Transcript: Django Security - Markus Holtermann

00:00.0

Hi, and welcome to another episode of Django Chat, a weekly podcast on the Django web framework.

00:10.3

I'm Carlton Gibson, joined as ever by Will Vincent.

00:12.3

Hello, Will.

00:13.1

Hi, Carlton.

00:15.3

Hi, Will.

00:16.3

And with us this week, we've got Marcus Holderman, who's a member of the Django Technical Board

00:20.8

and on the Django security team and on the Django Ops team.

00:25.0

He's just a stalwart of the community.

00:27.7

Hello, Marcus.

00:28.5

Hi, Carlton.

00:29.1

i will hi everybody hello thanks for coming on marcus so i guess look let's kick off look what

00:35.6

how how perhaps you could tell us a little bit about yourself marcus like how did you get into

00:39.7

program how did you find django you know how long you've been with the community these kind of you

00:43.6

know i've been writing code for oh two decades now i'm not even sure it's been it's been quite a

00:50.8

well um and then got into django um 2010 ish um as part of the german ubuntu users.de community

01:02.0

that's a django project that started even before the days of django 1.0 or something it's like

01:09.0

9 0.90 or something like the very very early stages of django that's when that project was

01:15.4

started and it's a support forum for the german-speaking ubuntu community and yeah features

01:23.1

a bulletin board and news articles and planets and all these kinds of things is that still going

01:29.1

it's still going it's still maintained by a few folks on all it's unfortunately not open source

01:37.2

it's a kind of a thing that we since ever talk about yes we want to make this open source

01:45.4

But because it has so much legacy, it's also one of the things where there's a lot of technical depth in there that the folks who work on it these days want to get out of it before they actually open source it.

01:59.3

Were you going to say cruft?

02:00.9

Is that the word that was coming to mind?

02:02.3

Yeah, probably.

02:07.3

Maybe that's the kinder of the words that start with CR.

02:10.6

Yes, exactly.

02:11.6

but that's it that's that's just any old code base right any or like so that's that's what um

02:18.3

10 years old 15 years old coming you know that's an old code base yes it's i think they started

02:24.7

writing that and i wasn't on the original team but they started writing that 2006 i believe

02:30.8

i believe and it's one of the it's a project where then as a side effect like workzeug flask ginger

02:38.9

two other projects

02:41.1

came out of.

02:45.1

It's kind of in the

02:46.9

early stages of the Python

02:49.2

web part, but I guess

02:51.2

the Django-ish

02:53.1

style web

02:55.1

development part. Yeah, that's kind of cool.

02:57.7

And that got you into Django?

02:59.1

And that eventually got me into Django.

03:01.2

And yeah, there's

03:02.6

Apollo 13 is on that team as

03:05.2

well. Back in the day

03:07.3

was under the theme as well and then he

03:09.2

eventually kind of like always

03:10.7

pushed me a bit to maybe contribute to

03:13.2

Django because at that point he was a

03:15.4

core contributor as well

03:16.5

and yeah that eventually

03:19.1

got me into

03:19.8

contributing to Django after

03:23.3

Andrew Godwin

03:24.8

merged his migration patch

03:26.7

in 2014

03:29.0

I believe, 13, 14, 14

03:31.0

1.7 right? 1.7

03:33.3

exactly and

03:35.0

yeah then

03:36.3

our contributed

03:38.7

bug fixes there

03:40.6

every other day or so

03:42.8

because you're

03:44.5

like so when tickets come in

03:46.5

on the migrations I always wince a little bit

03:48.3

because they're quite hard and I'm always

03:50.5

quite glad if Marcus comments or you know

03:52.6

a couple of other people but Marcus is one of my core

03:54.6

you know

03:55.7

go-to people on the migrations framework

03:58.6

yeah maybe still

04:00.8

I unfortunately

04:02.1

didn't have the time for the last few years to actually

04:04.7

do a lot of things on the migration

04:07.2

framework.

04:09.6

But it seems

04:11.3

there's a bunch of other contributors these days

04:13.3

that actually have picked up

04:15.2

behind me and behind Andrew

04:17.1

and others that contributed on a

04:19.3

regular basis and, like, squash

04:21.1

all these bugs these days.

04:23.7

Yeah. So,

04:25.0

go on, Will.

04:27.1

I was going to say, I'm going to put a link

04:29.2

to all the various teams on the

04:31.1

Django Project

04:31.7

um site because i think you have the record for being on like all of them right so there's and

04:38.7

again and this is also in flux you're on the ops team you're i guess you're not technically a

04:43.4

releaser you're on the security team you're on the technical board though not the advisory board

04:48.9

so i guess you're and then you're on the technical team so you're missing two but all the other

04:53.2

boards and then that all is in kind of flux because now there's the new yeah technical so

04:59.8

perhaps um what is the future going to look like in terms of the organization right because like

05:04.0

the term django core even yes tossed around what do you make of all this for a casual listener so

05:10.2

how should they understand so about a month ago or something beginning first quarter first half

05:17.7

of march or something um we passed the django enhancement proposal number 10 which essentially

05:25.0

states that we want to

05:27.4

change how Django

05:29.1

is being developed or

05:31.2

how the Django community

05:33.3

works and how

05:35.2

decisions are made and

05:36.9

who has

05:38.4

I don't want to say the right to do something

05:41.3

but who can

05:43.1

eventually if there's a

05:45.2

discussion that doesn't come to a solution

05:47.5

where people can't agree on

05:49.3

one of two things

05:51.6

who can make the eventual

05:53.4

or final decision to go

05:55.2

okay let's go with this way

05:56.8

or another one

05:58.3

and

05:59.8

yeah I guess that's

06:02.9

one of the things that's

06:04.4

been around where we've

06:07.4

been trying to do that for quite a while

06:09.2

but never really got

06:11.4

around that now

06:12.2

James Bennett finally managed to

06:15.3

actually write down the step

06:16.8

and

06:17.7

well at that point the Django

06:21.2

Core team

06:21.7

voted on that

06:23.8

and it was accepted

06:25.8

with quite a large number

06:27.6

of votes

06:29.6

and yeah so then the

06:31.7

future of the Django project is gonna

06:33.6

look different

06:35.2

I guess

06:36.6

we're trying to open up the

06:39.7

decision making processes

06:41.6

and make those more

06:43.8

visible

06:44.1

yeah because the other piece was

06:47.8

the so DepTan

06:49.8

And then the core voted on it.

06:51.9

And then the Django Software Foundation board, which I'm on, most recent meeting, we approved it.

06:57.8

So going forward, I think the idea is that there'll be the technical board and then the one I'm on, which is sort of the non-technical things as kind of the arbiters of disputes or decisions that arise.

07:11.6

Because the next step is an election that Frank Wiles, who's the president, is going to be configuring, setting up the election.

07:19.8

of technical board members yes um frankly i'm not entirely sure about the exact process

07:26.2

from the uh from the top of my head because it's a fairly lengthy document but yeah we need to yeah

07:32.3

well i mean i'm i'm privy to uh it is a long document um and james has spent a ton of work

07:39.1

on it basically the reason why uh frank is going to take that on is because we don't want someone

07:44.4

on the technical board to be in charge of the forum for voting but it's just going to be a

07:48.9

google form with the proper permissions yeah and seems like that will be a good idea happening

07:54.6

so but i think part but part of that is as you were saying is public versus private discussion

07:59.7

right because that's sort of a big thing about so what are some examples of why that matters

08:05.0

for the django community i think it's it's django is an open source project and we should

08:09.3

be able to make decisions in a public forum and and make it visible to anybody who wants to

08:16.1

contribute to understand the reasoning of how the people who made a decision came to that decision

08:23.1

and seems to be just in the nature of how to do those things and that making those decisions in

08:31.1

public seems to be the right choice i think the other part as well is that the term django core

08:35.6

is something that you get and you never lose even if you're not as active i mean because for example

08:41.3

you're incredibly active and there are members who have the title who are not as active so i

08:45.9

believe one of the intents is to i think that's going to be a legacy thing that can be bestowed

08:50.7

but but to have the technical team reflect the current active members as opposed to people who

08:55.5

were maybe more active in the past well the the um the term django core or rather django

09:02.9

commit or django core team member has been or is a term for somebody who had been given commit

09:09.3

access in the past and it was always kind of a yeah once you have it you don't lose it unless

09:17.4

you mess up like big time but i don't think anybody ever did or you hand it or give it up

09:23.9

by yourself um but then these even yeah as you said if you then don't actively participate in

09:34.7

the whole development of that then you still seem to be on this list of people who aren't in there

09:39.1

and you can still take credit for that position.

09:42.9

And sure, when you have contributed in the past

09:44.7

a significant amount of work,

09:46.3

and that was usually the thing

09:47.5

that kind of led somebody to become a core member,

09:51.6

then using that position

09:55.8

or using that title that you had in the past

09:57.7

kind of made sense and seems fine to me.

10:02.9

But over the last years,

10:05.4

it's been clear that there's not really this big thing in Django

10:11.2

that somebody could do to become a core committer or core member.

10:17.3

And the things that in the past indicated somebody becoming commit access

10:23.0

are just not really there anymore.

10:26.4

So finding a way to become a core committer

10:29.3

wasn't just something that still existed.

10:32.6

There wasn't a route to become one.

10:34.9

So, dropping this whole concept and acknowledging people who had this position in the past, but then essentially dropping this whole position seemed kind of like a better or good way forward.

10:48.6

Well, part of that is that, because the term core was around before there were Django Fellows, because Tim Graham and now Carlton and Marius, in terms of releases, at least, they do much of that work for the community.

11:02.3

Yes.

11:03.0

So that's part of the...

11:04.4

Exactly.

11:04.8

So in the past, with commit access, you were able to commit to the GitHub repository directly.

11:14.5

And some people, a small number, I think like three of three people,

11:22.3

had release access, which meant they had the possibility

11:26.7

to put packages in PyPI.

11:30.7

And with the new change of the DEP-10,

11:35.8

this also changed in a way that you don't need to be,

11:41.3

We will have a merger role, which is the people who have commit access to the Django repository.

11:48.1

And we have a releaser role, which are the people who have access to PyPI and can put packages on PyPI.

11:55.2

People can be in both, but they don't have to be.

11:59.4

So if you, for example, don't have the time to constantly review or time to merge patches,

12:08.7

and specifically review is not necessarily up to the mergers they should yeah they should be doing

12:16.2

like a senate like a check on style and and so on and do a like general review on the pr that

12:25.2

it makes that whatever is committed or whatever they commit makes sense but um the discussion

12:31.7

if the approach is taken in a pr should be taken by the community and by people who are going to

12:38.2

be involved in this in this change yeah because you could imagine like you know a number of people

12:45.1

reviewing the pr and then the merger is just the person who clicks the button at the end it's it's

12:49.5

kind of the yeah you know i always describe the fellow role as like the janitors and that's kind

12:56.0

of what we do is we just you know just keep it tidy i mean we do do reviewing and all that yeah

13:01.2

i mean you do more than just being the janitor um you do far more than just being the janitor

13:07.0

for the Django project but yeah it seems to be a significant role to to what you're doing well

13:13.2

and I think part of this in general is the reason why that like for me on the on the board and you

13:19.2

and the technical board why we spend time on this is because it's an open source project basically

13:24.1

everyone's a volunteer and we wanted the system to be in place so people can contribute but not

13:29.1

one person has access to everything for example and so when people do leave there's a process as

13:35.0

you said for new people to come in to be a handoff of of knowledge and power i mean even for example

13:41.1

so we added github sponsors to uh to the jenga repo and that's something i worked a lot on

13:48.9

so i have access to part of the jenga repo but i couldn't fill out the form so i had to get

13:54.8

marius who's the fellow because he has you know more access so these layers of permission

13:58.7

are important just in case yeah you know you don't want someone to have the keys to everything

14:03.2

and you want to have a bit of structure, but not so much that it's prohibitive to get anything done.

