Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

3.15.2 includes two undocumented breaking changes #9450

Open
cliebBS opened this issue Jun 26, 2024 · 18 comments
Open

3.15.2 includes two undocumented breaking changes #9450

cliebBS opened this issue Jun 26, 2024 · 18 comments

Comments

@cliebBS
Copy link

cliebBS commented Jun 26, 2024

In the 3.15.2 release, two very large breaking changes were included:

  • Drop support for Python 3.6 and 3.7
    • 3.6 EoL: 23 Dec 2021
    • 3.7 EoL: 27 Jun 2023
  • Drop support for Django 3.0-4.1 (now requires >= 4.2)
    • 3.0 EoL: 06 Apr 2021
    • 3.1 EoL: 07 Dec 2021
    • 3.2 EoL: 01 Apr 2024
    • 4.0 EoL: 01 Apr 2023
    • 4.1 EoL: 01 Dec 2023

These were both breaking changes released as part of a bugfix release, which included a fix for a security issue, and which are not even documented in the release notes. Examining your past releases shows that you normally only do breaking changes like these ones in major and minor versions. At a minimum, the changelog should be updated to clearly call out that all of these releases are no longer supported.

@lampwins
Copy link

Not to get too philosophical, but this sort of thing is a major reason why people complain so much about the python packaging ecosystem. I know DRF does not state they use semantic versioning, but the documented versioning strategy does state for these "minor releases":

You should be able to upgrade between minor point releases without any other code changes.

If it is not painfully obvious, the modern python package tooling landscape does rely heavily on adhering to something that resembles the meaning of semantic versioning, when using a major.minor.patch like scheme. It's even more important for such an ubiquidous project within the django ecosystem.

I'm not trying to be mean, but I really hope that a project like DRF can lead by example.

@onegreyonewhite
Copy link
Contributor

Not to get too philosophical, but this sort of thing is a major reason why people complain so much about the python packaging ecosystem. I know DRF does not state they use semantic versioning, but the documented versioning strategy does state for these "minor releases":

You should be able to upgrade between minor point releases without any other code changes.

If it is not painfully obvious, the modern python package tooling landscape does rely heavily on adhering to something that resembles the meaning of semantic versioning, when using a major.minor.patch like scheme. It's even more important for such an ubiquidous project within the django ecosystem.

I'm not trying to be mean, but I really hope that a project like DRF can lead by example.

Damn, they just released 3.15.0 (it should be beta) because everyone was complaining and eagerly waiting for this release. The issue is that some pull requests should have been merged earlier since they promised to include them in this release. In fact, 3.15 was already supposed to drop support for older Python and Django versions.

As far as I remember, during the discussion about ending support for Python 3.6, @tomchristie suggested a great idea: to stick to the supported Django releases and their corresponding Python versions at the time of the release.

Everyone who follows the project and was preparing for the release has already updated their projects to the current versions. But I agree that there's nothing wrong with bumping the minor version every time a version of Python or Django is dropped. Especially since the project has moved into the stabilization phase and will be focusing more on maintenance rather than introducing new features.

@cliebBS
Copy link
Author

cliebBS commented Jun 26, 2024 via email

@lampwins
Copy link

Everyone who follows the project and was preparing for the release has already updated their projects to the current versions. But I agree that there's nothing wrong with bumping the minor version every time a version of Python or Django is dropped. Especially since the project has moved into the stabilization phase and will be focusing more on maintenance rather than introducing new features.

Exactly. It's all well and good to put such policies and procedures in place, but the adherence to versioning norms should still take place. So folks that are not closely watching the communications around a project can still safely rely on the versioning scheme and the broader python ecosystem conventions to not blow things up. Thats all. Much love for DRF still.

@tomchristie
Copy link
Member

tomchristie commented Jun 27, 2024

Ah okay, this will have been in error as a result of time pressure dealing with security related fix "Fix potential XSS vulnerability in browsable API." #9435

We haven't actually made any functional changes that prevent Python 3.6 / Django 3.0. See 1f2daaf Although the setup.py does exclude them.

I think what we should probably do here to minimise disruption is...

  • Rollback the setup.py changes with a 3.15.3 release.
  • The security fix ought to be highlighted with Security: ... in the release notes, as with two other occurrences there.

@TomNewChao
Copy link

TomNewChao commented Jul 8, 2024

Ah okay, this will have been in error as a result of time pressure dealing with security related fix "Fix potential XSS vulnerability in browsable API." #9435

We haven't actually made any functional changes that prevent Python 3.6 / Django 3.0. See 1f2daaf Although the setup.py does exclude them.

I think what we should probably do here to minimise disruption is...

