davepeck.org

Mon, 14 Apr 2025 16:10:00 GMT

PEP 787, Safer subprocess usage using t-strings, is a newly proposed PEP that improves the safety of subprocess invocations in Python by building directly on the template strings features of PEP 750. I couldn't be more excited to see it! The proposal is open for feedback.

(PS: This new proposal was written by the two authors of PEP 501, which fed directly into the development of PEP 750. Nick Humrich offers a good perspective on the history in his recent HN posts.)

Python's new t-strings

Fri, 11 Apr 2025 15:31:00 GMT

Template strings, also known as t-strings, have been officially accepted as a feature in Python 3.14, which will ship in late 2025. 🎉

I'm excited; t-strings open the door to safer more flexible string processing in Python.

What's the big idea with t-strings?

Since they were introduced in Python 3.6, f-strings have become a very popular way to format strings. They are concise, readable, and powerful.

In fact, they're so delightful that many developers use f-strings for everything... even when they shouldn't!

Alas, f-strings are often dangerously (mis)used to format strings that contain user input. I've seen f-strings used for SQL (f"SELECT * FROM users WHERE name = '{user_name}'") and for HTML (f"<div>{user_name}</div>"). These are not safe! If user_name contains a malicious value, it can lead to SQL injection or cross-site scripting.

Template strings are a generalization of Python's f-strings. Whereas f-strings immediately become a string, t-strings evaluate to a new type, string.templatelib.Template:

from string.templatelib import Template
name = "World"
template: Template = t"Hello {name}!"

Importantly, Template instances are not strings. The Template type does not provide its own __str__() implementation, which is to say that calling str(my_template) does not return a useful value. Templates must be processed before they can be used; that processing code can be written by the developer or provided by a library and can safely escape the dynamic content.

We can imagine a library that provides an html() function that takes a Template and returns a safely escaped string:

evil = "<script>alert('bad')</script>"
template = t"<p>{evil}</p>"
safe = html(template)
assert safe == "<p>&lt;script&gt;alert('bad')&lt;/script&gt;</p>"

Of course, t-strings are useful for more than just safety; they also allow for more flexible string processing. For example, that html() function could return a new type, HTMLElement. It could also accept all sorts of useful substitutions in the HTML itself:

attributes = {"src": "roquefort.jpg", "alt": "Yum"}
template = t"<img {attributes} />"
element = html(template)
assert str(element) == "<img src='roquefort.jpg' alt='Yum' />"

If you've worked with JavaScript, t-strings may feel familiar. They are the pythonic parallel to JavaScript's tagged templates.

How do I work with t-strings?

To support processing, Templates give developers access to the string and its interpolated values before they are combined into a final string.

The .strings and .values properties of a Template return tuples:

name = "World"
template = t"Hello {name}!"
assert template.strings == ("Hello ", "!")
assert template.values == (name,)

There is always one more (possibly empty) string than value. That is, t"".strings == ("",) and t"{name}".strings == ("", "").

As a shortcut, it's also possible to iterate over a Template:

name = "World"
template = t"Hello {name}!"
contents = list(template)
assert contents[0] == "Hello "
assert contents[1].value == name
assert contents[2] == "!"

Developers writing complex processing code can also access the gory details of each interpolation:

name = "World"
template = t"Hello {name!s:>8}!"
assert template.interpolations[0].value == name
assert template.interpolations[0].expression == "name"
assert template.interpolations[0].conversion == "s"
assert template.interpolations[0].format_spec == ">8"

In addition to supporting the literal (t"foo") form, Templates can also be instantiated directly:

from string.templatelib import Template, Interpolation
template = Template(
	"Hello ",
	Interpolation(value="World", expression="name"),
	"!"
)

Strings and interpolations can be provided to the Template constructor in any order.

A simple t-string example

Let's say we wanted to write code to convert all substituted words into pig latin. All it takes is a simple function:

def pig_latin(template: Template) -> str:
	"""Convert a Template to pig latin."""
	result = []
	for item in template:
		if isinstance(item, str):
			result.append(item)
		else:
			word = item.value
			if word and word[0] in "aeiou":
				result.append(word + "yay")
			else:
				result.append(word[1:] + word[0] + "ay")
	return "".join(result)

name = "world"
template = t"Hello {name}!"
assert pig_latin(template) == "Hello orldway!"

This is a goofy example; if you'd like to see some less silly examples, check out the PEP 750 examples repository.

What's next once t-strings ship?

T-strings are a powerful new feature that will make Python string processing safer and more flexible. I hope to see them used in all sorts of libraries and frameworks, especially those that deal with user input.

In addition, I hope that the tooling ecosystem will adapt to support t-strings. For instance, I'd love to see black and ruff format t-string contents, and vscode color those contents, if they're a common type like HTML or SQL.

