Transcript: Boost Your Django DX - Adam Johnson

00:00.0

Hi, welcome to another episode of Django Chat, a fortnightly podcast on the Django web framework.

00:10.2

I'm Carlton Gibson, joined as ever by Will Vinson. Hello, Will.

00:13.3

Hi, Carlton.

00:14.2

Hello, Will. Happy New Year as well.

00:16.9

And today we've got Adam Johnson back with us, who's, you know, you know who Adam Johnson is,

00:22.4

but he's a Django Technical Board member, Django author.

00:25.4

So you've all got speed up your Django tests.

00:28.1

And coming up soon is improve your Django developer experience, which we're going to talk about today, and various other things.

00:34.8

Adam, thank you for coming on the show again.

00:36.8

Thank you very much.

00:37.5

And Happy New Year to you both.

00:39.8

Happy New Year to you, sir.

00:41.5

Carlton, you missed one.

00:42.4

Adam just won the Malcolm Frederick Memorial Prize.

00:45.1

Yes, he did.

00:45.8

Which is well-deserved.

00:47.6

I voted for you.

00:48.5

And I would just say the two top vote-getters are the two of you this year.

00:53.4

so it was a very very easy choice um for the board no thank you that's good congratulations

00:59.2

very well deserved thank you yeah well done adam like um you do you're massive you're doing posts

01:05.9

all the time you're putting out packages after packages after packages you're always there on

01:10.5

the mailing list you know giving people the the welcome pointers so super thank you very much

01:16.8

i'm honored to receive the prize and it came in uh the worst year of my life so it's a nice end

01:23.2

helped me a lot.

01:25.3

We have lots to talk about.

01:26.6

I think there's going to be a lot of the two of you

01:29.1

talking, but I would love to tee up the Django

01:31.0

Technical Board. Maybe we could tell

01:33.2

folks what that is and what they do since

01:35.0

Adam, you're on it, and that's quite a

01:37.1

big deal. It's also a relatively new thing

01:38.9

and how that works

01:41.2

with the Django codebase for new releases since

01:43.1

4.0 came out just a couple weeks

01:45.2

ago.

01:46.7

Sure. So the Technical Board is

01:49.2

five members voted

01:51.0

in for each release cycle.

01:53.2

And where the buck stops with decisions on whether things go into Django or not.

02:00.7

Like quite often, like features are clearly like a good idea.

02:04.4

So it's okay for a few people to suggest it and the fellows to go and review.

02:09.4

But for larger scale changes or contentious changes, a technical board vote would be held and we'd need a consensus whether or not something would be added.

02:20.6

Yeah, so if it was an easy decision, it would not reach the board.

02:24.5

In the same way for a community, that's what the Django Software Foundation handles, non-technical things.

02:29.5

But the DSF has no sway over the technical board decisions by design.

02:34.2

Yeah, exactly.

02:35.4

Actually, I should know.

02:36.4

Does that go to the long-term releases, or is that the number releases?

02:39.3

It's every number release.

02:40.3

Like the 2-2 to 3-2, or is it?

02:41.4

So I've been on the technical board since 2-2, and voted in each time since.

02:49.6

There's like maybe eight or nine people who've stood over that time.

02:55.5

So most people who are standing are getting elected at least once.

03:00.3

It's just kind of cycling between a few people, I think.

03:04.3

It's kind of interesting that because, I mean, one comment was made on the Django Software Foundation DSF members list that the elections hasn't been particularly diverse and that it's all, you know, it's all white men still.

03:19.6

And part of that, I think, is because we still have a quite narrow experience contributor base.

03:26.4

Like the qualification for the technical boards, you have to be involved in the day-to-day running.

03:31.1

I mean, you don't have to have been there forever, but you do have to be active on the discussion list and things like this.

03:38.5

And we still don't have a very broad contributor base there.

03:41.9

So, you know, there's not necessarily a wider pool to draw from, which is something we, you know, we kind of think about.

03:49.2

It's definitely something that would be nice to correct.

03:51.8

It's very hard because you have to have been contributing for years

03:55.2

before you're really eligible to be on the technical board.

03:58.3

You have to have some deep knowledge of various parts.

04:01.7

And of course that's correct, right?

04:05.2

There's a tension.

04:06.4

It's chicken and egg.

04:07.7

Yeah.

04:09.4

Well, the DSF doesn't have that requirement.

04:12.3

So, you know, you don't even have to be an individual member

04:17.8

to be voted on, though it is voted on by the individual members. So you do need to be known

04:22.6

in the community. And all those things are true. I think one thing I found this past year,

04:29.5

I think it's basically for the first time since I've been on the board, this is my third year,

04:33.3

we had basically all the same people reelected. And diversity is nice. I mean, I'm not planning

04:39.2

to stay indefinitely, but it is easier logistically to have the same people because

04:44.0

certainly for two years terms because you kind of know how to do things whereas initially that first

04:49.8

couple months people are ramping up so when we my first year there was or my second year there was

04:55.0

like half the board was new and so a lot of time was spent kind of getting people up to speed so

04:59.6

anyways internal baseball but maybe longer term there is something i think to multi-year terms

05:04.7

just to kind of avoid the ramp up and ramp down but at the same time a recycling of voices is

05:11.1

healthy as well absolutely i'm not i'm not sure about this can is it it's not so there's janga

05:17.9

release every eight months it's it's every is it every major release cycle now so it's every

05:23.8

eight months or every two and a half years for the technical board i thought it was every eight

05:28.1

months right because it was two two i was voted in on and now i was in the four zero yeah yeah

05:35.6

it's kind of talking to maris about this do we need a new election or it's a ceremony that goes

05:40.4

pass very quickly doesn't it yeah well eight months is too quick i think you know um well i

05:48.1

think you know that the dsf board a year is if it's if i had total control i think is too quick

