Django 1.3 and extensions.gnome.org

So, extensions.gnome.org is written as a Django application. And in
particular it's written against Django-1.3, which is the issue here.
It's not very hard for us to build a local version of Django and put it
in the gnome package repositories, but this brings up issues.

Compatibility
=============
We have (I think) three current apps using Django:

 tomboy-online.org (snowy): Runs on Django-1.2.6 on RHEL6, the code
  also has been tested on Django-1.3 and works.

 shell-perf.gnome.org: small, unimportant, currently running on
  Django-1.2.6 on webapps.gnome.org, could presumably be ported to
  Django-1.3 without problem.

 l10n.gnome.org (damned-lies): runs on progress.gnome.org, which is
  not part of the main gnome.org cluster and runs Ubuntu 10.4 LTS
  with Django-1.1.2.

As well as a Django version of Mango in development, but not yet
deployed.

Security
========

My main concern with a locally-built version of Django is we need to
rebuild it when security issues are found in Django, and we're just not
set up to do that. (*) Django definitely does have security updates - in
the last 2 years, there seem to be:

https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/
https://www.djangoproject.com/weblog/2011/feb/08/security/
https://www.djangoproject.com/weblog/2010/dec/22/security/
https://www.djangoproject.com/weblog/2010/sep/08/security-release/

The impact of these is a little hard to evaluate - the typical thing
seems to be a XSS or CSRF vulnerability that is exploitable with some
configurations and applications, but not with others. But it's not too
hard to imagine that a more generic XSS/CSRF vulnerability might show
up.

Conclusion
==========

The safest thing seems to be to just downgrade the e.g.o code to
Django 1.2, where we'll inherit security updates from EPEL; it's going
to be a few days of unpleasant work, but shouldn't be fundamentally
hard. But if people have ideas about how we can switch to Django 1.3,
that would definitely be interesting.

- Owen

(*) What I'd like to see is us having a monitoring framework that was
    flexible enough for us to plug in things like checking the Django
    web feeds, and then to have a single curated status page for
    the most critical items, like this or keeping our SSL certs current.
    Pretty blue-sky.
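One way to make the feed check in the footnote concrete, as an added example that is not part of Owen's message or of any GNOME tooling: it parses a constructed RSS sample shaped like the Django weblog feed (the feed URL in the comment is an assumption) and flags security posts that name a fix newer than the deployed Django on the same release branch, or that name no version on that branch at all, so an operator can review those by hand.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the Django weblog RSS feed. The real
# feed URL (https://www.djangoproject.com/rss/weblog/) is an assumption;
# fetch it with urllib and pass the bytes in place of this string.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>The Django weblog</title>
<item><title>Security releases issued</title>
<link>https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/</link>
<description>Django 1.2.7 and 1.3.1 fix several issues.</description></item>
<item><title>DjangoCon US 2011 wrap-up</title>
<link>https://example.invalid/djangocon</link>
<description>Conference report.</description></item>
<item><title>Security updates released</title>
<link>https://www.djangoproject.com/weblog/2011/feb/08/security/</link>
<description>Django 1.2.5 and 1.1.4 are now available.</description></item>
</channel></rss>"""

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)(?:\.(\d+))?\b")


def parse_version(s):
    """'1.2.6' -> (1, 2, 6); a bare '1.3' is treated as 1.3.0."""
    return tuple(int(p) if p else 0 for p in VERSION_RE.match(s).groups())


def security_advisories(feed_xml, deployed="1.2.6"):
    """Return (title, link, fix_version) for security posts relevant to `deployed`.

    fix_version is the newest fixed release on the deployed branch, or None
    when a security post names no release on that branch (manual review).
    Posts that only name releases we already run or exceed are skipped.
    """
    dep = parse_version(deployed)
    hits = []
    for item in ET.fromstring(feed_xml).iter("item"):
        title = item.findtext("title", "")
        text = title + " " + item.findtext("description", "")
        if "security" not in text.lower():
            continue  # not an advisory post
        fixes = [parse_version(m.group(0)) for m in VERSION_RE.finditer(text)]
        same_branch = [v for v in fixes if v[:2] == dep[:2]]
        newer = [v for v in same_branch if v > dep]
        if newer:
            hits.append((title, item.findtext("link"), ".".join(map(str, max(newer)))))
        elif not same_branch:
            hits.append((title, item.findtext("link"), None))
    return hits
```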