Broadsheet

This post is a set of my observations on the current war in Iran and my thoughts on the broader strategic implications. I am not, of course, an expert on the region nor do I have access to any special information, so I am going to treat that all with a high degree of uncertainty. But I am a scholar of military history with a fair bit of training and experience in thinking about strategic problems, ancient and modern; it is this ‘guy that analyzes strategy’ focus that I want to bring to this.

I am doing this post outside of the normal Friday order because it is an unusual topic and I want to keep making it clear that even as world events continue to happen – as they must – I do not want this blog to turn into a politics newsletter. I simply haven’t had the time to polish and condense these thoughts for other publication – the hard work of much writing is turning 3,500 words (or 7,500, as it turns out) of thoughts into 1,500 words of a think piece – but I need to get them out of my head and on to the page before it burns out of the back of my head. That said, this post is going to be unavoidably ‘political,’ because as a citizen of the United States, commenting on the war means making a statement about the President who unilaterally and illegally launched it without much public debate and without consulting Congress.

And this war is dumb as hell.

I am going to spend the next however many words working through what I think are the strategic implications of where we are, but that is my broad thesis: for the United States this war was an unwise gamble on extremely long odds; the gamble (that the regime would collapse swiftly) has already failed and as a result locked in essentially nothing but negative outcomes. Even with the regime were to collapse in the coming weeks or suddenly sue for peace, every likely outcome leaves the United States in a meaningfully worse strategic position than when it started.

Now, before we go forward, I want to clarify a few things. First, none of this is a defense of the Iranian regime, which is odious. That said, there are many odious regimes in the world and we do not go to war with all of them. Second, this is a post fundamentally about American strategy or the lack thereof and thus not a post about Israeli strategy. For what it is worth, my view is that Benjamin Netanyahu has is playing an extremely short game because it benefits him politically and personally to do so and there is a significant (but by no means certain) chance that Israel will come to regret the decision to encourage this war. I’ll touch on some of that, but it isn’t my focus. Likewise, this is not a post about the strategy of the Gulf states, who – as is often the sad fate of small states – find their fate largely in the hands of larger powers. Finally, we should keep in mind that this isn’t an academic exercise: many, many people will suffer because of these decisions, both as victims of the violence in the region but also as a consequent of the economic ripples.

But that’s enough introduction. What I want to discuss here is first the extremely unwise gamble that the administration took and then the trap that it now finds itself in, from which there is no comfortable escape.

The Situation

We need to start by establishing some basic facts about Iran, as a country.

First, Iran is a large country. It has a population just over 90 million (somewhat more than Germany, about the same as Turkey), and a land area over more than 600,000 square miles (more than four times the size of Germany). Put another way Iran is more than twice as large as Texas, with roughly three times the population.

More relevantly for us, Iran is 3.5 times larger than Iraq and roughly twice the population. That’s a handy comparison because we know what it took to invade and then hold Iraq: coalition forces peaked at half a million deployed personnel during the invasion. Iran is bigger in every way and so would demand a larger army and thus an absolutely enormous investment of troops, money and fundamentally lives in order to subdue.

Via Wikipedia, a map of Iran. This is a **very big country**. It also has a lot of very challenging terrain: lots of very arid areas, lots of high mountains and plateaus. It is a hard country to invade and a harder country to occupy.

In practice, given that Iran did not and never has posed an existential threat to the United States (Iran aspires to be the kind of nuclear threat North Korea is and can only vaguely dream of being the kind of conventional threat that Russia is), that meant that a ground invasion of Iran was functionally impossible. While the United States had the raw resources to do it, the political will simply wasn’t there and was unlikely to ever be there.

Equally important, Iran was not a major strategic priority. This is something that in a lot of American policy discourse – especially but not exclusively on the right – gets lost because Iran is an ‘enemy’ (and to be clear, the Iranian regime is an enemy; they attack American interests and Americans regularly) and everyone likes to posture against the enemy. But the Middle East is a region composed primarily of poor, strategically unimportant countries. Please understand me: the people in these countries are not important, but as a matter of national strategy, some places are more important than others. Chad is not an area of vital security interest to the United States, whereas Taiwan (which makes our semiconductors) is and we all know it.

Neither is the Middle East. The entire region has exactly two strategic concerns of note: the Suez Canal (and connected Red Sea shipping system) and the oil production in the Persian Gulf and the shipping system used to export it. So long as these two arteries remained open the region does not matter very much to the United States. None of the region’s powers are more than regional powers (and mostly unimpressive ones at that), none of them can project power out of the region and none of them are the sort of dynamic, growing economies likely to do so in the future. The rich oil monarchies are too small in terms of population and the populous countries too poor.

In short then, Iran is very big and not very important, which means it would both be very expensive to do anything truly permanent about the Iranian regime and at the same time it would be impossible to sell that expense to the American people as being required or justified or necessary. So successive American presidents responded accordingly: they tried to keep a ‘lid’ on Iran at the lowest possible cost. The eventual triumph of this approach was the flawed but useful JCPOA (the ‘Iran deal’) in which Iran in exchange for sanctions relief swore off the pursuit of nuclear weapons (with inspections to verify), nuclear proliferation representing the main serious threat Iran could pose. So long as Iran remained non-nuclear, it could be contained and the threat to American interests, while not zero, could be kept minimal.

That deal was not perfect, I must stress: it essentially gave Iran carte blanche to reinforce its network of proxies across the region, which was robustly bad for Israel and mildly bad for the United States, but since the alternative was – as we’ll see – global economic disruption and the prospect of a large-scale war which would always be far more expensive than the alternatives, it was perhaps the best deal that could have been had. For what it is worth, my own view is that the Obama administration ‘overpaid’ for the concessions of the Iran deal, but the payment having been made, they were worth keeping. Trump scrapped them in 2017 in exchange for exactly nothing, which put us on the course for this outcome (as more than a few people pointed out at the time).

But that was the situation: Iran was big and hostile, but relatively unimportant. The United States is much stronger than Iran, but relatively uninterested in the region apart from the uninterrupted flow of natural gas, oil and other products from the Gulf (note: the one thing this war compromised – the war with Iran has cut off the only thing in this region of strategic importance, compromised the only thing that mattered at the outset), whereas Iran was wholly interested in the region because it lives there. The whole thing was the kind of uncomfortable frontier arrangement powerful states have always had to make because they have many security concerns, whereas regional powers have fewer, more intense focuses.

Which leads us to

The Gamble

The current war is best understood as the product of a fairly extreme gamble, although it is unclear to me if the current administration understood they were throwing the dice in June of 2025 rather than this year. As we’re going to see, this was not a super-well-planned-out affair.

The gamble was this: that the Iranian regime was weak enough that a solid blow, delivered primarily from the air, picking off key leaders, could cause it to collapse. For the United States, the hope seems to have been that a transition could then be managed to leaders perhaps associated with the regime but who would be significantly more pliant, along the lines of the regime change operation performed in Venezuela that put Delcy Rodriguez in power. By contrast, Israel seems to have been content to simply collapse the Iranian regime and replace it with nothing. That outcome would be – as we’ll see – robustly bad for a huge range of regional and global actors, including the United States, and it is not at all clear to me that the current administration understood how deeply their interests and Israel’s diverged here.

