Django 3 End-of-life #262907

Open
4 of 6 tasks
mweinelt opened this issue Oct 23, 2023 · 14 comments · May be fixed by #324777
Labels
1.severity: security Issues which raise a security issue, or PRs that fix one 5. scope: tracking Long-lived issue tracking long-term fixes or multiple sub-problems 6.topic: python

Comments

@mweinelt
Member

mweinelt commented Oct 23, 2023

Hi everyone, Django package maintainer here 👋

With Django 3.2.x running out of support after 2024/04/01 we have to make a decision how to handle it in NixOS 23.11.

https://endoflife.date/django

My preference would be to remove it before branch-off, but I fully expect you have packages that still require it. For now, I want you to check with your upstreams if and how their Django 4 migration is going, so we can make an informed decision.

@alyssais
Member

I did some testing of Mailman with Django 4 last week, and it seems fine, but I want to do a little more testing.

@mweinelt mweinelt added the 1.severity: security Issues which raise a security issue, or PRs that fix one label Oct 23, 2023
alyssais added a commit to alyssais/nixpkgs that referenced this issue Oct 30, 2023
This reverts commit 84f6a67.

Mailman now supports Django 4.x.

Link: NixOS#262907
Ma27 added a commit to Ma27/nixpkgs that referenced this issue Oct 31, 2023
Related to NixOS#262907 (Django3 removal from nixpkgs).

This package already required an unreasonable amount of maintenance
regularly for such a small leaf-package. It has a few highly outdated
dependencies (e.g. flask 1, jinja2 2.11, sqlalchemy 1.3).

After at least each Python package-set update one had to fix up a lot of
dependencies to fix the package itself, so it was only useful on stable
branches. And having so much outdated software in a security-sensitive
piece of software seems questionable.

Finally, globin and I won't be available for maintaining this now that
Mayflower is migrating to another solution (and we'll do that as well)
and I'd expect this to bitrot extremely quickly if we both bail out.
@Ma27 Ma27 mentioned this issue Oct 31, 2023
13 tasks
yu-re-ka pushed a commit that referenced this issue Nov 9, 2023
This reverts commit 84f6a67.

Mailman now supports Django 4.x.

Link: #262907
@mweinelt
Member Author

mweinelt commented Mar 24, 2024

End of life has been pushed back to the end of April 2024. My plan for 24.05 is to keep django_3 around, but mark it with

  meta.knownVulnerabilities = [ "Django 3 has reached its end of life on 2024-04-30. And here some URL for context." ]

Also we seem to have two new consumers, since this issue was opened.

@greizgh
Contributor

greizgh commented Mar 25, 2024

> Also we seem to have two new consumers, since this issue was opened.
>
> * [ ]  seahub (@greizgh, @schmittlauch)

Thanks for the heads up. Upstream has updated to django4 but also dropped support for postgresql, which is the only db supported by the module 🙃. I don't have much bandwidth and am not sure about the future course of action for seafile module.

@mweinelt
Member Author

@siraben
Member

siraben commented Apr 4, 2024

Should I wait for it to hit PyPI or change the source to the GitHub?

@mweinelt
Member Author

mweinelt commented Apr 4, 2024

If you think it is too early we might have to live with transitive knownVulnerabilities. No strong opinion either way.

@siraben
Member

siraben commented Apr 4, 2024

Upstream says those CVEs aren't in their code path, and the package is unlikely security critical enough for us to chase pre releases, so I'll just leave it as is until pypi is updated.

@JohnRTitor JohnRTitor moved this to Blocked in 24.05 Blockers Apr 12, 2024
mweinelt added a commit to mweinelt/nixpkgs that referenced this issue May 21, 2024
Django 3 was supported until 2024-04-01, and we're taking it into NixOS
24.05 under the condition of people having to opt into its consumption.

Related: NixOS#262907
@mweinelt
Member Author

Will be marked vulnerable as of #313501, which will land in NixOS 24.05.
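
How the marking and opt-in discussed in this thread behave, as an added example that is not part of the thread or of nixpkgs: a stand-in package (`eolDemo`, named `eol-demo-1.0`, both hypothetical) carries `meta.knownVulnerabilities`, and the expression evaluates it with and without an entry in `permittedInsecurePackages`. It assumes `<nixpkgs>` resolves via `NIX_PATH` and that `NIXPKGS_ALLOW_INSECURE` is unset.

```nix
# eol-demo.nix -- added illustration, not code from nixpkgs or from this thread.
# Assumes <nixpkgs> resolves via NIX_PATH and NIXPKGS_ALLOW_INSECURE is unset.
let
  # Hypothetical stand-in for an end-of-life package such as django_3.
  # A non-empty meta.knownVulnerabilities marks the package as insecure.
  markEol = final: prev: {
    eolDemo = prev.runCommand "eol-demo-1.0" {
      meta.knownVulnerabilities = [
        "eol-demo 1.0 has reached its end of life (constructed notice)."
      ];
    } "touch $out";
  };

  # Explicit config and overlays, so per-user config files are not consulted.
  pkgsWith = config: import <nixpkgs> {
    inherit config;
    overlays = [ markEol ];
  };

  # Forcing drvPath runs the meta check; a refused package throws,
  # which tryEval turns into success = false.
  evaluates = config:
    (builtins.tryEval (pkgsWith config).eolDemo.drvPath).success;
in
{
  # No opt-in: nixpkgs refuses to evaluate the marked package.
  withoutOptIn = evaluates { };

  # Opt-in by full name (name plus version), the form a consumer puts
  # in nixpkgs.config.permittedInsecurePackages on NixOS.
  withOptIn = evaluates {
    permittedInsecurePackages = [ "eol-demo-1.0" ];
  };
}
```

Evaluate it with `nix-instantiate --eval --strict eol-demo.nix`. Because the check runs on every derivation that is forced, a package that depends on a marked one is refused as well until the marked dependency is permitted.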

@pyrox0
Member

pyrox0 commented May 29, 2024

For Baserow, it uses Django 4 in releases 1.22.2 and later, 4.1 in 1.22.3 and later. There's a lot of breaking changes between the currently packaged release (1.12.1) and these versions, so if upgraded, it should be mentioned in the release notes.

For Etebase, there was an issue opened at etesync/server#173, but there's been no comments or seemingly any movement on it since March.

@siraben
Member

siraben commented May 30, 2024

@mweinelt mweinelt moved this from Blocked to Deferred in 24.05 Blockers May 31, 2024
@tasn

tasn commented Jun 3, 2024

> For Etebase, there was an issue opened at etesync/server#173, but there's been no comments or seemingly any movement on it since March.

@pyrox0: Done. Apologies for the delay!

@pyrox0
Member

pyrox0 commented Jun 3, 2024

> > For Etebase, there was an issue opened at etesync/server#173, but there's been no comments or seemingly any movement on it since March.
>
> @pyrox0: Done. Apologies for the delay!

Thank you very much, appreciate the quick response on this! I'll see about getting the package bumped ASAP.

Edit: See #316984.

pyrox0 added a commit to pyrox0/nixpkgs that referenced this issue Jun 4, 2024
Removes the dependency on Django 3, fixing NixOS#262907.
github-actions bot pushed a commit that referenced this issue Jun 8, 2024
Removes the dependency on Django 3, fixing #262907.

(cherry picked from commit 3d3f029)
@pyrox0 pyrox0 added the 5. scope: tracking Long-lived issue tracking long-term fixes or multiple sub-problems label Jul 31, 2024
@melvyn2
Contributor

melvyn2 commented Oct 1, 2024

Seahub can be checked off the list: #318727

@mweinelt
Member Author

One year later and I want to yank django 3.x from nixpkgs until the end of the year.

Status: Deferred
8 participants