help your community, express your perspectives, and provide feedback for the PSF.”</li> <li>“Unless we have a dedicated topic for a session, you are not limited to talking with us about the above topics, although the discussions should be focused on Python, the PSF, and our community. If you think there’s something we can help with or we should know, we welcome you to come and talk to us!”</li> <li>Upcoming office hours <ul> <li>October 8th, 2024: 9pm UTC</li> <li>November 12th, 2024: 2pm UTC</li> <li>December 10th, 2024: 9pm UTC</li> <li>January 14th, 2025: 2pm UTC</li> <li>February 11th, 2025: 9pm UTC</li> <li>March 11th, 2025: 1pm UTC</li> <li>April 8th, 2025: 9pm UTC</li> <li>May 13th, 2025: 1pm UTC (Live from PyCon US!)</li> <li>June 10th, 2025: 9pm UTC</li> <li>July 9th, 2025: 1pm UTC</li> <li>August 12th, 2025: 9pm UTC</li> </ul></li> </ul> <p><strong>Extras</strong> </p> <p>Brian:</p> <ul> <li><a href="https://2025.pycascades.com?featured_on=pythonbytes">PyCascades CFP closes Friday, Sept 20</a> <ul> <li>PyCascades is in Portland in 2025 (Feb 8 &amp; 9)</li> </ul></li> <li><p>uv <a href="https://github.com/astral-sh/uv/pull/7263?featured_on=pythonbytes">now supports Python 3.13.0rc2</a></p> <pre><code>uv self update uv venv -p 3.13 </code></pre></li> <li><p><a href="https://github.com/astral-sh/uv/issues/7193?featured_on=pythonbytes">Free threaded is still an open issue</a></p></li> </ul> <p>Michael:</p> <ul> <li><a href="https://www.humblebundle.com/software/next-level-python-from-talk-python-and-friends-software?featured_on=pythonbytes">Big Python Humble Bundle with both of our products</a> <ul> <li>Get $1,800 worth of Python content and tools for $30 and contribute to charity</li> <li>Includes 5 <a href="https://training.talkpython.fm/courses/all?featured_on=pythonbytes">Talk Python courses</a></li> <li>Several of Brian’s and his book</li> </ul></li> <li><a href="https://djangonaut.space/comms/2024-opening-session-3/?featured_on=pythonbytes">Djangonaut Space Session 3 Applications Open!</a> <ul> <li>I interviewed <a href="https://talkpython.fm/episodes/show/451/djangonauts-ready-for-blast-off?featured_on=pythonbytes">Sarah and Tushar on Talk Python</a></li> </ul></li> <li><a href="https://alt-tab-macos.netlify.app?featured_on=pythonbytes">AltTab: Windows alt-tab on macOS</a></li> </ul> <p><strong>Joke:</strong> <a href="https://devhumor.com/media/elections-403-for-bidden?featured_on=pythonbytes">Election joke</a></p>

Drupal's ongoing evolution has seen many innovations, with the latest being the introduction of Recipes with the “Recipes Initiative” in Drupal 10.3. Recipes, now part of the core of Drupal, represent a significant shift in how developers can automate the setup and configuration of Drupal sites. A Recipe explores the idea of “composibility” which will enable people to compose a Drupal website as per the need or at least a solid foundation. In this article, we’ll discuss Recipes in detail - what they are, why they’re fantastic, and how you can use them to create a perfectly crafted site. Get ready to cook up a storm with a foolproof recipe for Drupal success! But we already have Distributions! The concept of pre-configured packages is not new to Drupal. It was first introduced in Drupal 5 as Drupal distributions that include the Drupal core, along with additional modules, themes, and configurations aimed at serving a specific use case or industry. This concept made it easier for developers to quickly set up Drupal for specific applications like intranets, e-commerce sites, or government portals without starting from scratch. However, Drupal distributions offer a convenient way to get started with pre-configured setups, but they come with some drawbacks: Limited Flexibility: Predefined features and tightly integrated modules make customization difficult. Maintenance Complexity: Updating distributions can be challenging due to custom configurations, leading to potential compatibility issues. Dependency on Maintainers: Some distributions may be poorly maintained or abandoned, causing risks to security and updates. Performance Overhead: Unnecessary bundled modules can slow down the site and introduce vulnerabilities. Niche Focus: Distributions are often tailored to specific use cases, making it difficult to adapt if your needs change. Drupal Recipes solves problems with distributions by offering more modularity. Instead of coupling everything together, Recipes let you add only the specific features you need, avoiding the bloat of unnecessary modules. A Recipe in action To illustrate, imagine I need to set up an Event feature. For this, I will apply (Recipes are not installed but rather applied) an “Events Content-Type” Recipe which will set an Event content type with necessary attributes & fields, and configure views, metatags & paths for the Event contents. This will give me a solid foundational starting point to implement the feature where 70-80% of the basic setup and configurations are done by Recipes and on top of it I can make customizations to configure other settings as per my requirements. However, once applied, I am no longer dependent on the Recipe package anymore and it can be safely removed from my project keeping all the configured setup intact. Benefits of Drupal Recipes Modular Setup: Recipes allow for specific features or configurations to be added individually at any point in a project timeline.  Combine Multiple Recipes: Recipes can be easily combined or modified to fit specific use cases. This allows for a more customizable site-building experience, making it easier to adapt to changing requirements. No Lock-in: Unlike distributions, which are often tightly integrated, recipes give you more freedom to swap out or upgrade parts of your setup without being tied to a rigid structure. Composable: As mentioned above you can combine multiple recipes which means you can also compose Recipes with other recipes easily. If you want Event registration but also Commerce capabilities, you can easily create a new recipe that will apply the Event and Commerce recipes to be set up. What Recipes can do Install Modules and Themes: Recipes can automatically install necessary modules and themes. Apply Configurations: Recipes can apply both default and selective configurations provided by modules. Update Configurations: Recipes can update module configurations to fit your site's needs through' config actions'. Composable and Reusable: Recipes can be composed of other Recipes, making them highly modular and reusable across different projects. What Recipes cannot do Custom Code or Hooks: Recipes do not include custom PHP code, hooks, or API integrations. Module-Like Functionality: Unlike modules, Recipes cannot contain custom plugins, forms, or other typical Drupal module structures. Persistent Locking: Recipes do not persist after application; they set up the initial state and can be safely removed. Want to take full advantage of Drupal Recipes? Schedule a consultation with our experts and discover how our Drupal development services can help boost your site's growth! How to create and use a Recipe To get started, it is recommended that a new custom repository is created for the recipe. This will ensure that the recipe is version-controlled & managed efficiently to be used on other projects.  