05:53.5

too i think there's something to you know perhaps a you know three out of three two or two two three

05:59.0

year term just to avoid the nuisance because it does take up quite a bit of time um anyways

06:05.0

something for all of us to discuss with our our bodies so we should give a couple of examples of

06:11.6

things the technical board done so it not quite often we discuss on the mailing list and we just

06:17.1

come to a consensus right and it's it's but there are a few issues so one that has been really

06:22.5

important for um was a discussion about typing because there was no consensus at all and um

06:31.3

you know there was a dep and there was massive discussion on the mailing list and there was a

06:36.1

you know maybe even been draft pr i don't know um but you know maris and i just aren't in the

06:42.2

position where we can go oh yeah we decided to merge this or we decided to close this so we

06:46.6

asked the technical board for that and you were involved in that discussion then yes that was a

06:50.8

big one and we came to the conclusion that uh jagger wouldn't add type hints at the time and

06:56.7

that was like a couple years ago at this point and obviously typing has moved forwards as many

07:03.2

of us have gained a bit more experience and so it would be nice to reapproach that decision

07:09.7

at some point yeah and yeah i guess the second point is who's going to do the work because it's

07:16.4

it would be a lot of work to add the type hints into django yeah i mean so you've been blogging

07:20.7

loads and loads about um you know types um so would it be fair to say that you know you'd be

07:27.3

you'd be keen now to think again about adding those yeah i think i i'd probably be in favor

07:34.0

but we'd probably have to come to a decision that we'd only officially support my pi or

07:39.8

um something like that because you will need a plug-in for a type checker to tell it

07:45.2

you know when you make a django model the field definitions map onto these types

07:49.9

okay um i mean my one thing that i've i kind of been flirting around is around the widget api

07:56.8

because you know there's lots of there's lots of areas there where it's like what do i get

08:01.2

what exactly do i get out of value for data dict here and you know i could really i could really

08:06.4

appreciate some typing there but my kind of thought is oh i wonder if we could do this just

08:11.3

in say the widgets file you know just in one kind of module where it's it's at the kind of leaf you

08:17.6

know that the widgets don't really impinge on anything else they're not impinged by anything

08:21.1

else could we type those and that might be a sort of progressive way of doing it i don't know yeah

08:26.0

progressive would be would be how i'd like to see it happen anyway um yeah all these leaf modules

08:31.1

like all the things in django utils um they'd be perfect candidates to be in with but we'd need to

08:39.4

discuss is there value in adding just a small amount of type hints initially or is that going

08:44.1

to make it harder for people because then they're going to have oh we're trying to use the tight

08:49.2

pins but everything else is showing up as any and causing us headaches yeah some research is

08:55.5

definitely required yeah okay interesting interesting something else technical i'd love to

09:00.9

mention um so as i went to bed last night i saw there was a there's a new security release and

09:06.1

this morning i see in the notes adam you've done up a whole blog post on it which is insane so i

09:12.5

wonder if we could briefly talk about that and that's a chance to mention that you're also

09:15.5

on the security team of Django which is a separate group for a few months now and

09:19.6

oh only a few months I think Colton invited me in September something like that oh wow well

09:28.1

I just assumed you were part of it the last couple years look let me give a bit of background let me

09:33.1

just give a bit of background there and um so there's a I don't know about 10 members some of

09:38.1

the older contributors that have been around.

09:41.1

And, you know, they're super knowledgeable,

09:42.8

but not necessarily involved in Django day-to-day anymore.

09:46.3

And, you know, there's a few people

09:50.1

who are still very active,

09:51.2

like Marcus Holtzman and Florian Apollina.

09:56.1

But we were finding that, you know,

09:57.6

it was me and Marius and maybe Marcus

09:59.3

and maybe Florian commenting.

10:00.5

And we just needed some more people

10:02.6

who were sort of directly involved,

10:05.1

kind of very regularly.

10:07.7

And so amongst the security team,

10:10.6

we talked about it with Adam and Nick Pope came up

10:13.1

and so we invited both of them and they came in

10:15.0

and they've been super helpful and active

10:17.4

because we get a lot, not a lot of reports.

10:19.1

How many reports would you say we get, Adam, in you?

10:21.3

I'd say the average is one every two weeks.

10:23.5

That's really actionable.

10:25.8

Would you say that's about it?

10:27.1

Yeah, I mean, it's not a lot,

10:30.3

but they all need dealing with, they all need looking at.

10:32.9

And it's not easy.

10:34.4

It's really not easy.

10:35.7

You know, I mean, I'm not a security expert.

10:40.4

And a thing comes in and it's like, I don't know, is this?

10:43.7

And without the security team, there's no way I could handle those issues.

10:48.5

Yeah, okay, some of them, it's easy.

10:50.6

No, that's not a problem.

10:51.5

Some of them, oh, yeah, that clearly is.

10:53.1

But then there's this vast area of that's a really difficult question.

10:58.2

I think I really like seeing how everyone, like, filled in the holes of knowledge and ideas in solving these issues.

11:05.7

And yeah, because we'd have a lot of back and forth before even our pull request is open and to be like, oh, we could do this, we could do that.

11:13.9

And yeah, so there were there were three fixes in today's release, right?

11:21.0

Yeah.

11:21.3

Shall we run through them quickly?

11:23.3

OK, so the first one was a denial of service possibility in user attribute similarity validator.

11:30.4

Now, that's a mouthful, isn't it?

11:32.9

That's a password validator that checks that the password given isn't too similar to a user's other attributes, like their email address.

11:43.5

So they're not just recycling their email address or adding a one and exclamation mark at the end for their password.

11:51.2

Yeah, who does that?

11:54.1

I think quite a lot of people.

11:55.6

That's exactly what I do.

11:57.7

Yeah. So it's active by default when you do start projects. But who was it that reported that one?