14:09.3

is how i think about this is i mean the things particularly with access to like pi pi you know

14:14.5

that's that's sensitive right you you can't you can't have a package being uploaded as django to

14:22.6

pi pi if it isn't django yes there's too many people depend on it being django for for that

14:29.3

to happen exactly there's opening up the whole thing um opening up the whole contribution process

14:37.0

to Django and allowing more or less arbitrary people to be voted on

14:44.5

to be mergers or releases comes with a side note that with a perspective

14:52.2

and me taking this with a perspective of a more security conscious person

14:59.3

right now, comes with the problem that we need to trust that person

15:04.1

to not put in some backdoor or whatever in that release package

15:10.0

that somebody needs to inspect and find.

15:15.5

And so, yeah, the selection process or the voting process

15:22.1

on who becomes them will be open according to the things

15:27.2

that are stated in the DAP.

15:29.9

But it's definitely also going to be something where the community

15:34.1

needs to look out for that not some random malicious person is going to like hijack django

15:42.4

because that's not going to be a good uh but i was i was reading the the depth the yesterday or

15:50.6

day before some for some reason i needed to refresh my memory on it but um the the the

15:56.2

qualification to be on so the technical board have to um uh okay the nomination of mergers and

16:03.5

releases for these important roles but to be a candidate for the technical board so the technical

16:08.0

board will be elected by the dsf members so already to be in the dsf you have to be known

16:12.7

by the community right anyone can join but you have to be known by the community well you can

16:17.1

you have to you have to be nominated and then approved by the yeah but then to be a candidate

16:22.6

for the i think you can self-nominate but there's and actually i'm linking i wrote a blog post just

16:28.6

recently about what the board actually does there's i think 180 or so individual members

16:33.5

so sorry continue carlton but that's like the first step of yeah but like the to be a tech so

16:38.2

but not anyone can be on the technical board you have to have a show like a recent like within the

16:44.6

last couple of years a shown um history of contributing and reviewing prs or working on

16:50.2

track or the you know github or being being in the group so to to be a candidate for the technical

16:56.9

board is actually quite tough it's it's not like any any person who isn't known to the community

17:03.1

and known to be a contributor could could even stand for the technical board i think so i think

17:07.9

the term the wording in the depth is is actually very um conscious of the debt of the possible

17:14.3

dangers if it were more open so i'm quite relaxed about it in that yeah it definitely

17:18.6

james definitely put a lot of thought into that part and and the other people who contributed in

17:25.1

the in the writing of the dab i mean james did a major part of that but as again the discussion

17:31.5

on the depth was uh held in public on the on the depth itself on the pr and it was over a year in

17:39.6

discussion right it was it took a long time i don't even know it's taking quite a while

17:45.3

but that's cool so maybe we can talk about some of these hats that you wear because i i hope that

17:51.0

there's more of an understanding of the you know the many many roles that you you play in the

17:56.0

community so let's pick security team so you and carlton are both in the security team and i think

18:01.0

what's the process for a normal security release and then there was that the github sql injection

18:07.3

injection one recently which i believe you did the commit for that you you all turned around in two

18:12.3

days a month or two ago um right right so that it was first discovered on github so what's the

18:20.4

normal process and then i thought that that one was particularly impressive where maybe it was

18:23.8

three days but the it was discovered the commit was done and it was released yeah and so the usual

18:31.5

i thought that was cool thank you um um the usual process for security thing is usually that

18:40.4

well somebody reports either on hacker one on a security mailing list or security reporting list

18:46.6

security at jangleproject.com

18:48.6

reports a security issue

18:51.0

or a suspected security issue

18:52.8

rather be conscious and

18:54.4

think this might be an issue

18:56.5

report it and then we go actually that's not

18:59.2

but we'd much rather have

19:01.2

that than somebody just

19:02.4

putting something into the open

19:05.0

like oh shit this is something

19:06.8

that we should have

19:07.8

fixed now

19:09.5

so you usually report something in a private way

19:12.7

and then people on the security team

19:15.1

are going to review that

19:16.0

um is it an issue is it like do we need to fix it like now now or do we have time to to rethink the

19:25.2

whole approach we have there um we then usually talk to the reporter and try to figure out who's

19:33.1

going to write the patch who's going to review the patch like we try we love for reporters to

19:38.4

also contribute to patch and then the people on the security team reviewing it but if they feel

19:44.5

like yeah now it's i don't really feel like writing the patch then somebody on the team

19:49.0

is going to write the pageant we then hand out the patch or the proposed patch to the reporter

19:54.8

and ask them to apply that and see that this actually fixes their bug in their well probably

20:01.4

production environment that they have there um this maybe goes back and forth once we are done

20:08.2

with that, we pre-notify a set of organizations, companies, of an upcoming security release.

20:20.0

We also pre-notify on the Django announce mailing list that there will be a security

20:25.5

release with a given date and time.

20:29.1

And then at that point, well, usually Carlton or Marius are going to commit the patches

20:36.1

to the Django repository and issue the corresponding releases

20:40.5

and announce the release.

20:43.7

Now, yeah, go ahead.

20:46.4

I was just going to say about that commit,

20:48.4

because it's like potentially sensitive,

20:51.1

and on that morning of the release, and so we've got a time,

20:53.7

and it's like we've got the patches ready,

20:55.1

and they say we're going to have to, you know,

20:57.1

we just dropped 1.11 from extended support,

21:01.6

but at the time we were supporting Django 1.11, Django 2.2,

21:05.4

Django 3.0 and you have to merge those patches onto onto the branches and then within a short

21:11.9

period get the release out and the announcement out because once you've merged them those patches

21:16.9

are public and so that it's kind of like you have to get all the pieces lined up and it's a little

21:22.8

bit tense you know it's it's much harder than a normal release which you can you know you take

21:27.4

your time on yeah carry on Marcus you were you were saying so we've yeah this is um I can

21:33.0

definitely understand that like issuing a security release is a whole different story just from the

21:38.8

mental uh capacity that's involved there because you can't like a usual release you can go like

21:45.5

oh yeah we broke whatever in there we're just gonna it just don't install the new version

21:52.3

like pin something to before and then like take the time to to fix this bug and or revert it and

22:00.1

issue another one but if that happens with a security release you go like oh damn well we

22:05.4

just published a security issue which we don't have a working patched version for and you go

22:11.3

like this is not ideal um so the the other issue that you brought up with the um with this with a

22:19.6

github uh sql engine and it wasn't i think it was like this it was an account hijack it was an

22:25.7

Potential account hijack.