At the bare minimum, a recipe will require a “recipe.yml” file as the required file which will define the meta information like name, and description along with installations of modules/themes & configuration installations/updates. Apart from the “recipe.yml” a Recipe can also have the below optional items. The “config” directory holds the configuration entity yml files which will be installed when the Recipe is applied. The “content” directory holds the content entity yml files which will be created after the Recipe is applied. A “composer.json” file that allows the discoverability of Recipes via Composer. It will define any dependencies the Recipe might have on other modules or themes. A “README.md” can also be included to give a brief description of the Recipe which will allow users to better evaluate. So, the folder structure of a Recipe can look like this: recipe_name       ◦ recipe.yml       ◦ config           ▪ node.type.event.yml       ◦ content           ▪ node               • 43940d31-0106-46b4-ba32-39e511eb1f4a.yml       ◦ composer.json       ◦ README.md Dissecting the recipe.yml file A “recipe.yml” at minimal consists of “name” & “description” keys. Apart from that, it can include three different keys: Install packages with the “install” key which will specify the modules and/or themes to be installed when the Recipe is applied. If not already installed, Drupal will proceed to install each of the modules & themes specified in the list. install:   - address   - datetime_range   - media   - media_library   - geolocation_address   - geolocation_leaflet   - layout_builder   - metatag   - pathauto   - paragraphs   - smart_date Configuration related task under “config” key. This allows you to “import” configurations from a module in two ways     • Import all the configurations from a module with the “*” wildcard. This will import all the base configurations & optional configurations from a module.    • Import selective configuration from a module by specifying the list of configurations to be imported. config:   import:     media: "*"     node:       - views.view.contentWhen you want to update any active configuration which is being imported or any existing once, “action” comes into play which will allow you to update those configurations config:   actions:     metatag.settings:       simple_config_update:         entity_type_groups.node.event:           - basic           - advanced     workflows.workflow.editorial:       addNodeTypes:         - event Dependency on other recipes can be included under the “recipes” key which specifies the list of Recipes to be applied prior applying the current Recipe. recipes:   - core/recipes/image_media_type   - core/recipes/editorial_workflowApplying a Recipe Until reaching Phase 2 and a user interface (UI) for easier application, recipes are currently applied using Drupal core's PHP script. It can be executed with the following command in the CLI Drupal root: php core/scripts/drupal recipe recipes/recipe_nameAfter applying the recipe, it's also necessary to clear the caches to ensure the changes take effect. Applying a hosted Recipe If you Recipe has a “composer.json” file then it can be hosted on Packagist.org to make it discoverable and included in any project. However, to download the recipe in a “recipes” directory there are few changes which are required to be made in the project’s “composer.json” file composer require oomphinc/composer-installers-extender:2.0.1Update “installer-types” & “installer-paths” keys in the “composer.json” "installer-types": ["drupal-recipe"], "installer-paths": {   "web/recipes/{$name}": [ "type:drupal-recipe" ] }When you request Composer for a recipe, it will automatically place it in your project's “recipes” directory, similar to how it handles modules or themes. Once this is setup, you then you can use composer to require the package as usual.For this example, I am using a sample recipe which set ups an Event content type along with other configurations updates.  https://github.com/malabya/event_content_type/ composer require imalabya/event_content_type Once downloaded this can be applied with the Drupal core scripts php core/scripts/drupal recipe recipes/event_content_type Once the recipe is applied this will create an Event content type and enable Editirial workflow for the Event content type with default core configurations. This will also create 2 default contents for the Event content type to get started. Unpacking Recipes Even though Recipes do not lock in your site and can be safely replaced or removed once applied, you would want to maintain the dependencies in your project. When you request a Recipe, it will download all the dependencies mentioned in the Recipe’s “composer.json” file, but these dependencies are not copied/unpacked over into the project’s “composer.json” which will make it difficult to maintain or upgrade those dependencies. For this, use the composer plugin Drupal Recipe Unpack Composer Plugin to your project’s “composer.json” which allows the extraction of a packages dependencies into the project root composer and lock files for the sole purpose of implementation within Drupal recipes. Once the plugin is installed you can run the below command to unpack the dependencies composer unpack [organization/package-name]Final thoughts Recipes in Drupal 11 represent a powerful new tool for site builders and developers. They offer flexibility, modularity, and ease of maintenance that surpass traditional installation profiles and distributions. When it comes to creating a new Drupal site or adding new features, Recipes provides a streamlined, efficient way of managing the configuration. As Recipes continues to evolve, they promise to make Drupal site development more agile and responsive to changing needs, ultimately making Drupal a more accessible and powerful platform for all users. So do you want to cook from scratch or use Drupal Recipes? Your choice! Want to know how Drupal Recipes can enhance your project? Reach out to us to learn more about our Drupal development services and get started on your next big idea!

