On Thu, Jul 25, 2013 at 3:03 AM, Bjorn Tipling <bjorn.tipl...@gmail.com> wrote:

> The django downloads section says versions of Django 1.3 are no longer
> supported with bug and security fixes. Obviously nobody ought to start a
> new project with Django 1.3, but is it critical to update? Since the
> release updates are broken down by version, it isn't clear to me if any of
> the issues that affect 1.4 or 1.5 also affect 1.3.
>
> https://docs.djangoproject.com/en/1.3/releases/
>

I'd say yes, it's a good idea to update when you have a chance.

The reason for this? You don't know when the next security issue will be
announced. When (and unfortunately, despite our best efforts, it is a
matter of when, not if) the next security problem is announced, you don't
want to be scrambling to update to 1.4 *and* fix the security issue, or
trying to manually backport the security issue to 1.3. If you're up to
date, you just have to update your requirements file or deployment script.
If you're still on 1.3, you have a lot of work to do, and you may need to
do it quickly because the exploit will be in the wild, and you might be
exposed to a problem.

It's impossible to say for certain if a problem found in 1.4 will also
affect 1.3 without knowing specifics, but broadly speaking, it's safe to
assume that it will -- past history with security problems has demonstrated
that the problems that are found aren't glaring problems with newly added
features -- they're deeply embedded edge case problems that have existed
for several versions. For example, our most recent security release (1.4.2
[1]) described a class of problem that has existed since Django was first
released.

[1] https://docs.djangoproject.com/en/dev/releases/1.4.2/

> I also do not see any security fixes since the 1.3 deprecation.
>

Correct. To date, we haven't announced any security problems that haven't
been backported to 1.3.

The way you can check this -- if there were a point release in the 1.5 tree
that included a security patch, that patch would be included in 1.4, but
would *not* be backported. We're currently sitting at 1.5.1, and the .1
patch release was to address a memory leak and two other small problems
identified in the 1.5.0 release [2] [3].

[2] https://docs.djangoproject.com/en/dev/releases/1.5.1/
[3] https://www.djangoproject.com/weblog/2013/mar/28/django-151/

Yours,
Russ Magee %-)

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.