Transcript: Sticking with Django - Florian Apolloner

00:00.0

This episode is sponsored by Hacksoft, your Django development partner beyond code.

00:04.5

More on their services later in the show.

00:12.2

Hi, welcome to Django Chat, a podcast on the Django web framework. I'm Carlton Gibson,

00:16.4

joined as ever by Will Vinson. Hello, Will.

00:18.3

Hello, Carlton.

00:19.9

Hello, Will. Today we've got with us Florian Apollon, who's a long-time Django contributor,

00:25.0

former security team member, former steering council member, everything,

00:29.0

and yet somehow still so young. Florian, thank you for coming on the show.

00:32.6

Hello, thank you for having me. It's a pleasure to be here.

00:35.3

Yeah, well, no, I'm really excited to have you. Go on, Will, go on.

00:38.1

I was just going to ask, so you've kind of already lived the life that Carlton's just stepped into now.

00:42.6

Like, what do you know that he doesn't?

00:45.9

I don't think I know anything he doesn't, but I probably had the pleasure of starting earlier, right?

00:56.0

Well, maybe let's start with that, because you are, for those who can't see you, you are still quite young, especially given how long you've been involved with Django.

01:03.4

When did you first start with Django? How did that happen?

01:07.1

So I think it was around 2006 or 2007.

01:11.8

It was quite, quite early.

01:14.0

I think the famous magic removal branch had mostly just happened.

01:21.7

give me it a long time ago i i can't remember the old code anymore um i i know i saw a bit of it but

01:29.5

i i know django like it is nowadays which speaks a bit to its backwards compatibility right

01:36.2

right yeah yeah and um so how did how did a young person find it in 2006 what was it or 2007 what

01:44.5

was it that led you to django so um my father let me let me just rephrase that because you're not

01:50.9

based in lawrence kansas okay so um my father is based is working in it um as a programmer and it's

02:01.7

it is for medical clinics and stuff like that so not uh web frameworks but um internal clinic

02:09.3

systems and i was always impressed um i liked playing age of empires one at the company um

02:18.0

computers and so you had a big screen at no small screens there were no big screens at the time

02:26.2

and uh at some point i wanted to do what my father did namely programming and so we started to look

02:35.4

for a project that we could do because um i'm really a bad learner if i learn something just

02:41.9

for the sake of it i need i need a reason to do something right and uh our idea was to write a

02:50.0

cookbook software where where we could put in our dishes and recipes and we started doing this with

02:58.4

i think turbo gears i'm not sure if um have i used it and um used um at the time xul this was the

03:08.6

xml user interface mozilla used quite a long time for firefox where you could create

03:14.8

native looking user interfaces in the browser which was kind of nice i'm kind of sad that

03:21.5

dropped it and so we started working on this application and at some point i don't know

03:28.4

we became bored or so and looked around what there are other options and then we found django and

03:34.8

from that point on it was Django. So if in doubt rewrite it from scratch?

03:41.2

Absolutely I think TurboGears wasn't even maybe not even the first implementation so

03:47.3

there were like three implementations I think we actually rewrote it every year and then at some

03:54.7

point we got bored rewriting and this was the time I think around 2006 or so when I met Armin

04:03.7

Ronacher. He lived, well, near me, a hundred kilometers or something. And we met at the

04:11.6

bar camp and he was working on Ubuntu users, which is the German Ubuntu platform. And we

04:19.8

had, or they at the point in time, had a software containing of PHP BB, the burning

04:27.4

board software um moin moin wiki which was python based already and something self-written a news

04:35.3

portal in django and they were already rewriting it completely to django and at this point i joined

04:43.0

and i think it's one of the largest and oldest django deployments still running in germany

04:48.7

and that's probably open source as well so people are looking for a long-lived open source

04:54.3

django application to to study from they could perhaps use that yeah but um this is actually

05:01.9

not open source so we we never got around it um i also was against releasing it to be honest because

05:11.1

uh we we didn't know what we were doing right um and the code evolved we we had our own user model

05:20.1

we had everything and it took us a while till we could switch to the user model or the

05:26.0

abstract user model Django provided we had our own I don't know caching before Django got

05:32.0

those caching options so release after release we worked hard to port over to modern Django and

05:40.9

yeah modernize the whole stack okay well you said user model which is was like my thing for

05:47.4

last year so i'm curious if you could uh what do you make of the current status of the django user

05:53.5

model and do you have any thoughts on because there's a number of proposed changes to it how

05:58.4

do you feel about all that um i don't know i'm a i'm a bit torn i i see the recommendations is like

06:06.4

always start with a custom user model but i always not need not anymore carlton got that taken taken

06:12.5

out of the docks no no no no all it was a very small change i made it's like highly recommend

06:17.0

got rid of the really scary warnings that the world was going to end if you didn't i'm sorry

06:22.9

that i mentioned that we've been sort of like silent not intentionally not talking about that

06:27.6

for like half a year now carlton but the change has been out there no come on finish it quick

06:32.9

what do you think i mean if you think as we're going forward what's the best story

06:36.7

i i think the story is kind of okay um what i would like to see more in terms of um business

06:45.1

applications is actually um support for um open id connect at which point the user model becomes

06:52.5

a little bit more well irrelevant what i see what i use it currently still for is that like

06:59.3

i'm syncing the groups that or rather i get roles from open id connect and then automatically

07:06.9

create groups in django for that and assign permissions and so on to that so all i need

07:13.9

basically is um some some user model um i i don't think i even feel the first name and last name i

07:22.4

just um it's just a foreign key yeah and for this player you get something from um open id connect

07:31.9

anyways and you can put it into the session in the worst case or have an extra model where you

07:38.4

store the extra data it's it's one extra query compared to well i don't know the work maintaining

07:46.2

the custom user model or so it's simply not worth it for my use cases but um i'm mostly doing

07:52.2

internal applications and you can tell users there that well it is like it is and we are not going to

07:59.1

change anything okay so i was thinking about what you talk about open id connect there it's just

08:04.7

sort of one option in the auth world and i think there's lots of people that have come on the

08:09.2

podcast and lots of conversations we've had on the forum and place about how we need to sort of bump

08:13.3

up dango's all story is solid and it's good but things like 2fa things like you know third-party

08:19.5

auth providers and whatnot i've been thinking about that recently because we could take on

08:24.3

some sort of mega project and try and merge everything into core or we could at least

08:27.6

for a first part try and like document the ecosystem options out there and what what's

08:32.1

your sort of take what how do you think we can move forward um in this space because you know

08:37.0

it's difficult for us to bring everything into core because we just don't have the capacity to

08:41.0

maintain things yeah so i guess this is one of the main problems because like days open id connect

08:48.0

but it's it's not it's standardized right but it's like you have login with google you have

08:53.8

login with microsoft and depending on the directory provider you don't get back a username but like

09:00.5

a domain name which is display name which looks ugly and keyclock gives you the full name and

