Florian is a long-time Django contributor who previously served on the Steering Council and Security Team. We discuss changes to Django over the last 20 years, switching over to `uv`, why he’s not a fan of environment variables, and drawing inspiration from other frameworks.
This episode was brought to you by HackSoft, your development partner beyond code. From custom software development to consulting, team augmentation, or opening an office in Bulgaria, they’re ready to take your Django project to the next level!
Will Vincent 0:00
This episode is sponsored by HackSoft, your Django development partner, beyond code, more in their services later in the show.
Carlton Gibson 0:12
Hi, welcome to Django chat podcast on the Django web framework. I'm Carlton Gibson. Joined as ever by Will Vincent, Hello, Will.
Will Vincent 0:18
Hello, Carlton
Carlton Gibson 0:19
Hello. Will, today we've got with us Florian, one of those long-time Django contributors, former security team member, former Steering Council member, everything, and yet somehow still so young. Florian, thank you for coming on the show.
Florian Apolloner 0:32
Hello. Thank you for having me. It's a pleasure to be here. Yeah, well, no,
Carlton Gibson 0:35
it's fully I'm really excited to have you gone. Will gone? I
Will Vincent 0:37
was just gonna ask. So you've kind of already lived the life that Carlton's just stepped into now, like, what do you know that he doesn't?
Florian Apolloner 0:46
I do I don't think I know anything he doesn't, but I probably had the pleasure of starting earlier, right? So well,
Will Vincent 0:56
maybe let's, let's start with that. Because you are, for those who can't see you, you are still quite young, especially given how long you've been involved with Django. When did you first start with Django? How did that happen?
Florian Apolloner 1:07
So I think it was around 2006 or 2007 it was quite, quite early. I think the famous magic removal branch had mostly just happened. So give me it's a long time ago. I can't remember the old code anymore. I know I saw a bit of it, but I I know Django like it is nowadays, which speaks a bit to its backwards compatibility, right, right? Yeah. And
Carlton Gibson 1:40
so how did a young person find it in 2006 what was it or 2007 what was it that led you to Django? So let me, let me just rephrase that, because, because you're not based in Lawrence, Kansas, okay,
Florian Apolloner 1:56
my father is working in IT as a programmer. And it's for medical clinics and stuff like that. So not web frameworks, but internal clinic systems. And I was always impressed. I liked playing Age of Empires 1 at the company computers and so
Carlton Gibson 2:20
big screen, no small
Florian Apolloner 2:23
screens. There were no big screens at the time. And at some point, I wanted to do what my father did, namely programming. And so we started to look for a project that we could do, because I'm really a bad learner. If I learn something just for the sake of it, I need a reason to do something, right. And our idea was to write a cookbook software where we could put in our dishes and recipes. And we started doing this with, I think, TurboGears. I'm not sure if we ever used it, and used at the time XUL. This was the XML user interface Mozilla used quite a long time for Firefox, where you could create native-looking user interfaces in the browser, which was kind of nice. I'm kind of sad that they dropped it. And so we started working on this application, and at some point, I don't know, we became bored or so, and looked around what other options there are, and then we found Django, and from that point on, it was Django. So if
Carlton Gibson 3:37
in doubt, rewrite it from scratch.
Florian Apolloner 3:41
Absolutely. I think TurboGears wasn't even, maybe not even the first implementation. So there were, like, three implementations. I think we actually rewrote it every year, and then at some point we got bored rewriting. And this was the time, I think around 2006 or so, when I met Armin Ronacher. He lived well near me, 100 kilometers or something, and we met at the BarCamp. And he was working on ubuntuusers, which is the German Ubuntu platform. And we had, or they, at the point in time, had a software consisting of phpBB, the bulletin board software, the MoinMoin wiki, which was Python based already, and something self-written, a news portal in Django. And they were already rewriting it completely to Django. And at this point I joined, and I think it's one of the largest and oldest Django deployments still running in Germany, and
Carlton Gibson 4:48
that's probably open source as well. So if people are looking for a long lived open source Django application to study from, they could perhaps use that. Yeah.
Florian Apolloner 4:59
Yeah, but this is actually not open source. We never got around to it. I also was against releasing it, to be honest, because we didn't know what we were doing, right, and the code evolved. We had our own user model. We had everything, and it took us a while till we could switch to the user model or the AbstractUser model Django provided. We had our own, I don't know, caching before Django got those caching options. So release after release, we worked hard to port over to modern Django. And, yeah, modernize the whole stack. Okay,
Will Vincent 5:43
well, you said user model, which is, was like my thing for last year. So I'm curious if you could, what do you make of the current status of the Django user model, and do you have any thoughts on because there's a number of proposed changes to it. How do you feel about all that?
Florian Apolloner 6:00
Um, I don't know. I'm a I'm a bit torn. I see the recommendations is like, always start with a custom user model, but I need
Will Vincent 6:09
not anymore. Carlton got that taken, taken
Carlton Gibson 6:12
out all. It was a very small change I made. Was like, highly recommend. Got rid of the really scary warnings that the world was going to end if you didn't,
Will Vincent 6:22
I'm sorry that I mentioned that. We've been sort of, like silent, not intentionally, not talking about that for like, half a year now. Carlton, but the change has been out there. No
Carlton Gibson 6:31
conform. Finish it quick. What do you think? I mean, if you think, as we're going forward, what's the best story?
Florian Apolloner 6:36
What's the I think the story is kind of okay. What I would like to see more, in terms of business applications, is actually support for OpenID Connect, at which point the user model becomes a little bit more, well, irrelevant. What I see, what I use it currently still for, is that, like I'm thinking, the groups that are rather I get roles from OpenID Connect, and then automatically create groups in Django for that and assign permissions and so on to that. So all I need, basically, is some user model. I don't think I even fill the first name and last name. I just foreign key, yeah. And for display, you get something from OpenID Connect anyways, and you can put that into the session in the worst case, or have an extra model to store the extra data. It's one extra query compared to, well, I don't know, the work maintaining the custom user model. Also, it's simply not worth it for my use cases. But I'm mostly doing internal applications, and you can tell users there that, well, it is like it is, and we are not going to change anything. Okay?
