On 25/07/2019 15:45, Paul Gevers wrote:
>> Can you elaborate? I'm a little distracted by DebConf stuff but I
>> can't seem to grok what you mean here specifically.
> 
> https://qa.debian.org/excuses.php?package=python-django says this upload
> will fix bug #931316 in testing. That bug is about CVE-2019-12781.
> Testing has not seen the fix yet, and due to the dropping of Python 2,
> it will take time before it does, as python-django can not migrate
> before reverse dependencies are fixed or removed.

That is just the excuses script's auto-generated output; I think you
might be reading too much into it. It is a true statement that when the
package makes it into testing, that bug will be fixed, unless I am
misunderstanding something.

The migration happened in a previous upload[1]:
 python-django (2:2.2.3-2) unstable; urgency=medium

   * Upload (Python 3.x-only) branch to unstable after the release of
     Debian "buster".
   * Update debian/gbp.conf to refer to debian/sid after merge.

… so we did not drop Python3 just for a security update, despite this
bug's title.

> The latter isn't very
> nice for your reverse dependencies if you didn't give them proper
> heads-up. The former isn't nice for the python-django users of testing.

I do recall the discussion Chris mentioned, although I admit I can't
find the thread at the moment. (I'm also a bit busy with DebConf)

Note that testing is explicitly not recommended for those that care
about security support[2][3].

[1]: https://tracker.debian.org/news/1042323/accepted-python-django-2223-2-source-all-into-unstable/
[2]: https://www.debian.org/security/faq#testing
[3]: https://wiki.debian.org/DebianTesting#Considerations

Cheers,
Luke Faraone
