I’m pleased to announce the release of Python 3.13 beta 1 (and feature freeze for Python 3.13).

https://www.python.org/downloads/release/python-3130b1/

 

This is a beta preview of Python 3.13

Python 3.13 is still in development. This release, 3.13.0b1, is the first of four beta release previews of 3.13.

Beta release previews are intended to give the wider community the
opportunity to test new features and bug fixes and to prepare their
projects to support the new feature release.

We strongly encourage maintainers of third-party Python projects to test with 3.13 during the beta phase and report issues found to the Python bug tracker
as soon as possible. While the release is planned to be feature
complete entering the beta phase, it is possible that features may be
modified or, in rare cases, deleted up until the start of the release
candidate phase (Tuesday 2024-07-30). Our goal is to have no ABI changes
after beta 4 and as few code changes as possible after 3.13.0rc1, the
first release candidate. To achieve that, it will be extremely important to get as much exposure for 3.13 as possible during the beta phase.

Please keep in mind that this is a preview release and its use is not recommended for production environments.

Major new features of the 3.13 series, compared to 3.12

Some of the new major new features and changes in Python 3.13 are:

New features

• A new and improved interactive interpreter, based on PyPy’s, featuring multi-line editing and color support, as well as colorized exception tracebacks.
• An experimental free-threaded build mode, which disables the Global Interpreter Lock, allowing threads to run more concurrently.
• A preliminary, experimental JIT, providing the ground work for significant performance improvements.
• The (cyclic) garbage collector is now incremental, which should mean shorter pauses for collection in programs with a lot of objects.
• A modified version of mimalloc is now included, optional but enabled by default if supported by the platform, and required for the free-threaded build mode.
• Docstrings now have their leading indentation stripped, reducing memory use and the size of .pyc files. (Most tools handling docstrings already strip leading indentation.)
• The dbm module has a new dbm.sqlite3 backend that is used by default when creating new files.

Typing

• Support for type defaults in type parameters.
• A new type narrowing annotation, typing.TypeIs.
• A new annotation for read-only items in TypeDicts.

Removals and new deprecations

• PEP 594 (Removing dead batteries from the standard library) scheduled removals of many deprecated modules: aifc, audioop, chunk, cgi, cgitb, crypt, imghdr, mailcap, msilib, nis, nntplib, ossaudiodev, pipes, sndhdr, spwd, sunau, telnetlib, uu, xdrlib, lib2to3.
• Many other removals of deprecated classes, functions and methods in various standard library modules.
• C API removals and deprecations. (Some removals present in alpha 1 were reverted in alpha 2, as the removals were deemed too disruptive at this time.)
• New deprecations, most of which are scheduled for removal from Python 3.15 or 3.16.

(Hey, fellow core developer, if a feature you find important is missing from this list, let Thomas know.)

For more details on the changes to Python 3.13, see What’s new in Python 3.13. The next pre-release of Python 3.13 will be 3.13.0b2, currently scheduled for 2024-05-28.

 

More resources

• Online Documentation
• PEP 719, 3.13 Release Schedule
• Report bugs at Issues · python/cpython · GitHub.
• Help fund Python directly (or via GitHub Sponsors), and support the Python community.

 

Enjoy the new releases

Thanks to all of the many volunteers who help make Python Development
and these releases possible! Please consider supporting our efforts by
volunteering yourself or through organization contributions to the
Python Software Foundation.

Your release team,
Thomas Wouters
Łukasz Langa
Ned Deily
Steve Dower 

 

