Comment 2 for bug 1644346

Scott Kitterman (kitterman) wrote : Re: [Bug 1644346] Re: SRU update Trusty to Python Django 1.6.11

On Tuesday, November 29, 2016 06:12:30 PM you wrote:
> Hi Scott,
>
> This looks good to me, although I did notice three changes that I'd
> expect to be documented in debian/changelog:
>
> debian/patches/CVE-2015-5144.patch is updated in a way that looks
> reasonable.
>
> debian/patches/CVE-2015-596x.patch has a change that seems a little
> gratuitous. Was this intentional, and/or am I mistaken?
>
> debian/patches/file-encoding.diff is updated in a way that looks
> reasonable.

These are a result of upstream changes in the area around where the patch
touched. As an example, in the 596x.patch, this hunk (and the one after):

+@@ -225,12 +225,18 @@

- .. method:: flush
+ .. method:: flush()

 - Delete the current session data from the session and regenerate the
 - session key value that is sent back to the user in the cookie. This is
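Review bot: the only change in this hunk is the RST signature `.. method:: flush` becoming `.. method:: flush()`, a documentation-only refresh with no security content, yet it sits inside debian/patches/CVE-2015-596x.patch; a one-line debian/changelog entry stating that the CVE patches were refreshed against the upstream 1.6.x context would let a reviewer distinguish this kind of drift from the fix itself without having to trace each hunk back to an upstream commit.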

comes from upstream commit 6bf05c0267b388bdf6f2bda6f1915c1ac8a02b35 that was
included in django 1.6.2. These aren't separately documented because they are
part of the upstream update, which is.

> Did you intend to update these, or did the updates come from somewhere
> else?

Everything that's in here is based on either the upstream changes 1.6.2 -
1.6.11 or the Ubuntu security patches. I actively avoided using any
imagination on this.

> Do you have an opinion on quilt refreshes? These seem a little
> gratuitous too, adding a bunch of noise that makes it harder to spot
> real changes. https://wiki.debian.org/UsingQuilt recommends "-p ab --no-
> timestamps --no-index" and I prefer to see only quilt refreshes where
> they are needed to reduce review diff noise.

Since, given Django's history, we are virtually certain to have more security
updates in the future, I considered it better to refresh everything once and
have it apply cleanly now. While, as you say, it does increase the review
this time, it will make it easier and lower risk in the future.

Maybe I've just read enough of these, but skipping over the noise is something
I tend to just do and it hadn't occurred to me to do anything other than
quilt's default. I'll keep that in mind for the future.

> I appreciate that you've been doing this kind of thing far longer than I
> have, so if it is all intentional, then +1 to accept to Trusty - just
> let me know.

Thanks. I think it'll be good to get this in.

Scott K
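The quoted reviewer's point about quilt refresh noise is that patch headers carry material (Index: lines, separator rows, timestamps, tarball-specific path prefixes) that changes on every refresh and hides the real hunk changes. As an added example, not part of this bug thread or of the Django or Ubuntu packaging, the POSIX shell function below normalises a quilt-style patch to what `quilt refresh -p ab --no-timestamps --no-index` would have written, so two revisions of a debian/patches file can be diffed for substance. The sample patch it writes is constructed for the demo; its paths and timestamps are made up.

```shell
#!/bin/sh
# Added example: normalise a quilt-refreshed patch so header noise drops out
# before a reviewer diffs the old patch against the refreshed one.

# strip_patch_noise [FILE]  (reads stdin when no FILE is given)
# Removes "Index:" lines and "===" separators, cuts timestamps off the
# ---/+++ headers, and rewrites the leading "pkg.orig/" and "pkg/" path
# components to "a/" and "b/". /dev/null headers are left untouched.
strip_patch_noise() {
    sed -e '/^Index: /d' \
        -e '/^===============/d' \
        -e 's/^\(--- [^[:space:]]*\)[[:space:]].*$/\1/' \
        -e 's/^\(+++ [^[:space:]]*\)[[:space:]].*$/\1/' \
        -e 's|^--- [^/[:space:]]\{1,\}/|--- a/|' \
        -e 's|^+++ [^/[:space:]]\{1,\}/|+++ b/|' \
        "$@"
}

# make_sample_patch FILE: writes a constructed patch in quilt's default
# header style (Index:, separator, tab-separated timestamps, .orig prefix).
make_sample_patch() {
    tab=$(printf '\t')
    {
        printf '%s\n' "Index: django-1.6.1/docs/topics/http/sessions.txt"
        printf '%s\n' "==================================================================="
        printf '%s\n' "--- django-1.6.1.orig/docs/topics/http/sessions.txt${tab}2016-11-29 18:12:30.000000000 +0000"
        printf '%s\n' "+++ django-1.6.1/docs/topics/http/sessions.txt${tab}2016-11-29 18:12:31.000000000 +0000"
        printf '%s\n' "@@ -225,12 +225,18 @@"
        printf '%s\n' "-    .. method:: flush"
        printf '%s\n' "+    .. method:: flush()"
    } > "$1"
}

# Usage: normalise two revisions of a patch, then diff the normalised copies.
#   strip_patch_noise old/CVE-xxxx.patch > /tmp/old.norm
#   strip_patch_noise new/CVE-xxxx.patch > /tmp/new.norm
#   diff -u /tmp/old.norm /tmp/new.norm
```

Run on the sample, the function leaves only the `--- a/...`, `+++ b/...`, hunk header and the two changed lines, which is exactly the part a security reviewer needs to read.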