Re: [SECURITY] [DLA 590-1] python-django security update
On Tue, 09 Aug 2016, Holger Levsen wrote:
> so I need to read the upstream changelog between 1.4.5 and 1.4.22 to
> find out why?
This update does fix bugs but not security bugs that would have warranted
a DLA on their own... it's just easier for us to work on the latest 1.4.x
release and makes our patch more useful for other 1.4.x users.
> I guess what "annoys" me most about [DLA 590-1] is that the only
> reasoning given is the _resulting action_ of something else, quote: "release
> team recently approved rebasing jessie on latest python-django 1.7.x (see
> #807654)" and then #807654 is about the 1.7 branch only, without stating
> these bugs are (all or just some?) also affecting 1.4…
The reasons I gave to the release team to update jessie to latest 1.7.x
also apply to update wheezy to latest 1.4.x. They are not about specific
issues but they are about maintainability of Django during the lifetime
of our releases.
> I'm sorry I contributed to making your first DLA such an unpleasant
> activity. My only purpose here is to improve future DLAs.
It's not Brian's first DLA… he has been working in the LTS team for
multiple months already.
That said, if I had done this myself, I would have probably prepared
the update in git and would have waited for the next security issue to release
the 1.4.22 update at the same time.
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/