Mashing the marvelous wrapper until it responds, part 1: prereq/setup

I haven’t used a dynamic language for coding nearly as much as strongly-typed, compiled languages so approaching Python was a little nervous-making for me.  It’s not every day you look into the abyss of your own technical inadequacies and find a way to keep going.

Here’s how embarrassing it got for me: I knew enough to clone the code to my computer and to copy the example code into a .py file, but beyond that it felt like I was doing the same thing I always do when learning a new language: trying to guess at the basics of using the language that everyone who’s writing about it already knows and has long since forgotten, they’re so obvious.  Obvious to everyone but the neophyte.

Second, I don’t respond well to the canonical means of learning a language (at least according to all the “Learn [language_x] from scratch” books I’ve picked up over the years), which is:

  • Chapter 1: History, Philosophy and Holy Wars of the Language
  • Chapter 2: Installing The Author’s Favourite IDE
  • Chapter 3: Everything You Don’t Have a Use For in Data Types
  • Chapter 4: Advanced Usage of Variables, Consts and Polymorphism
  • Chapter 5: Hello World
  • Chapter 6: Why Hello World Is a Terrible Lesson
  • Chapter 7: Author’s Favourite Language Tricks

… etc.

I tend to learn best by attacking a specific, relevant problem hands-on – having a real problem I felt motivated to attack is how these projects came to be (EFSCertUpdater, CacheMyWork).  So for now, despite a near-complete lack of context or mentors, I decided to dive into the code and start monkeying with it.

Riches of Embarrassment

I quickly found a number of “learning opportunities” – I didn’t know how to:

  1. Run the example script (hint: install the python package for your OS, make sure the python binary is in your current shell’s path, and don’t use the Windows Git Bash shell as there’s some weird bug currently at work)
  2. Install the dependencies (hint: run “pip install xxxx”, where “xxxx” is whatever shows up at the end of an error message like this:
    Traceback (most recent call last):
      File "", line 5, in <module>
        from config import public_key, private_key
    ImportError: No module named config

    In this example, I ran “pip install config” to resolve this error.

  3. Set the public & private keys (hint: there was some mention of setting environment variables, but it turns out that for this example script I had to paste them into a file named “config” – no, for python the file needs to be named “ even though it’s text not a script you would run on its own – and make sure the file is stored in the same folder as the script you’re running.  Its contents should look similar to these (no, these aren’t really my keys):
        public_key = 81c4290c6c8bcf234abd85970837c97 
        private_key = c11d3f61b57a60997234abdbaf65598e5b96

    Nope, don’t forget – when you declare a variable in most languages, and the variable is not a numeric value, you have to wrap the variable’s value in some type of quotation marks.  [Y’see, this is one of the things that bugs me about languages that don’t enforce strong typing – without it, it’s easy for casual users to forget how strings have to be handled]:

        public_key = '81c4290c6c8bcf234abd85970837c97' 
        private_key = 'c11d3f61b57a60997234abdbaf65598e5b96'
  4. Properly call into other Classes in your code – I started to notice in Robert’s Marvelous wrapper that his Python code would do things like this – the file defined
         class ComicSchema(Schema):

    …and the calling code would state

        import comic 
        schema = comic.ComicSchema()

    This was initially confusing to me, because I’m used to compiled languages like C# where you import the defined name of the Class, not the filename container in which the class is defined.  If this were C# code, the calling code would probably look more like this:

        using ComicSchema;
        _schema Schema = ComicSchema();

    (Yes, I’m sure I’ve borked the C# syntax somehow, but for sake of this sad explanation, I hope you get the idea where my brain started out.)

    I’m inferring that for a scripted/dynamic language like Python, the Python interpreter doesn’t have any preconceived notion of where to find the Classes – it has to be instructed to look at specific files first (import comic, which I’m guessing implies import, then further to inspect a specified file for the Class of interest (schema = comic.ComicSchema(), where comic. indicates the file to inspect for the ComicSchema() class).
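Steps 2 to 4 all turn on one rule: `import config` loads the first `config` found on the module search path, which can be a file beside the script or a package that pip installed under the same name. The sketch below is an added example, not code from the post or from the wrapper; `resolve_origin`, `load_keys` and the environment variable names `MARVEL_PUBLIC_KEY` and `MARVEL_PRIVATE_KEY` are assumptions made for illustration. It reports where a module name would resolve and reads the keys from the environment rather than from a file in the cloned folder.

```python
import importlib
import importlib.machinery
import os
import sys
from pathlib import Path


def resolve_origin(module_name, script_dir):
    """Say where `import module_name` would load from for a script in script_dir:
    'local' (a .py file beside the script), 'elsewhere' (e.g. a pip-installed
    package of the same name), or 'missing' (the ImportError case)."""
    script_dir = Path(script_dir).resolve()
    importlib.invalidate_caches()  # notice files created since the last lookup
    # The running script's folder is searched first, then the rest of sys.path.
    search = [str(script_dir)] + [p for p in sys.path if p]
    spec = importlib.machinery.PathFinder.find_spec(module_name, search)
    if spec is None:
        return "missing"
    if spec.origin and Path(spec.origin).resolve().parent == script_dir:
        return "local"
    return "elsewhere"


def load_keys(env=None):
    """Read both keys from environment variables (names are assumptions) so the
    private key never has to sit in a file inside the cloned repository."""
    env = os.environ if env is None else env
    names = ("MARVEL_PUBLIC_KEY", "MARVEL_PRIVATE_KEY")
    missing = [n for n in names if not env.get(n)]
    if missing:
        raise RuntimeError("set these environment variables: " + ", ".join(missing))
    return env[names[0]], env[names[1]]


if __name__ == "__main__":
    here = Path(sys.argv[0]).resolve().parent
    # 'elsewhere' means the name is being satisfied by something other than
    # a config.py stored next to this script.
    print("config resolves to:", resolve_origin("config", here))
```

A result of `missing` for a module the script expects to find beside it means the file has to be created there; the name is not necessarily a dependency to install.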

Status: Learning

So far, I’m feeling (a) stupid that I have to admit these were not things with which I sprang from the womb, (b) grateful Python’s not *more* punishing, (c) smart-ish that fundamental debugging is something I’ve still retained and (d) good that I can pass along these lessons to other folks like me.


Considering learning Python – idle thought (until something catalyses it)

A friend-of-a-friend asked me this week:

Hi Mike, [mutual friend] referred me to you as a good person to ask: what’s the best way to learn Python for someone like me, whose programming skills are essentially 1990-era (I know Perl and C, but haven’t made the leap to object oriented stuff)? I’d like to leapfrog into the present era, and make web 2.0-ish-looking sites and experiments. Is there a particular web hosting service I should use? Thanks for any advice you might have.

Funny you should ask – I was just wondering this week whether I shouldn’t dive into Python as a quick-and-dirty prototyping language.  I’d fancied myself for years as someone who might be able to reinvent myself as a programmer, and I’ve muddled around with C# and VB for a few years now – but only in short spurts.  Every time I come back to it, I feel like I’m climbing a steep hill all over again.

For some reason, I get the impression that for folks that are just whipping something together quickly, interpreted scripting languages like Python, Perl or Javascript are easier to deal with – less overhead, less setup, just diving in and getting to the business of making something happen.  I’ve always felt like if I wanted to call myself a coder, that I’d be “cheating” by taking this route, so I never allowed myself the freedom to try this out.  But at the same time, I was never brave/patient enough to mess around with low-level code like C or C++ (who wants to write hundreds of lines of memory-handling routines that managed code gives you for ‘free’?), so I guess I’ve left myself between a rock and hard place – not quite as easy as “just do it” but not really forcing myself to learn the really “worthy” stuff either.

How to learn Python?  An almost-colleague of mine took the leap and blogged his process for going deep – start at the bottom:

I’ve never done it myself, but I trust that Mark is a smart guy who doesn’t muck around for the sake of making himself “look smart” (feel miserable).

For me, forcing myself to learn to code was an exercise in frustrating false starts – until I found a problem I couldn’t solve any way but coding it myself, and a problem that pissed me off enough to keep slogging through failures and dead ends until I got something working.

Web hosting?  No idea.  I know a few big names (AWS, Rackspace, Google Apps) but I have no clue where to get the pre-built infrastructure to just upload .py and let fly.

Is this helpful?  Do you have something specific in mind?  If you’re working on something specific and looking to work loosely with one or a few others, I’d be interested in hearing what it is and whether it fires my “that sucks!” instinct enough to want to contribute/walk alongside.

Security scrubbing of Python code – PyChecker or nothing?

I’m hardly versed in the history or design of the Python programming language (I just started reading up on it this week), but I know this much already: Python is intended to be a very easy-to-use scripting language, minimizing the burden of silly things like strongly typing your data (not to mention skipping the arguable burden of compiling your code).

Most developers don’t have two spare seconds to rub together, and are hardly excited at the prospect of taking code that they finally stabilized and having to review/revisit it to find and fix potential security bugs.  Manually droning through code has to be about the most mind-numbing work that most of us can think of, eh?

On the other hand, static analysis tools are hardly an adequate substitute for good security design, threat modelling and code reviews.

Still, static analysis tools seem to me a great way to reduce the workload of secure code reviews and let the developer/tester/reviewer focus on more interesting and challenging work.

Is it really practical to expect to be able to perform complex, comprehensive static analysis of code developed in a scripting language?  I mean, theoretically speaking anyone can build a rules engine and write rules that are meant to test how code could instruct a CPU to manipulate bits.  It’s not that this is impossible – I’m just wondering how practical it is at our current level of sophistication in terms of developing software languages, scripting runtimes and modelling environments.  Can we realistically expect to be able to get away with both easy development, ease of maintenance (since the code isn’t compiled) and robustness of software quality/security/reliability?

I’m certainly not trying to disparage the incredible work that’s gone into PyChecker already – anything but.  However, when a colleague asks me if there are any other static analysis tools in addition to PyChecker, I have to imagine that (a) he has some basis for comparison among static analysis tools and (b) that PyChecker doesn’t quite meet the needs he’s come to expect for checkers targeted at other languages.
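To make the practicality question concrete, here is an added example (not PyChecker, and not code from the original post) of a single static rule written against Python's standard `ast` module: it flags string literals assigned to credential-looking names, and the sample shows one assignment it cannot see because the name is only built at run time. The function name, hint list and sample source are constructed for illustration.

```python
import ast

# Substrings that make a variable name look like a credential (assumed list).
SECRET_HINTS = ("key", "secret", "token", "password")


def find_hardcoded_secrets(source, filename="<constructed>"):
    """Return sorted (line, name) pairs for every `name = 'literal'` assignment
    whose name looks like a credential. Purely syntactic: nothing is executed."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Assign):
            continue
        value = node.value
        # Only non-empty string literals count; os.environ[...] is a Subscript.
        if not (isinstance(value, ast.Constant) and isinstance(value.value, str)):
            continue
        if not value.value:
            continue
        for target in node.targets:
            # A plain name is visible statically; globals()[...] is not a Name.
            if isinstance(target, ast.Name) and any(
                hint in target.id.lower() for hint in SECRET_HINTS
            ):
                findings.append((node.lineno, target.id))
    return sorted(findings)


# Constructed sample source, never executed here:
#   lines 1-2  literals in a config-style file     -> flagged
#   line 4     value read from the environment     -> correctly ignored
#   line 5     name assembled at run time          -> missed by the rule
SAMPLE = """\
public_key = 'constructed-public-value'
private_key = 'constructed-private-value'
import os
api_key = os.environ['API_KEY']
globals()['private' + '_key2'] = 'constructed-value'
"""

if __name__ == "__main__":
    for line, name in find_hardcoded_secrets(SAMPLE):
        print(f"line {line}: literal assigned to {name}")
```

The miss on line 5 is the limit the post is asking about: a rule that only reads syntax cannot follow names or types that exist only once the interpreter is running.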