Carlton Gibson 8:00
So I was thinking about what you talk about, OpenID Connect there. It's sort of one option in the auth world. And I think there's lots of people that have come on the podcast, and lots of conversations we've had on the forum and places about how we need to sort of bump up Django's auth story. It's solid and it's good, but things like 2FA, things like, you know, third-party auth providers and whatnot. I've been thinking about that recently, because we could take on some sort of mega project and try and merge everything into core, or we could, at least for a first part, try and, like, document the ecosystem options out there. And what's your sort of take? How do you think we can move forward in this space? Because, you know, it's difficult for us to bring everything into core, because we just don't have the capacity to maintain things. Yeah,
Florian Apolloner 8:42
so I guess this is one of the main problems, because, like, there's OpenID Connect, but it's not, it's standardized, right? But it's like, you have login with Google, you have login with Microsoft, and depending on the directory provider, you don't get back a username, but, like, a domain name, which is display name, which looks ugly, and Keycloak gives you the full name and whatnot, so I'm not sure. I think we should look out a little bit, just because we're using it at work, at Java and the Spring ecosystem, and they have relatively good support, from what I gather, what the developers are telling me, that they can easily, like, add OpenID Connect to an application, and it all basically works. And I haven't looked at that because I'm not a developer anymore, but I guess we should take more inspiration from other frameworks, be that Spring or Rails, Ruby on Rails, OmniAuth, which GitLab uses, and maybe see what they use, and then draw the conclusions from there.
Carlton Gibson 9:53
Try and rob some ideas from places. Yeah,
Florian Apolloner 9:56
because it's not like, it's not, I mean, it's a sort of problem, right? At least for some things, you always will need extra templates, probably because, like, you want to put "log in with Google" at the first position, or something like that. And I would question whether it makes sense to have this all in code or just ask the user to reorder things, reshuffle things in a template. It's also like, do you support just one authentication provider, which is typical for an internal enterprise application, or do you go software as a service and need to support, based on, like, the email domain of your username, different IdPs? It's a whole different story,
Carlton Gibson 10:44
right? And too complex for Django to have one simple answer for everybody, right? Yeah.
Will Vincent 10:49
Well, I mean, one good thing is that Raymond Penner is with django-allauth. He's doing a lot of really great work, kind of pushing all this forward without the community needing to get involved. So that's a positive thing, like he got a grant, and he's already done a bunch, but I think I just use django-allauth, honestly, and it has most of the things I need at this point.
Florian Apolloner 11:14
I do as well, but it required quite a bit of tinkering around. If I remember correctly, it reads the role from the user info endpoint, and our IdP by default gives it in the access token, or in the ID token, I think, in the ID token. So it's not really well documented where it gets the roles or extra attributes from, which makes it a bit hard, but generally, I think it's the best option currently, but you have to dig into the code, especially if you want to do more than just log in, because what's very important for us is that we get some kind of roles that we then can map to permissions on our side.
Will Vincent 12:03
You mentioned you're not really a developer anymore. Can you expand upon that? Yeah,
Florian Apolloner 12:08
so I'm mostly doing system administration nowadays. The funny part of the story is that when I started at the current company, I actually got, or was forbidden, to do any code. The idea behind was that we actually need a system administrator way more than another developer, and to ensure that their priorities are set straight. I was not allowed to code which was mostly in jest, but still, it's kind of true. So you'd
Carlton Gibson 12:45
sneak back late one night just to get a couple of lines in.
Florian Apolloner 12:50
No, I actually currently sneaking back and writing my own Django application for some internal tooling. But, I mean, that's like, I think seven or eight years in,
Will Vincent 13:03
well, what is, what is that world like? Right? Clearly, it's engaging enough to keep you occupied. I'm thinking about silos in the context of I've been very much head down in the web space, and I'm doing a DjangoCon talk on Django and data science, because data science is a thing that I know very little about, so I'm curious someone who knows both Django and then, you know, let's just pick on System Administration. What, yeah, what do you see as the similarities and differences between the two? I mean, it's all programming, but it's a totally different world. Um,
Florian Apolloner 13:35
I don't think it's a different world, actually. I actually like to see more people getting involved in system administration and coding at the same time, because there are so many things, like you have to think about your software from a different perspective, right? If I'm getting handed down software from the developers and I'm putting it into production, I need some kind of conventions. Be that like this, we have config files, or we pass it in via environment variables. And you need useful log lines, especially if you don't speak the language the program is written in, which can happen as well, or usually is the case if you're a normal system administrator. And I think software development can, or in both directions, we can learn from each other, because there is this structured thing for a system administrator, where you say you want your log lines all in the same format, independent of, like, when I have 10 applications or 20. This makes also sense for a developer, because they are faster when all their programs output the same log format. It's easier to recognize patterns if you don't have to focus on every new log line and guess the format and so on. This
Carlton Gibson 15:05
idea was, I know, like the term now has just become a sort of postage to marketing, but this was the idea behind the DevOps movement. Originally, right was that if you get developers closer to ops, they can think with an ops mindset and vice versa.
Florian Apolloner 15:21
I honestly, honestly don't, don't like dev ops as such, because it's the idea was there, I think. But in the end, it turned somewhere. So it's like nowadays, it's sometimes feels like you don't know enough from either world, right? And I think it's better to have like a developer who's interested in operations and the system administration, who is administrator, who is interested in development, but you can accept that you don't wear both hats. I mean, in smaller companies, it's often happening, right? But this distinction still makes sense. But you you have to look over the border and see what the rest of the company is doing. You, you don't want those silos,
Carlton Gibson 16:15
right? So it's not like, right? I've written it now. You deploy it. No, I'm not going to deploy it, throw it back over the wall several times. Yeah, that's obviously not healthy. It's
Florian Apolloner 16:26
especially when it comes to, like, configuration management, where we're using Ansible quite a lot. You have to think about how to handle secrets, and you need support from the developers. They need to adjust, in the worst case, the application, depending on whether you are reading the secret from, I don't know, Vault, or using an HSM for hashing or signing stuff. This completely changes how you work, because quite often you can't use a few libraries because, like, they make the assumption that you always have access to the private key, which, if the private key is not on your system, is not going to work.
