RE: DoS using POST via hash algorithm collision
Paul McMillan had a very good posting about this on the Python issue tracker. The problem is that whenever you put user supplied data into a hashmap, you are vulnerable to this attack. This basically includes most Python modules, and I would guess a lot of user code, too. So, if you fix JSON and POST, you still have about 99% (likely would actually round to 100%) of attack surface left. I found these links very informative about this matter: http://lwn.net/Articles/474912/ and http://bugs.python.org/issue13703#msg150840 (the McMillan's post mentioned above). - Anssi From: django-developers@googlegroups.com [django-developers@googlegroups.com] On Behalf Of Luke Plant [l.plant...@cantab.net] Sent: Friday, January 20, 2012 15:46 To: django-developers@googlegroups.com Subject: Re: DoS using POST via hash algorithm collision On 20/01/12 08:47, Aymeric Augustin wrote: > 2012/1/20 Łukasz Rekucki <lreku...@gmail.com <mailto:lreku...@gmail.com>> > > We all know browsers won't crash and they will render the page exactly > the same. I volunteer to fix any issues in the test suite (considering > the hash changes also between 32-bit/64-bit Python, i'm not sure there > are even any or we would get a report on that, wouldn't we ?). > > I think it's important for the Django core team to voice their opinion > on this matter in python-dev. > > Hello Łukasz, > > I absolutely agree -- code that relies on a deterministic dictionary > order is broken and should be fixed. I agree with this completely, and Carl's post: http://mail.python.org/pipermail/python-dev/2012-January/115700.html Whether this should be fixed in Python or not is a different question. Most of the web specific problems can be fixed relatively easily with HTTP specific solutions and limits. We can easily change how we handle POST and GET data to a protected solution (by length limitation or a custom datastructure), and we can protect cookie parsing using simple length limits (and continue using stdlib SimpleCookie). However, JSON parsing, which is a common task for web sites, is much harder to fix, because almost by definition you've got to return dictionaries with arbitrary keys and arbitrary size, and because as a framework we don't control how developers do JSON parsing. Luke -- "Cross country skiing is great if you live in a small country." (Steven Wright) Luke Plant || http://lukeplant.me.uk/ -- You received this message because you are subscribed to the Google Groups "Django developers" group. To post to this group, send email to django-developers@googlegroups.com. To unsubscribe from this group, send email to django-developers+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/django-developers?hl=en. -- You received this message because you are subscribed to the Google Groups "Django developers" group. To post to this group, send email to django-developers@googlegroups.com. To unsubscribe from this group, send email to django-developers+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/django-developers?hl=en.
Re: DoS using POST via hash algorithm collision
On 20/01/12 08:47, Aymeric Augustin wrote: > 2012/1/20 Łukasz Rekucki> > > We all know browsers won't crash and they will render the page exactly > the same. I volunteer to fix any issues in the test suite (considering > the hash changes also between 32-bit/64-bit Python, i'm not sure there > are even any or we would get a report on that, wouldn't we ?). > > I think it's important for the Django core team to voice their opinion > on this matter in python-dev. > > Hello Łukasz, > > I absolutely agree -- code that relies on a deterministic dictionary > order is broken and should be fixed. I agree with this completely, and Carl's post: http://mail.python.org/pipermail/python-dev/2012-January/115700.html Whether this should be fixed in Python or not is a different question. Most of the web specific problems can be fixed relatively easily with HTTP specific solutions and limits. We can easily change how we handle POST and GET data to a protected solution (by length limitation or a custom datastructure), and we can protect cookie parsing using simple length limits (and continue using stdlib SimpleCookie). However, JSON parsing, which is a common task for web sites, is much harder to fix, because almost by definition you've got to return dictionaries with arbitrary keys and arbitrary size, and because as a framework we don't control how developers do JSON parsing. Luke -- "Cross country skiing is great if you live in a small country." (Steven Wright) Luke Plant || http://lukeplant.me.uk/ -- You received this message because you are subscribed to the Google Groups "Django developers" group. To post to this group, send email to django-developers@googlegroups.com. To unsubscribe from this group, send email to django-developers+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/django-developers?hl=en.
Re: DoS using POST via hash algorithm collision
2012/1/20 Łukasz Rekucki> We all know browsers won't crash and they will render the page exactly > the same. I volunteer to fix any issues in the test suite (considering > the hash changes also between 32-bit/64-bit Python, i'm not sure there > are even any or we would get a report on that, wouldn't we ?). > > I think it's important for the Django core team to voice their opinion > on this matter in python-dev. > Hello Łukasz, I absolutely agree — code that relies on a deterministic dictionary order is broken and should be fixed. Best regards, -- Aymeric. -- You received this message because you are subscribed to the Google Groups "Django developers" group. To post to this group, send email to django-developers@googlegroups.com. To unsubscribe from this group, send email to django-developers+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/django-developers?hl=en.
Re: DoS using POST via hash algorithm collision
Dear django-developers, It seems that Django has now become the argument for NOT fixing this issue properly. Citing python-dev: > For example, in the Django test > suite, the HTML output is different at each run. Web browsers may > render the web page differently, or crash, or ... I don't think that > Django would like to sort attributes of each HTML tag, just because we > wanted to fix a vulnerability. We all know browsers won't crash and they will render the page exactly the same. I volunteer to fix any issues in the test suite (considering the hash changes also between 32-bit/64-bit Python, i'm not sure there are even any or we would get a report on that, wouldn't we ?). I think it's important for the Django core team to voice their opinion on this matter in python-dev. Thank you!, Łukasz Rekucki -- You received this message because you are subscribed to the Google Groups "Django developers" group. To post to this group, send email to django-developers@googlegroups.com. To unsubscribe from this group, send email to django-developers+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/django-developers?hl=en.
Re: DoS using POST via hash algorithm collision
Hi Luciano, Curious, I was unaware of any such DoS vulnerability - makes for very interesting reading. Thanks for sharing this with the list - may be worth sending to django-users as well. Cal On Thu, Dec 29, 2011 at 2:26 AM, Luciano Pachecowrote: > Hi all, > > Have you guys seen this? > http://www.ocert.org/advisories/ocert-2011-003.html > > PDF with some more explanation: > http://www.nruns.com/_downloads/advisory28122011.pdf > > Regards, > -- > Luciano Pacheco > blog.lucmult.com.br > > -- > You received this message because you are subscribed to the Google Groups > "Django developers" group. > To post to this group, send email to django-developers@googlegroups.com. > To unsubscribe from this group, send email to > django-developers+unsubscr...@googlegroups.com. > For more options, visit this group at > http://groups.google.com/group/django-developers?hl=en. > -- You received this message because you are subscribed to the Google Groups "Django developers" group. To post to this group, send email to django-developers@googlegroups.com. To unsubscribe from this group, send email to django-developers+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/django-developers?hl=en.
Re: DoS using POST via hash algorithm collision
> invasive to app code. It seems that this crafted-hash-collision > vector doesn't have a clean answer like that. There are workarounds, > but they may not apply to particular codebases. Yeah. The discussion going on over at python-dev suggests that Python itself may actually implement support after all, which would be really nice. -- You received this message because you are subscribed to the Google Groups "Django developers" group. To post to this group, send email to django-developers@googlegroups.com. To unsubscribe from this group, send email to django-developers+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/django-developers?hl=en.
Re: DoS using POST via hash algorithm collision
On Thu, Dec 29, 2011 at 12:10 PM, Paul McMillanwrote: ... >> That seems like a simpler workaround than arch upgrade or replacing >> dict implementation. > > This problem has nothing to do with slowloris. > > Replacing dict implementation prevents an attacker from producing keys > which are intentionally n^2 hard for dictionary operations. Sure, I understand these are 2 different attack vectors. I just meant that putting a proxy in front is a general solution that isn't invasive to app code. It seems that this crafted-hash-collision vector doesn't have a clean answer like that. There are workarounds, but they may not apply to particular codebases. -- You received this message because you are subscribed to the Google Groups "Django developers" group. To post to this group, send email to django-developers@googlegroups.com. To unsubscribe from this group, send email to django-developers+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/django-developers?hl=en.
