Python Bytes is a weekly podcast hosted by Michael Kennedy and Brian Okken. The show is a short discussion on the headlines and noteworthy news in the Python, developer, and data science space.

#480 Proud Parents

May 18, 2026

Brian #1: Using Django Tasks in production

  • Tim Schilling shares how the Djangonaut Space website has been using Django’s new tasks framework and some of the info missing from the official Django docs.
  • Tasks require a third-party package, django-tasks-db, to actually run.
  • The article walks through all the changes needed to get an email process running that notifies admins of new testimonials. Cool, simple example.
  • With the db backend, you can monitor progress of tasks in the admin, to see which tasks are scheduled, completed, or have errors.
  • Some wishes for the community to implement
    • new tutorial in the Django docs
    • Django Debug toolbar panel for tasks
    • test/mock backend
  • Great title for the wish list: Things I’d like to see, but I’m too lazy to implement myself.

Michael #2: Co-authored with Claude?

  • Via Nik T.
  • We don’t put “executed on macOS”, “edited with PyCharm”, etc. in our commits. Why Claude?
  • Seems like a growth hack to me, and one that I don’t really care to participate in.
  • Some projects that have formalized their thoughts on this: The Generative AI Policy Landscape in Open Source
  • To turn it off, adjust ~/.claude/settings.json (see the docs):
    {
      "attribution": {
        "commit": "",
        "pr": ""
      }
    }

Brian #3: PyPI packages are increasing rapidly

  • Artem Golubin
  • There’s been an increase of published packages per week on PyPI
  • A pretty big increase in the last handful of months.
  • 30% increase since 2025, clearly due to AI
  • Artem is building hexora, a malicious Python code detector.
  • Cool package too, it can:
    • Audit project dependencies to catch potential supply-chain attacks
    • Detect malicious scripts found on platforms like Pastebin, GitHub, or open directories
    • Analyze IoC files from past security incidents
    • Audit new packages uploaded to PyPI.
  • Artem is using hexora to analyze recently published PyPI packages; many are obviously vibe-coded and trigger false positives for abuses of eval, exec, and subprocess.
    • Side note: I don’t think that’s necessarily a false positive. Not malicious, but maybe a stupid-code detector?
  • Lots are LLM-related, and lots have bots contributing code.
  • The publishing rate is crazy; dozens to hundreds of published versions in a day is a bug, not a feature.
  • Brian’s proposal: PyPI should limit releases per day for any package to something a sane human would do, even if they make a mistake on a release, to maybe 2-3, definitely under 10, in a day. And if the repo has obvious agent contributors listed, maybe lower the limit to 1-2 a day? Honestly, “move fast and break things” doesn’t apply to breaking the commons.
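As an added illustration of the kind of static check that trips on eval/exec/subprocess (example written for these notes, not hexora’s code or rule set), a small AST scanner that resolves import aliases and reports every such call in a source file, including a legitimate subprocess use that a naive rule still flags:

```python
import ast

# Names whose calls the scanner flags. hexora's real rule set is not
# reproduced here; these are the three the show notes mention.
FLAGGED_BUILTINS = {"eval", "exec"}
FLAGGED_MODULES = {"subprocess"}

def _resolve(node: ast.AST, aliases: dict) -> str:
    """Render the called expression as a dotted name, undoing import aliases."""
    if isinstance(node, ast.Name):
        return aliases.get(node.id, node.id)
    if isinstance(node, ast.Attribute):
        return f"{_resolve(node.value, aliases)}.{node.attr}"
    return ""

def scan_source(source: str) -> list[tuple[int, str]]:
    """Return (line, dotted name) for every eval/exec/subprocess call."""
    tree = ast.parse(source)
    aliases = {}
    # First pass: map each imported local name back to what it imports.
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                aliases[a.asname or a.name] = a.name
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    # Second pass: flag calls whose resolved name matches a rule.
    hits = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _resolve(node.func, aliases)
            if name in FLAGGED_BUILTINS or name.split(".")[0] in FLAGGED_MODULES:
                hits.append((node.lineno, name))
    return sorted(hits)

# Constructed sample: ordinary-looking package code that still trips the rules.
SAMPLE = """\
import subprocess as sp
from subprocess import run

def git_rev():
    return sp.check_output(["git", "rev-parse", "HEAD"])  # legit, flagged anyway

def load(cfg):
    return eval(cfg)  # should be json.loads

run(["ls"])
"""
```

Running scan_source(SAMPLE) reports the aliased check_output and run calls as subprocess.* alongside the eval, which is exactly the mix of real smell and false positive the notes describe.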

Michael #4: httpx2

  • More on the httpx / httpxyz changes: the Pydantic people started their own fork, httpx2.
  • Michiel says “while we think httpxyz was definitely needed, we welcome httpx2 and think it should be the ‘blessed’ fork.”
  • Kludex, who is among other things a maintainer of Starlette, was considering a fork.
  • As it stands, httpx2 is lacking the performance improvements they added to httpxyz, but it will not be long before they add those, too.
  • Also they already made some smart decisions:
  • Discussion on Hacker News

Extras

Brian:

Joke: Proud Parents