[Python-modules-team] Bug#932960: python-django doesn't fix a CVE and drops Python 2 support at the same time

Moritz Mühlenhoff jmm at inutil.org
Thu Jul 25 21:21:14 BST 2019


On Thu, Jul 25, 2019 at 08:45:48PM +0200, Paul Gevers wrote:
> Control: tags -1 moreinfo
> 
> Hi Chris,
> 
> On 25-07-2019 18:51, Chris Lamb wrote:
> >> PS: I failed to spot bugs against (some of) those packages communicating
> >> the removal, I think that would be nice for those maintainers.
> > 
> > This might have been justifiably and fairly missed as it was discussed
> > quite some time, possibly years, ago. Not your fault, possibly ours…
> > However, as Brian mentions we do really have no option but to use the
> > 2.x branch of Django these days and, unfortunately, this means that
> > Python 2.x support is accordingly dropped.
> 
> It's OK to move on and it's very OK to do that at the beginning of a
> release cycle. However I expect you to coordinate this with your reverse
> dependencies and *I* didn't see that so far (but of course it's easy for
> me to miss stuff).
> 
> > The packages you list may thus need to be updated or removed. (I'm
> > afraid I haven't looked into the specifics...)
> 
> Sure. Contacting the maintainers, and they can help as well, I guess.
> 
> >> Your package is trying to fix a CVE
> > 
> > Can you elaborate? I'm a little distracted by DebConf stuff but I
> > can't seem to grok what you mean here specifically.
> 
> https://qa.debian.org/excuses.php?package=python-django says this upload
> will fix bug #931316 in testing. That bug is about CVE-2019-12781.
> Testing has not seen the fix yet, and due to the dropping of Python 2,
> it will take time before it does, as python-django can not migrate
> before reverse dependencies are fixed or removed. The latter isn't very
> nice for your reverse dependencies if you didn't give them proper
> heads-up. The former isn't nice for the python-django users of testing.

As mentioned on IRC, the scope of CVE-2019-12781 seems acceptable and there's
hardly a month which would be better? This seems like a fine tradeoff to me.

If there's something earth-shattering in 1.11, it would still be possible
to fix that one via a targeted 1.11 upload to testing, I assume?

Cheers,
         Moritz