Re: DoS using POST via hash algorithm collision
> Slow Loris can be avoided by putting a proxy capable of buffering > requests until completion between the app server and the web, right? Yes, use nginx or similar. Slowloris is generally not a problem when that is properly configured. > That seems like a simpler workaround than arch upgrade or replacing > dict implementation. This problem has nothing to do with slowloris. Replacing dict implementation prevents an attacker from producing keys which are intentionally n^2 hard for dictionary operations. -- You received this message because you are subscribed to the Google Groups "Django developers" group. To post to this group, send email to django-developers@googlegroups.com. To unsubscribe from this group, send email to django-developers+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/django-developers?hl=en.
Re: DoS using POST via hash algorithm collision
On Thu, Dec 29, 2011 at 8:19 AM, Christophe Pettuswrote: ... > It's an interesting result, but I'm not sure how much to be worried about it > in the field. A SlowLoris or similar attack would seem to be far more > effective and less implementation-dependent. Slow Loris can be avoided by putting a proxy capable of buffering requests until completion between the app server and the web, right? That seems like a simpler workaround than arch upgrade or replacing dict implementation. -- You received this message because you are subscribed to the Google Groups "Django developers" group. To post to this group, send email to django-developers@googlegroups.com. To unsubscribe from this group, send email to django-developers+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/django-developers?hl=en.
Re: DoS using POST via hash algorithm collision
Thanks On Thu, Dec 29, 2011 at 11:36 AM, Alex Gaynorwrote: > > > On Thu, Dec 29, 2011 at 10:32 AM, Daniel Sokolowski < > daniel.sokolow...@klinsight.com> wrote: > >> Would someone be so kind and explain why POST variables are stored in >> hash tables? What is the reasoning behind it? Speed? Or is this simply done >> at the Python level when using a dictionary type? Thank you >> >> >> On Thu, Dec 29, 2011 at 11:19 AM, Christophe Pettus wrote: >> >>> >>> On Dec 29, 2011, at 8:12 AM, Daniel Sokolowski wrote: >>> >>> > So this would effect django because of the CSRF token check --- which >>> requires the hash to be regenerated before comparing it yes? >>> >>> No, the problem is somewhat different. The attacker constructs a POST >>> request in which the field names are constructed to be a degenerate case of >>> a hash table. Since pretty much every web framework in existence >>> (including Django) automatically takes the incoming POST fields and inserts >>> them into a hash table (a Python dict being implemented as a hash table), >>> the framework will grind through this degenerate case very, very slowly. >>> >>> If I'm reading the paper correctly, it only applies to 32-bit Python >>> implementations, as the 64-bit ones are not practically vulnerable to this >>> attack. >>> >>> It's an interesting result, but I'm not sure how much to be worried >>> about it in the field. A SlowLoris or similar attack would seem to be far >>> more effective and less implementation-dependent. >>> -- >>> -- Christophe Pettus >>> x...@thebuild.com >>> >>> -- >>> You received this message because you are subscribed to the Google >>> Groups "Django developers" group. >>> To post to this group, send email to django-developers@googlegroups.com. >>> To unsubscribe from this group, send email to >>> django-developers+unsubscr...@googlegroups.com. >>> For more options, visit this group at >>> http://groups.google.com/group/django-developers?hl=en. >>> >>> >> >> >> -- >> Daniel Sokolowski >> Web Engineer >> KL Insight >> http://klinsight.com/ >> Tel: 613-344-2116 | Fax: 613.634.7029 >> 993 Princess Street, Suite 212 >> Kingston, ON K7L 1H3, Canada >> >> >> Notice of Confidentiality: >> The information transmitted is intended only for the person or entity to >> which it is addressed and may contain confidential and/or privileged >> material. Any review re-transmission dissemination or other use of or >> taking of any action in reliance upon this information by persons or >> entities other than the intended recipient is prohibited. If you received >> this in error please contact the sender immediately by return electronic >> transmission and then immediately delete this transmission including all >> attachments without copying distributing or disclosing same. >> -- >> You received this message because you are subscribed to the Google Groups >> "Django developers" group. >> To post to this group, send email to django-developers@googlegroups.com. >> To unsubscribe from this group, send email to >> django-developers+unsubscr...