12:07.0

Chris Bailey reported that if you submit a very large password, then it has kind of n squared or

12:13.9

exponential runtime. I'm not sure which. You have to submit like a very large password, like 100,000

12:19.7

characters, but then that can lead to many seconds of processing on an average server.

12:26.6

you know submitting a hundred thousand

12:28.3

letter A's over gzip is not much of a request body for the client to send, but then it can result in

12:35.4

in many seconds of processing so it becomes like a denial of service vector.

12:39.5

Someone submitting loads of these requests could cause your server just to hang up.

12:45.0

So the fix that I came up with along with Florian, Carlton and Marius is to

12:52.7

avoid checking the similarity if password if the password is like so much longer than the

12:59.6

attribute value that it's not going to be regarded as similar anyway so how do you come to that

13:04.9

conclusion right i mean are you like who do is you didn't did you come up with that or is that

13:09.2

something that other security researchers have used as a best practice um we had to come up with

13:13.7

this one i don't think there's much groundwork for using this kind of algorithm right now um

13:19.2

yeah i mean i mean this was quite an interesting example because adam had an idea to just well you

13:26.0

know if we would take it like if it's if it's a plural you know a multiple sufficient multiple

13:32.0

cut it off and then there was various back and forth and different approaches it was really nice

13:36.3

this adam's point about like everyone throwing in their ideas was that there were two or three

13:40.6

different takes and it's like yeah actually this one's quite sweet and it's a nice ratio that

13:44.8

this is a realistic cutoff at different scales of input and yeah and whatnot cool and then there's

13:52.0

two more just okay we'll go through them a little quicker because i'm a bit less familiar yeah

13:56.5

um the second one was with the dict sort template filter this is one that i've not seen used but it

14:01.8

takes a list of dictionaries and then sorts them by a key or perhaps an attribute um and uh security

14:09.9

researcher at SonaSource, Dennis Brinkroff, submitted us a report that you can use it to

14:16.1

access arbitrary attributes and inside of a string, you can access the characters of the

14:23.0

string one by one. So if a user managed to submit which order to sort your list of dictionaries by,

14:29.0

they could sort them by character zero, then character one, then character two,

14:32.9

and see the sort order changing. And then they could infer the value of that attribute. And if

14:37.5

that value was like security sensitive like a password or api key they can kind of infer okay

14:42.9

this this user appeared at the top of the list so their password starts with a and then when i

14:48.3

sort by character two they're in the middle of the list so that's probably something around l

14:53.1

and then i can kind of combine that with other info to get a statistical guess at what their

14:58.4

what their secret value is yeah i like you phrased it in your blog post a good example of don't

15:03.5

Repeat yourself causing problems.

15:05.7

Yeah, because the problem came from the filter reused the Django variable class.

15:11.4

Probably over time, variable gained more abilities.

15:14.8

And then that has led to the ability to index characters in a string and do the sorting.

15:21.6

Whereas it was never advertised for doing that, and probably no one needs that.

15:25.4

Well, I think that the more common example of this, right, is with URLs,

15:29.4

where why you would use a UUID.

15:32.0

So instead of going user slash one or, right, because as you said, it could apply to bank

15:35.9

records or something important.

15:37.0

You don't want someone to infer the order or the number.

15:40.2

And then number three, I can read it.

15:41.5

So there's a potential directory traversal via storage.save class, which, so that's a

15:48.2

file storage API thing.

15:49.6

Yeah.

15:50.0

So when you're uploading a file.

15:51.5

Well, I think it's just, it's interesting to talk about this because, you know, I think

15:54.2

like many, I see the reports that come out and I'm just like, yeah, it sounds good to

15:58.2

me and unless it's something i directly have don't get a chance to fully dive into it or even know

16:03.8

the process behind it so yeah and these these file driver these file directory traversal ones

16:09.4

there's been several of those over the throughout the you know the upload handlers and then and you

16:13.9

know blah blah blah and there was a number and this is kind of like the last one and you'd have

16:18.5

to use the storage directly which kind of nobody does so it's already been bulletproofed around

16:22.9

the outside but the idea would be that you know you go from the media file the media directory

16:29.6

where you're meant to be saving it to somewhere else on the file system which you know you're

16:34.5

not supposed to have access now you know if you do everything right that can't you know that's

16:38.9

already ruled out by various other bits in django but you know this is the sort of last bolt down

16:44.0

on that area um there might be a bit of a rewrite coming in the future who knows saying it's the

16:48.9

last possible directory traversal bug is very brave carton well no in that little bit it's the

16:55.1

last possible one in that that cluster of you know that that cluster of upload handlers and files and

17:01.7

we because we've gone over them no doubt that we won next week i think there's been like sufficient

17:06.5

eyeballs on it now um it's pretty pretty good this was again by um dennis brinkroff and sonosource so

17:13.6

i guess they were running some kind of scanner or just deciding to audit open source projects so

17:18.5

yeah they found it that was cool well something else just to shed light on all the things you do

17:23.9

adam just prs to django itself so 4.0 came out i guess carlton this was in your your week notes

17:29.6

thing where i saw where um i don't think it was on the release notes where you listed all the

17:34.0

active contributors and adam you were one of the largest ones we'll link to that it's not in the

17:39.7

release notes right i don't think the formal no no not yet i know that's no so i've so so one so

17:46.2

what I've got for 4.0 is a breakdown of new contributors of people who like I've called

17:51.6

them on a roll people contributed in the last in 3.2 as well and then people who didn't contribute

17:56.0

in 3.2 but had previously and could put those in the category welcome back and what I want to do

18:00.3

is write that up and then put that somewhere either on my site or on jangaproject.com if we

18:05.1

can find a suitable place for it and then keep that rolling for 4.1 and as we go forward that

18:11.2

would have happened already if it weren't for you know 2020 or the usual excuses um

