Status of 3.1 release blockers.

Status of 3.1 release blockers.

Mariusz Felisiak
Hi y'all,

Time to begin release process for the next major release, Django 3.1!

The 3.1 feature freeze is scheduled (according to https://code.djangoproject.com/wiki/Version3.1Roadmap) for May 11. We'll probably release the alpha a few days later.

We have a few larger patches we want to finish reviewing:

https://github.com/django/django/pull/12392 - Fixed #12990, Refs #27694 -- Added JSONField model field.
https://github.com/django/django/pull/12851 - Fixed #25236 -- Deprecated {% ifequal %} and {% ifnotequal %} template tags.
https://github.com/django/django/pull/12159 - Fixed #31034 -- Added a navigation sidebar to the admin.

Best,
Mariusz

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/77fd1697-76f2-413a-9242-0cc97eefe696%40googlegroups.com.

Re: Status of 3.1 release blockers.

Claude Paroz
Hi Mariusz,

I think we should also address:

https://code.djangoproject.com/ticket/30678 - GDAL 3 support

as release blocker, because more and more installations will have GDAL 3 by default and the backwards compatibility issues are serious. I'll try to prepare a patch ASAP. As this is only affecting GeoDjango projects, we might make an exception to the rule and fix it between alpha and beta, depending on the time it takes to solve it.

Claude


Re: Status of 3.1 release blockers.

Mariusz Felisiak
In reply to this post by Mariusz Felisiak
> I think we should also address:
>
> as release blocker, because more and more installations will have GDAL 3 by default and the backwards compatibility issues are serious. I'll try to prepare a patch ASAP. As this is only affecting GeoDjango projects, we might make an exception to the rule and fix it between alpha and beta, depending on the time it takes to solve it.

Agreed, I will check it on Monday.

Best,
Mariusz


Re: Status of 3.1 release blockers.

Mariusz Felisiak
In reply to this post by Mariusz Felisiak
Hi y'all,

The feature freeze was yesterday, so we've branched stable/3.1.x today and Claude has updated the translations catalogs. We're planning to do the alpha release this week, after fixing two confirmed regressions:

https://code.djangoproject.com/ticket/31566
https://code.djangoproject.com/ticket/31568

Best,
Mariusz


Re: Status of 3.1 release blockers.

James Bennett
I've been working on documentation updates to get the DEP 10
governance listed in the docs, but it's unlikely I'll be able to PR it
until this weekend. How do people feel about that also being included
in 3.1? It's not exactly a feature change, and it arguably corrects a
bug in that the docs as they exist now don't correctly describe the
way Django is governed...


Re: Status of 3.1 release blockers.

Mariusz Felisiak
In reply to this post by Mariusz Felisiak
Hi James,

Until the first release candidate (July 20) we will backport doc fixes and even cleanups, so you have time to finish this change. Documentation fixes are generally more freely backported, even to the last release branch.

Best,
Mariusz


Re: Status of 3.1 release blockers.

Mariusz Felisiak
Markus reported a release blocker #31842 related to running an app on multiple servers with different versions of Django (3.0.x or 3.1). Signatures created on servers with Django 3.1 are not valid on Django 3.0; it's not only about signing.loads()/dumps() but also about sessions etc. (see #27468). We have several possible approaches:
  • revert commits related with #27468,
  • change the default hashing algorithm to SHA-1,
  • add the new setting for the default hashing algorithm,
  • add the "algorithm" parameter to signing.dumps()/loads() (PR13260) and ignore the rest of the problem (it's probably not an option),
  • add the new setting "MIN_DJANGO_VERSION" and change the default hashing algorithm if it's 3.0 or less.
  • ... (ideas are welcome)
Best,
Mariusz


Re: Status of 3.1 release blockers.

Markus Holtermann
Thank you for summarizing our IRC discussion, Mariusz. To be clear, the problem occurs during the upgrade process where more than 1 server is involved. That might be the case in small deployments with just 2 servers, where the time of two Django versions running simultaneously is likely small, or on huge deployments over the course of days or weeks, when a staged rollout occurs.

Cheers, Markus

On Fri, Jul 31, 2020, at 11:28 AM, Mariusz Felisiak wrote:

> Markus reported a release blocker #31842
> <https://code.djangoproject.com/ticket/31842> related with running an
> app on multiple servers with different versions of Django (3.0.x or
> 3.1). Signatures created on servers with Django 3.1 are not valid on
> Django 3.0, it's not only about signing.loads()/dumps but also about
> sessions etc. (see #27468
> <https://code.djangoproject.com/ticket/27468>). We have several
> possible approaches:
>  * revert commits related with #27468,
>  * change the default hashing algorithm to SHA-1,
>  * add the new setting for the default hashing algorithm,
>  * add the "algorithm" parameter to signing.dumps()/loads() (PR13260
> <https://github.com/django/django/pull/13260>) and ignore the rest of
> the problem (it's probably not an option),
>  * add the new setting "MIN_DJANGO_VERSION" and change the default
> hashing algorithm if it's 3.0 or less.
>  * ... (ideas are welcome)
> Best,
> Mariusz

Re: Status of 3.1 release blockers.

Carlton Gibson-3
In reply to this post by Mariusz Felisiak
It looks like we need to add the algorithm to the function signatures, as per the PR, but also add an (immediately deprecated) migration setting, so folks can opt-in to the new algorithm when they’re updated.

Add the new setting default to sha1.
Raise a DeprecationWarning unless it’s set to sha256 (so folks can opt-in to the future.)
Remove setting, and change default to sha256, when 4.0?

Does that sound right? (Grrr.)


Re: Status of 3.1 release blockers.

Raffaele Salmaso-2
On Fri, Jul 31, 2020 at 11:47 AM Carlton Gibson <[hidden email]> wrote:
> Add the new setting default to sha1.
> Raise a DeprecationWarning unless it’s set to sha256 (so folks can opt-in to the future.)
> Remove setting, and change default to sha256, when 4.0?
>
> Does that sound right? (Grrr.)

I think this just moves the migration problem from 3.2 to 4.0.
What about the other way: add a migration setting set to the new algorithm, so those who really need sha1 can opt in to the old algorithm?

--

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CABgH4Jt0xXzXrFO8vAFFbF_zabF6xhFGnnTS1rJi_iWAT9fJRg%40mail.gmail.com.
Reply | Threaded
Open this post in threaded view
|

Re: Status of 3.1 release blockers.

Carlton Gibson-3
> I think this just move the migration problem from 3.2 to 4.0. 

My thought was the instant warning helped with that... BUT...

> What about the other way: add a migration setting set to new algorithm, so who really need sha1 can opt-in to old algorithm?

Yes, perhaps: default to the future sounds better. 


Re: Status of 3.1 release blockers.

אורי
In reply to this post by Mariusz Felisiak


On Fri, Jul 31, 2020 at 12:28 PM Mariusz Felisiak <[hidden email]> wrote:
> Markus reported a release blocker #31842 related with running an app on multiple servers with different versions of Django (3.0.x or 3.1).

I think it might be related to an issue I reported - #31592. Django 3.0 can't handle sessions created by Django 3.1.


Re: Status of 3.1 release blockers.

Raffaele Salmaso-2
In reply to this post by Carlton Gibson-3
On Fri, Jul 31, 2020 at 12:12 PM Carlton Gibson <[hidden email]> wrote:
> Yes, perhaps: default to the future sounds better.

What about:

django 3.2
* add a global settings set to sha1
* configure settings template to use sha256 so a new project will start with new algorithm
* add a warning to sha1 usage and instruction how to upgrade
django 4.0
* remove setting


Re: Status of 3.1 release blockers.

Markus Holtermann
In reply to this post by Raffaele Salmaso-2
No, it won't move the problem to 3.2. The problem is that 3.0 only knows about sha1. 3.1 and later know about sha1 and sha256. Meaning, any >=3.1,<4.0 version can decode and verify signed data from 4.0 and before.

Cheers

Markus
 
On Fri, Jul 31, 2020, at 12:08 PM, Raffaele Salmaso wrote:

> On Fri, Jul 31, 2020 at 11:47 AM Carlton Gibson
> <[hidden email]> wrote:
> > Add the new setting default to sha1.
> > Raise a DeprecationWarning unless it’s set to sha256 (so folks can opt-in to the future.)
> > Remove setting, and change default to sha256, when 4.0?
> >
> > Does that sound right? (Grrr.)
> I think this just move the migration problem from 3.2 to 4.0.
> What about the other way: add a migration setting set to new algorithm,
> so who really need sha1 can opt-in to old algorithm?
>
> --
> | Raffaele Salmaso
> | https://salmaso.org
> | https://bitbucket.org/rsalmaso
> | https://github.com/rsalmaso

Re: Status of 3.1 release blockers.

Raffaele Salmaso-2
On Fri, Jul 31, 2020 at 12:34 PM Markus Holtermann <[hidden email]> wrote:
> No, it won't move the problem to 3.2. The problem is that 3.0 only knows about sha1. 3.1 and later know about sha1 and sha256. Meaning, any >=3.1,<4.0 version can decode and verify signed data from 4.0 and before.

Sorry, s/3.2/3.1/ in all emails 😰


Re: Status of 3.1 release blockers.

Raffaele Salmaso-2
In reply to this post by Raffaele Salmaso-2
On Fri, Jul 31, 2020 at 12:23 PM Raffaele Salmaso <[hidden email]> wrote:
> On Fri, Jul 31, 2020 at 12:12 PM Carlton Gibson <[hidden email]> wrote:
> What about:

retry 😅

django 3.1
* add a global settings set to sha1
* configure settings template to use sha256 so a new project will start with new algorithm
* add a warning to sha1 usage and instruction how to upgrade
django 3.2
* set global setting set to sha256
django 4.0
* remove setting


Re: Status of 3.1 release blockers.

Carlton Gibson-3
In reply to this post by אורי
Hi Uri. 

On 31 Jul 2020, at 12:11, אורי <[hidden email]> wrote:
>
> On Fri, Jul 31, 2020 at 12:28 PM Mariusz Felisiak <[hidden email]> wrote:
> > Markus reported a release blocker #31842 related with running an app on multiple servers with different versions of Django (3.0.x or 3.1).
>
> I think it might be related to an issue I reported - #31592. Django 3.0 can't handle sessions created by Django 3.1.

Yes, it’s related. Your issue was downgrading IIRC. This is “can’t upgrade piecemeal” — but a solution may allow your use-case too. 

C.


Re: Status of 3.1 release blockers.

אורי
Hi Carlton,

I think a possible solution can be if Django 3.0 will be patched to handle sessions created by 3.1. This will allow both downgrading Django and running Django on several servers with 3.0 and 3.1 in parallel. If this is too late now to do it before releasing 3.1, maybe you can postpone this change (of hashing algorithm, if I understand correctly) to Django 3.2. And then of course, patch 3.0 and 3.1 to handle sessions created by 3.2.

On Fri, Jul 31, 2020 at 2:13 PM Carlton Gibson <[hidden email]> wrote:
> Hi Uri.
>
> On 31 Jul 2020, at 12:11, אורי <[hidden email]> wrote:
> >
> > On Fri, Jul 31, 2020 at 12:28 PM Mariusz Felisiak <[hidden email]> wrote:
> > > Markus reported a release blocker #31842 related with running an app on multiple servers with different versions of Django (3.0.x or 3.1).
> >
> > I think it might be related to an issue I reported - #31592. Django 3.0 can't handle sessions created by Django 3.1.
>
> Yes, it’s related. Your issue was downgrading IIRC. This is “can’t upgrade piecemeal” — but a solution may allow your use-case too.
>
> C.


Re: Status of 3.1 release blockers.

Carlton Gibson-3
Hey Uri. 

We’re not going to patch 3.0 now. (Risk of regression is too high — it’s why we have the backporting policy.) 

It’s 3.1’s job to be “forward compatible” - folks should be able to update. This is a difficult case in that it requires allowing running the old version at the same time as the new one, which isn’t something I’d like to encourage, but I agree with Simon on the issue, we need to provide a path.

Kind regards,
Carlton

On Fri, 31 Jul 2020 at 17:31, אורי <[hidden email]> wrote:
> Hi Carlton,
>
> I think a possible solution can be if Django 3.0 will be patched to handle sessions created by 3.1. This will allow both downgrading Django and running Django on several servers with 3.0 and 3.1 in parallel. If this is too late now to do it before releasing 3.1, maybe you can postpone this change (of hashing algorithm, if I understand correctly) to Django 3.2. And then of course, patch 3.0 and 3.1 to handle sessions created by 3.2.
>
> On Fri, Jul 31, 2020 at 2:13 PM Carlton Gibson <[hidden email]> wrote:
> > Hi Uri.
> >
> > On 31 Jul 2020, at 12:11, אורי <[hidden email]> wrote:
> > >
> > > On Fri, Jul 31, 2020 at 12:28 PM Mariusz Felisiak <[hidden email]> wrote:
> > > > Markus reported a release blocker #31842 related with running an app on multiple servers with different versions of Django (3.0.x or 3.1).
> > >
> > > I think it might be related to an issue I reported - #31592. Django 3.0 can't handle sessions created by Django 3.1.
> >
> > Yes, it’s related. Your issue was downgrading IIRC. This is “can’t upgrade piecemeal” — but a solution may allow your use-case too.
> >
> > C.


Re: Status of 3.1 release blockers.

Mariusz Felisiak
I've created a draft PR13262 with the new setting for the default hashing algorithm.

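
The mixed-fleet problem discussed in this thread, and the effect of a transitional signing setting, as an added example that is not part of the original posts and is not Django's own code. A plain HMAC signer stands in for the signing machinery; `Node`, `signs_with`, `accepts` and the key are hypothetical names and constructed values.

```python
import hashlib  # noqa: F401  (hmac resolves digest names through hashlib)
import hmac
from dataclasses import dataclass

SECRET_KEY = b"constructed-demo-key"  # constructed value standing in for a shared secret


class BadSignature(Exception):
    pass


def _mac(value: str, algorithm: str) -> str:
    """HMAC of value under the shared key, using the named digest."""
    return hmac.new(SECRET_KEY, value.encode(), algorithm).hexdigest()


@dataclass(frozen=True)
class Node:
    """One app server in the fleet (simplified model, hypothetical names)."""
    version: str
    signs_with: str   # digest used for newly issued signatures
    accepts: tuple    # digests tried when verifying

    def dumps(self, value: str) -> str:
        return f"{value}:{_mac(value, self.signs_with)}"

    def loads(self, signed: str) -> str:
        value, sep, mac = signed.rpartition(":")
        if sep:
            for algorithm in self.accepts:
                expected = _mac(value, algorithm)
                # Constant-time comparison; bytes avoid errors on non-ASCII input.
                if hmac.compare_digest(mac.encode(), expected.encode()):
                    return value
        raise BadSignature(f"{self.version} node rejected the signature")


def failing_pairs(fleet):
    """Return (signer, verifier) version pairs whose signatures do not verify."""
    failures = []
    for signer in fleet:
        token = signer.dumps("session-data")
        for verifier in fleet:
            try:
                verifier.loads(token)
            except BadSignature:
                failures.append((signer.version, verifier.version))
    return failures


# Old release: only knows sha1.
OLD = Node("3.0", signs_with="sha1", accepts=("sha1",))
# Upgraded node that signs with the new digest straight away.
NEW_SHA256 = Node("3.1", signs_with="sha256", accepts=("sha256", "sha1"))
# Upgraded node with the transitional setting left at sha1 during the rollout.
NEW_TRANSITIONAL = Node("3.1", signs_with="sha1", accepts=("sha256", "sha1"))

if __name__ == "__main__":
    print("no setting:  ", failing_pairs([OLD, NEW_SHA256]))
    print("with setting:", failing_pairs([OLD, NEW_TRANSITIONAL]))
    # Once the last old node is gone, signing switches to sha256; signatures
    # issued with sha1 during the rollout still verify on upgraded nodes.
    print("after switch:", NEW_SHA256.loads(OLD.dumps("session-data")))
```

The only failing direction in the mixed fleet is new-signer to old-verifier, which is why keeping signing on sha1 until every node is upgraded closes the gap without touching the old release.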