#462 Proposal: Allow Django 1.2.2 Security Release Without 1 Week Testing
Closed None Opened 13 years ago by smilner.

= Proposal topic =
Allow Django 1.2.x security update to go to stable before the 1 week Fedora waiting period. Per https://fedoraproject.org/wiki/Package_update_acceptance_criteria I'm requesting FESCo look and either approve or deny this request.

I do not believe this is classified as a critical path package.

= Overview =
{{{
Today the Django team is issuing a new release -- Django 1.2.2 -- to remedy a
security issue reported to us. This issue was disclosed independently by two
different parties, and all users of Django 1.2 are urged to upgrade immediately.
}}}
Source: http://www.djangoproject.com/weblog/2010/sep/08/security-release/

Packages:
* https://admin.fedoraproject.org/updates/Django-1.2.2-1.fc14
* https://admin.fedoraproject.org/updates/Django-1.2.2-1.fc13
* https://admin.fedoraproject.org/updates/Django-1.2.2-1.fc12

= Problem space =
As stated in the above link, this security issue was released to the public before it was fixed. This did not allow packagers time to go through the normal channels of release prep before disclosure.

Since Bodhi enforces the 1 week waiting period or karma, I currently see the following note when requesting stable:

{{{This update has not yet met the minimum testing requirements defined in the Package Update Acceptance Criteria}}}

I thought about lowering the Karma to 0 or 1 and then stating it works for me, but I feel that would be attempting to use a loophole rather than following the established process.

= Solution Overview =
Since the issue is public and a fix is available, it seems like it would be proper to release a fixed package as soon as reasonably possible. No one other than myself has publicly tested the packages listed above, as noted by the karma in Bodhi. I myself have tested it with a few of my development projects and didn't have any issue (all on F13).

= Active Ingredients =
Anyone using the Django 1.2.x series. This is Fedora 12-Rawhide. EL5 packages are not affected as it is 1.1.x.

= Owners =
* Steve Milner


Several notes:

  • It seems like it might be possible to get enough folks to test this so it goes to stable? Try in #fedora-qa on irc, and/or a post to the test list?

  • We have a bad record of acting on tickets outside of fesco meetings. ;( This makes me sad, but given that it's Friday, I don't know if we could get enough fesco people voting on this to matter. (I would love to be proven wrong).

  • Update pushes are typically not done over weekends, so the soonest this would push anyhow is Monday. ;(

  • Adding some test method to the updates would also likely increase the number of people who can/are willing to test it.

Thanks for the fast response. A lot of the folks who normally do testing are at DjangoCon in Portland right now (DOH!). I'll see if I can drum up testers through #fedora-qa. I've already put a request out on Twitter and Identi.ca.

Looks like the f12/f13 updates have already gotten enough karma to go to stable.
F14 is waiting on one more positive karma. ;)

Hopefully they will all go out Monday, no need for an exception.

Shall we go ahead and close this now?

Yes, this can be closed. Thank you so much for the help!
