Hi,

Andreas Henriksson <andr...@fatal.se> (2025-02-17):
> [ Impact ]
> djoser has a very low popcon, so impact should thus be low.
>
> [ Tests ]
> not covered by testsuite.
>
> [ Risks ]
> The patch cherry-picked from upstream is a revert to a previous state of
> the code (before introducing the breakage which wasn't known to have
> security implications).
> The risks should thus be very low, since it's not "new" code.
>
>
> [ Checklist ]
> [x] *all* changes are documented in the d/changelog
>     (except debian/gbp.conf branch name, which I think is changelog
>     clutter)
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in (old)stable
> [x] the issue is verified as fixed in unstable
>     (via a new upstream release)
>
> [ Changes ]
> Revert validation code to previous working code with proper
> auth validation.

I was curious to see apt install a new package and I had a quick look.

While debian/control received no modifications, the binary package is
getting new dependencies compared to the version in bookworm:

Before:

    Depends: python3-django, python3-djangorestframework (>= 3), python3-asgiref, python3-coreapi, python3-social-django, python3:any

After:

    Depends: python3-django, python3-djangorestframework (>= 3), python3-asgiref, python3-coreapi, python3-djangorestframework-simplejwt, python3-importlib-metadata | python3 (>> 3.8), python3-social-django, python3:any

For reference, debian/control has:

    Depends: python3-django, python3-djangorestframework (>= 3), ${misc:Depends}, ${python3:Depends},

and the extra dependencies flow through ${python3:Depends}:

    python3:Depends=python3-asgiref, python3-coreapi, python3-djangorestframework-simplejwt, python3-importlib-metadata | python3 (>> 3.8), python3-social-django, python3:any

I thought that's curious enough to leave a note here, just in case
someone else wonders whether that's known and/or expected.

Cheers,
-- 
Cyril Brulebois (k...@debian.org) <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant