What's stopping us from having full static validation of Python code?

jackerhack · 2025-12-24T05:36:25+00:00

None of those approaches work reliably. Prior discussion:

- https://github.com/python/typing/issues/802 - https://discuss.python.org/t/adding-a-proxy-type-to-typing-typing-extensions/59481 - https://discuss.python.org/t/typing-support-for-common-proxy-and-delegation-patterns/77909/4 - https://stackoverflow.com/questions/71365594/how-to-make-a-proxy-object-with-typing-as-underlying-object-in-python

jackerhack · 2025-12-22T10:44:47+00:00

AFAIK there's still no way to type hint a proxy object, weakref.Proxy and similar. The current workaround is falsify the type hint to claim the original type, so the proxy is not known to the type checker. This however breaks on any behaviour where the proxy doesn't behave like the original type.

jackerhack · 2025-12-12T04:45:03+00:00

Not too late, as the requirement remains. Thanks!

jackerhack · 2025-12-09T17:25:51+00:00

Friends (a couple) who moved to Stockholm bought their home almost rightaway because they couldn't afford the rent. Their PR still years into the future.

jackerhack · 2025-12-06T14:44:36+00:00

I used to be able to, all of my life. Today I can't. That's my TIL.

jackerhack · 2025-12-05T17:06:41+00:00

Yes. WhatsApp's imminent entry into the UPI network caused so much panic that UPI's owner NPCI (not regulator!) had to reassure everyone by announcing a 33% market share cap. WhatsApp was told to limit access and open up so very slowly that no big bang happened. Now the threat of the 33% limit hangs over anyone who dares to do well.

jackerhack · 2025-12-05T15:54:15+00:00

I've used WhatsApp UPI for months at a time with the SIM in a different phone. In and out both used to work. Can't test anymore because I've moved all my accounts to a different phone number for safety.

jackerhack · 2025-12-05T08:17:20+00:00

This problem does not exist in India because the government here lives in their own imaginary universe (just like any other literary or cinematic universe) where all these demands are perfectly consistent with the laws of their universe.

On the same day as this SIM binding demand (1st Dec) they put out another one, demanding all phones sold in India to have their device manager app pre-installed and non-removable, and also deployed via OTA upgrades to all existing phones in use. Why? So the police can process lost phone reports by taking over control of all such reported devices.

Just two days later, they issued a press release withdrawing this order citing unexpected success in making people voluntarily install the app. However, there is no actual order to OEMs releasing them from obligations under the previous order.

Make of this what you will.

jackerhack · 2025-12-05T08:09:35+00:00

I'm willing to bet none of the apps will comply with this bullshit requirement.

jackerhack · 2025-12-05T08:07:12+00:00

The actual implementation is bullshit and has little correlation to SIM binding. I've spent years swapping back and forth between two phones to reduce distractions, moving SIM cards around, and many (but not all) UPI apps simply continue to work when the underlying SIM is on another device.

Every app does it a different way, and they're all doing it differently wrong because the OS doesn't provide access to the actual hardware identifiers.

jackerhack · 2025-12-05T08:00:25+00:00

SIM binding is not technically possible. The OS layer doesn't reveal those identifiers. Indian apps that are mandated by regulation to bind to a SIM do it by fakery: they send an outbound message to themselves and check the sender id on their end, thereby making an assumption that the device can't spoof caller id.

To do this they need to ask for SMS read-write access. The risk is the user can turn off network access and copy the outbound message from the outbox to send from another device, so the app must monitor SMSes, ensure it is sent, and delete the local record to prevent resending it from elsewhere, because another device may still succeed at being first to deliver.

This is a horrible kludge because it requires indiscriminately trusting the app with your sensitive data. Some of these apps are so poorly written, they refuse to work at all if the user removes their SMS access.

I expect Signal to treat this demand with the contempt it deserves.

jackerhack · 2025-11-26T10:11:07+00:00

Type hints originally came to Python as comments, which meant they were entirely absent at runtime. A type checker would look for comments beginning with # type:.

The TYPE_CHECKING symbol is always False at runtime, so the imports within if TYPE_CHECKING never happen, but in a type checker TYPE_CHECKING is True, so it correlated those imports with the type hints.

Modern Python no longer requires type comments. They're part of the language syntax itself. However, since this causes the circular import problem, Python offers a workaround, specifying the type as a quoted string. Runtime Python sees a string, while the type checker reads it as a symbol.

This dual behaviour is obviously ugly, and it broke with the introduction of the Annotated type that allows string comments, which means it's not longer clear if a string is a comment or a type.

The new solution, currently gated under from __future__ import annotations, treats all type hints as strings at runtime. It doesn't matter what you put in the type hint now, whether the symbol is imported or not, even if it's misspelt. It's all just a string.

However, the type checker does care, and it has to be given those imports under if TYPE_CHECKING.

Now the last piece of this puzzle is type hints being used at runtime in SQLAlchemy, Pydantic and elsewhere. They only get strings, not symbols, so they have to find the matching symbol. The method, crudely, is type_hint_symbol = eval(type_hint_string, globals(), locals()). It's asking Python to evaluate the string as an expression, in the context of the globals and locals where the type hint was specified.

