socallinuxexpo / SCALE-Planning

SCALE Planning
http://www.socallinuxexpo.org

provision new SCALEReg server #217

Closed irabinovitch closed 7 years ago

irabinovitch commented 8 years ago

We need to provision a new server for SCALE Reg. @leizleiz let us know when you're ready for this and what you need. We've generally been migrating from Debian to Centos. Is that ok for you?

leizleiz commented 8 years ago

Probably? If we do Centos, then we'll have to play with the alternative install methods listed in [6] and see what works best for us. Detailed thoughts below.

Scalereg is still on Django 1.4, which is ancient by Django standards, and no longer supported by upstream Django as of October 2015, so we probably need to port to a newer version of Django. The question is, which Linux distro best supports Django? Once we figure that out, and what version of Django we will install, we'll know what version to target.

My main concern with Django is security. [1] is a list of security issues. If you drill down to CVE-2016-6186 [2] you'll see it says "Per our supported versions policy, Django 1.7 and older are no longer receiving security updates." So upstream Django Project currently provides support for Django 1.8, 1.9, and the 1.10 release candidates. Looking at [3], 1.8 is a LTS release, so it's probably sensible to pick that. Also note by 2020, we may be forced to use Python 3. -_-

Now that we have an idea of what we would like to use based on Django Project's support, let's look at the distro side:

Debian 8 stable has 1.7.7 packaged, and even though upstream is no longer supporting 1.7.x, the Debian package maintainer has backported the fix. How well will the Debian package maintainers keep up an upstream-unsupported branch? Based on their track record for Debian 7, I felt they did a good job on the python-django package w.r.t. security updates.

On the Centos side, there is no Django package in Centos. Instead, there are a bunch of alternatives [6]. The first is using the EPEL repo [7]. But that seems out of the question as EPEL provides Django 1.6, and the .rpm is 4 months old. Is it affected by CVE-2016-6186? Who knows?! [6] offers other alternatives, like using pip, virtualenv, or downloading a dev version of Django via git. Presumably, we can also download a 1.8 stable release tarball instead of the dev version if we liked. With all of these alternative install methods, whoever admins the server has the responsibility of keeping Django up to date. Am I going to be the admin here? I don't mind, but it does mean one more thing to keep track of, instead of just a timely apt-get upgrade in Debian land. OTOH, if we go with an alternative install on Centos, we can actually get 1.8.

[1] https://docs.djangoproject.com/en/1.9/releases/security/
[2] https://www.djangoproject.com/weblog/2016/jul/18/security-releases/
[3] https://www.djangoproject.com/download/#supported-versions
[4] https://packages.debian.org/jessie/python-django
[5] https://www.debian.org/security/2016/dsa-3622
[6] https://www.digitalocean.com/community/tutorials/how-to-install-the-django-web-framework-on-centos-7
[7] https://dl.fedoraproject.org/pub/epel/7/x86_64/p/

irabinovitch commented 8 years ago

@leizleiz thanks for the detailed write up. You can probably be as much of the admin on this as you choose.

@jaymzh and others have been doing work to automate provisioning of our other systems in Chef. I guess it's a question of if we want to take advantage of that or 'roll your own' for SCALEReg. I'm fine either way as long as we have a plan.

CC: @jaymzh @jhoblitt and @hriday for their thoughts.

irabinovitch commented 8 years ago

@leizleiz Let us know what you decide and we'll get you a box. Hoping we can launch reg in early August.

leizleiz commented 8 years ago

@irabinovitch Let's give Centos a whirl since everything else is Centos. I'll just roll my own local Django 1.8 install and we can all keep an eye out for Django updates.

irabinovitch commented 8 years ago

OK. Ready for an instance? 4GB memory sufficient for now?

leizleiz commented 8 years ago

Sounds good.

irabinovitch commented 8 years ago

New server is online and handed off to Lei.

irabinovitch commented 7 years ago

@leizleiz anything left before we can close this?

leizleiz commented 7 years ago

I think we are all good here.