Below are my notes from day one of PyCon Australia in Hobart.
Nick Coghlan: Python packaging
- setuptools 0.8 and pip 1.4 have many good things and will be ready very soon
- lots of work has been done to improve the speed of installations from PyPI
- a new package metadata spec is coming that will make things faster and will help platform-specific packaging
Jacob Kaplan-Moss: OWASP vulnerabilities
- overview of each of the 2013 top 10 OWASP vulnerabilities, and how they happen
- if your docs say “You must exercise care…” (MongoDB) your approach is wrong
- use mature, battle-hardened tools provided by the framework instead of rolling your own
- django-secure is a tool to check for common security mistakes in Django projects
- the problem of outdated dependencies containing vulnerabilities is not solved at all [except that the serious Linux distros have already solved it]
Nathan Faggian: Cython and Numba
- accurate image segmentation is hard, but even naive algorithms are really slow in Python
- Cython is Python-like but with type annotations, and is compiled to C
- it lets you opt out of safety features (bounds checking, …)
- it includes tight integration with NumPy for extra efficiency
- Numba is an opt-in JIT for ordinary Python code which can produce code rivalling the type-annotated Cython code
- GrowCut is a promising image segmentation algorithm with high accuracy but some limitations
Roger Barnes: performance of a web request
- page load times (“end-user response times”) are important because they affect user experience, search engine rankings, and sales
- assets often contribute much more to loading delays than the base HTML page
- some tools for measuring client-side page performance: browser tools/extensions, webpagetest.org, proposed W3C standard “Navigation Timing”
- Django Debug Toolbar gives useful measurements for the Django request
- django-extensions has a tool to run a Django development server with profiling enabled
- many general and Django-specific tips for improving response time
- is it worth streaming templated responses back to the client?
- the application could even cheat and send the page header (with CSS references) before it begins rendering the response
Ryan Kelly: testing for failures
- you're confident your application works, but does it fail gracefully when overloaded or when its environment falls apart?
- FunkLoad can simulate production-like load
- Marteau is a front-end for automating and orchestrating FunkLoad runs
- Vaurien can simulate TCP-level failure modes, and also protocol-level misbehaviour
- loads is a Mozilla load testing tool to address some shortcomings of FunkLoad
Erik van Zijst: limiting execution time
- code whose runtime is not constant will eventually blow up in production, given a large enough input or a hostile enough environment
- it's not always possible or desirable to make everything run in constant time: for example, diffstats and comment linkification on Bitbucket
- interruptingcow can be used to enforce time limits on arbitrary Python code, including sharing a time quota across multiple timed blocks
- django-timelimit applies interruptingcow to Django template rendering
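The shared time quota idea from the interruptingcow point, as an added example that is not code from the talk, from interruptingcow or from django-timelimit: a small SIGALRM-based timeout whose budget is drawn down by every block that uses it, so a request that linkifies many comments stays bounded even when one input is pathological. `Quota`, `timeout`, `linkify_comments` and `slow_linkify` are hypothetical names chosen here, and the slow path is a constructed stand-in for non-constant-time work.

```python
import signal
import time
from contextlib import contextmanager


class TimeoutExceeded(Exception):
    """Raised inside a timed block when the shared budget runs out."""


class Quota:
    """Wall-clock budget shared by several timed blocks (hypothetical helper)."""

    def __init__(self, seconds):
        self.remaining = float(seconds)


@contextmanager
def timeout(quota):
    """Run the enclosed block under `quota`; raise TimeoutExceeded on overrun.

    Uses SIGALRM via setitimer, so it only works in the main thread on Unix.
    """
    if quota.remaining <= 0:
        raise TimeoutExceeded("quota already exhausted")

    def on_alarm(signum, frame):
        raise TimeoutExceeded("time limit exceeded")

    previous = signal.signal(signal.SIGALRM, on_alarm)
    started = time.monotonic()
    signal.setitimer(signal.ITIMER_REAL, quota.remaining)
    try:
        yield
    finally:
        signal.setitimer(signal.ITIMER_REAL, 0)  # cancel any pending alarm
        signal.signal(signal.SIGALRM, previous)
        quota.remaining -= time.monotonic() - started  # charge the shared budget


def slow_linkify(text):
    # Constructed stand-in: a comment containing "slow" takes far longer,
    # the way a hostile input can make a non-constant-time routine crawl.
    time.sleep(1.0 if "slow" in text else 0.01)
    return text.replace("http://", "<a>http://")


def linkify_comments(comments, budget_seconds):
    """Linkify a list of comments under one shared budget; return (processed, skipped)."""
    quota = Quota(budget_seconds)
    processed, skipped = [], []
    for text in comments:
        try:
            with timeout(quota):
                processed.append(slow_linkify(text))
        except TimeoutExceeded:
            skipped.append(text)  # degrade: skip this comment, keep the request alive
    return processed, skipped
```

Once the pathological comment burns the budget, the remaining comments are skipped immediately rather than each getting a fresh limit, which is the property a per-request quota gives over independent per-block timeouts.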