In any case, this gamble was never very likely to pay off for reasons we have actually already discussed. The Islamic Republic of Iran is not a personalist regime where the death of a single leader or even a group of leaders is likely to cause collapse: it is an institutional regime where the core centers of power (like the Iran Revolutionary Guards Corps or IRGC) are ‘bought in’ from the bottom to the top because the regime allows them access to disproportionate resources and power. Consequently if you blow up the leader, they will simply pick another one – in this case they picked the previous leader’s son, so the net effect of the regime change effort was to replace Supreme Leader Khamenei with Supreme Leader Khamenei…Jr.

But power in the Iranian regime isn’t wielded by the Supreme Leader alone either: the guardian council has power, the council of experts that select the Supreme Leader have power, the IRGC has power, the regular military has some power (but less than the IRGC), the elected government has some power (but less than the IRGC or the guardian council) and on and on. These sorts of governments can collapse, but not often. It certainly did not help that the United States had stood idle while the regime slaughtered tens of thousands of its opponents, before making the attempt, but I honestly do not think the attempt would have worked before.

The gamble here was that because the regime would simply collapse on cue, the United States could remove Iran’s regional threat without having to commit to a major military operation that might span weeks, disrupt global energy supplies, expand over the region, cost $200 billion dollars and potentially require ground operations. Because everyone knew that result was worse than the status quo and it would thus be really foolish to do that.

As you can tell, I think this was a bad gamble: it was very unlikely to succeed but instead always very likely to result in a significantly worse strategic situation for the United States, but only after it killed thousands of people unnecessarily. If you do a war where thousands of people die and billions of dollars are spent only to end up back where you started that is losing; if you end up worse than where you started, well, that is worse.

The problem is that once the gamble was made, once the dice were cast, the Trump administration would be effectively giving up control over much of what followed.

And if administration statements are to be believed, that decision was made, without knowing it, in June of last year. Administration officials, most notably Marco Rubio, have claimed that the decision was made to attempt this regime change gamble in part because they were aware that Israel was about to launch a series of decapitation strikes and they assessed – correctly, I suspect – that the ‘blowback’ would hit American assets (and energy production) in the region even if the United States did nothing. Essentially, Iran would assume that the United States was ‘in’ on the attack.

That is notable because Iran did not assume that immediately during the Twelve-Day War in 2025. Indeed, Iran did not treat the United States as a real co-belligerent even as American aircraft were actively intercepting Iranian missiles aimed at Israel. And then the United States executed a ‘bolt from the blue’ surprise attack on Iran’s nuclear facilities on June 22, 2025, catching Iran (which had been attempting to negotiate with the United States) by surprise.

The problem with that strike is that attacking in that way, at that time, meant that Iran would have to read any future attacks by Israel as likely also involving attacks by the United States. Remember, the fellow getting bombed does not get to carefully inspect the flag painted on the bomber: stuff blows up and to some degree the party being attacked has to rapidly guess who is attacking them. We’ve seen this play out repeatedly over the last several weeks where things explode in Iran and there is initially confusion over if the United States or Israel bombed them. But in the confusion of an initial air attack, Iran’s own retaliatory capability could not sit idle, waiting to be destroyed by overwhelming US airpower: it is a ‘wasting’ use-it-or-lose-it asset.

So Iran would now have to assume that an Israeli air attack was also likely an American air attack. It was hardly an insane assumption – evidently according to the Secretary of State, American intelligence made the exact same assessment.

But the result was that by bombing the Iranian nuclear facilities in June of 2025, the Trump administration created a situation where merely by launching a renewed air campaign on Iran, Israel could force the United States into a war with Iran at any time.

It should go without saying that creating the conditions where the sometimes unpredictable junior partner in a security relationship can unilaterally bring the senior partner into a major conflict is an enormous strategic error, precisely because it means you end up in a war when it is in the junior partner’s interests to do so even if it is not in the senior partner’s interests to do so.

Which is the case here. Because…

The Trap

Once started, a major regional war with Iran was always likely to be something of a ‘trap,’ – not in the sense of an ambush laid by Iran – but in the sense of a situation that, once entered, cannot be easily left or reversed.

The trap, of course, is the Strait of Hormuz and the broader Persian Gulf. The issue is that an enormous proportion of the world’s shipping, particularly energy (oil, liquid natural gas) and fertilizer components (urea) passes through this body of water. The Gulf is narrow along its whole length, extremely narrow in the Strait and bordered by Iran on its northern shore along its entire length. Iran can thus threaten the whole thing and can do so with cheap, easy to conceal, easy to manufacture systems.

And the scale here is significant. 25% of the world’s oil (refined and crude), 20% of its liquid natural gas and around 20% of the world’s fertilizer passes through the Strait of Hormuz which links the Persian Gulf to the Indian Ocean. Any of those figures would be enough for a major disruption to trigger huge economic ripples. And even worse there are only very limited, very insufficient alternative transport options. Some Saudi oil (about half) can move via pipeline to the Red Sea and some Emirati oil can move via pipeline to Fujairah outside of the Strait, but well over half of the oil and effectively all of the natural gas and fertilizer ingredients are trapped if ships cannot navigate the strait safely.

And here we come back to what Clausewitz calls the political object (drink!). Even something like a 50% reduction in shipping in the Gulf, were it to persist long term, would create strong global economic headwinds which would in turn arrive in the United States in the form of high energy prices and a general ‘supply shock’ that has, historically at least, not been politically survivable for the party in power.

And so that is the trap. While the United States can exchange tit-for-tat strikes with Iran without triggering an escalation spiral, once you try to collapse the regime, the members of the regime (who are making the decisions, not, alas, the Iranian people) have no reason to back down and indeed must try to reestablish deterrence. These are men who are almost certainly dead or poor-in-exile if the regime collapses. Moreover the entire raison d’être of this regime is resistance to Israel and the United States: passively accepting a massive decapitation attack and not responding would fatally undermine the regime’s legitimacy with its own supporters, leading right back to the ‘dead-or-poor-and-exiled’ problem.

Iran would have to respond and thus would have to try to find a way to inflict ‘pain’ on the United States to force the United States to back off. But whereas Israel is in reach of some Iranian weapons, the United States is not. Iran would thus need a ‘lever’ closer to home which could inflict costs on the United States. For – and I must stress this – for forty years everyone has known this was the strait. This is not a new discovery, we did this before in the 1980s. “If the regime is threatened, Iran will try to close the strait to exert pressure” is perhaps one of the most established strategic considerations in the region. We all knew this.

But the trap here is two sided: once the strait was effectively closed, the United States could not back off out of the war without suffering its own costs. Doing so, for one, would be an admission of defeat, politically damaging at home. Strategically, it would affirm Iran’s control over the strait, which would be a significantly worse outcome than not having done the war in the first place. And simply backing off might not fully return shipping flows: why should Iran care if the Gulf states can export their oil? An Iran that fully controls the strait, that had demonstrated it could exclude the United States might intentionally throttle everyone else’s oil – even just a bit – to get higher prices for its own or to exert leverage.

So once the strait was closed, the United States could not leave until it was reopened, or at least there was some prospect of doing so.

