Django Weblog: DjangoCon Australia 2019: Tickets on sale 🎟️

For the 7th year running, DjangoCon Australia is coming up on August 2nd. Just like last year, the sibling conference to DjangoCons EU and US is held in Sydney at the International Convention Centre.

DjangoCon Australia is a one-day event, organized as a specialist track as part of PyCon AU. Packed with talks about best practices, communities, contributions, and the present and future of Django, DjangoCon Australia 2019 will be bigger than ever.

There are still tickets available for DjangoCon Australia and PyCon AU. You can join for one day with tickets starting at AU$ 150 for just the DjangoCon AU day, or AU$ 490 for all three days. We also have significant discounts for student attendees, as well as Contributor ✨ tickets for those who want to help financially support the conference.

The schedule for DjangoCon Australia and all of PyCon AU is already live, so take a look at what we have in store.

Buy your ticket before July 9 to ensure you get one of the famous PyCon AU t-shirts in a size that fits you. Shirts for DjangoCon Australia will be revealed and details announced on the day.

We hope to see you in Sydney next month!

Leigh Brenecki, Markus Holtermann, DjangoCon Australia organizers

Planet Python

Django Weblog: Unauthenticated Remote Code Execution on djangoci.com

Yesterday the Django Security and Operations teams were made aware of a remote code execution vulnerability in the Django Software Foundation’s Jenkins infrastructure, used to run tests on the Django code base for GitHub pull requests and release branches. In this blog post, the teams want to outline the course of events.

Impact

The Django Security and Operations teams want to assure users that at no point was there any risk of malicious releases of Django being issued or uploaded to PyPI or the Django Project website. Official Django releases have always been issued manually by releasers. Neither was there any risk to any user data related to the Django Project website or the Django bug tracker.

Timeline

On May 14th, 2019 at 07:48 UTC the Django Security team was made aware by Ai Ho, through its HackerOne project, that Django’s Continuous Integration service was susceptible to a remote code execution vulnerability, allowing unauthenticated users to execute arbitrary code.

At 08:01 UTC, the Django Security team acknowledged the report and took immediate steps to mitigate the issue by shutting down the primary Jenkins server. The Jenkins master server was shut down by 08:10 UTC.

At 08:45 UTC, the Operations team started provisioning a new server. In cases of a compromised server, it is almost always impractical to clean it up. Starting with a fresh, clean installation is a considerably better and safer approach.

At 14:59 UTC, the new Jenkins master server was up and running again, with some configuration left to do to get Jenkins jobs working again. About 10 minutes later, at 15:09 UTC, jobs were working again.

At 15:44 UTC, Jenkins started running tests against GitHub pull requests again.

At 16:00 UTC, the Operations team discussed the necessity of revoking various Let’s Encrypt certificates or keys. However, since there was no indication that either the account or the certificate’s private key was exposed, it was deemed sufficient to rely on the auto-expiration of the Let’s Encrypt certificate. A new private key for the djangoci.com certificate was nonetheless generated during the bootstrapping of the new Jenkins master server.

At 16:50 UTC, the Jenkins Windows nodes were working again and started to process jobs.

General notes regarding security reporting

As always, we ask that potential security issues be reported via private email to security@djangoproject.com or HackerOne, and not via Django’s Trac instance or the django-developers list. Please see our security policies for further information.


Gocept Weblog: Celebration: Zope 4 final release

TL;DR: Zope 4 beta phase ended, final version released!

After hard, long years of preparation Earl Zope has now finally managed to get a permanent license for the Python 3 wonderland: In September 2016 almost 20 people started with the reanimation of Zope at the Zope Resurrection sprint. This marked the beginning of a wonderful journey for Earl Zope himself and for the people who helped him. In August 2017 Earl Zope became aware that his Python 2 country will irreversibly be destroyed by 2020. Earl Zope successfully applied for a beta permission for the Python 3 wonderland in September 2017. This beta permission has been extended 9 times to give Earl Zope time to become a good citizen in his new home country.

Earl Zope says a big thank you to all who:

  • contributed to the Python 3 migration even before the resurrection sprint
  • wrote bug reports
  • fixed bugs
  • contributed time and/or money for the migration process
  • encouraged the developers
  • tested beta versions or even used them in production

To be welcome in the Python 3 wonderland many nuts had to be cracked:

  • porting of the code of Zope and its dependencies to Python 3
  • rewrite of RestrictedPython from scratch
  • develop a migration strategy for the ZODB contents aka Data.fs
  • polish the user interface of the Zope management interface (ZMI)
  • and many more…

Earl Zope is looking forward to a happy future in the Python 3 wonderland. He has not yet given up his residence in the Python 2 land. This is planned to happen shortly before or after the Python 2 sunset at the beginning of 2020, when the son of Earl Zope IV becomes the new Earl Zope V. See the roadmap for details.


Gocept Weblog: Zope Spring Cleaning: Last minute information

As the beta permission of Earl Zope in the Python 3 wonderland was extended in October 2018, gocept invites Zope developers to the upcoming sprint from 08.05. till 10.05.2019 in Halle (Saale), Germany, to continue working together on what is still left.

We aim to polish the last dusty spots on Earl Zope for the final permission to Python 3 wonderland aka the final 4.0 release. As Plone and other applications based on Zope have finally found a way to migrate a ZODB Data.fs created with Python 2 to Python 3, the obstacles for this final permit are almost gone.

So if you have questions concerning migrating databases, it is a good time to join or open an issue on GitHub. As many people are working on Zope during these days, the probability of a quick answer is high.

As an organizational tool to coordinate the work, we again use GitHub projects, as they allow cross-repository tracking of issues.

Our current schedule:

  • Wednesday:
    • 8:15 Breakfast at gocept kitchen
    • 9:00 Welcome at gocept office and start sprinting afterwards
    • 12:30 Lunch
    • 13:30 Happy sprinting
    • between 15:00 and 16:00 coffee break
    • 18:00 Lights out
    • Going to a local pub
  • Thursday:
    • 8:15 Breakfast
    • 9:00 Standup
    • 12:30 Lunch
    • 13:30 Happy sprinting
    • between 15:00 and 16:00 coffee break
    • 17:00 A game of boules if the weather permits it
    • Going to a local pub
  • Friday:
    • 8:15 Breakfast
    • 9:00 Standup
    • 12:30 Lunch
    • 13:30 Happy sprinting
    • 15:00 Closing meeting
    • 16:00 Lights out

Parking: As Saltlabs is located in a pedestrian zone, the availability of parking spots is rather low. Please use one of the parking decks nearby.

One last hint: The location of the sprint is Leipziger Str. 70, Halle (Saale), Germany.
