From: ngraves--- via "Development of GNU Guix and the GNU System distribution."
Reply-to: ngraves@ngraves.fr
To: Maxim Cournoyer, Luis Felipe
Cc: guix-devel@gnu.org
Subject: Re: Adding Django 4.2 LTS
Date: Mon, 31 Jul 2023 17:25:23 +0200
Message-ID: <87mszc85ng.fsf@ngraves.fr>
In-Reply-To: <87v8e0rfon.fsf@gmail.com>
References: <8087a7ce-d17d-3005-f548-4562576aa82d@zoho.com> <87v8e0rfon.fsf@gmail.com>

On 2023-07-30 22:13, Maxim Cournoyer wrote:

> Hi,
>
> Luis Felipe writes:
>
>> Hi,
>>
>> I've been using Django 4.2.2 from my personal Guix channel for a
>> couple of days and it seems to work alright, so I'd like to send a
>> patch to include it in Guix, although I have some questions first.

Hi! I've already submitted a patch series updating django to 4.2.2. It's
in 55476, but I don't have feedback from the python team.

>>
>> 1. python-asgiref >= 3.6.0 and < 4 is a requirement for Django 4.2 LTS
>> series, there is a patch for it already
>> (https://issues.guix.gnu.org/61543), it builds, doesn't appear to have
>> known vulnerabilities and Django 4.2.2 works with it. Would it be okay
>> to add it to Guix until someone else packages the latest version
>> (3.7.2, but it currently fails to build for me: sanity-check
>> DistributionNotFound or something)?
>
> This usually means one of the inputs of the package doesn't have a
> compatible version. Please check which one it is (the Python error
> message should contain that information).
>
>> 2. "guix lint python-django@4.2.2" says this version of Django might
>> be vulnerable to CVE-2023-31047 but reading the CVE description
>> version 4.2.2 doesn't seem to be affected. Is there anything I should
>> do regarding this warning?
>
> If you are absolutely sure about that you could add a 'lint-hidden-cve'
> property to the package definition.
>
>> 3. Guix currently distributes versions of Django that no longer
>> receive security updates or bug fixes. For example,
>> python-django@4.0.7, python-django@3.1.14, python-django@2.2.28 (see
>> https://www.djangoproject.com/download/). Should they be removed?
>
> They should be upgraded to the latest available version (the old
> versions shouldn't be kept around).

-- 
Best regards,
Nicolas Graves