The result is a fairly classic escalation trap: once the conflict starts, it is extremely costly for either side to ever back down, which ensures that the conflict continues long past it being in the interests of either party. Every day this war goes on make both the United States and Iran weaker, poorer and less secure but it is very hard for either side to back down because there are huge costs connected to being the party that backs down. So both sides ‘escalate to de-escalate’ (this phrase is generally as foolish as it sounds), intensifying the conflict in an effort to hit hard enough to force the other guy to blink first. But since neither party can back down unilaterally and survive politically, there’s practically no amount of pain that can force them to do so.

Under these conditions, both sides might seek a purely military solution: remove the ability of your opponent to do harm in order to create the space to declare victory and deescalate. Such solutions are elusive. Iran simply has no real way of meaningfully diminishing American offensive power: they cannot strike the airfields, sink the carriers or reliably shoot down the planes (they have, as of this writing, managed to damage just one aircraft).

For the United States, a purely military solution is notionally possible: you could invade. But as noted, Iran is very, very big and has a large population, so a full-scale invasion would be an enormous undertaking, larger than any US military operation since the Second World War. Needless to say, the political will for this does not exist. But a ‘targeted’ ground operation against Iran’s ability to interdict the strait is also hard to concieve. Since Iran could launch underwater drones or one-way aerial attack drones from anywhere along the northern shore the United States would have to occupy many thousands of square miles to prevent this and of course then the ground troops doing that occupying would simply become the target for drones, mortars, artillery, IEDs and so on instead.

One can never know how well prepared an enemy is for something, but assuming the Iranians are even a little bit prepared for ground operations, any American force deployed on Iranian soil would end up eating Shahed and FPV drones – the sort we’ve seen in Ukraine – all day, every day.

Meanwhile escort operations in the strait itself are also deeply unpromising. For one, it would require many more ships, because the normal traffic through the strait is so large and because escorts would be required throughout the entire Gulf (unlike the Red Sea crisis, where the ‘zone’ of Houthi attacks was contained to only the southern part of the Red Sea). But the other problem is that Iran possesses modern anti-ship missiles (AShMs) in significant quantity and American escort ships (almost certainly Arleigh Burke-class destroyers) would be vulnerable escorting slow tankers in the constrained waters of the strait.

It isn’t even hard to imagine what the attack would look like: essentially a larger, more complex version of the attack that sunk the Moskva, to account for the Arleigh Burke’s better air defense. Iran would pick their moment (probably not the first transit) and try to distract the Burke, perhaps with a volley of cheap Shahed-type drones against a natural gas tanker, before attempting to ambush the Burke with a volley of AShMs, probably from the opposite direction. The aim would be to create just enough confusion that one AShM slipped through, which is all it might take to leave a $2.2bn destroyer with three hundred American service members on board disabled and vulnerable in the strait. Throw in speed-boats, underwater drones, naval mines, fishing boats pretending to be threats and so on to maximize confusion and the odds that one of perhaps half a dozen AShMs slips through.

And if I can reason this out, Iran – which has been planning for this exact thing for forty years certainly can. Which is why the navy is not eager to run escort.

But without escorts or an end to the conflict, shipping in the Gulf is not going to return to normal. Container ships are big and hard to sink but easy to damage. But while crude oil tankers are hard to set fire to, tankers carrying refined petroleum products are quite easy to set fire to, as we’ve seen, while tankers of liquid natural gas (LNG carriers) are essentially floating bombs.

The result is that right now it seems that the only ships moving through the strait are those Iran permits and they appear to have a checkpoint system, turning away ships they do not approve of. A military solution this problem is concievable, but extremely difficult to implement practically, requiring either a massive invasion of Iran’s coastline or an enormous sea escort operation. It seems more likely in both cases that the stoppage will continue until Iran decides it should stop. The good news on that front is that Iran benefits from the export of oil from the Gulf too, but the bad news is that while they are permitting some traffic, precisely because high energy prices are their only lever to make the United States and Israel stop killing them, they are unlikely to approve the transit of the kinds of numbers of ships which would allow energy markets to stabilize.

Just as a measure here, as I write this apparently over the last three days or so Iran has let some twenty ships through their checkpoint, charging fees apparently to do so. That may sound like a lot, but it is a quantity that, compared to the normal operation of the strait, is indistinguishable from zero. The Strait of Hormuz normally sees around 120 transits per day (including both directions). That scale should both explain why five or six ships a day paying Iran to transit is not going to really impact this equation – that’s still something like a 95% reduction in traffic (and all of the Iran-approved transits are outbound, I think) – but also why a solution like ‘just do escorts’ is so hard. Whatever navies attempted an escort solution would need to escort a hundred ships a day, with every ship being vulnerable at every moment from when it entered the Strait to when it docked for loading or offloading to its entire departure route. All along the entire Gulf coastline. All the time.

Likewise, even extremely punishing bombings of Iranian land-based facilities are unlikely to wholly remove their ability to throw enough threat into the Strait that traffic remains massively reduced. Sure some ship owners will pay Iran and others will take the risk, but if traffic remains down 90% or just 50% that is still a massive, global energy disruption. And we’ve seen with the campaign against the Houthis just how hard it is with airstrikes to compromise these capabilities: the United States spent more than a year hammering the Houthis and was never able to fully remove their attack capabilities. Cargo ships are too vulnerable and the weapons with which to attack them too cheap and too easy to hide.

There is a very real risk that this conflict will end with Iran as the de facto master of the Strait of Hormuz and the Persian Gulf, having demonstrated that no one can stop them from determining by force which ships pass and which ships cannot. That would, in fact, be a significant strategic victory for Iran and an enormous strategic defeat for the United States.

Peace Negotiations?

Which brings us to the question of strategic outcomes. As the above has made clear, I think the Trump administration erred spectacularly in starting this war. It appears as though, in part pressured by Israel, but mostly based on their own decisions (motivated, it sure seems, by the ease of the Venezuela regime-change) they decided to go ahead on the hopeful assumption the regime would collapse and as a result did not plan for the most likely outcome (large war, strait closure), despite this being the scenario that political leadership (Trump, Hegseth, Rubio) were warned was most likely.

The administration now appears to be trying to extricate itself from the problem has created, but as I write this, is currently still stuck in the ‘trap’ above. Now this is a fast moving topic, so by the time you actually read this the war well could have ended in a ceasefire (permanent or temporary) or intensified and expanded. Who knows! As I am writing the Trump administration claims that they are very near a negotiated ceasefire, while the Iranian regime claims they have rejected both of the United States’ interlocutors as unsuitable (‘backstabbing’ negotiators), while reporting suggests Israel may feel it in their interests to blow up any deal if the terms are too favorable to Iran.

That is a lot of uncertainty! But I think we can look at some outcomes here both in terms of what was militarily achieved, what the consequences of a ‘deal’ might be and what the consequences of not having a deal might be.

The Trump administration has offered a bewildering range of proposed objectives for this war, but I think it is fair to say the major strategic objectives have not been achieved. Initially, the stated objective was regime change or at least regime collapse; neither has occurred. The regime very much still survives and if the war ends soon it seems very plausible that the regime – able to say that it fought the United States and made the American president sue for peace – will emerge stronger, domestically (albeit with a lot of damage to fix and many political problems that are currently ‘on pause’ coming ‘un-paused’). The other core American strategic interest here is Iran’s nuclear program, the core of which is Iran’s supply of roughly 500kg of highly enriched uranium; no effort appears to have been made to recover or destroy this material and it remains in Iranian hands. Actually destroying (dispersing, really) or seizing this material by military force would be an extremely difficult operation with a very high risk of failure, since the HEU is underground buried in facilities (mostly Isfahan) in the center of the country. Any sort of special forces operation would thus run the risk of being surrounded and outnumbered very fast, even with ample air support, while trying to extract half a ton of uranium stored in gas form in heavy storage cylinders.

