On Thu, Aug 29, 2024 at 01:51:27PM +0200, Paul Gevers wrote:
>On 28-08-2024 13:58, Steve McIntyre wrote:
>
>> That does very much look like a test with broken assumptions, I'll be
>> honest. Ah, I see...
>>
>> I can see that Josh Schneier (the upstream for django-storages) is the
>> person responsible for the CVE against django in the first place - he
>> spotted the issue and reported it. In
>>
>>   https://github.com/jschneier/django-storages/commit/330966293a74f2dabda18fa2e4a221952bf010a9
>>
>> there's a fix on his side to cope with the django change. It looks
>> like we'll want that change backporting into python-django-storages. I
>> can try to do that too if you like, but I appreciate we're getting
>> very tight on time before the weekend. :-/
>
>I'm not SRM, just trying to help out with the autopkgtest infrastructure and
>results. I'm predicting that SRM might not want a fixed
>python-django-storages this late, so I think it would help if you can advise
>the SRM: do you think the regression is less bad than leaving the CVEs
>unfixed or the other way around? I.e. accept the regression, or keep the
>fixed python-django out until the next point release (with a fixed
>python-django-storages).
I've already spent some time looking at this, and in fact there are
*already* changes in our version of django-storages that are clearly
expected to work with the fixes in django. But they're not. I'm digging
in further to see whether it's something I've done or a wider bug. I
don't *think* it's my fault, but stranger things have happened!

At this point, I would say let's be safe and hang back on the django
update this - it will wait for the next point release.

-- 
Steve McIntyre, Cambridge, UK.                                st...@einval.com
"The problem with defending the purity of the English language is that
 English is about as pure as a cribhouse whore. We don't just borrow words;
 on occasion, English has pursued other languages down alleyways to beat
 them unconscious and rifle their pockets for new vocabulary."
   -- James D. Nicoll