It's been fun to get to know and work with Jim, Paul, Koudai, Lysandros, and Guido on this project and to interact with many more members of the Python community online without whose input PEP 750 simply wouldn't have come together. I can't wait to see what developers build with t-strings once they ship!

Sat, 08 Feb 2025 19:10:00 GMT

Antirez is back with a short list of how we're destroying software. A few excerpts:

We are destroying software with complex build systems.

We are destroying software pushing for rewrites of things that work.

We are destroying software trying to produce code as fast as possible, not as well designed as possible.

...

I dunno. It seems like it was ever thus. We've always layered on terrible leaky abstractions and built unfriendly brittle tools. We've always needlessly rewritten systems that work just fine. We've always rushed to get it out the door now, not out the door right.

But I do want to call this one out:

We are destroying software mistaking it for a purely engineering discipline.

So much this. People and politics and life are so much a part of software. The tools we build reflect our values and beliefs. They enable others to promote and entrench their values and beliefs, whether for good or for ill. Let's work to make it for good.

Link

Tue, 21 Jan 2025 17:10:00 GMT

Welp. He's back.

Yesterday, like all incoming presidents, Trump signed a barrage of executive orders. Unlike other incoming presidents, many of his actions were bizarre, unlawful, or outright unconstitutional. Lawfare remains my go-to source for both cautious analysis and original documents.

From where I sit, the one truly terrifying action Trump took yesterday was pardoning or commuting the terms of every January 6th insurrectionist. What better way to buy the loyalty of his most violent supporters? What better way to ensure future violence should such violence serve his needs?

Small tech in 2025

Wed, 15 Jan 2025 18:43:00 GMT

Big tech can fend for itself. For me, small tech — home to all manner of creative computer weirdos — is where the fun is at. Here are some trends I'm keeping an eye on:

The open social web

The open social web hit its stride in 2024. Idealists and software nerds got organized: the Social Web Foundation emerged to steward the ActivityPub ecosystem, Free Our Feeds started holding ATProto's feet to the decentralized fire, and A New Social began building bridges between open networks. Independent researchers brought focus to the challenges of decentralized governance while nonprofits developed new resources for federated moderation. And, in early 2025, Mastodon took big steps toward community ownership.

Creative tinkerers have leveraged the social web's openness to build interesting indie businesses. Surf.social ships an innovative UI for exploring open social content. Murmel sends top stories from your feed directly to your inbox. Mastohost makes it easy to self-host Mastodon. And Micro.blog continues to thoughtfully explore new directions.

Novel use of large language models

While big tech spins its wheels on "agentic" AI hype, small tech is discovering creative and force-multiplying new uses for LLMs.

Researchers like Amelia Wattenberger, Linus Lee, Tony Beltramelli, Maggie Appleton, and Shawn Wang are all exploring LLM-powered user experiences built on tight feedback loops. My favorite of these interface prototypes avoid chat-like interactions entirely, instead hiding LLMs gently in the background. Gestures lead to LLM invocations, which lead to the further evolution of the interface.

Meanwhile, services like CityMeetings.nyc show the potential for LLMs to transmute piles of unstructured content into actionable insight. CityMeetings breaks down every New York City Council meeting into easily readable and linkable digests. It has become an essential tool for local journalists. Impressively, CityMeetings is a one-person project!

Small tech is (of course!) full of indie devs, who naturally experiment with LLMs for their own software development. AI code assistants like GitHub Copilot are now omnipresent, and editor workflow innovations from Cursor and Windsurf AI, along with chat UX features like Anthropic's Artifacts, suggest where tools might go next. Small tech startups like Val Town have learned from these patterns and introduced their own bespoke AI tools for developers.

Experiments in local-first

The small tech community has a long history of building tools that prioritize user agency and privacy. That's why, when Martin Kleppmann and Adam Wiggins introduced the idea of "local-first software" architecture, the community paid attention. Local-first applications store data locally, work offline, and sync with other devices when possible — aligning nicely with the ethos of small tech and the open social web.

In his fun-to-read predictions for 2025, Tom MacWright anticipates that "local-first will have a breakthrough moment". The technical challenges — building sync engines, resolving conflicts, and managing schema migrations — remain substantial, so I don't expect to see a true market breakthrough. That said, new frameworks like Zero, Electric, and Jazz show that indie devs will keep pushing the envelope.

Sustainable and small

I'm always drawn to indie software shops that eschew "traditional" VC financing in favor of a focus on sustainable growth and personal independence. I'm delighted by the sheer amount of technical depth, art, whimsy, and nerdy joy I'm seeing from today's crop of small tech startups. Creative experimentation is alive and well. While big tech keeps embiggening, small tech is quietly shaping a more humane and thoughtful future.

