
Establish permanent process for staying up-to-date with Django security patches

Open nedbat opened this issue 1 year ago • 3 comments

Django has a disciplined process for announcing and releasing security patches: https://docs.djangoproject.com/en/4.2/releases/security/

What can we do to ensure that BTR is aware of these patches, and applies them regularly?

nedbat avatar Jul 03 '23 15:07 nedbat

Hey @nedbat, thanks for bringing this to our attention. I'm currently working on a task related to this issue: https://github.com/openedx/wg-security/issues/5. Part of the plan is to establish a process to track new Django updates, particularly the security patches, so we can ensure that no Django patch will be missed in the future.

I'll keep everyone updated on the progress and on when we can expect this to be live.

magajh avatar Jul 06 '23 17:07 magajh

Hi @magajh, do we have an update on this? I found this PR, but it's still a draft: https://github.com/openedx/wg-build-test-release/pull/300. Let us know what you need from us. Thanks!

mariajgrimaldi avatar Aug 16 '23 13:08 mariajgrimaldi

Hi @mariajgrimaldi, thanks for following up. I'll be focusing on testing and improving the PR #300 this week to move it from draft to ready for review. If there are any specific requirements or tests you'd like me to consider, please let me know. Thanks!

magajh avatar Aug 30 '23 13:08 magajh

Update: we've now got a process in place to keep Django security patches on our radar.

A "security patcher" role has been created within the BTR, thanks to collaboration between @jalondonot and @feanil (Security Working Group lead). This role will ensure security for Open edX releases by collaborating with the Security Working Group, prioritizing patches, leading testing, documenting vulnerabilities, and keeping dependencies secure. This includes making sure Django security fixes are applied regularly.

Additionally, a document outlining the process for identifying and applying security patches has been created: link to document.

This process may evolve further once issue https://github.com/openedx/wg-build-test-release/issues/317 gets fully addressed, but in the meantime, we have a well-defined process in place for regular application of Django security patches.

magajh avatar Jun 05 '24 13:06 magajh