18:17.1

but that that's coming and the idea there is just to have a bit of fun calling out contributors and

18:22.9

you know particularly for new contributors you make a contribution if can we find a way of just

18:27.8

flagging up and you know i it was it was on my list to get done for the end of the year and that

18:33.4

just didn't happen so okay over the next month or so i'll pull it up and you know finish finish

18:38.4

that off and have that going forward but that that the idea there is to do something to call

18:42.9

out contributors a little more than we have you know um you know i don't know it should it's just

18:50.9

a bit of fun it's just i think it's important though i think it's important to highlight those

18:54.5

things you know i think it's important because of exactly this problem of diversity we've already

18:58.8

talked about just just now like it's all right if you're sort of economically privileged and

19:03.6

you can contribute loads of time to open source and you can spend the time to get a contributor

19:09.2

record and you know but if a lot of people they need some recognition for it you know so I've made

19:15.1

one contribution did that did that pay back to me well no it didn't because it just disappeared into

19:20.1

the void whereas if we can put it on a website somewhere and then they can point to it it adds

19:24.5

a little you know for for someone getting into tech it adds a a validation point that might help

19:29.7

and get a job and then oh you know i can contribute you know i can continue we need to to to do things

19:35.5

to smooth the pathway there or we're never going to change the situation we're in it's always going

19:39.6

to be a slow break we're not going to you know instantly have a super diverse contributor base

19:43.4

but if we don't do these things we're never going to have that contributor base well part of it adam

19:48.2

i mean because even just your commit your um commits to django there's a wide range of how

19:53.8

how big they are right like i think you tweeted there was one a template like it's like a one

19:58.0

line thing with you and marius you know and then you have you know signal receiver function stuff

20:03.2

you know so there's i think it's great that you highlight that because that's something where it

20:07.5

seems small but like that's exactly a onboarding way versus going into like a core piece of django

20:12.2

and thinking that's what it takes to do a pr right yeah this this one line change i just was reading

20:17.6

the docs i found that there's a class that exists but the setting that you'd put that class in

20:23.1

didn't document it it said here's the list of built-in and listed two of the three so it's

20:27.4

just adding the third one on that list and and i think there are like a number of these small

20:33.0

things out there you might spot when reading the docs and it's great to just go make that change

20:38.9

and so it helps everyone else in the future yeah it's also i wanted to ask you i mean i know you're

20:44.2

a consultant and so you poke around a lot of code bases like how do you find so many things i mean

20:49.0

because i guess i'm just not using django to the full bore the way you are but i mean the range of

20:54.9

PRs, you have SQLite, signals, templates. I mean, is it client work? Is it a docs mismatch? Or is

21:01.8

there any pattern there? Because you find so many. Yeah, I guess I just end up going through a bunch

21:07.5

of different stuff, trying to solve people's problems they bring to me. I also enjoy reading

21:13.9

the code. And I'll sometimes take that as first reference, even skipping the docs when I'm like,

21:19.0

oh what's that method on on the storage for example i have django open in a sublime text

21:24.9

window all the time um yeah i guess the third thing is i'm always just uh finding it fun and

21:32.7

expanding my knowledge and my curiosity by diving into things i'm not really not not really looked

21:39.4

at before so like sqlite i was just interested in sqlite a bit more because they came out with

21:45.4

That new release, SQLite has strict tables now.

21:48.6

I was like, oh, I wonder how good Django's SQLite support really is

21:52.8

and could you get that strict thing in there?

21:55.1

And when I was reading the database back end,

21:57.5

I came up with that optimization PR.

21:59.9

I was like, oh, this seems fun.

22:01.6

I could do it.

22:02.4

I love that.

22:03.8

And Nick Pope was very good at reviewing and helping me out there.

22:08.3

So while we're talking about the ORM and contributing,

22:12.0

So you're, you're one of my sort of go-to ORM knowledgeable people, you know, that I can flag up on a PR. Hey, Adam, can you look at this? You know, obviously you did all the work on Django MySQL and, you know, you've been contributing there for a long time. One of the questions we always have from prospective new contributors is how do I get going contributing to the ORM? So can I put that question to you? What might you, what would be your kind of initial thoughts if somebody's coming, you know, somebody wants to get involved and they want to get involved in the ORM specifically?

22:41.1

That's a hard one, isn't it?

22:44.5

I think the problem with the ORM is that it does 99.9% of all the queries people need.

22:52.2

But most developers probably only know how to write 99% of those.

22:57.0

So there's this kind of ton of extra features that are hard to discover.

23:01.3

And some people might be tempted to just try and help, but it's already there in some way.

23:08.6

Yeah, I don't know if there's an easy path into the ORM.

23:12.1

I know there's like a James Bennett three-hour talk at a DjangoCon that is like a deep dive into the ORM.

23:19.8

And it's a few years ago, but the fundamentals won't have changed.

23:23.4

If you can sit through that, you're definitely going to be a good ORM contributor.

23:27.4

I've tried three times.

23:29.4

I still really want to.

23:30.8

It's no slag on him.

23:32.0

It's just it gets deep fast.

23:34.2

Yeah.

23:35.8

Yeah.

23:37.0

Yeah, it's a bit of a trial by five.

23:39.2

Maybe that's a new year's resolution for me.

23:42.8

Okay, cut one slightly different angle then.

23:46.2

You said there are lots of features that are kind of hard to discover.

23:49.2

So, like, you know, do you think there's a bit of a doc shortage in terms of learning more advanced SQL features or SQL features

24:01.1

and how to use them with the orm like annotations and aggregations and then the expressions api and

24:07.3

you know all those you know output field types and blah blah all that all that stuff which is

24:13.1

it's documented but there's no real easy learning path for that i would think yeah definitely um

24:21.0

one one thing i i've liked and tried to promote a bit is check constraints i've done a number of

24:26.1

posts on that if you read the check constraint docs in django they are like purely a reference

24:31.0

they're not going to explain to you what a check constraint really is and how it's defined on the

24:36.8

database um and we don't really have like a topic guide there so if someone was looking for a topic

24:42.9

guide that'd be to contribute that'd be a good place to start and perhaps that's a good first

24:48.0

contribution um it's like in migrations we have the reference for all the different operations and um

24:56.5

the topic guide of how to do X in migrations

25:00.6

is actually where you can learn how to really use that stuff.