Carlton Gibson 17:14
There's talk in the Django world. Sorry, there's talk in the Django world about trying to do something to smooth the road from so the start project template is very beginner friendly. It's very, you know, get up and running, but it's not. There's quite a number of steps to get to production, get to deployment. It's like a big challenge that people have. And one of the questions is about secret handling and whether we can build in better handling of environment variables. Or, you know, have you got any thoughts about, you know, if you we could do something in that space, what would you like to see?
Florian Apolloner 17:45
Hard topic, where to even start? So I'm using, I think, goodconf, which gives me all this environment handling, which works nicely. But as soon as you start to integrate secret management systems, especially with rotating secrets, it becomes really, really hard. Like, if you think about our database backends, you can't really, I mean, you can if you override the database backend, but like, you can't change the password every five minutes, and same goes for service discovery, like new connections should always resolve via Consul or something. This is really hard. The Django settings module works best with static credentials, and I'm not a fan of environment variables. I try to get rid of them as far as possible, because
Carlton Gibson 18:48
you're going to explain why. Yeah,
Florian Apolloner 18:51
yeah. So the reason is, we are doing mostly Java, and in Java, it's not that bad, because you do have your virtual machine, basically, so the Java Virtual Machine, and there are usually no program forks or anything. But if you're using Django and having a Python project, it can happen that you, I don't know, call out to some subprocess, and this subprocess automatically inherits all the environment variables by default. Usually, I mean, there might nowadays be some options, and Python nowadays also closes, for instance, open file descriptors by default. But in the earlier days, this all got inherited by the subprocess, and especially if you're using the subprocess for things like rendering a PDF file or something, and you got an exploit there, you have access to all your secrets. And I think every remote code execution that I know tries to look for secrets in environment variables, because that's since Heroku. I think Heroku was it, with the 12-factor stuff, popularized it really, really hard. And now you know, if you are inside a process, you have environment variables. And if you put all those things into files, it's way more, you have to figure out where the file is. I mean, that's not exactly hard, but if you take more off-the-shelf stuff, and depending on the system, the environment variables are leaking around everywhere. I mean, it's the same user, you can always look them up in the /proc filesystem on Linux, which is kind of okay. I mean, that's how it's designed, and it works like that, right? But, um, yeah, a file is easier, I think.
Carlton Gibson 20:49
it's too much space for exploits, yeah.
Florian Apolloner 20:53
And also, good luck trying to encode, I don't know, a list or something, or a hash map or any structure in environment variables where you see ugly solutions where you then have underscore, 12345, and pass through that, or JSON encode and put a prefix in, and it's like, Ah,
Carlton Gibson 21:13
okay. So here's my question, because my sort of follow up to that, because I think, but when people starting out and they just hard code the credentials in the settings file, that's clear a step to move environment variables is clearly a step up. But then there's a step beyond environment variables, for the reasons you've talked about because they're not, they're not the securest thing in the world. And I think any solution that we have in Django needs to account for the evolution along that pathway, right? It needs to have back ends for proper vault systems as well as environment handling. But
Florian Apolloner 21:46
I think once you have a generic back end, you get all that for free. The main question that you usually have to answer is, how does this back end work? Right? Do you read up all environment variables at startup. Or do you access the environment once the variable is accessed? Because this this at some point, begs the question, do you have a schema and can read all the needed data in advance? Or if you need to go to an outside system, does that mean an HTTP call for every variable when it first read. Or can you like, in in bulk, read, read the whole configuration. And this is where it gets interesting and hard, I think. And this
Carlton Gibson 22:29
is why every time we have a discussion about it, we never make any progress.
Florian Apolloner 22:34
Yeah. But I mean, most config systems I know out there for Django already support files and environment variables in some form, and usually you can mix and match them. One thing I ran into recently was, I wanted to run systemd inside a Docker container and use that to start my application, because I'm trying to ship my applications as a single container. And this really easily breaks down if you use environment variables, because systemd won't start your service with the environment variables that you passed into the container by default. And so if your application just reads a config file, it's readable from everywhere for your application, and you don't have to think about whether it started via systemd, and are the environment variables passed down or not. And
Carlton Gibson 23:33
systemd's got this credentials thing that you're meant to use on it,
Florian Apolloner 23:42
I haven't tried it inside containers, to be fair. We are currently playing with it. It actually solves a bit of problems for us, because you can store the credential as the root user on the system and then provide it to the service and it has access. And in combination with containers, you get very interesting and great deployment patterns. For instance, we are also using socket activation, like inetd style. And so we have our containers without network access, but they provide an HTTP API to the outside world, which is perfect, because you can now execute some code that might call out to the outside world, like any document, literally like printing an HTML page or something which could include an image. And this is all blocked by default because the container has no network. And I think systemd provides some nice deployment units in that sense.
Carlton Gibson 24:49
Okay, so
Will Vincent 24:52
go on, remember. No, you go. Keep going. Okay,
Carlton Gibson 24:55
okay, so I was going to ask like, so you, you write into the world you're. Right into deployments. You're using quite advanced containerized whatnots and Kubernetes, I guess. And what I don't know, not Kubernetes, right? Not gonna ask, what's the what's your kind of what are your favorite things from that landscape, from of all the tools that come by? What are the ones that you think, yeah, no, that's that really makes the difference.
Florian Apolloner 25:19
So we are using Ansible a lot, really, really a lot, basically for everything. We are slowly evaluating Kubernetes. I'm impressed by what I'm seeing there, but I'm also kind of afraid, like we need to understand our systems. So just for context, the company I'm working at is a Trust Center, which is under the eIDAS regulations, where we concern ourselves with digital signatures and whatnot, and we basically have an uptime of 100%, so 99.999 something or so, for the last five years, and this includes basically maintenance and everything. And we are really, really afraid of systems that we don't understand. And I like the fact that you can put a database onto Kubernetes and the operator, so they have this operator pattern which will upgrade and make backups and everything. But what happens when the operator goes wrong? Sure, it's better tested than your usual setup, but when it goes wrong you have to fix it anyways, yeah.
Carlton Gibson 26:41
And the problem with that the high nines, the uncommon problems become problems, right? They happen, yeah.