09:06.7

whatnot so i'm not sure um i think we should look out a little bit um just because we're using it at

09:17.3

work um is java and the spring ecosystem and they have relatively good support from what i gather

09:25.1

what the developers are telling me that they can easily like um add um open id connect to an

09:32.1

application and it all basically works and i haven't looked at that because i'm not a developer

09:37.7

anymore but um i guess we should take more inspirations from other frameworks be that

09:44.1

bring more rails ruby on rails omni out which gitlab uses and maybe see what they use and

09:51.4

then draw the conclusions from there try and rob some ideas from places yeah because it's it's not

09:58.4

like it's not i mean it's a solved problem right at least for some things you always will need

10:04.5

extra templates probably because like um you want to put login with google at the first position or

10:11.6

something like that and i would question whether it makes sense to have this all in code or just

10:17.8

ask the user to reorder things reshuffle things in a template um it's also like do you support

10:25.4

just one authentication provider which is typical for an internal enterprise application or do you

10:32.9

go software as a service and need to support based on like the email domain of your username

10:39.3

different idps it's a different health story right and too complex for django to have one

10:46.6

simple answer for everybody right yeah well i mean one good thing is that raymond penner is

10:53.8

with django all off he's doing a lot of really great work kind of pushing all this forward

10:58.7

without the community needing to get involved so that's that that's a positive thing like he's

11:06.0

already he got a grant and he's already done a bunch but i think i i just use django all off

11:11.5

honestly as and it has most of the things i need at this point i i do as well but um it required

11:18.5

quite a bit of tinkering around um if i remember correctly it reads the role from the

11:25.1

um user info endpoint and our idb um per default um gives it in the access token or in the id

11:33.7

I think in the ID token so and it's not not really um well documented where from it gets the roles

11:42.6

or extra attributes which makes it a bit hard but generally I think it's the best option currently

11:50.0

but you have to dig into the code especially if you want to do more than just login because what's

11:56.5

very important for us is that we we get some kind of roles that we then can map to permissions on

12:02.7

our side. You mentioned you're not really a developer anymore. Can you expand upon that?

12:08.2

Yeah. So I'm mostly doing system administration nowadays.

12:14.2

The funny part of the story is that when I started at the current company,

12:19.3

I actually was forbidden to do any code. The idea behind was that we actually need a system

12:29.4

administrator um way more than another developer and to ensure that the priorities are set straight

12:36.7

i was not allowed to code which was mostly in jest but um still holds kind of true so

12:45.1

you'd sneak back late one night just to get a couple of lines in right

12:49.0

um no i actually currently sneaking back and writing my own django application for some

12:55.9

internal tooling um but i mean that's like i think seven or eight years in well what is what is that

13:04.9

world like right clearly it's engaging enough to keep you occupied i'm thinking about silos in the

13:10.9

context of i've been very much head down in the web space and i'm doing a django con talk on

13:15.9

django and data science because you know data science is a thing that i know very little about

13:21.3

um so i'm curious someone who knows both django and then you know let's just pick on system

13:26.5

administration what yeah what do you see as the similarities and differences between the two i

13:32.1

mean it's all programming but it's a totally different world um i i don't think it's a

13:38.2

different word actually i okay actually like to see more people getting involved into system

13:44.1

administration and coding at the same time because um there is there are so many things like um

13:50.5

And you have to think about your software from a different perspective, right?

13:55.0

If I'm getting handed down software from the developers and I'm putting it into production,

14:00.1

I need some kind of conventions, be that like this, we have config files or we pass

14:06.8

it in via environment variables.

14:09.4

And you need useful log lines, especially if you don't speak the language the program

14:17.7

is written in, which can happen as well.

14:20.5

or usually is the case if you're a normal system administrator and i think software development

14:29.0

can or in both direction um we can learn from each other because they are like this structure

14:37.5

structured thing for a system administrator where you say you want your log lines all in

14:42.3

the same format um independent of like when i have 10 applications or 20 this makes also

14:49.5

sense for a developer, because they are faster when all their programs output the same log

14:54.7

format. It's easier to recognize patterns if you don't have to focus on every new logline

15:02.3

and guess the format and so on.

15:04.7

This idea was, I know the term now has just become a sort of postage to marketing,

15:10.1

but this was the idea behind the DevOps movement originally, right? It was that if you get

15:14.9

developers closer to ops they can think with an ops mindset and vice versa yeah um i i honestly

15:22.4

honestly don't don't like dev ops as such because um it's the the idea was there i think but in the

15:32.1

end it turned somewhere so um it's like nowadays it sometimes feels like you don't know enough from

15:42.0

either world um right and i think it's better to have like a developer who's interested in

15:49.9

operations and the system administration who is administrator who is interested in development

15:56.0

but you can accept that you don't wear both hats i mean in smaller companies it's often happening

16:04.1

right but um this distinction still makes sense but you you have to look um over the border and

16:12.1

see what the rest of the company is doing you you don't want those silos right so it's not like right

16:17.5

i've written it now you deploy it no i'm not going to deploy it throw it back over the wall

16:21.5

several times yeah that's obviously not healthy it's especially when it comes to like um configuration

16:28.9

management where we're using ansible quite a lot um you you have to think about how to handle

16:35.3

secrets and you you need to support from the developers they they need to adjust in the worst

16:41.5

case the application um depending on whether you are reading the secret from i don't know world or

16:48.0

using a hsm for um hashing or signing stuff um this completely changes the um

16:56.8

completely changes how you work because quite often you can't use a few libraries

17:01.3

um because like they make the assumption assumption that you always have access to

17:07.7

the private key which if the private key is not on your system is not going to work

17:12.8

so there's talk in the django world sorry there's talk in the django world about um trying to do

17:19.4

something to smooth the road from so the start project template is very beginner friendly it's

17:24.3

very you know get up and running but it's not there's quite a number of steps to get to

17:28.5

production to get to deployment it's like a big challenge that people have and one of the questions

17:33.7

is about secret handling and whether we can build in better handling of environment variables or

17:38.6

you know have you got any thoughts about you know if you if we could do something in that space what

17:43.6

Would you like to see?

17:45.8

Hard, hard topic.

17:48.1

The, well, where to even start?

17:51.0

So I'm using, I think Django GoodConf, which gives me all this environment handling, which works nicely.

18:01.8

But as soon as you start to integrate secret management systems, especially with rotating secrets, it becomes really, really hard.

18:12.3

Like if you think about our database backends, you can't really, I mean, you

18:18.5

can, if you overwrite the database backend, but like you can change the

18:21.9

password every five minutes and same goes for service discovery.

18:26.8

Like, um, and new connections should always.