22:28.0

Yeah, it was like the password reset.

22:29.3

Yeah, that's what it was.

22:30.3

Password reset.

22:31.4

Yeah, something like that.

22:33.4

It was like a Unicode character or something, too.

22:35.7

You could shove something in there.

22:38.1

Yes.

22:39.3

You guys actually worked on it.

22:40.6

I'm just sitting here, like, talking over you.

22:42.6

You did the work.

22:43.2

The issue was that if you get a domain with Unicode characters in,

22:46.5

which sort of lowercase comparisons to, you know,

22:49.1

with certain database backends to another domain.

22:52.8

So, you know, it could be google.com,

22:55.2

but the O's are funny Unicode characters.

22:57.9

And then it would look like it was a Google email,

23:00.2

but in fact, it wasn't a Google email.

23:03.8

Yeah, in that case, if the issue itself is known,

23:07.6

then you don't really need to treat it

23:10.8

as a sensitive or private issue anymore

23:13.4

because the moment those security issues are known

23:17.0

and possibly exploits are known,

23:20.0

a bunch of smart people are going to look through

23:22.2

all the court bases out there

23:23.4

and trying to find projects that's occurred

23:25.6

bases that are vulnerable and

23:27.3

at that point this time between

23:29.7

announcement and pre-notification

23:31.7

is just

23:33.3

well kind of wasted time

23:35.0

because we should

23:37.6

instead have that time

23:39.7

people already fixing

23:40.9

their installations. Yes normally

23:43.7

we give seven days but you can't

23:45.8

give seven days when there's a

23:47.1

exploit out in the world.

23:49.8

So yeah

23:50.1

in this case we just dropped the pre-notification

23:53.4

notification we issued the release on may pretty notified by a day yeah something like that i was

24:00.6

just going to say for carlton and i often beat the drum of keep your django version up to date

24:05.1

and even if you're using an lts you should do the minor releases the security releases for this

24:10.6

reason because otherwise you won't get yeah the security updates yeah if you're if you're on a

24:16.0

version that's in the extended support then it's definitely a you know if there's a point release

24:20.9

you definitely want that like yes there is yeah because it's either data loss or it's security

24:26.6

you want that yeah absolutely let's go down the list ops team so you and i have had some

24:32.5

i've been emailing around that maybe we don't need to discuss some of that but what does the

24:37.9

ops team do like what is the ops infrastructure of django itself so you're on there along with

24:42.3

uh florian tobias and um carlton um well we have this website and you probably have heard of it

24:50.4

django-project.com

24:51.5

and that needs to run somewhere

24:53.9

and well we also have

24:56.5

a CI

24:58.2

continuous integration that we use for

25:00.2

testing Django which is

25:02.0

run on django-ci.com

25:05.1

and

25:07.6

hands out when you run

25:08.6

websites you need some servers or something in the

25:10.5

backend that does work

25:12.5

and

25:14.5

yeah we usually kind of

25:16.7

maintain

25:17.4

the software or

25:20.2

Not necessarily software there, but the infrastructure.

25:24.5

We keep Jenkins up to date, usually.

25:28.3

When there's fixes to the Django website, we deploy them.

25:33.9

These kinds of things.

25:35.2

Yeah, well, it's, I think, another sort of unsung role in the broader community,

25:40.4

but quite a bit of work is done.

25:42.5

And so for me on the board, as the treasurer,

25:46.4

what's relevant is there's some costs involved with that.

25:49.1

so i monitor and help pay those rack space has been sort of the major contributor the last few

25:54.5

years who provides the servers they've been very generous with that so just another one of these

25:59.7

things that's happening in the background that makes django happen and um you know you marcus

26:03.9

are very involved with so i want to call that out thank you um i have a long list of things to ask

26:09.7

you about but maybe let's talk about your day job right you work at crate io which is iot scale

26:15.4

database can you tell us what all that means yeah yeah yeah iot scale database explain that that's

26:20.9

not you that's that's the headline on the website yeah uh it's the headline on the website which is

26:24.9

fine um so we built a database for the iot market um so iot is usually time time series database

26:33.9

time series data so something numbers usually or maybe some added labels to that and then a

26:42.3

timestamp and um well you want to like aggregate data from usually or in the the market we are

26:51.4

focusing on is the industrial iot so you have factories that companies have where they equip

26:58.3

their production lines with sensors or the machines in themselves are already equipped

27:03.4

and you want to do analytics on on those machines and you want to understand when something goes

27:10.5

wrong and like this whole in order to do analytics you need to store the data somewhere that and then

27:16.8

aggregate things and turns out when you have a lot of plants or manufacturing lines and machines

27:23.3

and a lot of data and a lot of numbers then you need to have a database that can cope with that

27:29.8

And yeah, with CreateDB, we have a database that's based on Lucene, scales fairly well, like pretty much almost linearly for I don't even know how many nodes, and can cope with ridiculous numbers of records and tables.

27:53.2

And yeah, it's a SQL database after all.

27:57.4

So you still write your SQL statements and it returns the records.

28:02.8

So why not Postgres?

28:03.8

Right.

28:04.8

Obviously there's a lot that Postgres can't do, which is why you work there and you have

28:07.7

this product.

28:08.7

But what is, where does, if I start a Django project that's IoT and I'm using Postgres,

28:14.8

where do I see that, oh, I need something better or bigger.

