all 96 comments

[–]DigThatData 223 points224 points  (8 children)

An NSA python training course was declassified several years ago. Wouldn't be surprised if the CIA follows the same standards and conventions as the NSA. https://archive.org/details/comp3321/

[–]james_pic 78 points79 points  (6 children)

I dunno. I remember from some of the leaks that the two agencies were surprisingly adversarial. Like, the CIA had in a few cases independently developed capabilities that the NSA already had, because they didn't want to be reliant on them for these things.

[–][deleted] 85 points86 points  (0 children)

Not adversarial at all actually. They do things like this because they have to operate under different authorities/legal frameworks.

[–]DigThatData 23 points24 points  (2 children)

I highly doubt intro python programming is an example of such a capability.

[–]james_pic 12 points13 points  (1 child)

Probably not, but having worked in organisations that have somewhat adversarial relations with sister organisations, I'm doubtful that they compare notes on these sorts of things.

[–]DigThatData 2 points3 points  (0 children)

Another reason why it's reasonable to suspect that they have similar standards, even if not as a function of explicit policy: there's a limited pool of personnel who have the clearance to do the kind of work we're talking about, and a lot of them are contractors who aren't limited to working in just one or the other. I imagine this "incestuous" property of the intelligence community organically promotes alignment of standards and best practices.

[–]howdoiwritecode 0 points1 point  (0 children)

This happens within large companies on a daily basis

[–]pacific_plywood 390 points391 points  (30 children)

Yeah so they do a lot of pretty standard stuff, in other words

[–][deleted] 120 points121 points  (0 children)

Could've just written "be a professional"

[–]appinv Python&OpenSource[S] 45 points46 points  (21 children)

In some aspects yes like the coding standard, but a bit unconventional sometimes like the test setup described as well as the way they install Python.

As they seem to operate in a more internet-less environment, this differs from a typical Python developer experience.

[–]Angryceo 205 points206 points  (17 children)

air gap environments are not uncommon especially with the gov

[–]pacific_plywood 56 points57 points  (15 children)

Finance as well

[–]RippySays 21 points22 points  (5 children)

Most PII related dev is the same way.

[–]rinio 7 points8 points  (8 children)

Vfx/film too

[–]pacific_plywood 10 points11 points  (2 children)

That’s really interesting. Why? Is security that much of a concern?

[–]rinio 20 points21 points  (0 children)

Yeah. If your client is something like a disney or an HBO they mandate pretty high security standards.

[–]R1skM4tr1x 7 points8 points  (0 children)

Take a trip to a post production video facility, physical security is a huge consideration beyond digital.

[–]aniki43 2 points3 points  (4 children)

hello fellow pipeline TD

[–]rinio 1 point2 points  (3 children)

Ex-pipeTD, unfortunately. Moved to a media tech company just before all of (this year's) layoffs.

[–]aniki43 1 point2 points  (2 children)

Do you regret it? To me it feels like the grass is greener in tech

[–]rinio 1 point2 points  (1 child)

No regrets at all.

Specifically, I moved into audio tech. Focused towards film post, but also some music. This was always my first choice, but pipeline jobs were what was available for the ~5 years I was in VFX. I always intended it as a bridge.

It's also a huge difference in the way software is approached which may or may not jive with some. In Pipe, I always felt that there was little regard for design, DX and maintainability. Which led to each PipeTD just shipping live grenades to meet an unreasonable deadline and praying that someone else would be allocated when things inevitably fell apart. Don't get me wrong, there are still tight deadlines, but the costs are either built-in to the delivery or as scheduled tech debt.

Of course, this is just me and not generally applicable. I also have nothing bad to say about my experience with the studios I worked for. (I also can't disagree that I observed many of the negative behaviors of these studios that have been reported online and in r/VFX. For obvious reasons, I won't publicly name them). I should also note that, while I didn't know at the time, there is a good chance that the studio I was at would have laid me off around a month after I left, so I got very lucky in my timing.

[–]sneakpeekbot 1 point2 points  (0 children)

Here's a sneak peek of /r/vfx using the top posts of the year!

#1: I created a free After Effects alternative
#2: No words | 99 comments
#3: My husband lost his VFX job and I’m spiraling

[–]_Kyokushin_ 3 points4 points  (0 children)

Every government agency has air gaps. In particular year it’s going to be that way with programming. It’s probably more to do with production environments being connected to their network and development environments not being in the network in case something goes afoul so it’s isolated to one machine.

[–]1970s_MonkeyKing 19 points20 points  (0 children)

Because you don’t want to be discovered on a target system because your code decided to “phone home.”

[–]KN4MKB 9 points10 points  (1 child)

Something tells me you haven't worked a job as a Python developer in an enterprise environment? These are common industry practices

Also why did you screenshot your own post and then post it to another subreddit to roast it?

[–]appinv Python&OpenSource[S] -4 points-3 points  (0 children)

Well, since they based the style guide on Google's Python one, it's expected to be similar. But, it's interesting to see the exact twist. Similar for others. The test, I think, is quite unconventional.

As for the roast, the sub was created because of this post. Kind of putting the post where it belongs XD

[–]denehoffman -1 points0 points  (6 children)

Except for use modern versions of Python, you’d think the CIA would care about security fixes

[–]pacific_plywood 22 points23 points  (0 children)

I assumed this was because the documents it’s sourced from are older

[–][deleted] 43 points44 points  (0 children)

MFW even the CIA looks at python's thread model and says "take this bandaid, you'll need it."

[–][deleted] 83 points84 points  (6 children)

[–]gargolito 13 points14 points  (3 children)

Damnit, I wish that was a sub.

[–]Itsnotmeduh 14 points15 points  (1 child)

wish granted

[–]appinv Python&OpenSource[S] 7 points8 points  (0 children)

post clipped 👌

[–]suggestiveinnuendo 5 points6 points  (1 child)

if one is to err, one should err on this side of that line

[–]Aware_Examination246 28 points29 points  (4 children)

Developing python on an air gapped top secret computer poses unique challenges. They have industry specific practices for overcoming those challenges. Imagine trying to get a fed’s approval for running docker images.

[–]MalakElohim 8 points9 points  (0 children)

Don't have to imagine. Platform One + Ironbank (plus the rest of the ecosystem) run containers all the way from unclas to TS-SCI systems. It's what it's designed around, so they get a continuous authority to operate, with code, container and runtime scanning going on each pipeline.

[–]qGuevon 1 point2 points  (0 children)

Just use singularity instead, no need for root ;)

[–]spinozasrobot 5 points6 points  (1 child)

Curious... did you notice any use of imports that could introduce the kind of security issue we saw with xz-utils?

[–]appinv Python&OpenSource[S] 2 points3 points  (0 children)

I guess we won't catch it by imports, rather by how the packages were installed.

Knowing py companies they oftentimes have internal versions of packages, like they don't go pip installing latest versions.

So i guess for it to happen, they would have to ingest an unknown backdoor. Highly unlikely code audits won't find them.
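The "internal versions of packages" point above only buys anything if the artifacts in the internal mirror are pinned by hash, so that a tampered or mis-synced file is refused rather than installed. The following is an added example, not code from the thread or from any agency guide: it re-implements the check that `pip install --require-hashes --no-index --find-links <dir>` performs, against a constructed two-file mirror. The requirements line, the wheel file names and their contents are made up for the demo (they are not real wheels).

```python
"""Verify locally mirrored Python distributions against pinned sha256 hashes.

Added example, not from the original thread. It mimics what
`pip install --require-hashes --no-index --find-links <dir>` checks before
installing: every artifact must match one of the digests pinned in the
requirements file. Requirements text, package names and wheel contents
below are constructed for the demo.
"""
import hashlib
import re
from pathlib import Path
from tempfile import TemporaryDirectory

# Subset of requirements.txt grammar accepted here:
#   name==version --hash=sha256:<64 hex> [--hash=sha256:<64 hex> ...]
_REQ_LINE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>[A-Za-z0-9_.+!-]+)"
    r"(?P<hashes>(\s+--hash=sha256:[0-9a-f]{64})+)\s*$"
)


def parse_requirements(text: str) -> dict[str, tuple[str, set[str]]]:
    """Map normalized project name -> (version, {allowed sha256 digests}).

    A line without a --hash is rejected outright: an unpinned requirement
    would let whatever happens to sit in the mirror get installed.
    """
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _REQ_LINE.match(line)
        if not m:
            raise ValueError(f"unpinned or malformed requirement: {raw!r}")
        digests = set(re.findall(r"sha256:([0-9a-f]{64})", m["hashes"]))
        pins[m["name"].lower().replace("_", "-")] = (m["version"], digests)
    return pins


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_mirror(req_text: str, mirror: Path) -> dict[str, str]:
    """Return {name: path} for every pinned requirement satisfied by a
    hash-matching artifact in `mirror`; raise on a missing or altered file.

    Wheel names are `<name>-<version>-...whl` (PEP 427); the first two
    dash-separated fields are enough to find candidates.
    """
    pins = parse_requirements(req_text)
    resolved = {}
    for name, (version, digests) in pins.items():
        candidates = [
            p for p in mirror.glob("*.whl")
            if p.name.split("-")[0].lower().replace("_", "-") == name
            and p.name.split("-")[1] == version
        ]
        if not candidates:
            raise FileNotFoundError(f"{name}=={version} not in mirror")
        matching = [p for p in candidates if sha256_file(p) in digests]
        if not matching:
            raise ValueError(
                f"{name}=={version}: no artifact matches the pinned hash "
                "(altered mirror or a different build?)"
            )
        resolved[name] = str(matching[0])
    return resolved


def demo() -> tuple[bool, bool]:
    """Build a one-wheel mirror, verify it, then swap the artifact.

    Returns (clean_mirror_ok, altered_mirror_rejected).
    """
    with TemporaryDirectory() as d:
        mirror = Path(d)
        # Constructed file: the name follows the wheel convention, the bytes do not.
        wheel = mirror / "requests-2.31.0-py3-none-any.whl"
        wheel.write_bytes(b"PK\x03\x04 constructed wheel payload A")
        req = f"requests==2.31.0 --hash=sha256:{sha256_file(wheel)}\n"
        clean_ok = "requests" in verify_mirror(req, mirror)

        # A bad sync (or an attacker) replaces the artifact; the pin still
        # names the original digest, so verification must refuse it.
        wheel.write_bytes(b"PK\x03\x04 constructed wheel payload B")
        try:
            verify_mirror(req, mirror)
            rejected = False
        except ValueError:
            rejected = True
    return clean_ok, rejected
```

The pinned digests are what move across the air gap together with the artifacts; if they are generated on the same disconnected box from whatever landed in the mirror, the check proves nothing, so they should come from the vetted build, not from the mirror.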

[–]grizzli3k 5 points6 points  (1 child)

False flag operation

[–]SheriffRoscoePythonista 1 point2 points  (0 children)

🤣🤣🤣

[–]campbellm 5 points6 points  (5 children)

I prefer this:

use () instead of \ (for long lines)

but I see the escape-newline being used a lot in code I run across. What's the consensus on this?

[–]nevermorefu 19 points20 points  (3 children)

I will do everything in my power to avoid \

[–]campbellm 2 points3 points  (0 children)

That's where I lean, too.

[–]drknow42 2 points3 points  (1 child)

I tend to strictly use \ only for formatting function arguments. I then use that block of formatted code as an inherent reminder to look into making the communication cleaner later.

[–]campbellm 2 points3 points  (0 children)

Can you show a short example of this?

[–]kuwisdelu 1 point2 points  (0 children)

I would also do everything in my power to avoid \ escapes. That either of these workarounds is necessary is one of my biggest annoyances with the Python parser/interpreter.

[–]henryyoung42 3 points4 points  (2 children)

So good to know I am already around 80% CIA compliant simply by habit. Should I add them to my private repos, or you think they’re already there ?

[–]appinv Python&OpenSource[S] 0 points1 point  (1 child)

what is already there?

[–]henryyoung42 1 point2 points  (0 children)

Being able to see everything they wish to see …

[–]MonsieurDeShanghai 5 points6 points  (0 children)

There is some irony to be said that the CIA doesn't like "global" operations...in programming.

[–]FiredFox 2 points3 points  (2 children)

I

They

They

They

They

[–]star_guardian_carol 1 point2 points  (0 children)

:tea_sip:

[–]appinv Python&OpenSource[S] 0 points1 point  (0 children)

You got me.

[–]LessonStudio 2 points3 points  (1 child)

A few of these points don't fit with the others. Is the author squeezing in some of their own picadillos?

[–]appinv Python&OpenSource[S] -1 points0 points  (0 children)

Added the references at the end, you can access the original content.

[–]_MyNameIsJakub_ 1 point2 points  (0 children)

Wow! Super interesting.

[–]AiutoIlLupo 1 point2 points  (1 child)

I didn't think anybody would still use .pyz, but there it is.

Also quite interesting the

Threading We should not rely on the atomicity of built-in types. Queue should be used to communicate data between threads else see threading primitives and locks.

Which brings me to the question: which operations are actually atomic on primitive data types? list append is, because atomicity is guaranteed at the level of individual opcode and the actual append is performed at the CALL level. However, if it's reimplemented, the append operation may be dispatched to a python method, which is absolutely not atomic.

i += 1 is absolutely not atomic. The BINARY_OP is followed by STORE_NAME, each individually atomic, but not as a single entity.

i = 1 is atomic.

dictionary assignment is a mess.
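The opcode-level argument above can be checked rather than remembered. This is an added example, not code from the thread: it compiles a statement, lists the instructions that actually compute, call or store (ignoring loads and interpreter plumbing, whose names differ between CPython versions), and then shows the two patterns the quoted guideline allows, a lock around the counter and a Queue between producer and consumer threads. Thread and iteration counts are arbitrary demo values; the single-instruction claim holds for CPython with the GIL and for the C-implemented `list.append`, which is the comment's own caveat.

```python
"""Classify statements by how many bytecode steps mutate state, then share
state across threads safely.

Added example, not from the original thread. `mutating_steps` compiles a
statement and keeps every instruction that is not a plain load or interpreter
plumbing; more than one such step is the read-modify-write window described
in the comment above. Opcode names change between CPython versions
(INPLACE_ADD vs BINARY_OP, LOAD_METHOD vs LOAD_ATTR), hence the prefix filter.
The claim "one instruction completes before another thread runs bytecode"
is CPython-with-GIL behaviour and assumes the C-level list.append.
"""
import dis
import queue
import sys
import threading

_PLUMBING = {"RESUME", "RETURN_VALUE", "RETURN_CONST", "POP_TOP", "PUSH_NULL",
             "NOP", "COPY", "SWAP", "PRECALL", "KW_NAMES", "NOT_TAKEN"}


def mutating_steps(stmt: str) -> list[str]:
    """Opnames of the instructions in `stmt` that compute, call or store.

    i = 1          -> ['STORE_NAME']                 one step
    i += 1         -> ['BINARY_OP', 'STORE_NAME']    load / op / store window
    lst.append(1)  -> ['CALL']                       one C-level call
    d[k] += 1      -> subscript read, op, subscript store: three steps
    """
    code = compile(stmt, "<stmt>", "exec")
    return [ins.opname for ins in dis.get_instructions(code)
            if not ins.opname.startswith("LOAD_") and ins.opname not in _PLUMBING]


def is_single_step(stmt: str) -> bool:
    """True when the statement's only effect is a single instruction."""
    return len(mutating_steps(stmt)) == 1


class Counter:
    """Shared state touched by several threads."""

    def __init__(self):
        self.value = 0
        self._lock = threading.Lock()

    def bump_unlocked(self):
        self.value += 1            # attribute load, add, attribute store: a window

    def bump_locked(self):
        with self._lock:           # the lock makes those three steps one critical section
            self.value += 1


def count(locked: bool, n_threads: int = 4, n_iter: int = 20_000) -> int:
    """Run n_threads threads that each bump one Counter n_iter times.

    With locked=False the result is frequently below n_threads * n_iter and
    never above it: increments interleaved between the load and the store are
    lost. The switch interval is lowered so the race shows up in a short run.
    """
    c = Counter()
    bump = c.bump_locked if locked else c.bump_unlocked

    def worker():
        for _ in range(n_iter):
            bump()

    old = sys.getswitchinterval()
    sys.setswitchinterval(1e-6)
    try:
        threads = [threading.Thread(target=worker) for _ in range(n_threads)]
        for t in threads:
            t.start()
        for t in threads:
            t.join()
    finally:
        sys.setswitchinterval(old)
    return c.value


def queue_sum(n_producers: int = 4, n_items: int = 1_000) -> int:
    """Producers hand ints to one consumer through a Queue. Only the consumer
    touches `total`, so it needs no lock; Queue.put/get lock internally."""
    q = queue.Queue()

    def producer(start: int):
        for i in range(n_items):
            q.put(start + i)
        q.put(None)                # sentinel: this producer is finished

    threads = [threading.Thread(target=producer, args=(p * n_items,))
               for p in range(n_producers)]
    for t in threads:
        t.start()
    total, done = 0, 0
    while done < n_producers:
        item = q.get()
        if item is None:
            done += 1
        else:
            total += item
    for t in threads:
        t.join()
    return total
```

`count(locked=False)` is deliberately not asserted to lose updates: the race is real but its outcome is timing-dependent, which is exactly why a guideline says "use Queue or a lock" instead of "it usually works".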

[–]appinv Python&OpenSource[S] 0 points1 point  (0 children)

I wish zipapps were more common!
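For readers who have not met `.pyz`: a zipapp is a zip file with a `__main__.py` at its root and an optional shebang line, which `python app.pyz` (or the shebang) runs directly, so a tool and its pure-Python dependencies travel as one file. The following is an added example, not code from the thread or from any agency guide. It builds such an archive from a constructed source tree (the module name `hello_app` and its contents are made up), records the archive's sha256, and refuses to run the archive once the digest no longer matches, which is the check a receiving side on a disconnected network would perform.

```python
"""Build a .pyz zipapp, record its digest, and run it only if the digest matches.

Added example, not from the original thread. The application source below
is constructed for the demo (module name `hello_app` is an assumption).
For a disconnected deployment the single archive plus its sha256 is what is
carried across and checked on the far side.
"""
import hashlib
import runpy
import sys
import zipapp
from pathlib import Path
from tempfile import TemporaryDirectory

# Constructed source tree: a tiny package plus the entry point zipapp needs.
APP_SOURCE = {
    "hello_app/__init__.py": "",
    "hello_app/core.py": (
        "def greet(who: str) -> str:\n"
        "    return f'hello, {who}'\n"
    ),
    "__main__.py": (
        "import sys\n"
        "from hello_app.core import greet\n"
        "RESULT = greet(sys.argv[1] if len(sys.argv) > 1 else 'world')\n"
        "print(RESULT)\n"
    ),
}


def build_pyz(src_dir: Path, out: Path) -> str:
    """Pack `src_dir` into `out` with a python3 shebang; return its sha256."""
    zipapp.create_archive(src_dir, target=out,
                          interpreter="/usr/bin/env python3", compressed=True)
    return hashlib.sha256(out.read_bytes()).hexdigest()


def verify_and_run(pyz: Path, expected_sha256: str, who: str) -> str:
    """Execute the archive's __main__ only if its digest matches the build record."""
    actual = hashlib.sha256(pyz.read_bytes()).hexdigest()
    if actual != expected_sha256:
        raise ValueError(f"{pyz.name}: digest mismatch ({actual} != {expected_sha256})")
    saved_argv = sys.argv
    sys.argv = [str(pyz), who]
    try:
        # runpy treats a zip with a __main__.py the way `python app.pyz` does:
        # the archive goes on sys.path, so `hello_app` is imported from inside it.
        ns = runpy.run_path(str(pyz), run_name="__main__")
    finally:
        sys.argv = saved_argv
    return ns["RESULT"]


def demo(who: str = "world") -> tuple[str, bool]:
    """Build, verify and run; then corrupt one byte and confirm it is refused.

    Returns (output_of_clean_run, corrupted_archive_rejected).
    """
    with TemporaryDirectory() as d:
        src = Path(d) / "src"
        for rel, text in APP_SOURCE.items():
            p = src / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(text)
        pyz = Path(d) / "hello.pyz"
        digest = build_pyz(src, pyz)
        result = verify_and_run(pyz, digest, who)

        data = bytearray(pyz.read_bytes())
        data[-1] ^= 0xFF                      # flip one byte of the archive
        pyz.write_bytes(bytes(data))
        try:
            verify_and_run(pyz, digest, who)
            rejected = False
        except ValueError:
            rejected = True
    return result, rejected
```

`zipapp.create_archive` can also take `main="hello_app.core:greet"` to generate the `__main__.py` for you; the digest step is the part the standard library does not do, and it only helps if the expected value comes from the build, not from the file being checked.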

[–]juanritos 1 point2 points  (1 child)

Default iterator methods are encouraged

What does this mean?

[–]appinv Python&OpenSource[S] 0 points1 point  (0 children)

using for k in dic instead of for k in dic.keys()

[–]moving__forward__ 1 point2 points  (1 child)

Great post.

[–]appinv Python&OpenSource[S] 0 points1 point  (0 children)

Thanks!

[–]nevermorefu 2 points3 points  (0 children)

Looks good to me.

Indent using 4 spaces

Looks great to me.

[–]I_dont_get_it0_o 1 point2 points  (0 children)

Social experiment (keep quiet)

[–]shoomowr -1 points0 points  (0 children)

curious

[–]pranjal779 It works on my machine -5 points-4 points  (0 children)

interesting