SRU update Trusty to Python Django 1.6.11
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
python-django (Ubuntu) | Invalid | Medium | Unassigned |
Trusty | Fix Released | Medium | Unassigned |
Bug Description
[Impact]
* Between Django 1.6.1 and 1.6.11 upstream did considerable non-security bug fixing that it would be good to be able to take advantage of. Since 1.6.11 is the terminal upstream release in the 1.6 branch, this is a one-time request.
* Many projects are not ready to move to a newer Django version (as some porting is required) and will remain on Trusty for some time to come. We should provide users with the best package we can.
[Test Case]
* Upstream provides an extensive test suite (in fact many additional tests are provided in 1.6.11 over what 1.6.1 shipped) that is run during package build [1]. If any tests fail, the package build will fail. Execution of the test suite should be considered an adequate test.
* If the package built, the test is complete.
[Regression Potential]
* Regression potential is low. Upstream is focused on limiting changes in the release branch to needed bug fixes, and when regressions were identified during 1.6 maintenance, new releases were produced to repair the regression. Upstream has guidelines similar to those used by Ubuntu SRU for maintenance updates [2].
* I'm involved in a project that had been running the trusty-security version of python-django 1.6.1 and upgraded to this proposed package without issue. We've been running it in production for several weeks with no issue noted.
* Despite the test suite coverage, this is a complex package so the SRU is not risk free, but the combination of the build time tests and our experience with the package in production leads me to think issues are unlikely. Additionally, I did some Googling and did not find any unresolved regression issues (and this is an old enough release that I think I'd have found it if it were an issue).
[Other Info]
* The diff is large. Much of the diff is conversion of Ubuntu security patches to upstream source for issues that were fixed in 1.6.2 - 1.6.11. I have reviewed the entire diff and don't see any new features.
[1] https:/
[2] https:/
Changed in python-django (Ubuntu):
status: New → In Progress
importance: Undecided → Medium
Changed in python-django (Ubuntu Trusty):
importance: Undecided → Medium
status: New → In Progress
Hi Scott,
This looks good to me, although I did notice three changes that I'd expect to be documented in debian/changelog:
* debian/patches/CVE-2015-5144.patch is updated in a way that looks reasonable.
* debian/patches/CVE-2015-596x.patch has a change that seems a little gratuitous. Was this intentional, and/or am I mistaken?
* debian/patches/file-encoding.diff is updated in a way that looks reasonable.
Did you intend to update these, or did the updates come from somewhere else?
Do you have an opinion on quilt refreshes? These seem a little gratuitous too, adding a bunch of noise that makes it harder to spot real changes. https://wiki.debian.org/UsingQuilt recommends "-p ab --no-timestamps --no-index" and I prefer to see only quilt refreshes where they are needed to reduce review diff noise.
I appreciate that you've been doing this kind of thing far longer than I have, so if it is all intentional, then +1 to accept to Trusty - just let me know.
Thanks!
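The reviewer's point about quilt refresh noise, as an added example that is not part of the bug report or of the python-django package: a small POSIX sh check that counts the "Index:" lines and timestamped headers a plain "quilt refresh" emits (and "-p ab --no-timestamps --no-index" does not), and tells a noise-only refresh apart from a refresh that also changed a hunk. The file path and patch contents are constructed.

```shell
#!/bin/sh
# Added example, not code from the bug report: separate a cosmetic "quilt refresh"
# (only Index: lines and ---/+++ timestamps changed) from a real patch change, so
# the reviewer sees the hunks that matter. The sample patches are constructed.
set -e
# Count the refresh noise in a patch: "Index:" lines and timestamped headers,
# i.e. what "quilt refresh -p ab --no-timestamps --no-index" would not emit.
patch_noise_lines() {
    grep -cE '^(Index: |(---|[+]{3}) [^[:space:]]+[[:space:]]+[0-9]{4}-[0-9]{2}-[0-9]{2})' "$1" || true
}
# Print the patch with that noise removed, so two revisions can be compared.
patch_normalize() {
    sed -E -e '/^Index: /d' -e '/^={3,}$/d' \
        -e 's/^((---|[+]{3}) [^[:space:]]+)[[:space:]]+[0-9]{4}-[0-9]{2}-[0-9]{2}.*$/\1/' "$1"
}
# Succeeds when two patch files differ only in refresh noise.
patch_refresh_is_cosmetic() {
    [ "$(patch_normalize "$1")" = "$(patch_normalize "$2")" ]
}

WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
TAB=$(printf '\t')
NOISY="$WORK/noisy.patch"; CLEAN="$WORK/clean.patch"; REAL="$WORK/real.patch"
# Constructed: a fix as written by a plain "quilt refresh" (hypothetical file path).
cat > "$NOISY" <<EOF
Index: django/example.py
===================================================================
--- a/django/example.py${TAB}2014-03-01 10:00:00.000000000 +0000
+++ b/django/example.py${TAB}2015-07-01 12:00:00.000000000 +0000
@@ -1,2 +1,2 @@
 import sys
-VERSION = (1, 6, 1)
+VERSION = (1, 6, 11)
EOF
# Constructed: the same fix refreshed with "-p ab --no-timestamps --no-index".
cat > "$CLEAN" <<EOF
--- a/django/example.py
+++ b/django/example.py
@@ -1,2 +1,2 @@
 import sys
-VERSION = (1, 6, 1)
+VERSION = (1, 6, 11)
EOF
# Constructed: a refresh that also changed the hunk itself (a real change).
sed 's/(1, 6, 11)/(1, 6, 2)/' "$CLEAN" > "$REAL"

echo "noise lines in noisy.patch: $(patch_noise_lines "$NOISY")"   # 3
patch_refresh_is_cosmetic "$NOISY" "$CLEAN" && echo "noisy vs clean: cosmetic only"
patch_refresh_is_cosmetic "$NOISY" "$REAL" || echo "noisy vs real: content changed"
```

Running patch_refresh_is_cosmetic over the old and new copy of each debian/patches file shows at a glance which refreshes carry a real change and need a changelog entry.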