28:18.6

create like do you have a sense of where that friction comes up so one of the things with

28:24.6

postgres is that it's transactional for example like i'm not even sure if you can run postgres

28:30.1

without transactions i suppose you can't i guess you can't um you probably also don't want to

28:36.7

that's it um create db on the other hand is um eventual consistent and you have

28:44.8

kind of multi-master

28:46.9

you don't really have a master node

28:50.6

in your cluster

28:51.2

you have a single node that holds

28:53.8

at the particular set of time

28:56.6

at the current time holds

28:58.1

an information about the whole cluster

29:00.3

but that's also known to

29:02.4

every other node

29:03.5

but you can write to every node in your cluster

29:06.6

connect to every node

29:08.4

write to every node, read from every node

29:10.1

and it's

29:12.3

more or less self-balancing with the data

29:14.7

if you don't screw up your table creation.

29:18.0

And is the advantage of that, is that ingest speed?

29:23.8

You can pull in the rate at which you can ingest data

29:27.1

is just an order of magnitude higher.

29:30.3

It's orders of magnitude higher.

29:32.9

I don't even know the exact numbers

29:34.6

that we are currently looking at with some of our benchmarkings.

29:38.7

But it's, sure, you can scale your Postgres

29:42.3

ridiculously high

29:44.7

and improve a whole bunch of inserts

29:47.0

but at some point it's going to

29:49.2

you're going to run

29:51.1

into issues and then

29:52.7

for the most part in Crate you

29:55.1

just add two more

29:57.1

nodes to your cluster

29:58.0

the just in quotes because it's

30:01.0

like just in IT is never going to be

30:03.2

a you can simply again

30:04.9

in quotes

30:05.8

but it's like tutorials I always

30:09.2

try to put simply just simply

30:10.7

install jing exactly it goes over well um but yeah for the most part it's you add a node or two or

30:18.0

five and your cluster has more storage space your cluster has more throughput um aggregation

30:27.8

capabilities memory all these things um and so the other question you said eventually consistency so

30:35.3

how long does that take because i've used eventual eventually consistent data stores and quite often

30:39.8

that just means where's my data you do a write and then you do a get to get it back and it's like

30:44.7

not found and you're like hang on i just inserted it and you said it worked where is it um so i mean

30:51.3

how long does that take to run through say if you're you know i mean i guess it depends on the

30:54.7

size of your class you know but as i think it's sub milliseconds or a millisecond area like you're

31:03.2

not gonna wait five minutes for this number to show up somewhere i mean if you're if you're

31:08.4

complete if your entire network is completely overloaded for sure it's going to take time but

31:13.8

then you may want to reconsider your network infrastructure um spin up that extra node you

31:19.1

talked about yeah though so adding more nodes also means more communication right and you so the you

31:27.4

said it was based on lucene which means it well the thing that comes to mind is well elastic search

31:31.2

how does it compare to elastic search because i know a lot of people use that for high ingest

31:35.1

use case yes in the very early stages of creative it was merely a plugin on top of elastic search

31:45.3

that provided the sql interface which over time became a as well not a fork of elastic but

31:54.9

had a bunch of code from elastic that was um used and then we we had our own stuff around that or

32:05.1

melt it into the whole thing

32:07.7

and that made up

32:09.7

CreateDB at that point and then eventually

32:11.8

last year, I guess

32:15.7

I think we dropped the core team

32:17.8

there, dropped Elastic

32:19.9

in that sense that

32:21.8

it's not in the code base anymore

32:25.3

so it's

32:27.4

I'm not involved in the

32:29.7

direct development of the database itself

32:31.4

so I can't

32:33.9

actually tell you that much about the details of the development there and the specifics around

32:38.5

the code um but are you aware of the sort of general like what was it that elastic didn't

32:44.1

scale in a particular way or do you know do you happen to know that maybe you don't i don't know

32:49.0

it's just interesting i'm not entirely sure to be honest okay fair enough fair enough it was just a

32:54.9

you know well and you i think your your master's studies you you did some work on elastic search

33:01.2

right so that's back in 2014 along with alex uh no no oh whoops sorry i got the wrong i was

33:13.8

looking up ah i pulled up wait oh weird i'm sorry i was just quickly pulling up um wait it's on your

33:20.1

i'm on my masters without alexander griebert because i i saw you had a talk on elastic

33:27.2

search and i was just trying to pull it up and it pulls up i did from 2014 you have a whole post on

33:32.8

it so i saw you oh i saw you give a very good talking um on elastic search it was just one

33:39.4

course at uni um where we so so all my all my studies i always with all the projects that i

33:47.0

had to do i always tried to use yet another technology just to like play around with it

33:51.5

and went from C, C++, Java, eventually Python.

33:59.6

And then in the Masters, in that one course,

34:02.7

in this one blog post, I guess you're referring to,

34:06.6

with the school data in Berlin,

34:10.2

we figured, hey, how about we just build a static website

34:13.6

and then throw all the data we have into Elastic

34:16.0

and just query that straight from the front end.

34:20.9

But that's about it, what I did with Elastic there.

34:24.1

The thing I think Hugh Carton referred to was a talk I gave on Heidelberg.

34:29.6

On Heidelberg, yes, probably.

34:32.0

Like to search, no, what was it?

34:36.1

Well, let me summarize what I remember.

34:37.8

I mean, I've got it here.

34:39.8

It's combining Django and Elasticsearch.

34:41.5

You have the slides up, the link to it.