Albert Cervera has found that trytond allows to execute reports for records that user has no read access and also for reports limited to a set of group that the user is not.

Impact

CVSS v3.0 Base Score: 4.3

• Attack Vector: Network
• Attack Complexity: Low
• Privileges Required: Low
• User Interaction: None
• Scope: Unchanged
• Confidentiality: Low
• Integrity: None
• Availability: None

Workaround

There is no known workaround.

Resolution

All affected users should upgrade trytond to the latest version.

Affected versions per series:

• trytond:
  • 7.2: <= 7.2.8
  • 7.0: <= 7.0.17
  • 6.0: <= 6.0.51

Non affected versions per series:

• trytond:
  • 7.2: >= 7.2.9
  • 7.0: >= 7.0.18
  • 6.0: >= 6.0.52

Reference

• https://bugs.tryton.org/13505
• https://bugs.tryton.org/13506

Concerns?

Any security concerns should be reported on the bug-tracker at https://bugs.tryton.org/ with the confidential checkbox checked.

1 post - 1 participant

Read full topic

Review: The Book That Broke the World, by Mark Lawrence

Series: Library Trilogy #2 Publisher: Ace Copyright: 2024 ISBN: 0-593-43796-9 Format: Kindle Pages: 366

The Book That Broke the World is high fantasy and a direct sequel to The Book That Wouldn't Burn. You should not start here. In a delightful break from normal practice, the author provides a useful summary of the previous volume at the start of this book to jog your memory.

At the end of The Book That Wouldn't Burn, the characters were scattered and in various states of corporeality after some major revelations about the nature of the Library and the first appearance of the insectile Skeer. The Book That Wouldn't Burn picks up where it left off, and there is a lot more contact with the Skeer, but my guess that they would be the next viewpoint characters does not pan out. Instead, we get a new group and a new protagonist: Celcha, whose sees angels who come to visit her brother.

I have complaints, but before I launch into those, I should say that I liked this book apart from the totally unnecessary cannibalism. (I'll get to that.) Livira is a bit sidelined, which is regrettable, but Celcha and her brother are interesting new characters, and both Arpix and Clovis, supporting characters in the first book, get some excellent character development. Similar to the first book, this is a puzzle box story full of world-building tidbits with intellectually-satisfying interactions. Lawrence elaborates and complicates his setting in ways that don't contradict earlier parts of the story but create more room and depth for the characters to be creative. I came away still invested in this world and eager to find out how Lawrence pulls the world-building and narrative threads together.

The biggest drawback of this book is that it's not new. My thought after finishing the first book of the series was that if Lawrence had enough world-building ideas to fill three books to that same level of density, this had the potential of being one of my favorite fantasy series of all time. By the end of the second book, I concluded that this is not the case. Instead of showing us new twists and complications the way the first book did throughout, The Book That Broke the World mostly covers the same thematic ground from some new angles. It felt like Lawrence was worried the reader of the first book may not have understood the theme or the world-building, so he spent most of the second book nailing down anything that moved.

I found that frustrating. One of the best parts of The Book That Wouldn't Burn was that Lawrence trusted the reader to keep up, which for me hit the glorious but rare sweet spot of pacing where I was figuring out the world at roughly the same pace as the characters. It surprised me in some very enjoyable ways. The Book That Broke the World did not surprise me. There are a few new things, which I enjoyed, and a few elaborations and developments of ideas, which I mostly enjoyed, but I saw the big plot twist coming at least fifty pages before it happened and found the aftermath more annoying than revelatory. It doesn't help that the plot rests on character misunderstandings, one of my least favorite tropes.

One of the other disappointments of this book is that the characters stop using the Library as a library. The Library at the center of this series is a truly marvelous piece of world-building with numerous fascinating features that are unrelated to its contents, but Livira used it first and foremost as a repository of books. The first book was full of characters solving problems by finding a relevant book and reading it.

In The Book That Broke the World, sadly, this is mostly gone. The Library is mostly reduced to a complicated Big Dumb Object setting. It's still a delightful bit of world-building, and we learn about a few new features, but I only remember two places where the actual books are important to the story. Even the book referenced in the title is mostly important as an artifact with properties unrelated to the words that it contains or to the act of reading it. I think this is a huge lost opportunity and something I hope Lawrence fixes in the last book of the trilogy.