Tue, 07 Jan 2025 18:31:00 GMT

This is an audio post. You can listen to the audio here: Severance theme song: Defiant Piano Jazz

It's 2025 and I'm apparently unreasonably excited about the upcoming second season of Severance. It's the TV show with the most Being John Malkovich energy since, well, Malkovich.

The opening theme song was stuck in my head all vacation; I couldn't resist noodling with it on the keys. So here's my defiant piano jazz jam:

Sat, 16 Nov 2024 16:43:00 GMT

Bluesky has been a veritable party since the election.

Since I self-host my own Mastodon instance I figured I'd give self-hosting a Bluesky PDS a shot, too.

The upshot: you can find me on Bluesky as @davepeck.org.

I installed my Bluesky PDS on a tiny server using Dokku, a "personal" Heroku clone. You can read my notes on how to self-host a Bluesky PDS with Dokku if you're interested in the gory details.

Decompression

Thu, 07 Nov 2024 04:26:00 GMT

It was unexpectedly sunny in Seattle today. The trails and parks were full. Perhaps we were all decompressing.

Even with the ample sun and fresh air, it was impossible not to dwell:

We can say it was about the economy. We can say it was (sigh) about immigrants taking jobs and importing crime. We can say it was about misogyny and racism.

It was about these things, to some degree.

But I think they also miss the mark. As I write, the GOP looks poised to sweep it all: the popular vote, both houses of Congress, everything.

I see this election as a resounding affirmative vote for Trump and Trumpism. I see it as a strident repudiation of much that came before, the political order of America since at least the Reagan administration. I see it as a statement that our norms and our mores and our rule of law no longer matter except to a minority of us.

America is changed. Mending it will require the work not of another election, but of an entire generation.

Photo: Lit

Tue, 05 Nov 2024 23:30:00 GMT

Lit. 🤞

Mon, 04 Nov 2024 18:42:00 GMT

If you're a U.S. citizen: vote for Kamala Harris.

I don't think I need to say more. Just vote.

Fri, 18 Oct 2024 20:31:00 GMT

PEP 750: Template Strings proposes a new addition to the Python programming language that generalizes f-strings. Unlike f-strings, t-strings evaluate to a new type, Template, that provides access to the string and its interpolated values before they are combined:

name = "World"
template: Template = t"Hello {name}"
assert template.args[0] == "Hello "
assert template.args[1].value == "World"

This opens the door to a variety of new use cases. The proposal is currently in the draft stage and open for feedback.

Mon, 07 Oct 2024 21:15:00 GMT

Took a four-day trip to Iceland. What a beautiful place. A quick photo summary:

Mon, 16 Sep 2024 16:20:00 GMT

How to Monetize a Blog seems a bit bland at first. I'm guessing most visitors quickly bounce away.

Don't. Keep reading. Becōme.

Link

Fri, 13 Sep 2024 22:41:00 GMT

And that's how you fix your 47-year-old computer from 15 billion miles away!

Fascinating talk by Bruce Waggoner, a mission assurance manager at JPL, about how Voyager 1 was repaired after it effectively stopped sending all useful data back to Earth in late 2023.

Link

Tue, 27 Aug 2024 20:03:00 GMT

I knew that Captain Grace Hopper was an early pioneer in computer programming who just so happened to discover and document the first ever computer bug — a literal moth!

But I'd never seen a video of her before.

Yesterday, the NSA declassified a lecture Hopper gave in 1982 at the age of 75.

It's astonishingly prescient. She likens that moment to the days just after Ford introduced the Model T and changed the face of the country forever:

I can remember when Riverside Drive in New York City, along the Hudson River, was a dirt road. And on Sunday afternoons, as a family, we would go out on the drive and watch all the beautiful horses and carriages go by. In a whole afternoon, there might be one car.

...

Whether you recognize it or not, the Model Ts of the computer industry are here. We've been through the preliminaries of the industry. We are now at the beginnings of what will be the largest industry in the United States.

But with the Model T came unintended consequences; Hopper foresaw the same for the computer age:

I'm quite worried about something.

When we built all those roads, and the shopping centers, and all the other things, and provided for automobile transportation... we forgot something. We forgot transportation as a whole. We only looked at the automobile. Because of that, when we need them again, the beds of the railroads are falling apart. [...] If we want to move our tanks from the center of the country to the ports to ship them overseas, there are no flat cars left. [...] The truth of the matter is, we've done a lousy job of managing transportation as a whole.

Now as we come to the world of the microcomputer, I think we're facing the same possibility. I'm afraid we will continue to buy pieces of hardware and then put programs on them, when what we should be doing is looking at the underlying thing, which is the total flow of information through any organization, activity, or company. We should be looking at the information flow and then selecting the computers to implement that flow.

