[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#932960: python-django don't fix CVE and drop Python 2 support at the same time



Source: python-django
Control: found -1 python-django/2:2.2.3-5
Severity: important
User: debian-ci@lists.debian.org
Usertags: breaks
X-Debbugs-CC: debian-ci@lists.debian.org
Affects: django-maintenancemode django-restricted-resource
Affects: django-tables django-testscenarios factory-boy lava
Affects: python-django python-django-debug-toolbar python-django-mptt
Affects: python-sparkpost django-sekizai

Dear maintainers,

Your package is trying to fix a CVE, but at the same time dropping
Python 2 support. There is a multitude of packages that need updating
for that because they (test-) depend on python-django. I think it is
smart to revert the Python 2 removal and have the security fix migrate
to testing. I don't want to judge the severity of the CVE, but otherwise
I recommend to remove python-django from testing until all the fall-out
has been fixed.

With a recent upload of python-django the autopkgtest of the packages in
Affects: fail in testing when that autopkgtest is run with the binary
packages of python-django from unstable. It passes when run with only
packages from testing.

Currently this regression is blocking the migration of python-django to
testing [1], but otherwise the second part of britney would have blocked
migration due to non-installability reasons.

Paul

PS: I failed to spot bugs against (some of) those packages communication
the removal, I think that would be nice for those maintainers.

Attachment: signature.asc
Description: OpenPGP digital signature


Reply to: