Bug#932960: python-django doesn't fix a CVE and drops Python 2 support at the same time

2019-11-19 Thread Antonio Terceiro
Control: affects -1 - src:python-django-bootstrap-form
Control: affects -1 - src:python-semantic-version
Control: affects -1 - src:django-modeltranslation
Control: affects -1 - src:django-reversion
Control: affects -1 - src:python-aws-xray-sdk
Control: affects -1 - bcfg2-web

On Mon, 16 Sep 2019 22:18:36 +0200 Paul Gevers  wrote:
> Control: affects -1 src:python-django-bootstrap-form
> Control: affects -1 src:python-semantic-version
> Control: affects -1 src:django-modeltranslation
> Control: affects -1 src:django-reversion
> Control: affects -1 src:python-aws-xray-sdk
> Control: affects -1 bcfg2-web
> 
> Hi,
> 
> How is progress here? I failed to spot recent activity, but I may have
> missed it.
> 
> Paul
> 
> paul@testavoira ~ $ reverse-depends python-django -r testing -b
> Reverse-Build-Depends-Indep
> ===
> * python-django-bootstrap-form
> * python-semantic-version
> 
> Reverse-Build-Depends
> =
> * django-modeltranslation
> * django-picklefield
> * django-reversion
> * python-aws-xray-sdk
> 
> paul@testavoira ~ $ reverse-depends python-django -r testing
> Reverse-Depends
> ===
> * bcfg2-web
> * python-bootstrapform
> * python-django-modeltranslation
> * python-django-pagination
> * python-django-picklefield
> * python-django-reversion

I just double checked and all of the above (with the exception of
bcfg2-web which has been removed) now build fine in unstable. And:

~$ reverse-depends python-django -r testing
~$ reverse-depends python-django -r testing -b
No reverse dependencies found

I think we could let python-django migrate at this point.




Bug#932960: python-django doesn't fix a CVE and drops Python 2 support at the same time

2019-09-17 Thread Chris Lamb
Hi Paul,

> How is progress here? I failed to spot recent activity, but I may have
> missed it.

I'm not sure you've missed anything, at least from me -- I've not found
it possible to prioritise time on this, alas.


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org  chris-lamb.co.uk
   `-



Bug#932960: python-django doesn't fix a CVE and drops Python 2 support at the same time

2019-09-16 Thread Paul Gevers
Control: affects -1 src:python-django-bootstrap-form
Control: affects -1 src:python-semantic-version
Control: affects -1 src:django-modeltranslation
Control: affects -1 src:django-reversion
Control: affects -1 src:python-aws-xray-sdk
Control: affects -1 bcfg2-web

Hi,

How is progress here? I failed to spot recent activity, but I may have
missed it.

Paul

paul@testavoira ~ $ reverse-depends python-django -r testing -b
Reverse-Build-Depends-Indep
===
* python-django-bootstrap-form
* python-semantic-version

Reverse-Build-Depends
=
* django-modeltranslation
* django-picklefield
* django-reversion
* python-aws-xray-sdk

paul@testavoira ~ $ reverse-depends python-django -r testing
Reverse-Depends
===
* bcfg2-web
* python-bootstrapform
* python-django-modeltranslation
* python-django-pagination
* python-django-picklefield
* python-django-reversion

Packages without architectures listed are reverse-dependencies in:
amd64, arm64, armel, armhf, i386, mipsel, ppc64el, s390x





Bug#932960: python-django doesn't fix a CVE and drops Python 2 support at the same time

2019-08-31 Thread Paul Gevers
Hi,

On Fri, 02 Aug 2019 23:02:51 +0100 "Chris Lamb"  wrote:
> So, it looks like:
> 
> django-compat
> django-hijack
> django-ratelimit
> django-testscenarios
> grr
> python-aws-xray-sdk
> python-carrot
> python-django-bootstrap-form
> python-oauth2client
> python-semantic-version
> 
> … still Build-Depend or Build-Depend-Indep on python-django.
> 
> (Zigo, did you neglect python-oauth2client and python-semantic-version
> in your mass uploads recently?)

The list is going down steadily. Currently this is what I see as remaining:

paul@testavoira ~ $ reverse-depends -b python-django
Reverse-Build-Depends-Indep
===
* kombu
* python-django-bootstrap-form
* python-django-registration
* python-oauth2client
* python-semantic-version

Reverse-Build-Depends
=
* django-compat
* django-hijack
* django-modeltranslation
* django-nose
* django-picklefield
* django-prometheus
* django-ratelimit
* grr
* mini-buildd
* python-aws-xray-sdk

paul@testavoira ~ $ reverse-depends python-django
Reverse-Depends
===
* bcfg2-web
* djagios
* grr-server
* python-ajax-select
* python-bootstrapform
* python-django-app-plugins
* python-django-compat
* python-django-modeltranslation
* python-django-nose
* python-django-picklefield
* python-django-prometheus
* python-django-ratelimit
* python-django-registration
* python-django-rosetta
* python-django-threaded-multihost
* python-mini-buildd

Packages without architectures listed are reverse-dependencies in:
amd64, arm64, armel, armhf, i386, mipsel, ppc64el, s390x

And the lava autopkgtest failure, however src:lava is currently marked
for autoremoval on 7 September.

The dependencies are properly tracked by britney, I'll drop my block
when all the reverse build dependencies are fixed.

Paul





Bug#932960: python-django doesn't fix a CVE and drops Python 2 support at the same time

2019-08-02 Thread Chris Lamb
Hi Paul et al.,

> > Thanks again for your patience and understanding here, Paul.

So, it looks like:

django-compat
django-hijack
django-ratelimit
django-testscenarios
grr
python-aws-xray-sdk
python-carrot
python-django-bootstrap-form
python-oauth2client
python-semantic-version

… still Build-Depend or Build-Depend-Indep on python-django.

(Zigo, did you neglect python-oauth2client and python-semantic-version
in your mass uploads recently?)


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org  chris-lamb.co.uk
   `-



Bug#932960: python-django doesn't fix a CVE and drops Python 2 support at the same time

2019-07-26 Thread Paul Gevers
Hi,

On 26-07-2019 15:43, Chris Lamb wrote:
> Do you have a convenient script that will generate a list of these?

No, I don't.

> I
> can generate a list of regular reverse-dependencies but I fear I would
> be missing the test ones. Or: if someone could furnish me with such a
> list I will happily file the bugs in question.

But if you take the regular reverse-(build)-dependencies and the
packages that I marked as affected by this bug, you have all the ones
that need to be aware. The others didn't fail, so apparently aren't
affected.

> Thanks again for your patience and understanding here, Paul.

You're welcome.

Paul





Bug#932960: python-django doesn't fix a CVE and drops Python 2 support at the same time

2019-07-26 Thread Chris Lamb
Dear Paul,

> I try to always assume good faith :), so it's close to what I suspected
> to be the case.

… and to take this a level deeper, I also assumed you would assume
good faith as well. :)  I guess I was being explicit as a way of
clumsily segueing into my "frenzy of post-Buster release motivation"
excuse.

> Either the [..] best way forward is to upload a
> 2:2.2.3+really1:1.11.22-1 package [..] or trust that it can wait
> until the time we allow for this transition.

Indeed. Unfortunately, I have an instinctive gut reaction against the
former so I'm afraid I will have to disappoint you once again in this
area by falling back to the latter approach against your preference.

> for the latter approach it's crucial to inform your reverse (test)
> dependencies

Do you have a convenient script that will generate a list of these? I
can generate a list of regular reverse-dependencies but I fear I would
be missing the test ones. Or: if someone could furnish me with such a
list I will happily file the bugs in question.

Thanks again for your patience and understanding here, Paul.


Best wishes,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org  chris-lamb.co.uk
   `-



Bug#932960: python-django doesn't fix a CVE and drops Python 2 support at the same time

2019-07-26 Thread Paul Gevers
Hi Chris,

On 26-07-2019 04:03, Chris Lamb wrote:
> Hi Paul,
> 
>> it will take time before it does, as python-django can not migrate
>> before reverse dependencies are fixed or removed. The latter isn't very
>> nice for your reverse dependencies if you didn't give them proper
>> heads-up. The former isn't nice for the python-django users of testing.
> 
> Mmm and I see that now. As in, please be assured that I didn't
> override those feelings out of a lack of care or concern for the
> reverse dependencies and their maintainers; it merely didn't really
> occur to me, perhaps in a frenzy of post-Buster release motivation.

I try to always assume good faith :), so it's close to what I suspected
to be the case.

> What do you suggest going forward regarding this CVE, at least?

Either you want to have the CVE fix migrate to testing soon, then the
best way forward is to upload a 2:2.2.3+really1:1.11.22-1 package, wait
until that migrates and then upload the current package as
2:2.2.3+reallynow-1 (or something like that). Or you trust that it can
wait until the time we allow for this transition (it sort of is one) to
have run out, we remove the un-migrated packages from testing and your
new package will migrate.

I prefer the former approach, but I can live with the latter, as Moritz
said fixing the CVE in testing could wait a bit. But for the latter
approach it's crucial to inform your reverse (test) dependencies and set
them a deadline. In either case, please file bugs at severity level
serious, which also means that the autoremoval counter starts ticking
for those packages, but still let them know of the deadline (something
like 4 or 6 weeks, what is reasonable?). Autoremovals are reset by
people pinging the bug, we don't want to let this happen indefinitely.

Paul



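The "+really" plan proposed above only works if dpkg orders the interim package above the 2:2.2.3-2 already in unstable and below the follow-up that restores 2.2.3; otherwise the wrong build wins at install time. The following is an added example, not code from the bug thread or from the python-django packaging: it re-implements dpkg's version comparison (epoch, then upstream version, then Debian revision, comparing alternating non-digit and digit runs, with `~` sorting below even the end of a string) so the proposed sequence can be checked offline. The version strings are the ones named in the message; everything else is the comparison algorithm itself. Note that dpkg treats only the first colon as the epoch separator, so the embedded `1:` stays inside the upstream version and is compared as an ordinary character; check current Policy before relying on a colon there.

```python
"""Debian version ordering for the "+really" interim-upload plan.

Added example, not from the bug thread or python-django's packaging.  It
re-implements dpkg's comparison rules (epoch, then upstream version, then
Debian revision; alternating non-digit/digit runs; '~' sorts below the end
of a string) so the proposed upload sequence can be checked offline.
"""
from functools import cmp_to_key


def _order(c: str) -> int:
    """dpkg's weight for one character of a non-digit run."""
    if c.isdigit():          # a digit ends the non-digit run
        return 0
    if c == "~":             # '~' sorts before everything, even the end
        return -1
    if c == "":              # end of string
        return 0
    if c.isalpha():          # letters sort before other symbols
        return ord(c)
    return ord(c) + 256      # '+', '.', ':' and friends sort after letters


def _verrevcmp(a: str, b: str) -> int:
    """Compare two upstream-version or revision strings the dpkg way."""
    i = j = 0
    while i < len(a) or j < len(b):
        # 1. the leading non-digit run, character by character
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # 2. the following digit run, numerically (leading zeros ignored)
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1             # a has more digits left, so it is the larger number
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v: str):
    """Split '[epoch:]upstream[-revision]'.  Only the FIRST colon is the
    epoch separator, so '2:2.2.3+really1:1.11.22' keeps '1:' inside the
    upstream part; the LAST hyphen separates the Debian revision."""
    epoch = 0
    if ":" in v:
        e, _, v = v.partition(":")
        epoch = int(e)
    upstream, sep, revision = v.rpartition("-")
    if not sep:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 according to how dpkg orders a and b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def sorted_versions(versions):
    return sorted(versions, key=cmp_to_key(compare_versions))


# The upload sequence discussed in the thread, oldest first.
PLAN = [
    "1:1.11.22-1",                 # the security fix that never reached testing
    "2:2.2.3-2",                   # the Python 3-only upload sitting in unstable
    "2:2.2.3+really1:1.11.22-1",   # proposed interim: 1.11.22 content, higher version
    "2:2.2.3+reallynow-1",         # proposed follow-up that restores 2.2.3
]

if __name__ == "__main__":
    for older, newer in zip(PLAN, PLAN[1:]):
        print(f"{older:30} < {newer}: {compare_versions(older, newer) == -1}")
```

Run directly, it prints the three pairwise checks for the planned sequence. On a Debian system the same pairs can be cross-checked with `dpkg --compare-versions A lt B`; the point of sorting the list rather than just eyeballing it is that `+really1:...` loses to `+reallynow` only because `n` is compared against the end of a non-digit run, which is exactly the kind of detail that is easy to get wrong when improvising a version string.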


Bug#932960: python-django doesn't fix a CVE and drops Python 2 support at the same time

2019-07-25 Thread Chris Lamb
Hi Paul,

> it will take time before it does, as python-django can not migrate
> before reverse dependencies are fixed or removed. The latter isn't very
> nice for your reverse dependencies if you didn't give them proper
> heads-up. The former isn't nice for the python-django users of testing.

Mmm and I see that now. As in, please be assured that I didn't
override those feelings out of a lack of care or concern for the
reverse dependencies and their maintainers; it merely didn't really
occur to me, perhaps in a frenzy of post-Buster release motivation.

What do you suggest going forward regarding this CVE, at least?


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org  chris-lamb.co.uk
   `-



Bug#932960: python-django doesn't fix a CVE and drops Python 2 support at the same time

2019-07-25 Thread Paul Gevers
Hi Luke,

On 25-07-2019 22:14, Luke Faraone wrote:
> On 25/07/2019 15:45, Paul Gevers wrote:
> That is just the excuses script's auto-generated output, I think you
> might be reading too much into it. It is a true statement that when the
> package makes it into testing, that bug will be fixed, unless I am
> misunderstanding something.

No, it's not "just the excuses script" output. It shows all relevant
differences between unstable and testing.

> The migration happened in a previous upload[1]:
> python-django (2:2.2.3-2) unstable; urgency=medium
> 
>   * Upload (Python 3.x-only) branch to unstable after the release of
>     Debian "buster".
>   * Update debian/gbp.conf to refer to debian/sid after merge.
> 
> … so we did not drop Python3 just for a security update, despite this
> bug's title.

Yes, it's true that all this didn't happen in one upload, but there are
a whole lot of uploads of python-django that didn't make it into testing
yet, so this changelog is also relevant:

python-django (1:1.11.22-1) unstable; urgency=medium

  * New upstream security release.
    (Closes: #931316)

 -- Chris Lamb   Mon, 01 Jul 2019 17:09:52 -0300

>> The latter isn't very
>> nice for your reverse dependencies if you didn't give them proper
>> heads-up. The former isn't nice for the python-django users of testing.

[...]

> Note that testing is explicitly not recommended for those that care
> about security support[2][3].

Yes, I know very well, but that doesn't mean we shouldn't try or care.

In this case I think the current situation could have been avoided by
letting 1:1.11.22-1 migrate before the upload of the version with the
Python 2 drop. Probably a day would have been enough.

As Moritz just noted this CVE isn't particularly severe, so you can just
bite the bullet. But please inform your reverse dependencies ASAP, so
that everyone can start working on doing the required work. In my
opinion reverting to the pre 2 version for a well defined time to enable
others to do their work isn't so bad socially.

Paul



Bug#932960: python-django doesn't fix a CVE and drops Python 2 support at the same time

2019-07-25 Thread Moritz Mühlenhoff
On Thu, Jul 25, 2019 at 08:45:48PM +0200, Paul Gevers wrote:
> Control: tags -1 moreinfo
> 
> Hi Chris,
> 
> On 25-07-2019 18:51, Chris Lamb wrote:
> >> PS: I failed to spot bugs against (some of) those packages communicating
> >> the removal, I think that would be nice for those maintainers.
> > 
> > This might have been justifiably and fairly missed as it was discussed
> > quite some time, possibly years, ago. Not your fault, possibly ours…
> > However, as Brian mentions we do really have no option but to use the
> > 2.x branch of Django these days and, unfortunately, this means that
> > Python 2.x support is accordingly dropped.
> 
> It's OK to move on and it's very OK to do that at the beginning of a
> release cycle. However I expect you to coordinate this with your reverse
> dependencies and *I* didn't see that so far (but of course it's easy for
> me to miss stuff).
> 
> > The packages you list may thus need to be updated or removed. (I'm
> > afraid I haven't looked into the specifics...)
> 
> Sure. Contacting the maintainers, and they can help as well, I guess.
> 
> >> Your package is trying to fix a CVE
> > 
> > Can you elaborate? I'm a little distracted by DebConf stuff but I
> > can't seem to grok what you mean here specifically.
> 
> https://qa.debian.org/excuses.php?package=python-django says this upload
> will fix bug #931316 in testing. That bug is about CVE-2019-12781.
> Testing has not seen the fix yet, and due to the dropping of Python 2,
> it will take time before it does, as python-django can not migrate
> before reverse dependencies are fixed or removed. The latter isn't very
> nice for your reverse dependencies if you didn't give them proper
> heads-up. The former isn't nice for the python-django users of testing.

As mentioned on IRC the scope of CVE-2019-12781 seems acceptable and there's
hardly a month which would be better? This seems like a fine tradeoff to me.

If there's something earth-shattering in 1.11, it would still be possible
to fix that one via a targeted 1.11 upload to testing, I assume?

Cheers,
 Moritz



Bug#932960: python-django doesn't fix a CVE and drops Python 2 support at the same time

2019-07-25 Thread Luke Faraone
On 25/07/2019 15:45, Paul Gevers wrote:
>> Can you elaborate? I'm a little distracted by DebConf stuff but I
>> can't seem to grok what you mean here specifically.
> 
> https://qa.debian.org/excuses.php?package=python-django says this upload
> will fix bug #931316 in testing. That bug is about CVE-2019-12781.
> Testing has not seen the fix yet, and due to the dropping of Python 2,
> it will take time before it does, as python-django can not migrate
> before reverse dependencies are fixed or removed.

That is just the excuses script's auto-generated output, I think you
might be reading too much into it. It is a true statement that when the
package makes it into testing, that bug will be fixed, unless I am
misunderstanding something.

The migration happened in a previous upload[1]:
python-django (2:2.2.3-2) unstable; urgency=medium

  * Upload (Python 3.x-only) branch to unstable after the release of
    Debian "buster".
  * Update debian/gbp.conf to refer to debian/sid after merge.

… so we did not drop Python3 just for a security update, despite this
bug's title.

> The latter isn't very
> nice for your reverse dependencies if you didn't give them proper
> heads-up. The former isn't nice for the python-django users of testing.

I do recall the discussion Chris mentioned, although I admit I can't
find the thread at the moment. (I'm also a bit busy with DebConf)

Note that testing is explicitly not recommended for those that care
about security support[2][3].

[1]:
https://tracker.debian.org/news/1042323/accepted-python-django-2223-2-source-all-into-unstable/
[2]: https://www.debian.org/security/faq#testing
[3]: https://wiki.debian.org/DebianTesting#Considerations

Cheers,
Luke Faraone





Bug#932960: python-django doesn't fix a CVE and drops Python 2 support at the same time

2019-07-25 Thread Paul Gevers
Control: tags -1 moreinfo

Hi Chris,

On 25-07-2019 18:51, Chris Lamb wrote:
>> PS: I failed to spot bugs against (some of) those packages communicating
>> the removal, I think that would be nice for those maintainers.
> 
> This might have been justifiably and fairly missed as it was discussed
> quite some time, possibly years, ago. Not your fault, possibly ours…
> However, as Brian mentions we do really have no option but to use the
> 2.x branch of Django these days and, unfortunately, this means that
> Python 2.x support is accordingly dropped.

It's OK to move on and it's very OK to do that at the beginning of a
release cycle. However I expect you to coordinate this with your reverse
dependencies and *I* didn't see that so far (but of course it's easy for
me to miss stuff).

> The packages you list may thus need to be updated or removed. (I'm
> afraid I haven't looked into the specifics...)

Sure. Contacting the maintainers, and they can help as well, I guess.

>> Your package is trying to fix a CVE
> 
> Can you elaborate? I'm a little distracted by DebConf stuff but I
> can't seem to grok what you mean here specifically.

https://qa.debian.org/excuses.php?package=python-django says this upload
will fix bug #931316 in testing. That bug is about CVE-2019-12781.
Testing has not seen the fix yet, and due to the dropping of Python 2,
it will take time before it does, as python-django can not migrate
before reverse dependencies are fixed or removed. The latter isn't very
nice for your reverse dependencies if you didn't give them proper
heads-up. The former isn't nice for the python-django users of testing.

Paul





Bug#932960: python-django doesn't fix a CVE and drops Python 2 support at the same time

2019-07-25 Thread Chris Lamb
tags 932960 + moreinfo
thanks

Hi Paul,

> PS: I failed to spot bugs against (some of) those packages communicating
> the removal, I think that would be nice for those maintainers.

This might have been justifiably and fairly missed as it was discussed
quite some time, possibly years, ago. Not your fault, possibly ours…
However, as Brian mentions we do really have no option but to use the
2.x branch of Django these days and, unfortunately, this means that
Python 2.x support is accordingly dropped.

The packages you list may thus need to be updated or removed. (I'm
afraid I haven't looked into the specifics...)

> Your package is trying to fix a CVE

Can you elaborate? I'm a little distracted by DebConf stuff but I
can't seem to grok what you mean here specifically.


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org  chris-lamb.co.uk
   `-