18:30.5

resolved via console or something um this is really hard the django settings module works

18:37.3

best with um static credentials and i'm i'm not a fan of environment variables i try to get rid of

18:45.8

them um as far as possible because um you're going to explain why yeah yeah um so the reason is

18:53.5

we are doing mostly java and in java it's not that bad because you you do have your virtual

19:00.9

machine basically so the java virtual machine and there are usually no program forks or anything but

19:08.9

if you're using um django and having a python project it can happen that you i don't know

19:16.6

call out to some sub-process and this sub-process automatically inherits all the environment

19:24.3

variables by default, usually. I mean, there might nowadays be some options and Python nowadays also

19:31.5

closes, for instance, open file descriptors by default. But in the earlier days, this all got

19:38.4

inherited to the sub-process. And especially if you're using the sub-process for things like

19:44.2

rendering a pdf file or something and you got an exploit there you have access to all your secrets

19:50.5

and i think every code execute remote code execution that i know tries to look um for

19:58.5

secret secrets via environment variables because that's since heroku um i think heroku was it with

20:05.4

the 12 factor stuff um popularized it really really hard and now you know if you are inside

20:12.2

the process you have environment variables and if you put all those things into files

20:18.1

it's way more you have to figure out where where the file is i mean that's it's not exactly hard

20:25.0

but if you take more off the shelf stuff um and depending on the system it the environment

20:32.8

variables are leaking around everywhere i mean it's it's the same user you can always um look

20:38.6

them up in the proc file system on linux which which is kind of okay i mean that that's how it's

20:43.7

designed and it works like that right but um yeah a file is easier i think it's just too much space

20:51.3

for exploits yeah and also good luck trying to encode i don't know a list or something or

20:59.5

a hash map or any structure in environment variables where you see ugly solutions where

21:05.2

you then have underscore one two three four five and pass through that or json encode and put a

21:11.7

prefix in and it's like ah okay so here's here's my question because um let's sort of follow up to

21:18.6

that because i think for when people starting out and they just hard code the credentials in the

21:23.4

settings file that's a step to move to environment variables is clearly a step up but then there's a

21:29.6

step beyond environment variables for the reasons you've talked about because they're not they're

21:33.3

not the securest thing in the world and i think any solution that we have in django needs to account

21:38.4

for the evolution along that pathway right it needs to have backends for you know proper vault

21:43.8

systems as well as environment handling but i think once you have a generic backend you get

21:49.8

all that for free the main question that you usually have to answer is um how how does this

21:56.5

back-end work right um do you uh read up all environment variables at startup or do you access

22:04.0

the environment once the variable is accessed because this this at some point begs the question

22:09.6

do you have a schema and can read all the needed data in advance or if you need to go to an outside

22:16.4

system does that mean an http call for every variable when it's first read or can you like in

22:22.5

in bulk read read the whole configuration and this is where it gets interesting and hard i think

22:28.7

and this is why every time we have a discussion about it we never make any progress because

22:33.0

yeah but i mean most config systems i know out there for django already support files and

22:42.5

environment variables in some form and usually you can mix and match them

22:47.9

um one thing i ran recently in to was um i'm running i wanted to run systemd inside a docker

22:59.6

container and use that to start my application because i'm trying to ship my applications a

23:05.1

single container um and this really easily breaks down if you use environment variables because

23:13.4

systemd won't start your service with the environment variables that you passed into

23:18.7

the container by default and so if your application just reads a config file it's readable from

23:25.1

everywhere for your application and you don't have to think about whether it started via systemd and

23:30.9

are the environment variables passed down or not and the systemd's got this credentials thing that

23:37.0

you're meant to use on you with that ram it in there it i haven't tried it inside um containers

23:44.4

to be fair okay okay we we are currently playing with it it um actually solves a bit of problems

23:51.8

for us because you can um store the credential um as the root user on the system and then provide

24:00.1

to the service and it has access and in combination with containers it you get very interesting and

24:08.9

great deployment patterns for instance we are also using um socket not socket activation like

24:16.1

like in a d style and so we have our containers without network access but they provide an http

24:23.6

api to the outside world which is perfect because you can now execute some code that might call out

24:31.1

to the outside world like any document literally like printing an html page or something which

24:38.4

could include an image and this is all blocked by default because the container has no network

24:43.7

and i think systemd provides some nice deployment units in that sense okay so

24:51.4

go on then no you go keep going okay okay so i was going to ask like so you you're right into

24:59.4

the world you're right into deployments you're using quite advanced um containerized whatnots

25:03.6

and kubernetes i guess and what i don't know not kubernetes right no so i was going to ask

25:08.0

what's the what's your kind of what are your favorite things from that landscape from of all

25:13.4

the the tools that come by what are the ones that you think yeah no that's that really makes the

25:17.2

difference so we are using ansible a lot really really a lot basically for everything um we are

25:26.1

slowly evaluating kubernetes um i'm i'm impressed by what i'm seeing there uh but i'm also kind of

25:34.3

afraid like uh we we need to understand um our systems and we so just for context um the company

25:44.1

I'm working at is a trust center, which is under the EIDAS regulations, where we concern ourselves

25:51.7

with digital signatures and whatnot. And we basically have an uptime of 100%, so 99.999

26:01.7

something or so for the last five years. And this includes basically maintenance and everything.

26:11.0

And we are really, really afraid of systems that we don't understand.

26:16.0

And I like the fact that you can put a database onto Kubernetes and the operator.

26:23.4

So they have this operator pattern, which will upgrade and make backups and everything.

26:29.3

But what happens when the operator goes wrong?

26:33.9

Sure, it's better tested than your usual setup.

26:36.8

But when it goes wrong, you have to fix it anyways.

26:41.0

yeah and the problem with the high nines the uncommon problems become problems right they

26:46.8

happen yeah and so we keep it really simple as as much as possible so we we have ansible we can

26:54.7

deploy a new virtual machine in minutes or actually seconds what it takes to clone it basically

27:01.7

after that ansible runs over it and usually that's it so we get certificates issued everything

27:09.7

automatically and um then we can use the machine and it's not like um we don't need to scale that

27:18.6

much so we have a rather static setup and it's questionable how much kubernetes makes sense

27:25.5

there right i mean for something certainly in the future but um i still think that docker compose

27:32.1

per se is a nice um deployment pattern because it allows you to um put things together nicely

27:39.3

With all its ups and downs, like the network routing and everything, but no matter what you use, you have to know the stack.

27:48.4

You have to own it if you want to be successful.

27:51.7

So that means providing patches to Docker Botman as well and digging in really deep.

27:59.3

Hacksoft is your development partner beyond code.

28:01.7

From custom software development to consulting, team augmentation, or opening an office in Bulgaria, they're ready to take your project to the next level.

28:09.3

I want to ask you, so you're on the security team for Django, and Django is well known for having one of the best security stories out there.

28:18.7

But that's very much behind the veil because people submit them privately and they're handled.

28:25.4

I'm curious, I'm sure there were some wild stories, especially early days security issues.

28:31.0

I don't think that we had really, really bad security issues.

