Django Chat

MySQL & Security - Adam Johnson

Episode Summary

Adam Johnson is a Django core developer responsible for the popular django-mysql package. We discuss why MySQL still makes sense with Django, security, hosting on AWS, and more.

Episode Notes

Episode Transcription

Carlton Gibson  0:06  

Hi, and welcome to another episode of Django Chat. I'm Carlton Gibson, joined as ever by Will Vincent. Hi, Will. And today we have special guest Adam Johnson with us. Hi, Adam.

Adam Johnson  0:14  

Thanks for having me on.


Carlton Gibson  0:17  

So, Adam, you're gonna have to tell us about yourself. So who are you, and how did you get into Django? Let's begin.

Adam Johnson  0:23  

Yeah, I've been a member of the core team since 2016, but I started working with Django back in 2012 at my first full-time job, Memrise. And since then I've worked with Django at other companies, YPlan, Time Out, Jean Sai, and now I am a contractor offering services under my company, AWS, Adam's Web Services.

Will Vincent  0:48  

So now, in university, had you done anything with web frameworks before Django?

Adam Johnson  0:54  

And I actually started building my first website when I was 11 years old. As a little freelancer, I was paid a very small sum for building the podiatry website for a friend of the family's business. And then when I was 16, me and my brother set up a shareware service, offering game creation software, as well as Red Fox Studios. And for that we had a PHP website with no framework. So I kind of experienced the world of frameworkless web development, just PHP, some files on a server. Yeah. The concept PHP did...

Carlton Gibson  1:37  

Crack open the template, open the tag, start writing some stuff. Yeah.

Will Vincent  1:41  

Well, that's... I wanted to ask you about, you mentioned Memrise. So I was at Quizlet, I think at the same time, maybe some overlap. And Quizlet was a PHP, no-framework site.

Adam Johnson  1:52  

So I'm really...

Will Vincent  1:54  

Because it was originally built in 2005 by the founder when he was in high school, so there were lots of learnings around that. Fun. But it's still going, it's selling, so.

Adam Johnson  2:08  

So what was, how to...

How did they develop the kind of internal framework, or was it?

Will Vincent  2:13  

I think it was just pieced together, is the honest answer, and sort of Frankenstein. And, you know, that's not uncommon, especially when, you know, the creator was young, and it was pre these really great PHP frameworks like Laravel and stuff. So, you know, it's hosted on giant servers, you know, so it was a long time ago. 14 years ago, setting up a website, I mean, way more was co-located across the board. I mean, payments, ads, all that stuff was just light years more complicated.

Adam Johnson  2:41  

I think deployments are easier, because you drag and drop the files onto the...

Carlton Gibson  2:44  

Server. Well, the joke, the joke is the sink and the can of beer, right? It's just, what, yeah, what's your upload, and if it didn't work, you just re-upload it and edit it live over FTP, and, oh, yeah, it's done. Yeah, it's fixed.

Will Vincent  2:57  

Well, so at Quizlet, and Memrise for you. Were you the only web developer on the team?

Adam Johnson  3:01  

Is that correct? When you were there? No, no, there was a period when I was the only web developer. Okay,

Will Vincent  3:06  

Because it was already quite a large site, because I know that the founders knew each other back in 2010 to '13, when I was at Quizlet. And we knew of Memrise, you know, even back then.

Adam Johnson  3:19  

Yeah, I was at Memrise 2012 to 2014. And in around mid-2013, there was, like, quite a big staffing change. So we ended up with one person looking after the mobile app, me looking after the website, and a part-time contractor handling DevOps, where the service needed rebuilding, effectively. So that's when I learnt quite a lot of the depths of MySQL and the value of doing DevOps properly.

Will Vincent  3:47  

And was it always Django? Was it Django before you came on to it? It was Django...

Adam Johnson  3:51  

...before I came on to it, yes. And I remember doing the Django tutorial and thinking, oh, wow, there's structure to building a website. This is just how...

Will Vincent  4:00  

Testing. Right. Especially coming from, yeah, from PHP without a framework.

Adam Johnson  4:05  

Yeah, in one of my first two weeks I did the tutorial, like...

Will Vincent  4:10  

I've been using it since. And you've been a MySQL fan ever since, too, right? I mean, because Memrise was dealing with a lot of data even back then. And so I'm sure you've got to roll up your sleeves and feel some real database scaling fun.

Adam Johnson  4:22  

Yes. I remember I had to sit down and read the MySQL book for scaling websites, called High Performance MySQL. And that's by some of the key people in the MySQL community, like Peter Zaitsev, the CEO of Percona, who are a MySQL consultancy. And, oh, yeah, we were just digging through that. We used...

