Hi, Luis Felipe <sirga...@zoho.com> writes:
> Hi,
>
> I've been using Django 4.2.2 from my personal Guix channel for a
> couple of days and it seems to work alright, so I'd like to send a
> patch to include it in Guix, although I have some questions first.
>
> 1. python-asgiref >= 3.6.0 and < 4 is a requirement for Django 4.2 LTS
> series, there is a patch for it already
> (https://issues.guix.gnu.org/61543), it builds, doesn't appear to have
> known vulnerabilities and Django 4.2.2 works with it. Would it be okay
> to add it to Guix until someone else packages the latest version
> (3.7.2, but it currently fails to build for me: sanity-check
> DistributionNotFound or something)?

This usually means one of the inputs of the package doesn't have a
compatible version. Please check which one it is (the Python error
message should contain that information).

> 2. "guix lint python-django@4.2.2" says this version of Django might
> be vulnerable to CVE-2023-31047 but reading the CVE description
> version 4.2.2 doesn't seem to be affected. Is there anything I should
> do regarding this warning?

If you are absolutely sure about that you could add a 'lint-hidden-cve'
property to the package definition.

> 3. Guix currently distributes versions of Django that no longer
> receive security updates or bug fixes. For example,
> python-django@4.0.7, python-django@3.1.14, python-django@2.2.28 (see
> https://www.djangoproject.com/download/). Should they be removed?

They should be upgraded to the latest available version (the old
versions shouldn't be kept around).

-- 
Thanks,
Maxim
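As an added illustration (not code from this thread, and not Guix's actual python-django definition), this is the shape the `lint-hidden-cve` property Maxim refers to takes. It assumes an existing `python-django` variable to inherit from inside a `gnu/packages` style module (so `package`, `origin`, `url-fetch` and `pypi-uri` are in scope); the hash is a placeholder.

```scheme
;; Illustrative definition only.  Inherits everything (inputs, build
;; system, description) from an assumed existing `python-django' and
;; overrides just the version, source and properties.
(define-public python-django-4.2
  (package
    (inherit python-django)
    (name "python-django")
    (version "4.2.2")
    (source (origin
              (method url-fetch)
              (uri (pypi-uri "Django" version))
              (sha256
               ;; PLACEHOLDER: replace with the value printed by
               ;; `guix download' for the real 4.2.2 tarball.
               (base32
                "0000000000000000000000000000000000000000000000000000"))))
    ;; Keep whatever properties the parent already declares and add the
    ;; CVE ids the `cve' linter should stop reporting for this version.
    ;; Only do this after confirming the version is really unaffected.
    (properties
     `(,@(package-properties python-django)
       (lint-hidden-cve . ("CVE-2023-31047"))))))
```

After the change, `guix lint -c cve python-django@4.2.2` should no longer flag that id; any other CVE the checker matches is still reported.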