[Python-modules-team] Bug#932960: python-django don't fix CVE and drop Python 2 support at the same time

Paul Gevers elbrus at debian.org
Thu Jul 25 08:20:32 BST 2019


Source: python-django
Control: found -1 python-django/2:2.2.3-5
Severity: important
User: debian-ci at lists.debian.org
Usertags: breaks
X-Debbugs-CC: debian-ci at lists.debian.org
Affects: django-maintenancemode django-restricted-resource
Affects: django-tables django-testscenarios factory-boy lava
Affects: python-django python-django-debug-toolbar python-django-mptt
Affects: python-sparkpost django-sekizai

Dear maintainers,

Your package is trying to fix a CVE, but at the same time dropping
Python 2 support. There is a multitude of packages that need updating
for that because they (test-) depend on python-django. I think it is
smart to revert the Python 2 removal and have the security fix migrate
to testing. I don't want to judge the severity of the CVE, but otherwise
I recommend removing python-django from testing until all the fall-out
has been fixed.

With a recent upload of python-django the autopkgtest of the packages in
Affects: fail in testing when that autopkgtest is run with the binary
packages of python-django from unstable. It passes when run with only
packages from testing.

Currently this regression is blocking the migration of python-django to
testing [1], but otherwise the second part of britney would have blocked
migration due to non-installability reasons.

Paul

PS: I failed to spot bugs against (some of) those packages communicating
the removal, I think that would be nice for those maintainers.
