News

Posted over 6 years ago by Tim Graham
In accordance with our security release policy, the Django team is issuing Django 1.11.18, Django 2.0.10, and Django 2.1.5. These releases address the security issue detailed below. We encourage all users of Django to upgrade as soon as possible.

CVE-2019-3498: Content spoofing possibility in the default 404 page

An attacker could craft a malicious URL that could make spoofed content appear on the default page generated by the django.views.defaults.page_not_found() view. The URL path is no longer displayed in the default 404 template and the request_path context variable is now quoted to fix the issue for custom templates that use the path.

Affected supported versions

- Django master branch
- Django 2.1
- Django 2.0
- Django 1.11

Per our supported versions policy, Django 1.10 and older are no longer supported.

Resolution

Patches to resolve the issue have been applied to Django's master branch and the 2.1, 2.0, and 1.11 release branches. The patches may be obtained from the following changesets:

- On the master branch
- On the 2.1 release branch
- On the 2.0 release branch
- On the 1.11 release branch

The following releases have been issued:

- Django 1.11.18 (download Django 1.11.18 | 1.11.18 checksums)
- Django 2.0.10 (download Django 2.0.10 | 2.0.10 checksums)
- Django 2.1.5 (download Django 2.1.5 | 2.1.5 checksums)

The PGP key ID used for these releases is Tim Graham: 1E8ABDC773EDE252.

General notes regarding security reporting

As always, we ask that potential security issues be reported via private email to [email protected], and not via Django's Trac instance, Django's GitHub repositories, or the django-developers list. Please see our security policies for further information. This issue was publicly reported through a GitHub pull request, therefore we fixed the issue as soon as possible without the usual prenotification process.
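An added illustration, not part of the announcement and not Django's own code, of why quoting request_path matters for a custom 404 template. It assumes "quoted" means URL percent-encoding as performed by Python's urllib.parse.quote; the template string, function names and sample path are constructed for this example.

```python
from html import escape
from urllib.parse import quote, unquote

# Constructed sample: a request path as it appears on the wire.
SAMPLE_RAW_PATH = "/The%20page%20has%20moved%20to%20another%20site"


def wsgi_path(raw_path):
    """The application sees the percent-decoded path (assumed server behaviour)."""
    return unquote(raw_path)


def context_before(path):
    """Context with the decoded path passed through unchanged."""
    return {"request_path": path}


def context_after(path):
    """Context with the path percent-encoded again before it reaches the template."""
    return {"request_path": quote(path)}


def render_custom_404(context):
    """Stand-in for a custom 404 template that prints request_path.

    escape() models template auto-escaping: it neutralises markup, but it
    leaves plain words and spaces readable, so on its own it does not stop
    the path from reading as a sentence on the page.
    """
    return "<p>The requested URL %s was not found.</p>" % escape(
        context["request_path"]
    )


if __name__ == "__main__":
    path = wsgi_path(SAMPLE_RAW_PATH)
    print(render_custom_404(context_before(path)))
    print(render_custom_404(context_after(path)))
    # Ordinary paths are unaffected by quoting.
    print(render_custom_404(context_after("/blog/2019/01/")))
```

A regression test for a custom handler404 template can assert the same property: the rendered page must not contain the decoded text of the requested path.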
Posted over 6 years ago by Brian Moloney
After ten years of contributing to Django, four of which were paid as part of the Django Fellowship program, Tim Graham has decided to step down as a Django Fellow this spring to explore other things. Tim has made an extraordinary impact as a Django Fellow. The Django Software Foundation is grateful for his service and assistance.

The Fellowship program was started in 2014 as a way to dedicate high-quality and consistent resources to the maintenance of Django. As Django has matured, the DSF has been able to fundraise and earmark funds for this vital role. As a result, the DSF currently supports two Fellows - Tim and Carlton Gibson. With the departure of Tim, the Django Software Foundation is announcing a call for Django Fellow applications. The new Fellow will work alongside Carlton.

The position of Fellow is focused on maintenance and community support - the work that benefits most from constant, guaranteed attention rather than volunteer-only efforts. In particular, the duties include:

- Answering contributor questions on IRC and the django-developers mailing list
- Helping new Django contributors land patches and learn our philosophy
- Monitoring the [email protected] email alias and ensuring security issues are acknowledged and responded to promptly
- Fixing release blockers and helping to ensure timely releases
- Fixing severe bugs and helping to backport fixes to these and security issues
- Reviewing and merging pull requests
- Triaging tickets on Trac

Being a Django contributor isn't a prerequisite for this position. We'll consider applications from anyone with a proven history of working with either the Django community or another similar open-source community. Geographical location isn't important either - we have several methods of remote communication and coordination that we can use depending on the timezone difference to the supervising members of Django.
If you're interested in applying for the position, please email us describing why you would be a good fit along with details of your relevant experience and community involvement. Also, please include the amount of time each week you'd like to dedicate to the position (a minimum of 20 hours a week), your preferred hourly rate, and when you'd like to start working. Lastly, please include at least one recommendation.

Applicants will be evaluated based on the following criteria:

- Details of Django and/or other open-source contributions
- Details of community support in general
- Understanding of the position
- Clarity, formality and precision of communications
- Strength of recommendation(s)

Applications will be open until 1200 UTC, January 11, 2019, with the expectation that the successful candidate will be notified around January 25, 2019.
Posted over 6 years ago by Frank Wiles
It is that time of year again when we recognize someone from our community in memory of our friend Malcolm. Malcolm was an early core contributor to Django and had both a huge influence and large impact on Django as we know it today. Besides being knowledgeable he was also especially friendly to new users and contributors. He exemplified what it means to be an amazing Open Source contributor. We still miss him.

The DSF Prize page summarizes the prize nicely:

The Malcolm Tredinnick Memorial Prize is a monetary prize, awarded annually, to the person who best exemplifies the spirit of Malcolm’s work - someone who welcomes, supports and nurtures newcomers; freely gives feedback and assistance to others, and helps to grow the community. The hope is that the recipient of the award will use the award stipend as a contribution to travel to a community event -- a DjangoCon, a PyCon, a sprint -- and continue in Malcolm’s footsteps.

We will take nominations until Sunday, December 23rd AoE and will announce the winner soon after. Please make your nominations using this google form. If you have any questions please reach out to the DSF Board at [email protected].
Posted over 6 years ago by Frank Wiles
I'm pleased to announce the winners of our 2019 DSF Board of Directors election. In order of ranking, they are:

- Frank Wiles
- Katie McLaughlin
- Anna Makarudze
- James Bennett
- Jessica 'Deatz' Deaton
- Ola Tarkowska

Katie, Anna, James, and myself were re-elected for another term and we welcome our new Members, Jessica and Ola. We look forward to working with them in the new year.

I also want to take a moment to sincerely thank our retiring Board Members, Daniele Procida and Rebecca Conley, who have worked very hard over the last few years to advance the DSF. Their presence on the Board will be greatly missed.

This year we had 17 great candidates and while not everyone can get elected each year I hope they all consider running again in the 2020 election. Another item of note with this election is that our Board is now comprised of two thirds women, which is a first for the DSF.

We will all meet together to certify the election and set officers at our next Board meeting later this month. As always if you have questions about the Django Software Foundation please direct them to [email protected]. Happy Holidays!
Posted over 6 years ago by Carlton Gibson
Today we've issued the 2.1.4 and 1.11.17 bugfix releases. The release package and checksums are available from our downloads page, as well as from the Python Package Index. The PGP key ID used for this release is Carlton Gibson: E17DF5C82B4F9D00.
Posted over 6 years ago by Humphrey Butau and Daniele Procida
The 3rd edition of PyCon Zimbabwe was held from the 19th to the 20th of October, 2018 under the theme: “For the community, by the community”. The conference was hosted at Cresta Oasis Hotel in Harare, Zimbabwe.

Attendees

PyCon Zimbabwe 2018 attracted 80 delegates from around Zimbabwe, the USA and South Africa. The delegates included university students, lecturers, professionals and hobbyists.

Talks and Workshops

The first day of the conference was dedicated to talks which covered a variety of subjects that included topics on machine learning, solving financial problems with Python and blockchain technologies among others. The talks included:

- Python and the AI revolution – Dr Panashe of the University of Zimbabwe took delegates on the future of Machine Learning with Python
- Bit Mari Smart Contracts with Python – Tongayi Choto shared how they are using block chain technology with Python to help small scale farmers in Zimbabwe to access capital.
- GraphQL and Python – Wedzerayi Muyengwa from Steward Bank took the audience through the journey of creating APIs with Flask and GraphQL.
- Geo-spatial Data in Python and PostgreSQL - Nick Doiron of McKinsey and Company conducted a workshop on how to make interactive maps with Python and PostgreSQL database management system.
- Components and configuration in Reahl - by Iwan Vosloo

The second day of the conference was dedicated to workshops and tutorials. Delegates were taken through practical tutorials on deep learning, data science with Tensorflow and creating interactive maps with Python and PostgreSQL. On the final day Bit Mari, a local startup, sponsored prizes for a hackathon which was held to come up with solutions for small scale traders based in the high density areas of Harare using Python.

Sponsorship

The third edition of PyCon Zimbabwe would not have happened had it not been for the generosity of the Django Software Foundation.
With the prevailing, unfavorable economic situation in Zimbabwe, we almost cancelled the conference. We were unfortunate that a financial crisis of high magnitude manifested itself towards the days of the conference and threw our initial plans into disarray as local companies were not keen to support as they wanted the situation to improve first. Despite this however, with the support we got from the DSF we were able to convene the best conference to date since the inception of PyCon Zimbabwe in 2016. With the financial support we got from the DSF we were able to heavily subsidize the tickets whose value had been eroded overnight by the financial crisis. We also managed to secure a decent venue for the 2 day convention. We were also able to provide financial assistance to some of the delegates who included 15 women.

Takeaways

The Python Zimbabwe community is alive and growing. The 2018 conference was dominated by newcomers. More than half of the attendees were people who had never attended the first two conferences in 2016 and 2017. At the conference we discovered other interest groups such as the Harare School of AI and BitMari Inc who are doing amazing things with Python. Present at the conference was a local fintech startup, Bitmari, who added diversity to the discussions with their activities on block-chain and bitcoin. They sponsored a hackathon with the hope of working with some of the participants. For us, the organizers, this is a success as it achieves one of our goals, which is to expose local Python developers to the world and potential recruiters. We also had professionals from a local banking institution, whom we hope to work with next year in organizing the next conference. The conference also exposed another group of enthusiastic Python developers: Geo-spatial data scientists, from the Forestry Commission and some from the University of Zimbabwe who attended Nick Doiron’s workshop.
Finally we would like to thank DSF for partnering with us as we managed to host a very successful PyCon Zimbabwe 2018.
Posted over 6 years ago by Daniele Procida
I'm standing down from my position on the Django Software Foundation Board, having served for three years as the DSF's Vice-President (it's a nice role to have - but not nearly as grand as it sounds). Unfortunately, people do in fact often think that being on the DSF board is somehow a grand role, an exclusive kind of position for exclusive people, or even that it's only for people who somehow "deserve" to be Board members.

Needless to say, that's really not true. Each one of the six Board members is there because:

- they put themselves forward as a Board member
- the DSF membership voted for them

In other words, they are Board members because other people felt they were suited to the role. We do this each year, and each year we rely on members of our community to step forward in sufficient numbers as candidates, so that six of them can be selected. Obviously, this only works if people put themselves forward. Less obviously, it only works well if the people who put themselves forward represent all of our community, and are not just ones who are already well-known and visible members of it.

In this respect, we've been moving in the right direction. Last year's election had the biggest-ever number of candidates, and this year's Board reflects a greater diversity. We'd like to continue in that direction, by encouraging not just more people to consider standing for election, but also to encourage people who might not otherwise have thought they were qualified.

Could you be a useful Board member?
You need:

- to be able to commit to administrative and clerical tasks, and work through things like grant requests, proposals, email messages and so on
- to be able to participate in online meetings, sometimes - depending on your timezone - at unattractive hours
- to be able to follow things up, even sometimes tedious ones
- to be able to do what you said you were going to do
- to be able to pay attention to the needs and concerns of the Django community and its stakeholders
- to have the time and energy to do this (for at least a whole year).

You don't need special skills, just ordinary ones, and to be able to apply them to the work that needs to be done. Nearly everyone has the skills needed.

Do you deserve the honour?

It is an honour to serve on the Board, and it's a position of responsibility that shouldn't be taken lightly. But that doesn't mean that it's given as an honour, as a position that people earn, or deserve - it's a job that they volunteer to take on, and anyone who is prepared to do what the job entails is as fit for it as anyone else. You will find being voted in to a position helps dispel any doubts you might have about whether you "deserve" to be in. (Even the process of writing a short statement about yourself, why you're standing and what you would like to achieve if elected can make a difference to how you feel about that.)

What is it like to be on the Board?

Please see the article I wrote last year: What it's like to serve on the DSF Board (short version: it's not very mysterious).

It's your turn

I've enjoyed serving on the Board, and I'm very grateful to have had the opportunity. Three years though is enough for me, and it will give me the chance to do some more of the other Django things I've been able to do less of since then. As well as helping keep the ship on a steady course, I've been able to use the position to make a difference.
This is reflected in for example the DSF's sustained support for African Python and Django communities, and our recent call for proposals for the development of a Django Software Foundation membership management system. To be on the Board is to be in a position where you can help get things done. I hope that there are many other people who also have ideas about things that should be done in the world of Django, and who are prepared to dedicate time and energy to them, and that they will consider putting themselves forward to serve on the Board.

Not everyone who stands will be elected - with only six places on the Board, most people won't be. That shouldn't stop you. It's not a popularity contest, or a matter of being chosen for an honour. It's being chosen to do a job, as a volunteer, and just the act of standing is already performing a service to the Django community.

Submit yourself as a candidate

You only have a couple of days left in which to submit yourself as a candidate - the form will be available only until the end of the 29th November.
Posted over 6 years ago by Frank Wiles
It's that time of year again where we elect the Django Software Foundation Board of Directors. If you're interested in helping contribute back to Django and the Django Community we encourage you to stand for this year's election. To run this year please fill out this election form by November 29th, 2018 AoE.

Not sure if you want to be a Board Member?

Being a DSF Board Member is a great way to contribute time rather than code or money. If there is something in our community you would like to change or improve being a Board Member puts you in a position to effect change. While some of the officer positions do require more of a time commitment the average Member typically spends just a few hours a month helping to direct the DSF. We have one roughly hour-long meeting each month to conduct the main business and correspond via email/Trello/etc for smaller matters.

Typical meetings involve topics such as:

- Approval/discussion of conferences
- Awarding grants for events such as the many DjangoGirls events around the world
- Policy and Process changes to membership, voting, structure, etc.
- Fundraising
- Awarding the Malcolm Tredinnick Memorial Prize
- Board Member led initiatives

This year, in particular, we are in need of someone interested in taking on the role of Treasurer. One of the more time-consuming officer positions.

If you have any questions about the Board or being a Board Member please do not hesitate to reach out to me directly at [email protected], any of our current Board Members, or all of us at once at [email protected].
Posted almost 7 years ago by Daniele Procida
The DSF wishes to put in place a system for the nomination, approval and accession of Individual Members. The DSF wants to expand its membership, not just in number, but also in diversity. The current mechanisms in place for bringing on new members are not wholly satisfactory. The DSF seeks proposals to design and implement a system to improve the membership nomination system. A budget of USD$5,000 - USD$8,000 has been made available. Proposals including a timeline and budget should be forwarded to the DSF Board.

Basic requirements

This process and its implementation will include:

- a web-based system for gathering nominations
- a mechanism allowing members to comment
- a system to record formal votes of DSF members
- a system by which the DSF Board can give final approval
- a system to ease the administration burden of adding new users

Exactly how all these parts are implemented is open to proposal.

Principles of DSF individual membership

The process and its implementation must be in line with four principles:

- Membership follows service: Individual Members are appointed by the DSF in recognition of their service to the Django community
- Membership represents belonging: Membership should represent belonging rather than merely joining. It signifies welcoming of an individual into a group.
- Membership should empower: Becoming a member should enable the individual to help take charge of the direction of our community, and act within it with more confidence, knowing that their thoughts and ideas will have value in the eyes of others, and that their initiatives are likely to find support. Above all, it should affirm to them their right to participate, take action and disagree.
- Becoming a member should be meaningful: If membership represents a place in the community rather than simply an administrative or legal entitlement, then becoming a member should have some meaning attached to it.
Membership process

The process therefore needs to:

- not just allow, but also encourage, nominations that clearly explain the service the individual has made to the community, and the value of that service. A mechanism needs to be created by which existing members can be alerted of nominations that are made (e.g. via the DSF email list, or to individual mailboxes, or some other way).
- encourage and allow existing members to respond in ways that will stand as a record within the DSF (e.g. on its email list), and will in turn help show the nominee why they belong. All responses and expressions of approval should be visible to newly-elected members, so that they can see that they are valued and welcomed by individuals who have taken the trouble to say so.
- give new members, some of whom may be less confident of their place in the community than others, reasons to feel that they are entitled to act as members of the community. The process should reflect the new members’ achievements and contributions back to them at the same time as sharing them with the community, to help make clear to them that they (and their opinions and activities) are positively valued.
- give new and existing members the sense that it is a matter of significance to be elected to the DSF membership. New members should feel proud about their nomination and accession, and understand what it means (it should not leave them feeling unsure or baffled about its significance).

Implementation

Where membership-related activity takes place

At present, the key forum for DSF member interaction is the email list (in the future, there could also be a Slack/IRC/Telegram channel or something else). Whatever the main point of contact for the worldwide DSF membership is, the nomination, discussion and the entry of new members should be highlighted on it. The canonical list of DSF members is held on the Django Project website. The system should be integrated into this.
Engagement of existing members

At present, the DSF membership does not do a very consistent job of nominating new members. The system should prompt and remind members to think of potential nominees (e.g. an automated monthly message).

Self-nomination

The system should allow non-members to nominate themselves, as well as being nominated by others. In doing so it should make it easy for those people to provide the right kind of information about what they do, so that a person reading it, who doesn’t yet know them, will be in a position to make an informed judgement (and ultimately, an enthusiastic endorsement) of them. Successfully eliciting this information in a form that fulfills this need is not easy.

In order to avoid creating two tiers of DSF member (those who were enthusiastically nominated, seconded and welcomed by others, and those who had to nominate themselves, with little response or enthusiasm from others) the self-nomination process must make it possible for self-nominated members to enjoy the same kind of reception. Ways to achieve this could include:

- guiding self-nominees to write strong descriptions and proposals for themselves (e.g. providing an example of a good self-nomination)
- automatically circulating their names to the membership, so that an existing member who knows them, or may know someone who knows them, is prompted to “sponsor” the nomination
- advising a self-nominee to contact an existing member they may know, who could sponsor them (this will be especially important for self-nominees with fewer connections)

Ultimately, a self-nominee deserves to be welcomed with the same kind of warmth that other nominees receive, and the system must find ways to overcome the natural difficulties in achieving this.

Administration

As far as possible, the system should reduce the burden of managing nominations.
A single interface, as part of the Django Project website, should:

- prompt and encourage nominations
- accept nominations
- allow voting and positive comments
- share comments with the membership in a way that encourages further engagement
- allow the DSF board to approve a nomination
- when approved, add the nominee to the Django Project website, DSF email list or other forum, etc
- automate some basics of induction/welcome for new members
- automate a public announcement of their accession on Twitter

Negative flags

Only positive endorsements of a nominee should be circulated by the system amongst the DSF membership. Members however should be able to raise a flag if they have a concern about a particular nomination. This will be referred to the DSF Board, to be dealt with appropriately.

Proposals

Proposals for implementing a system should be forwarded to the DSF Board. Please include as much detail as you feel able to in an initial proposal. Your proposal should include:

- a timeline for implementation
- a budget

The Board will also welcome questions and requests for clarification.
Posted almost 7 years ago by Carlton Gibson
Today we've issued the 2.1.3 bugfix release. The release package and checksums are available from our downloads page, as well as from the Python Package Index. The PGP key ID used for this release is Carlton Gibson: E17DF5C82B4F9D00.