Florian Apolloner 26:47
And so we keep it really simple, as much as possible. So we have ans where we can deploy a new virtual machine in minutes, or actually seconds, what it takes to clone it, basically. After that, Ansible runs over it, and usually that's it. So we get certificates issued, everything automatically, and then we can use the machine. And it's not like we need to scale that much, so we have a rather static setup, and it's questionable how much Kubernetes makes sense there, right? I mean, for something certainly in the future, but I still think that Docker Compose, per se, is a nice deployment pattern because it allows you to put things together nicely, with all its ups and downs, like the network routing and everything. But no matter what you use, right, you have to know the stack. You have to own it if you want to be successful. So that means providing patches to Docker, Podman as well, and digging in really deep.
Will Vincent 27:59
HackSoft is your development partner beyond code. From custom software development to consulting, team augmentation, or opening an office in Bulgaria, they're ready to take your project to the next level. I want to ask you, so you're on the security team for Django, and Django is well known for having one of the best security stories out there, but that's very much behind the veil, because people submit them privately and they're handled. I'm sure there were some wild stories of especially early-days security issues. I'm curious if any kind come to mind, really
Florian Apolloner 28:32
bad, when you're on the team, right? Mostly, it's like denial of service quite often via regular expressions or something. And I guess the worst thing that we had, which was only in the main branch at the time, when we moved the login view to class-based views, or was it the password reset view, you were able to reset a password for any user without the password reset link, basically. It really was a subtle change, but that was horrifying. I wouldn't have wanted that on a live site, right?
Will Vincent 29:15
Yeah, well, but I mean, mean, Carlton, you're, you still, you're still on it. Carlton, yeah, I'm still, I'm still on
Carlton Gibson 29:21
the security team, yeah, hanging, hanging on in there for now.
Will Vincent 29:25
I mean, if I think of things that are important, but completely hidden, security team is up there, right? So, yeah,
Carlton Gibson 29:32
the one that comes to mind was GitHub had a password hijack thing, where, with no Unicode encoding of emails, similar look-alike emails of Unicode. Oh, yeah. And they published a blog post about how they'd fixed it in Rails. And Simon Charette was reading it, you know, with his coffee and his RSS reader, then pinged the security list. Like, hey, folks, I think we need to do something about this. So we all had a quick look. Oh, yes. And then so a hotfix went out, I think, the very next day. And normally, Django has the seven-day pre-announcement to tell people that the security fix is coming. But on that one, it was like, look, because this has been made public, and it was quite a serious vulnerability. As Florian says, most of them are kind of denial-of-service ones, which are worth fixing, but it's questionable whether an individual installation is going to get hit. This was kind of a much more serious one. And it was like, no, we've got to drop the seven-day advance and just put it out as fast as we can. That's the one that comes to mind as the sort of most surprising from my time on it, and
Florian Apolloner 30:42
I mean that also goes a little bit back to looking at what other frameworks are doing, because especially with security issues, we are fixing the same security issue in a multitude of frameworks, especially when you look at Flask, because if Flask has an issue in its HTTP handling, I bet Django has it as well, and also in the other direction. I mean, it's happened once or twice, I think. And same goes for PHP and Ruby. This is something with all this security posture going around nowadays, with "we need software inventories" and whatnot. What we first need is to talk with each other and find a common channel where we can, like, easily exchange security issue classes, basically like "we got this kind of problem, can you look if you also have it?" Because chances are that most systems have it, and sometimes you see it in the published issues that day after day, a new framework joins the release process and says, oh, we have the same issue, we have the same issue. And this is something which would be great to work on, but it's really hard to get, like, multi-language programs started, right?
Carlton Gibson 32:12
Yeah, or even multi-framework. It's difficult enough to, you know, David Lord has reached out to us a few times, and we are in communication with Flask and David over there, but it's difficult enough to handle, sort of, our own reports, because there's a lot of traffic to the security list, and so, you know, it's like, okay, we need to stay on top of that as well as reaching out as well. And is there a common space? No, there isn't. I mean, I wonder if we can get something going with Python, and this, you know, with Seth doing such a good job there, if he could nerd-herd us into the same room,
Will Vincent 32:44
it's nothing a couple million dollars and a dozen full time employees can't solve.
Carlton Gibson 32:49
Yeah, exactly, exactly, exactly. Florian, so you said you were still working on your internal application with Django. Yeah. Okay, so after all this time, what keeps you fresh? What keeps you staying with Django? Is it just that you know it, or the bits that you think, no, that's why. Well,
Florian Apolloner 33:07
part of it is certainly that I know it. I don't have the time to play around and learn a new framework just to write an application for internal use. And the other thing is, what I still like about Django is that, even so, it's sometimes horrible to work with, you get everything out of one hand, right? You don't have to explain to someone using Django how forms and models interact, and I don't need so many extensions or dependencies. In that sense, the current project has, like, I think five or so. This is massive for me, especially. This is by no means anything against Flask, but when I need login, I know I can count on Django to some extent, right? There's no OpenID Connect, like we said, but I've got that covered. I've got form validation covered. I've got models. I don't need to think about how to integrate SQLAlchemy, which I love and think is way, way, way superior to the Django ORM, I mean, in some senses, and the same holds true for Flask itself. But it's like this thing where you have everything out of one hand, and you have one documentation to look at. You have one channel for support, where you don't get told "this is not a problem with the form handling, but with the models, go to this other channel, because this is all a different company," or something like that.
Carlton Gibson 34:48
Okay, so that that one hand, that battery, is included. I guess you could, if you think about the scope of Django, is it is now, and thinking about this from, you know, we constantly add things, but do we ever take anything out? Is it other bits that. You think we could retire from core, or take out of core or separate, and contrary to that, as well other bits that you think, no, actually, I'd like to bring that in, and that's missing from my
Florian Apolloner 35:08
desk. So for me, it's most certainly the low-level tooling, like authentication, configuration, and there was a third one, but this I would like to see in core, and more of it. But I've never used the sites framework, for instance, but it's hard to throw stuff out. I understand that. But all in all, I think the scope should stay roughly the same. I also wouldn't want to add too much support, for instance, for htmx. I know plenty of people are using it, but still, it feels like new. It's great. Some people are using something else, and maybe in three years, we are back to somewhere else. But this is especially an area where we can experiment outside. And you know, when we added, I think it was template partials, where you needed something to make it work. This has been the story for Django all along, right? What's the minimal thing we can do to enable you to implement your ideas? And in this case, it's two lines, and you can build django-template-partials, which offers much, much more flexibility, but what you needed in core was one line. I understand that this doesn't work for stuff like authentication, or not always, where, say, like, yeah, it would feel better if I don't have, like, 10 libraries of glue code. I want one security solution and want that to work. Do
Will Vincent 36:53
you have any thoughts on UV I see you have a repo on it. Have you had a chance to play around with that at all?
Florian Apolloner 37:01
I've converted pretty much everything to it. Okay, so that's
Will Vincent 37:05
a yes, yeah, yes,
Florian Apolloner 37:09
but not, well, how to put it. Everyone is complaining every time that packaging in Python doesn't work, which, like, I guess is or was true to some extent. But for me, it's, how to put this, it's like writing a web application without knowing HTTP, right? You can use Django without knowing HTTP, but you have a much better understanding of it if you know that HTTP is supposed to be, or, yeah, is stateless, and what this means, when you should use GET, when you should use POST, and what the implications of that are. So for me, uv is mostly useful in the sense that I'm getting a single binary that I can easily include in my Dockerfiles, in my intermediate build containers, without having to install much, and from that on, let uv take over. But similarly, I had the same thing with Poetry and PDM. I think I'm switching my package manager for Python yearly. So, okay, okay,
Carlton Gibson 38:25
but I'm in the other school every 20 years. Well,
Will Vincent 38:27
we had hen recently, and he's fully on board with uv. And I think when I ask around, most people who've tried it are like, yeah, this is certainly, for the foreseeable future, this is the way to do it.
Florian Apolloner 38:42
Well. And what's helping me currently is that they are, well, maybe because they are funded, or just because they are funded, there is a really, really quick turnaround on issues. And while I understand that stuff doesn't move fast in open source, it's like when you can't build your project anymore because some new package got released somewhere which breaks the dependency resolving of your package manager. And it's not like resolving packages is an easy task, right? So it's not something I can fix, even if I wanted to, and it really helps to get a quick turnaround there, even if it's like with some stop hatches, to explicitly tell the package manager: use just this package. I don't care whether it works on Windows or not. I don't care if it works on a Mac. I just want it to work in this specific Docker container, and this is my deployment unit. It's great that it doesn't resolve for, I don't know, CUDA and whatever GPU stuff you have nowadays, but that's not what I need.
Carlton Gibson 39:49
Have you looked into it closely enough to see into the sort of performance enhancements? Because I think, whilst it's obviously written in Rust, I think most of the enhancements are just because it's clever about how it searches for packages, and it's more aggressive about caching and things like that. I wonder if you know anything about whether those speed gains can be brought into, say, pip or, like, you know, the community tools.
Florian Apolloner 40:18
I do think so, because PDM actually uses the resolver, or users can use uv for resolving nowadays. So it's certainly doable, but I'm not sure about the resolver itself. I mean, the resolver certainly plays a part in it, but I'm just guessing. I haven't profiled it. But what I do know is that there is aggressive, really, really aggressive caching going on, to the extent, like, when your package is installed and it's installed in editable mode, it then gets put into the cache with an explicit version, which means your later lock files will then include this version instead of your project, instead of your dev version. I mean, that got fixed, but we are moving to caching bugs now in uv. So whether that's a good sign or a bad sign, I don't know, but it certainly works, and it works fast. So
Carlton Gibson 41:19
Okay, okay, cool, cool, cool.
Will Vincent 41:22
I have a question. This is probably just because I started working at JetBrains, which makes PyCharm, IntelliJ. I'm curious what text editor or IDE you like to use these days, and why?
Florian Apolloner 41:34
I guess, out of habit, Visual Studio Code. I was using Vim for a long time before, but the, yeah, the easy, let's put it that way, the easy integration of autocompletion and everything won me over. I do know that I can do everything with Vim and Emacs as well, but I just don't care, especially if I'm using Vim on servers. Usually Vim is one of the editors installed on some servers, not necessarily those that we manage, but I had my fair share of working with other servers, and you have a default configuration there, and once you use Vim on your local laptop and connect to a server and the configuration is different there, it stops being viable. This is one of the reasons I don't want the editor that I use, configured with the default settings for system administration, to also be my programming environment, and Visual Studio Code was fast enough. I'm still an unhappy user, so to say, because I'm not going, or I can't justify paying, and maybe I could, I don't know what the policies are, or if it's possible to pay for it. But with all these Python plugins becoming more and more closed source and the digital rights management stuff around it, I'm not too happy about it. I understand parts of it, but I haven't found a better solution yet. And also, I mean, I know we do use JetBrains here and there, but, and correct me if I'm wrong, last time I looked at it was 10 years ago, but I think it's still like you have one program for one language, and in Visual Studio Code I have some plugins, and it works well enough, and I'm switching between five languages a day, so I wanted the consistency.
Will Vincent 43:41
That's a common thing out there. There's some truth in it, and I think it's not totally true. For example, if you use PyCharm for Python, it also pulls in WebStorm, which has support for JavaScript, TypeScript, HTML, CSS. So you know, if you want to hop over to Java, you can't do that as easily. So I think JetBrains doesn't talk about that, the bundling, partly because there's the Pro and the free version. So it's mostly true. I mean, it's interesting that VS Code is a little bit like Flask, in that it's micro and then you rely on the community for most of the plugins that you want to use. Whereas JetBrains is a little more like Django. It's all in house. I mean, under the hood it's basically the IntelliJ Java engine. So there's like a global engine that drives things, and then there's specific things for PHP or Python or what have you. So it's a little more Django-y, but yeah, at the end of the day, that's a common thing people say. And I think if you are bouncing between a lot of languages, I certainly understand why you'd want just one IDE for that.
Florian Apolloner 44:54
And I mean, for me, I'm not doing much editing, right? I'm mostly looking at code, but on a normal work day, it's probably Go, Rust, in the worst case a little bit of C, and then usually some Java and whatever I have with Ansible, so mostly YAML scripts or YAML files, and I mostly need syntax highlighting, and that's about it.