34:43.0

Yeah, so it was this great talk about how you can use the Django ORM

34:45.4

and write that and then how you would sync to Elasticsearch

34:48.6

do your information retrieval your search queries and i remember it being so good because i at the

34:55.1

time i was flirting with this idea that oh we'll just drop the orm if we're going to sync everything

35:00.2

to elastic search and search from elastic search and even we're going to serve the web pages perhaps

35:04.6

from elastic search why not just write to elastic search and not bother with the django orm at all

35:08.2

and you were like no no because you lose the transaction handling you lose the orm you lose

35:13.7

all these and you're exactly right and i was like yeah that's that's that's answered that question

35:18.4

canonically for me um yeah the talk i i looked up the talk it's um on the lookout for your data

35:24.2

from jango con europe in heidelberg you're right there's 2018 but that's a great video folks you

35:31.8

must watch that on youtube yeah link in the show what the um the other talk project that i wanted

35:38.5

that i was saw of yours recently was the the logging article where you you know you talk

35:44.9

through django and and logging at a really deep level but then you just casually link to this

35:50.3

gitlab repo that's amazing where you have all these examples of how to structure

35:55.2

your logs in different applications which we'll we'll link to like you know because i i put a

36:02.6

code open source sometimes and you know you've got a lot of good stuff in here right you have

36:07.8

an airline example a bank example that's and you just sort of casually mention at the end like you

36:12.7

know i would just like make a video of that being like check this out it's a lot of work to make

36:16.4

that um it's been a top this this so the topic there in this talk is about structured logging

36:23.3

and yeah structured i could recite parts of the talk now but i'm not going to do that i'll i

36:29.9

suppose you can put the link to the talk somewhere in the description um or in the links um i i feel

36:36.9

i'm gonna spoil the surprise of this talk but um okay well i just i was really impressed that you

36:42.7

actually have code to back it up which was which i always like like it's not just talking it's like

36:47.0

you gave examples yeah yes the um the parts you mentioned there with airline and so on it's the

36:54.5

reason for that is because of the title and the the whole story of how i try to bring this whole

37:02.9

title of the talk into

37:04.8

why you would want to do structured logging

37:06.9

and with that refers to

37:09.1

a movie. Okay, we'll put the

37:11.1

link up for everyone so we won't

37:13.3

ruin it.

37:15.8

Or maybe we could talk about Django

37:17.2

3.1. The two things I'm excited

37:19.1

about is the async view. So OK 3.0 had

37:21.2

the ASCII handler which enabled

37:23.2

you to embed Django in a

37:24.9

ASCII environment

37:27.0

so that's the foundation step

37:29.3

but 3.1 is the starting where

37:31.1

you can actually write an async def view and okay that's going to be basic and that's going to that's

37:36.4

going to be fledgling as what we'll be able to do in future but it's like yes so now if i've got my

37:42.7

janga project i need to make a few api calls out and they need they could be done in parallel

37:46.9

without even running a different server still with gunicorn still in the whiskey environment

37:51.0

i can write a parallelized view which fetches those rather than having to do those sequentially

37:55.4

and that will be much quicker and that's that's just a quick gain without having to do anything

38:00.1

else so you know this is the real start for yeah we can start to do these extra exciting things and

38:06.4

okay we'll there aren't going to be the async class-based views that yet that we'll probably

38:11.2

get in a few you know when we all learn how to write these views and we all learn what the

38:14.6

patterns are django support will evolve but this is like the for me this is like yeah actually this

38:21.0

is the real async bit this is the bit where we'd like yeah actually most of what you can do and

38:25.7

And then one of the next versions,

38:29.4

we need this three-point async for database level, I guess,

38:35.5

because that's still not there, right?

38:36.6

Yeah, I mean, so yeah, the limitation is if you're still using the ORM,

38:43.0

that still needs to be wrapped in a sync wrapper and executed in a thread.

38:46.9

So a lot of the things you want to do, there'll still be sync.

38:50.7

Yeah.

38:51.9

But, I mean, Andrew Godwin, who wrote the Vue's PR,

38:56.6

we merged it, and he's quickly joking,

38:58.3

oh, right, now the ORM.

38:59.6

It's like, oh, my God.

39:05.3

Right, exactly.

39:07.9

It's going to be exciting, I think.

39:10.8

I mean, I'm excited.

39:11.8

I've been writing for years.

39:12.7

I had to spin out a Node.js on the side

39:16.0

before Python had Async.

39:18.8

I'd have to spin up a JavaScript thing

39:20.9

to do something Async.

39:21.9

and then python's had async for a little while with async io and you know there are other options

39:26.6

but async io being the standard libby option and you think okay well i can just do it with async io

39:33.0

fine brilliant and there are a couple of web frameworks around that and um that we've talked

39:37.0

about tom christie style it as as a go-to there but to not even have to change your web framework

39:42.7

to do the basic thing that's yeah it's more and more civilized all the time that's pretty cool

39:47.3

absolutely and i think that because flask is working on this but it's sort of like totally

39:52.5

different things too so not that it's a competition but i hope to get i guess david lord or someone on

39:58.1

from flask to talk about how they're doing it but it's it's gonna be another reason that django just

40:03.3

marches into the future and you know when people say async yeah you can you can do that though of

40:09.6

course like i mean in andrew's talks to me the interesting thing is the use cases for async

40:14.9

aren't as ubiquitous as maybe we thought they would or the community thought they would be

40:19.2

five years ago yeah um like that to me is sort of the interesting piece i mean you know in the

40:24.7

same way that we have http2 but it's not aside from gaming and chat maybe well perhaps and you

40:31.0

know in in iot cases it's being used but it's not used everywhere the the interesting part about

40:38.2

the part about async is that it's really giving you a lot of benefit and and when you have a lot

40:48.3

of io and frankly most websites and yeah should chat and and all these things they are not

40:59.2

particularly normal websites in that sense because there's a whole part of this media part in there

41:04.2

But regular websites, it's, well, here's my view that fetches a few things from the database and returns a bunch of HTML for the most part, or returns a bunch of stuff in a JSON response as an API.

41:23.7

There's not a lot of, not really a lot of IO happening when you compare it to a bunch of other scenarios.

41:30.5

and yeah you may get a bit of speed up here and there but the occasionally i think that the

41:38.3

mental overhead that you need to apply there in order to wrap your head around async can easily

41:45.6

reduce the maintainability of the of that page then yeah um comes with pros and cons

41:53.7

it's pretty much everything yeah in the pr there was a note andrew put i'm sure i'm sure

42:00.3

it's there. It may not. It must be. It must be. Otherwise, I wouldn't be sure. But there

42:04.8

was a note saying something like, we advise you to keep using sync until you've profiled

42:08.8

and you know that there's a real benefit here. Don't just jump onto the async bandwagon because

42:13.6

you think it's cool. I mean, it is cool, but that's not a reason to build your product

42:17.3

in it.