Will Vincent  4:45  

Percona at Quizlet. We had them at the highest tier of retainer, and they were very needed.

Adam Johnson  4:53  

Yeah, we hadn't quite hit that scale, I don't think, when I was working there, but we had a lot of data. One table was 100 gigabytes.

Will Vincent  5:02  

Oh, wow. Well, we also had, again, growing pains. It's been a long time, and Quizlet's big in size. I think Andrew won't mind me telling this, but at one point we didn't really have much permissions. I mean, we had two developers at the time, or when I first joined, two developers, and Andrew went in to delete a record and dropped the entire database by accident. So that was a fun five, six hours, and we called Percona, like, hey, we need some help here. You know,

Carlton Gibson  5:29  

Those backups? You said we had? Yeah.

Will Vincent  5:32  

Yeah. No, I was, I remember, they set the gold standard for a consultancy, because we had, you know, generally scaling or whatever challenges, and we weren't the experts, and it would always be someone different, usually in Eastern Europe, and they would just almost immediately be able to diagnose and fix the problem. It was pretty miraculous, actually.

Adam Johnson  5:53  

Yeah, one of those things where they just know everything about the system. And so now I definitely got the impression, reading the book and their blog posts, that they know everything there is to know about MySQL.

Will Vincent  6:05  

Yeah, I mean, we almost couldn't pay them enough. It was just, you know, even though it was a lot, it was... I was just blown away. They always knew it. And I guess it makes sense, though. I mean, they're consultants, they've seen... you know, that was our first time building a site at scale, but they've been through it. So the issues that we had were not unusual.

Carlton Gibson  6:22  

So, well, like you mentioned, you're part of the core team. And the sort of the thing you're known for there is working on the ORM and working on the MySQL side, and you maintain the django-mysql package as well. So could you tell us a little bit about that? What that does. And what, sorry,

Adam Johnson  6:40  

Back to the table, the package is how I got invited into the team. And so the package is, it was originally called django-mysql. And we were using MySQL at YPlan as well. And I saw django.contrib.postgres come in from Marc Tamlyn's great work and the Kickstarter there. And I got a bit frustrated that, you know, MySQL could do some of these things as well. And we had some use for this feature or that feature. So first I developed stuff in-house, and then I was very quickly given the chance to open source it under my own name, and then it kind of snowballed from there. I tried to cover as many features as possible. I found it quite enjoyable just reading Django fields and things like that, and kept the package well tested. And then at the third Django Under the Hood, I had quite a long chat with Josh Smeaton, who's also a core member. And a few months later, unexpectedly, I found myself invited to Django core. It was a very nice experience just seeing everyone who voted for me and that I've had some impact with my work. Okay. Yes,

Carlton Gibson  7:52  

Super. And so, so my story: I began with PHP and MySQL back in the day, and I was using it very happily for a long, long time. And then, you know, the whole contrib.postgres thing came along, and I started using Postgres because I wanted the extra functionality available. And all of a sudden, over the course of two, three years, MySQL just dropped away. And I think now, for me personally, and I think Postgres now is in a position where it has a lot of the mindshare, but it's not necessarily the most, well, maybe the most capable database or not, but what has MySQL got to offer us? Perhaps, you know, we're in this Django world where Django comes packaged with this extra functionality for Postgres. Why should we be considering MySQL? Because I think that's a great topic for us.

Adam Johnson  8:38  

Yeah, I think MySQL has had a bit of a troubled past after its acquisition by Oracle, as Oracle have their own database as well. So they've been seen as not focusing on MySQL's development, and it definitely lagged behind feature-wise from Postgres in many respects. But now the ecosystem there is a bit stronger. So Percona, who we were talking about, maintain their own fork where they have a number of fixes that they've merged in from that consultancy experience. And then there's MariaDB, which is a completely hard fork at this point, that implements features faster, has a faster release cycle, and is effectively the Postgres of the MySQL world at this point. And so it's fully open source.

Carlton Gibson  9:25  

If I'm a user, should I really be looking at MariaDB? If I'm, you know, at...

Adam Johnson  9:29  

This point, yes. In my recommendation, at least. If you're maybe more of a corporate user, you might still want to look at MySQL, because Oracle's bigger and maybe it'll be easier for you to get a contract with them. Okay, you can...

Carlton Gibson  9:48  

Get a support contract, that kind of thing.

Adam Johnson  9:51  

Yeah. But I think MariaDB is in a better position going forwards. And the place that I think MySQL shines over PostgreSQL is in replication, okay? So Postgres has had, like, a load of different replication methods in the past. And then they've eventually merged one into the core, after changing their minds that replication should be something that the server should do. Right. Okay. Whereas MySQL has had it from the start, and it's a lot more flexible. And one use case I've seen a few times is having a replica of your master database, but still being able to write to it, on perhaps a different table. And you can't do this in Postgres. And one of my clients I work with right now, they just, like, dump and load the database every hour or so into a replica so that they can have a writable replica. The take...

