by mg 1035 days ago

    You don’t want to deal with ...
Well, I do all that and it works just fine for me.

All my projects are 100% my own code down to the core. No frameworks, nothing. There might be some traces of jquery in there from when browsers were more unreliable. I don't even use that these days.

To get to know those frameworks, I built some projects with Symfony, Laravel, Django and some others. But it didn't stick. They are too aggressive in their "do it my way, don't worry what happens behind the scenes, let me do the magic" approach. I had the best impression of Django. That is the only one I might give another try.


How’s your vulnerability reporting process and how much experience do you have interpreting complicated pen tester bug reports about some buffer overflow zero day in your homebrew query string parser?

Huge difference between working fine and working right. The security implications of rolling your own are why I say "you don't want to…"

Also, none of that code has anything to do with the product you're actually trying to build. IMO it's additional maintenance, tech debt, and attack surface, and it's a solved problem by a large community that has more knowledge from the security community baked in, and more eyes finding and plugging holes.

In the aughts, when everyone was rolling their own framework, security and maintenance were a nightmare. It's undeniable. We traded one problem for another, however, and we've gone too far. I think the question at hand is which is more secure/maintainable: 10 KB of custom utilities or 100 MB of mystery-meat modules that, let's face it, will never be reviewed. It's not a simple answer.

Smaller file sizes or less LOC is not inherently safer than larger sizes or more LOC. If you're building web apps, you're more than likely reaching for a handful of packages, and so are millions of other people, and so are multi-billion-dollar companies, companies with staff whose job it is to do supply chain security, PCI compliance auditing, and security assessments, who hire pen testing firms, and some even write browsers and can sway the direction of our entire industry and the internet as a whole. Countless static code analyses are run on the millions of CI jobs a day on builds that pull in the package, etc. If you're using popular and maintained open source packages, people are looking at them. Shy away from no-name packages with no usage unless you personally look at the code. That's my take on it. I tend to trust the open source community to all be working towards the shared goal of well-crafted and secure code for the world to use and benefit from.

I've yet to find a framework that I really like. Ironically, most Python frameworks feel like they force way more coupling on your code than necessary, which is awful considering they are a dynamically typed language. So it feels like the worst of all worlds: Python performance, high coupling to something you don't control, and dynamic typing.

I understand why these are designed that way, but also don’t enjoy using them. Frameworks can feel very narcissistic in that sense, all the code is about them, despite their promise that you’ll focus on your domain more.

I need to play with some of the Kotlin web libraries more, such as ktor or Javalin. There has to be something better out there.

Django is a super heavy framework that includes most anything you'd ever want. There's a ton to learn. Have you tried lighter-weight ones like Flask? I much prefer a lightweight web framework with an easy-to-use ORM/ODM.

Also, even though you don't use frameworks, I assume you use various libraries to handle web requests and such, right?

How is Django more heavy than Flask?

When I think about heavy, I think about how hard it would be to replace the framework with my own code in the future. So I don't like magic.

One thing that keeps me from investigating Flask further is that Django seems to be way more popular:

https://trends.google.com/trends/explore?date=all&q=django%2...

So it will probably stay around longer.

Other devs and I maintain this repo, which shows how to get from a fresh Debian install to a running web app via different frameworks:

https://github.com/no-gravity/web_app_from_scratch

As you can see, it also has a Flask version.

Contributions are welcome!

As for libraries: PHP has great HTTP and HTML support built in already. Python is a bit tricky in this regard. That's why I would give Django another try for new web projects. But I also had success just rolling my own HTTP/HTML code in Python.

>How is Django more heavy than Flask?

Because it is, by far, a much larger project? Django has 551k LoC in 31933 commits, Flask has 27k LoC in 5156 commits. Django's philosophy is "be opinionated, and bundle everything necessary for developers". Flask's philosophy is "do just one thing and just be a good HTTP server, let users pick a solution to all the other problems". Django is a full-blown framework, whereas Flask is almost a library. Both approaches are OK, but from your previous message (GP) you prefer lightweight and magic-less frameworks (and Django relies on some conventions to do its magic).

>One thing that keeps me from investigating Flask further is that Django seems to be way more popular:

Both Django and Flask are way more popular than what you're doing (writing everything yourself. By the way, does it mean you write your own HTTP server too?), so I don't know why that stops you. Flask is not going anywhere.

>Me and other devs maintain this repo which shows how to get from a fresh Debian install to a running web app via different frameworks:

Interesting project, thanks for sharing! But that's a bit random - what was your intention when linking it? Also, I can't help but notice that the Flask example there has three third-party dependencies other than Flask (flask-sqlalchemy, flask-login and wtforms). Since you like rolling your own solutions, maybe you would prefer Flask without such libraries? (I personally don't use flask-login and wtforms, and only sometimes use flask-sqlalchemy - I usually use standard sqlalchemy, my custom ORM, or just write SQL directly for simpler projects.)

I don't mind so much about the LOC of a framework. If there is stuff in there that I don't use and that does not get in the way of me doing things, that's not that much of a problem.

As for Flask not going anywhere - well, all projects go down the drain at some point. Just 10 years ago, the Zend framework was more popular than Django and Flask combined:

https://trends.google.com/trends/explore?date=all&q=django%2...

Good point about the dependencies of the Flask version. I did not write it.

If you'd like to write a pull request which gets rid of flask-sqlalchemy and replaces it with pure SQL, I would love to see that.