Re: Should we require pytz for timezone support in Django?

2016-10-10 Thread Carl Meyer
Hi Kevin,

On 10/09/2016 11:09 AM, Kevin Brown wrote:
> I agree with requiring pytz if you have timezone support enabled in
> Django, as that cuts out a set of edge cases and likely simplifies the
> code base a bit in the long run. And I even agree with forcing it to be
> installed with Django if we want to encourage people to use Django with
> timezone support by default.
> 
> But I don't see the value in requiring pytz to be installed whenever you
> install Django, even if you explicitly disable timezone support. This
> means that there is the potential to force pytz to be installed in cases
> where it may never be used, and at the moment isn't even required.
> 
> If there was interest in dropping support for using Django without
> timezones (so removing USE_TZ = False), then I would understand the push
> for making pytz required for everyone.

I made this same argument a while back. The main problem with it is that
the default startproject sets USE_TZ = True. That means that with your
proposal, the default experience for every new Django dev would be 1.
install Django, 2. run startproject, 3. run runserver and get an error
that pytz isn't installed. That's not acceptable. Having pytz installed
in some cases when it isn't strictly needed is a very small price to pay
for a smoother path in the common case.

Carl

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/f03ff8ad-a71e-ba56-df1e-42f1ef02a41c%40oddbird.net.
For more options, visit https://groups.google.com/d/optout.



Re: disclosing security release dates on django-announce

2016-10-10 Thread Tim Graham
Thanks, I added that to the PR.

On Monday, October 10, 2016 at 3:43:09 PM UTC-4, Alex_Gaynor wrote:
>
> We already have one :-), our bounty indicates several severity levels: 
> https://hackerone.com/django
>
> Alex
>
> On Mon, Oct 10, 2016 at 3:40 PM, Tim Graham wrote:
>
>> Providing an indication of severity would be fine with me. Does anyone 
>> know of other web frameworks that have descriptions of severity 
>> classifications that we could borrow?
>>
>>
>> On Saturday, October 8, 2016 at 11:26:06 AM UTC-4, Shai Berger wrote:
>>>
>>> On Friday 07 October 2016 19:47:38 Markus Holtermann wrote:
>>> > On Friday, October 7, 2016 at 4:58:00 PM UTC+2, Tim Graham wrote:
>>> > > The Django team proposes [0] to add the following to the security policy:
>>> > >
>>> > > Approximately one week before public disclosure, ...
>>> > > we notify django-announce [1] of the date and approximate time of the
>>> > > upcoming security release. No information about the issues is given.
>>> [...]
>>> >
>>> > While we haven't decided on any particular format, you can expect the
>>> > announcements to look a bit like
>>> > https://mta.openssl.org/pipermail/openssl-announce/2016-September/76.html
>>> >
>>>
>>> with nitpicking():
>>> this example does give some information about the issues -- the number of
>>> issues and an assessment of their severity level. I believe it is a good
>>> example to follow.
>>>
>>> Shai. 
>>>
>>
>
>
>
> -- 
> "I disapprove of what you say, but I will defend to the death your right 
> to say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
> "The people's good is the highest law." -- Cicero
> GPG Key fingerprint: D1B3 ADC0 E023 8CA6
>
>



Re: Should we require pytz for timezone support in Django?

2016-10-10 Thread Florian Apolloner


On Monday, October 10, 2016 at 9:50:51 PM UTC+2, Aymeric Augustin wrote:
>
> I think it’s best to state the expected value explicitly.
>

In theory yes, in practice I think that is at least annoying on Windows 
which only allows for the System-TZ I think?

Cheers,
Florian



Re: Should we require pytz for timezone support in Django?

2016-10-10 Thread Tim Graham
Here's the ticket that added support for TIME_ZONE=None: 
https://code.djangoproject.com/ticket/1480

On Monday, October 10, 2016 at 3:50:51 PM UTC-4, Aymeric Augustin wrote:
>
> On 10 Oct 2016, at 21:31, Tim Graham wrote:
>
> I forgot to mention (and document) that (if I'm following the code 
> correctly) this change removes support for setting TIME_ZONE=None. 
> According to the docs, TIME_ZONE=None "causes Django to fall back to 
> using the system timezone. However, this is discouraged when USE_TZ = True, 
> because it makes conversions between local time and UTC less reliable." 
> Is removing that option acceptable as a backwards-incompatible change?
>
>
> I don’t have an opinion on that.
>
> I don’t think USE_TZ = None provides a particularly useful behavior. I 
> think it’s best to state the expected value explicitly.
>
> Perhaps that option was implemented because someone asked for it? I don’t 
> remember.
>
> -- 
> Aymeric.
>
>



Re: Should we require pytz for timezone support in Django?

2016-10-10 Thread Aymeric Augustin
> On 10 Oct 2016, at 21:31, Tim Graham wrote:
> 
> I forgot to mention (and document) that (if I'm following the code correctly) 
> this change removes support for setting TIME_ZONE=None. According to the 
> docs, TIME_ZONE=None "causes Django to fall back to using the system 
> timezone. However, this is discouraged when USE_TZ = True, because it makes 
> conversions between local time and UTC less reliable." Is removing that 
> option acceptable as a backwards-incompatible change?

I don’t have an opinion on that.

I don’t think USE_TZ = None provides a particularly useful behavior. I think 
it’s best to state the expected value explicitly.

Perhaps that option was implemented because someone asked for it? I don’t 
remember.

-- 
Aymeric.