Carlton Gibson  10:49  

...on there would be the scaling up of big data, you think MySQL has got? Is it more competitive in that area?

Adam Johnson  10:56  

Yeah, I think that's probably more big distribution, MySQL in the world than Postgres, increased by quite a lot of...

Carlton Gibson  11:03  

Yeah, I mean, I don't know,


Adam Johnson  11:04  

...orders of magnitude. Like, Facebook is MySQL, YouTube is MySQL. I don't think, last time I looked, any of the Alexa top 100 were Postgres. Right.

Carlton Gibson  11:15  

Okay, and does that tell you something, you think?

Adam Johnson  11:18  

Yeah. Okay, interesting. And maybe that's also just, like, sampling bias, right? Like, maybe these companies started to exist and scaled up and fixed MySQL on the way. And if you wanted to create a big company, you could also use Postgres and fix the problems on the way. Okay,

Carlton Gibson  11:35  

And so out of the features that contrib.postgres gives us, what does django-mysql...

Unknown Speaker  11:42  

Give us,


Adam Johnson  11:42  

I think it about matches it. And the key thing is the JSON field, which you and I are both mentoring for an implementation in core that works on all database backends. Yet,

Carlton Gibson  11:54  

So hopefully that'll be in 3.0. It's close. We should get there. Hopefully. Fingers crossed.

Adam Johnson  11:58  

Yeah, but when I started, like, Postgres had it, MySQL, well, MariaDB just implemented it, and no SQL... But it wasn't clear that there's, like, complete overlap with all the databases. Yeah. And so if you're on MySQL or MariaDB today and want to use a JSON field, then you can use django-mysql.

Carlton Gibson  12:21  

Yeah. Okay. And I mean, the thing is as well, like, anything that's in the core ORM is going to have to support all four databases. It's going to have to support MySQL, MariaDB, Postgres, Oracle, and SQLite. Which maybe it can't do. But in reality, your project isn't using four databases, it's using one. So if you're on MySQL, or you're looking into MySQL, you can use your package. Right?

Adam Johnson  12:47  

Exactly. And there are a few little extras in there that will never work on other databases, because there are some features that might come from... I did ages ago. Okay. One thing I found useful is the user locks. So you can use MySQL or MariaDB as a locking server with a string. So you can create a lock per, say, user if you need it. And in Postgres they have such a feature, but you only get to lock by an integer between one and 4 billion. So even having two applications on the same database server becomes a problem. Okay?

Will Vincent  13:26  

Yeah, this is my own ignorance, but does MariaDB or MySQL have the same sort of full-text search support that Postgres has built in?

Adam Johnson  13:35  

It does not have exactly the same. There's Sphinx, which I think you can use under MariaDB, but I've never really tried. And...

Carlton Gibson  13:45  

It has a basic full-text search, but it's definitely more basic than Postgres's. Yeah, I mean, back in the day I used to use that. That was, like, kind of the okay first, what, poor person's, you know, search. You could use it and it worked, and it was not bad if you didn't want to scale up to, you know, a proper search engine.

Will Vincent  14:03  

Well, I asked just because I'm giving a talk at DjangoCon this fall where I'm going to... I need to learn a little bit more about the Postgres options, because I'm aware of them in the abstract. I haven't implemented them myself. So that's sort of an excuse to tell you to do that. Always a good idea with talks, to be like, I wish I knew more about this, let me propose a talk on it.

Adam Johnson  14:23  

Yeah. Well, I think I have an open ticket on django-mysql to add some of the extra search support like django.contrib.postgres has. So if you want to look at that...

Will Vincent  14:33  

Right, I actually had one more question, since you're both core. You guys mentioned Oracle. Still get support, who's working on Oracle in the open source world? Like, how does that keep up with, you know, these are the other ones where you have folks like yourself, Adam, who are doing such great work? That's sort of an open question, like, is it just sort of chugging along? Because I don't get the sense that anyone in their free time is, you know, keeping Oracle...

Carlton Gibson  15:02  

...current with Django. But we'll know, well, like, Mariusz is our sort of... who's the other Django Fellow at the moment, he's our sort of Oracle superstar. He knows it really well, he knows all the different versions, and versions come up and he makes sure it's maintained. And, you know, if an issue comes in that, you know, there's some incompatibility with Oracle 12 point whatever, he's in there and he knows the details. And, you know, without Mariusz we'd be in trouble there. He really takes that on.