@googlegroups.com. >> For more options, visit this group at >> http://groups.google.com/group/django-developers?hl=en. >> > > Well, what structure would you use to store them? POST variables are > "obviously" a mapping of key to value, and the way one does that in Python > is generally a dict (which are presently backed by a hashtable on every > Python VM I know of). > > Alex > > -- > "I disapprove of what you say, but I will defend to the death your right > to say it." -- Evelyn Beatrice Hall (summarizing Voltaire) > "The people's good is the highest law." -- Cicero > > -- > You received this message because you are subscribed to the Google Groups > "Django developers" group. > To post to this group, send email to django-developers@googlegroups.com. > To unsubscribe from this group, send email to > django-developers+unsubscr...@googlegroups.com. > For more options, visit this group at > http://groups.google.com/group/django-developers?hl=en. > -- You received this message because you are subscribed to the Google Groups "Django developers" group. To post to this group, send email to django-developers@googlegroups.com. To unsubscribe from this group, send email to django-developers+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/django-developers?hl=en.
Re: DoS using POST via hash algorithm collision
On Thu, Dec 29, 2011 at 10:32 AM, Daniel Sokolowski < daniel.sokolow...@klinsight.com> wrote: > Would someone be so kind and explain why POST variables are stored in hash > tables? What is the reasoning behind it? Speed? Or is this simply done at > the Python level when using a dictionary type? Thank you > > > On Thu, Dec 29, 2011 at 11:19 AM, Christophe Pettuswrote: > >> >> On Dec 29, 2011, at 8:12 AM, Daniel Sokolowski wrote: >> >> > So this would effect django because of the CSRF token check --- which >> requires the hash to be regenerated before comparing it yes? >> >> No, the problem is somewhat different. The attacker constructs a POST >> request in which the field names are constructed to be a degenerate case of >> a hash table. Since pretty much every web framework in existence >> (including Django) automatically takes the incoming POST fields and inserts >> them into a hash table (a Python dict being implemented as a hash table), >> the framework will grind through this degenerate case very, very slowly. >> >> If I'm reading the paper correctly, it only applies to 32-bit Python >> implementations, as the 64-bit ones are not practically vulnerable to this >> attack. >> >> It's an interesting result, but I'm not sure how much to be worried about >> it in the field. A SlowLoris or similar attack would seem to be far more >> effective and less implementation-dependent. >> -- >> -- Christophe Pettus >> x...@thebuild.com >> >> -- >> You received this message because you are subscribed to the Google Groups >> "Django developers" group. >> To post to this group, send email to django-developers@googlegroups.com. >> To unsubscribe from this group, send email to >> django-developers+unsubscr...@googlegroups.com. >> For more options, visit this group at >> http://groups.google.com/group/django-developers?hl=en. >> >> > > > -- > Daniel Sokolowski > Web Engineer > KL Insight > http://klinsight.com/ > Tel: 613-344-2116 | Fax: 613.634.7029 > 993 Princess Street, Suite 212 > Kingston, ON K7L 1H3, Canada > > > Notice of Confidentiality: > The information transmitted is intended only for the person or entity to > which it is addressed and may contain confidential and/or privileged > material. Any review re-transmission dissemination or other use of or > taking of any action in reliance upon this information by persons or > entities other than the intended recipient is prohibited. If you received > this in error please contact the sender immediately by return electronic > transmission and then immediately delete this transmission including all > attachments without copying distributing or disclosing same. > > -- > You received this message because you are subscribed to the Google Groups > "Django developers" group. > To post to this group, send email to django-developers@googlegroups.com. > To unsubscribe from this group, send email to > django-developers+unsubscr...@googlegroups.com. > For more options, visit this group at > http://groups.google.com/group/django-developers?hl=en. > Well, what structure would you use to store them? POST variables are "obviously" a mapping of key to value, and the way one does that in Python is generally a dict (which are presently backed by a hashtable on every Python VM I know of). Alex -- "I disapprove of what you say, but I will defend to the death your right to say it." -- Evelyn Beatrice Hall (summarizing Voltaire) "The people's good is the highest law." -- Cicero -- You received this message because you are subscribed to the Google Groups "Django developers" group. To post to this group, send email to django-developers@googlegroups.com. To unsubscribe from this group, send email to django-developers+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/django-developers?hl=en.
