
Re: [SECURITY] [DLA 590-1] python-django security update



On Tue, Aug 09, 2016 at 08:57:24PM +1000, Brian May wrote:
> > ah, CVE-2016-6186! :-) That "magic string" should have been part of your
> > announcement and of course that's very easy to say now.
> ... except CVE-2016-6186 had already been fixed by DLA 555-1 for Django
> version 1.4.5-1+deb7u17 - so it seemed pointless referring to a CVE that
> had already been fixed.

so I need to read the upstream changelog between 1.4.5 and 1.4.22 to
find out why?

I agree that I probably don't care this much and I believe a DLA stating
"this updates python-django from 1.4.5 to 1.4.22 fixing various
security issues, for details please check the upstream changelog $here"
would have been enough.

I guess what "annoys" me most about [DLA 590-1] is that the only
reasoning given is the _resulting action_ of something else, quote: "release
team recently approved rebasing jessie on latest python-django 1.7.x (see
#807654)" and then #807654 is about the 1.7 branch only, without stating
these bugs are (all or just some?) also affecting 1.4…

> I was considering sending the text here and asking for help. This would
> have delayed the DLA by up to 24 hours however, my experience has been
> that people get upset fast if the DLA isn't sent immediately.
> 
> I think in future I will just delay the DLA anyway.

why not delay the upload? this issue (or issues?) hasn't been fixed in jessie yet &
hasn't been considered so urgent as to require an upload via
jessie-security.


I'm sorry I contributed to making your first DLA such an unpleasant
activity. My only purpose here is to improve future DLAs.

-- 
cheers,
	Holger