Will Vincent  15:32  

And we haven't had him on the show yet. No. I don't know him personally, but I assume there's one or many people doing that work to keep it up, so I was just curious who they were.

Adam Johnson  15:39  

I think at this point it's one. I know Josh Smeaton used to, but changed job and then doesn't want to touch Oracle.

I think that's what Oracle does, does to people.

Carlton Gibson  15:51  

But, like, we have to get Mariusz on now, because, you know, we're not gonna defend it, but he will defend it. And he's like, look, it's not so bad. It's nice, it's got these things. You know, he'll tell us all about what the positives are.

Will Vincent  16:02  

Shouldn't Oracle fund Django a bit, as the only paid database?

Carlton Gibson  16:07  

Yeah, don't get me started. Yes, they should. Um,

Adam Johnson  16:10  

Yeah. Okay. Yes, I think you're more likely to see Microsoft funding before.

Will Vincent  16:19  

Well, on that note, hosting. There's a bunch of questions we wanted to talk to you about. So I think in particular, you know, AWS, right? Is that the one? Yes,

Adam Johnson  16:29  

AWS as in Amazon.

Will Vincent  16:31  

Yes, Amazon, not Adam. So we've done an episode or so talking about this, but what's your take on Amazon Web Services versus platforms as a service like Heroku or Divio? How would you, if someone came to you for advice, how would you advise thinking about that? And then maybe we can get into some horror stories or production stories of how to use them.

Adam Johnson  16:53  

My general advice these days is that a PaaS is the solution people are looking for. Heroku, Divio, they work right out of the box. And Heroku and Divio have both also, like, contributed to Django, and definitely keep their integrations working and their tutorials up to date. And there's also Elastic Beanstalk, which is the PaaS from AWS.

Will Vincent  17:17  

Yeah, they changed the name of it. It's something, I think it's something else. There's a newer Elastic Beanstalk. Oh, did it? Yeah, but it's the... I'll look it up. But it's, yeah, that Amazon has a PaaS option.

Adam Johnson  17:28  

Yeah, I've heard less good things about that. Like, more mixed reviews. And I know Christian Glass, a relatively active Django blogger and user, he blogs about it, but everyone else I've spoken to is like, I wouldn't use it again.

Carlton Gibson  17:44  

I personally found the docs very opaque. And it's not the platform-as-a-service story that I found elsewhere, you know, Google, Heroku, or Azure, where you kind of... it's quite simple, and I found that out. Personally, my personal experience with Elastic Beanstalk was I'm running through treacle here, like, trying to make progress. At that point I'd just rather spin up an EC2 and...

Will Vincent  18:09  

...do it the old way. So I found it. So actually, this is for anyone listening, why you should blog. So I blog Django hosting things, and a post that I wrote came up, which I totally forgot about. So it's called AWS CodeStar. That's there. Okay.

Adam Johnson  18:23  

Yes, that's like the integrated... it brings in the CodePipeline CI service and the CodeCommit Git hosting.

Will Vincent  18:31  

Yeah, so I think that golden boy host trying to be more like a Heroku-like option. And yeah, yeah. But yeah, so AWS, I mean, just when I'm just using, you know, S3 or CDN, or CloudFront, I don't even know where anything is. I mean, the underlying tech is so great, but the user experience is just garbage, for me. How is it as a power user? Do you know where to go? Because they change the interface every six months too, so I just, every time I use it personally I get incredibly frustrated. But I don't work on huge projects myself, so...

Adam Johnson  19:05  

It is a bit of a maze. And, like, what, 300 services are there? The sane thing is to maintain a kind of whitelist. And, like, just be like, we're gonna only touch these.

Will Vincent  19:18  

Yes, yeah, exactly.


Adam Johnson  19:20  

So at Time Out, I was in charge of the DevOps team. And over the course of a year, we migrated 26 applications to AWS. So one every two weeks. Oh, wow. And that's how... the main way we did that was with EC2 instances. We had a bit more of a polyglot environment, so some Java, some Scala, JavaScript, PHP, and Python. And so we kind of set out the ways to do this, and stuck every application through a very similar setup. And the main way we achieved this was with infrastructure as code, using AWS CloudFormation too. So we could just copy-paste the setup from one app to the other as code. And a lot of it ends up being a bit of, like, cargo-culting, like, we know that we need this resource and that resource, but we only know it because it's in that other template.

Carlton Gibson  20:29  

But, like, you don't like... so, you know, interesting. So you use CloudFormation rather than, I don't know, Chef or Ansible or whatever, because it's... Ansible, right. Okay, sort of tied into the Amazon system, right. But it's exactly like that. If you've got an Ansible role, you're just going to reuse that role. You're not going to necessarily dig through the details every single time, because that defeats the purpose. It's meant to be kind of pluggable. I know I need a cache, I need, you know, a database, I need, like, nginx. Here's my Ansible script, deploy it, brilliant, it works. And maybe it's not 100% tuned for that particular service, but it only took 20 minutes versus, you know, the days it used to take to provision machines by hand and install the right dependencies. And, you know, I wouldn't go back from this.

Adam Johnson  21:17  

Yeah, I think it's a bit of the same. Like, there's so much on offer in terms of services that you do have to kind of Lego-brick it up, like, package it. But that is why it's so overwhelming to begin with. And I think many of the decisions in terms of design are, like, aimed at capturing some corporate client's particular use case, and they don't really care about the average use case. So one example I think of is, like, when you create a Lambda function, you can hook it up to a service, but you, in CloudFormation at least, you also need to declare the middle thing, which is the permission for the one service that you provisioned to talk to the other service that you've provisioned. I think that should just be the default. Like, why do I need to give permission to things that I already just told to do things? So, like...

Carlton Gibson  22:07  

IAM, IAM and permissions and access policies, and it's... that's where it gets to be like, this is really hard now. Like, you know, you get through it and it's been...

Adam Johnson  22:18  

it's


Carlton Gibson  22:20  

It can be as slow. But, you know, it's powerful, right? Super...

Will Vincent  22:23  

...powerful. So what was the... when you're switching over, maybe for listeners who haven't ever done that kind of switch. So you, yeah, you have it on AWS? I guess maybe just like the DNS part. How do you know? So you have a duplicate copy, how do you feel comfortable you can switch over? And then what is that switching-over process like? Is it just the DNS? What else are you doing? And...

Adam Johnson  22:45  

Yeah, one of the key things that we would do for every switchover is build a checklist and discuss it with the team, try and get as many points in there. And it depends on your uptime goals. So if you're happy with your website going down for an hour, then switching the DNS can be the easiest switchover. And the most complicated involves, like, moving each individual service inside that, so maybe you move the database, then you move the cache server, okay, and you maintain, like, a network connection, like a VPN, between the old data center and the new one.

And,

yeah, and as for, like, checking that a copy is as good as the one that's running, the best way is to edit your /etc/hosts file to point to the new DNS record, okay, effectively, and browse that, see that it looks right. And maybe if you have a list of the top 20 URLs to check, or someone who uses the system to step through. Any automated testing also helps.

Will Vincent  23:56  

And then always do it on, like, a Friday afternoon right before...

Carlton Gibson  23:58  

...the weekend. So just after you... Right, exactly. Press the button as you walk out the door.

Will Vincent  24:05  

What about, um, any experience with containers for deployments? I only ask because for my new book, Django for Professionals, I use Docker, and then we use containers on Heroku. And this is a growing trend that makes a lot of sense to me, but I don't know, is that in the AWS world? Can you do containers within AWS?

Adam Johnson  24:25  

Yeah, there are a number of solutions on AWS, and, like, the naming of them has gotten some ribbing as well. One was it, Elastic Kubernetes Service, and Elastic Container Service, classes...

Will Vincent  24:37  

Classic. Yeah,

Adam Johnson  24:38  

Yeah. And

I personally have avoided containers up to this point. Like, Time Out would have been one point where we considered it, but ultimately went down the EC2 route. And we looked at using EC2 with the same benefits that containers tend to bring, which is, like, a frozen image, so new instances start faster, create things configured from, like, variables outside of that server. So you can use the EC2 user data much like you can use environment variables, without so much of the complexity and the toolchain. And VMs, and EC2 in general, any VM provider, they're pretty stable in what they offer. Whereas I find, even, like, every six months there's some blog post that tells me something brand new about containers, and I know I'd have to rework everything just to keep up.

Will Vincent  25:38  

Yeah, it is. It is definitely a moving variable, I bet. I mean, and at the same time, Kubernetes is clearly built by and for big companies with their needs. So I find that the leap from, you know, a couple of containers to Kubernetes is a really hard one to make.

Adam Johnson  25:56  

Yes, and I understand you need tools on top of it, like counter, to really make it usable, like, again. And, yeah, I think there is a bit of a trend towards, like, AWS and containers being the kind of IBM decisions of our era. So, you know, nobody got fired for choosing IBM, maybe nobody got fired for trying containers, because...

that's what everyone's doing. Right.

Will Vincent  26:24  

That's a horrible thought that's probably true. Well, it's also, I mean, just, you mentioned your experiences, and so much on the DevOps side speaks to something Carlton and I have mentioned on this podcast, which is that, on the spectrum, Django is actually kind of a front-end framework. It sort of doesn't really, you know, at massive scale, Django or another framework isn't the issue in terms of scaling up. It's the database. It's all these other things that are very separate from your programming languages and your frameworks.

