[Python-modules-team] Bug#932960: python-django doesn't fix a CVE and drops Python 2 support at the same time

Paul Gevers elbrus at debian.org
Fri Jul 26 08:45:03 BST 2019


Hi Chris,

On 26-07-2019 04:03, Chris Lamb wrote:
> Hi Paul,
> 
>> it will take time before it does, as python-django can not migrate
>> before reverse dependencies are fixed or removed. The latter isn't very
>> nice for your reverse dependencies if you didn't give them proper
>> heads-up. The former isn't nice for the python-django users of testing.
> 
> Mmm and I see that now. As in, please be assured that I didn't
> override those feelings out of a lack of care or concern for the
> reverse dependencies and their maintainers; it merely didn't really
> occur to me, perhaps in a frenzy of post-Buster release motivation.

I try to always assume good faith :), so it's close to what I suspected
to be the case.

> What do you suggest going forward regarding this CVE, at least?

Either you want to have the CVE fix migrate to testing soon, in which
case the best way forward is to upload a 2:2.2.3+really1:1.11.22-1
package, wait until that migrates and then upload the current package as
2:2.2.3+reallynow-1 (or something like that). Or you trust that it can
wait until the time we allow for this transition (it sort of is one) to
have run out, we remove the un-migrated packages from testing and your
new package will migrate.

I prefer the former approach, but I can live with the latter, as Moritz
said fixing the CVE in testing could wait a bit. But for the latter
approach it's crucial to inform your reverse (test) dependencies and set
them a deadline. In either case, please file bugs at severity level
serious, which also means that the autoremoval counter starts ticking
for those packages, but still let them know of the deadline (something
like 4 or 6 weeks, what is reasonable?). Autoremovals are reset by
people pinging the bug; we don't want to let this happen indefinitely.

Paul
