Request to upgrade DJango
ayoung at redhat.com
Fri Apr 20 13:42:26 UTC 2012
On 04/19/2012 09:56 PM, Stephen Gallagher wrote:
> On Tue, 2012-04-17 at 20:10 +0200, Matthias Runge wrote:
>> On 17/04/12 19:43, Adam Young wrote:
>>> While looking into EPEL support for Openstack, we came across the issue
>>> that EPEL ships with 1.2.7 and Openstack expects 1.3. Upon looking at
>>> I see that one of the major differences is protection against XSRF. This
>>> alone is sufficient reason to upgrade.
>>> Installing an RPM from the Sourceforge site worked well with Openstack,
>>> so it seems to fit our needs as well.
>>> Are there any objections to upgrading EPEL's version of Django To the
>> Umh, my fault. I'm planning to upgrade django for epel6 to version 1.3.x
>> since two weeks now; sadly, real life kept me really busy.
>> There have been some requests to upgrade to version 1.4 (to skip 1.3.x).
>> I'm aware of at least one application, which would break, if we upgrade
>> to django-1,4: reviewboard.
>> So, I'd do an update to django-1.3.1 in the next few days. An additional
>> reason to upgrade is, that django developers only support the two latest
>> versions, so 1.2.7 is not actively maintained any more.
> Yes, ReviewBoard currently cannot work with Django 1.4. This is a known
> issue and last I heard probably won't be fixed until ReviewBoard 1.7.0
> (not yet in beta release).
> However, now that your 1.3.1 packages are in updates-testing, I have
> been able to package up ReviewBoard 1.6.5 which requires Django 1.3, so
> thanks for that. :) There are a lot of improvements in the 1.6.x series
> that I think people will like.
> epel-devel-list mailing list
> epel-devel-list at redhat.com
One caveat. Any DJango app (Probably most Python wsgi apps, actually)
is going to give an AVC Denial warning upon startup. DJango imports
Python's UUID module which in turn imports ctypes. Ctypes does dynamic
code generation, specifically by writing a file andd then trying to
execute it, which, as you can imagine, is a pretty big security hole.
Let the wsgi community know that, until we have that fixed, we should
not attempt to get rid of the AVC denial warning message, but instead
should push on the Python upstread to get a fix in. Yes, David Malcolm
is aware of it.
By not allowing this action, the UUID generation code becomes inactive,
but DJango continues to function normally. For ReviewBoard, and most
apps, this is acceptable.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the epel-devel-list