28:35.3

mostly it's like denial of service um quite often via regular expressions or something

28:41.5

and i guess the worst thing that we had um which was only in the main branch at the time

28:50.1

um when we moved the login view to class-based views or was it the password reset view um you

28:58.7

were able to reset a password for any user without the password reset link basically there

29:05.1

it was it really is subtle change but um that that was horrifying i wouldn't have wanted that

29:13.2

on a live site right yeah well but i mean i mean carlton you're are you still you're still on it

29:19.8

carlton yeah yeah i'm still i'm still on the security team yeah hanging hanging on in there

29:24.0

for now i mean i if i think of things that are important but completely hidden um security team

29:31.1

is up there right so yeah the one that comes to mind was um github um had a password hijack

29:38.1

thing with uh with a unicode encoding of emails look like emails of unicorns oh yeah and they

29:46.4

published they published a blog post about how they fixed it in rails and simon charrette was

29:53.0

reading his you know with his coffee and his rss reader the ping them a security list like hey

29:57.8

folks i think we need to do something about this and we will have a quick look we're like oh yes

30:02.2

and then so a hot fix went out i think the very next day and normally django has the um seven day

30:08.8

pre pre pre announcement um and to tell people that the security fix is coming but on that one

30:14.5

it was like look because because this has been made public and it's it's quite it was quite a

30:20.3

serious vulnerability as florin says most of them are kind of denial of service ones which probably

30:25.2

you know they're worth fixing but they're questionable or whether an individual

30:29.7

installation is going to get hit this is kind of like a much more serious one and it was like no

30:34.8

we've got to drop the seven day advance and just put it out as fast as we can that's the one that

30:38.9

comes to mind as the sort of most processing from my timeline and i mean that also goes a little bit

30:44.5

back to um looking at what other frameworks are doing because um especially with security issues

30:50.5

we are fixing the same security issue in a multitude of frameworks um especially when you

30:56.2

look at flask or so um if flask has an issue in its http handling i bet django has it as well and

31:03.8

also in the other direction i mean it's happened once or twice i think and um same goes for php

31:11.0

and Ruby. This is something with all this security posture going around nowadays. We need software

31:23.3

inventories and whatnot. What we first need is to talk with each other and find a common channel

31:30.9

where we can like easily exchange security issue classes basically. Like we've got this kind of

31:41.8

problem, can you look if you also have it? Because chances are that most systems have it and

31:49.6

sometimes you see it in the published issues that day after day a new framework joins the

31:58.0

release process and says oh we have the same issue we have the same issue and this this is

32:03.7

something which would be great to work on but it's it's really hard to get like multi-language

32:10.6

programs started right yeah or even multi-framework it's difficult enough to you know david lord has

32:17.4

reached out to us a few times and we are in communication with with flask and david over

32:22.7

there but it's difficult enough to handle sort of our own reports because a lot of them you know

32:27.8

there's a lot of traffic to that to the security list and so it you know it's like okay we need

32:32.7

to stay on top of that as well as reaching out as well and is there a common space no there isn't i

32:36.5

mean i wonder if we can get something going with python and this you know with seth doing such a

32:41.6

good job there if he could nerd herd us into the same room it's nothing uh a couple million dollars

32:46.9

and a dozen full-time employees can't solve yeah yeah exactly exactly exactly lauren so you said

32:55.0

you were still working on your internal application that um with django yeah okay so after all this

33:01.3

time what keeps you fresh what keeps you staying with django is it just that you know it or

33:05.0

and the bits that you think no that's why well part of it is certainly that i know it um i don't

33:11.6

have the time to um play around and learn a new framework just to write an application for

33:18.9

internal use and the other thing is uh what what i still like about django is that um even though

33:26.2

it's sometimes horrible to work with uh you get everything out of one hand right um you don't have

33:32.9

to explain to someone using django how forms and models interact and i i don't need so many

33:42.1

extensions or dependencies in that sense the the current project has like i think five or so um

33:49.8

and this is massive for me especially this is by no means uh anything against flask or so but um

33:58.9

when i need login i know i can count on django to some extent right there's no i'm open id

34:06.5

connect like we said but i've got that covered i've got form validation covered i've got models

34:12.7

i don't need to think about how to integrate um sql alchemy which i love and think is way way way

34:19.1

superior um than the django orm in some senses and the same goes true for flask itself but it's like

34:25.9

this thing um you where you have everything out of one hand and you have one documentation to look

34:33.4

at you have one one channel for support uh where you don't get told to this is not a problem with

34:40.3

um the form handling but it's with the models different yeah this other channel because this

34:46.4

is all a different company or something like that okay okay so that that one hand that battery's

34:50.9

included i guess you could if you think about the scope of django as it is now and thinking about

34:56.2

this from you know we constantly add things but do we ever take anything out is it are there bits

34:59.9

that you think we could retire from core or take out of core separate and and contrary to that as

35:04.8

well other bits that you think no actually i'd like to bring that in and that's missing from

35:08.3

my deck so for me it's most certainly the the low-level tooling like um authentication um

35:14.9

configuration and um there was a third one but this i would like to see in core and um more of

35:23.3

it but i i've never used the sites framework for instance but it's it's hard to throw stuff out i

35:30.7

i understand that but all in all um i i think the the scope should should stay roughly um i i also

35:41.7

wouldn't want to um add too much support for instance for htmx i i know plenty of people are

35:48.4

using it but it's still like it's it feels like new it's great um some people are using something

35:55.5

else and maybe maybe in three years um we are back to somewhere else but um this is especially

36:05.6

an area where we can um experiment outside and uh you know when we added for um i think it was

36:13.4

template partials where you needed something to make it work.

36:17.5

This has been the story for Django all along, right?

36:20.8

What's the minimal thing we can do to enable you to implement your ideas?

36:27.9

And in this case, it's two lines and you can build Django template partials, which offers

36:34.1

much, much more flexibility.

36:36.4

But what you needed in core was one line.

36:38.9

I understand that this doesn't work for stuff like authentication or not always, where I say like, yeah, I would feel better if I don't have like 10 libraries of glue code.

36:50.0

I want one security solution and want that to work.

36:53.9

Do you have any thoughts on UV?

36:55.9

I see you have a repo on it.

36:57.3

Have you had a chance to play around with that at all?

