Posted 4 months ago by Rebecca Conley & DSF Code of Conduct committee
Happy New Year to the Django Community! As we begin 2017, many of us are reflecting on how to maintain safe, inclusive spaces within our communities. One meaningful way to do that is to serve on the Django Code of Conduct committee. In 2013, with input from the community, Django Core members and the DSF board developed a code of conduct, the purpose of which was explained by Alex Gaynor and Jacob Kaplan-Moss: “Why do we need a code of conduct? To best keep with some of our core values: documentation and 'explicit is better than implicit.' We want to maintain a vibrant, diverse, and technically excellent community, and we believe that a part of that is writing down the standards of behavior we hold ourselves to.” As of May 2016, Committee members serve a six-month fixed term. You will serve in a rotation of being “on-call” (via email) for a week at a time in order to respond to reports from the community. This is a great service to the Django community, particularly to those who are most at risk, and it is made more manageable when shared. If you are interested in volunteering to serve a six-month term, please review the online documentation and procedures regarding the CofC Committee, then email conduct@djangoproject.com. Thank you for reading, and all the best in 2017!
Posted 4 months ago by Tim Graham
Django 1.11 alpha 1 is now available. It represents the first stage in the 1.11 release cycle and is an opportunity for you to try out the changes coming in Django 1.11. Django 1.11 has a medley of new features which you can read about in the in-development 1.11 release notes. This alpha milestone marks a complete feature freeze. The current release schedule calls for a beta release in about a month and a release candidate about a month from then. We'll only be able to keep this schedule if we get early and often testing from the community. Updates on the release schedule are available on the django-developers mailing list. As with all alpha and beta packages, this is not for production use. But if you'd like to take some of the new features for a spin, or to help find and fix bugs (which should be reported to the issue tracker), you can grab a copy of the alpha package from our downloads page or on PyPI. The PGP key ID used for this release is Tim Graham: 1E8ABDC773EDE252.
Posted 5 months ago by Frank Wiles
We're happy to announce the winners of the DSF Board elections for 2017. Frank Wiles, Daniele Procida, and James Bennett were re-elected for another term. Our new Board members are Kenneth Love, Ken W. Alger, and Rebecca Conley. Rebecca, as you may be aware, served as Board Secretary during 2016 to fill a vacancy but will be returning again this year. We wish to thank Christophe Pettus and Karen Tracey who did not run again this year for their service and the wisdom they brought to us. The Board will be having our first meeting in the coming days to ratify the slate of officers at which time we'll update the website accordingly. We look forward to another great year of helping further Django and the Django Community.
Posted 5 months ago by Tim Graham
Today we've issued the 1.10.5 bugfix release. Happy New Year! The release package and checksums are available from our downloads page, as well as from the Python Package Index. The PGP key ID used for this release is Tim Graham: 1E8ABDC773EDE252.
Posted 5 months ago by Tim Graham
2016 concludes my second year working full-time to support the development of Django. Here are some highlights from my weekly summaries published on the django-developers mailing list. On the infrastructure front, I keep Django's continuous integration servers running smoothly, including the pull request checks that help keep code quality high and allow reviewers to focus on less trivial concerns. I also upgraded the djangoproject.com website to Django 1.10 and contributed several patches to third-party dependencies. I moved two under-maintained community sites, Django People and Django Snippets, to the djangoproject GitHub organization and upgraded them to supported versions of Django. In Django's ticket tracker, I triage around 10-15 new tickets each week. A working knowledge of the 1000+ accepted tickets allows me to quickly identify duplicate and related issues and steer contributors in the right direction. I coordinate security releases by preparing patches and backporting them to all supported versions of Django. In 2016, seven security issues were promptly fixed over five releases. Django 1.10 marked the third consecutive on-time major release. As the release manager, I send regular email updates on the status of release blockers to django-developers, and I fix blockers when no one else has time or interest. The Django 1.11 alpha is scheduled for mid-January with the final release scheduled for April 1. Following the 1.11 alpha release, the master development branch will target Django 2.0 and drop support for Python 2.7. I'm excited to see the simplifications and improvements we'll be able to make as a result. Over the Python 3.6 prerelease period, I ensured compatibility with the Django master branch, including contributing several fixes and improvements for Python. I co-mentored a Google Summer of Code project by Akshesh Doshi to add support for class-based indexes. This work is included in Django 1.11.
I also made the final push to finish the template-based widget rendering patch that Preston Timmons started several years ago, and this is also included in 1.11. While working toward the 1.11 feature release, we've had monthly bug fix releases for the 1.10 branch that have fixed over 40 regressions or bugs in new features. On the code review front, I review an average of fifteen non-trivial patches a week from community members. Providing timely code reviews helps prevent would-be contributors from abandoning us. I hope that gives you a good taste of what I've been doing. As always, please encourage your employer to become a corporate member of the Django Software Foundation and consider a gift to the Django Software Foundation to allow the fellowship to continue. I'm grateful for this opportunity and for the community's support. Thank you!
Posted 5 months ago by Frank Wiles
The Django Software Foundation (DSF) is proud to announce the winner of the 2016 Malcolm Tredinnick Memorial Prize: Aisha Bello! Aisha (@AishaXBello) joined the Django community when she attended a Django Girls workshop during EuroPython in 2015. From that point on, Aisha's trajectory in the Django world was unstoppable. She is not only a talented developer but her desire to keep learning and sharing her knowledge with others is simply inspiring. She organized or helped organize a huge number of Django Girls workshops in her home country of Nigeria. Thanks to her, Nigeria is on its way to being the world-record holder of most Django Girls events organized. She's coached at other Django Girls events, introducing even more people to our community. She's spoken at several conferences (including PyCon Namibia and DjangoCon US) sharing her unique knowledge and insight with the rest of us. You can read more about her and her history at Your Django Story: Meet Aisha Bello. She embodies the values of the Malcolm Tredinnick prize and we can't wait to see what she will achieve in the future. Congratulations Aisha!
Posted 6 months ago by Emanuela Dal Mas, Iacopo Spalletti, Daniele Procida
2017’s DjangoCon Europe takes place against the gorgeous backdrop of Florence in the springtime. Once again the event will be organised by a local committee of volunteers on behalf of the global Django community. The event will be held in the historic Odeon Cinema in the centre of the city. It’s an architectural gem, an Art Deco interior in a Renaissance palace.
Key points
Ticket sales are now open. Early-bird rates are available until the 17th January.
The call for proposals is open too, until the 31st December.
Generous financial assistance packages are offered, to help ensure that everyone who will benefit has the opportunity to attend.
The conference can even offer discounted public transport passes (see the tickets page) valid for the duration of the event, to help you get around the city.
The call for proposals
The programme of talks will represent the vibrant diversity of interests and endeavours across the Django community, including some that you had not only never heard of, but would not have imagined. The speaker roster will also feature some of the best-known names in the world of Django. There’ll be talks from those who are leading its development into the future, and about its deepest internals - discussions on the highest technical level. The organisers invite proposals from all. Whatever your level of technical or speaking experience, you are invited to share what you know or have done with Django with your friends and colleagues in the community. Both the speaker line-up and the selection of talks will be curated to offer a wide and representative balance, so the platform created by DjangoCon Europe 2017 will have room for everyone. And just in case five days in Florence are not enough, PyCon Italia immediately follows DjangoCon Europe. You’re invited to submit your talk proposal to PyCon Italia too, in the same process, by ticking a single box on the form.
The ambitions of DjangoCon Europe 2017
The conference
Each successive DjangoCon Europe has advanced new ideas about how a conference should be run and has set new standards for itself. Just measuring up to past editions is challenge enough, but the organisers of 2017’s event have ambitions for it of their own, that also extend beyond this gathering of nearly 400 Djangonauts.
The Italian context
The organisers consider DjangoCon Europe 2017 an opportunity for the whole Italian Django community to use it as a launching pad for future organisation, development and activity, so that it makes a tangible and material difference to the open-source software community and industry in Italy.
The social context
The organisers want the event to harness the energy, know-how and organisation skills in the community, and put them to work in local organisations that work to advance social inclusion, in particular, amongst women from immigrant communities, who are disproportionately marginalised and excluded socially, technologically, economically and educationally.
Responsibility and sustainability
The Django community has always generally been conscious that its technology exists in a social context and not a vacuum. The overall themes of this DjangoCon Europe are responsibility and sustainability: responsibility to others in our industry and of our industry’s responsibility to the wider world, and the sustainability - economic, personal and social - of the industry itself. The conference invites its attendees to participate in these discussions, and to consider how our technology’s long-term viability depends on them as much as it does on the technical brilliance of its technologists.
A Django festival of ideas and collaboration
These are ambitions and aspirations. Their vehicle will be the international festival of community that each DjangoCon Europe represents, and reinvests with new energy each year.
The organisers give you Florence in the springtime, a magnificent capital of history, culture, beauty and food, and the perfect foundation for building the future with Django. Don’t miss it.
Posted 6 months ago by Tim Graham
Today we've issued the 1.10.4, 1.9.12, and 1.8.17 bugfix releases. The release package and checksums are available from our downloads page, as well as from the Python Package Index. The PGP key ID used for this release is Tim Graham: 1E8ABDC773EDE252.
Posted 6 months ago by Markus Holtermann
Today, Florian Apolloner, a member of the Django security team, discovered and fixed a critical security issue in the new PasswordResetConfirmView that was added to the Django master branch on July 16th, 2016. The view didn't validate the password reset token on POST requests and therefore allowed anyone to reset passwords for any user. This issue doesn't affect any released versions of Django. Per our security policy, security issues in master, but not present in any released version, are disclosed and fixed in public without pre-notification. The issue demonstrates the complexity of class-based generic views, and the Django team advises caution when using them for security-sensitive functionality. We'll consider removing the class-based authentication views that are in the master branch, planned for Django 1.11. The discussion for this will take place publicly on the django-developers mailing list.
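The defect the post describes, a reset token checked when the form is rendered but not when it is submitted, is a general pattern worth seeing in code. The following is an added example in plain Python, not Django's code or the fixed view: a small HMAC-with-timestamp token scheme (modeled loosely on how such reset tokens are typically built) and a confirm handler in its defective and corrected forms. `User`, `SECRET_KEY`, `TOKEN_TTL_SECONDS` and the two `confirm_view_*` functions are constructed for this example.

```python
import hashlib
import hmac
import time

# Constructed for this example: a real deployment takes the signing key from
# configuration, never from source code.
SECRET_KEY = b"example-only-signing-key"
TOKEN_TTL_SECONDS = 3 * 24 * 3600  # assumed token lifetime for the example


class User:
    """Minimal stand-in for a user record (hypothetical, not Django's model)."""

    def __init__(self, pk, password_hash):
        self.pk = pk
        self.password_hash = password_hash

    def set_password(self, raw_password):
        # Toy hash for the example; a real system uses a slow password hash.
        self.password_hash = hashlib.sha256(raw_password.encode()).hexdigest()


def _signature(user, timestamp):
    # Binding the current password hash into the MAC makes a token single-use:
    # once the password changes, the old token no longer verifies.
    message = f"{user.pk}:{user.password_hash}:{timestamp}".encode()
    return hmac.new(SECRET_KEY, message, hashlib.sha256).hexdigest()


def make_token(user, now=None):
    """Issue a token of the form '<unix-timestamp>-<hex MAC>'."""
    timestamp = int(now if now is not None else time.time())
    return f"{timestamp}-{_signature(user, timestamp)}"


def check_token(user, token, now=None):
    """Return True only if the token is well-formed, authentic and unexpired."""
    try:
        ts_text, sig = token.split("-", 1)
        timestamp = int(ts_text)
    except (AttributeError, ValueError):
        return False
    # Constant-time comparison of the supplied MAC against the recomputed one.
    if not hmac.compare_digest(sig, _signature(user, timestamp)):
        return False
    now = now if now is not None else time.time()
    return 0 <= now - timestamp <= TOKEN_TTL_SECONDS


def confirm_view_vulnerable(method, user, token, new_password=None):
    """The defect the post describes: the token is only checked when the form
    is rendered (GET); the POST that actually changes the password trusts it."""
    if method == "GET":
        return "form" if check_token(user, token) else "invalid"
    user.set_password(new_password)
    return "reset"


def confirm_view_fixed(method, user, token, new_password=None):
    """Validate the token on every request method before doing anything."""
    if not check_token(user, token):
        return "invalid"
    if method == "GET":
        return "form"
    user.set_password(new_password)
    return "reset"
```

The point to carry over to any framework: the authorization check belongs in the code path shared by all HTTP methods (in a class-based view, a `dispatch` hook or equivalent), not only in the handler that renders the form. Because the MAC covers the current password hash, a token that was used once stops verifying, so a second submission of the same link is refused.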
Posted 7 months ago by Tim Graham
In accordance with our security release policy, the Django team released Django 1.10.3, Django 1.9.11, and 1.8.16. These releases address two security issues detailed below. We encourage all users of Django to upgrade as soon as possible.
CVE-2016-9013: User with hardcoded password created when running tests on Oracle
When running tests with an Oracle database, Django creates a temporary database user. In older versions, if a password isn't manually specified in the database settings TEST dictionary, a hardcoded password is used. This could allow an attacker with network access to the database server to connect. This user is usually dropped after the test suite completes, but not when using the manage.py test --keepdb option or if the user has an active session (such as an attacker's connection). A randomly generated password is now used for each test run. Thanks Marti Raudsepp for reporting the issue.
CVE-2016-9014: DNS rebinding vulnerability when DEBUG=True
Older versions of Django don't validate the Host header against settings.ALLOWED_HOSTS when settings.DEBUG=True. This makes them vulnerable to a DNS rebinding attack. While Django doesn't ship a module that allows remote code execution, this is at least a cross-site scripting vector, which could be quite serious if developers load a copy of the production database in development or connect to some production services for which there's no development instance, for example. If a project uses a package like the django-debug-toolbar, then the attacker could execute arbitrary SQL, which could be especially bad if the developers connect to the database with a superuser account. settings.ALLOWED_HOSTS is now validated regardless of DEBUG. For convenience, if ALLOWED_HOSTS is empty and DEBUG=True, the following variations of localhost are allowed ['localhost', '', '::1']. If your local settings file has your production ALLOWED_HOSTS value, you must now omit it to get those fallback values.
Thanks Aymeric Augustin for reporting the issue.
Security Advisory: Social media fingerprinting
Along with the above security issues, we want to inform you about a "social media fingerprinting" information leakage technique that was recently disclosed. If you enable redirect_authenticated_user on the login views, other websites will be able to determine if their visitors are authenticated on your site by requesting redirect URLs to image files on your website. To avoid this, host all images and your favicon on a separate domain that is not part of the ALLOWED_HOSTS.
Affected supported versions
Django master development branch
Django 1.10
Django 1.9
Django 1.8
Per our supported versions policy, Django 1.7 and older are no longer receiving security updates.
Resolution
Patches to resolve the issues have been applied to Django's master development branch and the 1.10, 1.9, and 1.8 release branches. The patches may be obtained from the following commits:
Master: CVE-2016-9013, CVE-2016-9014
1.10.x: CVE-2016-9013, CVE-2016-9014
1.9.x: CVE-2016-9013, CVE-2016-9014
1.8.x: CVE-2016-9013, CVE-2016-9014
The following new releases have been issued:
Django 1.10.3 (download Django 1.10.3 | 1.10.3 checksums)
Django 1.9.11 (download Django 1.9.11 | 1.9.11 checksums)
Django 1.8.16 (download Django 1.8.16 | 1.8.16 checksums)
The PGP key ID used for these releases is Tim Graham: 1E8ABDC773EDE252.
General notes regarding security reporting
As always, we ask that potential security issues be reported via private email to security@djangoproject.com, and not via Django's Trac instance or the django-developers list. Please see our security policies for further information.
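The behaviour change behind CVE-2016-9014 (validate the Host header against ALLOWED_HOSTS even when DEBUG=True, with a loopback-only fallback when the list is empty) is easiest to reason about as a small standalone validator. The following is an added example in plain Python and is not Django's own code: it shows the old rule (skip the check under DEBUG) beside the fixed rule, using the same `*` and leading-dot pattern semantics the advisory's `ALLOWED_HOSTS` setting has. The regex, the helper names, the constructed `rebind.example` scenario and the bracketed `[::1]` form of the IPv6 loopback entry in the fallback list are this example's assumptions.

```python
import re

# Syntactically valid Host header: a DNS name / IPv4 address or a bracketed
# IPv6 literal, optionally followed by a port. Modeled on the shape Django
# accepts; the regex itself is this example's own.
HOST_RE = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\])(?::(\d+))?$")

# Assumed loopback fallback used when DEBUG=True and ALLOWED_HOSTS is empty.
LOCALHOST_FALLBACK = ["localhost", "127.0.0.1", "[::1]"]


def split_domain_port(host):
    """Return (domain, port) for a Host header value, or None if malformed."""
    match = HOST_RE.match(host.strip().lower())
    if match is None:
        return None
    domain, port = match.group(1), match.group(2) or ""
    # A trailing dot is an absolute DNS name; treat "example.com." as "example.com".
    if domain.endswith(".") and not domain.startswith("["):
        domain = domain[:-1]
    return domain, port


def matches_pattern(domain, pattern):
    """'*' matches anything; '.example.com' matches the domain and its subdomains."""
    pattern = pattern.lower()
    if pattern == "*":
        return True
    if pattern.startswith("."):
        return domain == pattern[1:] or domain.endswith(pattern)
    return domain == pattern


def _validate(host, allowed_hosts):
    parsed = split_domain_port(host)
    if parsed is None:
        return False
    domain, _port = parsed
    return any(matches_pattern(domain, p) for p in allowed_hosts)


def host_is_allowed_old(host, allowed_hosts, debug):
    """Pre-1.10.3 rule described in the advisory: with DEBUG=True the
    ALLOWED_HOSTS check is skipped, so any name that resolves to the
    developer's machine is accepted."""
    if debug:
        allowed_hosts = ["*"]
    return _validate(host, allowed_hosts)


def host_is_allowed_fixed(host, allowed_hosts, debug):
    """Fixed rule: always validate; with DEBUG=True and an empty list, only
    loopback names are accepted."""
    if debug and not allowed_hosts:
        allowed_hosts = LOCALHOST_FALLBACK
    return _validate(host, allowed_hosts)


if __name__ == "__main__":
    # Constructed rebinding scenario: an attacker-controlled name
    # "rebind.example" is made to resolve to the developer's loopback address,
    # so the browser sends it as the Host header. The old rule accepts it under
    # DEBUG; the fixed rule refuses it.
    for host in ("localhost:8000", "[::1]:8000", "rebind.example"):
        print(f"{host:16} old={host_is_allowed_old(host, [], True)} "
              f"fixed={host_is_allowed_fixed(host, [], True)}")
```

The practical consequence the advisory spells out follows from the last line of the output: a development server whose ALLOWED_HOSTS is empty is reachable only through loopback names after the fix, and a settings file that carries the production ALLOWED_HOSTS into development no longer gets that fallback, so the development hostnames must be listed explicitly.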