Adding Django 4.2 LTS

Adding Django 4.2 LTS

[Luis Felipe]

[-- Attachment #1.1.1: Type: text/plain, Size: 1231 bytes --]

Hi,

I've been using Django 4.2.2 from my personal Guix channel for a couple 
of days and it seems to work alright, so I'd like to send a patch to 
include it in Guix, although I have some questions first.

1. python-asgiref >= 3.6.0 and < 4 is a requirement for Django 4.2 LTS 
series, there is a patch for it already 
(https://issues.guix.gnu.org/61543), it builds, doesn't appear to have 
known vulnerabilities and Django 4.2.2 works with it. Would it be okay 
to add it to Guix until someone else packages the latest version (3.7.2, 
but it currently fails to build for me: sanity-check 
DistributionNotFound or something)?

2. "guix lint python-django@4.2.2" says this version of DJango might be 
vulnerable to CVE-2023-31047 but reading the CVE description version 
4.2.2 doesn't seem to be affected. Is there anything I should do 
regarding this warning?

3. Guix currently distributes versions of Django that no longer receive 
security updates or bug fixes. For example, python-django@4.0.7, 
python-django@3.1.14, python-django@2.2.28 (see 
https://www.djangoproject.com/download/). Should they be removed?

Thanks in advance,

-- 
Luis Felipe López Acevedo
https://luis-felipe.gitlab.io/


[-- Attachment #1.1.2: OpenPGP public key --]
[-- Type: application/pgp-keys, Size: 2881 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 495 bytes --]

Re: Adding Django 4.2 LTS

[Maxim Cournoyer]

Hi,

Luis Felipe <sirgazil@zoho.com> writes:

> Hi,
>
> I've been using Django 4.2.2 from my personal Guix channel for a
> couple of days and it seems to work alright, so I'd like to send a
> patch to include it in Guix, although I have some questions first.
>
> 1. python-asgiref >= 3.6.0 and < 4 is a requirement for Django 4.2 LTS
> series, there is a patch for it already
> (https://issues.guix.gnu.org/61543), it builds, doesn't appear to have
> known vulnerabilities and Django 4.2.2 works with it. Would it be okay
> to add it to Guix until someone else packages the latest version
> (3.7.2, but it currently fails to build for me: sanity-check
> DistributionNotFound or something)?

This usually means one of the inputs of the package doesn't have a
compatible version.  Please check which one it is (the Python error
message should contain that information).

> 2. "guix lint python-django@4.2.2" says this version of DJango might
> be vulnerable to CVE-2023-31047 but reading the CVE description
> version 4.2.2 doesn't seem to be affected. Is there anything I should
> do regarding this warning?

If you are absolutely sure about that you could add a 'lint-hidden-cve'
property to the package definition.

> 3. Guix currently distributes versions of Django that no longer
> receive security updates or bug fixes. For example,
> python-django@4.0.7, python-django@3.1.14, python-django@2.2.28 (see
> https://www.djangoproject.com/download/). Should they be removed?

They should be upgraded to the latest available version (the old
versions shouldn't be kept around).

-- 
Thanks,
Maxim

Re: Adding Django 4.2 LTS

[ngraves--- via Development of GNU Guix and the GNU System distribution.]

On 2023-07-30 22:13, Maxim Cournoyer wrote:

> Hi,
>
> Luis Felipe <sirgazil@zoho.com> writes:
>
>> Hi,
>>
>> I've been using Django 4.2.2 from my personal Guix channel for a
>> couple of days and it seems to work alright, so I'd like to send a
>> patch to include it in Guix, although I have some questions first.

Hi!

I've already submitted a patch series updating django to 4.2.2. It's in
55476, but I don't have feedback from the python team. 

>>
>> 1. python-asgiref >= 3.6.0 and < 4 is a requirement for Django 4.2 LTS
>> series, there is a patch for it already
>> (https://issues.guix.gnu.org/61543), it builds, doesn't appear to have
>> known vulnerabilities and Django 4.2.2 works with it. Would it be okay
>> to add it to Guix until someone else packages the latest version
>> (3.7.2, but it currently fails to build for me: sanity-check
>> DistributionNotFound or something)?
>
> This usually means one of the inputs of the package doesn't have a
> compatible version.  Please check which one it is (the Python error
> message should contain that information).
>
>> 2. "guix lint python-django@4.2.2" says this version of DJango might
>> be vulnerable to CVE-2023-31047 but reading the CVE description
>> version 4.2.2 doesn't seem to be affected. Is there anything I should
>> do regarding this warning?
>
> If you are absolutely sure about that you could add a 'lint-hidden-cve'
> property to the package definition.
>
>> 3. Guix currently distributes versions of Django that no longer
>> receive security updates or bug fixes. For example,
>> python-django@4.0.7, python-django@3.1.14, python-django@2.2.28 (see
>> https://www.djangoproject.com/download/). Should they be removed?
>
> They should be upgraded to the latest available version (the old
> versions shouldn't be kept around).

-- 
Best regards,
Nicolas Graves

Re: Adding Django 4.2 LTS

[ngraves--- via Development of GNU Guix and the GNU System distribution.]

On 2023-07-30 22:13, Maxim Cournoyer wrote:

> Hi,
>
> Luis Felipe <sirgazil@zoho.com> writes:
>
>> Hi,
>>
>> I've been using Django 4.2.2 from my personal Guix channel for a
>> couple of days and it seems to work alright, so I'd like to send a
>> patch to include it in Guix, although I have some questions first.

Hi!

I've already submitted a patch series updating django to 4.2.2. It's in
55476, but I don't have feedback from the python team. 

>>
>> 1. python-asgiref >= 3.6.0 and < 4 is a requirement for Django 4.2 LTS
>> series, there is a patch for it already
>> (https://issues.guix.gnu.org/61543), it builds, doesn't appear to have
>> known vulnerabilities and Django 4.2.2 works with it. Would it be okay
>> to add it to Guix until someone else packages the latest version
>> (3.7.2, but it currently fails to build for me: sanity-check
>> DistributionNotFound or something)?
>
> This usually means one of the inputs of the package doesn't have a
> compatible version.  Please check which one it is (the Python error
> message should contain that information).
>
>> 2. "guix lint python-django@4.2.2" says this version of DJango might
>> be vulnerable to CVE-2023-31047 but reading the CVE description
>> version 4.2.2 doesn't seem to be affected. Is there anything I should
>> do regarding this warning?
>
> If you are absolutely sure about that you could add a 'lint-hidden-cve'
> property to the package definition.
>
>> 3. Guix currently distributes versions of Django that no longer
>> receive security updates or bug fixes. For example,
>> python-django@4.0.7, python-django@3.1.14, python-django@2.2.28 (see
>> https://www.djangoproject.com/download/). Should they be removed?
>
> They should be upgraded to the latest available version (the old
> versions shouldn't be kept around).

-- 
Best regards,
Nicolas Graves