Hi Chris,

> > Thanks for the update, much appreciated. So yes this means we will
> > have to defer updates to the later point releases (window for uploads
> > is closing this weekend).

Thanks for moving this forward!

> I finally have an update here locally, fixing 22 (!) CVEs in total. Three
> topics to raise at this point:
> 
> 1. bookworm's Django is currently based on Django 3.2.19. However, we make
>    some of the changes cleaner if we base this update on 3.2.25 instead,
>    as this version includes 4 or 5 CVEs fixed without explicit Debian patches;
>    changes that aren't the nicest to backport. Any objections to this
>    version bump? Alas, upstream won't be releasing any more 3.2.x updates.

That's perfectly fine. Let's follow upstream releases until they are end-of-life
and after the final release we do cherrypicks. We're doing the same for other
software as well (e.g. Wireshark or Samba).

> 2. In #1126461, Moritz replied that they would prefer to fix Django in
>    trixie via a DSA instead. Shall we do that for bookworm as well — i.e.
>    not a pu after all?

Yes, let's also fix this via a DSA.

> 3. My candidate version causes the same regression in the python-django-storages
>    testsuite previously observed. As Steve pointed out, though "there are
>    *already* changes in our version of django-storages that are clearly
>    expected to work with the fixes in django. But they're not." I am
>    investigating this.

Since you identified this, let's simply release a fixed version of python-django-storages
via bookworm-security alongside.

> 4. For completeness, my candidate version also causes some reverse-autopkgtest
>    failures in django-fsm-admin, django-markupfield, django-webpack-loader and
>    python-xapian-haystack (thanks, Debusine). However, these are not actually
>    regressions; the testsuite already/always fails for these packages. This
>    is mostly an FYI, but let me know if I need to do anything special for those.

Ok, noted!

> §
> 
> My current/candidate changelog entry is as follows:
> 
>   Source: python-django
>   Version: 3:3.2.25-1+deb12u1

Can you make that 3:3.2.25-0+deb12u1 please? And can you please send the full debdiff
for review or alternatively push it to the bookworm branch for a full review?

Cheers,
        Moritz
