Django's goals are probably not our goals for our web application

The author essentially states that he just wants to build a website and &quot;be done with it&quot; and never have to touch it again. He seems to acquiesce that security updates are necessary, and I suppose his greatest complaint is that old versions of software (eg python 2, django 1.11) are no longer receiving security updates, which necessitates him to update to python3 and django 2.<p>I feel that. But on the other hand, without trying to sound too mean: what exactly does he expect? Is he also complaining that &quot;Windows&#x27;s goals are not our goals&quot; because Microsoft stopped supporting Windows XP? Does he complain that Ubuntu version 11 is no longer getting updates? Java SE 9?<p>For better or for worse, this is simply how software works. Things have to be updated. Unless you want to eschew security updates (which is not smart), there is never such a thing as a fully &quot;finished&quot; product. Software maintenance is part of the job responsibilities.<p>This post is particularly targeted at Django, but I feel that it applies to almost every web framework or piece of software, and I&#x27;m afraid this is unfairly casting Django in a bad light. I&#x27;m also afraid that we&#x27;re going to see a <i>lot</i> more posts like this in the second half of 2019 as we move towards python 2&#x27;s EOL date.

On the frontend, our company uses Backbone.js.<p>My favorite part of Backbone.js is that its development as a framework is essentially “complete” (it works as designed, functions reliably &#x2F; predictably, and the maintainers aren’t running in circles trying to reinvent the framework with breaking changes)<p>That said, I feel like I’m losing “street cred” for admitting that we still use Backbone.<p>It would be great, at least in my opinion, to see more frameworks like Backbone.js (with respect to reaching a “framework is complete” state).<p>Backbone.js Changelog: <a href="https:&#x2F;&#x2F;backbonejs.org&#x2F;#changelog" rel="nofollow">https:&#x2F;&#x2F;backbonejs.org&#x2F;#changelog</a><p>Edit: All of the above also applies to Underscore.js (<a href="https:&#x2F;&#x2F;underscorejs.org&#x2F;#changelog" rel="nofollow">https:&#x2F;&#x2F;underscorejs.org&#x2F;#changelog</a>)

The author writes that they have a particularly big piece of maintenance coming up.<p>&gt; The latest change we need is an especially large amount of work, as we will have to move from Python 2 to Python 3.<p>This sounds like the transition from Django 1.11 to (probably) Django 2.2, if they&#x27;re moving from LTS to LTS, and it definitely is a big piece of work if you also have to change python versions.<p>Django defined a release schedule DEP[0] a few years back to try to preference stability and reduce the amount of maintenance when moving between LTS versions, which is approximately every 3 years.<p>If your application runs on an LTS version without any deprecation warnings, then you <i></i>should<i></i> be able to move to the next LTS version without <i></i>any<i></i> changes. Which is nice in theory, but 3rd party packages in particular aren&#x27;t always aligned in such a nice way. If the stars align though, it is 6 years (LTS + LTS) of no changes.<p>This is all to say, I think the author has a point, but that Django has recognised the maintenance burden as an issue, and has tried to help developers with that as best they can, without just shutting down all progress. I think the balance is mostly right.<p>Moving from 1.11 to 2.2 should be mostly painless. Unfortunately, moving from Python 2 to Python 3 is going to make that more painful. From 2.2 the maintenance burden should be much less than in previous years. Stick with Django if the features meet your needs.<p>[0] <a href="https:&#x2F;&#x2F;github.com&#x2F;django&#x2F;deps&#x2F;blob&#x2F;master&#x2F;final&#x2F;0004-release-schedule.rst" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;django&#x2F;deps&#x2F;blob&#x2F;master&#x2F;final&#x2F;0004-releas...</a>

I feel their pain.<p>One of the big sites that I maintain was built upon a framework that was fine for its purposes five years ago. But the developers of that framework have decided to take it in a direction that is incompatible with the site&#x27;s goals.<p>Once I&#x27;m done with my current project, my next task is to rebuild that site without its current framework, and there&#x27;s a 95% chance I&#x27;ll go without any framework at all. Just plain HTML5 + PHP + MySQL + CSS3 + a <i>very</i> small amount of javascript.<p>I know it sounds primitive for a 700+ page site with interactive elements supporting English, Spanish, and Chinese; but earlier this year my boss gave me permission to de-framework a similarly-sized site, and it worked out really well.<p>Frameworks are great for many projects, but not all. It&#x27;s important to weigh the risks of being at the mercy of someone else, and that organization may eventually adopt a different vision of the future. Their pivot will not make your life easier.