  • Rollback the setup.py changes with a 3.15.3 release.
  • The security fix ought to be highlighted with Security: ... in the release notes, as with two other occurrences there.

Yeah, You are right. To resolve CVE-2024-21520, I upgraded django-rest-framework to 3.15.2, but django-rest-framework requires django to be installed later than 3.2.25, which forced me to upgrade django. This is really fucked up.

@browniebroke
Copy link
Contributor

Django 3.2 is no longer maintained and has probably a few CVEs too. Perhaps upgrade that first?

@TomNewChao
Copy link

Django 3.2 is no longer maintained and has probably a few CVEs too. Perhaps upgrade that first?

Currently, Django 3.2.25 has not scanned for CVE vulnerabilities. This version was released 4 months ago. For details, see: https://github.com/django/django/commits/3.2.25/. If CVE vulnerabilities are found in the future, we will consider upgrading.

@browniebroke
Copy link
Contributor

Might want to look whether 3.2 has the vulnerabilities from https://www.djangoproject.com/weblog/2024/jul/09/security-releases/

I checked the code from the 3.2 branch and at least one of them is present. So... Time to upgrade, I guess?

@omasback
Copy link

  • Rollback the setup.py changes with a 3.15.3 release.

Is this going to happen? Not trying to rush you – just looking for guidance.

@TomNewChao
Copy link

TomNewChao commented Jul 10, 2024

Might want to look whether 3.2 has the vulnerabilities from https://www.djangoproject.com/weblog/2024/jul/09/security-releases/

I checked the code from the 3.2 branch and at least one of them is present. So... Time to upgrade, I guess?

glad to receive your reply, but I used trivy tool to scan Django 3.2.25 version, but did not find any vulnerability hints.

@cliebBS
Copy link
Author

cliebBS commented Jul 10, 2024

glad to receive your reply, but I used trivy tool to scan Django 3.2.25 version, but did not find any vulnerability hints.

This is most likely because the CVEs that were issued for these vulns were only issued for the currently supported versions of Django. I went through each of the MRs for each of the CVEs (they are linked at the bottom of the article) and verified that all of them exist in 3.2.25, so the CVEs are just as valid for 3.2.25 as they are for the unpatched versions of 4.2 and 5.0.

@TomNewChao
Copy link

glad to receive your reply, but I used trivy tool to scan Django 3.2.25 version, but did not find any vulnerability hints.

This is most likely because the CVEs that were issued for these vulns were only issued for the currently supported versions of Django. I went through each of the MRs for each of the CVEs (they are linked at the bottom of the article) and verified that all of them exist in 3.2.25, so the CVEs are just as valid for 3.2.25 as they are for the unpatched versions of 4.2 and 5.0.

ok, got it, Let's plan to upgrade Django.

@ryanisnan
Copy link

Thanks for the response to this ticket. I want to add an additional request here that DRF maintains compliance with its own guidance as mentioned here. Needing to scrutinize minor version bumps, on top of painful medium version bumps is not ideal.

As always, take this feedback with a grain of salt. We are very thankful for the efforts of this community.

@tomchristie
Copy link
Member

@encode/django-rest-framework Okay, suppose we roll a 3.15.3 release without the setup.py changes. And then do the version upgrades in a 3.16.0 release. In line with previous releases.

Is there anything else that ought to make it in to 3.15.3 to minimised any other 3.14.x upgrade disruptions?

(Apologies all for the churn this time around, it's not been ideal but we do at least have a handle on getting things settled down now.)

@peterthomassen
Copy link
Contributor

Is there anything else that ought to make it in to 3.15.3 to minimised any other 3.14.x upgrade disruptions?

I think the following regressions still need to be addressed: #9358, #9378, #9410.

@SorianoMarmol
Copy link

Is there anything else that ought to make it in to 3.15.3 to minimised any other 3.14.x upgrade disruptions?

I think the following regressions still need to be addressed: #9358, #9378, #9410.

Do we know if a version 3.15.3 is currently in the works? Will it include any of these issues?

Is there anything else that ought to make it in to 3.15.3 to minimised any other 3.14.x upgrade disruptions?

I have suggested applying the security patch to the previous version (3.14) to allow more time for updating to 3.15.

@BillSchumacher
Copy link

BillSchumacher commented Oct 29, 2024

@encode/django-rest-framework Okay, suppose we roll a 3.15.3 release without the setup.py changes. And then do the version upgrades in a 3.16.0 release. In line with previous releases.

Is there anything else that ought to make it in to 3.15.3 to minimised any other 3.14.x upgrade disruptions?

(Apologies all for the churn this time around, it's not been ideal but we do at least have a handle on getting things settled down now.)

I have constraints that are conditional uniques on nullable values which have been made required.

#9531 #9360

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests