[Python-modules-team] Bug#932960: python-django doesn't fix a CVE and drops Python 2 support at the same time

Luke Faraone lfaraone at debian.org
Thu Jul 25 21:14:30 BST 2019


On 25/07/2019 15:45, Paul Gevers wrote:
>> Can you elaborate? I'm a little distracted by DebConf stuff but I
>> can't seem to grok what you mean here specifically.
> 
> https://qa.debian.org/excuses.php?package=python-django says this upload
> will fix bug #931316 in testing. That bug is about CVE-2019-12781.
> Testing has not seen the fix yet, and due to the dropping of Python 2,
> it will take time before it does, as python-django can not migrate
> before reverse dependencies are fixed or removed.

That is just the excuses script's auto-generated output, I think you
might be reading too much into it. It is a true statement that when the
package makes it into testing, that bug will be fixed, unless I am
misunderstanding something.

The migration happened in a previous upload[1]:
 python-django (2:2.2.3-2) unstable; urgency=medium
   * Upload (Python 3.x-only) branch to unstable after the release of
     Debian "buster".
   * Update debian/gbp.conf to refer to debian/sid after merge.

… so we did not drop Python3 just for a security update, despite this
bug's title.

> The latter isn't very
> nice for your reverse dependencies if you didn't give them proper
> heads-up. The former isn't nice for the python-django users of testing.

I do recall the discussion Chris mentioned, although I admit I can't
find the thread at the moment. (I'm also a bit busy with DebConf.)

Note that testing is explicitly not recommended for those that care
about security support[2][3].

[1]:
https://tracker.debian.org/news/1042323/accepted-python-django-2223-2-source-all-into-unstable/
[2]: https://www.debian.org/security/faq#testing
[3]: https://wiki.debian.org/DebianTesting#Considerations

Cheers,
Luke Faraone
