So, extensions.gnome.org is written as a Django application. And in particular it's written against Django-1.3, which is the issue here. It's not very hard for us to build a local version of Django and put it in the gnome package repositories, but this brings up issues.
Compatibility
=============

We have (I think) three current apps using Django:

tomboy-online.org (snowy): Runs on Django-1.2.6 on RHEL6; the code has also been tested on Django-1.3 and works.

shell-perf.gnome.org: small, unimportant, currently running on Django-1.2.6 on webapps.gnome.org; could presumably be ported to Django-1.3 without problem.

l10n.gnome.org (damned-lies): runs on progress.gnome.org, which is not part of the main gnome.org cluster and runs Ubuntu 10.4 LTS with Django-1.1.2.

As well as a Django version of Mango in development, but not yet deployed.

Security
========

My main concern with a locally-built version of Django is that we need to rebuild it when security issues are found in Django, and we're just not set up to do that. (*)

Django definitely does have security updates - in the last 2 years, there seem to be:

https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/
https://www.djangoproject.com/weblog/2011/feb/08/security/
https://www.djangoproject.com/weblog/2010/dec/22/security/
https://www.djangoproject.com/weblog/2010/sep/08/security-release/

The impact of these is a little hard to evaluate - the typical thing seems to be an XSS or CSRF vulnerability that is exploitable with some configurations and applications, but not with others. But it's not too hard to imagine that a more generic XSS/CSRF vulnerability might show up.

Conclusion
==========

The safest thing seems to be to just downgrade the e.g.o code to Django 1.2, where we'll inherit security updates from EPEL; it's going to be a few days of unpleasant work, but shouldn't be fundamentally hard. But if people have ideas about how we can switch to Django 1.3, that would definitely be interesting.

- Owen

(*) What I'd like to see is us having a monitoring framework that was flexible enough for us to plug in things like checking the Django web feeds, and then to have a single curated status page for the most critical items, like this or keeping our SSL certs current.
Pretty blue-sky.

_______________________________________________
gnome-infrastructure mailing list
http://mail.gnome.org/mailman/listinfo/gnome-infrastructure