Re: disclosing security release dates on django-announce

2016-10-10 Thread Alex Gaynor
We already have one :-), our bounty indicates several severity levels:
https://hackerone.com/django

Alex

On Mon, Oct 10, 2016 at 3:40 PM, Tim Graham wrote:

> Providing an indication of severity would be fine with me. Does anyone
> know of other web frameworks that have descriptions of severity
> classifications that we could borrow?
>
>
> On Saturday, October 8, 2016 at 11:26:06 AM UTC-4, Shai Berger wrote:
>>
>> On Friday 07 October 2016 19:47:38 Markus Holtermann wrote:
>> > On Friday, October 7, 2016 at 4:58:00 PM UTC+2, Tim Graham wrote:
>> > > The Django team proposes [0] to add the following to the security policy:
>> > >
>> > > Approximately one week before public disclosure, ...
>> > > we notify django-announce [1] of the date and approximate time of the
>> > > upcoming security release. No information about the issues is given.
>> [...]
>> >
>> > While we haven't decided on any particular format, you can expect the
>> > announcements to look a bit like
>> > https://mta.openssl.org/pipermail/openssl-announce/2016-September/76.html
>> >
>>
>> with nitpicking():
>> this example does give some information about the issues -- the number of
>> issues and an assessment of their severity level. I believe it is a good
>> example to follow.
>>
>> Shai.
>>
>



-- 
"I disapprove of what you say, but I will defend to the death your right to
say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: D1B3 ADC0 E023 8CA6



Re: disclosing security release dates on django-announce

2016-10-10 Thread Tim Graham
Providing an indication of severity would be fine with me. Does anyone know 
of other web frameworks that have descriptions of severity classifications 
that we could borrow?

On Saturday, October 8, 2016 at 11:26:06 AM UTC-4, Shai Berger wrote:
>
> On Friday 07 October 2016 19:47:38 Markus Holtermann wrote:
> > On Friday, October 7, 2016 at 4:58:00 PM UTC+2, Tim Graham wrote:
> > > The Django team proposes [0] to add the following to the security policy:
> > >
> > > Approximately one week before public disclosure, ...
> > > we notify django-announce [1] of the date and approximate time of the
> > > upcoming security release. No information about the issues is given.
> [...]
> >
> > While we haven't decided on any particular format, you can expect the
> > announcements to look a bit like
> > https://mta.openssl.org/pipermail/openssl-announce/2016-September/76.html
> >
>
> with nitpicking():
> this example does give some information about the issues -- the number of
> issues and an assessment of their severity level. I believe it is a good
> example to follow.
>
> Shai. 
>



Re: Should we require pytz for timezone support in Django?

2016-10-10 Thread Tim Graham
I forgot to mention (and document) that (if I'm following the code 
correctly) this change removes support for setting TIME_ZONE=None. 
According to the docs, TIME_ZONE=None "causes Django to fall back to 
using the system timezone. However, this is discouraged when USE_TZ = True, 
because it makes conversions between local time and UTC less reliable." 
Is removing that option acceptable as a backwards-incompatible change?

On Sunday, October 9, 2016 at 4:22:30 PM UTC-4, Aymeric Augustin wrote:
>
> Hello Kevin, 
>
> > On 09 Oct 2016, at 20:09, Kevin Brown wrote:
> >
> > If there was interest in dropping support for using Django without
> > timezones (so removing USE_TZ = False), then I would understand the push
> > for making pytz required for everyone.
>
> You’re making the assumption that pytz is only needed when USE_TZ = True. 
> In practice it isn’t that simple. 
>
> If you look at Tim’s patch you’ll see that code that relies on pytz doesn’t 
> look like `if settings.USE_TZ: # do something with pytz` in general. 
> Several APIs need to account for time zones to produce accurate results 
> even when USE_TZ = False, for example, if memory serves, template tags that 
> humanize durations, probably others. Also django.utils.timezone can be 
> useful even when USE_TZ = False. 
>
> The patch makes it clear that managing with / without pytz alternatives 
> everywhere creates a lot of noise and a lot of error messages that boil 
> down to “yeah, this doesn’t work without pytz, install it”. Forcing the 
> install upfront has a negligible cost and removes the possibility to hit 
> these frustrating errors.
>
> Also supporting two code paths causes a non-negligible overhead for the 
> development of Django. Every time someone wants to add a test that involves 
> datetimes, they have to figure out what happens with or without pytz, 
> whether the test should be skipped and in which circumstances, etc. Often, 
> I still have to intervene myself, even though it’s been four years since I 
> added time zone support to Django. The developer experience in this area is 
> awful :-/ 
>
> Of course the point of Django is to have few people make efforts so that 
> everyone else doesn’t have to, but in this case, the burden added on 
> everyone else seems barely noticeable. If the concern is the size of a 
> Django install, honestly, there are other areas to target (e.g. ship 
> contrib apps, translations, etc. separately). 
>
> I hope this clarifies the situation, 
>
> -- 
> Aymeric. 
>
>



Re: DEP pre-proposal for a simpler URLs syntax.

2016-10-10 Thread Tom Christie
> What is the current status of this pre-proposal?

I think it's ready for some initial work to validate the approach.
I've got some time available for this in the near future, given that I'm 
currently on open source work full time.

> Is there anything I can help with?

If you also wanted to get involved I'd suggest considering:

A PR for the DEP, taking it from the current markdown Gist, into a properly 
formatted Rst document.
A PR for any of the implementation tasks listed (all fairly separate pieces 
of work) to get things moving. (Things may still change once the DEP starts 
to be fully reviewed, but there's no great harm in getting started.)

Cheers,

  Tom



Re: DEP pre-proposal for a simpler URLs syntax.

2016-10-10 Thread Sjoerd Job Postmus
What is the current status of this pre-proposal? Is there anything I can 
help with?