Adam Johnson  26:53  

Yeah, definitely.

I think one of the questions I've come across on Quora recently was Simon Willison's answer to "does Django scale?" And the answer was, it's just like any other framework. The reason, the database, it will go horizontally. It's going to be the database. That's...

Will Vincent  27:11  

Yeah. Well, he said as much on the podcast, and we had Andrew Godwin on as well, just came out today, as we record. I know Simon sort of flippantly said it's sort of boring, you know, how you shard and go horizontally. But I think his definition of boredom is different than most people's.

Carlton Gibson  27:30  

So, there was an old... years ago, just before we switch gear, there was an old mag, super nose, you know, cutting my teeth, was the hardest thing you go is from one server to, like, you know, when it's all on one box, you know, that's great. You can learn loads, and then you reach the limit of that one box and you have to scale to two boxes. And that's, that's like a whole life-changing experience. But then the third box, that's just the same as what you did to get to the second box. And, yeah, you know, I think that still holds true.

Will Vincent  28:00  

Something for me to look forward to. I haven't gone off...

Adam Johnson  28:03  

...the one box. I think there's also the quote, there's only three numbers your computer program should take as limits: 0, 1, or infinity.

Will Vincent  28:15  

Yeah, exactly. So, testing. I want to talk about testing, because I know you have written and spoken about it, and it's a question we get a lot. And maybe specifically we can talk about pytest. So for folks who don't know, this is, I guess, in addition to built-in tools, that I think you've worked a lot with, that a lot of people in a professional setting use pytest, but maybe people who are learning Django don't understand what it is or why you would use it over unittest, the built-in Django test runner.

Adam Johnson  28:45  

Yeah, I'm a big fan of pytest.

It's definitely the more Pythonic way of testing. And I remember learning Django's unittest, and having done a lot of Java at university, I thought it was quite natural. But then I came to realize it doesn't really fit in very well with the rest of the more, like, idiomatic Python code that I was writing in my views and models. So I think pytest is, like, the only way I would write tests these days. And for Django, you install the pytest-django plugin, and it hooks into your Django settings and configures the databases just like the Django test runner does.

Will Vincent  29:29  

I mean, I would agree. Anecdotally, I think almost everyone I know running a production site uses pytest. Carlton, does that ring true for you?

Carlton Gibson  29:37  

Yeah, well, like, so I'm sort of in a kind of halfway house, in that I use pytest as the testing framework and the pytest command. I'll use that every time. And I love, I absolutely love using plain Python asserts, because I can never remember whether it's self.assert, you know, has more than or less than. I can never remember those 52 methods. I can just about remember assertEqual, assertTrue, you know, assertNumQueries is kind of handy in Django land. But I'd much rather just write assert some Python expression, and then, you know, a message. That's kind of handy. But the thing I still do quite like and still use a lot is unittest's TestCase, because I like them to group... I use them to group. I'm using pytest to run them, and I'm using plain asserts inside the test cases, but I'm still using that unittest class, because of the grouping that it gets me. That's just sort of where I'm at. It's not a religious thing. It's just kind of where I've reached. I haven't delved into the further realms of pytest with the fixtures and, you know, the parametrization, and those kinds of things, which all look really cool, but it's just one more thing for me to learn at this...

Will Vincent  30:48  

...stage. Well, Adam, you have a nice blog post on speeding up Django test cases, right?

Adam Johnson  30:55  

Yes. Ah, I wrote this post last week.

Will Vincent  30:59  

Oh, okay. Yeah. I guess it's the fifth... ninth of July. Yeah. So we'll link to...

Adam Johnson  31:03  

Nine, nine days ago.

Will Vincent  31:05  

...that in the notes.

Adam Johnson  31:07  

Yeah, this was with a client recently, ev.energy. And they're an electric vehicle charging optimization company. I hope I've done justice in that explanation. And so they have a not huge Django app at the moment, but it had tests running for, what was it, about six minutes, and I got them down to two minutes or so. And the main way of doing this was by changing the test case class from Django that was in use. So for historical reasons, they used TransactionTestCase, which I think is slightly badly named. And this has more complicated database rollback behavior than TestCase, which you're recommended to use generally. And they'd used that because it fixed a bug in their testing. It made sense at the time. And the speed-up, the speed difference, would have been noticeable when they were just maybe a few hundred tests. But now that the test suite has scaled, it was now taking a not insignificant amount of time. Six minutes is still pretty fast.

Will Vincent  32:20  

Yeah, well, that's true, right? It's pretty fast, but it's also long enough to be a nuisance. So

 

Adam Johnson  32:26  

Yeah, it's go make a cup of tea or browse Reddit, right? It's not just wait for it. And so you can go read the blog post and see why it made a difference to switch down to TestCase for most of their test classes. But I really wrote the post because I thought this is a great story of, like, where to look in Django testing to have fast tests.

