[Python-modules-team] Bug#932960: python-django doesn't fix a CVE and drops Python 2 support at the same time

Paul Gevers elbrus at debian.org
Thu Jul 25 21:41:33 BST 2019


Hi Luke,

On 25-07-2019 22:14, Luke Faraone wrote:
> On 25/07/2019 15:45, Paul Gevers wrote:
> That is just the excuses script's auto-generated output, I think you
> might be reading too much into it. It is a true statement that when the
> package makes it into testing, that bug will be fixed, unless I am
> misunderstanding something.

No, it's not "just the excuses script" output. It shows all relevant
differences between unstable and testing.

> The migration happened in a previous upload[1]:
>  python-django (2:2.2.3-2) unstable; urgency=medium
>    * Upload (Python 3.x-only) branch to unstable after the release of
>      Debian "buster".
>    * Update debian/gbp.conf to refer to debian/sid after merge.
> 
> … so we did not drop Python3 just for a security update, despite this
> bug's title.

Yes, it's true that all this didn't happen in one upload, but there are
a whole lot of uploads of python-django that didn't make it into testing
yet, so this changelog is also relevant:

python-django (1:1.11.22-1) unstable; urgency=medium

  * New upstream security release.
    <https://www.djangoproject.com/weblog/2019/jul/01/security-releases/>
    (Closes: #931316)

 -- Chris Lamb <lamby at debian.org>  Mon, 01 Jul 2019 17:09:52 -0300

>> The latter isn't very
>> nice for your reverse dependencies if you didn't give them proper
>> heads-up. The former isn't nice for the python-django users of testing.

[...]

> Note that testing is explicitly not recommended for those that care
> about security support[2][3].

Yes, I know very well, but that doesn't mean we shouldn't try or care.

In this case I think the current situation could have been avoided by
letting 1:1.11.22-1 migrate before the upload of the version with the
Python 2 drop. Probably a day would have been enough.

As Moritz just noted, this CVE isn't particularly severe, so you can just
bite the bullet. But please inform your reverse dependencies ASAP, so
that everyone can start working on doing the required work. In my
opinion, reverting to the pre-2 version for a well-defined time to enable
others to do their work isn't so bad socially.

Paul