When the United States did this in Kazakhstan, removing about 600kg (so roughly the same amount) it required the team to spend 12 hours a day every day for a month to remove it, using multiple heavy cargo planes. And that facility was neither defended, nor buried under rubble.

Subsequently, administration aims seem to have retreated mostly to ‘fixing the mess we made:’ getting Iran to stop shooting and getting the Strait of Hormuz reopened and the ships moving again. They do seem to be asking for quite a bit more at the peace table, but the record of countries winning big concessions at the peace table which they not only haven’t secured militarily but do not appear able to do so is pretty slim.

Now it is possible that Iran blinks and takes a deal sooner rather than later. But I don’t think it is likely. And the simple reason is that Iran probably feels like it needs to reestablish deterrence. This is the second sudden bombing campaign the country has suffered in as many years – they do not want there to be a third next year and a fourth the year after that. But promises not to bomb them don’t mean a whole lot: establishing deterrence here means inflicting quite a lot of pain. In practice, if Iran wants future presidents not to repeat this war, the precedent they want to set is “attacking Iran is a presidency-ending mistake.” And to do that, well, they need to end a presidency or at least make clear they could have done.

Iran is thus going to very much want a deal that says ‘America blinked’ on the tin, which probably means at least some remaining nuclear program, a de facto Iranian veto on traffic in the strait and significant sanctions relief, along with formal paper promises of no more air strikes. That’s going to be a hard negotiating position to bridge, especially because Iran can ‘tough it out’ through quite a lot of bombing.

And I do want to stress that. There is a frequent mistake, often from folks who deal in economics, to assume that countries will give up on wars when the economics turn bad. But countries are often very willing to throw good money after bad even on distant wars of choice. For wars close to home that are viewed as existential? Well, the ‘turnip winter‘ where Germans started eating food previous thought fit only for animals (a result of the British blockade) began in 1916. The war did not end in 1916. It did not end in 1917. It did not end until November, 1918. Food deprivation and starvation in Germany was real and significant and painful for years before the country considered surrender. Just because the war is painful for Iran does not mean the regime will cave quickly: so long as they believe the survival of the regime is at stake, they will fight on.

There is a great deal of ruin in a nation.

Strategic Implications

So my conclusion here is that the United States has not yet achieved very much in this war on a strategic level. Oh, tactically, the United States has blown up an awful lot of stuff and done so with very minimal casualties of its own. But countries do not go to war simply to have a war – well, stupid fascist countries do, which is part of why they tend to be quite bad at war – they go to war to achieve specific goals and end-states.

None of the major goals here – regime change, an end to Iran’s nuclear ambitions – have been achieved. If the war ends tomorrow in a ‘white peace,’ Iran will reconstitute its military and proxies and continue its nuclear program. It is in fact possible to display astounding military skill and yet, due to strategic incoherence, not accomplish anything.

So the true, strategic gains here for all of the tactical effectiveness displayed, are functionally nil. Well what did it cost?

Well, first and foremost, to date the lives of 13 American soldiers (290 more WIA), 24 Israelis (thousands more injured), at least a thousand civilian deaths across ‘neutral’ countries (Lebanon mostly, but deaths in Kuwait, Iraq, Qatar, Bahrain, Saudi Arabia, etc) and probably at least a thousand if not more Iranian civilians (plus Iranian military losses). The cost of operations for the United States is reportedly one to two billion dollars a day, which adds up pretty quickly to a decent chunk of change.

All of the military resources spent in this war are in turn not available for other, more important theaters, most obviously the Asia-Pacific (INDOPACOM), but of course equally a lot of these munitions could have been doing work in Ukraine as well. As wars tend to do, this one continues to suck in assets as it rumbles on, so the American commitment is growing, not shrinking. And on top of spent things like munitions and fuel, the strain on ships, air frames and service personnel is also a substantial cost: it turns out keeping a carrier almost constantly running from one self-inflicted crisis to the next for ten months is a bad idea.

You could argue these costs would be worthwhile it they resulted in the destruction of Iran’s nuclear program – again, the key element here is the HEU, which has not been destroyed – or of the Iranian regime. But neither of those things have been achieved on the battlefield, so this is a long ledger of costs set against…no gains. Again, it is not a ‘gain’ in war simply to bloody your enemy: you are supposed to achieve something in doing so.

The next side of this are the economic consequences. Oil and natural gas have risen in price dramatically, but if you are just watching the commodity ticker on the Wall Street Journal, you may be missing some things. When folks talk about oil prices, they generally do so via either $/bbl (West Texas Intermediate – WTI – one-month front-month futures) or BRN00 (Brent Crude Oil Continuous Contracts). These are futures contracts, meaning the price being set is not for a barrel of oil right now but for a barrel of oil in the future; we can elide the sticky differences between these two price sets and just note that generally the figure you see is for delivery in more-or-less one month’s time. Those prices have risen dramatically (close to doubled), but may not reflect the full economic impact here: as the ‘air bubble’ created by the sudden stop of oil shipments expands, physical here-right-now prices for oil are much higher in many parts of the world and still rising.

Essentially, the futures markets are still hedging on the idea that this war might end and normal trade might resume pretty soon, a position encouraged by the current administration, which claims it has been negotiating with Iran (Iran denied the claim). The tricky thing here is that this is a war between two governments – the Trump administration and the Iranian regime – which both have a clear record of lying a lot. The Trump administration has, for instance, repeatedly claimed a peace deal between Ukraine and Russia was imminent, and that war remains ongoing. The markets are thus forced to try and guess everyone’s actions and intentions from statements that are unreliable. Cards on the table, I think the markets are underestimating the likelihood that this conflict continues for some time. Notably, the United States is moving assets into theater – an MEU, elements of the 82 Airborne – which will take some time to arrive (two weeks for the MEU which is still about a week out as I write this) and set up for operations.

In either case, while I am not an expert on oil extraction or shipping, what I have seen folks who are experts on those things say is that the return of normal operations after this war will be very slow, often on the order of ‘every extra week of conflict adds a month to recovery’ (which was Sal Mercogliano’s rule of thumb in a recent video). If the war ends instantly, right now, ship owners will first have to determine that the strait is safe, then ships will have to arrive and begin loading to create space in storage to start up refineries to create space in storage to start up oil wells that have been ‘shut in,’ some of which may require quite a bit of doing to restart. Those ships in turn have to spend weeks sailing to the places that need these products, where some of the oil and LNG is likely to be used to refill stockpiles rather than immediately going out to consumers. For many products, refineries and production at the point of sale – fertilizer plants, for instance – will also need to be restarted. Factory restarts can be pretty involved tasks.

This recovery period doesn’t just get pushed out by 24 hours each day it gets longer as more production is forced to shut down or is damaged in the fighting. As I write this, futures markets for the WTI seem to be expecting oil prices to remain elevated (above $70 or so) well into 2028.