37:01.0

um i'm i've converted pretty much everything to it okay that's a yes yeah yes um but not

37:11.1

well how to put it everyone is complaining every time that packaging in python doesn't work which

37:18.7

like i guess is or was true to some extent but for me it's um how to put this it's like

37:29.2

writing a web application without knowing http right um you you can use django without knowing

37:36.1

http but you you have a much better understanding of it um if you know that http is supposed or

37:43.9

yeah is stateless and what this means what when you should get uh when you should use get when

37:50.1

you should use post and what the implications of that are so for me uv is mostly um useful in the

37:58.5

sense that i've i'm getting a single binary that i can easily um include in my docker files in my

38:06.2

intermediate build containers without having to install much and from that on let uv take over

38:13.3

but similarly i had the same thing with um poetry and pdm um i think i'm switching my package

38:21.7

manager for python yearly so okay okay but i'm in the other school every 20 years well we had

38:28.7

we had hinnick on recently and he's fully on board with uv and i think when i ask around most people

38:34.3

who've who've tried it are like yeah this is certainly for the foreseeable future this is

38:40.3

the way to do it well and what's helping me currently is that they are um well maybe because

38:49.5

they are funded or just because they are funded um there is a really really quick turnaround on

38:55.4

issues and while i understand that um stuff doesn't move fast in open source it's like when

39:03.2

you're when you can't build your project anymore because um some new package got released somewhere

39:09.4

which breaks the dependency resolving of your package manager and it's it's not like um resolving

39:16.7

packages is an easy task right so it's it's not something i can fix even if i want it and it it

39:24.3

really helps to get a quick turnaround there and even if it's um like with some stop hatches to

39:29.1

explicitly tell the package manager use just this package i don't care whether it works on windows

39:34.3

or not i don't care if it works on a mac i just want it to work in this specific docker container

39:39.3

and this is my deployment unit it's great that it doesn't resolve for i don't know cuda and whatever

39:46.1

GPU stuff you have nowadays

39:48.3

but that's not what I need

39:50.3

Have you looked into it closely

39:52.6

enough to

39:53.2

see into the performance

39:56.2

enhancements because I think

39:57.2

it's obviously written in Rust but I think most of the

40:00.2

enhancements are just

40:01.2

because it's cleverer about

40:04.3

how it searches for packages

40:05.5

it's more aggressive

40:08.4

about caching and things like that

40:09.7

I wonder if you know anything about whether those

40:12.2

speed gains can be brought

40:14.5

into say pip or like you know the community tools um i do think so because um pdm actually

40:22.3

uses the resolver or users can use uv for resolving nowadays um so it's certainly doable

40:29.9

but i'm not sure if the resolver itself um i mean the resolver certainly plays part in it but i'm

40:37.4

just guessing i haven't profiled it but what i do know is that there is aggressive really really

40:42.4

aggressive caching going on to the extent like when your package is installed and it's installed

40:51.5

in editable mode and it then gets put into the cache with an explicit version and which means

40:58.2

your later log files will then include this version instead of your project so instead of

41:06.5

your dev version i mean that got fixed but there are um we are moving to caching bugs now in uv so

41:13.1

whether that's a good sign or a bad sign i don't know but it it certainly works and it works fast

41:18.7

so okay okay cool cool cool i have a question this is probably just because i started working

41:25.0

at jet brains which makes pycharm intellij i'm curious what what text editor id do you like to

41:31.3

use these days and why um i guess out of habit uh visual studio code um i was using vim for a long

41:40.8

time before but the um yeah the easy let's put it that way the easy integration of auto completion

41:48.6

and everything uh won me over i i do know that i can do everything with vim and emacs as well but

41:55.1

i i just don't care um especially if i'm using vim on servers i

42:02.7

or usually vim is one of the editors installed on some servers not not those necessarily that

42:10.4

we manage but um i had my fair share uh working with other servers and you you'd have a default

42:18.4

configuration there and once you use vim on your local laptop and connect to a server and the

42:24.7

configuration is different there it's it stops becoming viable this this is one of the reason

42:31.3

i don't want the editor that i use unconfigured with the default settings for system administration

42:35.7

also be my programming environment and visual studio code was fast enough i'm i'm still a

42:43.9

an unhappy user so to say because um i'm not going or i can't justify paying i'm maybe i could

42:52.1

I don't know what the policies are or if it's possible to pay for it, but with all these

42:57.2

Python plugins becoming more and more closed source and the digital right management stuff

43:02.4

around it, I'm not too happy about it.

43:06.2

I understand parts of it, but I haven't found a better solution yet.

43:12.6

And also, I mean, I know we do use JetBrains here and there, but, and correct me if I'm

43:19.7

wrong.

43:20.2

Last time I looked at it, it was 10 years ago.

43:23.3

But I think it's still like you have one program for one language.

43:30.4

And in Visual Studio Code, I have some plugins and it works well enough.

43:35.4

And I'm switching between five languages a day.

43:39.3

So I wanted the consistency.

43:41.8

That's a common thing out there.

43:44.5

There is some truth in it.

43:46.0

I think it's not totally true.

43:48.2

for example, if you use PyCharm for Python, it also pulls in WebStorm, which has support for

43:54.9

JavaScript, TypeScript, HTML, CSS. So, you know, if you want to hop over to Java, can't do that as

44:03.1

easily. So there's, I think JetBrains doesn't talk about that, the bundling, partly because

44:11.0

there's the pro and the free version. So it's, it's mostly true. I mean, there's, it's interesting

44:16.7

that VS Code is a little bit like Flask in that it's micro, and then you rely on the community

44:22.7

for most of the plugins that you want to use, whereas JetBrains is a little more like Django.

44:28.4

It's all in-house. I mean, under the hood, it's basically the IntelliJ Java engine. So there's

44:34.2

a global engine that drives things, and then there's specific things for PHP or Python or

44:38.8

what have you so it's a little more jango-y um but yeah at the end of the day that's a common

44:47.5

thing people say and i think if you are bouncing between a lot of languages like i certainly

44:51.9

understand why you'd want just one ide for that and i mean for me it's not i'm not doing much

44:58.3

editing right i'm mostly looking at code but on a normal workday it's probably go rust in the worst

45:04.9

case a little bit of c and then usually some java and whatever i have with ansible so so mostly

45:11.5

uh yammer scripts or yammer files and it's i need most i mostly need syntax highlighting and

45:19.5

that's about it have you tried um have you tried zed at all that do you know about this project

45:24.8

no it's i i have it's from the the people who made the atom editor for github uh will will clop

45:31.0

who's involved in the Django community.

45:33.1

He's, yeah, it's public.

45:34.4

He just started working there part-time.

45:36.7

That's interesting.

45:38.6

It's interesting that they're not going

45:40.4

a thousand percent AI focus yet

45:42.9

the way everyone else is, right?

45:44.5

So obviously VS Code is, JetBrains is, Cursor.

45:49.6

There's sort of these two extremes of like,

45:51.5

have AI, have full integration agents and stuff.

45:54.8

And then there's also, I just want a text editor IDE

45:58.3

with some syntax highlighting that isn't slow.

