Posted
about 15 years
ago
I think most people have already seen the news, but EuroDjangoCon 2009 is a go! DjangoCon 2008 was such a blast that we're doing it again, this time in Europe.
EuroDjangoCon 2009 will be held in Prague, Czech Republic from May 4th to May
... [More]
6th. The conference will be followed by two days of development sprints (May 7th and 8th).
Robert Lofthouse is once again the organizer and conference chair; he's got an awesome set of speakers lined up. Keynoters will be Blaine Cook (Osmosoft), Joe Stump (Digg), Leah Culver (Six Apart), and (ahem) yours truly. Tickets are now on sale, and you can find out all the rest of the details over at http://euro.djangocon.org/.
Hope to see you there! [Less]
|
Posted
over 15 years
ago
Shortly after last week's Django 1.0.1 release, several people noted that the packaging script used to produce the release omitted several directories from the Django source tree; mostly this affected some unit tests, but at least one of the omitted
... [More]
directories affected the use of Django itself (specifically, of django.contrib.gis). So tonight we're issuing Django 1.0.2, which is built around an updated packaging script and should resolve these problems.
This is a recommended upgrade for anyone using or targeting Django 1.0 or Django 1.0.1; to obtain a copy, swing by the downloads page, and don't forget to read the release notes. For the security conscious, a signed file containing the package's checksums is, as always, available. [Less]
|
Posted
over 15 years
ago
Following the previously-announced schedule, today the Django team
has released Django 1.0.1. This is a bugfix-only release containing fixes and improvements to the Django 1.0 codebase, and is a recommended upgrade for anyone using or targeting
... [More]
Django 1.0.
For full details, check out the 1.0.1 release notes, and to grab a copy of Django 1.0.1, visit the downloads page. For the security-conscious, a file containing checksums of the 1.0.1 package, signed with the release manager's key, is available.
And with Thanksgiving coming up in the US, your friendly local release manager would like to pause for a moment and express thanks, on behalf of myself and the Django development team, for all the work put in by all the members of our community to help keep the releases coming, the tickets triaged and the bugs fixed. We wouldn't be able to do it without all of you, so give yourselves a big pat on the back and see if you can't sneak an extra slice of pie come Thanksgiving dinner.
We'll see you again in a few months, for either Django 1.0.2 or Django 1.1. Happy holidays! [Less]
|
Posted
over 15 years
ago
Following the previously-announced schedule, today the Django team
has released Django 1.0.1 beta 1; this is a preview of the upcoming
Django 1.0.1 release, which consists solely of bugfixes and other
improvements to the Django 1.0 codebase. This
... [More]
package also follows
our policy of maintaining compatibility in the 1.0 release series.
Though it's labeled a "beta", this package is considered to be of
production quality; we're releasing it as a preview of Django 1.0.1,
and the primary goal of this package is to give users of Django 1.0 an
idea of what's been fixed in the codebase since the 1.0 release. If
there's a particular issue you're interested in which doesn't seem
to be resolved in Django 1.0.1 beta, please consider helping the
Django team to fix it by working to develop a patch (see the
contribution guidelines for details); Django 1.0.1 is currently
scheduled for release on November 14, 2008, which provides a roughly
two-week window for submitting patches (and please keep in mind that
patches intended for inclusion in 1.0.1 should be against the 1.0.X
branch and not trunk).
As such, this release is mostly of interest to developers who want to help out with the Django development process; the final Django 1.0.1 release next month, however, will be a recommended upgrade for all users of Django 1.0.
Also, this beta release does not contain release notes, as there are
no new features, only bugfixes. When the final Django 1.0.1 release is
issued next month, a list of resolved issues since 1.0 will be
included in lieu of release notes.
For verification purposes, a file containing the MD5 and SHA1
checksums of the 1.0.1 beta package has been placed on the
djangoproject.com server. The file is PGP-signed with the Django
release manager's key; this key has the ID 0x8C8B2AE1 and can be
obtained from, e.g., the MIT PGP keyserver. [Less]
|
Posted
over 15 years
ago
With Django 1.0 out the door and a successful inaugural DjangoCon
behind us, it's time to look ahead to the future, which includes two
releases:
Django 1.1, currently targeted for release in March 2009.
Django 1.0.1, currently targeted for
... [More]
release next month.
Both of these releases, of course, will follow our policy of maintaining compatibility in the 1.0 release series.
Django 1.1 timeline
At the moment, we're aiming to release Django 1.1 on or around March
16, 2009, or roughly six months following the release of Django
1.0. As covered in our release process documentation, the 1.1
release cycle will consist of three phases: feature proposal, feature
work and bugfixing/polishing. Since Django 1.1 is happening on a
six-month schedule, that means two months for each phase of
development; the relevant dates for 1.1 have already been discussed on
the django-developers mailing list, but here's the quick breakdown
(these dates are still rough estimates, and may change as needed):
November 10, 2008: A draft feature list for 1.1 will be posted.
