Weblog

Latest entries

Django 1.2 release schedule

Those of you that have been paying attention to the Django release roadmap will have noticed that the original estimated release date for Django 1.2 final has passed, but we haven't actually made a final release.

Although Django's release cycle is generally date-based, we also try to keep our release dates flexible to account for bugfixing time. At the beginning of the development sprints at PyCon a few weeks ago, over 300 tickets were still open on the Django 1.2 milestone. Now it's down to 120 (we've been clearing out, on average, about ten tickets a day), but that's still a lot more than we're comfortable shipping; as a result, we're pushing back the final 1.2 release a bit.

Some of the tickets still open for 1.2 are documentation or translation updates; these will be dealt with before the final 1.2 release. Others are minor bugs or edge cases which are difficult to trigger or unlikely to cause serious problems in actual deployment; these tickets will likely be bumped to a pure-bugfix release in the 1.2 series, or to 1.3 as warranted.

Over the next couple of days, the Django core team will be reviewing all of the currently-open tickets, and identifying those which:

  • reveal a significant flaw in a feature added during the 1.2 cycle, or
  • have the potential to cause data loss or other serious consequences in actual deployment.

Tickets which don't meet these criteria may be removed from the 1.2 milestone, or may simply be left out of the final release. We won't forget about these issues -- they'll still be in Trac, and they will be addressed -- but bugfix work prior to the 1.2 release will focus on major issues fitting the criteria above.

    We're sensitive to the fact that during the Django 1.2 release cycle, we haven't paid as much attention to bugs and smaller features as we have done during previous releases. To address this, we're considering making Django 1.3 a "feature light" release -- that is, we will spend more time focussing on little features and long standing bugs, rather than adding lots of big features like we have done with Django 1.2. Once 1.2 lands, we'll have some more details about our exact plans for the 1.3 cycle.

    Until then, we'll be posting here every few days to give you a status update, letting you know how many tickets remain, any problems we foresee, and to provide an updated estimate of the 1.2 final delivery date.

    So: there are 120 tickets remaining, but quite a few of these will be bumped from the final release. It's difficult to know exactly how much work is left before we do the final ticket cull, but our first-cut revised estimate is for an RC1 release around March 22, with a final release around March 29. This is, for those of you who were following along during the early parts of the 1.2 cycle, roughly consistent with extra time added to the release schedule for the 1.2 alpha and beta milestones.

    As always, any assistance preparing, reviewing or testing patches is most welcome; the more help we get, the sooner we can release. If you want to help out, check out the 1.2 todo list, find something that sounds interesting and dig in!

    Posted by Russell Keith-Magee and James Bennett on March 9, 2010

    Django 1.2 beta 1 released

    As part of the Django 1.2 release process, tonight we've released Django 1.2 beta 1, a preview/testing package that gives a little taste of some of the new features coming in Django 1.2. As with all alpha and beta packages, this is not for production use, but if you'd like to try out some of the new goodies coming in 1.2, or if you'd like to pitch in and help us fix bugs before the final 1.2 release (due in April), feel free to grab a copy and give it a spin.

    You can get a copy of the 1.2 beta package from our downloads page, and we recommend you read the release notes. Also, for the security conscious, signed MD5 and SHA1 checksums of the 1.2 beta package are available.

    Also, note that this release constitutes the final feature freeze for Django 1.2. No further new feature development will take place before the final 1.2 release; only bugfix work will be accepted in trunk until 1.2 lands.

    Posted by James Bennett on February 6, 2010

    Django 1.2 alpha 1 released

    As part of the Django 1.2 release process, tonight we've released Django 1.2 alpha 1, a preview/testing package that gives a little taste of some of the new features coming in Django 1.2. As with all alpha and beta packages, this is not for production use, but if you'd like to try out some of the new goodies coming in 1.2, or if you'd like to pitch in and help us fix bugs before the final 1.2 release (due in April), feel free to grab a copy and give it a spin.

    You can get a copy of the 1.2 alpha package from our downloads page, and we recommend you read the release notes. Also, for the security conscious, signed MD5 and SHA1 checksums of the 1.2 alpha package are available.

    Posted by James Bennett on January 6, 2010

    DjangoSki 2010

    Registration is now open for the first DjangoSki Conference in Whistler, March 2-4 2010.

    DjangoSki is a conference with a difference. It's set in the ski resort of Whistler, British Columbia and is half conference, half un-conference and, erm, half skiing.

    Come to the conference and meet with our keynote speakers: Jacob Kaplan-Moss, Matt Berg and David Ascher, then go skiing on the hills with everyone in the afternoon.

    Most of the rest of the conference is composed of ad-hoc talks, sprints and lightning talks. However if you'd like to speak there, we'd love to sign you up for a talk in advance.

    Afternoons, we break for skiing before reconvening in the evening. There's lots more to talk about, but check out the website for more. Early birds are on a first come, first served basis but will run out on January 13th, so sign up soon.

    We look forward to seeing you here.

    — Andy McKay, DjangoSki Conference Chair

    Posted by Jacob Kaplan-Moss on January 5, 2010

    Join us for a development sprint

    I'll pass the microphone over to Jeremy Dunck, our volunteer Sprint organizer:

    There will be a Django Development sprint in Uptown Dallas next weekend (Dec 12 and 13). A development sprint is an excuse to get together, write some code, and have a good time doing it. The purpose of this sprint will be to help finish features and push out bug fixes in preparation for the Django 1.2 release, which feature freezes January 26. If you're interested in coming to work on other open source Django-based projects, that's welcome too.

    We'll be meeting at CoHabitat (2517 Thomas Avenue, Dallas, TX 75201) and I'll be there to open the doors at 9am both days. RSVP via Eventbrite if you're interested.

    There will be another gathering in the Triangle, NC area, meeting at Carrboro Creative Coworking, (205 Lloyd St, Carrboro, NC 27510).

    For more information, please check out the wiki pages (Dallas, Triangle, NC).

    We're looking for sponsors (lunch, coffee, beer, firewood, etc.), so check out the sponsors section of the wiki and add yourself (or your company) if you'd like to bring something.

    If you can't make it to Dallas or North Carolina in person, join us in the #django-sprint IRC channel and help out that way.

    Hope to see you there!

    Posted by Russell Keith-Magee on December 5, 2009

    Security updates released

    Today the Django project is issuing a set of releases to remedy a security issue. This issue was disclosed publicly by a third party on a high-traffic mailing list, and attempts have been made to exploit it against live Django installations; as such, we are bypassing our normal policy for security disclosure and immediately issuing patches and updated releases.

    Description of vulnerability

    Django's forms library includes field types which perform regular-expression-based validation of email addresses and URLs. Certain addresses/URLs could trigger a pathological performance case in these regular expressions, resulting in the server process/thread becoming unresponsive, and consuming excessive CPU over an extended period of time. If deliberately triggered, this could result in an effective denial-of-service attack.

    Affected versions

    Any Django application making use of EmailField or URLField in the following versions is vulnerable:

    • Django development trunk
    • Django 1.1
    • Django 1.0

    Resolution

    The regular expressions used for email address and URL validation have been modified to eliminate the pathological performance case.
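To make the failure mode in this advisory concrete, here is an added Python example that is not Django's code and does not reproduce Django's email or URL regexes. A constructed nested-quantifier pattern stands in for the pathological case; `validate_with_guard` shows the defense-in-depth step of capping input length before any regex runs (the `MAX_FIELD_LENGTH` constant is an assumption for the example), and `is_suspect` is a constructed CI-style probe that flags a validator regex whose match time grows exponentially on near-miss input.

```python
import re
import time

# Constructed stand-in for the bug class, not one of Django's regexes: the nested
# quantifier (a+)+ lets the engine try every way of splitting a run of 'a's
# once the trailing anchor fails, so the work grows as 2**n in the input length.
PATHOLOGICAL = re.compile(r"^(a+)+$")
# Same language, linear time: a single quantifier with no ambiguous nesting.
LINEAR = re.compile(r"^a+$")

# Assumed limit for this example; RFC 5321 caps an address at 254 octets.
MAX_FIELD_LENGTH = 254


def validate_with_guard(pattern, value, max_length=MAX_FIELD_LENGTH):
    """Defense in depth: reject over-length input before the regex ever runs,
    so even a pattern with a latent backtracking problem has bounded cost."""
    if len(value) > max_length:
        return False
    return pattern.match(value) is not None


def _best_match_time(pattern, value, iterations=20, repeats=3):
    """Best-of-N wall-clock time (seconds) for `iterations` match attempts,
    batched so the measurement stays well above timer resolution."""
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        for _ in range(iterations):
            pattern.match(value)
        best = min(best, time.perf_counter() - start)
    return best


def backtracking_growth(pattern, small=12, large=17):
    """Ratio of match time on near-miss inputs 'a' * n + '!' at two sizes.
    A linear-time pattern stays near 1; catastrophic backtracking grows by
    roughly 2 ** (large - small), here about 32."""
    t_small = _best_match_time(pattern, "a" * small + "!")
    t_large = _best_match_time(pattern, "a" * large + "!")
    return t_large / max(t_small, 1e-9)


def is_suspect(pattern, threshold=8.0):
    """CI-style probe: flag a validator regex whose cost grows far faster
    than its input between the two probe sizes."""
    return backtracking_growth(pattern) > threshold


if __name__ == "__main__":
    for name, pat in (("linear", LINEAR), ("pathological", PATHOLOGICAL)):
        print(f"{name}: growth x{backtracking_growth(pat):.0f}, suspect={is_suspect(pat)}")
```

The length guard is the cheap, always-on control; the growth probe is the kind of test a project can run against its own validator patterns so that a regex rewrite like the one in this resolution is caught before release rather than after a report from production.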

    Patches were applied in the following changesets:

    • Django development trunk: 11603.
    • Django 1.1 release series: 11604.
    • Django 1.0 release series: 11605.

    The following releases are being issued immediately:

    These releases are available on our download page and on PyPI.

    As this issue is being actively exploited in the wild, all users of affected versions of Django are strongly encouraged to upgrade or apply the appropriate patch immediately.

    Note regarding security reporting

    As mentioned above, this issue was initially disclosed publicly on a high-traffic mailing list. We'd like to remind our users that the correct channel for security reports is to send them to security@djangoproject.com. This allows the development team time to develop a solution and coordinate disclosure, both to the Django community as a whole and to the numerous third parties who maintain and distribute packaged versions of Django.

    When debating whether a particular issue impacts security, we ask that you err on the side of caution and always contact security@djangoproject.com; we will be more than happy to work with you in analyzing and assessing potential security issues.

    Posted by James Bennett on October 9, 2009

    Django 0.96.5 released

    The recent security-oriented releases of Django included what was intended to be the final supported release in the Django 0.96 series. However, an issue was discovered with the patch applied to the 0.96 release branch; a portion of the updated code was not correctly applied, and as a result the runserver command no longer functioned at all.

    To remedy this, tonight we have issued Django 0.96.5, which includes the full corrected code. The relevant changesets in the 0.96 release branch are:

    The following download is also available:

    All users of Django 0.96 are encouraged to upgrade, but are warned that this is the final release which will be issued in the Django 0.96 series, and official support for Django 0.96 is now ended.

    Posted by James Bennett on August 19, 2009

    Django 1.1 released

    After nearly a year of development, lots of new features and thousands of other improvements, Django 1.1 is here and ready for prime time!

    For a full rundown of what's new and what's changed, consult the release notes; to grab a copy, swing by the Django download page. And for the security-conscious, signed checksums for the release tarball are available.

    This release also contains the security update rolled out earlier tonight for older release series.

    Django 1.1 is the result of hard work by hundreds of people who've contributed code to Django and many more who've donated their time to reporting, triaging, tracking down and helping to fix bugs and develop new features. Django literally would not be able to happen without all of you, so stop and give yourselves (and any other contributors you know) a pat on the back.

    Thanks once again to everyone who's helped out, and we hope to see you all at DjangoCon 2009 in Portland, Oregon, and all along the path to Django 1.2.

    Posted by James Bennett on July 29, 2009

    Security updates released

    In accordance with our security policy, today the Django project is issuing a set of releases to remedy a vulnerability reported to us. This announcement contains a description of the vulnerability, a description of the changes made to fix it, and pointers to the patches for each supported version of Django.

    Also covered here is an unrelated issue which, though security-related and resulting in changes to future Django releases, is not being treated as a vulnerability in Django itself.

    Description of vulnerability

    Django includes a lightweight, WSGI-based web server for use in learning Django and in testing new applications during early stages of development. For sake of convenience, this web server automatically maps certain URLs corresponding to the static media files used by the Django administrative application.

    The handler which maps these URLs did not properly check the requested URL to verify that it corresponds to a static media file used by Django. As such, a carefully-crafted URL can cause the development server to serve any file to which it has read access.

    By default, the development server does not listen on interfaces other than the local IPv4 loopback, and Django's documentation has and will continue to have stern warnings against the use of the development server in other situations (e.g., listening on a publicly- or network-accessible interface), and stating that the development server is not considered secure or performant enough for such use.

    Affected versions

    • Django development trunk
    • Django 1.0
    • Django 0.96

    Resolution

    The development server's admin media handler has been patched to verify that the requested URL corresponds to a static media file which should be served, and to properly emit an HTTP 404 ("File Not Found") response when the URL does not correspond to such a file.
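The check described in this resolution, as an added Python example that is not the code of Django's development server: the requested URL path is percent-decoded, joined to the media root, fully resolved (so `..` segments and symlinks are normalised), and served only if the result is a regular file that still lies inside the media root; anything else is answered with a 404. The directory layout, file names and contents are constructed for the example.

```python
import tempfile
from pathlib import Path
from urllib.parse import unquote

# Constructed example, not Django's code. It shows the containment check the
# advisory describes: serve a file only if its resolved path lies inside the
# directory of static media that is meant to be served.


def build_media_root():
    """Create a throwaway layout with one servable file and one file that sits
    outside the media root and must never be served (both constructed)."""
    base = Path(tempfile.mkdtemp(prefix="devserver_example_"))
    root = base / "admin_media"
    (root / "css").mkdir(parents=True)
    (root / "css" / "base.css").write_text("body { margin: 0 }")
    secret = base / "settings.py"
    secret.write_text("SECRET_KEY = 'constructed-placeholder'")
    return root, secret


def resolve_media_path(media_root, url_path):
    """Map the URL path after the media prefix to a file under media_root.
    Returns the Path to serve, or None when the handler should answer 404."""
    root = Path(media_root).resolve()
    # Decode percent-escapes first so encoded dots and slashes are checked in
    # their real form, then drop leading slashes so the join stays relative.
    relative = unquote(url_path).lstrip("/")
    # resolve() normalises '..' segments and follows symlinks before we compare.
    candidate = (root / relative).resolve()
    # Containment check: the resolved target must be root or a descendant of it.
    try:
        candidate.relative_to(root)
    except ValueError:
        return None
    # Only regular files are served, never directories or missing paths.
    if not candidate.is_file():
        return None
    return candidate


def serve(media_root, url_path):
    """Minimal handler result: (status, body)."""
    target = resolve_media_path(media_root, url_path)
    if target is None:
        return 404, b""
    return 200, target.read_bytes()


if __name__ == "__main__":
    root, secret = build_media_root()
    for path in ("css/base.css", "../settings.py", "%2e%2e/settings.py", "css"):
        print(path, "->", serve(root, path)[0])
```

The comparison is done on the resolved path rather than on the raw string so that a request which only looks harmless before normalisation is judged on where it actually lands on disk.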

    Patches were applied in the following changesets:

    The following releases are being issued immediately:

    These releases are strongly encouraged upgrades for all users of affected versions of Django.

    The final release of Django 1.1, due within hours of these releases, will include the above patch from the development trunk.

    Secondary issue

    A common deployment strategy for Django in some types of hosting environments involves placing the server which handles Django behind some other web server, which then acts as an HTTP proxy. In such situations, the REMOTE_ADDR environment variable is typically the IP address of the proxy. For convenience, Django includes an optional middleware class -- django.middleware.http.SetRemoteAddrFromForwardedFor -- which updates the value of REMOTE_ADDR based on the HTTP X-Forwarded-For header commonly set by some proxy configurations.

    It has been demonstrated that this mechanism cannot be made reliable enough for general-purpose use, and that (despite documentation to the contrary) its inclusion in Django may lead application developers to assume that the value of REMOTE_ADDR is "safe" or in some way reliable as a source of authentication.

    While not directly a security issue (since relying on REMOTE_ADDR or similar values is widely known to be a worst practice), the Django team has decided to deprecate and begin the process of removing this middleware with the Django 1.1 release.

    This middleware class will be left as-is in the 1.0 and 0.96 release series, but in the 1.1 release series it will be replaced with a class which takes no action other than raising a deprecation error. It is expected that this placeholder warning class will be removed in the Django 1.2 release series.
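As an added Python example that is not Django's `SetRemoteAddrFromForwardedFor` middleware, the following contrasts the approach this section warns about (preferring the header whenever it is present) with the usual mitigation: trust `X-Forwarded-For` only when the connection came from one of your own proxies, and read the chain from the right so that entries a client supplied are skipped. The `TRUSTED_PROXIES` range and the WSGI environments are constructed for the example; the resulting address is still only an estimate for logging or rate limiting, as the text says, and not a basis for authentication.

```python
import ipaddress

# Constructed example, not Django's middleware. REMOTE_ADDR comes from the TCP
# connection and identifies the peer we actually spoke to; X-Forwarded-For is an
# ordinary request header that any client can set before a proxy appends the
# real peer address to it.

# Assumed address range of our own reverse proxies (constructed for the example).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _is_trusted(addr, trusted):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # malformed token: treat as untrusted
    return any(ip in net for net in trusted)


def naive_client_ip(environ):
    """The approach the advisory warns about: prefer the header whenever it is
    present. The leftmost entry is the one a client controls, so this value
    is attacker-chosen."""
    xff = environ.get("HTTP_X_FORWARDED_FOR")
    if xff:
        return xff.split(",")[0].strip()
    return environ["REMOTE_ADDR"]


def client_ip(environ, trusted=TRUSTED_PROXIES):
    """Walk the chain from the right, dropping proxies we operate; the first
    address we do not trust is the best available estimate of the client.
    It remains an estimate for logging or rate limiting, never for authentication."""
    hop = environ["REMOTE_ADDR"]
    if not _is_trusted(hop, trusted):
        return hop  # direct connection: the header has no trusted author
    chain = [a.strip() for a in environ.get("HTTP_X_FORWARDED_FOR", "").split(",")]
    for addr in reversed([a for a in chain if a]):
        if not _is_trusted(addr, trusted):
            return addr
    return hop  # every hop was one of our proxies


if __name__ == "__main__":
    # Constructed request: client 203.0.113.5 sent its own X-Forwarded-For value,
    # and our proxy 10.0.0.1 appended the peer address it observed.
    env = {"REMOTE_ADDR": "10.0.0.1",
           "HTTP_X_FORWARDED_FOR": "198.51.100.7, 203.0.113.5"}
    print("naive:", naive_client_ip(env), "trusted-chain:", client_ip(env))
```

Even the trusted-chain version depends on every proxy in the configured range appending the peer address it saw, which is exactly the deployment-specific assumption the text says cannot be made reliable in general-purpose library code.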

    Miscellaneous

    Please note that the release of Django 1.1 will trigger end-of-life for the Django 0.96 release series; as such, Django 0.96.4 will be the last official release in that series and it will no longer receive bugfix or security support directly from the Django development team.

    Posted by James Bennett on July 28, 2009

    Django 1.1 release candidate available

    As part of the Django 1.1 release process, tonight we've released Django 1.1 release candidate 1, a preview/testing package which, hopefully, is quite close to what will constitute the final Django 1.1 release. As with all pre-release packages, this is not for production use, but if you'd like to try out some of the new goodies coming in 1.1, or if you'd like to pitch in and help us fix bugs before the final 1.1 release (due in approximately one week), feel free to grab a copy and give it a spin.

    You can get a copy of the 1.1 RC from our downloads page, and we recommend you read the release notes. Also, for the security conscious, signed MD5 and SHA1 checksums of the 1.1 release candidate package are available.

    If no show-stopping bugs are found, the Django 1.1 final release will take place in one week. In the meantime, only critical release-blocking bugs will be considered for the final release. Django 1.1 is also now in string freeze; strings marked for translation will not change between now and the final release, so if you have translations to contribute now's the time.

    With luck, we'll see you back here in a week for the release of Django 1.1.

    Posted by James Bennett on July 21, 2009

    DjangoCon 2009

    Has it really been a year since DjangoCon 2008? Apparently so: registration for DjangoCon 2009 is now open! I'll let the conference chair, Robert Lofthouse, take over from here:

    DjangoCon '09 will be in Portland, Oregon at the DoubleTree Green Hotel between 8th and 12th September. The first 3 days are conference days and the last 2 days are sprint days.

    The keynote speakers will be:

    Registration is now open, and early bird rates are available through this Sunday, July 19th. The call for talk submissions is open through the 1st of August. You can keep up to date with the latest news at djangocon.org.

    DjangoCon '08 was a success at Google HQ in Mountain View (see videos from DjangoCon '08) and I'm sure we're going to have a lot of fun this time around as well.

    Hope to see you there!

    — Robert Lofthouse, DjangoCon Chairman

    Posted by Jacob Kaplan-Moss on July 13, 2009

    Django 1.1 status update

    It's well past time for a quick update on the status of Django 1.1:

    Anyone who's been following our development process and can read a calendar will probably have noticed that we've missed our originally-targeted ship date of April 13th. So we're now about a month behind.

    The reason for the schedule slip is pretty typical for most software projects: we reached the target date with a number of bugs still open. Putting out buggy code on time simply isn't an option, so we've been working to get these final issues closed before we ship any code.

    As I write this we have about fifty bugs still open (see the complete list here). I'm pretty hopeful about getting these fixed in short order: today is the first day of the EuroDjangoCon sprints, and we've got quite a turnout. A number of tricky bugs have been fixed already today.

    Unfortunately, many of these remaining issues are quite tricky. Ironically, this is caused by Django's general stability: we've already fixed all the easy bugs!

    We're not setting a timeline for the 1.1 release because the remaining issues are "blockers": they have to be fixed before we can put a release out. So while we're hoping to have the first release candidate out in a matter of days, this isn't a promise. We'll ship Django 1.1 when it's stable, and not a moment before.

    Thanks for your understanding, and watch this space for updates.

    Posted by Jacob Kaplan-Moss on May 7, 2009

    Django 1.1 beta released

    As part of the Django 1.1 release process, tonight we've released Django 1.1 beta 1, a preview package that shows off the new features coming in Django 1.1. As with all alpha and beta packages, this is not for production use, but if you'd like to try out some of the new goodies coming in 1.1, or if you'd like to pitch in and help us fix bugs before the final 1.1 release (due in April), feel free to grab a copy and give it a spin.

    You can get a copy of the 1.1 beta package from our downloads page, and we recommend you read the release notes. Also, for the security conscious, signed MD5 and SHA1 checksums of the 1.1 beta package are available.

    Our next stop will be the 2009 US PyCon in Chicago where, among other things, we'll be running development sprints targeted at producing the final Django 1.1 release. For a full 1.1 roadmap, see the 1.1 alpha release notes.

    Posted by Jacob Kaplan-Moss on March 23, 2009

    Django 1.1 alpha 1 released

    As part of the Django 1.1 release process, tonight we've released Django 1.1 alpha 1, a preview/testing package that gives a little taste of some of the new features coming in Django 1.1. As with all alpha and beta packages, this is not for production use, but if you'd like to try out some of the new goodies coming in 1.1, or if you'd like to pitch in and help us fix bugs before the final 1.1 release (due in March), feel free to grab a copy and give it a spin.

    You can get a copy of the 1.1 alpha package from our downloads page, and we recommend you read the release notes. Also, for the security conscious, signed MD5 and SHA1 checksums of the 1.1 alpha package are available.

    Our next stop will be the 2009 US PyCon in Chicago where, among other things, we'll be running development sprints targeted at producing a feature-frozen 1.1 beta package (for a full 1.1 roadmap, see the 1.1 alpha release notes).

    Posted by James Bennett on February 23, 2009

    PyCon 2009

    It's almost spring, and you know what that means: PyCon is here! Early-bird registration ends soon, so take advantage of the low prices and register now!

    PyCon's consistently among the best technical conferences in the world. The conference is chock-full of interesting talks about everything Python, and the unofficial parts of the conference (the "hallway track," open spaces, sprints, etc.) are even better.

    As with previous years, Django will be very well represented at PyCon.

    James Bennett and I will be teaching a tutorial, Django in the Real World, covering all the stuff you need to do after you've written your app. The tutorial's filling up, so if you're interested I recommend registering soon.

    New to PyCon 2009 are invited speakers: a select group of fantastic Python speakers invited to drop some knowledge. Adrian is one of the invited speakers, and he'll be giving us all a look behind the scenes of EveryBlock.com. I'm really looking forward to this!

    Then there's a whopping nine talks covering Django, including talks on Pinax, Google App Engine, Django on Jython, a panel discussing ORM design, and a talk with what has to be the most awesome title ever: Searching for Neutrinos Using Python at the Bottom of the World.

    Adrian and I will also deliver a "State of Django" talk discussing where the project is, and where it's going.

    Finally, after the talks end, the annual development sprint begins: four solid days of hacking! Anyone interested in working on Django is encouraged to attend, and note that the sprints at PyCon are open to anyone, not just PyCon attendees. So, if you're in Chicago feel free to stop on by!

    Early-bird registration ends in just a couple of days, so make sure to register soon to take advantage of the discounts!

    Hope to see lots of Djangonauts there!

    Posted by Jacob Kaplan-Moss on February 20, 2009