
This Week in Django is a weekly podcast about all things Django.
This week we discuss Django 1.0 Beta 1, a bunch of source commits, some cool projects from the community, and a tip of the week.
Please see the Show Notes below for all the pertinent information and links.
Downloads
AAC Enhanced Podcast (40.1 MB, 48:34, AAC)
MP3 Edition (33.4 MB, 48:34, MP3)
OGG Edition (26.2 MB, 48:34, Vorbis)
The Enhanced Podcast version contains screenshots and easy access links to all of the items we discuss throughout the podcast.
Give Us Feedback
Want to give us some feedback on the show? We’re always looking for ideas or suggestions that will help improve each episode. Please contact us at feedback at thisweekindjango.com.
Show Notes
Big News (0:36)
- Django 1.0 Beta 1 – Just released. Great point of stability and the ongoing press towards 1.0.
- Upcoming Events
  - August 21, 2008 – Django 1.0 release candidate 1
  - August 22, 2008 – Sprint based in Portland, Oregon, USA, and online in #django-sprint on freenode.
Tracking Trunk (4:29)
- Changed exact matches in MySQL to use database native collation (8319) – This might alter the behavior you were expecting.
- Removed validate methods (8348) – These were not used or supported. Post version 1.0 will have a kick ass-validation implementation.
Community Catchup (21:50)
- Cyberstar – Adrian Holovaty is as red-hot as a techie can get. His EveryBlock.com tells you all about your neighborhood-including who’s taking bribes
- Horror Story with GeoDjango – Alberto García Hierro posts about some of his frustrations with converting over a geo-based project to GeoDjango.
- GeoDjango Dependencies Installed through Apt Get on Ubuntu – Nice wiki information on how to get all of the GeoDjango dependencies installed without a lot of fuss.
- Django on Jython: It’s here! – Pretty impressive. Django is now running on Jython unpatched.
- GenericForeignKeys with less queries – Another excellent post by Horst Gutmann where he outlines how to do content loading yourself to reduce the number of queries when working with Generic Foreign Keys.
- RequestFactory Snippet – This snippet by Simon Willison makes it easy to create mock request objects in Django, which you can then use for testing view functions directly (bypassing the current test client mechanism, which requires views to be assigned to a URLconf before they can be tested).
Tip of the Week (38:04)
This Tip of the Week comes from Eric Holscher in his blog post titled, Using mock objects in django and python testing.
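```python
import datetime
import unittest

# TemplateTestCase (which provides self.render) comes from the blog post and is not shown here.
class LoadDateutil(TemplateTestCase):
    def test_load(self):
        olddatetime = datetime.datetime
        # Swap in a datetime class whose now() always reports 05:00.
        datetime.datetime = make_datetime(5)
        try:
            self.assertEqual(self.render(u'{% load dateutil %}{% ifnight %}Hi{% endifnight %}'), u'')
        finally:
            # Restore the real class even if the assertion fails.
            datetime.datetime = olddatetime
```

The implementation of make_datetime looks like:

```python
import datetime

def make_datetime(hour):
    """Return a datetime subclass whose now() is fixed at the given hour."""
    class MockDatetime(datetime.datetime):
        @classmethod
        def now(cls):
            return datetime.datetime(2007, 1, 1, hour)
    return MockDatetime
```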
- Mock by Michael Foord – Makes mocking out objects for testing purposes really easy.
- GitPython – Python interface to Git. Uses Mock by Michael Foord to mock out a Git repository.
Thank You! (43:02)
- The Show
- Brian Rosner
- Kevin Fricovsky
  - Monty Lounge Industries – Kevin’s web strategy, design, and development company.
  - How I Work Daily – Kevin’s blog.
- Michael Trier
- Running Time: 48:34
Comments
Darren said…
I can hear all the twid viewers shouting from the rooftops - Yeah at last 'a django site'.
Congrats guys
Felix Ingram said…
RE: Session attacks
Hi guys,
You mentioned a change which allowed moving from anonymous to authenticated sessions and asked for some feedback around the security issues associated with this, so I thought I'd oblige. The issue with this is based around the actual session ID itself. The attack is normally seen in a public terminal scenario. The malicious party uses the terminal and captures the current (anonymous) session ID. When the victim comes at a later time and authenticates to the application then the attacker will be able to spoof their session ID on another terminal and act as the authenticated user with all of their privileges.
This is only an issue if the session ID remains the same in the anonymous and authenticated sessions, so it'd be good if you could let us all know whether a new ID is generated upon authentication (keeping all the other data intact) or whether it stays the same (in which case we should file a ticket).
Hope this makes sense.
Malcolm Tredinnick said…
I haven't listened to the episode, so I'm not sure of the original question, but in response to Felix Ingram's comment: the code to recycle the session key when moving to authenticated isn't in trunk yet, but it is written. I wanted to let the first round of changes settle a bit first to work any bugs there before introducing this last place where the session key will be changed. It's just a matter of only having to debug one problem at a time. So, yes, that attack vector is something we're aware of and will be guarded against in 1.0 -- code will be in the tree in the next couple of days.
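The check Felix asks for and the fix Malcolm describes, as an added example that is not part of either comment and is not Django's code: a toy in-memory session store in which `SessionStore`, `cycle_key`, `login` and `fixation_outcome` are hypothetical names. It compares what the pre-login session ID resolves to after authentication, with and without key rotation, while keeping the anonymous session data intact.

```python
import secrets


class SessionStore:
    """Toy in-memory server-side session store (illustrative, not Django's)."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        key = secrets.token_hex(16)
        self._sessions[key] = {}
        return key

    def get(self, key):
        return self._sessions.get(key)

    def cycle_key(self, old_key):
        """Move the session data to a fresh key and invalidate the old one."""
        data = self._sessions.pop(old_key)
        new_key = secrets.token_hex(16)
        self._sessions[new_key] = data
        return new_key


def login(store, key, user, rotate=True):
    """Mark the session authenticated; return the key the client must use next."""
    if rotate:
        key = store.cycle_key(key)
    store.get(key)["user"] = user
    return key


def fixation_outcome(rotate):
    """Replay the public-terminal scenario; return what the pre-login key maps to."""
    store = SessionStore()
    anon_key = store.create()               # ID known to the earlier terminal user
    store.get(anon_key)["cart"] = ["book"]  # constructed anonymous data to preserve
    victim_key = login(store, anon_key, "alice", rotate=rotate)
    # The legitimate user always ends up with their data plus the login state.
    assert store.get(victim_key) == {"cart": ["book"], "user": "alice"}
    return store.get(anon_key)              # what the old ID resolves to afterwards


if __name__ == "__main__":
    print("no rotation:", fixation_outcome(rotate=False))
    print("rotation:   ", fixation_outcome(rotate=True))
```

Without rotation the pre-login ID resolves to the authenticated session; with rotation it resolves to nothing, which is the property to test for in any login path.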
mike said…
"Post version 1.0 will have a kick ass-validation implementation."
Wow, that's awesome!! How does it work? Can I upload pictures of naked butts and Django then scores them for me, like: "Oh yeah, that's hot! Definitely 10 out of 10."
I guess you guys know this one ;)
http://xkcd.com/37/
haha said…
It would be good if we could just play it directly without downloading