Mon, 05 Aug 2024 21:33:00 GMT

In his excellent piece How I Use "AI", Nicholas Carlini writes:

I don't think that "AI" models (by which I mean: large language models) are over-hyped.

Yes, it's true that any new technology will attract the grifters. And it is definitely true that many companies like to say they're "Using AI" in the same way they previously said they were powered by "The Blockchain". [...] It's also the case we may be in a bubble. The internet was a bubble that burst in 2000, but the Internet applications we now have are what was previously the stuff of literal science fiction.

But the reason I think that the recent advances we've made aren't just hype is that, over the past year, I have spent at least a few hours every week interacting with various large language models, and have been consistently impressed by their ability to solve increasingly difficult tasks I give them.

[...]

So in this post, I just want to try and ground the conversation.

With 50 detailed examples, Nicholas illustrates how LLMs have aided him in deep technical challenges, including learning new programming languages, tackling the complexity of modern GPU development, and more. He repeatedly demonstrates how LLMs can be both immensely useful and comically flawed.

Nicholas conveys a broad balanced perspective that resonates strongly with me. Is AI a bubble? Sure; there's plenty of malinvestment. Is AI over-hyped? Sure; there are those who claim it's about to replace countless jobs, achieve sentience, or even take over the world. Can AI be harmful? Sure; bias and energy usage are two quite different and troubling considerations. But is AI useless? No, demonstrably not.

Link

Mon, 29 Jul 2024 15:33:00 GMT

French TV weather reports apparently include two new climate change graphics:

“We see it as the weather being a still image, and the climate being the film in which this image is featured,” explains Audrey Cerdan, climate editor-in-chief at France Télévisions. “If you just see the still image, but you don't show the whole movie, you’re not going to understand the still picture.”

The first graphic shows projected global temperature rise, in Celsius, to 8 decimal places:

People watched in real time as the counter ticked over from 1.18749863 Celsius above the pre-industrial level to 1.18749864 C. Now, it's ticking past 1.2.

The second graphic, climate stripes, shows annual temperature rise at a glance. Here are the global stripes for 1850 through 2023:

I admire the simplicity of this visualization. I suppose it can be attacked both for its choice of color scale and for its choice of baseline average (1960 through 2010, somewhat arbitrarily) but, for a TV audience, those details seem much less important than the instinct conveyed.

I wonder what further opportunities there are to raise awareness of climate change through this combination of mass media and simple data visualization?

Link

Mon, 15 Jul 2024 17:47:00 GMT

Molly White, introducing her new project Follow the Crypto:

This website provides a real-time lens into the cryptocurrency industry’s efforts to influence 2024 elections in the United States.

In addition to shedding much needed light on crypto lobbyist spending, Molly's project is also open source and can theoretically be targeted at unrelated industries. It'd be fun to see someone build a similar dashboard for fossil fuel influence.

Beyond that: I've spent a good chunk of 2024 focused on the upcoming Presidential election and have done quite a bit of analysis of FEC data; I still learned a few things by reading the code.

Link

Mon, 08 Jul 2024 22:15:00 GMT

Paul Graham, writing about "The Right Kind of Stubborn":

The reason the persistent and the obstinate seem similar is that they're both hard to stop. But they're hard to stop in different senses. The persistent are like boats whose engines can't be throttled back. The obstinate are like boats whose rudders can't be turned.

That feels like a useful analogy.

When I'm at "startup" events in the Seattle region, I tend to — unfairly, I imagine — reduce the stories I'm told to two axes: "commitment to a goal" and "commitment to an implementation". The entrepreneurs I admire most tend to be highly committed to a clearly articulable goal but only lightly committed to its implementation: for them, implementations are simply hypotheses to test as the business is built.

Link

Wed, 12 Jun 2024 20:04:00 GMT

From Maggie Appleton's conference talk on Home-Cooked Software:

For the last ~year I've been keeping a close eye on how language models capabilities meaningfully change the speed, ease, and accessibility of software development. The slightly bold theory I put forward in this talk is that we're on a verge of a golden age of local, home-cooked software and a new kind of developer – what I've called the barefoot developer.

Like everything on Maggie's site, it's worth a read.

For my part, I share Maggie's hopefulness that LLMs will help make software development more accessible to a wider audience. I also appreciate her attempt to broaden the definition of "local-first software" away from its technical roots. I want a flourishing world of community software built by and for the communities it serves.

(An aside: "local-first" has always implied "sync engine" to me. And sync engines nearly always end up being complex hard-to-build systems. That's one reason why I'm skeptical that we'll see local-first software architectures take off the way the community seems to hope.)

Link