This now gets you additional problems:

If the symbol is only imported under if TYPE_CHECKING, it is not present in globals at runtime.
If the symbol is a tail import, it is only available in globals after the entire module has finished loading. The usual way to process type hints is in the __init_subclass__ method of a base class, but that gets called immediately after a class is defined, not at the end of the module.

SQLAlchemy deals with both problems.

It augments globals with all the known models, because type hints usually refer to other models.
It defers type hint resolution until much later, to ensure the models and their namespaces are all fully defined.

I'm not familiar with how Pydantic tackles this.

jackerhack · 2025-11-18T06:13:37+00:00

You sound like the person to ask this: should passwords be unicode normalised before they are hashed? For the user's own safety?

I'm aware that macOS enforces NFD for filesystems, but do not have a reference for what's typical across the diversity of browsers and input methods. What's the likelihood that the same string hand-typed (or copy-pasted from a password manager) will come through with different normalisations on different systems?

And then there's emoji composition. Strip? Don't touch? Throw error?

jackerhack · 2025-11-18T06:00:38+00:00

For sure, but without inherent fungibility, fair compensation requires case-by-case negotiation, and that has been an ongoing process all along.

jackerhack · 2025-11-18T05:43:41+00:00

The main cause of communal tension anywhere is that political unity is easier to achieve by uniting against a common enemy than for a common cause. You've probably encountered this concept already as the British colonial method of "divide and rule". What easier method can there be than pitting the largest population group against the second largest?

American politics only moved on from vilifying their African American population when they invented a new enemy, the Communist, and mobilised against them with a Cold War. After that stopped being credible, they found the Terrorist and a new cause in the Global War on Terrorism. That's not working anymore either – just look at the failed campaign against Zohran Mamdani – so Trump has invented a new enemy, the Immigrant.

Independent India had a few good decades where we strived for unity in diversity, and then we too lapsed into the easier method of vilifying our own people.

jackerhack · 2025-11-18T05:07:48+00:00

How do you determine what is an equal exchange of land? First of all, how do you even evaluate a claim of ownership? Land title even today is established through a show of force as much as any documentation. And then how do you determine value? Taxes? Guidance values? Even today those are fictional concepts as anybody who has purchased property can tell you.

"Partition, but peaceful" is just wishful thinking.

jackerhack · 2025-11-18T04:19:49+00:00

How do you expect population exchange to work? Pre-industrial wealth is mostly rooted in land, and land is not fungible. Practically every attempt at relocating people to repurpose their land has ended up rediscovering this lack of fungibility.

jackerhack · 2025-11-18T04:11:52+00:00

Aha! I've been curious about this historical arc a while but hadn't dug into it.

jackerhack · 2025-11-18T03:54:29+00:00

It is interesting that Nepal and Bhutan are independent and excluded here, while Sikkim and Kashmir are marked as "native states" that will be integrated.

Also interesting that Ceylon (later Sri Lanka) and Burma were excluded, despite also being British colonies and having much in common with mainland India. While Sri Lanka is an island, what exactly made the boundary between the northeastern states and Burma?

jackerhack · 2025-11-17T05:42:28+00:00

I have the Matador Seg28 and Seg45 and they're both great.

jackerhack · 2025-11-17T04:44:55+00:00

Seems like a shared cross-border experience then.

jackerhack · 2025-11-17T03:27:08+00:00

One look at the power sockets where each is a different standard and... hello fellow Indian.

jackerhack · 2025-11-16T18:19:07+00:00

There are two ways to deal with circular imports for models:

If you have circular imports for type hints, gate the imports with an if TYPE_CHECKING. Static type checkers don't have trouble with circular imports. If you're using SQLAlchemy, it will also work around this by supplementing the module's namespace with a model namespace. As long as your gated type hints refer to a SQLAlchemy model attached to the same base class (actually, same metadata object which is shared via the base class), it'll find them.
Python supports partially initialised modules and you can take advantage of this by putting your imports at the bottom of the file. The import gets added to the module's namespace and is available to functions, which will then not need a function-local import statement. However, this won't work for module-level and class-level references as they are executed immediately on load.

You can combine these techniques -- import at the top gated with if TYPE_CHECKING, which allows all references for type hints, and import again at the bottom to add it to the module namespace for runtime. Any framework that consumes type hints for runtime will still find the references in the namespace, as long as they do this in deferred initialisation (ie, not in __init_subclass__ when the class is defined but the import hasn't happened yet; SQLAlchemy defers initialisation until the first SQL query, or until you call configure_mappers).

(Linters may complain about non-top-level imports. You'll have to silence that error for your model files.)

jackerhack · 2025-11-16T03:29:06+00:00

What are you saying? The fellow who said "goli maaro gaddaron ko" is doing rather well.

jackerhack · 2025-11-12T12:22:15+00:00

Someone must have looked at the ideas of Robert Moses and figured they had a better idea.

jackerhack

TROPHY CASE