This book instead focuses on the politics around the existence of the Library itself. Here I'm cautiously optimistic, although a lot is going to depend on the third book. Lawrence has set up a three-sided argument between groups that I will uncharitably describe as the libertarian techbros, the "burn it all down" reactionaries, and the neoliberal centrist technocrats. All three of those positions suck, and Lawrence had better be setting the stage for Livira to find a different path. Her unwillingness to commit to any of those sides gives me hope, but bringing this plot to a satisfying conclusion is going to be tricky. I hope I like what Lawrence comes up with, but it feels far from certain.

It doesn't help that he's started delivering some points with a sledgehammer, and that's where we get to the unnecessary cannibalism. Thankfully this is a fairly small part of the tail end of the book, but it was an unpleasant surprise that I did not want in this novel and that I don't think made the story any better.

It's tempting to call the cannibalism gratuitous, but it does fit one of the main themes of this story, namely that humans are depressingly good at using any rule-based object in unexpected and nasty ways that are contrary to the best intentions of the designer. This is the fundamental challenge of the Library as a whole and the question that I suspect the third book will be devoted to addressing, so I understand why Lawrence wanted to emphasize his point. The reason why there is cannibalism here is directly related to a profound misunderstanding of the properties of the library, and I detected an echo of one of C.S. Lewis's arguments in The Last Battle about the nature of Hell.

The problem, though, is that this is Satanic baby-killerism, to borrow a term from Fred Clark. There are numerous ways to show this type of perversion of well-intended systems, which I know because Lawrence used other ones in the first book that were more subtle but equally effective. One of the best parts of The Book That Wouldn't Burn is that there were few real villains. The conflict was structural, all sides had valid perspectives, and the ethical points of that story were made with some care and nuance.

The problem with cannibalism as it's used here is not merely that it's gross and disgusting and off-putting to the reader, although it is all of those things. If I wanted to read horror, I would read horror novels. I don't appreciate surprise horror used for shock value in regular fantasy. But worse, it's an abandonment of moral nuance. The function of cannibalism in this story is like the function of Satanic baby-killers: it's to signal that these people are wholly and irredeemably evil. They are the Villains, they are Wrong, and they cease to be characters and become symbols of what the protagonists are fighting. This is destructive to the story because it's designed to provoke a visceral short-circuit in the reader and let the author get away with sloppy story-telling. If the author needs to use tactics like this to point out who is the villain, they have failed to set up their moral quandary properly.

The worst part is that this was entirely unnecessary because Lawrence's story-telling wasn't sloppy and he set up his moral quandary just fine. No one was confused about the ethical point here. I as the reader was following without difficulty, and had appreciated the subtlety with which Lawrence posed the question. But apparently he thought he was too subtle and decided to come back to the point with a pile-driver. I think that seriously injured the story. The ethical argument here is much more engaging and thought-provoking when it's more finely balanced.

That's a lot of complaints, mostly because this is a good book that I badly wanted to be a great book but which kept tripping over its own feet. A lot of trilogies have weak second books. Hopefully this is another example of the mid-story sag, and the finale will be worthy of the start of the story. But I have to admit the moral short-circuiting and the de-emphasis of the actual books in the library has me a bit nervous. I want a lot out of the third book, and I hope I'm not asking this author for too much.

If you liked the first book, I think you'll like this one too, with the caveat that it's quite a bit darker and more violent in places, even apart from the surprise cannibalism. But if you've not started this series, you may want to wait for the third book to see if Lawrence can pull off the ending.

Followed by The Book That Held Her Heart, currently scheduled for publication in April of 2025.

Rating: 7 out of 10

A minor update 0.3.10 for our nanotime package is now on CRAN. nanotime relies on the RcppCCTZ package (as well as the RcppDate package for additional C++ operations) and offers efficient high(er) resolution time parsing and formatting up to nanosecond resolution, using the bit64 package for the actual integer64 arithmetic. Initially implemented using the S3 system, it has benefitted greatly from a rigorous refactoring by Leonardo who not only rejigged nanotime internals in S4 but also added new S4 types for periods, intervals and durations.

