Python Bytes

Michael Kennedy and Brian Okken
Python Bytes
Latest episode

477 episodes

  • Python Bytes

    #476 Common themes

    2026-04-06 | 32 min.
    Topics covered in this episode:

    Migrating from mypy to ty: Lessons from FastAPI

    Oxyde ORM

    Typeshedded CPython docs

    Raw+DC Database Pattern: A Retrospective

    Extras

    Joke

    Watch on YouTube

    About the show

    Sponsored by us! Support our work through:

    Our courses at Talk Python Training

    The Complete pytest Course

    Patreon Supporters

    Connect with the hosts

    Michael: @[email protected] / @mkennedy.codes (bsky)

    Brian: @[email protected] / @brianokken.bsky.social

    Show: @[email protected] / @pythonbytes.fm (bsky)

    Join us on YouTube at pythonbytes.fm/live to be part of the audience. Usually Monday at 11am PT. Older video versions available there too.

    Finally, if you want an artisanal, hand-crafted digest of every week of the show notes in email form? Add your name and email to our friends of the show list, we'll never share it.

    Brian #1: Migrating from mypy to ty: Lessons from FastAPI

    Tim Hopper

    I saw this post by Sebastián Ramírez about all of his projects switching to ty

    FastAPI, Typer, SQLModel, Asyncer, FastAPI CLI

    SqlModel is already ty only - mypy removed

    This signals that ty is ready to use

    Tim lists some steps to apply ty to your own projects

    Add ty alongside mypy

    Set error-on-warning = true

    Accept the double-ignore comments

    Pick a smaller project to cut over first

    Drop mypy when the noise exceeds the signal

    Related anecdote:

    I had tried out ty with pytest-check in the past with difficulty

    Tried it again this morning, only a few areas where mypy was happy but ty reported issues

    At least one ty warning was a potential problem for people running pre-releases of pytest.

    Not really related: packaging.version.parse is awesome

    Michael #2: Oxyde ORM

    Oxyde ORM is a type-safe, Pydantic-centric asynchronous ORM with a high-performance Rust core.

    Note: Oxyde is a young project under active development. The API may evolve between minor versions.

    No sync wrappers or thread pools. Oxyde is async from the ground up

    Includes oxyde-admin

    Features

    Django-style API - Familiar Model.objects.filter() syntax

    Pydantic v2 models - Full validation, type hints, serialization

    Async-first - Built for modern async Python with asyncio

    Rust performance - SQL generation and execution in native Rust

    Multi-database - PostgreSQL, SQLite, MySQL support

    Transactions - transaction.atomic() context manager with savepoints

    Migrations - Django-style makemigrations and migrate CLI

    Brian #3: Typeshedded CPython docs

    Thanks emmatyping for the suggestion

    Documentation for Python with typeshed types

    Source: typeshedding_cpython_docs

    Michael #4: Raw+DC Database Pattern: A Retrospective

    A new design pattern I’m seeing gain traction in the software space: Raw+DC: The ORM pattern of 2026

    I’ve had a chance to migrate three of my most important web apps.

    Thrilled to report that yes, the web app is much faster using Raw+DC

    Plus, this was part of the journey to move from 1.3 GB memory usage to 0.45 GB (more on this next week)

    Extras

    Brian:

    Lean TDD 0.5 update

    Significant rewrite and focus

    Michael:

    pytest-just (for just command file testing), by Michael Booth

    Something going on with Encode

    httpx: Anyone know what's up with HTTPX? And forked

    starlette and uvicorn: Transfer of Uvicorn & Starlette

    mkdocs: The Slow Collapse of MkDocs

    django-rest-framework: Move to django commons?

    Certificates at Talk Python Training

    Joke:

    Neue Rich
  • Python Bytes

    #475 Haunted warehouses

    2026-03-30 | 40 min.
    Topics covered in this episode:

    Lock the Ghost

    Fence for Sandboxing

    MALUS: Liberate Open Source

    Harden your GitHub Actions Workflows with zizmor, dependency pinning, and dependency cooldowns

    Extras

    Joke

    Watch on YouTube

    About the show

    Sponsored by us! Support our work through:

    Our courses at Talk Python Training

    The Complete pytest Course

    Patreon Supporters

    Connect with the hosts

    Michael: @[email protected] / @mkennedy.codes (bsky)

    Brian: @[email protected] / @brianokken.bsky.social

    Show: @[email protected] / @pythonbytes.fm (bsky)

    Join us on YouTube at pythonbytes.fm/live to be part of the audience. Usually Monday at 11am PT. Older video versions available there too.

    Finally, if you want an artisanal, hand-crafted digest of every week of the show notes in email form? Add your name and email to our friends of the show list, we'll never share it.

    Michael #1: Lock the Ghost

    The five core takeaways:

    PyPI "removal" doesn't delete distribution files. When a package is removed from PyPI, it disappears from the index and project page, but the actual distribution files remain accessible if you have a direct URL to them.

    uv.lock uniquely preserves access to ghost packages. Because uv.lock stores direct URLs to distribution files rather than relying on the index API at install time, uv sync can successfully install packages that have already been removed, even with cache disabled. No other Python lock file implementation tested behaved this way.

    This creates a supply chain attack vector. An attacker could upload a malicious package, immediately remove it to dodge automated security scanning, and still have it installable via a uv.lock file, or combine this with the xz-style strategy of hiding malicious additions in large, auto-generated lock files that nobody reviews.

    Removed package names can be hijacked with version collisions. When an owner removes a package, the name can be reclaimed by someone else who can upload different distribution types under the same version number, as happened with "umap." Lock files help until you regenerate them, then you're exposed.

    Your dependency scanning needs to cover lock files, not just manifest files. Scanning only pyproject.toml or requirements.txt misses threats embedded in lock files, which is where the actual resolved URLs and hashes live.

    Brian #2: Fence for Sandboxing

    Suggested by Martin Häcker

    “Some coding platforms have since integrated built-in sandboxing (e.g., Claude Code) to restrict write access to directories and/or network connectivity. However, these safeguards are typically optional and not enabled by default.”

    “JY Tan (on cc) has extracted the sandboxing logic from Claude Code and repackaged it into a standalone Go binary.”

    Source code on GitHub: https://github.com/Use-Tusk/fence

    Related:

    Simon Willison lethal trifecta for AI agents article from June 2025

    Claude Code Sandboxing

    Michael #3: MALUS: Liberate Open Source

    via Paul Bauer

    The service will generate the specs of a library with one AI and build the newly licensed library from the specs with another AI, circumventing the licensing and copyright rules.

    AI that has not been trained on open source reads the docs and API signature, creates a spec. Another AI processes that spec into working software.

    Is it a real site? Are they accepting real money, or are they just trying to cause a stir around copyright?

    Brian #4: Harden your GitHub Actions Workflows with zizmor, dependency pinning, and dependency cooldowns

    Matthias Schoettle

    Avoid things like this: hackerbot-claw: An AI-Powered Bot Actively Exploiting GitHub Actions - Microsoft, DataDog, and CNCF Projects Hit So Far

    Extras

    Brian:

    GitHub is asking to spy on us, that’s nice

    Michael:

    Michael’s new SaaS for podcasters: InterviewCue

    DigitalOcean’s Spaces cold storage for infrequently accessed data

    Minor issue about my fire and forget post, was a latent bug?

    Fire and Forget at Textual follow up article

    Joke: Can you?
  • Python Bytes

    #474 Astral to join OpenAI

    2026-03-23 | 45 min.
    Topics covered in this episode:

    Starlette 1.0.0

    Astral to join OpenAI

    uv audit

    Fire and forget (or never) with Python’s asyncio

    Extras

    Joke

    Watch on YouTube

    About the show

    Sponsored by us! Support our work through:

    Our courses at Talk Python Training

    The Complete pytest Course

    Patreon Supporters
    Connect with the hosts

    Michael: @[email protected] / @mkennedy.codes (bsky)

    Brian: @[email protected] / @brianokken.bsky.social

    Show: @[email protected] / @pythonbytes.fm (bsky)

    Join us on YouTube at pythonbytes.fm/live to be part of the audience. Usually Monday at 11am PT. Older video versions available there too.

    Finally, if you want an artisanal, hand-crafted digest of every week of the show notes in email form? Add your name and email to our friends of the show list, we'll never share it.

    Brian #1: Starlette 1.0.0

    As a reminder, Starlette is the foundation for FastAPI

    Starlette 1.0 is here! - fun blog post from Marcello Trylesinski

    “The changes in 1.0 were limited to removing old deprecated code that had been on the way out for years, along with a few bug fixes. From now on we'll follow SemVer strictly.”

    Fun comment in the “What’s next?” section:

    “Oh, and Sebastián, Starlette is now out of your way to release FastAPI 1.0. 😉”

    Related: Experimenting with Starlette 1.0 with Claude skills

    Simon Willison

    example of the new lifespan mechanism, very pytest fixture-like

    import contextlib

    from starlette.applications import Starlette

    @contextlib.asynccontextmanager
    async def lifespan(app):
        # some_async_resource is whatever the app needs for its lifetime
        # (a DB pool, a client session); it is defined elsewhere in the app.
        async with some_async_resource():
            print("Run at startup!")
            yield
            print("Run on shutdown!")

    app = Starlette(
        routes=routes,  # the app's route list, defined elsewhere
        lifespan=lifespan,
    )

    Michael #2: Astral to join OpenAI

    via John Hagen, thanks

    Astral has agreed to join OpenAI as part of the Codex team

    Congrats Charlie and team

    Seems like Ruff and uv play an important role.

    Perhaps ty holds the most value to directly boost Codex (understanding codebases for the AI)

    All that said, these were open source so there is way more to the motivations than just using the tools.

    After joining the Codex team, we'll continue building our open source tools.

    Simon Willison has thoughts

    discuss.python.org also has thoughts

    The Ars Technica article has interesting comments too

    It’s probably the death of pyx

    Simon points out “pyx is notably absent from both the Astral and OpenAI announcement posts.”

    Brian #3: uv audit

    Submitted by Owen Lemont

    Pieces of uv audit have been trickling in. uv 0.10.12 exposes it to the cli help

    Here’s the roadmap for uv audit

    I tried it out on a package and found a security issue with a dependency

    not of the project, but of the testing dependencies

    but only if using Python < 3.10, even though I’m using 3.14

    Kinda cool

    Looks like it generates a uv.lock file, which includes dependencies for all project-supported versions of Python and systems, which is a very thorough way to check for vulnerabilities.

    But also, maybe some pointers on how to fix the problem would be good. No --fix yet.

    Michael #4: Fire and forget (or never) with Python’s asyncio

    Python’s asyncio.create_task() can silently garbage collect your fire-and-forget tasks starting in Python 3.12

    Formerly fine async code can now stop working, so heads up

    The fix? Use a set to upgrade to a strong ref and a callback to remove it

    Is there a chance of task-based memory leaks? Yeah, maybe.
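    The fix described above, as an added example (not code from the article or the show): a module-level set holds a strong reference to every in-flight task, and a done callback both removes the task from the set (so finished tasks do not accumulate) and retrieves its exception (so failures are not lost silently). The spawn, _job and run_demo names are the example's own.

```python
"""Fire-and-forget tasks that survive garbage collection.

The event loop keeps only weak references to tasks, so a task whose only
strong reference was the return value of create_task() can be collected
before it finishes once the caller drops that value. Holding the task in a
set, and discarding it from a done callback, fixes that without leaking
completed tasks.
"""
import asyncio
from typing import Any, Coroutine

# Strong references to in-flight background tasks (module-level on purpose).
_background_tasks: set[asyncio.Task] = set()
# Exceptions raised by background tasks, kept so they are never silently lost.
_background_errors: list[BaseException] = []


def _on_done(task: asyncio.Task) -> None:
    """Drop the strong reference and surface any exception the task raised."""
    _background_tasks.discard(task)
    if not task.cancelled() and task.exception() is not None:
        _background_errors.append(task.exception())


def spawn(coro: Coroutine[Any, Any, Any]) -> asyncio.Task:
    """Schedule coro as a background task that cannot be GC'd mid-flight."""
    task = asyncio.create_task(coro)
    _background_tasks.add(task)            # upgrade to a strong reference
    task.add_done_callback(_on_done)       # release it again when finished
    return task


async def _job(results: list[str], label: str, fail: bool = False) -> None:
    await asyncio.sleep(0)  # yield once so the caller has really let go of us
    if fail:
        raise RuntimeError(f"{label} failed")
    results.append(label)


async def _main() -> tuple[list[str], int, int]:
    results: list[str] = []
    for i in range(3):
        spawn(_job(results, f"job-{i}"))   # return value deliberately discarded
    spawn(_job(results, "job-bad", fail=True))
    await asyncio.sleep(0.05)              # let the tasks and callbacks run
    return sorted(results), len(_background_tasks), len(_background_errors)


def run_demo() -> tuple[list[str], int, int]:
    """Returns (completed labels, tasks still tracked, errors captured)."""
    _background_errors.clear()
    return asyncio.run(_main())


if __name__ == "__main__":
    print(run_demo())  # (['job-0', 'job-1', 'job-2'], 0, 1)
```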

    Extras

    Brian:

    Nobody Gets Promoted for Simplicity - interesting read and unfortunate truth in too many places.

    pytest-check - All built-in check helper functions in this list also accept an optional xfail reason.

    example: check.equal(actual, expected, xfail="known issue #123")

    Allows some checks to still cause a failure to happen because you no longer have to mark the whole test as xfail

    Michael:

    TurboAPI - FastAPI + Pydantic compatible framework in Zig (see follow up)

    Pyramid 2.1 is out (yes really! :) first release in 3 years)

    Vivaldi 7.9 adds minimalist hide mode.

    Migrated pythonbytes.fm and talkpython.fm to Raw+DC design pattern

    Robyn + Chameleon package

    Joke: We now have translation services
  • Python Bytes

    #473 A clean room rewrite?

    2026-03-16 | 46 min.
    Topics covered in this episode:

    chardet, AI, and licensing

    refined-github

    pgdog: PostgreSQL connection pooler, load balancer and database sharder

    Agentic Engineering Patterns

    Extras

    Joke

    Watch on YouTube

    About the show

    Sponsored by us! Support our work through:

    Our courses at Talk Python Training

    The Complete pytest Course

    Patreon Supporters
    Connect with the hosts

    Michael: @[email protected] / @mkennedy.codes (bsky)

    Brian: @[email protected] / @brianokken.bsky.social

    Show: @[email protected] / @pythonbytes.fm (bsky)

    Join us on YouTube at pythonbytes.fm/live to be part of the audience. Usually Monday at 10am PT. Older video versions available there too.

    Finally, if you want an artisanal, hand-crafted digest of every week of the show notes in email form? Add your name and email to our friends of the show list, we'll never share it.

    Michael #1: chardet, AI, and licensing

    Thanks Ian Lessing

    Wow, where to start?

    A bit of legal precedent research.

    Chardet dispute shows how AI will kill software licensing, argues Bruce Perens on the Register

    Also see this GitHub issue.

    Dan Blanchard, maintainer of a Python character encoding detection library called chardet, released a new version of the library under a new software license. (LGPL → MIT)

    Dan is allowed to make this change because v7 is a complete “clean room” rewrite using AI

    BTW, v7 is WAY better:

    The result is a 48x increase in detection speed for a project that lives in the hot loops of many projects. That will lead to noticeable performance increases for literally millions of users (the package gets ~130M downloads per month).

    It paves a path towards inclusion in the standard library (assuming they don’t institute policies against using AI tools).

    Thread-safe detect() and detect_all() with no measurable overhead; scales on free-threaded Python 3.13t+

    An individual claiming to be Mark Pilgrim, the original creator of the library, opened an issue in the project's GitHub repo arguing that Blanchard had no right to change the software license, citing the LGPL requirement that the license remain unchanged.

    A 'complete rewrite' is irrelevant, since they had ample exposure to the originally licensed code (i.e. this is not a 'clean room' implementation).

    Blanchard disagreed, citing how version 7.0.0 and 6.0.0 compare when subjected to JPlag, a library for detecting plagiarism.

    Blanchard told The Register he had wanted to get chardet added to the Python standard library for more than a decade since it’s a core dependency to most Python projects.

    Brian #2: refined-github

    Suggested by Matthias Schöttle

    A browser plugin that improves the GitHub experience

    A sampling

    Adds a build/CI status icon next to the repo’s name.

    Adds a link back to the PR that ran the workflow.

    Enables tab and shift tab for indentation in comment fields.

    Auto-resizes comment fields to fit their content and no longer show scroll bars.

    Highlights the most useful comment in issues.

    Changes the default sort order of issues/PRs to Recently updated.

    But really, it’s a huge list of improvements

    Michael #3: pgdog: PostgreSQL connection pooler, load balancer and database sharder

    PgDog is a proxy for scaling PostgreSQL.

    It supports connection pooling, load balancing queries and sharding entire databases.

    Written in Rust, PgDog is fast, secure and can manage thousands of connections on commodity hardware.

    Features

    PgDog is an application layer load balancer for PostgreSQL

    Health Checks: PgDog maintains a real-time list of healthy hosts. When a database fails a health check, it's removed from the active rotation and queries are re-routed to other replicas

    Single Endpoint: PgDog can detect writes (e.g. INSERT, UPDATE, CREATE TABLE, etc.) and send them to the primary, leaving the replicas to serve reads

    Failover: PgDog monitors Postgres replication state and can automatically redirect writes to a different database if a replica is promoted

    Sharding: PgDog is able to manage databases with multiple shards

    Brian #4: Agentic Engineering Patterns

    Simon Willison

    So much great stuff here, especially

    Anti-patterns: things to avoid

    And 3 sections on testing

    Red/green TDD

    First run the test

    Agentic manual testing

    Extras

    Brian:

    uv python upgrade will upgrade all versions of Python installed with uv to latest patch release

    suggested by John Hagen

    Coding After Coders: The End of Computer Programming as We Know It

    NY Times Article

    Suggested by Christopher

    Best quote: “Pushing code that fails pytest is unacceptable and embarrassing.”

    Michael:

    Talk Python Training users get a better account dashboard

    Package Managers Need to Cool Down

    Will AI Kill Open Source, article + video

    My Always activate the venv is now a zsh-plugin, sorta.

    Joke: Ergonomic keyboard

    Also pretty good and related:

    Claude Code Mandated


More podcasts in News

About Python Bytes

Python Bytes is a weekly podcast hosted by Michael Kennedy and Brian Okken. The show is a short discussion on the headlines and noteworthy news in the Python, developer, and data science space.
Podcast website

v8.8.6| © 2007-2026 radio.de GmbH
Generated: 4/7/2026 - 7:13:30 AM