Will Vincent 45:20
Have you tried Zed at all? Do you know about this project? No? It's from the people who made the Atom editor for GitHub. Will clop, who's involved in the Django community, he's, yeah, it's public, he just started working there part time. It's interesting that they're not going 1,000% AI focused yet, the way everyone else is, right? So obviously, VS Code, JetBrains, Cursor, you know, there's sort of these two extremes of, like, you know, have AI, have full integration, agents and stuff. And then there's also, I just want a text editor or IDE with some syntax highlighting that isn't slow, right?
Florian Apolloner 46:01
Yeah. And I mean, looking at other things is part of my day job, right? And so if I aim to change my personal editor or something, the pain it inflicts on me needs to be really, really high. I just don't have the capacity to change my system and everything every other day, because that's already my day job, right? And I want some consistency in in some things that I use,
Carlton Gibson 46:32
Just mentioning the AI, because I imagine you can't go near it really at work, because you can't risk errors.
Florian Apolloner 46:40
I don't know. I'm not involved in those discussions. I actually don't know, aside from coffee table discussions, if there are any, but I honestly don't think it would be a problem, because we would still have code review and everything. It would still be your fault, not that we assign blame or anything, but you have to take ownership of the code you want to submit. And I think, like, Simon Willison is blogging quite a bit about it. It is like with everything: if you know something like Django well, AI can help you iterate faster. And I'm not sure, maybe it was Guido in his early days after joining Microsoft or something like that, it might not have been him, but I have this quote, or rough quote, in my head where he says, like, you don't need an IDE if you know where everything is, right. And for me, this holds true to some extent, because an IDE doesn't help you find stuff all the time. You still need to know where to go looking. And I see this nowadays with Visual Studio Code. I'm not doing that much Django anymore, so I use the autocompletion, and I, like, need to import a response object, or something like that, and I get a completion with 30 response objects. 10 response objects are from sub projects like Django, DRF or Django Ninja, which re-import it, so you still need to know which response object is the correct one for the task, and whether this is just a forward import or if it's a subclass. So, yes, use AI by all means. I mean, I would be careful, or ask legal, whether I can send stuff outside our work perimeter, but in the end, it's a tool like everything. I wouldn't be too afraid of it.
Carlton Gibson 48:55
Okay?
Will Vincent 48:56
I was just watching, Guido had an interview with Lex Fridman a couple of years ago on his podcast talking about text editors, and Guido was saying that, for a time, he used PyCharm specifically just for the search, but then he would go back into, I forget, Vim or Emacs, something, you know, now VS Code. So there's something around, like, these tools help you find stuff in a huge project, but then you just want something minimal if you know exactly what you're doing. I would also say that that's part of, so I'll just say one more thing. Like, you know, if you see a drop down of 30 imports, that's something that, for example, PyCharm has a Django integration. So I think in some cases, at least, we do a better job with that. But like, how do we, I'm only a month in, so how do we communicate that? How do you say that you know marginally better? It's hard, right? Because we pick a tool, we get used to it, and then, especially as you're senior, you don't really want to switch around your tooling that much.
Florian Apolloner 49:52
Yeah, and I mean, even whether you're better or not, it honestly doesn't matter. As soon as you're going to say it, you're going to start a flame war, because people will find this one edge case where Vim also performs better, and I'm just not sure if it's worth it. And what came out of all of this for me is that this Language Server Protocol, so all those generic integrations into the editors, which are not always that generic, but those helped a lot, and this is really important for me. When I look at a Go project or Rust project where I have literally no idea, I'm able to find sub implementations or references to this piece of code, which is not so fun in Python. JetBrains has good support there in Java, but with all this dependency injection going on, like, you can view all the implementations of an interface, but you still have no idea what you get auto-wired via configuration somewhere. So it's really hard for me, even with the, I don't know what the JetBrains IDE for Java is, but I have looked at that at one point and I found everything I needed, but I just didn't know what was actually in use. But that's not JetBrains' fault, right? If you take an interface, it can be anything.
Carlton Gibson 51:20
So I reckon that the main difference there between the different grades of autocomplete you get is the static typing of the languages. So Rust, super; Go, great; Python, not so great, which leads us naturally into the question of typing in Django. It's come a long way over the last few years, typing, I think, in Python. What are your thoughts on that as we go into 2025? Like, how do we push that forwards?
Florian Apolloner 51:49
I'm honestly not sure, because I think it's an incredible tool. Personally, I'm now at the stage where I would like to see it. I'm not sure how to start, right, because, for instance, we need to be able to type the low level objects first and then kind of build up from that. So I don't think that an approach where we just annotate new code is going to be that helpful, especially as we would want to have, like, type checking in CI that verifies that we're using it correctly, and if 90% of the code base is not annotated, I honestly don't know how this is working. But that's just me not using typing that much, especially not in Django, because it's not there. In my other projects, I do use it, and it is really hard, I have to admit. So whenever you are trying to do something tricky, it sometimes feels like I'm writing C++ again, right, in the sense that in Python I have this elegant idea, this is done in one line, and then the type checker says, yeah, you can't do that. Yeah, okay. I know I can write it like I would write static code with no extra features, and then my types will work. This is probably a bit unfair to both languages, but for me, it is really hard to get started, especially, like, when you say Unicode and text, you have, like, be lenient in what you accept, but you have to be strict on output, like HTML rendering and everything. And this kind of is the same thing here, like in typing: do you take a list? Do you take an iterable? How far do you go? What happens if you take an iterable and you want to be strict in your output, then you put a list or something there. But does the iterable convert to a list? Probably not, because it can be anything. And
Carlton Gibson 54:09
I had a case. So I know some version of Django, let's call it two point something, added a check where ALLOWED_HOSTS had to be a list. And I'm like, I've got a project from the old days that has an iterator there, and it's just broken. And like, why?
Florian Apolloner 54:27
Yeah, so certainly type checking is hard. I really see the benefits, especially in smaller projects. At one company where I worked, we had, like, communication with phone systems, like in a hotel: guest check in, check out and stuff like that. And those are phone systems from a really old age, basically where you have a serial cable updated to Ethernet via a converter, and you basically get the raw serial screen over TCP or USB, depending on what you use. And we were writing code against that, nowadays with Python, and it was really hard for me to write tests for such a thing, because the code was async, and I tried to write it with this dance IO approach. But in the end, for some projects, I just can't justify writing the tests, or, I mean, that's probably not true, but it's really, really hard, and typing there helped a lot. It eradicates a whole class of mistakes, I think, be that typos, I mean, the IDEs are already good with typos per se, but everything else, like trying to add an integer to a list or something with the wrong operands, this is really, really great, and it shouldn't mean that you don't have to test anymore, but you don't have to test that much, I would say, because previously you were taking an object, basically, and you either have to document very carefully what the function actually takes, or you have to check inside and throw errors. And then you would want to test this. And now you say, okay, if I say this is a string or something, I rely on the type checker during development to ensure that it's a string, and then I don't test what happens if I pass in an integer.
