[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Adding Django 4.2 LTS
|
From: |
Maxim Cournoyer |
|
Subject: |
Re: Adding Django 4.2 LTS |
|
Date: |
Sun, 30 Jul 2023 22:13:44 -0400 |
|
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux) |
Hi,
Luis Felipe <sirgazil@zoho.com> writes:
> Hi,
>
> I've been using Django 4.2.2 from my personal Guix channel for a
> couple of days and it seems to work alright, so I'd like to send a
> patch to include it in Guix, although I have some questions first.
>
> 1. python-asgiref >= 3.6.0 and < 4 is a requirement for Django 4.2 LTS
> series, there is a patch for it already
> (https://issues.guix.gnu.org/61543), it builds, doesn't appear to have
> known vulnerabilities and Django 4.2.2 works with it. Would it be okay
> to add it to Guix until someone else packages the latest version
> (3.7.2, but it currently fails to build for me: sanity-check
> DistributionNotFound or something)?
This usually means one of the inputs of the package doesn't have a
compatible version. Please check which one it is (the Python error
message should contain that information).
> 2. "guix lint python-django@4.2.2" says this version of DJango might
> be vulnerable to CVE-2023-31047 but reading the CVE description
> version 4.2.2 doesn't seem to be affected. Is there anything I should
> do regarding this warning?
If you are absolutely sure about that you could add a 'lint-hidden-cve'
property to the package definition.
> 3. Guix currently distributes versions of Django that no longer
> receive security updates or bug fixes. For example,
> python-django@4.0.7, python-django@3.1.14, python-django@2.2.28 (see
> https://www.djangoproject.com/download/). Should they be removed?
They should be upgraded to the latest available version (the old
versions shouldn't be kept around).
--
Thanks,
Maxim
- Re: Adding Django 4.2 LTS,
Maxim Cournoyer <=