Keynote: make me make good choices - Jessica McKellar

Tags: django, djangocon

Jessica McKellar is a PSF member and a twisted core developer.

Her goal: education and best practices by default for novice web developers. She started with OSX’ for-the-blind automatic reading of the Django homepage. We should learn to be inclusive to two kinds of people:

  • End users.
  • New developers.

Accessibility

One aspect accessibility. What about color blindness? She showed a status page with sites that were down or up, indicated with green/red lines. But she showed it as a red-colorblind person would see it. You could not make out the red ones. (Striking example!)

The most important standard is http://www.w3.org/WAI . One of the accessibility guidelines is to have an alt text on images. So she went to the django homepage and dissected it. The logo had a proper alt="logo". But a couple of highlight images did not. And those are examples that novice developers will copy/paste!

There are tools to help you. For instance a firefox addon for contrast checking.

How can Django help people like me to avoid, detect and address accessibility issues? One of the ways is to set a good example, to audit ourselves: websites, conference websites. And is there an accessibility tutorial?

Security

Django’s security is pretty good. But we need to keep the bar high. There are two basic things we can do to help end users and (mostly) new developers:

  • Conservative defaults.
  • Education.

Django already has protection for a lots of common security holes like XSS and CSRF and SQL injection (see Erik Romijn’s earlier talk on security). But originally CSRF protection needed to be enabled by hand. This means that the novice needs to be told to do it. (Note: it is on by default now, iirc).

Django 1.4 has clickjacking protection now. It is easy to enable but, again, a novice developer needs to be told to actually do it. And what about SESSION_COOKIE_SECURE? Should that be on by default?

Look at django-secure that “helps you remember to do all the stupid little things” to make your django site more secure.

How can django help? Even more conservative defaults? Part of the overview and tutorial? A specific security tutorial or checklist?

Internationalization

Localization, translation, timezones: done. Unicode everywhere: done.

But: hard-baked into django.contrib.auth is the name of the user: first name plus last name. But that really really does not fit a lot of cultures.

It is a hard problem to address. Thanks to the developers to stick with it, there’s over 6 years of thoughtful discussion about it on the django-developers mailinglist.

She showed a couple of well-known people and how the django first name/last name form breaks down for them. For instance world chess champion Anand. That is his name. Just that one word. If needed, you can add his father’s name if it is necessary to differentiate from another Anand.

She asks the core developers to really address this. Perhaps the easiest is to have a “full name” field and a “what should we call you when we send you an email” field?

(I saw a tweet after the talk by @andrefsp that illustrates it well: “My name is ‘Andre Filipe Santos da Palma’ and I never know what to type on those First and last name input boxes.)

Identity

Perhaps strange, but some people get a bit upset with the standard dropdown example “male/female”. They feel that that binary choice doesn’t properly represents them.

Can we find another example to use?

Closing comments

Django does already a really good job on most points!

But the bar needs to be even higher. We should help new developers make good choices by education and best practices.

Fietsen
blog comments powered by Disqus
 
vanrees.org logo

About me

My name is Reinout van Rees and I work a lot with Python (programming language) and Django (website framework). I live in The Netherlands and I'm happily married to Annie van Rees-Kooiman.

Weblog feeds

Most of my website content is in my weblog. You can keep up to date by subscribing to the automatic feeds (for instance with Google reader):