November 15, 2008: The 1.1 feature list will be finalized, and
no new feature proposals will be accepted for 1.1.
January 15, 2009: All major features must be merged into Django
trunk, trunk will go into the initial 1.1 feature freeze and work
will shift to bugfixes.
March 16, 2009: Django 1.1 will be released. As with 1.0, Django
1.1 will be preceded by several pre-release packages to help focus
development effort and isolate bugs.
March is still quite a ways off, of course, but keep in mind that the
feature-proposal window will be closing in a couple of weeks; if
there's something you'd really like to see in Django 1.1 and you
haven't already started a discussion of it on the django-developers
list, you'll want to do so quickly.
Django 1.0.1 timeline
In the much more immediate future, we're preparing to release Django
1.0.1, which will consist solely of bugfixes and similar improvements
to the Django 1.0 codebase. Django 1.0.1 will be a recommended upgrade
for anyone who's currently using or migrating to Django 1.0.
Because 1.0.1 will only involve bugfixes, with no feature additions to
propose or test, the release process for it will be somewhat
abbreviated. Here are the key dates:
October 31, 2008: Django 1.0.1 beta. Though it will be called a
"beta" release, this will mainly serve as a preview of 1.0.1, and
will be production-quality; its primary purpose will be to give
folks an idea of what's been fixed since the 1.0 release and a last
opportunity to submit patches for any fixes they'd like to see make
into into 1.0.1 final.
November 14, 2008: Django 1.0.1 will be released.
From an administrative perspective, the 1.0.1 release will not
involve any special categorization or milestones in the ticket
tracker; with a release of this type, administrivia in Trac is far less
important than simple working code, and any bug is a candidate for
fixing up until the day of the release. So if there's a particular
issue you'd like to see solved for 1.0.1, the best way to ensure the
fix makes it into the release is to provide a working patch. As
always, preferential treatment will be given to patches which match
our contribution guidelines, especially to patches which include
unit tests that both demonstrate the bug and demonstrate the success
of the solution. Also, remember that patches for 1.0.1 should be
created against the 1.0.X release branch, rather than against
trunk. [Less]
|
Posted
over 15 years
ago
No, you’re not hallucinating, it’s really here.
Around three years ago, Adrian, Simon, Wilson and I released some code to the
world. Our plan was to hack quietly on it for a bit, release a solid 1.0
release, and then really get the ball rolling.
... [More]
Well.
What happened, of course, was that an amazing community sprung up literally
overnight — our IRC channel had over a hundred people in it the day after
release, and it’s never been that “empty” since.
I really can’t stress enough how amazing our community of users and developers
are. About half of the code that’s gone into Django over the past three years
has been contributed by someone other than a core committer. Since our last
stable release, we’ve made over 4,000 code commits, fixed more than 2,000 bugs,
and edited, added, or removed around 350,000 lines of code. We’ve also added
40,000 lines of new documentation, and greatly improved what was already there.
Django 1.0 represents a the largest milestone in Django’s development to date: a
web framework that a group of perfectionists can truly be proud of. Without this
amazing community, though, it would have never happened.
You can download Django 1.0 on the Django downloads
page, and read the complete release
notes.
For distributors and for verification purposes, a file containing the MD5 and
SHA1 checksums of the 1.0 package has been placed on the djangoproject.com
server. This file
is PGP-signed with the Django release manager’s public key. This key has the ID
0x8C8B2AE1 and can be obtained from, e.g., the MIT PGP
keyserver. [Less]
|
Posted
over 15 years
ago
In accordance with the (updated) Django 1.0 release roadmap, today we've released the first release candidate for Django 1.0.
To grab a copy of the release candidate, head over to the Django downloads page, and be sure to read the release notes.
... [More]
Please keep in mind, though, that this release is not meant for production use, and is intended primarily for developers who are interested in checking out the new features in 1.0 and helping to identify and resolve bugs prior to the final release. The 1.0 alpha and beta releases and release candidates will not receive long-term support and will not be updated with security fixes, since their main purpose is to serve as a stepping-stone on the path to the final Django 1.0, due to be released as soon as possible..
For distributors and for verification purposes, a file containing the MD5 and SHA1 checksums of the release candidate package has been placed on the djangoproject.com server. This file is PGP-signed with the Django release manager's public key. This key has the ID 0x8C8B2AE1 and can be obtained from, e.g., the MIT PGP keyserver. [Less]
|
Posted
over 15 years
ago
In accordance with our security policy, today the Django project is
issuing a set of releases to fix a security vulnerability reported to
us. This message contains a description of the vulnerability, a
description of the changes made to fix it
... [More]
, and pointers to the patches
for each supported version of Django.
