[Python-modules-team] Bug#932960: python-django doesn't fix a CVE and drops Python 2 support at the same time

Paul Gevers elbrus at debian.org
Thu Jul 25 19:45:48 BST 2019


Control: tags -1 moreinfo

Hi Chris,

On 25-07-2019 18:51, Chris Lamb wrote:
>> PS: I failed to spot bugs against (some of) those packages communicating
>> the removal, I think that would be nice for those maintainers.
> 
> This might have been justifiably and fairly missed as it was discussed
> quite some time, possibly years, ago. Not your fault, possibly ours…
> However, as Brian mentions we do really have no option but to use the
> 2.x branch of Django these days and, unfortunately, this means that
> Python 2.x support is accordingly dropped.

It's OK to move on and it's very OK to do that at the beginning of a
release cycle. However I expect you to coordinate this with your reverse
dependencies and *I* didn't see that so far (but of course it's easy for
me to miss stuff).

> The packages you list may thus need to be updated or removed. (I'm
> afraid I haven't looked into the specifics...)

Sure. Contacting the maintainers, and they can help as well, I guess.

>> Your package is trying to fix a CVE
> 
> Can you elaborate? I'm a little distracted by DebConf stuff but I
> can't seem to grok what you mean here specifically.

https://qa.debian.org/excuses.php?package=python-django says this upload
will fix bug #931316 in testing. That bug is about CVE-2019-12781.
Testing has not seen the fix yet, and due to the dropping of Python 2,
it will take time before it does, as python-django cannot migrate
before reverse dependencies are fixed or removed. The latter isn't very
nice for your reverse dependencies if you didn't give them proper
heads-up. The former isn't nice for the python-django users of testing.

Paul
