From: ngraves--- via "Development of GNU Guix and the GNU System distribution." <guix-devel@gnu.org>
To: Maxim Cournoyer <maxim.cournoyer@gmail.com>,
Luis Felipe <sirgazil@zoho.com>
Cc: guix-devel@gnu.org
Subject: Re: Adding Django 4.2 LTS
Date: Mon, 31 Jul 2023 17:25:23 +0200 [thread overview]
Message-ID: <87mszc85ng.fsf@ngraves.fr> (raw)
In-Reply-To: <87v8e0rfon.fsf@gmail.com>
On 2023-07-30 22:13, Maxim Cournoyer wrote:
> Hi,
>
> Luis Felipe <sirgazil@zoho.com> writes:
>
>> Hi,
>>
>> I've been using Django 4.2.2 from my personal Guix channel for a
>> couple of days and it seems to work alright, so I'd like to send a
>> patch to include it in Guix, although I have some questions first.
Hi!
I've already submitted a patch series updating django to 4.2.2. It's in
55476, but I don't have feedback from the python team.
>>
>> 1. python-asgiref >= 3.6.0 and < 4 is a requirement for Django 4.2 LTS
>> series, there is a patch for it already
>> (https://issues.guix.gnu.org/61543), it builds, doesn't appear to have
>> known vulnerabilities and Django 4.2.2 works with it. Would it be okay
>> to add it to Guix until someone else packages the latest version
>> (3.7.2, but it currently fails to build for me: sanity-check
>> DistributionNotFound or something)?
>
> This usually means one of the inputs of the package doesn't have a
> compatible version. Please check which one it is (the Python error
> message should contain that information).
>
>> 2. "guix lint python-django@4.2.2" says this version of DJango might
>> be vulnerable to CVE-2023-31047 but reading the CVE description
>> version 4.2.2 doesn't seem to be affected. Is there anything I should
>> do regarding this warning?
>
> If you are absolutely sure about that you could add a 'lint-hidden-cve'
> property to the package definition.
>
>> 3. Guix currently distributes versions of Django that no longer
>> receive security updates or bug fixes. For example,
>> python-django@4.0.7, python-django@3.1.14, python-django@2.2.28 (see
>> https://www.djangoproject.com/download/). Should they be removed?
>
> They should be upgraded to the latest available version (the old
> versions shouldn't be kept around).
--
Best regards,
Nicolas Graves
prev parent reply other threads:[~2023-07-31 15:25 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-06-21 18:36 Adding Django 4.2 LTS Luis Felipe
2023-07-31 2:13 ` Maxim Cournoyer
2023-07-31 15:24 ` ngraves--- via Development of GNU Guix and the GNU System distribution.
2023-07-31 15:25 ` ngraves--- via Development of GNU Guix and the GNU System distribution. [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87mszc85ng.fsf@ngraves.fr \
--to=guix-devel@gnu.org \
--cc=maxim.cournoyer@gmail.com \
--cc=ngraves@ngraves.fr \
--cc=sirgazil@zoho.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).