Yuxuan Shui, the developer behind the X11 compositor picom (a fork of Compton) published a blog post detailing their experiences with using GitHub Copilot for a year. I had free access to GitHub Copilot for about a year, I used it, got used to it, and slowly started to take it for granted, until one day it was taken away. I had to re-adapt to a life without Copilot, but it also gave me a chance to look back at how I used Copilot, and reflect – had Copilot actually been helpful to me? Copilot definitely feels a little bit magical when it works. It’s like it plucked code straight from my brain and put it on the screen for me to accept. Without it, I find myself getting grumpy a lot more often when I need to write boilerplate code – “Ugh, Copilot would have done it for me!”, and now I have to type it all out myself. That being said, the answer to my question above is a very definite “no, I am more productive without it”. Let me explain. ↫ Yuxuan Shui The two main reasons why Shui eventually realised Copilot was slowing them down were its unpredictability, and its slowness. It’s very difficult to understand when, exactly, Copilot will get things right, which is not a great thing to have to deal with when you’re writing code. They also found Copilot incredibly slow, with its suggestions often taking 2-3 seconds or longer to appear – much slower than the suggestions from the clangd language server they use. Of course, everybody’s situation will be different, and I have a suspicion that if you’re writing code in incredibly popular languages, say, Python or JavaScript, you’re going to get more accurate and possibly faster suggestions from Copilot. As Shui notes, it probably also doesn’t help that they’re writing an independent X11 compositor, something very few people are doing, meaning Copilot hasn’t been trained on it, which in turn means the tool probably has no clue what’s going on when Shui is writing their code. As an aside, my opinion on GitHub Copilot is clear – it’s quite possibly the largest case of copyright infringement in human history, and in its current incarnation it should not be allowed to continue to operate. As I wrote over a year ago: If Microsoft or whoever else wants to train a coding “AI” or whatever, they should either be using code they own the copyright to, get explicit permission from the rightsholders for “AI” training use (difficult for code from larger projects), or properly comply with the terms of the licenses and automatically add the terms and copyright notices during autocomplete and/or properly apply copyleft to the newly generated code. Anything else is a massive copyright violation and a direct assault on open source. Let me put it this way – the code to various versions of Windows has leaked numerous times. What if we train an “AI” on that leaked code and let everyone use it? Do you honestly think Microsoft would not sue you into the stone age? ↫ Thom Holwerda It’s curious that as far as I know, Copilot has not been trained on Microsoft’s own closed-source code, say, to Windows or Office, while at the same time the company claims Copilot is not copyright infringement or a massive open source license violation machine. If what Copilot does is truly fair use, as Microsoft claims, why won’t Microsoft use its own closed-source code for training? We all know the answer. Deeply questionable legality aside, do any of you use Copilot? Has it had any material impact on your programming work? Is its use allowed by your employer, or do you only use it for personal projects at home?

One year after a love affair bound him up in a murder case, a foolish DJ has a one-night encounter that leads to even bigger kerfuffles related to his past.

Luciano Zucco, deputado federal do PL-RS, concedeu entrevista ao Jornal da Manhã e falou sobre a situação do Rio Grande do Sul em meio à crise climática por conta das fortes chuvas.

Assista ao Jornal da Manhã completo: https://youtube.com/live/G29NyZJGG2U

Baixe o app Panflix: https://www.panflix.com.br/

Inscreva-se no nosso canal:
https://www.youtube.com/c/jovempannews

Siga o canal “Jovem Pan News” no WhatsApp: https://whatsapp.com/channel/0029VaAxUvrGJP8Fz9QZH93S

Entre no nosso site:
http://jovempan.com.br/

Facebook:
https://www.facebook.com/jovempannews

Siga no Twitter:
https://twitter.com/JovemPanNews

Instagram:
https://www.instagram.com/jovempannews/

TikTok:
https://www.tiktok.com/@jovempannews

Kwai:
https://www.kwai.com/@jovempannews

#JovemPan
#JornalDaManhã

Thierry Ascione, à la fois directeur de l’Open Parc et co-fondateur, avec Jo-Wilfried Tsonga, du All In Group, s’est penché au micro de Tennis Actu pour évoquer plusieurs sujets. Il est bien sûr revenu sur la dernière édition du tournoi, son souhait de “ramener” du tennis de haut niveau à Lyon dès 2025 – en plus du challenger de l’Open Sopra Steria -, avec un autre tournoi challenger et éventuellement un ATP 250 en 2026, mais également sur le très en forme Ugo Humbert (15e ATP), numéro 1 français et tête d’affiche de cette ultime édition du tournoi de Lyon (18-25 mai), qu’il “chapeaute” en tant qu’agent.