This release updates one S4 methods to very recent changes in r-devel for which CRAN had reached out. This concerns the setdiff() method when applied to two nanotime objects. As it only affected R 4.5.0, due next April, if rebuilt in the last two or so weeks it will not have been visible to that many users, if any. In any event, it now works again for that setup too, and should be going forward.

We also retired one demo function from the very early days, apparently it relied on ggplot2 features that have since moved on. If someone would like to help out and resurrect the demo, please get in touch. We also cleaned out some no longer used tests, and updated DESCRIPTION to what is required now. The NEWS snippet below has the full details.

Changes in version 0.3.10 (2024-09-16)

• Retire several checks for Solaris in test suite (Dirk in #130)

• Switch to Authors@R in DESCRIPTION as now required by CRAN

• Accommodate R-devel change for setdiff (Dirk in #133 fixing #132)

• No longer ship defunction ggplot2 demo (Dirk fixing #131)

Thanks to my CRANberries, there is a diffstat report for this release. More details and examples are at the nanotime page; code, issue tickets etc at the GitHub repository – and all documentation is provided at the nanotime documentation site.

If you like this or other open-source work I do, you can sponsor me at GitHub.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.

Next week is DrupalCon in Barcelona.

I'm not speaking this year but if you're there and want to discuss automated testing, test-driven development, static analysis, Sculpin, Tailwind CSS, Nix, or anything else, I'll be there all week and would love to meet up and chat.

Week 37 summary  Endorse the Open Source AI Definition

• OSI invites individuals and organizations to endorse the Open Source AI Definition (OSAID). Endorsers will have their name and affiliation listed in the press release for Release Candidate 1 (RC1), which is expected to be finalized by the end of September. Those endorsing version 0.0.9 will be contacted again to confirm their support if there are any changes leading up to RC1.

Recommended Resources: US Copyright Office Guidance on TDM

• @mjbommar encourages reviewing the U.S. Copyright Office’s guidance on text and data mining (TDM) exceptions, which provides clear explanations and limitations, especially focusing on non-commercial, scholarly, and teaching uses. He emphasizes that the TDM guidance operates within narrow parameters that are often misunderstood or overlooked.

Proposal to handle Data Openness in the Open Source AI definition [RFC]

• @quaid proposes adding nuance to the Open Source AI (OSAI) Definition by introducing two designations: OSAI D+ (with open data) and OSAI D- (without open data, due to legitimate reasons beyond the creator’s control). He suggests using a dataset certificate of origin (dataset DCO) for self-verification to ensure compliance.
• @kjetilk agrees that verification is key but questions whether data information alone is sufficient for verification. He highlights that verifying rights to the data may not always be possible.
• @stefano appreciates the quadrant system’s clarity and confirms @quaid’s proposal for OSAI D- to be reserved for those with legitimate reasons for not sharing data.
• @thesteve0 expresses skepticism about broadening the “Open Source” label. He argues that without access to both data and code, AI models cannot truly be Open Source and suggests labeling such models as “open weights” instead.
• @shujisado notes the importance of data access in AI, pointing out that OSAID requires detailed information about how data is sourced, including provenance and selection criteria. He also discusses potential legal and ethical reasons for not sharing datasets.
• @Shamar raises concerns about “openwashing” in AI, where developers might distribute a model with a different dataset, undermining trust. He argues that distinguishing between OSAI D+ and D- risks legal complications for derivative works, suggesting that models without open data should not be considered truly open.
• @zack supports the idea of a tiered system (D+ and D-) as an improvement over the current situation, as it incentivizes progress from D- to D+. He is skeptical about verifiability but sees potential in the branding aspect of the proposal.