Carlton Gibson 56:31
Yeah, with a compiled language, you have that as soon as it compiles, often it just runs and it is bug free because you've satisfied the compiler. The same applies with type checking, right to a certain extent,
Florian Apolloner 56:43
but it's still not easy. No.
Carlton Gibson 56:46
Okay, so I've got one more sort of question I want to ask you, as a, you know, a very long standing community member. You see where we're at with, you know, discussions and feature requests and, you know, the difficulties we've had pushing Django forward. I think over the last few years it's been very stable. But, you know, there's a lot of desire to push Django forward. How do you think we can do that best? As you watch and as you partake in the conversations, how do you think we can move forward?
Florian Apolloner 57:21
Now, that's one of those where I think I don't have an answer. Part of me not being this active with Django anymore is probably kind of, I wouldn't call it burnout, but it's this inertia that exists where you just can't get anything off the ground, because no matter what you suggest, the default setting is: no, we are not going to do that. And this is the reason, also, on the other hand, why I like programming in Django, because I can rely on it to work like this in one year, which makes it really, really hard. One idea that just came to mind literally now, so no idea if it's viable, is to ask other communities like Rails or Spring to talk about exactly this at Django conferences, that they provide their experience of how they managed to move beyond such a point, or maybe they didn't have this point, this problem, at all, and this would give us an outside perspective. I think we're doing better recently than we did a year or two years ago, especially with the new steering council as well. Because I think we need to make choices now, and I'm happy if someone makes those choices, and whether they align with what I want is not necessarily required. It's just there is a choice, and we know this is the path forward. For instance, the async support in Django is something that lingers around with no good path forward, I think, because do we want to add duplicate code for every method? I don't think so. And now we have this code generation idea, and we will see how it turns out. Personally, I'm not using async Django that much, and I'm not sure, maybe for some parts one can use it, but I won't see Django as a general async framework, especially with this handling, or how the async code in Python generally looks. I mean, it's not so bad nowadays, but I have bad memories of the callback hell in JavaScript, and to some extent Twisted, which really makes it hard to follow the code.
And this is probably because I stayed away from it, and also I don't need it. For a general purpose home page, there is no need to serve every view asynchronously, especially with Python 3.13. I mean, it started there, it will get better, and with free threading we finally have the possibility to catch up with our web servers and spawn, like, 100 threads, and this is what we can handle, instead of a few processes.
Will Vincent 1:00:44
I love your idea of having someone from the other communities come to a DjangoCon and speak. I mean, we, for example, had David Heinemeier Hansson on this podcast early on. My hypothesis would be that if you look at Java, Spring, VMware largely runs that. Rails, Ruby on Rails, you know, that's David Heinemeier Hansson, he largely runs that still. If you look at Laravel, you know, they raised $72 million and one person kind of runs it. That's kind of the difference, that all these other ones we're competing against, you know, FastAPI, it's Sebastián in charge. They do have a little bit more of the BDFL, not, not, they do, sort of, they definitely do. So they can move faster, right? So I think the question is, over the long term, what happens when those companies or people want to step down? But, you know, I strongly suspect that's why they can move faster, because there's someone with a profit motive working full time, whereas there's no one in the Django community doing that.
Florian Apolloner 1:01:47
Yeah, and I also don't imagine that Spring or something is going away soon, because there are so many big, really, really big companies using it, so there will always be someone picking it up. If they end up in the same situation as Django, then, I don't know, but these days there is enough incentive and money behind it, I guess,
Will Vincent 1:02:07
well, but if we had, you know, I don't know if Instagram had decided to, like, put a ton of money into Django, like, it would move faster. It would still be a community, right? Like, so there's, there's more the question of VMware or some for profit thing that pushes it as opposed to 100% community.
Florian Apolloner 1:02:26
Would that actually be true? I mean, we always say we do have roughly enough money. I mean, more money would be good, certainly, but we don't really have the best plans to spend it yet. What I could imagine, for instance, is, like, if Instagram had employed relatively early on all of the Django core members and taken it over, that we might be in a similar situation to Spring, because then you would have a clear leadership in that sense. I don't think that money provides this clear goal of where to head next, unless it's coming with a tag like, okay, this money is for improving the ORM to this situation, or something like that.
Will Vincent 1:03:13
It's an ongoing thing. Yeah,
Florian Apolloner 1:03:14
absolutely.
Carlton Gibson 1:03:18
I've got to say something like, I think for me, it's very much we the trouble with having everything in core altogether, and everything going through core, and everybody wants to get their feature into core, is that everybody's then having, trying to have one conversation, and it ends up with too many people having the same conversation. And what would, for me, what I'm trying to think of ways without, you know, taking out the ORM. So, you know, you'd have to install that step, but find a way where we can just modularize slightly so that there can be three or four conversations going on which don't all have to go through the same bottleneck. And I don't know quite how we get there, but I kind of feel like we need to do something in that direction.
Florian Apolloner 1:03:59
What the Boost library is doing. I mean, it's a C++ library. They have this git master repo where they have submodules for every sub module, basically. But I think this would be kind of hard for Django, because, like, the components are so intermingled, and we don't have clear boundaries, right? And we don't want them in the end, because that's what makes Django great, that the form framework integrates so well with the models. And I'm not sure if it gets better if we have more boundaries in between, as small as they are, but,
Carlton Gibson 1:04:43
yeah, no, but exactly so what was the reason you use it? You use it because of that integration that it is. It's got that Django feel, right?
Will Vincent 1:04:52
I think we're basically up on time. Was there anything you wanted to mention, or you wanted us to ask you while you have. Microphone?
Florian Apolloner 1:05:02
No, I think we've covered quite a lot. Well, actually, what we didn't talk about, no, we are going to talk about that now: what does that project template look like? Which is what actually brought us in here, right?