How to Setup Landing Page Wordpress

A growing trend is seen in governments favouring free and open-source solutions (FOSS) for their official websites. The potential benefits of FOSS include enhanced security, flexibility, and cost savings. But how widespread is this trend, and which specific systems are gaining traction? To understand the scope of this trend, we examined the official websites of 195 countries globally. This analysis digs deeper into the trend of governments favouring free and open-source solutions for their online presence, uncovering which CMS systems—including Drupal, WordPress, and others—are most preferred for official government communication.

Article showing off Hanami and HTMX used in combination, to create an updating progress bar https://2n.pl/blog/hanami-progress-bar-with-htmx
It is sort of a tutorial, but more of a my own write-up of what I experimented with an learned.
Some more hanami articles are on the blog page, with more to come

You clone a Git repository, then pull from it. How can you tell its
contents are “authentic”—i.e., coming from the “genuine” project you
think you’re pulling from, written by the fine human beings you’ve been
working with? With commit signatures and “verified” badges ✅
flourishing, you’d think this has long been solved—but nope!

Four years after Guix deployed its own
tool to allow
users to authenticate updates fetched with guix pull (which uses Git
under the hood), the situation hasn’t changed all that much: the vast
majority of developers using Git simply do not authenticate the code
they pull. That’s pretty bad. It’s the modern-day equivalent of
sharing unsigned tarballs and packages like we’d blissfully do in the
past century.

The authentication mechanism Guix uses for
channels
is available to any Git user through the guix git authenticate
command. This post is a guide for Git users who are not necessarily
Guix users but are interested in using this command for their own
repositories. Before looking into the command-line interface and how we
improved it to make it more convenient, let’s dispel any
misunderstandings or misconceptions.

Why you should care

When you run git pull, you’re fetching a bunch of commits from a
server. If it’s over HTTPS, you’re authenticating the server itself,
which is nice, but that does not tell you who the code actually comes
from—the server might be compromised and an attacker pushed code to the
repository. Not helpful. At all.

But hey, maybe you think you’re good because everyone on your project is
signing commits and tags, and because you’re disciplined, you routinely
run git log --show-signature and check those “Good signature” GPG
messages. Maybe you even have those fancy “✅ verified” badges as found
on
GitLab
and on
GitHub.

Signing commits is part of the solution, but it’s not enough to
authenticate a set of commits that you pull; all it shows is that,
well, those commits are signed. Badges aren’t much better: the presence
of a “verified” badge only shows that the commit is signed by the
OpenPGP key currently registered for the corresponding GitLab/GitHub
account. It’s another source of lock-in and makes the hosting platform
a trusted third-party. Worse, there’s no notion of authorization (which
keys are authorized), let alone tracking of the history of authorization
changes (which keys were authorized at the time a given commit was
made). Not helpful either.

Being able to ensure that when you run git pull, you’re getting code
that genuinely comes from authorized developers of the project is
basic security hygiene. Obviously it cannot protect against efforts to
infiltrate a project to eventually get commit access and insert
malicious code—the kind of multi-year plot that led to the xz
backdoor—but if you don’t even
protect against unauthorized commits, then all bets are off.

Authentication is something we naturally expect from apt update,
pip, guix pull, and similar tools; why not treat git pull to the
same standard?

Initial setup

The guix git authenticate
command authenticates Git checkouts, unsurprisingly. It’s currently
part of Guix because that’s where it was brought to life, but it can be
used on any Git repository. This section focuses on how to use it; you
can learn about the motivation, its design, and its implementation in
the 2020 blog
post, in the 2022
peer-reviewed academic paper entitled Building a Secure Software
Supply Chain with
GNU Guix,
or in this 20mn
presentation.

To support authentication of your repository with guix git authenticate, you need to follow these steps:

1. Enable commit signing on your repo: git config commit.gpgSign true. (Git now supports other signing methods but here we need
   OpenPGP signatures.)

2. Create a keyring branch containing all the OpenPGP keys of all
   the committers, along these lines:

   git checkout --orphan keyring
   git reset --hard
   gpg --export alice@example.org > alice.key
   gpg --export bob@example.org > bob.key
   …
   git add *.key
   git commit -m "Add committer keys."