46:01.0

right yeah and i mean um looking at other things is um part of my day job right and so if i am to

46:12.3

change my personal editor or something the the pain it inflicts on me needs to be really really

46:18.2

high i just don't have the capacity to change my system and everything every other day because

46:24.2

um that's already my day job right and i i want some consistency in in some things that i use

46:31.6

just mentioning the ai i have because i imagine you can't go near it really at work because you

46:37.1

can't risk you can't risk errors i i don't know um i'm i'm not involved in those discussions

46:45.3

um i actually don't know aside from coffee table discussions if there are any um but i i honestly

46:53.4

don't think it would be a problem because uh we would still have code review and everything

46:58.5

it would still be your fault not not that we assign blame or anything but you you have to

47:06.1

take ownership of the code you want to submit and um i i think um like simon is uh simon wilson

47:16.1

is blogging quite a bit about it um it is like with everything um if you know something like

47:22.7

Django well and AI can help you iterate faster and I'm not sure if it maybe it was Guido

47:33.4

in his early days after joining Microsoft or something like that it might have not been him

47:43.9

but I have this quote or rough quote in my head where he says like you don't need an IDE if you

47:51.6

know where everything is right and for me this holds true to some extent because um an ide doesn't

48:01.7

help you find stuff all the time you still need to know where to go looking and i i see this

48:07.4

nowadays with visual studio code i'm i'm not doing that much django anymore so i use the auto

48:13.6

completion and i like i need to import a response object or something like that and i get a

48:19.1

completion with 30 response objects um 10 response objects are from sub projects like

48:26.4

django drf or django ninja which re-import and so so you still need to know which response object

48:33.8

is the correct one for the task and whether this is just a forward import or if it's a subclass

48:39.3

so yes use ai by all means i mean i would be careful or ask legal whether i can send stuff

48:48.3

outside our work perimeter.

48:50.6

But in the end,

48:52.0

it's a tool like everything.

48:53.5

I wouldn't be too afraid of it.

48:55.5

Okay, fair enough.

48:56.4

I was just watching,

48:57.7

Guido had an interview

48:58.4

with Lex Friedman

48:59.7

a couple of years ago

49:00.5

in his podcast

49:01.1

talking about text editors.

49:02.4

And Guido was saying

49:03.7

that he used,

49:05.0

for a time,

49:05.8

he used PyCharm

49:06.8

specifically just for the search,

49:08.4

but then he would go back

49:09.3

into, I forget,

49:10.2

Vim or Emacs,

49:11.0

something, you know,

49:11.8

now VS Code.

49:12.8

So there's something around

49:13.7

like these tools

49:14.4

help you find stuff

49:15.5

in a huge project,

49:16.4

but then you just want

49:17.6

something minimal if you you know know exactly what you're doing i would also say that that's

49:23.6

part of so i'll just say one more thing like you know if you see a drop down of 30 30 imports um

49:29.6

that's something that for example like pie charm has a django integration so i think in some cases

49:36.2

at least we do a better job with that but like how do we i'm only a month in so how do we

49:40.7

communicate that how do you say that you know marginally better uh it's it's hard right because

49:46.4

we we pick a tool we get used to it and then um especially as you're senior you don't really want

49:51.1

to switch around your tooling that much yeah and i mean even whether you're better or not

49:56.5

it honestly doesn't matter as soon as you're going to say it you're going to start a flame war

50:01.3

because people will find this one edge case where vim also performs better and i'm just not sure if

50:07.9

it's worth it and what what came all out for me is that this language server protocol so all those

50:17.3

generic integrations into the editors which are not always that generic but those helped a lot

50:24.5

and this is really important for me when i look at a go project or rust project where i have

50:31.1

literally no idea and i'm able to find um sub implementations or references to this piece of

50:37.7

code which is not so fun in python which is um i mean chatbrains has good support there in java but

50:48.3

with um all this dependency injection going on like you can you can view all the implementations

50:55.2

of an interface but you still have no idea what you get auto wired via configuration somewhere

51:00.3

so it's really hard for me even with the i don't know what the chat brains um sub ide for java is

51:06.9

um but i have looked at that at one point and i i found everything i needed but i just didn't know

51:14.0

what was actually in use but that's not chat brains for it right but if you take an interface

51:19.5

it can be anything so i'm i reckon that the the main difference there between the different

51:25.6

grades of autocomplete you get is the static typing of on the language it's a rust super go

51:32.1

great python not so great which leads us naturally into the question of typing in in django it's come

51:38.3

a long way over the last few years typing i think in python what are your thoughts on that as we go

51:44.6

into 2025 like how do we push that forwards um i i'm honestly not sure but because um i think it's

51:54.9

it's an incredible tool. Personally, I'm now at the stage where I would like to see it.

52:01.8

I'm not sure how to start, right? Because, for instance, we need to be able to type the low-level

52:11.6

objects first and then kind of build up from that. So I don't think that an approach where we

52:20.6

just annotate new code is going to be that helpful especially we would want to have like

52:28.9

type checking in ci that verifies that we're using it correctly and if 90 of the code base

52:36.2

are not annotated i honestly don't know how this is working so um but that's just me not

52:43.6

using typing that much especially not in django because it's not there in my other projects i do

52:49.8

use it and um it it is really hard i i have to admit so whenever you are trying to do something

52:58.9

tricky it it sometimes feels like i'm writing c++ again right um in the sense that uh in in python i

53:07.7

i have this elegant idea this is done in one line and then the type checker says yeah you can do

53:13.2

that yeah okay i know i can write it like i would write static code with no extra features um and

53:19.6

then my types will work this is probably a bit unfair to both languages but for me it it is

53:27.1

really hard to get started especially um like when you say unicode and text you have like um

53:36.0

be lenient in what you accept, but you have to be strict on output, like HTML rendering and

53:46.0

everything. And this kind of is the same thing here, like in typing, do you take a list? Do you

53:52.3

take an iterable? How far do you go? What happens if you take an iterable and you want to be strict

54:00.3

in your output then you put a list or something there but does the iterable convert to list

54:05.9

probably not because it can be anything and i've had a case so i know some version of django let's

54:13.1

call it two point something made allowed hosts it said no it has to be i did a check where allowed

54:19.4

host had to be a list and i'm like i've got a project from the old days that has an iterator

54:24.1

there and it's just broken and like ah why yeah that's so certainly type checking is is hard um

54:31.2

i i really see the benefits especially in in smaller projects um at one company where i work

54:38.3

we had like um communication with phone systems like in a hotel guest check-in check out and

54:48.0

stuff like that and those are phone systems from really old age basically where you have serial

54:55.3

cable updated to ethernet via converter and so and you basically get the raw serial stream over

55:03.7

tcp or usb depending on what you use and we were writing code against that and nowadays

55:10.6

with python and it was really hard for me to write tests for such a thing because the code was

55:17.6

Async and I tried to write it with this SANS IO approach, but in the end, for some projects I just can't justify writing the tests. I mean, that's probably

55:31.4

not true but it's it's really really hard and typing there helps a lot it it eradicates a whole

55:38.9

class of mistakes i think be that typos i mean the the ids are already good with typos per se but

55:46.2

everything else like trying to add an integer to a list or something with the wrong operands

55:52.4

this is really really great and it shouldn't mean that you don't have to test anymore but

56:00.1

you you don't have to test that much i would say because previously you have you you're taking an

56:08.3

object basically and you either have to document very carefully what the function actually