This is endemic to the tech world. So much of it is invested in a reflexive forward momentum that is inimical to at least some of the products it facilitates. This is very much true for example of many pretty slow-moving small-scale line of business mobile &amp; web apps. So many of them end up being a waste of money after initial launch as the platform outruns them, and further work becomes, as the author here suggests, pure overhead.<p>It&#x27;s among the reasons I tend to be deflationary when being consulted with about extending web or mobile presence by small business. Often I just suggest they don&#x27;t bother, or do something far more minimal than their first impulse.

This is a need I’d like to see addressed more broadly in software. The computing needs of many in my non-technical entourage have not changed meaningfully in the past 10 years - they crop photos, write letters, put together videos of family holidays, do basic spreadsheets, etc - and yet every few months I field support requests because their software has updated and some feature has gone missing, or the UI has been redesigned, or it’s not compatible with the new OS update, etc.<p>Bug&#x2F;security fixes and new format support (eg a photo editor probably wants to support HEIC in the 202x) are fine, but we don’t really need the user facing part to change. This is a niche that seems open source could fill nicely.<p>(The big edge case in all this is the web browser)

There&#x27;s a business opportunity here that Rails people already caught onto: you can start a 3rd-party &quot;Django LTS&quot; service that backports security fixes, and charge money for that.

I think complexity here is migration to Python 3. Seems like the author picked Django and Python 2 in 2011. Python 3 was released in 2008. So by 2011 should have been clear that you might be facing a migration project sometime in future. Having made that choice getting 8 years out of Py 2 is pretty good. (Not saying he made the wrong choice. Would have made the same choice myself.)

I&#x27;m aware of the well-established movement to static websites for (mostly) static sites, but what work is happening right now to counter this problem in rich web applications? Are there frameworks that take a stance that favors stability and maintenance?

Different frameworks and language run-times move at different paces. It&#x27;s very often the case that projects don&#x27;t match their product pace and life-cycle to their toolset pace and life-cycle. &quot;Standards&quot; be it ABIs, APIs, data formats or markup languages all have different paces and life-cycles. Then there are the paces and life-cycles of the stacks underneath, the OS, the hardware, networks and data sources.<p>Then there&#x27;s the security question. If this is a concern at all, ultimately the system may need to be air-gapped (e.g. like many systems depending on Windows XP are these days) to safely keep it running in lieu of fixes.<p>Another approach is common in the gaming scene with painstaking work on timing and bug-accurate emulation to keep old software running.<p>Ultimatley every system has a cost per annum, not a static capital cost. The end game being to maintain the hardware and &quot;firewall&quot; or update the software.

The author isn&#x27;t considering an alternative strategy, which is to address security issues in-place (i.e., without upgrading Django). This means keeping up on them and substantively addressing them through configuration or possibly custom code, but for something they want to freeze in time with respect to a platform, it&#x27;s a reasonable choice.<p>Every time I&#x27;ve had security issues to address, there&#x27;s almost always a short term fix (close a port, disable a particular eval method). In the cost&#x2F;benefit analysis of maintaining a legacy app, it&#x27;s a legitimate option to simply rely on those.

Take a day or two to do your upgrades once in a year and you&#x27;ll be just fine. Start upgrading your own plugins as soon as possible, so that you can learn how to practice the upgrade steps. Python 2 to 3 was hard for me for the first few codebases, but then piece of cake for the other dozens of codebases I have upgraded.

I don&#x27;t really understand the point being made here. Can someone reinterpret for me please?

That&#x27;s why you develop in Common Lisp. The language specification is 20 years old and is never getting updated. Your software will work forever!

Vanilla PHP is your friend then. Don&#x27;t use frameworks.