42:18.5

Yeah, absolutely. It's definitely an interesting approach and interesting way of writing code.

42:27.9

And I mean, the whole front end part in web has approached it for a while now and has been doing as in for quite a while.

42:35.7

But then in the front end, you have direct user interactions where you want to do bubbles here and show things there asynchronously, which you don't really have in a web server back end with like APIs for the most part anyway.

42:53.5

yeah i mean there's there's some um was it live call it live view so there was a the phoenix

42:59.9

project which is in um elixir elixir yeah yeah they had a they've got a thing called live view

43:05.2

and then somebody's ported that to django there's a django live view project which is really

43:09.8

interesting i think they i think they're using channels under the back but what's nice about it

43:14.2

is that um the the front the say a form can do um validation on the server side because it's doing

43:21.2

what looks like local client-side JavaScript validation in the form,

43:25.5

but it's actually pinging the server and getting the response there.

43:28.8

And one of the issues with writing decent JavaScript

43:30.6

has always been, oh, I've got to rewrite my validation logic.

43:32.9

And, you know, it's always been a bit of a pain.

43:36.4

There's the Batavia project from the PyBee project,

43:41.4

which aims at providing Python in the browser

43:47.7

through cross...

43:50.5

I was going to say cross-compiling to JavaScript.

43:55.4

I'm not entirely sure.

43:59.4

I don't entirely remember how they built the whole thing.

44:02.2

But essentially can write Python code

44:05.4

and then they have a Python...

44:07.8

Yeah, what they have is essentially a Python runtime.

44:10.7

So no compiler or something or REPL.

44:15.3

It's just the interpreter that you throw some Python bytecode at.

44:21.8

And the interpreter is written in JavaScript, so it runs in the browser.

44:25.7

And then you run this Python bytecode in the browser.

44:30.3

Yeah, that's kind of cool.

44:32.5

So it's part of the BWare project, right?

44:34.1

Part of BWare, yes.

44:35.4

Yeah, I was going to say, yeah, Russell's, yeah.

44:36.9

I think he referred to that in his keynote at PyCon last year, too.

44:41.1

Probably, yes.

44:42.5

That specific, yeah.

44:44.0

Well, maybe for me, a final question. So this is something I was hoping to do in person at

44:48.2

DjangoCon Europe, but since we're in a virtual situation. So sitting on the board, a lot of what

44:54.9

we do is the janitorial side of Django, paying the bills. But one of the things I want to do is be a

45:00.4

little bit more aggressive around if we had a grant fellowship, if we didn't have to rely on

45:05.5

Kickstarters for major new features, what would be some features that you think would be good for

45:12.1

Django to add, assuming we had unlimited

45:13.8

people and money? Are there a couple

45:16.2

that come to mind between the two of you?

45:18.6

I mean, authentication is a big

45:20.1

one, right? So I guess

45:21.6

ContribAuth could

45:22.9

use an overhaul,

45:25.9

let's call it that, make it a bit more

45:27.9

modern and adjust it to a few

45:29.7

modern security or

45:33.2

authentication processes.

45:35.8

Stuff like

45:37.5

OAuth or

45:39.3

TwoFactor in

45:41.2

in whichever way authentication um i think the thing that's been on the docket for ever

45:51.1

is a new admin there's this well right it's just a million dollars right they did the cost

45:57.8

i don't even remember who who brought this number up i have the feeling this was i think it was

46:02.2

jacob jacob at django under the hood i think um yeah if if if we have a million dollar a million

46:10.2

dollar and a few folks i think you mentioned 10 to 10 people or so that's that spent a year then

46:15.8

this is achievable or something like that um yeah well i just it's i i like the big one on my list

46:25.2

is the auth i'd like to see two-factor auth built in i'd like an easy solution for users to be able

46:30.2

to you know have one-time passwords have you know yeah all the other bits and bobs that come um

46:36.2

other things that's been go ahead no well that's that that's my one sort of battery that like there

46:43.4

are other things that we could add like nice little features that would improve it in a number

46:47.4

of ways but my one big missing battery at this point is to fa of some kind of modern yeah you

46:53.1

know um use your use your smartphone with its bio bio registering security measures and know that

47:01.4

it's you that's logging it.

47:02.6

I think we could do that now.

47:05.2

I mean, it's a big job, but...

47:07.2

It's another thing that's been floating around

47:11.9

in a fairly long time,

47:14.6

and I think kind of was dropped to a degree

47:17.6

once the whole channels,

47:20.8

once Django channels came around,

47:22.7

and absolutely once it was clear that Django itself

47:26.1

is going to have some async capabilities,

47:29.9

is an API for task execution.

47:33.8

So not the execution built into Django,

47:37.2

but an API where you're going like,

47:41.3

I want to send off this task and do a thing,

47:45.4

and then whatever implementation project

47:49.1

or project is out there that wants to implement that

47:52.1

can use and can build on top of that.

47:55.8

So just to pick one,

47:58.8

Celery Django integration would leverage that task

48:03.4

or this task interface that Django could, anyway,

48:07.8

could leverage that task interface that Django uses

48:11.1

and you define whatever this one setting in Django or in Celery

48:18.5

and it, again, quote-unquote, just works.

48:24.9

Yeah, well, there's the rub.

48:26.3

But the idea is that you could replace Celery with whatever, RQ or I don't even know what else is out there.

48:34.2

But you might have an SQS backend, you might have a Redis backend, you might have a, you know.

48:38.7

Well, that might not even be the level of where the integration goes, but it's been floating around like five years ago or something.

48:50.7

I remember having a discussion with that in Cardiff at the DjangoCon.