25:06.0

Like, that has a few topics now, but could definitely

25:08.8

be expanded to, like, how do you add an index concurrently?

25:11.9

Like, we have that now for Postgres

25:15.3

in Django Contra Postgres, but there's definitely not

25:17.2

a topic guide.

25:17.8

Like, here's what you should be doing to use it.

25:21.2

So there's all these features, but, yeah.

25:23.1

MARK MANDELMAN- Carlton, it

25:24.0

seems I have a lot of questions.

25:25.4

don't want to overrun you do you no no okay i wanted to ask so so your new book um was it boost

25:31.8

your django developer experience is that that's the title yep you've used your django dx or

25:37.6

developer experience so you've um i've seen you i don't know if it's on twitter your blog post

25:42.0

mentioned like book driven development because so could you talk a bit about that because you've

25:46.6

put out i mean we have a long list in the notes so many projects posts um but as you've been

25:52.0

writing the book so i'm really interested in that and if you could expand on that topic yeah

25:56.2

absolutely so the the book is um just trying to describe and like categorize all the tools

26:03.0

that aren't django itself but like live around it that can really help you like accelerate your

26:08.5

development and and i guess book-driven development is where i start writing a section i'm like okay

26:14.2

i think i know the best way that i've seen to do this and i get halfway i'm like actually you know

26:20.0

that i'm just describing some snippets that you could copy paste instead it would be better if

26:24.8

there was a package out there that would would combine all this for you um so like a good example

26:30.5

there is a django rich a package i just created to integrate will mcgougan's rich that does nice

26:36.7

terminal output with django and currently it only provides like a new management command

26:43.3

yes calvin is there a is there a test runner coming for that because a while ago there was a

26:49.1

a PR to get colored output into the Django test runner,

26:52.5

and it didn't make it because of maintainability concerns,

26:55.1

but perhaps a third-party package wrapping rich as a test runner,

26:59.8

that'd be a nice thing to see.

27:01.6

It would be a nice thing to see.

27:03.1

I did briefly look into it and was like,

27:05.9

maybe the package could do this,

27:07.6

but a unit test is really the blocker there

27:09.7

because you've got to override this class and that class,

27:12.8

Django's test results and its debug results

27:15.8

inherit from the text results.

27:17.7

There's like a chain of like four classes that refer to each other in subclass and it would be a pain.

27:24.5

Okay, interesting.

27:25.8

I think maybe an approach would be if there was a unit tests extension package that used rich, then Django could inherit off that.

27:33.8

Okay.

27:34.4

If it was there.

27:35.5

The rich package only provides a management command that gives you the way to wrap Django's output with rich and then turn it off if you're piping to another terminal command.

27:46.6

And what about this Django browser reload?

27:48.8

I mean, that was one that I know came out and I guess asking the two of you, is that

27:54.2

a future core Django thing or are there just clear limitations on that?

27:58.8

Because that's pretty helpful.

28:00.1

Sure.

28:00.7

Briefly, Django browser reload is a tool that you install and then in development, whenever

28:06.1

you hit save on a template or save on a Python file that causes the server to restart or

28:11.6

a static asset changes, then it will hit reload on the browser for you automatically.

28:16.6

It does this with a different approach to what I've seen before, in that it sets up a very small JavaScript-based listener in the browser that's listening for a stream of events from a Django view that captures them.

28:31.1

And then that JavaScript worker, it hits reload on the most recently opened tab that you have for your development server.

28:38.8

So if you've opened five of them, it's only going to reload one.

28:41.7

I was inspired to do this because I was writing about DX.

28:44.3

I knew that this is a big problem.

28:46.8

People have this in JavaScript.

28:48.7

They have even the hot replacement where the page doesn't reload.

28:52.1

It just swaps in one section.

28:54.3

But there's not really been something I've seen in Django that works amazingly.

28:58.2

I came across one package, I think, for FastAPI,

29:02.2

and this was using Selenium to control it.

29:04.1

I was like, there's got to be a simpler way.

29:06.2

I don't want to force everyone to install Selenium

29:08.5

and use a Selenium development browser to do this.

29:13.6

there's got to be a way in javascript and yeah it didn't take long to fumble through the javascript

29:19.2

apis and come up with something very basic that's great no that's really interesting that

29:23.0

that is a common problem and that's an elegant approach which i guess time will tell but

29:29.0

i don't know why it wouldn't work it would be cool to have it in cool that that's the

29:34.4

interesting question is what makes it in what doesn't and you know i mean uh yeah i i would

29:40.3

like to know in what situations it doesn't work before we really go ahead and consider it it's

29:46.4

the sort of thing that's suitably useful that there's a case to be made right well i suppose

29:50.8

i mean there's almost i don't know if it's a conflict of interest but if it's your own package

29:55.8

and you're on the technical board and the security team it's not really on you to propose that it be

30:01.4

integrated but i guess when it's a third-party package you know people can use it on their own

30:06.1

and if there are issues they'll come to the fore so so many times we have like um the the standard

30:13.0

argument the standard line the standard approach is can we get this feature into janga well can

30:17.5

you put it into a third-party package and can we see how that goes for you know and quite a long

30:24.1

time i mean you know janga rest framework is 15 years 10 years out there you know it's it can live

30:31.4

a third-party package forever um and so what's the case for bringing it in you know that's

30:36.8

you know jammer t-bug toolbar that would be a you know candidate but that's never going to get

30:40.9

merged into core um you know these kind of hyper useful pack third-party packages they will they

30:47.4

can just stay as third-party packages i don't know it's but we can't just go right new feature

30:54.0

bam can we can i ask some more about about the book i mean sort of you've i think you put well

30:58.3

I've had a chance to look at it, as has Carlton, but topics covered.

