Hi Luke,

On 25-07-2019 22:14, Luke Faraone wrote:
> On 25/07/2019 15:45, Paul Gevers wrote:
> That is just the excuses script's auto-generated output, I think you
> might be reading too much into it. It is a true statement that when the
> package makes it into testing, that bug will be fixed, unless I am
> misunderstanding something.

No, it's not "just the excuses script" output. It shows all relevant
differences between unstable and testing.

> The migration happened in a previous upload[1]:
>
> python-django (2:2.2.3-2) unstable; urgency=medium
>
>   * Upload (Python 3.x-only) branch to unstable after the release of
>     Debian "buster".
>   * Update debian/gbp.conf to refer to debian/sid after merge.
>
> … so we did not drop Python3 just for a security update, despite this
> bug's title.

Yes, it's true that all this didn't happen in one upload, but there are a
whole lot of uploads of python-django that didn't make it into testing
yet, so this changelog is also relevant:

python-django (1:1.11.22-1) unstable; urgency=medium

  * New upstream security release.
    <https://www.djangoproject.com/weblog/2019/jul/01/security-releases/>
    (Closes: #931316)

 -- Chris Lamb <la...@debian.org>  Mon, 01 Jul 2019 17:09:52 -0300

>> The latter isn't very
>> nice for your reverse dependencies if you didn't give them proper
>> heads-up. The former isn't nice for the python-django users of testing.
[...]
> Note that testing is explicitly not recommended for those that care
> about security support[2][3].

Yes, I know very well, but that doesn't mean we shouldn't try or care. In
this case I think the current situation could have been avoided by letting
1:1.11.22-1 migrate before the upload of the version with the Python 2
drop. Probably a day would have been enough. As Moritz just noted, this
CVE isn't particularly severe, so you can just bite the bullet. But please
inform your reverse dependencies ASAP, so that everyone can start working
on doing the required work. In my opinion, reverting to the pre-2 version
for a well-defined time to enable others to do their work isn't so bad
socially.

Paul