On 2023-07-30 22:13, Maxim Cournoyer wrote: > Hi, > > Luis Felipe <sirga...@zoho.com> writes: > >> Hi, >> >> I've been using Django 4.2.2 from my personal Guix channel for a >> couple of days and it seems to work alright, so I'd like to send a >> patch to include it in Guix, although I have some questions first.
Hi! I've already submitted a patch series updating django to 4.2.2. It's in 55476, but I don't have feedback from the python team. >> >> 1. python-asgiref >= 3.6.0 and < 4 is a requirement for Django 4.2 LTS >> series, there is a patch for it already >> (https://issues.guix.gnu.org/61543), it builds, doesn't appear to have >> known vulnerabilities and Django 4.2.2 works with it. Would it be okay >> to add it to Guix until someone else packages the latest version >> (3.7.2, but it currently fails to build for me: sanity-check >> DistributionNotFound or something)? > > This usually means one of the inputs of the package doesn't have a > compatible version. Please check which one it is (the Python error > message should contain that information). > >> 2. "guix lint python-django@4.2.2" says this version of DJango might >> be vulnerable to CVE-2023-31047 but reading the CVE description >> version 4.2.2 doesn't seem to be affected. Is there anything I should >> do regarding this warning? > > If you are absolutely sure about that you could add a 'lint-hidden-cve' > property to the package definition. > >> 3. Guix currently distributes versions of Django that no longer >> receive security updates or bug fixes. For example, >> python-django@4.0.7, python-django@3.1.14, python-django@2.2.28 (see >> https://www.djangoproject.com/download/). Should they be removed? > > They should be upgraded to the latest available version (the old > versions shouldn't be kept around). -- Best regards, Nicolas Graves