Meanwhile, disruption of fertilizer production, which relies heavily on natural gas products, has the potential to raise food prices globally. Higher global food prices – and food prices have already been elevated by the impact of the War in Ukraine – are pretty strongly associated with political instability in less developed countries. After all, a 25% increase in the price of food in a rich country is annoying – you have to eat more cheaper foods (buy more ramen, etc.). But in a poor country it means people go hungry because they cannot afford food and hungry, desperate people do hungry, desperate things. A spike in food prices was one of the core causes of the 2010 Arab Spring which led in turn to the Syrian Civil War, the refugee crisis of which significantly altered the political landscape of Europe.

Via Wikipedia, a chart of the food price index, with the spikes on either side of 2010 clearly visible; they are thought to have contributed to the intense political instability of those years (alongside the financial crisis).

I am not saying this will happen – the equally big spike in food prices from the Ukraine War has not touched off a wave of revolutions – but that it increases the likelihood of chaotic, dynamic, unsettled political events.

But it does seem very clear that this war has created a set of global economic headwinds which will have negative repercussions for many countries, including the United States. The war has not, as of yet, made Americans any safer – but it has made them poorer.

Then there are the political implications. I think most folks understand that this war was a misfire for the United States, but I suspect it may end up being a terrible misfire for Israel as well. Israeli security and economic prosperity both depend to a significant degree on the US-Israeli security partnership and this war seems to be one more step in a process that very evidently imperils that partnership. Suspicion of Israel – which, let us be honest, often descends into rank, bigoted antisemitism, but it is also possible to critique Israel, a country with policies, without being antisemitic – is now openly discussed in both parties. More concerning is polling suggesting that not only is Israel underwater with the American public, but more Americans sympathize with Palestinians than Israelis for the first time in American history.

Again, predictions are hard, especially about the future, but it certainly seems like there is an open door to a future where this war is the final nail in the coffin of the American-Israeli security partnership, as it becomes impossible to sustain in the wake of curdling American public opinion. That would be a strategic catastrophe for Israel if it happened. On the security side, with Israel has an independent nuclear deterrent and some impressive domestic military-industrial production the country is not capable of designing and manufacturing the full range of high-end hardware that it relies on to remain militarily competitive despite its size. There’s a reason Israel flies F-35s. But a future president might well cut off spare parts and maintainers for those F-35s, refuse to sell new ones, refuse to sell armaments for them, and otherwise make it very difficult for Israel to acquire superior weapons compared to its regional rivals.

Economic coercion is equally dangerous: Israel is a small, substantially trade dependent country and its largest trading partner is the United States, followed by the European Union. But this trade dependency is not symmetrical: the USA and EU are hugely important players in Israel’s economy but Israel is a trivial player in the US and EU economies. Absent American diplomatic support then, the threat of economic sanctions is quite dire: Israel is meaningfully exposed and the sanctions would be very low cost for the ‘Status Quo Coalition’ (assuming the United States remains a member) to inflict under a future president.

A war in which Israel cripples Iran in 2026 but finds itself wholly diplomatically isolated in 2029 is a truly pyrrhic victory. As Thucydides might put it, an outcome like that would be an “example for the world to meditate upon.” That outcome is by no means guaranteed, but every day the war grinds on and becomes less popular in the United States, it becomes more likely.

But the United States is likewise going to bear diplomatic costs here. Right now the Gulf States have to shelter against Iranian attack but when the dust settles they – and many other countries – will remember that the United States unilaterally initiated by surprise a war of choice which set off severe global economic headwinds and uncertainty. Coming hot on the heels of the continuing drama around tariffs, the takeaway in many places may well be ‘Uncle Sam wants you to be poor,’ which is quite a damaging thing for diplomacy. And as President Trump was finding out when he called for help in the Strait of Hormuz and got told ‘no’ by all of our traditional allies, it is in fact no fun at all to be diplomatically isolated, no matter how powerful you are.

Of course the war, while quickly becoming an expensive, self-inflicted wound for the United States has also been disastrous for Iran. I said this at the top but I’ll say it again: the Iranian regime is odious. You will note also I have not called this war ‘unprovoked’ – the Iranian regime has been provoking the United States and Israel via its proxies almost non-stop for decades. That said, it is the Iranian people who will suffer the most from this war and they had no choice in the matter. They tried to reject this regime earlier this year and many were killed for it. But I think it is fair to say this war has been a tragedy for the Iranian people and a catastrophe for the Iranian regime.

And you may then ask, here at the end: if I am saying that Iran is being hammered, that they are suffering huge costs, how can I also be suggesting that the United States is on some level losing?

And the answer is simple: it is not possible for two sides to both win a war. But it is absolutely possible for both sides to lose; mutual ruin is an option. Every actor involved in this war – the United States, Iran, arguably Israel, the Gulf states, the rest of the energy-using world – is on net poorer, more vulnerable, more resource-precarious as a result.

In short, please understand this entire 7,000+ word post as one primal scream issued into the avoid at the careless, unnecessary folly of the decision to launch an ill-considered war without considering the obvious, nearly inevitable negative outcomes which would occur unless the initial strikes somehow managed to pull the inside straight-flush. They did not and now we are all living trapped in the consequences.

Maybe the war will be over tomorrow. The consequences will last a lot longer.

Way back in 2005, lots of people (ordinary people, not just people who work in tech) used to have personal blogs where they wrote about things, rather than using third-party short-form social media sites. I was one of those people (though I wasn’t yet blogging on this specific site, which launched the following year). And back in 2005, and even earlier, people liked to have comment sections on their blogs where readers could leave their thoughts on posts. And that was an absolute magnet for spam.

There were a few attempts to do something about this. One of them was Akismet, which launched that year and provided a web service you could send a comment (or other user-generated-content) submission to, and get back a classification of spam or not-spam. It turned out to be moderately popular, and is still around today.

The folks behind Akismet also documented their API and set up an API key system so people could write their own clients/plugins for various programming languages and blog engines and content-management systems. And so pretty quickly after the debut of the Akismet service, Michael Foord, who the Python community, and the world, tragically lost at the beginning of 2025, wrote and published a Python library, which he appropriately called akismet, that acted as an API client for it.

He published a total of five releases of his Python Akismet library over the next few years, and people started using it. Including me, because I had several use cases for spam filtering as a service. And for a while, things were good. But then Python 3 was released, and people started getting serious about migrating to it, and Michael, who had been promoted into the Python core team, didn’t have a ton of time to work on it. So I met up with him at a conference in 2015, and offered to maintain the Akismet library, and he graciously accepted the offer, imported a copy of his working tree into a GitHub repository for me, and gave me access to publish new packages.

In the process of porting the code to support both Python 2 and 3 (as was the fashion at the time), I did some rewriting and refactoring, mostly focused on simplifying the configuration process and the internals. Some configuration mechanisms were deprecated in favor of either explicitly passing in the appropriate values, or else using the 12-factor approach of storing configuration in environment variables, and the internal HTTP request stack, based entirely on the somewhat-cumbersome (at that time) Python standard library, was replaced with a dependency on requests. The result was akismet 1.0, published in 2017.

Over the next six years, I periodically pushed out small releases of akismet, mostly focused on keeping up with upstream Python version support (and finally going Python-3-only, in 2020 when Python 2.7 reached its end of upstream support). But beginning in 2024, I embarked on a more ambitious project which spanned multiple releases and turned into a complete rewrite of akismet which finished a few months ago. So today I’d like to talk about why I chose to do that, how the process went, and what it produced.