Welcome diverse approaches to training data within a unified Open Source AI Definition

• @stefano asks @arandal about suggested edits, which include renaming data as “source data,” allowing open-source AI developers to require downstream modifications with open data, and permitting downstream developers to use open data to fine-tune models trained on non-public data. He further asks if arandal compares training data to model weights as source code is to binary code.
• @shujisado agrees with @stefano and points out that while many interpret OSD-compliant licenses to include CC4 and CC0, OSI has not officially evaluated Creative Commons licenses for compliance. He highlights concerns about CC0’s patent defense, which could be crucial for datasets.
• @mjbommar echoes the concerns about patent defense, noting it as a critical issue in both software and data licensing.
• @Shamar supports the first two suggestions but argues that models trained on non-public data cannot meet an “Open Source AI” definition, as they limit the freedom to study and modify, which are core principles of Open Source.

On the current definition of Open Source AI and the state of the data commons

• @nick shares an article by Nathan Lambert, reviewed by key figures in the Open Source AI space, discussing the challenges of training data and the current Open Source AI definition. @Percy Liang (on X) view is highlighted, where he suggests that releasing an entire dataset is neither sufficient nor necessary for Open Source AI. He emphasizes the need for detailed code of the data processing pipeline for transparency, beyond just releasing the dataset.
• @shujisado discusses the legal nuances of using U.S. government documents in AI training, emphasizing that while they may be used in the U.S., legal complications arise in other jurisdictions.
• @Shamar stresses that Open Source AI should provide all the necessary data and processing information to recreate a system, otherwise, calling it Open Source is “open washing.”

[RFC] Separating concerns between Source Data and Processing Information

• @Shamar proposes a clearer distinction between “source data” and “processing information” in the Open Source AI definition to ensure transparency and reproducibility. He suggests source data should be publicly available under the same terms that allowed its original use, while the process used to train the system should be shared under an Open Source license. His formulation aims to prevent loopholes that could lead to open-washing and emphasizes the importance of granting all four freedoms (study, modify, distribute, and use) to qualify as Open Source AI.
• @nick disagrees, arguing that @Shamar proposal misunderstands the difference between the rights to use data for training and the rights to distribute it. He also challenges the claim that exact replication of AI systems can be guaranteed, even with access to the same data.

Open Source AI Definition Town Hall – September 13, 2024

• The sixteenth edition of our town hall meetings was held on the 13th of September. If you missed it, the recording and slides can be found here.

Join us THURSDAY, September 19 at 1pm ET / 10am PT, for our regularly scheduled call to chat about all things Drupal and nonprofits. (Convert to your local time zone.)

We don't have anything specific on the agenda this month, so we'll have plenty of time to discuss anything that's on our minds at the intersection of Drupal and nonprofits.  Got something specific you want to talk about? Feel free to share ahead of time in our collaborative Google doc: https://nten.org/drupal/notes!

All nonprofit Drupal devs and users, regardless of experience level, are always welcome on this call.

This free call is sponsored by NTEN.org and open to everyone. 

• Join the call: https://us02web.zoom.us/j/81817469653

  • Meeting ID: 818 1746 9653
    Passcode: 551681

  • One tap mobile:
    +16699006833,,81817469653# US (San Jose)
    +13462487799,,81817469653# US (Houston)

  • Dial by your location:
    +1 669 900 6833 US (San Jose)
    +1 346 248 7799 US (Houston)
    +1 253 215 8782 US (Tacoma)
    +1 929 205 6099 US (New York)
    +1 301 715 8592 US (Washington DC)
    +1 312 626 6799 US (Chicago)

  • Find your local number: https://us02web.zoom.us/u/kpV1o65N

• Follow along on Google Docs: https://nten.org/drupal/notes

View notes of previous months' calls.

Why we don't use GraphQL wolfgang.ziegler Mon, 09/16/2024 - 21:38 Exploring drawbacks of GraphQL in decoupled Drupal, including complexity, loose contracts, performance issues, and security concerns. RESTful alternatives are discussed. Body

At drunomics we are building decoupled Drupal sites for more than five years. During this time, GraphQL has always been a popular choice for decoupled Drupal sites among professional or enterprise projects, thanks to the well maintained GraphQL contrib module. Still, I've vetted against using GraphQL for various enterprise projects, even though sometimes it was appealing to customers. In this blog post, I'd like to summarize why we don't use GraphQL:

General complexity

GraphQL is not only a new query language to learn for both frontenders and backenders, moreover the backend has to support any kind of queries the frontenders make. On the frontend side of things, additional libraries and tooling is needed to handle the protocol.