Re: DoS using POST via hash algorithm collision
Would someone be so kind and explain why POST variables are stored in hash tables? What is the reasoning behind it? Speed? Or is this simply done at the Python level when using a dictionary type? Thank you On Thu, Dec 29, 2011 at 11:19 AM, Christophe Pettuswrote: > > On Dec 29, 2011, at 8:12 AM, Daniel Sokolowski wrote: > > > So this would effect django because of the CSRF token check --- which > requires the hash to be regenerated before comparing it yes? > > No, the problem is somewhat different. The attacker constructs a POST > request in which the field names are constructed to be a degenerate case of > a hash table. Since pretty much every web framework in existence > (including Django) automatically takes the incoming POST fields and inserts > them into a hash table (a Python dict being implemented as a hash table), > the framework will grind through this degenerate case very, very slowly. > > If I'm reading the paper correctly, it only applies to 32-bit Python > implementations, as the 64-bit ones are not practically vulnerable to this > attack. > > It's an interesting result, but I'm not sure how much to be worried about > it in the field. A SlowLoris or similar attack would seem to be far more > effective and less implementation-dependent. > -- > -- Christophe Pettus > x...@thebuild.com > > -- > You received this message because you are subscribed to the Google Groups > "Django developers" group. > To post to this group, send email to django-developers@googlegroups.com. > To unsubscribe from this group, send email to > django-developers+unsubscr...@googlegroups.com. > For more options, visit this group at > http://groups.google.com/group/django-developers?hl=en. > > -- Daniel Sokolowski Web Engineer KL Insight http://klinsight.com/ Tel: 613-344-2116 | Fax: 613.634.7029 993 Princess Street, Suite 212 Kingston, ON K7L 1H3, Canada Notice of Confidentiality: The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review re-transmission dissemination or other use of or taking of any action in reliance upon this information by persons or entities other than the intended recipient is prohibited. If you received this in error please contact the sender immediately by return electronic transmission and then immediately delete this transmission including all attachments without copying distributing or disclosing same. -- You received this message because you are subscribed to the Google Groups "Django developers" group. To post to this group, send email to django-developers@googlegroups.com. To unsubscribe from this group, send email to django-developers+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/django-developers?hl=en.
Re: DoS using POST via hash algorithm collision
On Dec 29, 2011, at 8:12 AM, Daniel Sokolowski wrote: > So this would effect django because of the CSRF token check --- which > requires the hash to be regenerated before comparing it yes? No, the problem is somewhat different. The attacker constructs a POST request in which the field names are constructed to be a degenerate case of a hash table. Since pretty much every web framework in existence (including Django) automatically takes the incoming POST fields and inserts them into a hash table (a Python dict being implemented as a hash table), the framework will grind through this degenerate case very, very slowly. If I'm reading the paper correctly, it only applies to 32-bit Python implementations, as the 64-bit ones are not practically vulnerable to this attack. It's an interesting result, but I'm not sure how much to be worried about it in the field. A SlowLoris or similar attack would seem to be far more effective and less implementation-dependent. -- -- Christophe Pettus x...@thebuild.com -- You received this message because you are subscribed to the Google Groups "Django developers" group. To post to this group, send email to django-developers@googlegroups.com. To unsubscribe from this group, send email to django-developers+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/django-developers?hl=en.