Why?

Although I’m not generally a believer in the concept of software projects being “done” and thus no longer needing active work (in the same sense as “a person isn’t really dead as long as their name is still spoken”, I believe a piece of software isn’t really “done” as long as it has at least one user), a major rewrite is still something that needs a justification. In the case of akismet, there were two specific things I wanted to accomplish that led me to this point.

One was support for a specific feature of the Akismet API. The akismet Python client’s implementation of the most important API method—the one that tells you whether Akismet thinks content is spam, called comment-check—had, since the very first version, always returned a bool. Which at first sight makes sense, because the Akismet web service’s response body for that endpoint is plain text and is either the string true (Akismet thinks the content is spam) or the string false (Akismet thinks it isn’t spam). Except actually Akismet supports a third option: “blatant” spam, meaning Akismet is so confident in its determination that it thinks you can throw away the content without further review (while a normal “spam” determination might still need a human to look at it and double-check). It signals this by returning the true text response and also setting a custom HTTP response header (X-Akismet-Pro-Tip: discard). But the akismet Python client couldn’t usefully expose this, since the original API design of the client chose to have this method return a two-value bool instead of some other type that could handle a three-value situation. And any attempt to fix it would necessarily change the return type, which would be a breaking change.

The other big motivating factor for a rewrite was the rise of asynchronous Python via async and await, originally introduced in Python 3.5. The async Python ecosystem has grown tremendously, and I wanted to have a version of akismet that could support async/non-blocking HTTP requests to the Akismet web service.

Keep it classy?

The first thing I did was spend a bit of time exploring whether I could replace the entire class-based design of the library. Since the very first version back in 2005, the akismet library had always provided its client as a class (named Akismet) with one method for each supported Akismet HTTP API method. But it’s always worth asking if a class is actually the right abstraction. Very often it’s not! And while Python is an object-oriented language and allows you to write classes, it doesn’t require you to write them. So I spent a little while sketching out a purely function-based API.

One immediate issue with this was how to handle the API credentials. Akismet requires you to obtain an API key and to register one or more sites which will use that API key, and most Akismet web API operations require that both the API key and the current site be sent with the request. There’s also a verify-key API operation which lets you submit a key and site and tells you if they’re valid; if you don’t use this, and accidentally start trying to use the rest of the Akismet API with an invalid key and/or site, the other Akismet API operations send back responses with a body of invalid.

As noted above, the 1.0 release already nudged users of akismet in the direction of putting config in the environment, so reading the key and site from env variables was already well-supported. But some people probably can’t, or won’t want to, use environment variables for configuration. For example: they might have multiple sets of Akismet credentials in a multi-tenant application, and need to explicitly pass different sets of credentials depending on which site they’re performing checks for. So in any function-based interface, all the functions would not only need to be able to read configuration from the environment (which at least could be factored out into a helper function), they’d also need to explicitly accept credentials as optional arguments. That complicates the argument signatures (which are already somewhat gnarly because of all the optional information you can provide to Akismet to help with spam determinations), and makes the API start to look cumbersome.

This was a clue that the function-based approach was probably not the right one: if a bunch of functions all have to accept extra arguments for a common piece of data they all need, it’s a sign that they may really want to be a class which just has the necessary data available internally.

The other big sticking point was how to handle credential verification. It requires an HTTP request/response to Akismet, so ideally you’d do this once (per set of credentials per process). Say, if you’re using Akismet in a web application, you’d want to check your credentials at process startup, and then just treat them as known-good for the lifetime of the process after that. Which is what the the existing class-based code did: it performed a verify-key on instantiation and then could re-use the verified credentials after that point (or raise an immediate exception if the credentials were missing or invalid). I really like the ergonomics of that, since it makes it much more difficult to create an Akismet client in an invalid/misconfigured state, but it basically requires some sort of shared state. Even if the API key and site URL are read from the environment or passed as arguments every time, there needs to be some sort of additional information kept by the client code to indicate they’ve been validated.

It still would be possible to do this in a function-based interface. It could implicitly verify each new key/site pair on first use, and either keep a full list of ones that had been verified or maybe some sort of LRU cache of them. Or there could be an explicit function for introducing a new key/site pair and verifying them. But the end result of that is a secretly-stateful module full of functions that rely on (and in some cases act on) the state; at that point the case for it being a class is pretty overwhelming.

As an aside, I find that spending a bit of time thinking about, or perhaps even writing sample documentation for, how to use a hypothetical API often uncovers issues like this one. Also, for a lot of people it’s seemingly a lot easier, psychologically, to throw away documentation than to throw away even barely-working code.

One class or two?

Another idea that I rejected pretty quickly was trying to stick to a single Akismet client class. There is a trend of libraries and frameworks providing both sync and async code paths in the same class, often using a naming scheme which prefixes the async versions of the methods with an a (like method_name() for the sync version and amethod_name() for async), but it wasn’t really compatible with what I wanted to do. As mentioned above, I liked the ergonomics of having the client automatically validate your API key and site URL, but doing that in a single class supporting both sync and async has a problem: which code path to use to perform the automatic credential validation? Users who want async wouldn’t be happy about a synchronous/blocking request being automatically issued. And trying to choose the async path by default would introduce issues of how to safely obtain a running event loop (and not just any event loop, but an instance of the particular event loop implementation the end user of the library actually wants).

So I made the decision to have two client classes, one sync and one async. As a nice bonus, this meant I could do all the work of rewriting in new classes with new names. That would let me mark the old Akismet class as deprecated but not have to immediately remove it or break its API, giving users of akismet plenty of notice of what was going on and a chance to migrate to the new clients. So I started working on the new client classes, calling them akismet.SyncClient and akismet.AsyncClient to be as boringly clear as possible about what they’re for.

How to handle async, part one

Unfortunately, the two-class solution didn’t fully solve the issue of how to handle the automatic credential validation. On the old Akismet client class it had been easy, and on the new SyncClient class it would still be easy, because the __init__() method could perform a verify-key operation before returning, and raise an exception if the credentials weren’t found or were invalid.

But in Python, __init__() cannot be (usefully) async, which posed the tricky question of how to perform automatic credential validation at instantiation time for AsyncClient.

As I dug into this I considered a few different options, and at one point even thought about going back to the one-class approach just to be able to issue a single HTTP request at instantiation without needing an event loop. But I wanted AsyncClient to be truly and thoroughly async, so I ended up settling for a compromise solution, implemented in two phases:

Both SyncClient and AsyncClient were given an alternate constructor method named validated_client(). Alternate constructors can be usefully async, so the AsyncClient version could be implemented as an async method. I documented that if you’re directly constructing a client instance you intend to keep around for a while, this is the preferred constructor since it will perform automatic credential validation for you (direct instantiation via __init__() will not, on either class). And then…
I implemented the context-manager protocol for SyncClient and the async context-manager protocol for AsyncClient. This allows constructing the sync client in a with statement, or an async with statement for AsyncClient. And since async with is an async execution context, it can issue an async HTTP request for credential validation.