Loose contracts

GraphQL gives a lot of power to frontend developers, but that comes with a huge price: No defined or a very loosely defined contract, i.e. the data model or more specifically the GraphQL schema layered on top. Based upon this loose contract the frontend may compose any kind of queries, which the backend has to support. What leads to the next point:

Complex queries

When the backend is exposing the Drupal data schema directly, potentiallly a lot of things become leaked unwanted and changing things might became hard, because: Who knows what data properties the frontend uses and queries for? It's quite hard to optimize for every use-case.

However, the backend may compose it's own GraphQL schema and provide exactly the data model as needed by the client, the frontend. That's indeed, a great option to have, but it requires additional work and code to translate between the schema and the real data model behind. It makes it possible to change the underlying data model and schema mapping, while staying with the same or compatible GraphQL output and schema. But is that code performing the mapping performant enough? Does it work correctly? That's quite hard to tell without knowing exactly the queries one has to optimize and test for. So things are or become complex.

Performance

First of all, GraphQL is bad for caching since it makes use of POST requests. The typical work-around is to use shortened, hashed queries and to access them via GET requests, what can help to mitigate the issue. But this comes at the cost of tying the deployed frontend and backend versions, thus increasing overall system and deployment complexity. That way, the main GraphQL advantage - flexibility at the frontend - gets lost. So not an easy or great compromise to make.

Client driven data fetching

With GraphQL, the web browser (or generally the client) sends a query to the server, specifying the exact data it needs. While this can help to reduce payload size, it puts the client in the "driving seat". That often leads to additional round trips being required: Based upon the first request, often additional data is required for rendering it. This additional data often has to be fetched in additional requests, thus requiring another or multiple round-trips to the server and thus increasing latency.

In contrast, when the server is in the "driving seat", it may efficiently do all queries and resolve additional data, and then send the resulting data over the slower network once.

Security

GraphQL queries can expose sensitive data if not properly secured. This can be mitigated by implementing proper authentication and authorization mechanisms. However, this can get very complex easily: Since the server does not know the queries needed by the client, it needs to handle every possible combination a client may request. Unfortunately, it's commonly rather easy for hackers to purposely write computationally very expensive (GraphQL) queries and to send them to the server, thus opening the door for DDOS or even DOS attacks.

Besides that, due to the complexity of the backend having to cover all possible combinations, the danger for data leaking accidentially becomes rather high.

The conclusion

GraphQL comes with a couple of issues, which are - as usual - solvable. That's a price one might want to pay in certain situations, if the benefits are worth it. Thus, is using GraphQL a good idea? As so often, it depends. But in my experience, it's more often not, than it is.

Alternatives are RESTful

The typical alternative to GraphQL is a RESTful API. As usual, with Drupal there are a couple of good options:

• Drupal comes with the JSON-API out-of-the box, which is a great feature to have. While it's good fit in certain situations, it also faces some of the issues mentioned above, most notable "Client driven data fetching" and "Loose contracts".
• Developers may use Drupal's API to provide custom-coded RESTful endpoints for the client. That addresses all mentioned concerns, but requires backend development time for every feature and most notable careful planing. This comes with the downside of frontend developers loosing the flexibility. (By the way, this is what GraphQL is loved for!)
• Configurable RESTful endpoints. In order to improve the development process and gain flexibility in the frontend, we developed a solution for providing custom RESTful endpoints that are configurable via Drupal, by frontend developers. For that, we improved the Custom Elements module, which is part of Lupus Decoupled Drupal, such that it integrates with Drupal's configuration sytem and provides an UI for customizing output by entity view-mode. That way, in many situations, we can tick all the boxes, while enabling the frontend developer to work efficiently. I'll share more details about the new Custom Elements UI in a dedicated blog post later this week.