10 April 2015

I have been fortunate enough to attend four PyCon conferences. I find that it helps me to maximize my experience if I take notes and summarize them each day. Perhaps I will later roll this into a post that summarizes the entire conference.

Notes from my day:

  • PyCon puts all of their talks into GuideBook. Use it! It’s a great way to manage a schedule!
  • If you can avoid it, don’t open your laptop during a talk! It’s terribly distracting and data has shown that you retain more information if you take notes by hand.
    • Sure, monitoring IRC and/or Twitter may be great, but know that it comes with a cost.

My notes for each talk:

Opening Statement: Julia Evans

Wow, is Julia enthusiastic or not? She gave a whirlwind overview of PyCon. Highlights included the usual Code of Conduct, their efforts to increase diversity of speakers and attendees, and the $200,000 in donated financial aid (aiding 291 attendees, or more than 10% of the total).

Keynote: Catherine Bracy

Catherine is the Director of Community Organizing at Code for America. She doesn’t have a technical background, from what I gathered, but she is quite passionate about getting the populace engaged in goverment. I’m a bit of a pessimist on this front, especially after reading The Myth of the Rational Voter, but I appreciate her enthusiasm and wish her organization the best of luck.

Her talk was very eloquent. She pointed out many of the glaring inefficiencies in government-led IT (the most high-profile of which was the Healthcare.gov crash as the Affordable Care Act went into effect). Other examples included high school students in Los Angeles sitting in an auditorium while their class scheduling system was sorted out and Floridians being unable to claim unemployment benefits because of issues with their online-only tool.

Building Secure Systems: lvh

I am an avid reader of Bruce Schneier ever since attending the Last HOPE conference (associated with the venerable 2600 hacker quarterly), so I appreciated lvh’s talk. He highlighted the fact that typically our job as developers is to make it work, not to make it fail; the latter is how security operations are tested. He mentioned that new features will always be more exciting and interesting than security in the form of bugs. As he pointed out, this is a rational self-interested decision many companies make: if you look at market cap, it doesn’t really shift much after a huge security disclosure. He did not say this, but ultimately, consumers will have to become more security-sensitive for this lack of priority to ever change.

lvh mentioned that most computer science courses include the Liskov substitution principle as part of their cirriculum, but they do not include the principle of least authority (or privilege), which ultimately might be a more useful topic.

He also mentioned a free resource he put together, crypto101.io:

Crypto 101 is an introductory course on cryptography, freely available for programmers of all ages and skill levels.

I really enjoyed his talk, although it covered security on a sufficiently high enough level that I have heard most of it before.

Introduction to HTTPS - A Comedy of Errors: Ashwini Oruganti

Ashwini had given this talk at PyTennessee and I heard good things about it, so I was happy to catch it at PyCon. It is quite obvious that this contributor to a pure Python TLS implementation is quite familiar with how HTTPS works.

She first mentioned out that urllib is fundamentally flawed in that it does not do any kind of server certificate validation. Any fool with ettercap and mitmproxy can give you a bad time. Fortunately, there are alternative tools at the Pythonista’s disposal (e.g., Python 3 and the requests library).

Furthermore, says Ashwini: SSL is busted; use TLS.

She pointed to a few nice resources, not least of which was Hynek’s guide to configuring TLS, which has has been kept updated. She also mentioned the book The Tangled Web: A Guide to Securing Modern Web Applications.

The big takeaway from this talk: test your clients against servers with bad certificates. They should fail! If they don’t, fix that.

A Dive into TLS: Benjamin Peterson

This talk was retitled “The (Less) Sorry State of SSL in Python” and it did indeed turn out to be an overview of the how things have changed in the Python library since Hynek’s talk titled ‘The Sorry State of SSL’.

As I don’t really use Python to consume TLS, this talk was not quite as useful to me. Peterson, however, is a very engaging speaker.

Distributed Systems 101: lvh

This talk was so over my head I had a really hard time keeping up. Distributed systems is not something I spend a lot of brain power one (if I need something distributed, I tend to rely on services to fill that gap). lvh went into the talk saying that he wanted to impress everyone with how hard distributed systems are, and I suppose he did just that.

My biggest takeaway was that there are three things you want from distributed systems. If you draw them in circles and imagine a Venn diagram, you cannot get all three. You can only pick 2.

  • Consistency
  • Availability
  • Partition tolerance

Basically, the last one, partition tolerance, is not really optional. So most systems concentrate on the gradient between consistency and availability.

Smart Services & Smart Clients - How Microservices Change the Way You Build and Deploy Code: Frank Statton

Frank is the CTO and Runscope, and he took a nice in-depth look at how Runscope manages their infrastructure in ways that minimize tight coupling.

I had a splitting headache during this talk so unfortunately I had to make an exit to hunt down some pain medication. Alas, it appeared to be a good talk. I’ll have to catch the video later.

Stop Sucking Me Into Your Drama: A Personal Appeal for Loose Coupling: Augie Fackler, Nathaniel Manista

I really enjoyed how these two tag-teamed their talk. It kept the topic fresh and entertaining as they would bounce back and forth.

This topic is similar to what you would read in Bob Martin’s Clean Code or Steve McConnell’s Code Complete.

CoreOS: Dan Callahan

I’ve used the lightweight Linux distro CoreOS for managing Docker on Mac OS X, but I had no idea that the distro had so many things going on.

First Dan went over the basics of why we like containers. After that, he went over:

  • FastPatch for opportunistic, recoverable upgrades.
  • Docker for containerization
  • etcd for consensus
    • If updates are automatically applied, how do I make sure my system is stable? etcd is the answer!
    • But wait, if etcd is also running on CoreOS, how do I make sure my system is stable? The answer is more etcd! Dan recommended 5 etcd nodes.
    • Maor virtual machines!
  • Fleet for scheduling.

If I had one word to describe CoreOS it would be “clever.” Of course, sometimes clever can get you into trouble.

Board Games

After dinner I joined a group of Pythonistas to play some board games generously provided by Randolph’s Pub. This pub has thousands of games and you can go there to drink beer and play. How fantastic is that? May have to visit them before I leave.

Games I played:


As usual, the videos from PyCon are posted online very quickly. All of these talks can be found on the PyCon 2015 Channel.

Now I’m exhausted and I need to go to bed in order to be ready for tomorrow morning’s 5k!