So you can get automatic credential validation from either approach, depending on your needs:

import akismet


# Long-lived client object you'll keep around:
sync_client = akismet.SyncClient.validated_client()
async_client = await akismet.AsyncClient.validated_client()

# Or for the duration of a "with" block, cleaned up at exit:
with akismet.SyncClient() as sync_client:
    # Do things...

async with akismet.AsyncClient() as async_client:
    # Do things...

Most Python libraries can benefit from these sorts of conveniences, so I’d recommend investing time into learning how to implement them. If you’re looking for ideas, Lynn Root’s “The Design of Everyday APIs” covers a lot of ways to make your own code easier to use.

How to handle async, part deux

The other thing about writing code that supports both sync and async operations is how to handle the things they have in common. There are a few different ways to do this: you can write one implementation and have the other one call it. Or you can write two full implementations and live with the duplication. Or you can try to separate the I/O and the pure logic as much as possible, and reuse the logic while duplicating only the I/O code (or, since the two implementations aren’t perfect duplicates, writing two I/O implementations which heavily rhyme).

For akismet, I went with a hybrid of the last two of these approaches. I started out with my two classes each fully implementing everything they needed, including a lot of duplicate code between them (in fact, the first draft was just one class which was then copy/pasted and async-ified to produce the other). Then I gradually extracted the non-I/O bits into a common module they could both import from and use, building up a library of helpers for things like validating arguments, preparing requests, processing the responses, and so on.

One final object-oriented design decision here (or, I guess, not object-oriented decision): that common code is a set of functions in a module. It’s not a class. It’s not stateful the way the clients themselves are: turning an Akismet web API response into the desired Python return value, or validating a set of arguments and turning them into the correct request parameters (to pick a couple examples) are literally pure functions, whose outputs are dependent solely on their inputs.

And the common code also isn’t some sort of abstract base class that the two concrete clients would inherit from. An akismet.SyncClient and an akismet.AsyncClient are not two different subtypes of a parent “Akismet client” class or interface! Because of the different calling conventions of sync and async Python, there is no public parent interface that they share or could be substitutable for.

The current code of akismet still has some duplication, primarily around error handling since the try/except blocks need to wrap the correct version of their respective I/O operations, and I might be able to achieve some further refactoring to reduce that to the absolute minimum (for example, by splitting out a bunch of duplicated except clauses into a single common pattern-matching implementation now that Python 3.10 is the minimum supported version). But I’m not in a big hurry to do that; the current code is, I think, in a pretty reasonable state.

Enumerating the options

As I mentioned back at the start of this post, the akismet library historically used a Python bool to indicate the result of a spam-checking operation: either the content was spam (True) or it wasn’t (False). Which makes a lot of sense at first glance, and also matches the way the Akismet web service behaves: for content it thinks is spam, the HTTP response has a body consisting of the string true, and for content that it doesn’t think is spam the response body is the string false.

But for many years now, the Akismet web service has actually supported three possible values, with the third option being “blatant” spam, spam so obvious that it can simply be thrown away with no further human review. Akismet signals this by returning the true response body, and then adding a custom HTTP header to the response: X-Akismet-Pro-Tip, with a value of discard.

Python has had support for enums (via the enum module in the standard library) since Python 3.4, so that seemed the most natural way to represent the possible results. The enum module lets you use lots of different data types for enum values, but I went with an integer-valued enum (enum.IntEnum) for this, because it lets developers still work with the result as a pseudo-boolean type if they don’t care about the extra information from the third option (since in Python 0 is false and all other integers are true).

Python historical trivia

Originally, Python did not have a built-in boolean type, and the typical convention was similar to C, using the integers 0 and 1 to indicate false/true.

Python phased in a real boolean type early in the Python 2 days. First, the Python 2.2 release series (technically, Python 2.2.1) assigned the built-in names False and True to the integer values 0 and 1, and introduced a built-in bool() function which returned the integer truth value of its argument. Then in Python 2.3, the bool type was formally introduced, and was implemented as a subclass of int, constrained to have only two instances. Those instances are bound to the names False and True and have the integer values 0 and 1.

That’s how Python’s bool still works today: it’s still a subclass of int, and so you can use a bool anywhere an int is called for, and do arithmetic with booleans if you really want to, though this isn’t really useful except for writing deliberately-obfuscated code.

For more details on the history and decision process behind Python’s bool type, check out PEP 285 and this blog post from Guido van Rossum.

The only tricky thing here was how to name the third enum member. The first two were HAM and SPAM to match the way Akismet describes them. The third value is described as “blatant spam” in some documentation, but is represented by the string “discard” in responses, so BLATANT_SPAM and DISCARD both seemed like reasonable options. I ended up choosing DISCARD; it probably doesn’t matter much, but I like having the name match the actual value of the response header.

The enum itself is named CheckResponse since it represents the response values of the spam-checking operation (Akismet actually calls it comment-check because that’s what its original name was, despite the fact Akismet now supports sending other types of content besides comments).

Bring your own HTTP client

Back when I put together the 1.0 release, akismet adopted the requests library as a dependency, which greatly simplified the process of issuing HTTP requests to the Akismet web API. As part of the more recent rewrite, I switched instead to the Python HTTPX library, which has an API broadly compatible with requests but also, importantly, provides both sync and async implementations.

Async httpx requires the use of a client object (the equivalent of a requests.Session), so the Akismet client classes each internally construct the appropriate type of httpx object: httpx.Client for akismet.SyncClient, and httpx.AsyncClient for akismet.AsyncClient.

And since the internal usage was switching from directly calling the function-based API of requests to using HTTP client objects, it seemed like a good idea to also allow passing in your own HTTP client object in the constructors of the Akismet client classes. These are annotated as httpx.Client/httpx.AsyncClient, but as a practical matter anything with a compatible API will work.

One immediate benefit of this is it’s easier to accommodate situations like HTTP proxies, and server environments where all outbound HTTP requests must go through a particular proxy. You can just create the appropriate type of HTTP client object with the correct proxy settings, and pass it to the constructor of the Akismet client class:

import akismet
import httpx

from your_app.config import settings

akismet_client = akismet.SyncClient.validated_client(
    http_client=httpx.Client(
        proxy=settings.PROXY_URL,
        headers={"User-Agent": akismet.USER_AGENT}
    )
)

But an even bigger benefit came a little bit later on, when I started working on improvements to akismet‘s testing story.

Testing should be easy

Right here, right now, I’m not going to get into a deep debate about how to define “unit” versus “integration” tests or which types you should be writing. I’ll just say that historically, libraries which make HTTP requests have been some of my least favorite code to test, whether as the author of the library or as a user of it verifying my usage. Far too often this ends up with fragile piles of patched-in mock objects to try to avoid the slowdowns (and other potential side effects and even dangers) of making real requests to a live, remote service during a test run.

I do think some fully end-to-end tests making real requests are necessary and valuable, but they probably should not be used as part of the main test suite that you run every time you’re making changes in local development.

Fortunately, httpx offers a feature that I wrote about a few years ago, which greatly simplifies both akismet‘s own test suite, and your ability to test your usage of it: swappable HTTP transports which you can drop in to affect HTTP client behavior, including a MockTransport that doesn’t make real requests but lets you programmatically supply responses.