Re: DoS using POST via hash algorithm collision
So this would effect django because of the CSRF token check --- which requires the hash to be regenerated before comparing it yes? On Wed, Dec 28, 2011 at 9:26 PM, Luciano Pachecowrote: > Hi all, > > Have you guys seen this? > http://www.ocert.org/advisories/ocert-2011-003.html > > PDF with some more explanation: > http://www.nruns.com/_downloads/advisory28122011.pdf > > Regards, > -- > Luciano Pacheco > blog.lucmult.com.br > -- > You received this message because you are subscribed to the Google Groups > "Django developers" group. > To post to this group, send email to django-developers@googlegroups.com. > To unsubscribe from this group, send email to > django-developers+unsubscr...@googlegroups.com. > For more options, visit this group at > http://groups.google.com/group/django-developers?hl=en. > -- Daniel Sokolowski Web Engineer KL Insight http://klinsight.com/ Tel: 613-344-2116 | Fax: 613.634.7029 993 Princess Street, Suite 212 Kingston, ON K7L 1H3, Canada Notice of Confidentiality: The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review re-transmission dissemination or other use of or taking of any action in reliance upon this information by persons or entities other than the intended recipient is prohibited. If you received this in error please contact the sender immediately by return electronic transmission and then immediately delete this transmission including all attachments without copying distributing or disclosing same. -- You received this message because you are subscribed to the Google Groups "Django developers" group. To post to this group, send email to django-developers@googlegroups.com. To unsubscribe from this group, send email to django-developers+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/django-developers?hl=en.
Re: DoS using POST via hash algorithm collision
On Thu, Dec 29, 2011 at 11:48 AM, Luciano Pachecowrote: > > > On Thu, Dec 29, 2011 at 1:56 PM, Paul McMillan wrote: >> >> >> Even though this issue is now public, please continue report security >> problems privately to secur...@djangoproject.com. > > > > Hi Paul, > > Thanks for your response. > > I've searched our community page for this address, before send to djang-dev > list, but I haven't found it. > > https://www.djangoproject.com/community/ Thanks for the suggestion -- putting a link to the security mailing contact on the community page definitely seems like a good idea to me. I've just opened ticket #17479 to track this idea. https://code.djangoproject.com/ticket/17479 For the record, the security contact is listed on the "create a new ticket page" https://code.djangoproject.com/newticket and in the FAQ: https://docs.djangoproject.com/en/dev/faq/help/#i-think-i-ve-found-a-security-problem-what-should-i-do However, it certainly doesn't hurt to have more links on our security reporting procedures. Yours, Russ Magee %-) -- You received this message because you are subscribed to the Google Groups "Django developers" group. To post to this group, send email to django-developers@googlegroups.com. To unsubscribe from this group, send email to django-developers+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/django-developers?hl=en.
Re: DoS using POST via hash algorithm collision
Yes, we've seen it and are working on it. Python hasn't directly addressed the problem (and may not - it's arguable whether it's an application or a language-level issue), so we'll probably have to ship our own workaround. This is a non-trivial fix. In the meantime, workarounds include using 64 bit python, severely limiting the length of requests your server accepts, limiting the number of allowed parameters in a POST, and strictly limiting the amount of time a Django process can exist before the webserver kills it. Fortunately, attack code has not yet been made public (if you know otherwise please contact me privately). Even though this issue is now public, please continue report security problems privately to secur...@djangoproject.com. -Paul -- You received this message because you are subscribed to the Google Groups "Django developers" group. To post to this group, send email to django-developers@googlegroups.com. To unsubscribe from this group, send email to django-developers+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/django-developers?hl=en.
DoS using POST via hash algorithm collision
Hi all, Have you guys seen this? http://www.ocert.org/advisories/ocert-2011-003.html PDF with some more explanation: http://www.nruns.com/_downloads/advisory28122011.pdf Regards, -- Luciano Pacheco blog.lucmult.com.br -- You received this message because you are subscribed to the Google Groups "Django developers" group. To post to this group, send email to django-developers@googlegroups.com. To unsubscribe from this group, send email to django-developers+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/django-developers?hl=en.