Day 1 of PyCon AU 2019: DjangoCon

I'm attending PyCon Australia this year, and I'll try to give a daily overview over the talks I attended and looked up afterwards. If you prefer reading text over watching video, this might be for you.

The first day of PyCon Australia consists of four separate tracks, or mini conferences, in parallel: Security & Privacy, DjangoCon, Education, and Science & Data. I attended the DjangoCon track, so this is what happened there. I might get round to watching the videos of the other tracks, in that case I'll publish additional blog posts!

Rust's Recipes for Code and Community

E. Dunham gave a brilliant keynote, complete with hand-drawn illustrations, on how the Rust community manages decisions, and how the community works. Issues like group decisions and steering a language community have a big potential to go wrong (and in fact, the Python community is struggling with many of the aspects mentioned), so this was very good to hear. In addition, we were also told how (and when!) to include Rust code in Python projects, which I'm sure will come in handy for some, and is way easier than I would have suspected.

The notes on community interactions start on a high level, like community attitude towards change and compatibility, and follow through to resulting choices like tooling – for example how mailing lists are somewhat incompatible with good CoC enforcement. Very good thoughts all around, and I appreciate how non-partisan and helpful the talk was – at no point there was even a hint of a language war, or a "use X instead of Y" attitude.

Safely eval Python syntax using the AST module

Common wisdom is that you can't make Python's eval safe – in fact, this is the topic of countless CTF challenges, as you can see in one of my earliest blog posts. Tim Savage shows neat ways of using the AST module to figure out what a code string is going to do, and how to whitelist specific actions (like, assigning variables – this starts at a low level!) to make eval actually usable.

Web Accessibility In Django

Parth Shandilya shared ways to improve the accessibility of your websites. I appreciated that he stressed that some improvement is always better than no improvement, so putting off accessibility because there is so much to do is just a lazy excuse. He also shows how everybody profits when a website is made accessible, and the current state of web accessibility world-wide. This was a solid and up-to-date introduction to the topic, including current topics like ad-blockers and tools like Alexa and Google Assistant.

Forklifting Django: Migrating A Complex Django App To Kubernetes

Noah Katrowitz gave a very hands-on explanation of how to start using Kubernetes (which is apparently too long to type, and is hence shortened to K8S – wonder when Django will become D4O) with a fairly typical Django application, including a Celery setup and some other moving parts. I wasn't familiar at all with the Kubernetes world before that, so there was a lot to take in. This talk probably works best if you have at least looked at Kubernetes before, or if you follow up by reading around in the ecosystem.

I appreciated very much how Noah pointed out current challenges and how to resolve them, including which tooling has usability and security issues. This is exactly the kind of advice I'd hope to get from a talk, so if you have any intention to get any Python application to run on Kubernetes, this talk will be a very good starting point to get an overview over what to use and how to structure the move.

WASM matter?

Russell Keith-Magee, the grand master of running Python on platforms not quite intended to run Python, explains Web Assembly. This talk has it all: If you're not quite clear on how compiled languages work, or how interpreted languages are different, you'll get a very comprehensive introduction into the basics. If you have a vague memory of asm.js or WASM, you'll get illustrated examples of how Web Assembly works and what WAT files are (naming things, people!), you'll get code examples that explain this part of the puzzle. And we even get to see how to compile C to run in the browser. It's an age of trippy magic, seriously.

A great talk to get both a high-level understanding of WASM, and to see how to actually use it, and what the future of WASM could be.

Just Add Await: Retrofitting Async Into Django

Andrew Godwin, currently better known as the wizard single-handedly pulling Django (not quite kicking and screaming) into the async age, explains this latest epic project. Adding async to Django is a huge amount of work, and Andrew did a tremendous job by

  • Writing channels to figure out how to deal with websockets/async things in relation to Django
  • Writing a wonderful and readable outline on how to add async to Django
  • Then going on to write DEP-9, an incredibly detailed and readable proposal on a roadmap and feature set in Django
  • Implementing ASGI compatibility for Django
  • Implementing async compatibility up to the views layer (tests still failing, nearly ready to be merged, but still)

This 70-minutes talk introduces async concepts, illustrates how and where async is tricky, and how the combination between async code and sync code can work. Andrew then drills down to the actual issues encountered in Django, like database access, threadlocals, and lots of other fun stuff. This talk tackles a very complex topic, and it's impressive how well Andrew managed to explain it. These 70 minutes are well worth your time if you have any interest in asyncio, or the async effort in Django.

Pony, Cat, and Paw: Getting Started with the Open Source Menagerie

It me! I gave an introduction into contributing to Django by way of pull requests, triage, and PR review, because that's not always as straightforward as it looks. The talk walks you through a PR contribution, starting at ticket selection, and then including PR checklists, review advice, where to get help, and how to tackle problems you may run into. If you want to start contributing to open source projects, particularly Django, this is for you! The slides, which were a point of pride, are online here with detailed notes and links.

The Unspeakable Horror of Discovering You Didn't Write Tests

In a very entertaining talk, Melanie Crutchfield gave an introduction into how to get into testing, what these different kinds of tests are, and how to write tests for a Django project. Among lots of hilarious commentary, she shared best practices (yay pytest), so if you're not terribly familiar with testing, or have been putting off adding tests to your projects, please go and watch this talk!

Using Python, Django, and ruthlessness to protect people from social media harassment.

You can always rely on Tom Eastman to pack a punch, and this closing talk did not disappoint. The central thesis: If you have the ability to protect people from harm, you have a moral obligation to do so.

In what never quite descended into a rant about the harmful and intentionally abuse-spreading behaviour Twitter encourages and even builds, Tom showed his project secateur. Secateur provides you with the ability to block or mute people temporarily, and to block people and their followers temporarily.

The implementation details were a great showcase for the complexity that creeps in even in a limited scope like this, and the things to take care of: This includes both API timeouts and rate limits, and reasoning about threat vectors: By running an app like that, you have sensitive data of your users (at least their block lists and absurdly capable API token), so it's your responsibility to make sure those are safe – or to allow your users to run the code themselves, by open-sourcing it.