Discussion:
problem marketing django to php folk
Kenneth Gonsalves
2005-11-26 07:34:17 UTC
hi,
have been talking to some php folk about switching to django, but
they have raised a serious concern: Django website does not have a
page for security alerts and the django team has not released any
security patches - so they feel very uneasy about the whole thing.
Can this defect somehow be rectified?
--
regards
kg

http://www.livejournal.com/users/lawgon
tally ho! http://avsap.org.in
ಇಂಡ್ಲಿನಕ್ಸ வாழ்க!
Tom Tobin
2005-11-26 07:44:26 UTC
Post by Kenneth Gonsalves
hi,
have been talking to some php folk about switching to django, but
they have raised a serious concern: Django website does not have a
page for security alerts and the django team has not released any
security patches - so they feel very uneasy about the whole thing.
Can this defect somehow be rectified?
Err... 1.0 isn't even out yet. :-D
Ian Holsman
2005-11-26 07:54:23 UTC
There isn't any found yet?

but seriously.. we should have a 'security' page which covers django
'best-practices' in that area.
there has been some recent discussion on the developer list about how
to accept parameters defensively.

There is also a cross site request forgery prevention component here:
http://lukeplant.me.uk/resources/csrfmiddleware/

regards
Ian.
Post by Kenneth Gonsalves
hi,
have been talking to some php folk about switching to django, but
they have raised a serious concern: Django website does not have a
page for security alerts and the django team has not released any
security patches - so they feel very uneasy about the whole thing.
Can this defect somehow be rectified?
--
regards
kg
http://www.livejournal.com/users/lawgon
tally ho! http://avsap.org.in
ಇಂಡ್ಲಿನಕ್ಸ வாழ்க!
--
***@Holsman.net -- ++61-3-9877-0909
If everything seems under c
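The CSRF prevention component Ian links to is Luke Plant's middleware; the following is an added illustration written for this thread, not his code and not part of Django, showing the shape such a check takes: a token derived from the session so it cannot be guessed or reused across sessions, a constant-time comparison on every state-changing request, and a response step that injects the hidden field into POST forms. The server secret, the `request` dict layout (keys `method`, `cookies`, `POST`) and the field name are assumptions for the example.

```python
# Added example: a minimal CSRF token check in the style of a request/response
# middleware. Not Luke Plant's csrfmiddleware and not Django's implementation.
import hmac
import hashlib

# Assumed server-side secret (constructed for the example; a real deployment
# would load it from settings, never from source).
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"

# Methods that must not change server state and therefore need no token.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
TOKEN_FIELD = "csrfmiddlewaretoken"  # assumed form field name


def make_csrf_token(session_id: str) -> str:
    """Derive the token from the session id with an HMAC, so a token captured
    from one session is useless in another and cannot be forged without the
    server secret."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_check(request: dict) -> tuple:
    """Return (allowed, reason) for a constructed request dict with keys
    'method', 'cookies' and 'POST'."""
    method = request.get("method", "GET").upper()
    if method in SAFE_METHODS:
        return True, "safe method"

    session_id = request.get("cookies", {}).get("sessionid")
    if not session_id:
        # No session means no token could have been issued; refuse rather
        # than fall back to an unauthenticated path.
        return False, "no session cookie"

    submitted = request.get("POST", {}).get(TOKEN_FIELD, "")
    expected = make_csrf_token(session_id)
    # compare_digest avoids leaking the expected value through timing.
    if not hmac.compare_digest(submitted.encode(), expected.encode()):
        return False, "CSRF token missing or invalid"
    return True, "token valid"


def inject_token(html: str, session_id: str) -> str:
    """Response side: add the hidden field to each POST form so that forms
    served by the site carry a valid token for this session."""
    field = '<input type="hidden" name="%s" value="%s">' % (
        TOKEN_FIELD, make_csrf_token(session_id))
    return html.replace('<form method="post">', '<form method="post">' + field)


if __name__ == "__main__":
    sid = "session-abc123"  # constructed session id
    page = inject_token('<form method="post"><input name="amount"></form>', sid)
    print(page)
    good = {"method": "POST", "cookies": {"sessionid": sid},
            "POST": {TOKEN_FIELD: make_csrf_token(sid)}}
    forged = {"method": "POST", "cookies": {"sessionid": sid}, "POST": {}}
    print(csrf_check(good))    # (True, 'token valid')
    print(csrf_check(forged))  # (False, 'CSRF token missing or invalid')
```

Binding the token to the session is the point: a cross-site page can make the victim's browser send the cookie, but it cannot read the token that the legitimate form carried, so the forged POST fails the check.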
GrumpySimon
2005-11-26 09:57:42 UTC
I created 631 ( http://code.djangoproject.com/ticket/631 ) a few months
ago for this very reason :-)

--Simon
Adrian Holovaty
2005-11-26 18:36:06 UTC
Post by Kenneth Gonsalves
have been talking to some php folk about switching to django, but
they have raised a serious concern: Django website does not have a
page for security alerts and the django team has not released any
security patches - so they feel very uneasy about the whole thing.
Can this defect somehow be rectified?
Let me get this straight. They're worried that nobody has found
security holes in Django? I guess I don't understand the logic there:
"No security issues have been found; therefore it's insecure"?

But seriously, there haven't been any security-related fixes in Django
since July 19 (http://code.djangoproject.com/changeset/230), when
about 2 people were using it. I guess you could count
http://code.djangoproject.com/changeset/1242, which changed the debug
page's behavior not to display the database password and secret key,
but that's hardly a huge thing.

Jacob has drafted a "Contributing to Django" page, which has a full
section on how we handle security bugs/alerts, but he hasn't posted
that to the site yet. It will have the full scoop on how we handle
security problems if they arise.

Adrian

--
Adrian Holovaty
holovaty.com | djangoproject.com | chicagocrime.org
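Adrian mentions a changeset that stopped the debug page from displaying the database password and secret key. As an added illustration (not the code from changeset 1242 and not Django's own settings cleansing), the block below shows the defensive pattern behind such a fix: every setting whose name suggests a credential is replaced with a fixed mask before rendering, and the masking recurses into nested dictionaries so a password inside a DATABASES-style structure is hidden too. The marker list, the settings dict and the rendering format are assumptions for the example.

```python
# Added example: masking sensitive settings before they reach a debug page.
# Not Django's implementation; marker list and layout are constructed.
from typing import Any

# Assumed name fragments that mark a setting as sensitive.
SENSITIVE_MARKERS = ("SECRET", "PASSWORD", "TOKEN", "KEY", "SIGNATURE")
HIDDEN = "********************"


def is_sensitive(name: str) -> bool:
    """A setting is treated as sensitive by name, never by value: values are
    not inspected, so an empty or unusual-looking password is still hidden."""
    upper = str(name).upper()
    return any(marker in upper for marker in SENSITIVE_MARKERS)


def cleanse(name: str, value: Any) -> Any:
    """Return a display-safe copy of `value`, masking it when its key is
    sensitive and recursing into dicts, lists and tuples otherwise."""
    if is_sensitive(name):
        return HIDDEN
    if isinstance(value, dict):
        return {k: cleanse(k, v) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        # Sequence members inherit their container's name for the check.
        return type(value)(cleanse(name, v) for v in value)
    return value


def cleansed_settings(settings: dict) -> dict:
    """Only upper-case names count as settings (the convention the example
    assumes); each one is passed through cleanse()."""
    return {name: cleanse(name, value)
            for name, value in settings.items() if name.isupper()}


def render_debug_settings(settings: dict) -> str:
    """Plain-text rendering of the masked settings, one per line."""
    cleaned = cleansed_settings(settings)
    return "\n".join("%s = %r" % (k, cleaned[k]) for k in sorted(cleaned))


if __name__ == "__main__":
    # Constructed settings resembling a project configuration.
    SETTINGS = {
        "DEBUG": True,
        "SECRET_KEY": "constructed-secret",
        "DATABASES": {
            "default": {"ENGINE": "sqlite3", "PASSWORD": "hunter2"},
        },
        "ALLOWED_HOSTS": ["localhost"],
        "helper_value": 42,  # lower-case: not a setting, not rendered
    }
    print(render_debug_settings(SETTINGS))
```

Keying the decision on the setting name rather than its value is deliberate: a value-based filter would have to recognise every credential format, while a name-based one fails closed for anything called a password, key or token, whatever it holds.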
Dagur
2005-11-26 22:37:19 UTC
I'd be paranoid too if I used php