31:02.7

Because this is your second book, you also have your Speed Up Your Django Tests,

31:05.7

and the book will be released a couple of days after this comes out.

31:09.9

So we'll have a link.

31:11.9

Can they still pre-order it up until the release?

31:14.3

You can pre-order it right up until the hour it's released.

31:17.4

It will be released at 12 noon GMT.

31:20.4

That's the same as UTC right now, on the 10th of January.

31:25.1

Okay, well, this will come out.

31:26.1

We're recording on the 4th.

31:27.3

It will come out on the 5th.

31:28.3

So we'll have a big prominent link to that.

31:31.1

But anyways, yeah, to the book.

31:32.1

So what was, you know, because I find the question is always what not to include, right?

31:35.7

Because the first draft is like, let me just dump everything in.

31:38.2

And then it's like, what to strip out.

31:39.6

And then it's like, okay, and is this actually what I want to say?

31:42.2

As you were, you know, with these areas, you start to give it a beginner's look with some experience.

31:48.0

And then sometimes you come up with different approaches.

31:51.1

Yeah, so I tried running one chapter for each kind of like broad area of the development of a Django application.

31:59.1

So it starts off with like looking at docs and then how you make virtual environments and manage dependencies.

32:05.7

And it goes on to other things like later it's things that are actually in your code, like your settings and models and migrations.

32:15.3

So, yeah, it's about everything that's like alongside the actual writing of Django code.

32:20.9

There's not much like, here's how to build an X in Django,

32:23.8

but it's here's how to make it faster for you to build X in Django.

32:29.0

So faster and more bug-free.

32:32.1

You're very right about cutting things.

32:33.9

There's so many things that are actually involved in the process.

32:37.4

One thing that's helped me a lot is I've added a dropped file in the repo

32:41.7

with all the topics that I've dropped in bullet point.

32:44.4

That could have been like a whole chapter on Git,

32:46.9

a whole chapter on GitHub, a whole chapter on text editing.

32:50.6

Yeah, I have all these ghost chapters too.

32:52.4

Yeah, I have to ignore it.

32:53.7

Well, yeah, it's a combination of, yeah, it's like, oh, this is hard or like the deadline.

32:58.0

And you're like, yeah, if it's important, I'll, I mean, I had a whole huge thing on logging for my professionals book.

33:03.8

And I'd still like to put it in there, but I was also like, I just got to ship it.

33:10.6

Logging could be its own book.

33:11.8

Well, right.

33:12.4

Similarly, like I, in this book, I say, hey, you could go install MyPi.

33:16.9

and then it's like i can't cover type hints here there's no real way of even starting so

33:21.9

here's just some links to resources i mean there's a question because you did this whole series of

33:27.5

posts on on typing i did wonder if that was kind of you know drop blogging the first draft of there

33:32.9

was going to be a typing book come out of that but i've considered i i wrote those um for my

33:39.4

own education as well as to like help push typing a bit because it should be possible i think to like

33:46.8

search how do i do type hints for this python feature and find a reasonable explanation so i

33:54.2

just try to cover many of these spaces and i think a book would just be like a bundle of these posts

33:58.5

that you could go read like a typing cookbook maybe that's the title well i love that you're

34:07.6

doing these you know not just advanced but um related to django but not django itself

34:13.4

approach. I feel like that's maybe an approach I should have done, because I struggle more with

34:19.7

my more advanced books than the beginner one. Because the beginner one, I feel a little more

34:23.5

confident saying, I don't need to dive into everything. Just sort of trust me on this,

34:29.3

or here's how you can go deeper. But the more advanced ones, it's still kind of the same thing,

34:34.3

but it's harder to do. I feel a little worse about waving my hands, or maybe I'm just not as

34:38.6

clear on it and i'd have to say you know okay here's three ways to do it i like this one but

34:46.0

i don't feel the same level of confidence on that as i would on the beginner thing where it's like

34:49.8

we're just gonna backfill a little bit here um sorry so i'm incredibly impressed that you're i

34:55.8

mean of course you have the background to write these books but i feel in some ways they're harder

34:59.4

to write but but taking a more from the side you know not just doing like the most badass

35:06.2

Django project ever approach like that's that's a recipe for failure that's like building a Django

35:09.7

puzzle which is what I have in my professionals book so don't do that well I'm trying to fill in

35:15.2

the gaps of of what what materials out there um it's very easy to say to someone hey go set up

35:22.0

pre-commit and then like the pre-commit docs don't say here's how to do pre-commit on a python project

35:27.1

with flaky iso and black and whereas that that's that's what most people want that's what Django

35:33.6

does um and yeah there could be some opinion um i do respect your book's will and i think the fact

35:41.5

that you're a bit uh uncertain about what's going into the professional's book is just an indication

35:46.1

of it being senior right at senior you have to make trade-offs yeah yeah it all it all depends

35:51.7

that'll be my my fourth book right carlton we'll just we'll list all the unknowables i um

35:58.0

i think your point about pre-commit is a good one like because you go to the pre-commit docs

36:03.9

you're like okay it take it can take all day to get it set up properly whereas you can you give

36:09.1

the recipe look here bam this is how you get pre-commit going in your django problem your

36:14.2

django project quickly so one thing i wanted to ask you about because you seem to manage so many

36:18.7

open source projects and um part of that surely it must be tell me is that you've got this tooling

36:25.9

kind of lined up to automate the repetitive parts of managing a package is that right

