On Tuesday, November 29, 2016 06:12:30 PM you wrote:
> Hi Scott,
> 
> This looks good to me, although I did notice three changes that I'd
> expect to be documented in debian/changelog:
> 
> debian/patches/CVE-2015-5144.patch is updated in a way that looks
> reasonable.
> 
> debian/patches/CVE-2015-596x.patch has a change that seems a little
> gratuitous. Was this intentional, and/or am I mistaken?
> 
> debian/patches/file-encoding.diff is updated in a way that looks
> reasonable.

These are a result of upstream changes in the area around where the patch 
touched.  As an example, in the 596x.patch, this hunk (and the one after):

+@@ -225,12 +225,18 @@
  
-     .. method:: flush
+     .. method:: flush()
  
 -      Delete the current session data from the session and regenerate the
 -      session key value that is sent back to the user in the cookie. This is

comes from upstream commit 6bf05c0267b388bdf6f2bda6f1915c1ac8a02b35 that was 
included in django 1.6.2.  These aren't separately documented because they are 
part of the upstream update, which is.

> Did you intend to update these, or did the updates come from somewhere
> else?

Everything that's in here is based on either the upstream changes 1.6.2 - 
1.6.11 or the Ubuntu security patches.  I actively avoided using any 
imagination on this.

> Do you have an opinion on quilt refreshes? These seem a little
> gratuitous too, adding a bunch of noise that makes it harder to spot
> real changes. https://wiki.debian.org/UsingQuilt recommends "-p ab --no-
> timestamps --no-index" and I prefer to see only quilt refreshes where
> they are needed to reduce review diff noise.

Since, given Django's history, we are virtually certain to have more security 
updates in the future, I considered it better to refresh everything once and 
have it apply cleanly now.  While, as you say, it does increase the review 
this time, it will make it easier and lower risk in the future.

Maybe I've just read enough of these, but skipping over the noise is something 
I tend to just do and it hadn't occurred to me to do anything other than 
quilt's default.  I'll keep that in mind for the future.

> I appreciate that you've been doing this kind of thing far longer than I
> have, so if it is all intentional, then +1 to accept to Trusty - just
> let me know.

Thanks.  I think it'll be good to get this in.

Scott K

https://bugs.launchpad.net/bugs/1644346

Title:
  SRU update Trusty to Python Django 1.6.11

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs