On Thu, Aug 29, 2024 at 01:51:27PM +0200, Paul Gevers wrote:
>On 28-08-2024 13:58, Steve McIntyre wrote:
>
>> That does very much look like a test with broken assumptions, I'll be
>> honest. Ah, I see...
>> 
>> I can see that Josh Schneier (the upstream for django-storages) is the
>> person responsible for the CVE against django in the first place - he
>> spotted the issue and reported it. In
>> 
>>    https://github.com/jschneier/django-storages/commit/330966293a74f2dabda18fa2e4a221952bf010a9
>> 
>> there's a fix on his side to cope with the django change. It looks
>> like we'll want that change backporting into python-django-storages. I
>> can try to do that too if you like, but I appreciate we're getting
>> very tight on time before the weekend. :-/
>
>I'm not SRM, just trying to help out with the autopkgtest infrastructure and
>results. I'm predicting that SRM might not want a fixed
>python-django-storages this late, so I think it would help if you can advise
>the SRM: do you think the regression is less bad than leaving the CVE's
>unfixed or the other way around? I.e. accept the regression, or keep the
>fixed python-django out until the next point release (with a fixed
>python-django-storages).

I've already spent some time looking at this, and in fact there are
*already* changes in our version of django-storages that are clearly
expected to work with the fixes in django. But they're not. I'm
digging in further to see whether it's something I've done or a wider
bug. I don't *think* it's my fault, but stranger things have
happened!

At this point, I would say let's be safe and hang back on the django
update - it will wait for the next point release.

-- 
Steve McIntyre, Cambridge, UK.                                st...@einval.com
"The problem with defending the purity of the English language is that
 English is about as pure as a cribhouse whore. We don't just borrow words; on
 occasion, English has pursued other languages down alleyways to beat them
 unconscious and rifle their pockets for new vocabulary."  -- James D. Nicoll