48:56.3

um so that that was 2015 right well i hope that this is something that i hope to encourage more

49:05.1

in the community because on the dsf side and treasurer if someone said we need this new feature

49:11.0

raise x amount of money there's a number of ways we can get that money um so i don't want that to

49:17.2

be the limiting factor uh i hope to encourage that you know again we don't rely on kickstarters

49:23.0

but it's sort of it's sort of the chicken and egg where i mean because the total budget for

49:27.9

the django software foundation is around 200 000 most of it goes to the fellows then to conference

49:34.3

workshop sponsorship and that's and then teeny tiny amount for the ops and and whatever and

49:39.6

that's it because we don't need more and we're not trying to raise a ton of money but if some

49:45.0

feature was 50 000 you know whether it's getting a grant from google which has provided help for

49:49.2

some of these corporations or you know there's a number of other ways we can um try to raise money

49:55.4

we can raise money in a way that doesn't go against any of the principles of django but

49:59.9

we need to know that we need it um is the the first step so that kind of brings us full circle

50:06.7

because one of the things i'm really excited about the debt 10 which is the change to django's

50:11.1

governance is that the technical board are meant to have a new role of helping to guide the

50:18.4

technical direction of django and to each major release to to sort of have a take a bit of time

50:24.3

solicit ideas compile those ideas into a bit more of a feature roadmap because we've got this time

50:29.2

based release and we'll keep that but the technical board will hopefully be able to lay down some um

50:34.5

look we're aiming to improve contrary both we're aiming to you know introduce a back-end system if

50:39.7

that's what the technical board come to the conclusion with consulting with the community

50:43.8

then we will have that um that list of ideas which are that list of things we want which then you

50:50.8

know the dsf board or the membership can act on yes absolutely um but that also um requires like

50:59.6

ideas from outside or from people using django or from people in the community or so to go like hey

51:06.8

this would be cool and then while we i guess for some obvious reasons we can't do all the things

51:13.3

and we probably shouldn't do all the things,

51:17.0

but the things that are useful for the majority of people

51:21.9

where there's a possibility to build an API in Django

51:26.7

or build the bits and pieces into Django

51:29.9

that then third-party applications can use

51:34.1

and leverage that to build a more sophisticated path

51:38.9

to be used as applications.

51:43.1

I guess that's definitely something where we definitely will need to rely on the community to bring up ideas there.

51:50.6

So one of the things I'd like to do this year is to do a Django survey again, which I think Tim Graham did in 2015, something like that, similar to the Python survey, where in addition to asking people how they use Django, we could have a place to say, you know, what would you like to see in part based on your use case at your company?

52:08.8

because we're sort of getting at is that a lot of the times we're flying blind in terms of Django usage

52:15.1

because we don't have tracking in there.

52:18.4

So we don't really know a company's using Django unless there's something open source

52:22.7

or someone from there tells us by design.

52:25.7

But that does limit sometimes the new features and things that we can add.

52:29.6

Yes, absolutely.

52:32.2

Another was a discussion around integrating some kind of usage tracking in Django, which was, I think, fairly strictly, let's call it shut down by the core team.

52:47.8

I think there's a dApp out there, like a dApp proposal, like four years old, I'm guessing here.

53:00.7

Yeah, I think it was it was shut down. I mean, because we can you can see on PyPI, you can see the number of Django downloads, but the PyPI stats are, there's many ways that those are unreliable, actually.

53:13.1

So I mean, I, I think our take to be conscious of security of privacy and all these things is the right one. But it does mean it takes a little more work to find out what, how people are using it. I mean, literally, I mean, Jeff Triplett and I are trying to, or Jeff Triplett's been working on a list of like the top 500 companies using Django.

53:30.4

And it's a bit of work to find that in part so we know who they are, that we can ask them around features.

53:36.5

We could, you know, try to suggest sponsorships and stuff.

53:39.0

But, like, we have no idea who they are just without doing the work, the manual work.

53:46.5

The DEP I was mentioning is DEP 8, Gathering Django Usage Analytics.

53:54.1

It's difficult.

53:55.0

I mean, commercial companies obviously often put this kind of analytics in their packages.

53:59.9

know you download bs code it's got analytics which goes back to microsoft um that's not necessarily

54:04.8

a problem you opt into all of that and you know about it but when perhaps the message is gonna

54:10.8

have is it like i think the i mean we could message i mean for me uh we could totally read

54:17.4

someone could we could look through django project in general from scratch with someone with fresh

54:22.3

eyes have a docs fellow or team i think there's a lot of ways that we could improve that and

54:27.1

talk about a lot of the things that Django project and team members are doing that we don't

54:32.3

spend the time talking about rather than just doing. But it's capacity as well. Like the,

54:37.2

you know, that there's a group of contributors who are very active and there's new people coming in

54:41.5

and, you know, some come and stay, some come for a bit and leave, some come for a bit, leave,

54:45.8

come back again. You know, everybody's working quite hard on keeping Django moving and it moves

54:52.7

fast you know look at the last few releases they've all been you know just major great releases

54:58.2

yeah and that's and i hope that and the project i want to call out more attention to the people

55:04.3

doing that work because i know that everyone who's on you know our mailing list knows who

55:08.1

one another is but most people don't know um and i not that people do it for that reason but i think

55:14.4

it's important to as to your talks carlton right we need new contributors there's a lot of strength

55:19.5

But there's quite a bit of fragility when it's a half dozen people doing, you know, two of you are on this call are doing a lot of the work.

55:27.0

Fortunately, it's a remote call.

55:28.4

It's a video call.

55:29.2

So if a meteor strikes one location.

55:34.9

But anyways, but I mean, certainly I view my, you know, my role on the board as being a janitorial, a support role for the court, you know, the technical team and trying to enable that.

55:45.9

So, but yeah, I mean, so, okay, that's a good point to wrap up.

55:49.5

So, Markus, thank you for your work on the ops team, on the security team, on the technical board, and everywhere you're around at DjangoCons and on the community as well.

55:58.9

Thanks, Will Carlton, for having me.

56:01.5

Thanks, everybody, for still contributing to Django and keeping this project running.

56:08.6

It's pretty impressive what's happened for the last 16 years now?

56:16.4

15.

56:16.7

15, 16, yeah, something like that, give or take.

56:19.5

yeah yeah wow it's quite a while it's gonna be a few more yet one things yes all right thanks

56:28.3

again all right and everybody we're at chat django on twitter uh django chat.com and links

56:33.7

to everything in the show notes okay join us next time bye