Python 3.2 has some deadly infection
On Sat, 31 May 2014 17:10:20 +0100, Mark Lawrence wrote:
> Some interesting comments here
> so I'm simply asking for other opinions.
Oh, Anatoly Techtonik. He's quite notorious on python-dev for wanting to
impose his wild and sometimes wacky processes on the entire community.
Specific examples aren't coming to mind, and I'm too lazy to search the
archives, so I'll just make one up to give you an idea of the flavour of

    "Twitter is the only way that developers can effectively
    communicate. We must shut down all the mailing lists and the
    bug tracker and move all communication immediately to
    Twitter. And by we I mean you."

[Not an actual quote.]

I've come to the conclusion that he occasionally has a point to his
posts, but only at random by virtue of the scatter-gun technique. He's
obviously widely read, but not deeply, and so he fires off a lot of ill-
thought out but superficially attractive proposals. Just by chance a few
of them end up being interesting, not *interesting enough* for somebody
else to do the work. At this point the ideas languish, because he refuses
to sign a contributor agreement so the Python core developers cannot
accept anything from him.
This blog post is a strong opinion about Python, but it isn't clear what
that opinion *actually is*. His post is rambling and unfocused and
incoherent ("art is the future"). He rails against having to write PEPs,
and decries the lack of stats, summaries, analysis and comparison,
utterly missing the point that the purpose of the PEP process is to
provide those stats, summaries, analysis and comparison. Reading between
the lines, I think what he means, deep down, is that *somebody else*
ought to gather those stats and do the analysis to support his ideas, and
not expect him to write the PEP.
He makes at least one factually wrong claim:

    "I thought that C/C++ must die, because really all major
    security problems are because of it."

He's talking about buffer overflows. Buffer overflows have never been
responsible for "all" major security problems. Even allowing for a little
hyperbole, buffer overflows have not been responsible for the majority of
major security problems for a very long time. It is not 1992 any more,
and today the single largest source of security bugs is code injection
attacks. In Python terms that mostly means failure to sanitize SQL
queries and the use of eval() and exec() on untrusted data.
Three of the top four software errors are forms of code injection: SQL
injection, OS command injection, cross-site scripting. The classic C
buffer overflow comes in at number 3, so it's not an inconsiderable cause
of security vulnerabilities even today, but it is not even close to the
only such cause.
See also http://www.sans.org/top25-software-errors/
Back to the blog post... it's 2014, Python 3.3 and 3.4 have come out, why
is he talking about 3.2?
It's interesting that he starts off by stating his graph is meaningless:

    "They don't measure anything - just show some lines that
    correlate to each other."

then immediately tries to draw a conclusion from those lines:

    "It looks like the peak of Python was on February 2011,
    and since then there was a significant drop."

I've written about the difficulty of measuring language popularity in any
Anatoly has picked the TIOBE Index, but I don't know that this is the
best measure of language popularity. According to it, Python is more
In any case, I think that a better explanation for the observed dip in
Feb 2011 is not that Python 3.2 is infected (infected by what?) but
*regression to the mean*. Regression to the mean is a statistical
phenomenon which basically says that all else being equal, an extreme
value is likely to be followed by a less extreme (closer to the average)
Language popularity, as measured by TIOBE, is at least in part random.
(Look at how wiggly the lines are. The wiggles represent random
variation.) If by chance a language gets a spike in interest one month,
it is less likely to
Because TIOBE's results contain so much random noise, they really ought
to smooth them out by averaging the scores over a three month window, and
show trend lines. They don't, I believe, because random hiccoughs in the
data provide interest: "Last month, Java was overthrown from its #1
ranking by C. This month it has fought its way back to #1 again! Tune in
next month to see if C can repeat its stunning victory!!!"
I think that long term trend lines would be much less exciting but much
more informative. Eyeballing the graph, it seems to me that Java and C++
are trending down, C is probably steady, and Objective C and Python
trending up. If by chance there was a flurry of interest in Python for a
month or two, and then things fell back to normal (regression to the
mean), that might look like a slump.
But I digress... back to Anatoly's post. I think he reveals more about
himself than Python:

    "When these little things sum up, you realize that you're
    just wasting time trying to improve things that people
    don't want to improve. They don't want to improve the process.
    They don't realize that the problem is not in the language,
    but in the way they don't want to hear each other. Technology
    showed that people want to be heard, that their opinion should
    be accounted, not closed as won't fix, or works for
    me. It is not a community process, when you rely on abilities
    of certain individuals to monitor and respond to all traffic
    and wishes, especially when they fail to do so."

On Python-Dev, this is Anatoly's repeated claim: the process is broken,
because well it just is okay. In my opinion, "the process is broken" is
Anatoly's shorthand for "I want to do things THIS way, and you won't let
me. My way is SO OBVIOUSLY BRILLIANT that everybody, no matter their
circumstances, will be immeasurably better off by switching to my process
instead of the old way of doing things. Anyone who thinks differently is
simply not paying attention. Didn't you hear how brilliant my process is?"
Anatoly does make a few concrete complaints about Python 3, or at least
as concrete as he gets in this post:
"I expected Python 3 to be ready for the internet age" -- What does that
mean? What makes him think it isn't?
"with cross-platform behavior preferred over system-dependent one" --
It's not clear how cross-platform behaviour has anything to do with the
Internet age. Python has preferred cross-platform behaviour forever,
except for those features and modules which are explicitly intended to be
interfaces to system-dependent features. (E.g. a lot of functions in the
os module are thin wrappers around OS features. Hence the name of the
"with clear semantics to work with binary data" -- There are clear
semantics to work with binary data: use bytes, and the struct module.
Those features can be improved, and indeed Python 3.4 has improved them,
and 3.5 is in the process of improving them further. But to suggest that
Python doesn't have those clear semantics is simply false.
"with non-confusing error handling" -- How is Python 3's error handling
confusing? It's the same error handling as Python 2. Where is the
TL;DR: Anatoly's blog post is long on disappointment and short on actual
content. It feels to me that we could summarise his post as:
I don't know what I want, I won't recognise it even if I saw
it, but Python 3 isn't it. I blame others for not living up
to my expectations for features I cannot describe and were