Hi guys, I’m keen to hear if there are currently any plans to bump Django to the current stable or LTS release?
Mainly coming from a security perspective here – Django 1.6.x has been out of extended support for close to 2 years and is not receiving security fixes anymore. Considering that Sentry can hold sensitive information about servers and application environments, I feel slightly uncomfortable running a production instance on an unsupported web framework.
So my question: is there some sort of roadmap for upgrading Django in the near future? Not an immediate feature request, but I’d like to hear how you guys feel about this. I know upgrading Django from 1.6 & South can be painful, but I haven’t come across any major breaking changes since 1.8 LTS (which is still in support until April 2018). I feel like the longer Sentry depends on Django 1.6, the harder it will get to keep up with security patches in the future?
We maintain security patches and most of the Django security stuff is implemented on our side. So we don’t see a major rush for doing this.
At least I am personally still involved and pay attention to new Django issues and security releases to determine if they apply to us and we need to do something to mitigate for ourselves. Unfortunately for now, this is much easier than upgrading to 1.8 or beyond.
There’s not. We typically have our own implementations of things entirely. We don’t apply patches from Django directly. Sometimes we backport modules from newer Django. For example: https://github.com/getsentry/sentry/blob/master/src/sentry/auth/password_validation.py Granted, not a security patch, but it’s an example of pulling things that are useful for us.
There has not been a recent Django security issue that has actually affected us to point you to something. But if there were, we’d be patching it on our side and working around it.