36:33.2

absolutely um i use a tool called my repos um which i guess is a bit it's a bit weird because

36:41.0

it's written in pearl and it's not always so easy to use um but it it lets you like run many run

36:48.7

commands in multiple directories and it's a git aware so it has like a status command if you need

36:54.5

that. So I kind of treat all my open source packages as one large repo with like some

37:02.2

variability in each of them if necessary, but as little as possible. So if there's a new Python

37:08.3

version, what I'll do is actually write a script that will make the appropriate changes in the

37:14.1

files using SD, that's a Rust-based replacement for sed. And so I just run my repos and run that

37:23.8

script and do the

37:24.8

and all those files so as long as everything stays relatively uniform i can do i can upgrade

37:32.0

you know 33 packages i think it is now in the same time that many people could do one or two

37:37.9

so it's like boost your github dx yeah i guess

37:42.6

that's it that's a great question i was wondering the same thing i'm i'm trying to like nuke open

37:50.0

source repositories i have because i just can't deal with maintaining them and and so i i love

37:55.1

seeing that you're going the other way um i mean your output honestly it just makes me tired but

37:59.8

i think i'm just tired of little kids but i'm just like oh my god like every you know because

38:03.8

your weekly posts which people should sign up for it's like a couple packages couple blog posts

38:08.2

couple core commits you know plus everything else i do it's awesome it's it's honestly it

38:16.0

It gives me energy, though, to see that you can be so prolific with this stuff.

38:19.1

I'm glad to hear, yeah.

38:20.0

I just wanted to ask you about one more package, which is Django Upgrade.

38:23.2

Can you tell us a little bit about that?

38:24.4

Oh, yeah, yeah, yeah.

38:27.4

That's very exciting.

38:28.2

Yeah.

38:28.6

Okay, yeah.

38:29.3

That's worth mentioning.

38:31.9

So I wrote this between August and September.

38:36.0

It's a code rewriter that will upgrade your Django syntax,

38:42.1

and it knows about some changes as far back as 1.10.

38:46.0

um because they were there um bruno alla wrote a version of this before called django code mod

38:56.2

and this used um instagram's libcst which is their concrete syntax tree library

39:03.1

and there are a couple problems with that underlying library though first it's like

39:08.8

incredibly slow because it's a python parser written in python and it also like turns features

39:14.7

on and off depending upon python versions so it's like got all these branches um and and then the

39:21.3

second would be that they don't really update it for new python versions instagram is still running

39:25.6

their own fork of 3.8 as i understand so there's 3.9 and 3.10 syntax that's just not supported

39:31.3

um so the end result is that django code mod is like okay for most people but it's not something

39:38.4

you can add in the way that i like it which is you know it runs through on your pre-commit hook

39:43.4

so you never can commit old syntax it will just get rewritten when you try

39:48.9

so Django Upgraders is like a rewrite of Django CodeMod but it's using the same approach that

39:56.1

a tool called PyUpgrade uses and PyUpgrade just uses the built-in Python syntax tree and tokenizer

40:03.8

to figure out what changes to make Django Upgrade does the same thing so if you're running it on

40:09.3

python 310 it automatically supports all the features in 310 because the python standard

40:13.3

library will support that little play with that ast stuff it's it's quite sort of in depth it

40:20.3

takes it's quite slow going i would i'd say it was very entertaining to learn a bit more about it

40:29.7

and and especially the especially the going back from the ast to the tokens because when you're at

40:38.5

token level you're basically manipulating like this thing all we know about it is it looks like

40:43.9

a name we don't know what it relates to in this in the actual source tree is it a variable name or a

40:48.9

class name and assignment so yeah you're fiddling around with those tokens it's quite fun okay so i

40:55.7

have i have great hopes for django upgrade in that one of the big not problems one of the great

41:02.1

strengths of django is the stability um policy for the the api stability policy then we don't

41:06.8

break stuff unless you know there's a good reason to do so and i was asking on twitter today after

41:12.2

i was like you know because i was releasing 2.2 um as well as 3.2 and 4.0 and i was like who's

41:17.9

still on 2.2 like well you know because i don't use the lts myself um and i tweeted out and it's

41:24.5

a you know agency a couple of big agencies so dab apps um jamie replied and then um tobias from

41:30.1

cactus replied um saying you know well we use it because our clients it's very hard to justify the

41:35.8

eight monthly upgrade whereas a two yearly upgrade we can we can do that and um other other replies

41:42.9

were like look it's stability we use the lts for stability um and one of the big challenges is oh

41:49.9

we want to deprecate this um but people won't be able to upgrade and you know which you know when

41:56.4

we changed i don't know to using um you had to import the view rather than just use the string

42:00.8

view name i think you know actually we lost instagram over that change you know they weren't

42:05.1

prepared to go through and so they fork Django and you know they're forever on a fork Django

42:09.9

now rather than on mainstream Django and maybe they'd have gone anyway but could we avoid that

42:16.0

and well one one hope of avoiding that kind of breaking change is automatic script so when we

42:20.9

do introduce a deprecation there's also a matching script that will go through your code base and

42:26.2

correctly update it is that is that is that a pipe dream too far or is that is that realistic hope

42:35.7

that we might have well i definitely share this hope um instead is one thing to like deprecate

42:41.8

and add a warning and then that warning just shows up inside in your test suite it's like

42:45.6

here's a thousand things to go change that's no fun um so yeah there's definitely a place for this

42:54.6

um i'd be excited to see it going forwards i couldn't spot anything in 4.0 that can actually

43:01.2

be automatically rewritten um without huge amounts of effort so definitely a balancing act

43:09.7

there's plenty of changes in 4.0 that we can't automate with it so here's a tester for you for

43:16.6

4.1 like um we brought in them the uh zone info time zone changes for django 4.0 and there's this

43:23.6

django.utils.timezone.utc constant which is just uh you know it we should get rid of that ideally