56:13.4

takes or you have to check inside and throw errors and then you would want to test this and

56:18.9

now you say okay but if i say this is a string or something i rely on the type checker during

56:26.1

development that it ensures that it's a string and then i don't test what happens if i pass in

56:31.0

an integer yeah and with a compiled language you you have that as soon as it compiles often it just

56:37.2

runs and it you know is bug free because you've satisfied the compiler and the same applies with

56:42.0

type checking right to a certain extent but it's still not easy no okay so i've got one more sort

56:49.6

of question i want to ask you is it as a you know but a very long-standing community member you see

56:57.6

where we're at with you know discussions and featured requests and you know the difficulties

57:02.1

we've had pushing django forward i think over the last few years it's been very stable but

57:05.8

you know there's there's a lot of desire to push django forward how do you think we can do that

57:12.9

best what are your sort of you know as you as you watch and as you partake in the conversations how

57:18.3

do you think we can move forward now um that's one of those where i think i don't have an answer

57:24.7

um part of me not being this active with django anymore is um probably kind of

57:33.0

i wouldn't call it burnout but um it's this this inertia that exists where you just can't get

57:42.1

anything off the ground because no matter what you suggest the default setting is no we we are

57:47.9

not going to do that and this is the reason also on the other hand why i like programming in django

57:54.6

because i can rely on it to work like this in one year which makes it really really hard

58:01.4

um one idea that just came to mind literally now so no no idea if it's uh viable is to ask

58:11.8

other communities like rails or spring to talk about exactly this on django conferences

58:21.2

that they provide their experience how they managed to move beyond such a point or maybe

58:29.3

they didn't have this point this problem at all and this would give us an outside perspective

58:36.4

I think we're doing better recently than we did a year or two years ago, especially with the new steering council as well, because I think we need to make choices now.

58:54.9

and i'm i'm happy if if someone makes those choices and i whether they align with what i want

59:04.8

is not necessarily um required um it's just there is a choice and we know this is the path forward

59:13.5

um for instance the async support in django is something that that lingers around with no

59:21.0

no good path forward i think because do we want to add duplicate code for every method i don't

59:28.4

think so and now we have this this code generation idea and we we will see how it turns out personally

59:35.7

i'm i'm not using async django that much and um i i'm not sure maybe for some parts one can use it

59:46.7

but I won't see Django as a general async framework,

59:52.5

especially with this handling

59:55.5

or how the async code in Python generally looks.

60:00.3

I mean, it's not so bad nowadays,

60:03.4

but I have bad memories of the callback health

60:08.7

in JavaScript and to some extent in Quisted,

60:11.7

which really makes it hard to follow the code.

60:15.6

And this is probably because I stayed away from it.

60:19.1

And also, I don't need it.

60:22.1

For a general purpose homepage, there is no need to serve every view asynchronous.

60:27.6

If you, especially with Python 3.13, I mean, it started there, it will get better.

60:33.1

And free threading, we finally have the possibility to catch up with our web servers and spawn

60:38.7

like a hundred threads.

60:40.3

And this is what we can handle instead of a few processes.

60:44.2

I love your idea of having someone from the other communities come to a DjangoCon and speak.

60:49.0

I mean, we, for example, we had David Hennemeyer-Henson on this podcast early on.

60:54.0

My hypothesis would be that if you look at, so, Java Spring, VMware largely runs that.

61:01.8

Rails, Ruby on Rails, you know, that's David Hennemeyer-Henson.

61:05.2

He largely runs that still.

61:06.6

If you look at Laravel, you know, they raised $72 million and one person kind of runs it.

61:13.6

You know, that's kind of the difference is that all these other ones we're competing

61:17.4

against, you know, FastAPI, it's Sebastian in charge.

61:20.5

They do have a little bit more of the BDFL, not they do sort of, they definitely do, so

61:27.5

they can move faster, right?

61:29.2

So I think the question is, over the long term, what happens when those companies or

61:34.7

people want to step down?

61:36.5

But, you know, that's, I strongly suspect that's why they can move faster, because there's

61:42.5

someone with a profit motive working full time, whereas there's no one in the Django community

61:46.5

doing that. Yeah. And I also don't imagine that spring or something is going away soon because

61:53.0

there are so many big, really, really big companies using it. So there will always be

61:59.2

someone picking it up. If they end up in the same situation as Django, then I don't know, but

62:03.9

there is enough incentive and money behind it, I guess.

62:07.8

Oh, but if we had, you know, I don't know, if Instagram had decided to, like, put a ton of money into Django, like, it would move faster.

62:15.0

It would still be a community, right?

62:16.3

Like, so there's more the question of VMware or some for-profit thing that pushes it as opposed to 100% community.

62:26.1

Would that actually be true?

62:27.6

I mean, we always say we do have roughly enough money.

62:30.9

I mean, more money would be good, certainly, but we don't really have the best plans to spend it yet.

62:37.7

Like what I could imagine, for instance, is like if Instagram employed relatively early on all of the Django core members and took it over, that we might be in a similar situation like Spring is because then you would have a clear leadership in that sense.

62:57.3

i don't think that money provides this um clear goal of where to head next unless it's um coming

63:04.4

with the tag like okay um this money is for improving the orm to this situation or something

63:12.5

like that it's an ongoing thing yeah absolutely i've got to say something like i think for me

63:21.1

it's very much we the trouble with having everything in in core all together and everything

63:27.7

going through core and everybody wants to get their feature into core is that everybody's then

63:32.1

having trying to have one conversation and it ends up with too many people having the same

63:36.1

conversation and what would for me what i'm trying to think of ways without you know taking out the

63:41.8

orm so you know you'd have to install that stuff but find a way where we can just modularize

63:47.0

slightly so that there can be three or four conversations going on which don't all have to

63:52.4

go through the same bottleneck and i don't know quite how we get there but i've kind of feel like

63:58.4

we need to do something in that direction what the boost library is doing it's i mean it's a c++

64:03.4

library they have this um git master repo where they have submodules for every submodule basically

64:11.0

um but i think this would be kind of hard for django because like the the components are so

64:17.9

so intermingled and it we don't have clear boundaries right and we don't want them in

64:25.5

the end because that's what makes django great that the form framework integrates so well with

64:30.9

the models and um i'm not sure if it gets better if we have more boundaries in between um as

64:40.0

little small slight they are but yeah no but exactly so what what was the reason you use it

64:46.1

you use it because of that integration that it is you know it's got that Django feel right

64:51.3

I think we're basically up on time was there anything you wanted to mention or

64:57.2

you wanted us to ask you while you have a microphone

65:00.5

um no I think we've covered quite a lot um well actually what what we didn't talk about no

65:09.9

we are going to talk about that now um how this that project template uh looks like which is what

65:16.6

actually brought us in here right yeah because we were talking about it on the social medias

65:21.8

exactly and so well just as a quick recap so that there are always those discussions what

65:29.2

start project and everything um should include or should not include and i think it depends a

65:36.2

bit on what you're doing right um we we already have start project templates and there is cookie

65:41.5

cutter and django and copier out there which which i really like because it allows you to

65:49.1

release new versions of your template and then update existing projects

65:54.0

and you obviously sometimes get conflicts then but this provides some

65:59.2

nice way to actually update your projects without manually reapplying all your changes

66:05.4

And what I'm doing is basically I'm shipping applications, right?

