Python Bytes

#480: Proud Parents

Topics covered in this episode:

  • Using Django Tasks in production
  • Co-authored with Claude?
  • PyPI packages are increasing rapidly
  • httpx2
  • Extras
  • Joke
Watch on YouTube

About the show

Sponsored by us! Support our work through:

  • Our courses at Talk Python Training
  • The Complete pytest Course
  • Patreon Supporters

Connect with the hosts

  • Michael: @mkennedy@fosstodon.org / @mkennedy.codes (bsky)
  • Brian: @brianokken@fosstodon.org / @brianokken.bsky.social
  • Show: @pythonbytes@fosstodon.org / @pythonbytes.fm (bsky)

Join us on YouTube at pythonbytes.fm/live to be part of the audience. Usually Monday at 11am PT. Older video versions available there too.

Finally, if you want an artisanal, hand-crafted digest of every week of the show notes in email form, add your name and email to our friends of the show list; we'll never share it.

Brian #1: Using Django Tasks in production

  • Tim Schilling shares how the Djangonaut Space website has been using Django’s new tasks framework and some of the info missing from the official Django docs.
  • Tasks require a third-party package, django-tasks-db, to actually run the tasks.
  • Article walks through all changes necessary to get an email process running to notify admins of new testimonials. Cool simple example.
  • With the db backend, you can monitor progress of tasks in the admin, to see which tasks are scheduled, completed, or have errors.
  • Some wishes for the community to implement
    • new tutorial in the Django docs
    • Django Debug toolbar panel for tasks
    • test/mock backend
  • Great title for wish list: Things I’d like to see, but I’m too lazy to implement myself.

Michael #2: Co-authored with Claude?

  • Via Nik T.
  • We don’t put “executed on macOS”, “edited with PyCharm”, etc. in our commits. Why Claude?
  • Seems like a growth hack to me, that I don’t really care to participate in.
  • Some projects that have formalized their thoughts on this: The Generative AI Policy Landscape in Open Source
  • To turn it off, adjust the setting in ~/.claude/settings.json; see the docs.

Brian #3: PyPI packages are increasing rapidly

  • Artem Golubin
  • There’s been an increase of published packages per week on PyPI
  • A pretty big increase in the last handful of months.
  • 30% increase since 2025, clearly due to AI
  • Artem is building hexora, a malicious Python code detector.
  • Cool package too, it can:
    • Audit project dependencies to catch potential supply-chain attacks
    • Detect malicious scripts found on platforms like Pastebin, GitHub, or open directories
    • Analyze IoC files from past security incidents
    • Audit new packages uploaded to PyPI.
  • Artem is using hexora to analyze recently published PyPI packages, and many are obviously vibecoded and trigger false positives for abuses of eval, exec, and subprocess
    • Side note: I don’t think that’s necessarily a false positive. Not malicious, but maybe a stupid-code-detector?
  • Lots are LLM related, lots have bots contributing code
  • Publishing rate is crazy; dozens to hundreds of published versions in a day is a bug, not a feature
  • Brian’s proposal: PyPI should limit releases per day for any package to something a sane human would do, even if they make a mistake on a release, to maybe like 2-3, definitely under 10, in a day. And if the repo has obvious agent contributors listed, maybe lower the limit to 1-2 a day? Honestly, “move fast and break things” doesn’t apply to breaking the commons.
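
To make the eval/exec/subprocess findings above concrete, here is an added sketch (not hexora's code or rules, and not from the article) of a static check that flags those calls and records whether the first argument is a constant or built at runtime. The sample source, the sink lists and the "constant"/"dynamic" labels are constructed for illustration.

```python
import ast

# Constructed sample: sloppy but non-malicious code of the kind described above.
SAMPLE = '''\
import os, subprocess
def calc(expr):
    return eval(expr)
VERSION = eval("1 + 1")
def run(cmd):
    subprocess.run(cmd, shell=True)
    subprocess.run(["git", "status"])
    os.system("ls " + cmd)
'''

CODE_SINKS = {"eval", "exec"}            # execute Python source
SHELL_SINKS = {"os.system", "os.popen"}  # always pass a string to a shell

def dotted_name(func):
    """Return 'eval' or 'module.attr' for simple call targets, else None."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return None

def is_literal(node):
    """True for constants and for lists/tuples built only from constants."""
    if isinstance(node, ast.Constant):
        return True
    if isinstance(node, (ast.List, ast.Tuple)):
        return all(is_literal(e) for e in node.elts)
    return False

def scan(source):
    """Return sorted (line, call, kind); kind is 'dynamic' or 'constant'."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = dotted_name(node.func)
        if name is None or not node.args:
            continue
        shell = any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                    and kw.value.value is True for kw in node.keywords)
        # subprocess.* only counts when shell=True hands the string to a shell.
        if (name in CODE_SINKS or name in SHELL_SINKS
                or (name.startswith("subprocess.") and shell)):
            kind = "constant" if is_literal(node.args[0]) else "dynamic"
            findings.append((node.lineno, name, kind))
    return sorted(findings)

if __name__ == "__main__":
    for line, name, kind in scan(SAMPLE):
        print(f"line {line}: {name}() with {kind} argument")
```

The check matches call names syntactically, so aliased imports such as `from subprocess import run` are not resolved; a "dynamic" hit marks code worth reviewing, not proof of malice.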

Michael #4: httpx2

  • More on the httpx, httpxyz, etc. changes: Pydantic people started their own fork, httpx2.
  • Michiel says “while we think httpxyz was definitely needed, we welcome httpx2 and think it should be the ‘blessed’ fork.”
  • Kludex, who is among other things maintainer of Starlette, was considering a fork
  • As it stands, httpx2 is lacking the performance improvements they added to httpxyz. But it will not be long before they will add those, too.
  • Also they already made some smart decisions:
    • they are switching from certifi to truststore
    • they are switching to compression.zstd on Python 3.14+, enabling zstd compression by default
    • they merged httpcore and vendored it in their repository
  • Discussion on Hacker News

Extras

Brian:

  • The Four Horsemen of the LLM Apocalypse - Anarcat
  • Django/JetBrains 2026 developer survey is open
  • Pyrefly 1.0: “meaning we are confident that Pyrefly is ready for production use.”

Michael:

  • Just about ready to release Python Web Security: OWASP Top 10 with Agentic AI course. Be sure to be on the courses newsletter to get notified.

Joke: Proud Parents