Re: Why Django Document site always redirect to an earlier version

2017-09-21 Thread Dylan Reinhold
From the main site, or from another site like Stack Overflow or Google? From
the main site I get 1.11.
From another site you can't control what links are used.

Dylan

On Thu, Sep 21, 2017 at 6:07 PM, Zhiqiang Liu  wrote:

> Most of the times it is redirected to v1.6, sometimes 1.10, not sure why
> it happens?
>
> Are people aware of that?
>
>
> --
> You received this message because you are subscribed to the Google Groups
> "Django developers (Contributions to Django itself)" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to django-developers+unsubscr...@googlegroups.com.
> To post to this group, send email to django-developers@googlegroups.com.
> Visit this group at https://groups.google.com/group/django-developers.
> To view this discussion on the web visit https://groups.google.com/d/
> msgid/django-developers/98fcb742-83a4-4b5b-ad7a-
> 5b4e8c47769c%40googlegroups.com
> 
> .
> For more options, visit https://groups.google.com/d/optout.
>



Re: New Feature: Allow password reset token to expire in under a day

2017-09-21 Thread Dylan Reinhold
I agree about deprecating PASSWORD_RESET_TIMEOUT_DAYS, with no rush to
remove. Then if PASSWORD_RESET_TIMEOUT is set it takes precedence.
Now for the input to PASSWORD_RESET_TIMEOUT, looking at current settings in
Django, anything I found that is time/age based is expressed in integer
seconds.
I would say stay with seconds.

Dylan

On Wed, Sep 20, 2017 at 7:56 PM, Zhiqiang Liu  wrote:

> I need general consensus on how to proceed with supporting password expire
> time to be under a day. Currently it is not possible because we use
> PASSWORD_RESET_TIMEOUT_DAYS.
>
> In ticket 28622  we have two
> options.
>
> One is to continue to use the same setting PASSWORD_RESET_TIMEOUT_DAYS,
> but change the value to non-integer (such as timedelta) so we can send
> hours, minutes, etc to it.
>
> The other one is to create a new setting like PASSWORD_RESET_TIMEOUT which
> takes seconds. To support backward compatibility, I think we should keep
> PASSWORD_RESET_TIMEOUT_DAYS and its default value of 3. Only use
> PASSWORD_RESET_TIMEOUT when provided.
>
> I'm unsure which one is better, so inputs are welcome.
>


Re: New Feature: Allow password reset token to expire in under a day

2017-09-21 Thread Dylan Reinhold
I still think seconds are the way to go, but maybe the documentation could
give a clue that timedelta().seconds can be used for readability:

PASSWORD_RESET_TIMEOUT = datetime.timedelta(hours=6, minutes=30).seconds

Dylan

On Thu, Sep 21, 2017 at 6:14 AM, Zhiqiang Liu  wrote:

> Yeah I don't think float number of days is a good choice because the
> calculation will be weird with precision issues.
>
> I think it makes sense to use PASSWORD_RESET_TIMEOUT. For timedelta vs.
> integer seconds. Timedelta has the benefit of readability, but integer has
> the benefit of simplicity. I think in SETTINGS everything should be as
> simple as possible, so I think integer seconds is a better choice here. And
> it is used in most applications too.
>
>
> On Thursday, September 21, 2017 at 8:56:36 AM UTC-4, charettes wrote:
>>
>> That's what I proposed on the ticket but I feel like it felt odd to me,
>> the setting name doesn't suggest this is possible and it might be hard to
>> achieve exact second precision because of float rounding?
>>
>> In my opinion introducing PASSWORD_RESET_TIMEOUT with timedelta support
>> would be the best option.
>>
>> Simon
>>
>> On Thursday, September 21, 2017 at 5:26:23 AM UTC-4, Adam Johnson wrote:
>>>
>>> Why not just keep PASSWORD_RESET_TIMEOUT_DAYS and allow floats? Then
>>> you can just do 1/24 for an hour.
>>>
>>> On 21 September 2017 at 09:50, Eddy C  wrote:
>>>
>>>> I think Minute, with default value 30 or 60, is the best unit for this
>>>> setting.
>>>>
>>>> 3 minutes (even 1) is short enough for edge case and 720 (12 hours)
>>>> also looks good.
>>>>
>>>> On Thursday, September 21, 2017 at 6:22:20 PM UTC+10, Tom Forbes wrote:
>>>>>
>>>>> I think we shouldn't shoe-horn a timedelta into the existing setting,
>>>>> so my vote is with the second option, but I think a timedelta is much more
>>>>> readable than just an integer.
>>>>>
>>>>> Also, the existing 3 day timeout for password links is quite
>>>>> surprising from a security point of view. The consultants I work with
>>>>> would flag up a token that lasts longer than 12 hours as an issue during
>>>>> a pentest.
>>>>>
>>>>> IMO a new, far shorter default should be added to this setting.
>>>>>
>>>>> On 21 Sep 2017 03:56, "Zhiqiang Liu" wrote:
>>>>>>
>>>>>> I need general consensus on how to proceed with supporting password
>>>>>> expire time to be under a day. Currently it is not possible because we use
>>>>>> PASSWORD_RESET_TIMEOUT_DAYS.
>>>>>>
>>>>>> In ticket 28622 we have
>>>>>> two options.
>>>>>>
>>>>>> One is to continue to use the same setting
>>>>>> PASSWORD_RESET_TIMEOUT_DAYS, but change the value to non-integer (such as
>>>>>> timedelta) so we can send hours, minutes, etc to it.
>>>>>>
>>>>>> The other one is to create a new setting like PASSWORD_RESET_TIMEOUT
>>>>>> which takes seconds. To support backward compatibility, I think we should
>>>>>> keep PASSWORD_RESET_TIMEOUT_DAYS and its default value of 3. Only use
>>>>>> PASSWORD_RESET_TIMEOUT when provided.
>>>>>>
>>>>>> I'm unsure which one is better, so inputs are welcome.
>>>>>>
>>>
>>>
>>>
>>> --
>>> Adam
>>>
> 
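
An added example (not part of the thread and not Django's code) of the rule discussed above: the seconds setting wins when provided, otherwise the days setting and its default of 3 apply. It also converts a timedelta with total_seconds(), because timedelta.seconds holds only the sub-day part of a duration. The names to_seconds, resolve_reset_timeout and token_expired are hypothetical.

```python
from datetime import timedelta

SECONDS_PER_DAY = 24 * 60 * 60
DEFAULT_TIMEOUT_DAYS = 3  # default value stated in the thread


def to_seconds(value):
    """Normalise an int or a timedelta to whole seconds.

    timedelta.seconds is only the sub-day component (0..86399), so a
    duration of one day or more must be converted with total_seconds().
    """
    if isinstance(value, timedelta):
        value = value.total_seconds()
    seconds = int(value)
    if seconds <= 0:
        raise ValueError("reset timeout must be a positive number of seconds")
    return seconds


def resolve_reset_timeout(settings):
    """Hypothetical resolver over a plain dict of settings.

    The seconds setting takes precedence when provided; otherwise the
    legacy days setting (or its default) is converted to seconds.
    """
    if settings.get("PASSWORD_RESET_TIMEOUT") is not None:
        return to_seconds(settings["PASSWORD_RESET_TIMEOUT"])
    days = settings.get("PASSWORD_RESET_TIMEOUT_DAYS", DEFAULT_TIMEOUT_DAYS)
    return to_seconds(days * SECONDS_PER_DAY)


def token_expired(issued_at, now, timeout):
    """True once more than `timeout` seconds have passed since issue."""
    return (now - issued_at) > timeout


if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    print(resolve_reset_timeout({}))                                # legacy default
    print(resolve_reset_timeout({"PASSWORD_RESET_TIMEOUT": 1800}))  # new setting wins
    print(timedelta(days=1, hours=6).seconds)                       # sub-day part only
    print(to_seconds(timedelta(days=1, hours=6)))                   # full duration
```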

Re: Vendoring Select2

2017-12-16 Thread Dylan Reinhold
Mithlesh,
The Django project web site has a page about how to contribute:
https://code.djangoproject.com/#Gettinginvolved


On Sat, Dec 16, 2017 at 5:35 PM, Mithlesh Kumar <
mithlesh.kumar.4...@gmail.com> wrote:

> Hi,
>
> I'm very new to Open Source. I like to contribute to `Django`. How can I
> do so ?
>
> Thanks
> Mithlesh K
>


Re: Introduction as a new member to django contributions mailing list

2019-01-26 Thread Dylan Reinhold
On the project home page https://www.djangoproject.com/  it has the link on
how to contribute.

https://docs.djangoproject.com/en/dev/internals/contributing

If you have a specific question feel free to ask, but this is a good
starting point.

Dylan

On Sat, Jan 26, 2019 at 10:51 AM Yemdjih Kaze Nasser 
wrote:

> Hello
> My names are Yemdjih Kaze Nasser and I am new to the mailing list and I
> would like to contribute the django organisations.
> Please can how can I get started
>


Re: Please help me to find this page

2022-01-18 Thread Dylan Reinhold
https://docs.djangoproject.com/en/dev/intro/contributing/

On Tue, Jan 18, 2022 at 10:08 AM Mariusz Felisiak <
felisiak.mari...@gmail.com> wrote:

> See docs/intro/contributing.txt
> 
>


Re: Blocking disposable or temporary email addresses

2022-05-11 Thread Dylan Reinhold
You will never be able to define a "disposable or temporary" email address
or provider, so it's a non-starter from my perspective.

Dylan

On Wed, May 11, 2022 at 2:21 PM Yonas 
wrote:

> Hi,
>
> Hope everyone is doing well!
>
> What does the community think about adding a feature to Django where
> disposable or temporary emails are not accepted during account registration?
>
> Best,
> Yonas
>


Re: Should Django use Ada?

2024-04-01 Thread Dylan Reinhold
I always wonder why people feel the need to belittle others' work with
statements like "But Python, being maintained mostly by volunteers, did
the minimum needed work to fix the vulnerability without really fixing the
urlparse library properly."
But then add something about their time being too valuable to work on
making it better.


Dylan


On Mon, Apr 1, 2024 at 1:37 PM 'Michael Lissner' via Django developers
(Contributions to Django itself)  wrote:

> Hi all,
>
> A few years ago, I reported a vulnerability in Django because Python
> wasn't parsing URLs containing tabs or newlines correctly. In this ticket,
> it was fixed in Python:
>
> https://bugs.python.org/issue43882
>
> But Python, being maintained mostly by volunteers, did the minimum needed
> work to fix the vulnerability without really fixing the urlparse library
> properly.
>
> This means that it's probably still possible to send a URL to django that
> urlparse doesn't know how to handle. When this happens:
>
> 1. It could still be a vulnerability.* If this is the case, Django could
> redirect people to domains where it shouldn't.
>
> 2. It could fail to parse the URL properly, leading to the wrong URL being
> provided to the user.
>
> 3. urlparse could decide it's an invalid URL even though it's not.
>
> This is all pretty bad, but there is some hope in the form of a tool
> called Ada, which aims to actually support URL parsing properly:
>
> Homepage: https://www.ada-url.com/
> Github (more useful, really): https://github.com/ada-url/ada
>
> It's written in C++, is used in Node and Cloudflare Workers. It has
> bindings for Python, Rust, R, and Go. It's licensed under MIT and Apache
> License 2.0. It's fuzzed by Google OSS Fuzzer, and it's much faster than
> urlparse.
>
> I'm curious: Would Django consider switching to this library? I'm not sure
> if I'll have time to do the work, but I can at least open an issue if it's
> a useful switch to make, and I might be able to assign a developer to it if
> this is something we want.
>
> Love to hear thoughts,
>
> Mike
>
>
> * I'm posting this publicly because this kind of vulnerability is really
> well known these days, and exists across most general-purpose languages.
> URLs are just very difficult to parse properly.
>
>
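
An added example, not from the thread and not Django's code: a redirect-target check that refuses URLs containing tabs, newlines or other control characters before they reach urlsplit, so the decision does not depend on how the parser treats those characters. The function names and the allowed-host set are assumptions.

```python
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def has_control_or_space(url):
    """True if the URL contains ASCII control characters, space or DEL."""
    return any(ord(ch) <= 0x20 or ord(ch) == 0x7F for ch in url)


def is_safe_redirect(url, allowed_hosts):
    """Return True only for same-site paths or http(s) URLs on allowed hosts."""
    # Refuse anything a lenient parser might silently strip or reinterpret.
    if not url or has_control_or_space(url) or "\\" in url:
        return False
    try:
        parts = urlsplit(url)
    except ValueError:  # for example a malformed IPv6 literal
        return False
    if not parts.scheme and not parts.netloc:
        # Relative reference: accept absolute paths only, never "//host".
        return url.startswith("/") and not url.startswith("//")
    if parts.scheme not in ALLOWED_SCHEMES:
        return False
    return parts.hostname in allowed_hosts


if __name__ == "__main__":
    hosts = {"example.com"}  # constructed allow-list for illustration
    for candidate in ("/accounts/profile/", "https://example.com/next",
                      "https://example.com\t/next", "//other.example/x"):
        print(repr(candidate), is_safe_redirect(candidate, hosts))
```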
