The Python world never stops spinning! After the release of Python 3.11 in October, the Python release team is already launching the first alpha versions of Python 3.12. The excitement of trying shiny new things shouldn’t distract you from being cautious while coding, though. Recently, researchers found more malicious packages on PyPI, and lawyers raised concerns about license violations when using GitHub Copilot to generate code.
Let’s dive into the biggest Python news from the past month!
Join Now: Click here to join the Real Python Newsletter and you'll never miss another Python tutorial, course update, or post.
Python 3.12 Alpha Released
One of the most newsworthy events from October was the release of Python 3.11. While many of us are exploring the cool new features of Python 3.11, others are already hard at work on the next release.
Right on track with the Python 3.12 release schedule, the Python release team unveiled Python 3.12 alpha 2 in the middle of November. The core team is still early in the development cycle, but so far, the list of new features seems exciting.
Here’s some of what’s coming in Python 3.12:
- Even more improved error messages
- Support for the Linux `perf` profiler
- Deprecation of old functions, classes, and modules
While Python 3.11 already improved error messages, the next feature release will offer even better suggestions for fixing errors. For example, check out what it does when you forget to import a module or order your import statements wrong:
```pycon
>>> sys.version_info
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
NameError: name 'sys' is not defined. Did you forget to import 'sys'?
>>> import pi from math
  File "<stdin>", line 1
    import pi from math
    ^^^^^^^^^^^^^^^^^^^
SyntaxError: Did you mean to use 'from ... import ...' instead?
```
Especially when you’re learning Python, constructive error messages can point you in the right direction to improve your code. But even if you’re a seasoned Python developer, the upcoming Python release will have something in store for you:
The Linux `perf` profiler enables you to analyze the performance of your application. You could already use `perf` to obtain information about your Python code before Python 3.12. However, you could only see the names of functions and procedures written in the C programming language. With the Python 3.12 support for `perf`, you’ll be able to investigate Python call stacks and see Python functions in the output of `perf`.
The new Python release also continues to remove dead batteries from the standard library, with the following rationale:
Back in the early days of Python, the interpreter came with a large set of useful modules. This was often referred to as “batteries included” philosophy and was one of the cornerstones to Python’s success story. [However], any additional module increases the maintenance cost for the Python core development team. The team has limited resources, reduced maintenance cost frees development time for other improvements. (Source)
Following suit, Python 3.12 will remove `wstr` from Unicode and deprecate the `distutils` module. For full details, you can visit Python’s changelog.
If you want to try out the alpha version of Python 3.12, then check out the Real Python guide on how to install a pre-release version of Python.
Malicious Packages on PyPI
In the rationale to remove dead batteries from the Python standard library, you can find this paragraph:
Nowadays, Python has a rich and vibrant ecosystem of third-party packages. It’s pretty much standard to either install packages from PyPI or use one of the many Python or Linux distributions. (Source)
The larger the Python ecosystem gets, the more attractive it becomes to troublemakers. In the August Python news, we reported incidents where attackers uploaded malware packages to PyPI to steal user information.
Attackers used typosquatting to trick developers into downloading malware. Typosquatting in PyPI involves uploading a malware package with a name that’s similar to another popular package. For instance, when downloading a package with `python -m pip install colorama`, you might accidentally type the additional letter `s` and mistype `colorama` as `colorsama`. A typosquatter might upload a malware package as `colorsama` to infect those who make this typo.
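One defensive check that the typosquatting scenario above suggests, written for this roundup as an added example (not code from the article, pip, or PyPI): compare a requested package name against a list of popular names and warn on near-misses such as `colorsama`. The `POPULAR_PACKAGES` sample, `normalize`, `edit_distance`, and `typosquat_candidates` are all assumptions of this example.

```python
"""Warn before installing a package whose name is a near-miss of a popular one.

Added example, not part of the original article. POPULAR_PACKAGES is a small
constructed sample; in practice you would load a much longer list of top
PyPI package names.
"""
import re

# Constructed sample of well-known package names (assumption: a real check
# would use the top few thousand PyPI downloads).
POPULAR_PACKAGES = ["colorama", "requests", "numpy", "urllib3", "setuptools"]


def normalize(name: str) -> str:
    """PEP 503 normalization so 'Color_ama' and 'color-ama' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_candidates(requested, popular=POPULAR_PACKAGES, max_distance=2):
    """Return (popular_name, distance) pairs within max_distance edits.

    An exact match returns [] because installing the real package is fine.
    """
    req = normalize(requested)
    hits = []
    for name in popular:
        pop = normalize(name)
        if pop == req:
            return []
        dist = edit_distance(req, pop)
        if dist <= max_distance:
            hits.append((name, dist))
    return sorted(hits, key=lambda hit: hit[1])


if __name__ == "__main__":
    for pkg in ["colorsama", "colorama", "requets", "flask"]:
        print(f"{pkg}: {typosquat_candidates(pkg) or 'no near-miss'}")
```

A check like this could run as a wrapper around `pip install` and ask for confirmation whenever a near-miss is found.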
In their blog article about the current incidents, the security company Phylum summarizes how malicious code may find its way to your machine:
The malicious code is a hidden `__import__` statement in the package’s `setup.py` [or] `__init__.py`. Regardless, it contains a Base64 encoded string that gets executed. […] Decoded, that Base64 encoded string contains a Python script that is written to a temporary file that is executed. (Source)
On execution, the temporary file tries to download the malware, which will try to grab data from cookies on your system. Although the number of incidents is reported to be low, it’s still a good idea to double-check any third-party packages that you install on your system.
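To show what Phylum’s description looks like as a detection rule, here is an added example (not the article’s or Phylum’s code) that parses a `setup.py` with Python’s `ast` module and flags `__import__` calls and `exec`/`eval` of base64 literals; the two sample sources, `looks_base64`, and `scan_setup_source` are constructed for this example.

```python
"""Flag the pattern Phylum describes: a setup.py that calls __import__ and
hands a base64-encoded string to exec or eval. Added example, not from the
article or from Phylum; both samples are constructed and the "suspicious"
payload only decodes to print('hello')."""
import ast
import base64
import binascii

# Constructed sample resembling the reported pattern (harmless payload).
SUSPICIOUS_SETUP = '''
from setuptools import setup
__import__("builtins").exec(__import__("base64").b64decode("cHJpbnQoJ2hlbGxvJyk="))
setup(name="example")
'''

# Constructed sample of an ordinary setup.py for comparison.
CLEAN_SETUP = '''
from setuptools import setup
setup(name="example", version="1.0")
'''


def looks_base64(text: str, min_len: int = 16) -> bool:
    """True if text is valid base64 and long enough to carry a script."""
    if len(text) < min_len:
        return False
    try:
        base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def scan_setup_source(source: str) -> list:
    """Return (line, description) pairs for the constructs described above."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        # __import__("x") keeps the module name out of a plain 'import' grep.
        if isinstance(func, ast.Name) and func.id == "__import__":
            findings.append((node.lineno, "dynamic __import__ call"))
        # exec/eval whose arguments hold a base64 literal, directly or nested.
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
        if name in ("exec", "eval") and any(
            isinstance(n, ast.Constant) and isinstance(n.value, str) and looks_base64(n.value)
            for n in ast.walk(node)
        ):
            findings.append((node.lineno, "exec/eval of base64-encoded string"))
    return findings
```

Running `scan_setup_source` over the `setup.py` and `__init__.py` of a downloaded sdist before installing it turns the described pattern into a cheap pre-install check; a clean result is not proof of safety, only the absence of this one pattern.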
Turbulence for GitHub Copilot
Microsoft made GitHub Copilot publicly available this summer. The release statement opens with this sentence:
At GitHub, it’s part of our mission to build technology that makes developers happy. (Source).
But whether or not GitHub Copilot aligns with that mission is the subject of some debate.
GitHub Copilot enables you to Fly With Python at the Speed of Thought. Once it’s activated, you can write a comment in your code, and GitHub Copilot will try to generate code that matches the intention of your comment. Microsoft claims that the code suggestions stem from publicly available source code, for example public GitHub repositories.
In a class-action lawsuit filed against GitHub Copilot, Matthew Butterick alleges that Microsoft violates the licenses of open-source software hosted on GitHub:
Microsoft apparently is profiting from others’ work by disregarding the conditions of the underlying open-source licenses and other legal requirements. […] This lawsuit constitutes a critical chapter in an industry-wide debate regarding the ethics of training AI tools with data sourced without permission from their creators and what constitutes a fair use of intellectual property. Despite Microsoft’s protestations to the contrary, it does not have the right to treat source code offered under an open-source license as if it were in the public domain. (Source)
If you want to learn more about the class-action lawsuit, then check out the GitHub Copilot litigation website. This website contains contacts, legal documents, and ongoing updates about the case.
Even though the flight of GitHub Copilot might be a bit rough at the moment, Microsoft continues to implement new features into their AI-powered tool. In future versions, you’ll be able to use your voice to code by talking with GitHub Copilot.
What’s your opinion on GitHub Copilot? Are you looking forward to using your voice to code, or will you instead raise your voice to express concern? Let the Real Python community know in the comments below!
News Snippets
In addition to the Python news above, here are some more news snippets for you:
- Advent of Code: Same procedure as every year! The annual Advent of Code event is back. It’s an Advent calendar of twenty-five programming puzzles published each December. It’s created by Eric Wastl and has gained many fans in the Python community. If you want to learn more about this fun tradition, then check out our Real Python tutorial Advent of Code: Solving Your Puzzles With Python.
- Python People on Mastodon: If you’re thinking about quitting Twitter, but you still want to stay connected with other Python developers, then check out Samuel Colvin’s Python People gist. You’ll notice that many of the entries also include links to Mastodon profiles. If you’re curious about what this social networking platform is all about, then check out the Talk Python podcast episode Mastodon for Python Devs.
- The History of Python: This month, Guido van Rossum’s mentor, Lambert Meertens, shared some stories about the origins of Python. You’ll learn about the history of Python and get insights into how Python became the programming language that so many love. At the forefront of this development, of course, was Van Rossum, who recently gave a three-hour-long interview on the Lex Fridman Podcast.
There’s always plenty happening in the world of Python!
What’s Next for Python?
Python keeps developing, which is exciting but can also come with growing pains. We applaud the core developers’ never-ending efforts to improve Python, as well as the community’s efforts to document the history of the language, stay connected across platforms, and keep everyone safe.
What’s your favorite piece of Python news from November? Did we miss anything notable? Let us know in the comments, and we might feature you in next month’s Python news roundup.
Happy Pythoning!