Hey @nedbat thanks for bringing this to our attention. I'm currently working on a task related to this issue openedx/wg-security#5. Part of the plan is to establish a process to track new Django updates, particularly the security patches, so we can ensure that no Django patch will be missed in the future.
I'll keep everyone updated on the progress and when we can expect this to be live.
Hi @mariajgrimaldi, thanks for following up. I'll be focusing on testing and improving the PR #300 this week to move it from draft to ready for review. If there are any specific requirements or tests you'd like me to consider, please let me know. Thanks!
Update: we've now got a process in place to keep Django security patches on our radar.
A "security patcher" role has been created within the BTR, thanks to collaboration between @jalondonot and @feanil (Security Working Group lead). This role will ensure security for Open edX releases by collaborating with the Security Working Group, prioritizing patches, leading testing, documenting vulnerabilities, and keeping dependencies secure. This includes making sure Django security fixes are applied regularly.
Additionally, a document outlining the process for identifying and applying security patches has been created: link to document.
This process may evolve further once issue #317 gets fully addressed, but in the meantime, we have a well-defined process in place for regular application of Django security patches.
Django has a disciplined process for announcing and releasing security patches: https://docs.djangoproject.com/en/4.2/releases/security/
What can we do to ensure that BTR is aware of these patches, and applies them regularly?
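One concrete check that a process like the one discussed in this thread could automate is comparing the Django version a release pins against the newest security release on that Django series. The script below is an added example written for this page; it is not Open edX's own tooling and not part of the process document mentioned above. It assumes a pip-style requirements or constraints file containing a `django==X.Y.Z` line, and the release table it consults is constructed sample data standing in for Django's security release announcements, not a record of real releases; the `check_pin` helper and the `check_django_pin.py` file name are likewise assumptions.

```python
"""Flag a Django pin that is older than the newest security release on its
series.  Added example for this thread, not Open edX's own tooling.

Assumptions: the pin lives in a pip-style requirements/constraints file
containing a `django==X.Y.Z` line, and the release table below is
constructed sample data standing in for Django's security release
announcements (https://docs.djangoproject.com/en/4.2/releases/security/);
it is not a record of real Django releases."""

import re
import sys
from typing import Iterable, Optional, Tuple

Version = Tuple[int, int, int]

# Constructed sample data: version strings of hypothetical security
# releases, each keyed to a note. Replace with the real announcement feed.
SAMPLE_SECURITY_RELEASES = {
    "4.2.7": "constructed example: security release on the 4.2 series",
    "4.2.11": "constructed example: later security release on the 4.2 series",
    "5.0.3": "constructed example: security release on the 5.0 series",
}

# Django versions are major.minor[.patch]; a pre-release suffix such as
# "5.1a1" is tolerated by ignoring it (assumption: production pins do not
# point at pre-releases).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")

# Matches `django==4.2.7`, `Django[argon2]==4.2.7`, `django == 4.2.7 ; marker`.
PIN_RE = re.compile(
    r"^\s*django(?:\[[^\]]*\])?\s*==\s*([0-9][0-9A-Za-z.]*)", re.IGNORECASE
)


def parse_version(text: str) -> Version:
    """Turn '4.2.7' into (4, 2, 7); a missing patch component counts as 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Django version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def format_version(v: Version) -> str:
    return ".".join(str(part) for part in v)


def find_django_pin(requirements_text: str) -> Optional[Version]:
    """Return the pinned Django version from pip-style text, or None.
    Comments are stripped first so a commented-out pin is not picked up."""
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0]
        m = PIN_RE.match(line)
        if m:
            return parse_version(m.group(1))
    return None


def newest_security_release(pinned: Version, releases: Iterable[str]) -> Optional[Version]:
    """Newest security release on the same major.minor series as `pinned`."""
    same_series = [v for v in map(parse_version, releases) if v[:2] == pinned[:2]]
    return max(same_series) if same_series else None


def check_pin(requirements_text: str, releases: Iterable[str] = SAMPLE_SECURITY_RELEASES):
    """Classify the pin as a tuple:
    ('behind' | 'ok' | 'unknown-series' | 'no-pin',
     pinned version string or None, newest security release string or None)."""
    pinned = find_django_pin(requirements_text)
    if pinned is None:
        return ("no-pin", None, None)
    latest = newest_security_release(pinned, releases)
    if latest is None:
        # No security release known for this series: say so explicitly
        # rather than silently reporting "ok".
        return ("unknown-series", format_version(pinned), None)
    status = "behind" if pinned < latest else "ok"
    return (status, format_version(pinned), format_version(latest))


if __name__ == "__main__":
    # Usage: python check_django_pin.py [constraints.txt]
    # Without a path it runs on a constructed pin so the example is self-contained.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = "django==4.2.7  # constructed sample pin\nrequests==2.31.0\n"
    status, pinned, latest = check_pin(text)
    print(f"django pin {pinned}: {status} (newest security release on series: {latest})")
    sys.exit(1 if status == "behind" else 0)
```

The non-zero exit on `behind` is what makes this usable as a CI gate; the `unknown-series` outcome is deliberately not treated as a pass, since a series absent from the release table is exactly the case where a human should look.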