43:31.3

but that's everywhere and so is it worth the check we could just leave it there forever

43:35.8

but if we are going to get rid of it we need to get rid of it for you know before 5.0 because it

43:40.3

needs to go at the same time as pi tz so you know could we could we could we use pi upgrade to

43:47.8

to make a deprecate that remove it but be make removing it you know just run a script that would

43:55.8

be a cool thing that that one's definitely easy to change from the ast's perspective because you

44:01.1

can see it being imported and you can be like okay what do we replace it with and i guess we

44:05.5

just replace it with the the one in python's datetime module right yeah so exactly that it's

44:10.9

just replace it with datetime datetime.ugc but like it would be it would be nice because my only

44:16.5

reticence about removing it is that it's everywhere you know everywhere in the ecosystem people have

44:21.7

been using that so if there was a scripts that came along with with django 5.0 that said hey

44:27.2

you've got to remove this but just run this and it's done that would be an amazing um you know

44:32.9

proof of concept of of that this is the future of upgrading django because

44:37.4

stability right that's that's the usb yep definitely and there's there's a good argument

44:46.3

to remove it right because it looks like it's a different thing and once it's just an alias for

44:51.1

python's one all you've got is like the potential for confusion yeah so why are we keeping it we're

44:56.4

keeping it to avoid the churn but that that churn can that that confusion can stay there forever

45:02.1

and tutorials and people's code-based snippets that get copy-pasted and oh i should be using

45:07.7

django's one oh it's exactly the same it's just an alias yeah yeah exactly okay one one thing i

45:14.5

found in django upgrade is some historical changes where there were aliases for python

45:20.2

building functions that have been rewritten um and they weren't ever documented but when they

45:27.4

were removed i found the old commits and people were debating should we really be doing this

45:31.1

yeah okay yeah we're definitely better off that we did now so okay interesting so we should push

45:38.2

that for 5.0 then it's been decided here on the podcast it's a quorum yeah so the book's coming

45:47.0

out at least for me there's always it's like it's not like a downer after something comes out but

45:52.3

there's sort of like a loss of purpose at the same time there's there's like a oh thank god like

45:56.4

i can worry about something else so long term what else do you do you know what you know to

46:01.9

work on projects books like pie in the sky um things you have planned around django um well

46:08.6

i've i've taken a break from client work since july last year so i'll be getting back into that

46:14.2

and no doubt diving through people's code bases i'll spot some new things that i'm interested in

46:19.8

in changing yeah um for the book uh my next writing project will be to go update the speed

46:26.4

up your django test one for 4.0 yeah i got you on 4.0 you got me on 3.2 but i got you on 4.0

46:32.2

for one of my books i'm still still waiting on the other one but yeah when i pushed that

46:39.5

well i double checked i was like i beat adam in something

46:43.8

congrats it's not a it's not a big change it's not a big change it's a pretty small change

46:51.1

or at least i i think i think for yours as well right it's not i don't think

46:55.5

try to remember i i'm lucky that my books aren't like go run exactly these things and it will

47:01.8

definitely work for you they're more like hey this is something that could work oh my god it's you

47:07.1

know it's it's like it's it's a test of something because i you know get emails they're like there's

47:12.1

an error and i'm like are you using the right code are you did you pin your repositories like

47:15.7

you know i have 99.9 sure you're making a mistake but i just like sometimes i have to just like

47:22.2

wait a couple days and be like you sure you want to check you know um so it's good and bad it's

47:26.4

like i'm pretty sure i'm right on this um because i've put it in this little box um but anyways

47:33.9

yeah yeah you don't have those it's a little i envy the like yeah like you could do this like

47:38.3

it might work for you um so when i go through my updates yeah yeah like i literally i've thought

47:45.1

of running a script to like check everything but i also for now manually go through everything

47:49.8

um as much for like the text part because i you know i just kind of whinge when i read

47:54.7

old things i've written and i'm like oh i could rephrase that or improve it so it's like a forced

47:59.9

update mechanism i don't know if that's what you do if you go through and read the text or you

48:04.3

you probably have a test suite you can run and just see what's broken uh you think too much for

48:08.4

me i i definitely go through and read things um in in speed up your django tests at least because

48:15.9

some features were still under development i sign posted hey you know django 4.0 you'll be able to

48:20.7

do this so there would just be a matter of updating it and checking that what i wrote there is still

48:25.2

applicable yeah i do that too yeah i try to say i think this is coming um but i mean also i think

48:32.2

You know, it's good to have some distance from it, right?

48:35.2

I mean, eight months is hard, which this is the first, last year was the first time I missed an update cycle.

48:39.4

But it's almost too close because you sort of need some distance.

48:44.3

And yeah, and things change to like revisit the same stuff.

48:47.6

Anyways, yeah, that makes sense.

48:49.0

I wish you well on the update challenge.

48:51.2

It's like a band playing their greatest hits is how I look at it.

48:54.0

You know, it's like some for me, like new stuff, and then some for everyone else, which is updating things I've already written.

48:59.2

Greatest hits, I like that analogy.

49:02.1

yeah it's like you know if nobody cared i wouldn't do it so anyways not to make this

49:07.2

about writing books carlton i know you love those discussions it's just i i like them

49:11.8

because they remind me not to do it anyways we should um we should wrap up okay let's wrap up

49:20.7

there adam thank you so much for coming on um good job with the book launch everybody remember

49:25.5

you can pre-order until the 10th um boost your django dx 10 discount well there you are um thanks

49:32.9

for coming on and thanks for everything you do to the django for the django community and well done

49:37.1

again on the mancom dredelic ward couldn't think of someone who deserves it more thank you very

49:41.3

much for having me all right everyone we will are back on our every two weeks schedule with new

49:45.9

episodes on django chat.com and chat django on twitter and we'll see you all next time bye bye