Carlton Gibson 1:05:17
Yeah, because we were talking about it on the social medias.
Florian Apolloner 1:05:21
Exactly, and so what? Just as a quick recap, there are always those discussions about what startproject and everything should include or should not include. And I think it depends a little bit on what you're doing, right? We already have startproject templates, and there's cookiecutter for Django and Copier out there, which I really like, because it allows you to release new versions of your template and then update existing projects. And you obviously sometimes get conflicts then, but this provides a nice way to actually update your projects without manually reapplying all your changes. And what I'm doing is basically, I'm shipping applications, right? I'm not in an area where you say, okay, this is the application, add it to your settings file. I'm shipping a complete application, like NetBox or maybe venueless ships. And what I found useful is that you could just use that project and then immediately add this generated project as an installed application into your settings file. This solely means, I think, at the current point, that you still have to create an empty models.py file. But aside from that, you're basically pain free. And then you can add further applications on a sub directory, sub package basis, because it's way easier for me to have, like, my current project, for instance, is named oversight. It's way easier to have an oversight.core application and oversight.user and oversight.something application than to think about valid package names for every application, and it's meant to be used together, right? And we have this namespacing, and we can use this. And I don't see any reason anymore for this project. A project for me, in Django speak, is basically a settings file, or not even that; the DJANGO_SETTINGS_MODULE environment variable basically defines what your project is, and you can bootstrap everything from that.
So that's what I'm using. Okay?
Carlton Gibson 1:07:52
So it's like the single folder, right? The startproject folder is the app itself. And I think that's a big step forward, because, you know, Will often talks about this with his books, but like you've got the first run experience where you go startproject, now startapp, now add it to installed apps. Now, which folder am I meant to be in? Which file am I meant to be in? It's just too much going on, right?
Florian Apolloner 1:08:15
And it would make tutorials quite a bit easier, I think. I mean, we would change the startproject template, probably, to account for that. So not just add the application to the project's installed applications, but also, like, provide a dummy models.py and tests.py which we don't use. And maybe, I don't know, I'm sometimes moving the WSGI module into a sub package then, because it's a little bit ugly on the top level, right? But that's whatever you prefer.
Will Vincent 1:08:49
I mean, I think, especially for newcomers, if you, so, I have an open source thing called Lithium now, that was DjangoX, that basically just gives you Django, django-allauth and a little bit of config. But it'd be nice if there was an official, you know, bootstrapped blog, or CRUD with auth, or, right, there's only two or three kinds of things people want. And if startproject gave you that, that would certainly ease the learning curve. And then, of course, the big one would be to have production, right, where you default to production, and you'd probably need to use environment variables, but have a way to do that. You know, if I could go work on Django for, like, a year, I would add those happily and just put them in, because I think that would help newcomers, for sure.
Florian Apolloner 1:09:41
I mean, I started doing that with a Copier template, where, so Copier asks you a few things on startup, and you can define those questions, like: do you want a Bootstrap template? Do you want this JavaScript integration? So basically, provide the kitchen sink Django template. I stopped doing that, because when I'm using Django, I use this one CSS framework, I use this one JavaScript library. And I think in all those generics there is lots to be lost, because with all this flexibility there comes much more complexity. And so we would probably need, like, 10 or 15 startproject default templates.
Will Vincent 1:10:33
Well, if we were, you know, and if we were Laravel, we just charge for them, you know. So,
Florian Apolloner 1:10:38
right, right, right. But I think there are also some Django Software as a Service templates where you click together, like I want to include authentication, I want to include vault for secrets management and everything. And they are selling, I don't know how well or something, but certainly an area to look at. I mean, I'm not exactly sure about the business model, because,
Will Vincent 1:11:09
Well, I mean, Cory Zue has SaaS Pegasus. He's, I believe, working on that full time. So that's working. Then there's a dozen other ones I could name that do similar iterations. My sense is that it seems people want the SaaS integration more than they want the rest of it.
Florian Apolloner 1:11:27
Right? But like, once you download the code, probably licensing is stopping you from using it for another project, but you get the ideas, right, of how such a thing is built after you've paid for the first one. So I don't necessarily see it scaling that well inside one company, that you can sell it many times, but I'm happy to be proven wrong, and if it works for him, it's perfect, because that's certainly something we miss.
Will Vincent 1:11:58
Well, we're going over time. I think it's an education thing people use. I mean, this has been done in other frameworks, where people use a SaaS starter thing in Rails to get going and then fill in the details. I think it works a lot like that, actually, for people. But, yeah, I don't know exactly.
Carlton Gibson 1:12:19
Just let me finish this topic. There is a DEP that we're hopefully going to push forward in the 6.0 or 6.1 timescale to update the startproject template, make it a bit simpler, along the lines you've talked about there, Florian. And then also, as part of that, try to promote using templates a little bit more, to make it more obvious to people that, you know, there are these templates out there, and you can create your own one. And you know, then maybe we can have two or three or four simple example apps, like, oh yeah, look, there's a blog, there's a Wagtail example, there's a, who knows what,
Florian Apolloner 1:12:56
Yeah, hopefully it's just a template. It's currently a little bit hard to use. If you use non standard files, you have to include them in the command. And that's what Copier gave me, and it's like reinventing the wheel. Why improve Django in this direction if you can use cookiecutter or Copier? I don't know. Maybe. Yes,
Carlton Gibson 1:13:17
yeah, okay, well, that's a good point.
Florian Apolloner 1:13:19
You probably will leave it at that and hash it out. Yes,
Will Vincent 1:13:22
yes, let's do let's do that. So Florian, thank you for coming on. We've when we first started this podcast, you were one of the names we wanted to have on. And six years later, here you are. We finally did it.
Florian Apolloner 1:13:36
Yeah, I'm good at escaping those things,
Will Vincent 1:13:39
Yeah, well, that's probably why you're productive. So again, thank you for making the time. We will have links to everything in the show notes at djangochat.com, and we'll see everyone next time. Bye, bye,
Carlton Gibson 1:13:50
see you next time.
Will Vincent 1:13:54
This episode was sponsored by HackSoft, your Django development partner beyond code. Learn more about their services at the link in the description.