Cogito, Ergo Sumana
Sumana oscillates between focus and opportunity

Python Packaging Tools: Security Work And An Open Position

Two exciting bits of news regarding massively improving how we package, distribute, and install Python software!

First: a new grant. New York University (specifically Professor Justin Cappos) and I have successfully asked the US National Science Foundation for a grant to improve Python packaging security. The NSF is awarding NYU $800,000 over two years, from mid-2021 to mid-2023, to further improve the pip dependency resolver and to integrate The Update Framework further into the packaging toolchain. I shared more details in this announcement on an official Python packaging forum.

I'll be part of this work, paid to work on this part-time, doing some outreach, coordination, project management, and similar. Thanks to the NSF, Justin, the Secure Systems Lab at NYU, and all the people who work on Python packaging tools!

Second: the Python Software Foundation is hiring a full-time project manager and community manager for Python's packaging toolchain. Thanks to Bloomberg for the funding! Please check out the job description and spread the news. Please apply by May 18th, 2021.

The job is remote and you can apply from anywhere in the world. As the description says: "Total compensation will range from $100k-$125k USD based on qualifications and experience." And you'd report to Ee W. Durbin III, a colleague I strongly recommend and love working with.

I'm thoroughly grateful that we've now gotten to the point where the PSF can hire a full-time person for this role. As a volunteer and as a contractor, I've performed -- in many cases initiated -- the activities that this person will do, and I've seen the critical need. We deeply need a full-time coordinator for holistically assessing and improving the user and developer experience of Python packaging, because -- as Russell Keith-Magee said in his PyCon US 2019 keynote -- the status quo poses "an existential threat" to the future of the language. And so one of the desired qualifications for the role is: "Belief that Python packaging problems are of critical importance for the Python language... but that those problems are solvable."

We've gotten better and better at attracting corporate and grant funding -- and yes, I'll take some credit for that, with my past work researching and writing grant proposals, leading funded projects, and volunteering with the Packaging Working Group and cofounding the Project Funding Working Group. So, now, what should we focus on? We need to prioritize improvements for strategic value (e.g., should we first concentrate on overhauling the Warehouse API, or making a generic wheel-builder service, or tightening metadata compliance, or ....?). What can we learn from other package management toolchains, especially those that emerged after PyPI and pip (e.g., yarn, npm, cargo), and what should we copy? In my opinion, you do not need to already have an opinion on these questions to apply for this role -- you just have to be interested in talking with a bunch of stakeholders, poking through past discussions, and collaboratively developing some answers.

I won't be applying for this PSF role -- I'm going to be, instead, excited to collaborate with that person and help them learn all the stuff I know, so that in the long run, we'll have more people, with that set of skills and domain knowledge, working on Python packaging. I'll concentrate on the Python supply chain security piece specifically (via the NSF-funded work at NYU), plus finishing my book and maybe creating and leading associated trainings, and taking what I've learned to other languages and ecosystems through client work.

So: please spread the word and apply!

Trying to Notice What's Missing

I'm ploughing through some open source project email threads and thinking:

In 2010, people got together in Berlin for a Wikimedia developers' meeting .... and then a bunch of them hung around a lot longer than they'd expected, because a volcano erupted and so their flights got cancelled. As I understand it, you can trace certain architectural decisions and improvements to the discussions and pair programming from that chunk of unexpected extra in-person time.

It's conference season, at least in the northern hemisphere, and we're going into our second year of virtualized or missing technology conferences. The maintainers, users, and stakeholders of the open source software you depend on have gone more than a year without getting to quietly gossip with each other over a snack or while walking to a sponsored party. It's been more than a year since one guy has been able to make that other guy laugh and remember "ah, he's not so bad really". It's been more than a year since people could easily scribble boxes and arrows together on the back of a conference schedule or poke at the demo on someone's laptop.

We come together every once in a while to refill on trust and camaraderie and a shared understanding of what we're trying to do and who we're trying to do it for; I assume that, for some folks, those wells have now run dry.

In a tree's rings you can see the years of drought. Where, in our code and our conversations, will we see the record of this separation? Do you already see it?

Discovery Versus Context

This insightful, funny, downbeat Brandy Zadrozny interview obliquely reminds me of something I realized the other day: the modern Web is, relatively, amazing at offering discovery but awful at offering context. It's easier than it's ever been for a single blog post/microblog post (such as a tweet), song, video, photo, etc. to be discovered, publicized, and plucked out of the context of what the creator usually says, what they are aiming to do, who and how large their usual audience is, and what power they hold in the institutions of their lives. And so it's easier than it's ever been to be heard, and easier than it's ever been to be misunderstood.

If You Call Me A Thought Leader For This Post I Will Give You A Stern Look

In scifi/fantasy fandom there's this phrase, "Big Name Fan". This is someone who is well-known, influential, for the fannish things they say and do and make. The idea is that a BNF is a minor celebrity -- not at the television-interviews level, but still, within their Internet and convention circles, someone who gathers a crowd, and whose tossed-off words have disproportionate power to help or hurt others.

The chunk of fandom I'm thinking of is, mostly, women. We're socialized to not admit when we have power, and to shut up and use it to serve others. Joanna Russ wrote about this dynamic in "Power and Helplessness in the Women’s Movement"; fan Hope reiterated that expectation in "Nobody Ever Admits They're a BNF", advising Big Name Fans that they get to benefit from feelings of belonging but "You are not allowed to have hurt feelings, you are not allowed to argue with someone, and you absolutely are not allowed to have an opinion." I think the only/first time I've found out that I've been called a BNF, it was in the context of someone criticizing my too-abrupt comments in a Dreamwidth thread; they were disappointed, taken aback, at such a BNF acting in this way.

Given that it's considered arrogant to call oneself a BNF, at least in public, perhaps you can infer how difficult it then is for a person to honestly and transparently reckon with the concomitant opportunities and constraints.

And perhaps you can draw a line from this dynamic to ones in the developer relations industry, or in large collaborative volunteer groups such as major open source projects, etc. If you have an explicit role such as "conference chair" or "professor" or "maintainer" then you know whether you inhabit it or not, you can straightforwardly mention that you hold it, and you and your peers can come up with norms for the special powers and responsibilities that come with it. But absent that? As far as I am aware you do not get a how-to book and access to an all-celebrities group chat upon achieving some number of Twitter followers. A person who has gradually accreted influence must notice that they have more intangible influence than most of the people they talk and listen to, and -- through reflection, study, and private conversation -- develop their own guidelines for how to use that influence.

But: there's how you act, and then there's how everyone else acts toward you. No matter whether or not they get some explicit roles to help everyone understand these kinds of expectations, I think -- at least in the bit of US society that I'm used to, where we have strong egalitarian ideals -- we don't help newly powerful people get used to all those social epiphenomena that will now start brushing against them. Envy, intimidation, and so on. Maybe there are now influencer finishing schools that include "you are now the object of other people's projections and their parasocial interactions with you will get very weird" in their curriculum.

I have counterproductive feelings and habits in my head that relate to this whole issue, around envy, martyrdom, etc. As with the stuff I mentioned earlier this week in "Paralipsis", this blog isn't the right place to work through those things. This week I'm particularly grateful to friends of mine with whom I can talk candidly about this stuff. And if you and I are friends, perhaps we can talk about it too.

A Few Books Influencing Mine

I'm working on a forthcoming book on rejuvenating legacy open source systems. In addition to my bibliography of open source management books/courses, I'm grateful to a few management, teaching, and writing books that have influenced me recently:

Florence Nightingale's Notes on Nursing: What it is, and what it is not, a cranky and thoroughgoing text on management that covers the healing environment as a whole: "let whoever is in charge keep this simple question in her head (not, how can I always do this right thing myself, but) how can I provide for this right thing to be always done?"

Greg Wilson's Teaching Tech Together: How to create and deliver lessons that work and build a teaching community around them, a guide to effective instruction: "We have been talking about mental models as if they were real things, but what actually goes on in a learner's brain when they're learning? The short answer is that we don't know; the longer answer is that we know a lot more than we used to....As scary as it is, we are the grownups."

Via a recommendation from Eszter Hargittai on Crooked Timber: Thinking Like Your Editor: How to Write Great Serious Nonfiction and Get It Published by Susan Rabiner and Alfred Fortunato (concentrating on the kind of nonfiction from big publishers that gets reviewed in major newspapers), and So You Want to Publish a Book? by Anne Trubek (who runs a small press). I just read these within the past week. In Trubek's book I particularly appreciated the list of presses and imprints belonging to the Big Five, her breakdown of budgets, her frank appraisal of what helps sell more copies of a book, her thoughts on horizontal solidarity among authors and readers, and her assessment of Amazon's effects on the market. And in Rabiner's and Fortunato's book, I was struck by their in-depth explanation of how to structure a book proposal (and the many examples of what works and what falls flat), their thoughts on what editors are seeking, and their advice on structuring a book and making one's argument fairly.

Painstakingly Reminding Myself How To Play

This is a little bit about how free-range learners in programming assess our own skill levels and choose what to learn next. But it's also a response to my own insecurity, and to the sometimes-stultifying weight of concentrating one's work on infrastructure.

Working on things that matter

In the Abstruse Goose comic "Computer Programming 101", a learner provokes an explainer with further and further questions about the CS and hardware and physics underlying a programming task. One reading of the comic: "Get comfortable with abstraction. If you try to understand how everything works, you'll get nothing done."

Yeah, of course, everyone's time is finite, and we all have to make our own decisions about how much time to spend on learning and how much time to spend doing other things, using our existing levels of knowledge. (Although I've recently tripped up on the assumption that the listener aims to get anything in particular "done".)

But there's also a kind of obliviousness that is so helpful, not just cognitively but emotionally, when I'm learning. Not knowing that something is risky, or not really being able to comprehend risk, helps you do it. This is one reason it can be useful to learn a bunch of programming skills when you're young, not just because very little responsibility rests on your code's shoulders, but also because at that stage you haven't yet seen all the vulnerabilities and Daily WTFs and unlocalized sadnesses... you don't even know what all edge cases exist in the world. You can take the leap of faith that all your infrastructure will work -- heck, you don't even know what infrastructure you're relying on! You don't even realize you are taking that leap of faith! -- and concentrate on getting your corner just right.

For context: for my job, I primarily work, and want to work, on mature open source software that many users already depend on. I find a lot of satisfaction in rejuvenating and stabilizing widely-used open source projects and thus healing important parts of the whole system. My professional experience is loaded up with working on stuff like GNOME utilities and MediaWiki and the Python packaging toolchain. (I left the Wikimedia Foundation partly to mess around with blank slates and without legacy infrastructure/stakeholders.... and then turned into the de facto community manager for Python packaging!) I played with BASIC as a child, and I learned a bit of Scheme and bash in college, but I came to programming in a serious, sustained way AFTER years in the industry, as a technologist and manager in software engineering teams.

Which means that when I do want to make a little toy, sometimes it's been hard for me to just come to it with learner's mind. I see that it has no unit tests, no localization, a bad UI, crappy OO, no extensibility and zero separation of concerns, ridiculous performance. There are at least five worlds of software development (that article is pretty obsolete but its point is reasonable) and I am a permanent resident of the People You Don't Know Will Need To Use This Software world. I spent some of my childhood in Playing Around world but it can be hard for me to remember how to get around there. (And oppressed people, out of necessity, often mitigate risk more, tempering audacity. So that's yet another privilege thing.)

As Amandine Lee writes: "People's intuitions and risk-friendliness also vary based on personality, and how they've seen things fail in the past." Yes! But then the very next sentence: "A lot of growing as an engineer is fine-tuning that initial response to design decisions." She meta-cautions us against knee-jerk caution, a reflex that leads to "wasteful carefulness". Was it nearly a year ago I talked about this, about the balance between preservation and growth? Maybe it's a springtime kind of rumination.

Precursors to relaxation

I am trying to think about what helps me let go of those worries and fiddle, sketch, prototype. Curiosity about a specific dataset helps, as does the impatient desire to munge some data into a form I can more easily reuse. Or an external force causing me to concentrate on achieving some specific outcome OTHER than "other people need this," like "I want to create enough of a game that I can put it in my application to the Recurse Center" (e.g., this commit in "Where on the Oregon Trail is Carmen Sandiego?" -- global variables and pretty naive string concatenation abound, as you can see, and I think those were the first two classes I ever wrote). I also think it helps when I feel like I am exploring abundant neat stuff left over by past architects, as with "HTTP Can Do That?!" (video).

Geoffrey Litt reports that part of it, for him, is concentrated time: "Also, I just gotta say: years of professional software engineering has trained me to work sustainably, but there's something to be said for a few long, unsustainable days of furious programming. Early-stage creative prototyping seems to benefit from a certain energy level that's not easily attainable in a sustainable environment." (Which makes me think about different ways participants can use Recurse Center, deliberately creating bursty rhythms of work and recovery, if they're concentrating on inventing, versus using a consistent routine to aid learning.)

Security and insecurity (how novel, I know)

A few years ago* I started thinking about how to harness this dynamic for play and confidence, specifically by improving my cybersecurity skills. My reasoning went:

  1. I often see good engineering that is better than I could do
  2. There is a counterproductive reaction-pattern in my head that sometimes finds it intimidating, not inspiring, to see amazing work
  3. Thus I get turned off in a fixed-mindset way, thinking "I am not a good engineer" because of my relative inferiority
  4. But the reverse is also kind of true; if I discover flaws in real running production code then I will notice my relative superiority and feel more confident about my own abilities, which raises my morale and makes it easier for me to try things that I might fail at
  5. There is a lot of poor engineering out there, especially when, for instance, viewed through a security lens, and it is probably possible for me to use existing resources to understand common flaws and learn how to find them
  6. Thus, it would be a good step for me to learn more about the bit of the software industry that has lots of terribly written code, in production, that I can inspect and feel superior to

(There's something here in common with what I've said about ways to deal with impostor syndrome, and self-assessment vertigo -- find reminders of my own competence as compared to the whole human population, not just the experts whose skill level I aspire to.)

Less coherently, I feel emotionally insecure and feel digitally insecure; I would like to be able to make better-reasoned tradeoffs about my digital behavior and protection. And I was noodling around, thinking about the community of practice of script kiddies, and the envy I feel when thinking about having the time and equipment to play like that, and the joy of feeling powerful but not responsible. I thought that would be something I would get out of offensive (rather than defensive) security skills: a feeling of power without necessarily then feeling a new weight of responsibility.

Fast forward to now. I went in approximately the opposite direction. Sure, I know more about cybersecurity now, and I'm even a visiting scholar in an academic lab working on cybersecurity. But it's to better secure the Python packaging pipeline! More infrastructure work! I have not learned any offensive skills and all of my power comes with responsibility! It's like the sitcom trope where a person says "I think I'm gonna skip that party" and then the show cuts to them seated in the middle of a big banquette table at the restaurant and everyone's wearing party hats.

And I now know myself well enough to know that, as soon as I notice a needless wasteful problem, I itch to fix it, and have to remind myself to pick my battles. So: even if I did grow in my offensive skills, every time I noticed a vulnerability, I would immediately feel a frustrated desire to patch it, more than I'd feel a confirmation of my own capabilities. I am too mature to have power without feeling commensurate responsibility. I missed my window.

Old advice for a new mind

A few nights ago I couldn't get to sleep because of a wave of insecurity and negative self-talk. I never went to MIT and I wasted my social opportunities in college and that's why I founded Changeset solo instead of with a cofounder and that's why I haven't yet achieved what I wanted to! I'm middle-aged and my neuroplasticity is declining and it's too late for me to gain momentum on improving my habits and getting more efficient and making an impact! That sort of thing.

And I remembered an old teacher of mine, Mr. Berkowitz. He taught government and economics at my high school, and he looked ancient and frail -- when he slowly walked the path between the administration building and his classroom, I thought I could see the wind threatening to knock him over. And that's why it made such an impression on me when, on the last day of class, he told us: "if you keep learning, you will never grow old."

And I got out of bed and went to my computer, and figured out how to install Rust (with help from 2 people in the Recurse Center's Zulip chat), and started Rustlings, an exercise-by-exercise approach to learning Rust by fixing code that doesn't work. I completed the first exercise and got the string of "tada" emojis and smiled, a strong real spontaneous smile, and felt and noticed it. And a few exercises later, I was calm enough to go to bed and fall asleep.

I have some unformed ideas about how knowing a bit of Rust might help me with my work, to lead projects like Federico Mena-Quintero's work on librsvg, replacing C library code with Rust. But maybe the big reasons it appeals to me are that everyone I've ever heard of working on Rust is friendly, and the language aims to be really helpful with its error messages, and no one needs me to learn it. It's ok if I don't do it. Which makes it more ok to do it.

In my job I want to work on things that matter. To do that job well I need to learn. The pressure of "this matters" can make it harder to learn. Therefore there is meta-work I must do to make tidepools and sandboxes for myself to learn in, shifting my mindset accordingly. And, for bigger jaunts into Playing Around World, maybe making time for another retreat at Recurse Center sometime.

* I have a note here that maybe this was related to my experience watching a preview of Jessica McKellar's talk "Building and breaking a Python sandbox". In it, McKellar mentioned to us that ping runs as root, which stuck with me.
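That footnote is the one concrete security claim in this post, so here is a check a practitioner might want to run on their own machine. It is an added example, not code from the original post or from McKellar's talk. Historically ping was installed setuid root, which is the configuration the talk is describing: any bug in a setuid binary runs with root's privileges. Most current Linux distributions avoid that by attaching the CAP_NET_RAW file capability to ping instead (or by relying on the net.ipv4.ping_group_range sysctl so unprivileged users can open ICMP echo sockets). The script below reports which of those configurations your ping uses; it assumes a POSIX sh, and treats the libcap `getcap` tool as optional.

```shell
#!/bin/sh
# Added example, not code from the original post or the talk it cites.
# Reports how the ping binary on this machine acquires raw-socket privilege.
# Assumptions: POSIX sh; `getcap` (from libcap) is optional.

# is_setuid PATH: succeed if the setuid bit is set on PATH.
is_setuid() {
    [ -u "$1" ]
}

# has_file_caps PATH: succeed if getcap is available and reports a
# capability set attached to PATH (for example "cap_net_raw=ep").
has_file_caps() {
    command -v getcap >/dev/null 2>&1 || return 1
    caps=$(getcap "$1" 2>/dev/null || true)
    [ -n "$caps" ]
}

# ping_privilege_mode PATH: print exactly one of
#   missing       no file at PATH
#   setuid        setuid bit set (the classic, riskiest configuration)
#   file-caps     a file capability such as cap_net_raw is attached
#   unprivileged  neither; ping must rely on ping_group_range or will fail
ping_privilege_mode() {
    if [ ! -e "$1" ]; then
        echo missing
    elif is_setuid "$1"; then
        echo setuid
    elif has_file_caps "$1"; then
        echo file-caps
    else
        echo unprivileged
    fi
}

# When run as a script: report on the ping given as $1, or the one in PATH.
target=${1:-$(command -v ping 2>/dev/null || true)}
if [ -n "$target" ]; then
    printf '%s: %s\n' "$target" "$(ping_privilege_mode "$target")"
fi
```

Run it with no arguments to inspect the ping in your PATH, or pass a path such as /bin/ping explicitly. A result of "setuid" is worth a second look on a modern system, since the same functionality is available with the much narrower CAP_NET_RAW grant.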

Paralipsis

I'm in the process of working with a contractor to overhaul my personal and professional websites. Thus, I have been thinking about my brand (oh how I want to put distancing quotation marks around that word when it pertains to me), and breadth.

I value my ability to use this weblog to write about a broad variety of topics (and, in the writing, find out what I think) and in a variety of tones. This is at odds with the approach of many successful professional blogs, and perhaps there's an inertia here, a self-sabotaging recalcitrance to shape up and make my interface easier for my future customers to grasp. "Indie 101, do stuff that defeats your own purpose. Reflexively, routinely." as John Darnielle said.* I think I'm not. I think I'm doing this out of a kind of intuition, about habitually being and seeming like a person who will bring a multidisciplinary approach to your problem, about the relative advantage of being a bit weirder and having more odd edges to catch on in a Web of frictionless interchangeability, and about the mental benefits to me of minimizing the upfront cognitive cost of choosing which venue I use to think aloud about what.

But, in the overhaul, the contractor and I will be making it easier for people who only want to see the work-related stuff to browse and concentrate on that, particularly via resource collections on the Changeset Consulting website.

And I've been reflecting on the limits I do have in what I blog about. As early as 2002 I wrote here:

I'm not my whole self here. If you are your whole self in your weblog, if I could completely know you by just reading your weblog, then you've broken some barrier and become a Philip K. Dick character, or you have a very small life.

Talking about that necessarily seems a bit coy, but I've been meaning to write about it for years, so, here are some thoughts.

The nonrandom distribution of absence

... rhetorical devices ... in which a speaker claims something to be true while implying the opposite. Sarcasm works that way, of course, but there are subtler forms. For instance, praeteritio, also known as paralipsis: pretending one is omitting information while providing it. "I shall refrain from mentioning my opponent's lengthy criminal record...."

Several years ago, a friend of mine asked me for a bit of advice, because she was thinking of blogging something about sexism in technology, and wanted a risk assessment. How likely is it that jerks would contact her employer and suggest she be fired, or send her rape threats or death threats, or try to break into her online accounts, or find her phone number and harass her that way, or follow her around and try to argue with her at conferences, or give her a hard time via Twitter, or start overlooking her for various kinds of opportunities, or write thoughtless or hurtful comments on the inevitable Hacker News discussion, or otherwise demonstrate Lewis's Law?

I write about technology, and sometimes I write about anti-sexism initiatives. But I thought about the things I rarely or never publicly write about, because I'm afraid. Here's what I wrote, more than six years ago:

I don't write about the few really bad experiences I've had.

I don't write about the things friends and acquaintances are going through.

When I travel, I don't publicly mention what hotel I'm staying at.

I don't talk in detail about what it's like to be the only woman in the room.

I don't write about my own sex life, at all.

I don't write about figuring out what to wear, or about the trouble I fear if I explore traditional expressions of femininity.

I don't talk about my period.

I don't talk about men assuming that I went to Hacker School to learn how to program, from scratch.

I don't talk about deciding which photos of myself are too chesty to put on my site, or about not knowing whether photographers at an event really want to get a lot of shots of the only woman of color who's turned up.

(And here I stopped writing for a while, because it's wearying and sad and tedious to think about this, and because there were probably more topics that I didn't even want to mention in the list.)

@hashoctothorpe started a #whatitslike hashtag on Twitter.

It's like deciding how far to stick my neck out, all the time, every second, never not making that decision #whatsitlike

"Like being the emotional grownup in the room." #whatsitlike

Like watching my friends and role models be terrorized and being unable to help. #whatsitlike

"Like my friend and i were talking and you interrupted to ask that" #whatsitlike

My friend -- the one who'd asked for advice -- thought about it for a while, and changed all her passwords, and posted the piece she'd written.

But some don't. "Ghost works are all the works that never get made in the first place, or are made but not released".

A bit later, Leigh Alexander wrote:

One of my colleagues just wrote me she's frustrated about all the conversations we're not having. We all are, I think, migrated against our will to interminable residencies in a politicized minefield, where even talk amongst ourselves is scrutinized.... We are not free to debate and to disagree lest we be set against one another.

And that resonated with me, because we're missing people in our public discourse; our conversations are poorer because some of us are more afraid to speak our truths, and that difference is not randomly distributed.

Sometimes the most urgent thing to hear, the lifeline, is "you are not alone." But the consequences of sharing are hard to assess ahead of time. And I'm not just talking about harassment. Sometimes the legal ground shifts under your feet; in the US, if the Affordable Care Act disintegrates, then it will have been more unsafe to talk about health stuff online.

Or the technology changes, so the ground shifts from opaque to transparent under our feet, and archaeology turns trivial. What is public? Or: what is secret, or private, or public, and does that middle category exist anymore?

I think that’s what Twitter is all about, and permits: it’s sort of magically translated the informal register of text messages into the public space, and for public figures, allowed them to get away with throwaway comments far more than before.

I don't know how well Danny O'Brien's 2009 assessment there held up. Perhaps as more people learned to use Twitter search it got less true.

Then, mostly separately, there's the "brand" stuff.

Limited-purpose public figure

me, preparing to have my photo taken at an open technology event, on a rooftop in Queens in 2013

Am I a public figure?

Courtney Milan wrote, regarding a legal controversy in 2014:

...if you inject yourself into an issue of public concern, you may be a limited purpose public figure -- that is, someone for whom the standards differ....

...And the standard for defamation actions for limited purpose public figures is substantially different than for private citizens.

I don't know whether I am a limited purpose public figure, legally, for any controversies at the moment. But the phrase strikes me. It's an evocative phrase, sounding more sophisticated than "brand" or "platform". They get at different things.

A brand is a way to carve a shelf into your brain, at a particular junction of ideas and feelings, so that a picture of me can sit there. But a too-narrow shelf is a pigeonhole. What do we avoid sharing, not because it is uncharitable or misleading or overly revealing, but because the more different things I say the less you know where to shelve me? How many ghost works un-exist for these reasons? Ryn Daniels wrote: "More and more of the time, I end up not posting something I was considering. The bigger my 'brand' gets, the bigger the boundary I have to maintain between it and my self."

The contractor interviewed a few of my friends, colleagues, clients, and peers in the free and open source software world to help understand what they see in my business and in my personal blog. They determined that the indie informality and voice of my personal site helps establish my credibility especially among free and open source folks, and that we can have the personal site and the Changeset Consulting (business) site reinforce each other, so that the Changeset site does the job of establishing my serious professional face to potential clients (i.e., mostly companies) yet benefits from my personal writing too.

This feels like a reasonable path forward. A brand is a public tool for a limited purpose; the business site will be pointed, drawing the reader through a few specific paths. And the personal site will be more browseable, but still diffuse, more of a kaleidoscope where decades of my facets shimmer and reflect off each other. Still not everything, of course; I'm still not a Philip K. Dick character. But enough rich variety to retain the capacity to surprise you, and, just as importantly, myself.

* about 3:00 to 3:15 in the "Leaving Home" track in this 2007 concert recording.

2021 April

7 entries this month.


You can hire me through Changeset Consulting.

Creative Commons License
This work by Sumana Harihareswara is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.
Permissions beyond the scope of this license may be available by emailing the author at