PyDev of the Week: Paul Kehrer

This week we welcome Paul Kehrer (@reaperhulk) as our PyDev of the Week! Paul is a core developer of the cryptography package. He is also the maintainer of pyOpenSSL, bcrypt, and PyNaCl. You can get a feel for what he’s up to over on Github. Paul also has a fun blog that is worth checking out. Let’s take a few moments to get to know our fellow Pythonista better!

Can you tell us a little about yourself (hobbies, education, etc):

My name is Paul Kehrer, but many people probably only know me by my handle reaperhulk (it’s an anagram of my name). I have a degree in physics but learned to program on the side in college and stumbled into a security job directly out of school. I travel often (much of my time is spent in Asia these days), I love kiteboarding (typically in Aruba or Maui), and I also like to bake.

Why did you start using Python?

Sadly I don’t have a story about how I discovered the amazing community that is Python. At a previous job I had been doing a lot of Ruby work, but I took a new job in early 2013 and the company that hired me (Rackspace) wanted me to contribute to a security project written in Python. It was a relatively easy transition, although the two communities have wildly different opinions about the advisability of meta-programming!

What other programming languages do you know and which is your favorite?

I’ve written PHP, Basic, Objective-C, Ruby, C, Go, and probably others at various points in my career. I currently write in Python, C, and Go on a regular basis. I don’t think I have a favorite language because no language is perfect. I admire some of the tooling in Go (single binary, gofmt) but vendoring is not great. Python’s packaging story has been bad for a long time, but the heroic efforts of the PyPA are really starting to pay off at this point and we can hope that eventually reasonable distribution to end users will be possible.

What projects are you working on now?

Well I’m a maintainer on every Python Cryptographic Authority project, which, in addition to cryptography itself includes pyOpenSSL, bcrypt, and PyNaCl. My primary open source focus, however, is on cryptography. It is both the most rewarding and most complex of all the projects I participate in (from both a cryptographic and packaging standpoint).

Outside of that I am one of the creators of Frinkiac (and Morbotron, Master of All Science, and Capital Beat). Those projects take an increasing amount of time as we expand our supported shows and add features!

Which Python libraries are your favorite (core or 3rd party)?

I think Python developers might be legally required to mention requests here, but additionally I’ll mention pytest (which cryptography uses extremely heavily), cffi (the One True Way to call C ABI from Python), and magic-wormhole (Brian Warner’s fantastic cryptographically secure file sharing utility).

How did you get started with the cryptography project?

When I first started programming in Python I quickly discovered that the state of cryptographic libraries in Python left much to be desired. My boss put me in touch with some other people inside Rackspace who were interested in building a new library and had already started putting together a skeleton (along with several others from outside of Rackspace). From there I just started submitting PRs! It’s been just over 4 years since I started (here’s my first PR! https://github.com/pyca/cryptography/pull/48) and in that time we’ve gone from completely unknown to over 5 million downloads per month from PyPI.

What kinds of challenges have you faced working in open source?

I see two big issues day to day. One is the sustainability of open source projects. Businesses frequently derive enormous economic benefit from open source packages, but they do not contribute back in proportion with the advantage they derive from it. This is problematic because the vast, vast majority of open source projects are done in people’s spare time and burnout is a large issue. Even PyCA, which has some business backing (some of my time every week is dedicated to open source work and we have a large budget for our massive continuous integration setup), has only 2-4 people contributing across the entire organization. In the case of cryptography there are only two active maintainers, despite its immense popularity.

Second, parts of the open source community can be extremely toxic. I see this most often in the form of people angry about a bug or feature that is missing. This sort of entitlement is extremely discouraging to maintainers and should be avoided at all costs. Fortunately, the PyCA projects have mostly not seen this sort of behavior, but it’s hardly unusual elsewhere. Please, when something takes longer than you think it should, remember that open source maintainers are people with lives and jobs and any number of reasons why they may not do what you want/need immediately. If you want it to happen faster, get involved! Or just thank them for all the time and effort they spend to make your life easier.

Do you have any advice for new developers that would like to join an open source project?

There are many ways to get involved in a project. One of the best is to just sit down and spend a lot of time improving the documentation for a project you want to work on. Not only will the maintainers love it, it’s a great way to learn more about the API such that when you want to add a feature you can understand the philosophy behind the project.

Another avenue is to join the conversation in their mailing list, IRC channel, slack, issue tracker, etc. Lurking for a bit and learning what they’re working on and what they’re interested in solving can make it much easier for you to offer to help. Remember that saying “Hey can I help?” is great, but it does require the maintainer to spend significant effort to determine your skill level, commitment, and come up with work for you. If you say “Hey I’d like to help with and here’s my proposal based on ” that’s much easier!

That said, don’t feel like you need to be an expert on a project before you can say anything. Expressing interest and staying communicative when the maintainers explain things is a perfectly good first step.

Is there anything else you’d like to say?

You should definitely go to https://frinkiac.com, https://morbotron.com, https://masterofallscience.com, and https://capitalbeat.us and tell all your friends to do it too 😉

Also, if you’re an open source maintainer did you know that PyPI writes useful statistics to a publicly available BigQuery? You can make all sorts of maintenance decisions with actual data! More info here if you’re interested: https://langui.sh/2016/12/09/data-driven-decisions/

Thanks for doing the interview!