66:10.9

I'm not in an area where I say, okay, this is the application added to your settings

66:17.6

file and I'm shipping complete application like Netbox or maybe Venueless ships.

66:25.3

And what I found useful is that you could just use that project and then immediately

66:31.6

at this generated project as installed application into your setting uh into your settings file and

66:40.7

this solely means i think at the current point it means you still have to um create an empty

66:47.0

models.py file but aside from that you're basically pain-free and then you can add further

66:54.3

applications as on on a sub directory sub package basis because it's it's way easier for me to have

67:03.9

like my current project for instance is named oversight it's way easier to have an oversight

67:09.6

dot core application and oversight dot user and oversight dot something application than to think

67:16.7

about valid package names for every application and it's it's meant to be used together right

67:23.2

and we have this namespacing and we can use this and i don't see any any reason anymore for this

67:30.8

project a project for me so in in django speak is basically a settings file or not even that

67:38.0

the environment module uh django settings uh the environment variable django settings module

67:44.8

basically defines what your project is and you can bootstrap everything from that so

67:50.7

that's what i'm using okay so it's like the single folder right the the start project folder is the

67:57.1

app itself and i think i think that's a big step forward because the you know will often talks

68:04.1

about this with these books but like you've got the start that first run experience where you go

68:08.4

start project now start app now add it to installed apps now which folder am i meant to be in which

68:13.4

file am i meant to be in it's just too much going on right and it would make tutorials quite a bit

68:19.0

easier i think i'm i mean we would change the start project template probably to account for

68:25.1

that so not just add the application to the project to install applications but also like

68:30.3

provide a dummy models.py and tests.py which we don't use and maybe i don't know i'm sometimes

68:38.6

moving the the whisky module into a sub package then because it's it's a little bit ugly on the

68:46.5

top level right but that's whatever you prefer i mean i think for especially for newcomers if you

68:52.5

so i have a open source thing called lithium now that was django x that basically just gives you

68:59.1

django all off and a little bit of config but if you had it'd be nice if there was an official

69:04.7

you know bootstrapped blog or crud with auth or right there's only two or three kind of things

69:12.2

people want. And if there was, you know, start project gave you that, that would certainly up

69:18.2

the learning curve. And then of course the big one would be have production, right? Where you

69:22.9

default to production and you'd probably need to use environment variables, but have a way to do

69:30.9

that. You know, if I, you know, if I could go work on Django for like a year, I would add those

69:37.0

happily and just put them in. Cause I think that would help newcomers for sure.

69:42.2

I mean, I started doing that with a copier template where you could provide in.

69:48.4

So copier asks you a few things on startup and you can define those questions and like, do you want a bootstrap template?

69:55.7

Do you want this JavaScript integration?

69:58.1

So basically provide a kitchen sink Django template.

70:03.1

I stopped doing that because when I'm using Django, I use this one CSS framework.

70:09.7

use this one javascript library and um i think in in all those generics uh there are days

70:18.9

lots to be lost because with all this flexibility there comes uh much more complexity and so we

70:27.8

probably need like um 10 or 15 start project default templates well if we were you know and

70:35.2

If we were Laravel, we'd just charge for them, you know, so.

70:38.5

Right, right, right.

70:40.1

But I think there are also some Django software as a service templates where you click together.

70:48.4

Like I want to include authentication.

70:50.3

I want to include Vault for secrets management and everything.

70:55.6

And they are selling.

70:58.0

I don't know how well or something, but certainly an area to look at.

71:04.2

I mean, I'm not exactly sure about the business model because.

71:09.5

Well, it's it's I mean, Corey, Corey Zhu has SAS Pegasus.

71:13.2

He's, I believe, working on that full time.

71:15.4

So that's working.

71:16.3

Then there's a dozen other ones I could name that do similar iterations.

71:22.2

My sense is that it seems people want the SAS integration more than they want the rest of it.

71:27.5

Right.

71:28.4

But once you download the code, probably licensing is stopping you from using it for another project.

71:37.1

But you get the ideas, right, how such a thing is built after you paid for the first one.

71:43.0

So I don't necessarily see it scaling that well inside one company that you can sell it many times.

71:51.7

But I'm happy to be proven wrong.

71:53.5

And if it works for him, it's perfect because that's certainly something we miss.

71:58.4

well we're going over time i think it's like it's people it's an education thing people use i mean

72:04.1

this has been done other frameworks where people use a sass starter thing in rails to get going

72:09.2

and then fill in the details i think it works a lot like that actually for people but

72:15.8

yeah i don't know i don't know exactly just let me just finish this topic there is a depth that

72:22.3

we're hopefully going to push forward in the 6.0 or 1 timescale

72:26.6

to update the start project template,

72:29.1

make it a bit simpler along the lines you've talked about there, Florian.

72:32.5

And then also as part of that,

72:34.6

try to promote using templates a little bit more

72:38.2

to make it more obvious to people that, you know,

72:40.6

there are these templates out there and you can create your own one.

72:43.1

And, you know, then maybe we can have two or three or four example apps,

72:48.1

simple example apps that are like, oh yeah, look, there's a blog.

72:51.4

There's a wagtail example.

72:54.1

There's a who knows what.

72:56.5

Yeah, hopefully it's just the templates currently are a little bit hard to use.

73:01.3

If you use non-standard files, you have to include it in the command.

73:04.5

And that's what Copier gave me.

73:07.4

And it's like reinventing the wheel.

73:09.3

Why improve Django in this direction if we can use Cookiecutter or Copier?

73:14.0

I don't know.

73:14.6

Maybe use something else.

73:17.1

Yeah, okay.

73:17.6

Well, that's a good point.

73:20.1

We probably will leave it at that and hash it out.

73:22.4

Yes, yes, let's do that.

73:24.6

So Florian, thank you for coming on.

73:26.9

When we first started this podcast,

73:28.5

you were one of the names we wanted to have on

73:30.1

and six years later, here you are.

73:32.8

We finally did it.

73:36.6

Yeah, I'm good at escaping those things.

73:39.9

Yeah, well, that's probably why you're productive.

73:42.8

So again, thank you for making the time.

73:44.5

We'll have links to everything in the show notes,

73:46.8

chat, jangochat.com, and we'll see everyone next time.

73:50.0

Bye-bye.

73:50.9

See you next time.

73:51.7

Thank you.

73:51.9

Bye-bye.

73:54.5

This episode was sponsored by Hacksoft, your Django development partner beyond code.

73:58.6

Learn more about their services in the link in the description.