 

Will Vincent  32:52  

Yeah. And related to testing, I know you've also written on coverage, I think, which is a fantastic package for people, and actually Ned, who maintains it, is here in Boston. I need to get him on. But could you talk about coverage? How would you describe coverage to people who haven't used it before?

 

Adam Johnson  33:10  

Sure. So coverage is when you run a program and you keep a record of which lines were run. And this isn't so easy in compiled languages, but Python makes it relatively easy. And Ned Batchelder, who created the coverage Python package, has maintained it for many years at this point, maybe 10 years or more. And so when you run the program with coverage, you get to see which lines have run. And so the main use case for that is to create a test suite and check which lines of your actual program, in our case a Django app, have been touched by tests. And the goal you can set is to try to get to 100% coverage, that is, every line in your program has run.

 

Will Vincent  34:01  

What, do you think that's a good goal?

 

Adam Johnson  34:03  

And I think it's a good goal. And in fact, I go one step further with the branch option, which is every branch has been taken both ways. So if there's an if in your code, it must go through both true and false. So you can't have a line of code that does, like, if something that's only true in your test suite. So you might have, like, if user is admin, yeah, and then run all your tests with admin, but then you haven't tested the normal user experience of your website.

 

Will Vincent  34:34  

This is the mind of a Django core contributor, people. Okay, I didn't know about that. I love that.

 

Adam Johnson  34:41  

Yeah. And so my blog post guides you through how to set up Django for coverage testing, in two ways: one with the Django built-in test runner, one with pytest, where you install the pytest-cov plugin, which sets up coverage. And I think everywhere I've worked has not had 100% coverage, apart from once when I worked on an app on my own.

 

Will Vincent  35:08  

Because there is an argument that it's sort of a goal that isn't worth, you know, the last 10%. And so it should just be used as a metric. That's kind of why I asked. I've heard people espouse that theory that, you know, the last five to 10 percent isn't worth the time, I think.

 

Adam Johnson  35:25  

Yeah, I think it depends on the last five to 10% of what we're discussing. If you're building a nuclear power plant, I sincerely hope that you have better testing than just 100% coverage. You know, you're testing 100% of the scenarios, hopefully.

 

Carlton Gibson  35:42  

But this is the software quality versus cost issue, right? So it was always that software engineering doesn't deserve the name because it's impossible to build reliable software. No, it's not impossible. There are standards, you know, NASA have these standards which you can use, but they cost five times as much to build the software. So if you go to a company and say, hey, we're gonna build it to NASA standards, then they're just gonna throw it out the door. They want it shipped quickly, and if it's got some bugs, it doesn't matter. You know, there's always the

 

Will Vincent  36:12  

same thing with uptime: going from an hour to, you know, a second or something is exponential in

 

Carlton Gibson  36:19  

cost. And you know, one nine, no problem. Two nines, yeah, no problem. Six nines, that's hard.

 

Adam Johnson  36:24  

Yeah, yeah.

 

Will Vincent  36:26  

Well, unrelated. To security: I also wanted to get a chance to talk about the talk you gave at DjangoCon Europe this year on security headers, because that's, I like to use... which was fantastic. A couple of people before you had said security is boring, and you emphatically made the case that it is not. So perhaps you could give the highlights of that talk.

 

Adam Johnson  36:46  

Sure. And so the talk, which has a corresponding blog post, goes through how you set up seven different headers on a Django site to make it more secure. And this is to pass a grade on a website called securityheaders.com, which is by a security researcher called Scott Helme, and will help you get, like, some assurance that you are keeping your users secure. Security can be seen as boring because it's often, like, checking some boxes or reordering things you've already written. But I like to think of it from the perspective of a hacker. And I kind of got into web security as a teenager on a website called HackThisSite.org, which I checked recently; it still teaches you, like, the basics of all the different attacks hackers might run. And then these security headers that you can activate in Django, four of them come out of the box, and they help you protect against all these relatively basic attacks. And if you're running a Django website without these headers on, you're definitely at more risk, and they're very well known, simple attacks that you can protect against. Yeah.

 

Carlton Gibson  38:01  

But the defaults there are, these are things you have to turn on, or do these come turned on automatically?

 

Adam Johnson  38:07  

And so some stuff is on by default in Django, and I think of the headers it's only X-Frame-Options that is set by default. Yeah, if you run the deployment checklist,

 

Will Vincent  38:19  

you'll... these will spring up. But most of them, and this is only top of mind because I just read these chapters for my book, most of them are turned off by default.

