The Django version currently in use for EvalAI (1.11.23) is now being marked as insecure by requires.io. While 1.11.23 was a security release and is much safer than its previous versions, it can still be major trouble in the future as Django will end support for all 1.x versions in April 2020.
The Django version should be updated to 2.2 so that we won't have to make major changes urgently in the API when a new vulnerability is discovered in Django.
However, this can be a big change; many dependencies will have to be updated to support the new version. Along with API updates for Django, the API for these dependencies will also have to be updated.
I think the best way to proceed would be to:
Edit:
Please test and make sure to verify the validity and compatibility of suggestions with EvalAI's current master branch.
@nikochiko is this issue open?
I would like to work on this.
Yes, the issue is open!
But heads up, the maintainers haven't shared their opinions yet. And as it will be a big decision to bump Django, this is only a "spike" task for now.
@adrijshikhar Would you still like to work on it?
Can I take this up?
@devanshbatra04 I don't think @adrijshikhar or anyone else is working on this so you can take it. But it will be a lot of work. :+1:
@devanshbatra04 Sure!
@Rishabhjain2018 I think this issue is free as @devanshbatra04 is working on another issue, #2686. So can I take it?
@Suryansh5545 please go ahead, I have my exams so won't be able to work on either issue this week.
Hey @nikochiko @RishabhJain2018 I think porting the complete backend from Django 1.11 to 2.2 is in itself a big task and would take time. So can we break it into small tasks so that multiple people would be able to work on it?
@apoorvkhare07
Yes, the first task is to update Django from 1.11.23 to 1.11.28, I think @Suryansh5545 is already working on it.
I want to add that the official docs mention this:
If you’re upgrading through more than one feature version (e.g. 2.0 to 2.2), it’s usually easier to upgrade through each feature release incrementally (2.0 to 2.1 to 2.2) rather than to make all the changes for each feature release at once. For each feature release, use the latest patch release (e.g. for 2.1, use 2.1.15).
The same incremental upgrade approach is recommended when upgrading from one LTS to the next.
So we can have separate tasks for testing and adding changes for each move (1.11 -> 2.0 and 2.0 -> 2.1 and so on).
@RishabhJain2018, your input?
@nikochiko in a previous issue I discussed with @RishabhJain2018 and there is a plan to upgrade from 1.11. Also @apoorvkhare07, at this time I am unable to work on this issue so if you want then you can take this issue. After 3 March my exam will be finished, then I will be able to work on it. If someone doesn't take it
Hey @Suryansh5545, can I take this issue, if you are not working on this issue?
@ritikchauhan-01 Sure, go ahead
@ritikchauhan-01 are you still on it? Looking to contribute to this if I can.
@Rubix982 OK, go ahead.