Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Establish permanent process for staying up-to-date with Django security patches #296

Closed
nedbat opened this issue Jul 3, 2023 · 4 comments
Assignees
Labels
security Relates to improving to the security posture of the platform

Comments

@nedbat
Copy link
Contributor

nedbat commented Jul 3, 2023

Django has a disciplined process for announcing and releasing security patches: https://docs.djangoproject.com/en/4.2/releases/security/

What can we do to ensure that BTR is aware of these patches, and applies them regularly?

@nedbat nedbat converted this from a draft issue Jul 3, 2023
@magajh
Copy link

magajh commented Jul 6, 2023

Hey @nedbat thanks for bringing this to our attention. I'm currently working on a task related to this issue openedx/wg-security#5. Part of the plan is to establish a process to track new Django updates, particularly the security patches, so we can ensure that no Django patch will be missed in the future

I'll keep everyone updated on the progress and when we can expect this to be live

@magajh magajh self-assigned this Jul 6, 2023
@mariajgrimaldi mariajgrimaldi moved this from Backlog to In progress in Build-Test-Release Working Group Jul 10, 2023
@magajh magajh added the security Relates to improving to the security posture of the platform label Jul 24, 2023
@mariajgrimaldi
Copy link
Member

Hi @magajh, do we have an update on this? I found this PR, but it's still a draft: #300. Let us know what you need from us. Thanks!

@magajh
Copy link

magajh commented Aug 30, 2023

Hi @mariajgrimaldi, thanks for following up. I'll be focusing on testing and improving the PR #300 this week to move it from draft to ready for review. If there are any specific requirements or tests you'd like me to consider, please let me know. Thanks!

@magajh
Copy link

magajh commented Jun 5, 2024

Update: we've now got a process in place to keep Django security patches on our radar

A "security patcher" role has been created within the BTR, thanks to collaboration between @jalondonot and @feanil (Security Working Group lead). This role will ensure security for Open edX releases by collaborating with the Security Working Group, prioritizing patches, leading testing, documenting vulnerabilities, and keeping dependencies secure. This includes making sure Django security fixes are applied regularly.

Additionally, a document outlining the process for identifying and applying security patches has been created: link to document.

This process may evolve further once issue #317 gets fully addressed, but in the meantime, we have a well-defined process in place for regular application of Django security patches.

@magajh magajh closed this as completed Jun 5, 2024
@github-project-automation github-project-automation bot moved this from In progress to Done in Build-Test-Release Working Group Jun 5, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
security Relates to improving to the security posture of the platform
Projects
Development

No branches or pull requests

3 participants