So akismet ships with two testing variants of its API clients: akismet.TestSyncClient and akismet.TestAsyncClient. They’re subclasses of the real ones, but they use the ability to swap out HTTP clients (covered above) to plug in custom HTTP clients with MockTransport and hard-coded stock responses. This lets you write code like:

import akismet


class AlwaysSpam(akismet.TestSyncClient):
    comment_check_response = akismet.CheckResponse.SPAM

and then use it in tests. That test client above will never issue a real HTTP request, and will always label any content you check with it as spam. You can also set the attribute verify_key_response to False on a test client to have it always fail API key verification, if you want to test your handling of that situation.

This means you can test your use of akismet without having to build piles of custom mocks and patch them in to the right places. You can just drop in instances of appropriately-configured test clients, and rely on their behavior.

If I ever became King of Programming, with the ability to issue enforceable decrees, requiring every network-interacting library to provide this kind of testing-friendly version of its core constructs would be among them. But since I don’t have that power, I do what I can by providing it in my own libraries.

(py)Testing should be easy

In the Python ecosystem there are two major testing frameworks:

The unittest module in the Python standard library, which is a direct port to Python of the xUnit style of test frameworks seen in many other languages (including xUnit style naming conventions, which don’t match typical Python naming conventions).
The third-party pytest framework, which aims to be a more natively “Pythonic” testing framework and encourages function- rather than class-based tests and heavy use of dependency injection (which it calls fixtures).

For a long time I stuck to unittest, or unittest-derived testing tools like the ones that ship with Django. Although I understand and appreciate the particular separation of concerns pytest is going for, I found its fixture system a bit too magical for my taste; I personally prefer dependency injection to use explicit registration so I can know what’s available, versus the implicit way pytest discovers fixtures based on their presence or absence in particularly-named locations.

But pytest pretty consistently shows up as more popular and more broadly used in surveys of the Python community, and every place I’ve worked for the last decade or so has used it. So I decided to port akismet’s tests to pytest, and in the process decided to write a pytest plugin to help users of akismet with their own tests.

That meant writing a pytest plugin to automatically provide a set of dependency-injection fixtures. There are four fixtures: two sync and two async, with each flavor getting a fixture to provide a client class object (which lets you test instantiation-time behavior like API key verification failures), and a fixture to provide an already-constructed client object. Configuration is through a custom pytest mark called akismet_client, which accepts arguments specifying the desired behavior. For example:

import akismet
import pytest

@pytest.mark.akismet_client(comment_check_response=akismet.CheckResponse.DISCARD)
def test_akismet_discard_response(akismet_sync_client: akismet.SyncClient):
    # Inside this test, akismet_sync_client's comment_check() will always
    # return DISCARD.

@pytest.mark.akismet_client(verify_key_response=False)
def test_akismet_fails_key_verification(akismet_sync_class: type[akismet.SyncClient]):
    # API key verification will always fail on this class.
    with pytest.raises(akismet.APIKeyError):
        akismet_sync_class.validated_client()

Odds and ends

Python has had the ability to add annotations to function and method signatures since 3.0, and more recently gained the ability to annotate attributes as well; originally, no specific use case was mandated for this feature, but everybody used it for type hints, so now that’s the official use case for annotations. I’ve had a lot of concerns about the way type hinting and type checking have been implemented for Python, largely around the fact that idiomatic Python really wants to be a structurally-typed language, or as some people have called it “interfacely-typed”, rather than nominally-typed. Which is to say: in Python you almost never care about the actual exact type name of something, you care about the interfaces (nowadays, called “protocols” in Python typing-speak) it implements. So you don’t care whether something is precisely an instance of list, you care about it being iterable or indexable or whatever.

On top of which, some design choices made in the development of type-hinted Python have made it (as I understand it) impossible to distribute a single-file module with type hints and have type checkers actually pick them up. Which was a problem for akismet, because traditionally it was a single-file module, installing a file named akismet.py containing all its code.

But as part of the rewrite I was reorganizing akismet into multiple files, so that objection no longer held, and eventually I went ahead and began running mypy as a type checker as part of the CI suite for akismet. The type annotations had been added earlier, because I find them useful as inline documentation even if I’m not running a type checker (and the Sphinx documentation tool, which all my projects use, will automatically extract them to document argument signatures for you). I did have to make some changes to work around mypy, though It didn’t find any bugs, but did uncover a few things that were written in ways it couldn’t handle, and maybe I’ll write about those in more detail another time.

As part of splitting akismet up into multiple files, I also went with an approach I’ve used on a few other projects, of prefixing most file names with an underscore (i.e., the async client is defined in a file named _async_client.py, not async_client.py). By convention, this marks the files in question as “private”, and though Python doesn’t enforce that, many common Python linters will flag it. The things that are meant to be supported public API are exported via the __all__ declaration of the akismet package.

I also switched the version numbering scheme to Calendar Versioning. I don’t generally trust version schemes that try to encode information about API stability or breaking changes into the version number, but a date-based version number at least tells you how old something is and gives you a general idea of whether it’s still being actively maintained.

There are also a few dev-only changes:  * Local dev environment management and packaging are handled by PDM and its package-build backend. Of the current crop of clean-sheet modern Python packaging tools, PDM is my personal favorite, so it’s what my personal projects are using. * I added a Makefile which can execute a lot of common developer tasks, including setting up the local dev environment with proper dependencies, and running the full CI suite or subsets of its checks. * As mentioned above, the test suite moved from unittest to pytest, using AnyIO’s plugin for supporting async tests in pytest. There’s a lot of use of pytest parametrization to generate test cases, so the number of test cases grew a lot, but it’s still pretty fast—around half a second for each Python version being tested, on my laptop. The full CI suite, testing every supported Python version and running a bunch of linters and packaging checks, takes around 30 seconds on my laptop, and about a minute and a half on GitHub CI.

That’s it (for now)

In October of last year I released akismet 25.10.0 (and then 25.10.1 to fix a documentation error, because there’s always something wrong with a big release), which completed the rewrite process by finally removing the old Akismet client class. At this point I think akismet is feature-complete unless the Akismet web service itself changes, so although there were more frequent releases over a period of about a year and a half as I did the rewrite, it’s likely the cadence will settle down now to one a year (to handle supporting new Python versions as they come out) unless someone finds a bug.

Overall, I think the rewrite was an interesting process, because it was pretty drastic (I believe it touched literally every pre-existing line of code, and added a lot of new code), but also… not that drastic? If you were previously using akismet with your configuration in environment variables (as recommended), I think the only change you’d need to make is rewriting imports from akismet.Akismet to akismet.SyncClient. The mechanism for manually passing in configuration changed, but I believe that and the new client class names were the only actual breaking changes in the entire rewrite; everything else was adding features/functionality or reworking the internals in ways that didn’t affect public API.

I had hoped to write this up sooner, but I’ve struggled with this post for a while now, because I still have trouble with the fact that Michael’s gone, and every time I sat down to write I was reminded of that. It’s heartbreaking to know I’ll never run into him at a conference again. I’ll miss chatting with him. I’ll miss his energy. I’m thankful for all he gave to the Python community over many years, and I wish I could tell him that one more time. And though it’s a small thing, I hope I’ve managed to honor his work and to repay some of his kindness and his trust in me by being a good steward of his package. I have no idea whether Akismet the service will still be around in another 20 years, or whether I’ll still be around or writing code or maintaining this Python package in that case, but I’d like to think I’ve done my part to make sure it’s on sound footing to last that long, or longer.