 

Adam Johnson  38:28  

Yeah. And I opened a ticket after my talk to consider turning them on by default from Django 3.0.

 

Carlton Gibson  38:36  

That sounds like a good idea. Do we accept that?

 

Adam Johnson  38:39  

Yeah, I haven't got around to that. But I think Mariusz took a stab at it.

 

Will Vincent  38:43  

I think the challenge for maybe beginner-to-intermediate folks is setting up the local and the production environments for testing. You know, because you want different things in both environments, and that leap... Do you do it with containers? Do you do it with different settings files? It's not default there. It's not the responsibility of Django core to explain that. But I think that's probably the hardest part of doing that, because everyone does it a little bit differently.

 

Adam Johnson  39:09  

I think some of these headers are perfectly safe to activate both locally and in production. So yeah. So definitely, like, X-Frame-Options is one where there's a default, and Django can just switch to the more secure default. X-XSS-Protection is another one that just helps the browser protect you against injection attacks. Yeah,

 

Will Vincent  39:31  

fair enough. I think there's a measure, there's nine things in the deployment checklist you need to switch, and one of those, I think two of those, it's like DEBUG and ALLOWED_HOSTS, and the other seven are largely header related.

 

Adam Johnson  39:43  

Yeah, and there are system checks for all of these, so that if you run manage.py check with the --deploy flag with your production settings, you get the messages. But I've found a number of my clients, my friends, haven't gone through the deployment checklist when deploying.

 

Will Vincent  40:03  

So are there any other projects or packages you want to give a shout-out to?

 

Adam Johnson  40:07  

And I have a projects page on my site that describes some of the things I make. Aside from django-mysql, there are a number of smaller packages that work with Django. And one of them is for a security header: django-feature-policy is for a draft security header called Feature-Policy that enables disabling features in the web browser that you don't want,

 

Carlton Gibson  40:31  

like webcams.

 

Adam Johnson  40:34  

Yeah, exactly. And so if someone injects adverts onto your site, you're not gonna let them ask for the webcam of your visitors.

 

Will Vincent  40:43  

Sounds like a good idea. Yeah.

 

Adam Johnson  40:47  

And those are the main things that I'm working on. You can see them on my projects page.

 

Will Vincent  40:49  

And then, how are you finding... I'm always curious about life as a freelancer, because you've worked at companies, obviously. The mix works for you? How would you describe the difference between those two lifestyles? What makes it sweat?

 

Adam Johnson  41:04  

Yeah. And I made the switch in January, mostly because I wanted to explore the ecosystem a bit more, I might say. And I find it quite stimulating to jump between different projects and help people out in various capacities, and it's quite interesting in that regard. Also, I think it's helping me, like, make some better decisions for Django core. I'm no longer stuck on one big website that I'm thinking about, like, oh, most users are ending up not doing this, like not activating the security headers. So hopefully I can feed that back in. Lifestyle-wise, like, at the start I didn't have much work coming in. I found it a bit stressful thinking about how am I going to pay rent this month, for example. But on the flip side, like, it's a lot more flexibility and freedom, and when work does come my way, I'm turning it down these days.

 

Carlton Gibson  42:01  

And the interesting thing with freelancing is the pipeline, is that you've got to always see what's coming up next. And you know, if you get sucked into a current project and don't work the pipeline, suddenly your project finishes and you've got some money and you've got a nice break, but you haven't got any work coming in. It's like, I needed to be doing the pipeline, the kind of development, the business development work, whilst the other project was still going on. And learning to manage that is, you know, it's the freelance... but it's the business side of freelancing.

 

Will Vincent  42:32  

Yeah, well, there is a middle ground where you work for a consultancy, so they sort of tee up the projects for you, and you sacrifice a little bit, I guess, in terms of pay, but you don't have to spend all that time on business development and marketing and all the rest. It can be challenging, right, to spend all day teeing up projects and not actually coding and not actually getting paid.

 

Adam Johnson  42:54  

Yeah, I've got a number of friends who do contracting in that way in London. It seems to be quite a popular way of moving developers between projects as well. A lot of companies are engaging with that.

 

Will Vincent  43:04  

Yeah. Great. Well, Adam, thank you so much for taking the time to come on and share all your work on Django with us.

 

Carlton Gibson  43:11  

Yeah, super. Thank you. Thanks for

 

Will Vincent  43:13  

Thanks for coming. No, that's great. Oh, and we should mention, Carlton, if people want to listen to the podcast, you can find it on your favorite podcast player. It's on djangochat.com. And if you have feedback, you can leave it on the site or on Twitter, we're @chatdjango. So again, Adam, thank you so much for taking the time. Thank you. I

 

Adam Johnson  43:30  

Thank you very much for having