   All the files must end in .key. You must never remove keys from
   that branch: keys of users who left the project are necessary to
   authenticate past commits.

3. Back to the main branch, add a .guix-authorizations file, listing
   the OpenPGP keys of authorized committers—we’ll get back to its
   format below.

4. Commit! This becomes the introductory commit from which
   authentication can proceed. The introduction of your repository
   is the ID of this commit and the OpenPGP fingerprint of the key
   used to sign it.

That’s it. From now on, anyone who clones the repository can
authenticate it. The first time, run:

guix git authenticate COMMIT SIGNER

… where COMMIT is the commit ID of the introductory commit, and
SIGNER is the OpenPGP fingerprint of the key used to sign that commit
(make sure to enclose it in double quotes if there are spaces!). As a
repo maintainer, you must advertise this introductory commit ID and
fingerprint on a web page or in a README file so others know what to
pass to guix git authenticate.

The commit and signer are now recorded on the first run in
.git/config; next time, you can run it without any arguments:

guix git authenticate

The other new feature is that the first time you run it, the command
installs pre-push and pre-merge hooks (unless preexisting hooks are
found) such that your repository is automatically authenticated from
there on every time you run git pull or git push.

guix git authenticate exits with a non-zero code and an error message
when it stumbles upon a commit that lacks a signature, that is signed by
a key not in the keyring branch, or that is signed by a key not listed
in .guix-authorizations.

Maintaining the list of authorized committers

The .guix-authorizations file in the repository is central: it lists
the OpenPGP fingerprints of authorized committers. Any commit that is
not signed by a key listed in the .guix-authorizations file of its
parent commit(s) is considered inauthentic—and an error is reported.
The format of
.guix-authorizations
is based on S-expressions
and looks like this:

;; Example ‘.guix-authorizations’ file.

(authorizations
 (version 0)               ;current file format version

 (("AD17 A21E F8AE D8F1 CC02  DBD9 F8AE D8F1 765C 61E3"
   (name "alice"))
  ("2A39 3FFF 68F4 EF7A 3D29  12AF 68F4 EF7A 22FB B2D5"
   (name "bob"))
  ("CABB A931 C0FF EEC6 900D  0CFB 090B 1199 3D9A EBB5"
   (name "charlie"))))

The name bits are hints and do not have any effect; what matters is
the fingerprints that are listed. You can obtain them with GnuPG by
running commands like:

gpg --fingerprint charlie@example.org

At any time you can add or remove keys from .guix-authorizations and
commit the changes; those changes take effect for child commits. For
example, if we add Billie’s fingerprint to the file in commit A, then
Billie becomes an authorized committer in descendants of commit A
(we must make sure to add Billie’s key as a file in the keyring
branch, too, as we saw above); Billie is still unauthorized in branches
that lack A. If we remove Charlie’s key from the file in commit B,
then Charlie is no longer an authorized committer, except in branches
that start before B. This should feel rather natural.

That’s pretty much all you need to know to get started! Check the
manual
for more info.

All the information needed to authenticate the repository is contained
in the repository itself—it does not depend on a forge or key server.
That’s a good property to allow anyone to authenticate it, to ensure
determinism and transparency, and to avoid lock-in.

Interested? You can help!

guix git authenticate is a great tool that you can start using today
so you and fellow co-workers can be sure you’re getting the right code!
It solves an important problem that, to my knowledge, hasn’t really been
addressed by any other tool.

Maybe you’re interested but don’t feel like installing Guix “just” for
this tool. Maybe you’re not into Scheme and Lisp and would rather use a
tool written in your favorite language. Or maybe you think—and
rightfully so—that such a tool ought to be part of Git proper.

That’s OK, we can talk! We’re open to discussing with folks who’d like
to come up with alternative implementations—check out the articles
mentioned above if you’d like to take that route. And we’re open to
contributing to a standardization effort. Let’s get in
touch!

Acknowledgments

Thanks to Florian Pelz and Simon Tournier for their insightful comments
on an earlier draft of this post.