Description of vulnerability
The Django administration application, as a convenience for users
whose sessions expire, will attempt to preserve HTTP POST data from an
incoming submission while re-authenticating the user, and will -- on
successful authentication -- allow the submission to continue without
requiring data to be re-entered.
Django developer Simon Willison has presented the Django development
team with a proof-of-concept cross-site request forgery (CSRF) which
exploits this behavior to perform unrequested deletion/modification of
data. This exploit has been tested and verified by the Django team,
and succeeds regardless of whether Django's bundled CSRF-protection
module is active.
Affected versions
Django development trunk
Django 0.96
Django 0.95
Django 0.91
Resolution
As it represents a persistent vector for CSRF attacks, this behavior
is being removed from Django; henceforth, attempted posts from users
whose sessions have expired will be discarded and the data will need
to be re-entered.
This is, then, backwards-incompatible with existing behavior and may
be considered a feature removal; however, the Django team feel that
the security risks of this feature outweigh its minor utility.
The fix for this issue was applied to the Django repository in
changeset 8877, which contains the relevant changes for each affected
version
Based on these changes, the Django team is issuing three new releases:
Django 0.96.3: http://www.djangoproject.com/download/0.91.3/tarball/
Django 0.95.4: http://www.djangoproject.com/download/0.95.4/tarball/
Django 0.91.3: http://www.djangoproject.com/download/0.96.3/tarball/
The relevant patch has been applied to Django trunk as well, and so
will be included in the forthcoming Django 1.0 release candidate (to
be issued later today) and the final Django 1.0 release.
All users of affected Django versions are encouraged to upgrade
immediately.
A file containing the MD5 and SHA1 checksums of the new release
packages has been placed on the djangoproject.com server.
This file is PGP-signed with the Django release manager's public
key. This key has the ID 0x8C8B2AE1 and can be obtained
from, e.g., the MIT PGP keyserver
Release manager's note
If you are currently maintaining and distributing a packaged version
of Django (e.g., for a Linux or other Unix distribution), or if you
are a hosting company which officially supports Django as an option
for customers, and you did not receive an advance notification of
this issue, please contact Django's release manager (James Bennett,
james at b-list dot org) as soon as possible so that you can be added
to the list of known distributors who receive such notifications. [Less]
|
Posted
over 15 years
ago
In accordance with the (updated) Django 1.0 release roadmap, today we've released the second "beta" testing version of Django 1.0.
To grab a copy of 1.0 beta 2, head over to the Django downloads page, and be sure to read the release notes. Please
... [More]
keep in mind, though, that this release is not meant for production use, and is intended primarily for developers who are interested in checking out the new features in 1.0 and helping to identify and resolve bugs prior to the final release. The 1.0 alpha and beta releases will not receive long-term support and will not be updated with security fixes, since their main purpose is to serve as a stepping-stone on the path to the final Django 1.0, due to be released on September 2, 2008.
As of this release, Django is officially in a feature freeze for 1.0; from here on out, we'll only be working on bugs and stability before the final 1.0 release. If you'd like to help out, please review our documentation for contributors and feel free to join in one of the development sprints scheduled for the run up to 1.0. [Less]
|
Posted
over 15 years
ago
Come help us celebrate the release of Django 1.0!
Next week is going to be huge. We’ll be releasing Django 1.0 early in the week, and then the first DjangoCon kicks next Friday.
To celebrate the release of Django 1.0, we’ll be holding a dinner
... [More]
party at the Tied House in Mountain View on Saturday, September 6th at 7pm. The date and time are designed to tie in with DjangoCon, but anyone is invited — especially those who can’t attend DjangoCon.
We’ve reserved the whole restaurant for Django friends and fans. Dinner starts at 7pm, and the festivities should continue until about 10:30 or so. The party’s free, though the dinner and drinks aren’t. Tied House has good food and great beer; come hungry!
To make the night extra fun, we’ll be holding “lightning talks” at the party — five minute presentations on various Django-related topics. We’ll be asking speakers at the conference to present vastly twimmed-down versions of their conference talks, and we’ll be opening the floor up to anyone to present their own cool shit.
Tied House is located in downtown Mountain View (map). For DjangoCon attendees, that’s about 15 minutes away from the conference venue; we’ll caravan over (and provide transportation for folks without cars) right after the day’s talks end.
If you’ll be coming, please RSVP so that we can get an accurate headcount.
We’re also looking for sponsors for the party, so if you’re interested please contact us.
We hope to see you all there! [Less]
|