Author: Gonçalo Valério

  • Django Friday Tips: Security Checklist

    Security is one of those areas where it is very hard to know if everything has been taken care of. So you have been working on a project for a while and you want to deploy it to a production server: there are several settings in this new environment that should differ from your development one.

    Since this is a very common situation and there are many examples of misconfigurations that later turned into security issues, django has a security checklist (since version 1.8) to remind you of some basic aspects (mostly on/off switches) that you should make sure are set correctly.

    To run it on your project you simply have to execute the following command:

    $ python manage.py check --deploy

    After the verification you will be presented with warnings like this one:

    (security.W016) You have 'django.middleware.csrf.CsrfViewMiddleware' in your MIDDLEWARE_CLASSES, but you have not set CSRF_COOKIE_SECURE to True. Using a secure-only CSRF cookie makes it more difficult for network traffic sniffers to steal the CSRF token.

    More information can be found in the documentation. Since the checklist is built on the check framework, that framework has several other interesting use cases as well.
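    As an added example (not from the post and not Django's own code), here is a stand-alone stand-in for a subset of the `--deploy` checks, run against a plain settings dict so it works without a Django project; the check ids mirror Django's, while the conditions are an approximation of Django's own:

```python
# Added example: a minimal stand-in for a subset of `manage.py check --deploy`.
# It inspects a plain settings dict instead of a Django project, so it runs
# offline. Check ids mirror Django's security.* ids; the conditions are an
# approximation of Django's (the SECRET_KEY test in particular is simplified).
CSRF_MIDDLEWARE = "django.middleware.csrf.CsrfViewMiddleware"
SESSION_MIDDLEWARE = "django.contrib.sessions.middleware.SessionMiddleware"


def deploy_check(settings):
    """Return a list of (check_id, message) tuples for the given settings."""
    warnings = []
    # Django 1.8/1.9 read MIDDLEWARE_CLASSES; newer releases read MIDDLEWARE.
    middleware = settings.get("MIDDLEWARE") or settings.get("MIDDLEWARE_CLASSES") or []
    secret = settings.get("SECRET_KEY", "")

    if settings.get("DEBUG", False):
        warnings.append(("security.W018", "DEBUG must not be True in deployment."))
    if len(secret) < 50 or len(set(secret)) < 5:
        warnings.append(("security.W009", "SECRET_KEY is missing, too short or too repetitive."))
    if not settings.get("SECURE_SSL_REDIRECT", False):
        warnings.append(("security.W008", "SECURE_SSL_REDIRECT is not True; plain HTTP is served."))
    if not settings.get("SECURE_HSTS_SECONDS"):
        warnings.append(("security.W004", "SECURE_HSTS_SECONDS is not set; no HSTS header is sent."))
    if not settings.get("SESSION_COOKIE_SECURE", False):
        warnings.append(("security.W012", "SESSION_COOKIE_SECURE is not True; the session cookie can travel over HTTP."))
    # The W016 case quoted in the post: CSRF protection is on, but its cookie is not secure-only.
    if CSRF_MIDDLEWARE in middleware and not settings.get("CSRF_COOKIE_SECURE", False):
        warnings.append(("security.W016", "CsrfViewMiddleware is enabled but CSRF_COOKIE_SECURE is not True."))
    return warnings


def warning_ids(settings):
    """Only the check ids, in the order deploy_check emits them."""
    return [check_id for check_id, _ in deploy_check(settings)]


# Constructed sample: a typical development settings file...
DEV_SETTINGS = {
    "DEBUG": True,
    "SECRET_KEY": "dev",
    "MIDDLEWARE_CLASSES": [SESSION_MIDDLEWARE, CSRF_MIDDLEWARE],
}

# ...and the same project with every switch set for production.
PROD_SETTINGS = {
    "DEBUG": False,
    "SECRET_KEY": "".join(chr(0x21 + i % 60) for i in range(64)),  # constructed; generate a real one
    "MIDDLEWARE_CLASSES": [SESSION_MIDDLEWARE, CSRF_MIDDLEWARE],
    "SECURE_SSL_REDIRECT": True,
    "SECURE_HSTS_SECONDS": 31536000,
    "SESSION_COOKIE_SECURE": True,
    "CSRF_COOKIE_SECURE": True,
}

if __name__ == "__main__":
    for check_id, message in deploy_check(DEV_SETTINGS):
        print(f"({check_id}) {message}")
    print("production:", deploy_check(PROD_SETTINGS) or "no warnings")
```

    Running it prints the six warnings for the development settings and none for the production ones; the real command also checks other switches (X-Frame-Options, browser XSS and content-type sniffing headers, and so on).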

    Interested in more information about security in django? Check this video from the last edition of “Django Under the Hood”.

  • 3 Months of Remote Work

    Three months have passed since I left the office and started working remotely (+1000 km). In this post I share the “pros and cons” of my short experience, even though many people across the Internet have already covered this topic extensively.

    Whitesmith has been “remote friendly” since the first day I joined; more recently the company is trying to become a “remote first” business, as described in a recent blog post. What this means is that remote workers should be treated as first-class citizens and the company’s processes should assume that all employees are working remotely. This mindset gave me the possibility to move farther away for a while.

    The first thing I did was to rent a table in the nearest co-working space, because staying 24/7 in the same house is not my thing. It was a good decision: this way it is possible to meet and interact with new people from different backgrounds regularly, and I have a spot where I can focus without too many distractions.

    Regarding job-related issues, the asynchronous nature of remote work is both its biggest strength and, at the same time, its biggest drawback. I say this because all the liberty and flexibility come with a cost, which is the lack of a fast feedback loop and of that instant discussion on the spot that settles everything, without the need for more message round trips or checking my peers’ availability for a quick video call.

    On the social side, one aspect that I noticed (and already expected before embracing this new experience) was a small detachment from what’s going on in the office. Slack is more active than ever, but it is not the same as the “water cooler”, plus new people are constantly joining. Without a physical presence it is hard to get to know the newcomers.

    Even though there are these rough edges, I’m really enjoying working remotely. In 2016 I will try a few new strategies to overcome the above obstacles, such as:

    • Improve my written communication skills
    • Avoid slack for long running discussions and prefer more structured platforms
    • Organize some on-line activities/events
    • Work on small projects with the new teammates

    Let’s see how it goes in the next few months.

  • Django Friday Tips: Managing Dependencies

    This one is not specific to django, but it is very common during the development of any python project. Managing the contents of the requirements.txt file, which sometimes grows uncontrollably, can be a mess. One of the root causes is the common work-flow of using virtualenv, installing all the required libraries with pip and then doing something like:

    $ pip freeze > requirements.txt

    At the beginning this might work great; however, soon you will need to change things and remove libraries. At this point things start to get a little trickier, since you do not know which lines are a direct dependency of your project or whether they were installed because a library you already removed needed them. This leads to some tedious work in order to keep the dependency list clean.

    To solve this problem we can use pip-tools, which helps you declare the dependencies in a simple way and automatically generates the final requirements.txt. As shown in the project README, we can declare the following requirements.in file:

    django
    requests
    pillow
    celery

    Then we generate our “official” requirements.txt with the pip-compile command, which will produce the following output:

    #
    # This file is autogenerated by pip-compile
    # Make changes in requirements.in, then run this to update:
    #
    #    pip-compile requirements.in
    #
    amqp==1.4.8               # via kombu
    anyjson==0.3.3            # via kombu
    billiard==3.3.0.22        # via celery
    celery==3.1.19
    django==1.9
    kombu==3.0.30             # via celery
    pillow==3.0.0
    pytz==2015.7              # via celery
    requests==2.8.1
    

    Now you can keep track of where all those libraries came from. Need to add or remove packages? Just edit requirements.in and run pip-compile again.
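    As an added example (not part of pip-tools or of the post), the script below parses the “# via” annotations from the pip-compile output above, tells direct pins from transitive ones, flags orphaned pins whose parent is no longer in the file, and works out which pins become unneeded when a requirement is dropped from requirements.in:

```python
# Added example (not from pip-tools): parse pip-compile's "# via" notes to
# tell direct pins from transitive ones, and to find which pins become
# unneeded once a requirement is dropped from requirements.in.
import re

# The post's requirements.in, and its pip-compile output (comment header omitted).
DIRECT = ["django", "requests", "pillow", "celery"]
REQUIREMENTS_TXT = """\
amqp==1.4.8               # via kombu
anyjson==0.3.3            # via kombu
billiard==3.3.0.22        # via celery
celery==3.1.19
django==1.9
kombu==3.0.30             # via celery
pillow==3.0.0
pytz==2015.7              # via celery
requests==2.8.1
"""

# name==version, optionally followed by "# via parent1, parent2"
PIN_RE = re.compile(r"^([A-Za-z0-9_.\-]+)==(\S+)\s*(?:#\s*via\s+(.+?))?\s*$")


def parse_pins(text):
    """Map each pinned name to (version, parents named in its '# via' note)."""
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = PIN_RE.match(line)
        if not match:
            raise ValueError(f"unrecognised pin line: {line!r}")
        name, version, via = match.groups()
        parents = [p.strip().lower() for p in via.split(",")] if via else []
        pins[name.lower()] = (version, parents)
    return pins


def classify(direct, pins):
    """Split pins into direct, transitive and orphaned (no present pin needs them)."""
    groups = {"direct": [], "transitive": [], "orphaned": []}
    for name, (_, parents) in sorted(pins.items()):
        if name in direct:
            groups["direct"].append(name)
        elif any(p in pins for p in parents):
            groups["transitive"].append(name)
        else:
            groups["orphaned"].append(name)
    return groups


def unneeded_if_dropped(direct, pins, removed):
    """Pins that nothing reaches any more once `removed` leaves requirements.in."""
    needed = {d for d in direct if d != removed}
    changed = True
    while changed:  # propagate "needed" along the via edges until stable
        changed = False
        for name, (_, parents) in pins.items():
            if name not in needed and any(p in needed for p in parents):
                needed.add(name)
                changed = True
    return sorted(set(pins) - needed)
```

    Dropping celery from requirements.in, for instance, makes amqp, anyjson, billiard, kombu and pytz unneeded as well, which is exactly the bookkeeping a hand-maintained requirements.txt loses.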

  • Securing IoT Devices

    During the first couple of months of 2015 I worked a “little” on the subject of security in the Internet of Things world, even though there is already a lot of information about this topic and its crucial role in this new era of the IoT. So today I will share a small document I’ve compiled with information about simple issues that we should take for granted in the functionality of these devices, but which I found out aren’t always done the right way.

    This document was written at the beginning of the summer, but today I decided to recompile the .tex files and share it here. The PDF version can be found in this link and a web version for quick consultation below in this post.

    The document is always open to updates and improvements, so if you have any suggestions just send me an email or leave some feedback in the comments section.

  • Django friday tips: Switch the user model

    In the most recent versions of django you’re no longer tied to the default user model. So unlike what happened some time ago, when you had two models (User and Profile) “linked” together through a one-to-one relationship, nowadays you can extend or substitute the base user model.

    It is as simple as adding the following line to your settings.py:

    AUTH_USER_MODEL = 'djangoapp.UserModel'  # format is '<app_label>.<ModelName>'; for the User class below it would be 'djangoapp.User'

    If you only want to extend it and avoid having to implement some boilerplate, you should subclass AbstractUser like this:

    from django.contrib.auth.models import AbstractUser


    class User(AbstractUser):
        # Add your extra fields here; AbstractUser already provides username,
        # email, password, first/last name and the permission-related fields.
        pass
    

    This way you will be able to use all the predefined features, and even reuse the admin configuration of the default user model by doing the following in your admin.py file:

    from django.contrib import admin
    from django.contrib.auth.admin import UserAdmin as DefaultUserAdmin

    from .models import User  # assumes the User class above lives in this app's models.py


    @admin.register(User)
    class UserAdmin(DefaultUserAdmin):
        # Inherits the default user admin; override fieldsets/add_fieldsets
        # here when you add fields that should show up in the admin.
        pass
    

    If you are starting out I hope this information was useful.

  • Getting ready to ruumbleee…

    After being absent last year, today I start my participation in the Rails Rumble event. Together with a teammate we will try to finish a project within the next 48h, using Ruby and its Ruby on Rails web framework. Personally I enjoy this kind of challenge, even though it’s not guaranteed that we will be able to finish anything. This is what happened 2 years ago, when we weren’t able to finish our project: our final push had a bug that made the application completely unusable. Even without winning anything, we learned a lot and had some fun.

    Later we continued working on that project for a while; eventually we were able to enter other contests with it and obtained very good feedback. The application was called Payup and is still online (but it doesn’t work very well).

    Payup landing page

    However, the market for this kind of application already had many competitors, some of them more mature and well established. Our app had some flaws that needed to be fixed, and with our day jobs and other projects we slowly let it die. But hey, it wasn’t bad for the work of one or two weekends.

    Not every personal project, whether related to a hobby or coming from a challenge, must necessarily be a huge success and be maintained forever. That is the great thing about this kind of project: you do it, you succeed or you fail, and you move on to the next one and keep learning new stuff. If you had to maintain forever every project or experiment you once worked on, you would probably lose interest in starting new things, even if they were just for fun.

    So today, we will do it again. I’m searching my list of ideas and discussing them with a teammate. A new ride is about to start…

  • Plasma 5 doesn’t start in Debian (testing)

    Well, I just lost a few hours of my time trying to solve an issue caused by an upgrade to my debian workstation. My desktop environment, which is KDE Plasma 5, was not starting, so I had to switch to Gnome for a while to use my computer and do my work. Also, almost all KDE applications were failing to start, with some “Dbus” related errors.

    After some research I found a few references that led me to the solution:

    Especially this reply was very useful:

    So after trying lots of things the solution was simple: just downgrade the library that was causing the problem until it is fixed. So I looked at my local archives and fixed the issue with the following command:

    $ sudo dpkg -i /var/cache/apt/archives/libqt5x11extras5_5.4.2-2+b1_amd64.deb

    I hope this is useful to you and can save you some time if you are having similar issues.

    P.S.: I hadn’t used Gnome for a long time and after this ~6 hour experience, I hope I don’t need to go back. I tried to play around a bit and it has some soul-crushing limitations (at least in the base installation): for example, if you want to choose another wallpaper, it must be in a certain folder. Another one, for people that use 2 displays: only the main one changes when switching between virtual desktops.

  • Democratizing the Eurozone

    Yesterday one of the most influential figures of this year’s European political scene visited Portugal. I was totally unaware of the event, but thanks to the reddit community I was able to discover the video of the talk given by Yanis Varoufakis at the University of Coimbra. It’s a long video, but I can assure you it is worth your time, both the lecture and the discussion that followed.

    The issues addressed and discussed in the video are very pertinent and, independently of your political views, deserve to be the object of reflection and broader discussion in order to solve the current state of affairs in Europe.

    P.S.: Mr. Varoufakis’ lecture only begins at minute 00:40.

  • Multimedia tools for Linux

    Convincing someone to try and adopt a Linux-based operating system is a hard task, not because these systems are hard (nowadays) or don’t offer enough functionality, but mainly because once people learn to use a certain system/product and it is already ingrained in their workflow, changing is hard.

    I’m certain this is the main line of thinking for many companies when they offer their products for free to students during college. After that period, switching to something else feels like a waste of time (even without addressing the non-interoperable file formats that chain the users even more).

    In the field of software development we don’t notice this as much, since many of the tools we use for the majority of the tasks (programming languages, compilers, editors, debuggers, etc.) are already open, cross-platform, and there are lots of alternatives and competition. In many other areas this doesn’t happen. For a long time there has been this notion that free software doesn’t offer “alternatives” with enough quality to rival the widely established proprietary and expensive products in areas such as photo editing, vector graphics, video editing, 3D modelling, CAD software, sound editing, etc.

    So in this post I will try to aggregate a list of open-source multimedia tools and other non-free software that can run on Linux machines and that could be used by 75% of users for common and basic tasks, instead of relying on expensive software. I’m not saying that it covers all the use cases or that it fits everyone, but I’m certain that it fits the use cases from amateurs to some professionals, and can save them a “few” bucks.

    All of the following examples can be installed on different operating systems. Since adapting to new interfaces and work-flows is the most difficult part, people can try them first, change gradually and eventually move to a free operating system without losing any productivity.

    (I’m open to new suggestions, since, as is to be expected, I’m not aware of or haven’t tried everything that is out there.)

    Tool | Area | Website
    Gimp | Image Editing | gimp.org
    Krita | Illustration | krita.org
    Inkscape | Vector Graphics | inkscape.org
    Kdenlive | Video Editing | kdenlive.org
    Lightworks | Video Editing | lwks.com
    Natron | Video Compositing | natron.fr
    Blender | 3D Graphics and Animation | blender.org
    Audacity | Audio Editing | audacityteam.org
    Ardour | Audio Editing | ardour.org
    Scribus | Desktop Publishing | scribus.net
    Synfig | 2D Animation | synfig.org
    Darktable | Photography | darktable.org


    Updates:

    13/11/2015 – Added two more projects

    18/08/2016 – Added one more project

  • A heavy chat application

    Following up on the quote I posted some time ago in an entry entitled “Bloat”, I will leave here one good example. I know Slack is a great application and it has some complex features, yet I don’t see any reason for any chat program to steal almost 900 Megabytes of my computer’s memory.

    Note: I know the version I am using is still in beta, but c’mon guys, that’s too much.

  • Newsletters for Python web developers

    The amount of new information added each day to the web is overwhelming; trying to keep up daily with everything about a given topic can be a time-consuming process. One good way I found to tackle this problem, and to avoid wasting a good chunk of my day searching and filtering through lots of new content in order to know what’s going on, was to subscribe to good resources that curate this material and send it to my inbox at the end of each week/month.

    Over time I found that the following 4 sources have continuously provided me with a selection of good and up-to-date content summing up what I might have missed in the previous week/month related to Python and web development in general.

    Pycoders weekly

    This weekly newsletter is not focused on the web but addresses what’s going on in the python community, suggests good articles so you can level up your python skills and showcases interesting projects or libraries.

    Url: http://pycoders.com/

    Django Round-Up

    This one comes less frequently, but I found the quality of the content to be high. As its name shows, Django Round-Up focuses exclusively on content related to the web framework.

    Url: https://lincolnloop.com/django-round-up/

    HTML5 Weekly

    The first two were about the server side; with this one we move to the browser. HTML5 Weekly focuses on what can be done in the browser and where these technologies are heading.

    Url: http://html5weekly.com/

    Javascript Weekly

    Being a web development post, we can’t leave JavaScript behind, at least for now. This newsletter gives you the latest news and tools related to this programming language.

    Url: http://javascriptweekly.com/

    I hope you like them. If you find them useful you might also want to follow my Django Collection bundle (which I described in this old post), where I collect useful material related to the Django web framework.

  • Getting started with GPG

    Last week I gave a small workshop during the lunch hour (the famous Whitesmith “Lunch’n Learn”) about OpenPGP. It only covered the most basic aspects, so that non-technical people could be introduced to this tool, something that can be very useful when someone is sharing or working with sensitive information (either personal or work related).

    It covers aspects such as key pair generation, key revocation, exporting/importing keys and, obviously, encryption and decryption of documents. Most of the examples use a command line interface, but there are several frontends available which are straightforward to use once you are familiar with the concepts. Perhaps it can also be useful to you (somehow), so here is the link to the presentation; if you have any question feel free to ask in the comments section.

  • Integrating security tests into web applications

    Today I published a blog post about how to easily run and automate security tests while developing your websites and web applications using Zed Attack Proxy. The example uses the Ruby on Rails framework, but it is independent of any stack. I’m planning to write a follow-up article on the same theme, so any feedback on this first part is welcome. You can check the blog post here (whitesmith.co/blog) and the sample code here (Github).

  • “Bloat”

    Last week I read a great post entitled “Web Design: The First 100 Years”; it is a long one but definitely worth reading. I will just leave here a quote (3 short paragraphs) because it puts into words something that has already crossed my mind multiple times.

    “A further symptom of our exponential hangover is bloat. As soon as a system shows signs of performance, developers will add enough abstraction to make it borderline unusable. Software forever remains at the limits of what people will put up with. Developers and designers together create overweight systems in hopes that the hardware will catch up in time and cover their mistakes.

    We complained for years that browsers couldn’t do layout and javascript consistently. As soon as that got fixed, we got busy writing libraries that reimplemented the browser within itself, only slower.

    It’s 2014, and consider one hot blogging site, Medium. On a late-model computer it takes me ten seconds for a Medium page (which is literally a formatted text file) to load and render. This experience was faster in the sixties.” Maciej Cegłowski

  • Disable Firefox’s pocket integration

    Firefox has been my browser of choice for quite some time now. However, recent decisions made by Mozilla are increasing my desire to change soon. They added “ads” to the “new tab page”, changed the UI to just look like Chrome, decided to include DRM directly in the browser (more on that), etc. The last one was to include Pocket, a proprietary service, directly in the open-source browser.

    While this service might be useful for many users, other people do not like/use it. This kind of functionality should be relegated to pluggable extensions, one of the features that in its early days gave notoriety to Firefox. So a browser that was supposed to be light, open-source and extensible is slowly starting to drift away from its initial strengths. This post briefly describes what seems to be happening.

    Somebody yesterday wrote a rant about it with some valid points and concerns. So here’s how I disabled Pocket in my browser:

    1. Type “about:config” in the address bar.
    2. Click “I will be careful, I promise”.
    3. Search for “pocket”.
    4. Modify it as shown in the picture below.
    5. Restart the browser.

    [picture: disable-pocket]

    Small extra: if you, like me, don’t like the tab style that just looks like Chrome, you can switch to the development theme by changing “browser.devedition.theme.enabled” to true. Want the dark theme? Change “devtools.theme” to “dark”.

    Now let’s hope that Mozilla puts an end to this series of bad decisions in the near future.

    Note: In Firefox v40 the development theme is no longer available (or at least accessible), so to use it you will need an extension.