Recent Entries

From The Django weblog on Feb. 12, 2019, 10:22 a.m.

Django bugfix release: 2.0.13

Today we've issued the 2.0.13 bugfix release.

The release package and checksums are available from our downloads page, as well as from the Python Package Index. The PGP key ID used for this release is Carlton Gibson: E17DF5C82B4F9D00.

From The Django weblog on Feb. 11, 2019, 2:35 p.m.

Django bugfix releases: 2.1.7, 2.0.12 and 1.11.20

Today we've issued the 2.1.7, 2.0.12 and 1.11.20 bugfix releases.

The release package and checksums are available from our downloads page, as well as from the Python Package Index. The PGP key ID used for this release is Carlton Gibson: E17DF5C82B4F9D00.

From The Django weblog on Feb. 11, 2019, 10:52 a.m.

Django 2.2 beta 1 released

Django 2.2 beta 1 is now available. It represents the second stage in the 2.2 release cycle and is an opportunity for you to try out the changes coming in Django 2.2.

Django 2.2 has a salmagundi of new features which you can read about in the in-development 2.2 release notes.

Only bugs in new features and regressions from earlier versions of Django will be fixed between now and 2.2 final (also, translations will be updated following the "string freeze" when the release candidate is issued). The current release schedule calls for a release candidate in a month from now with the final release to follow about two weeks after that around April 1. Early and often testing from the community will help minimize the number of bugs in the release. Updates on the release schedule are available on the django-developers mailing list.

As with all alpha and beta packages, this is not for production use. But if you'd like to take some of the new features for a spin, or to help find and fix bugs (which should be reported to the issue tracker), you can grab a copy of the beta package from our downloads page or on PyPI.

The PGP key ID used for this release is Carlton Gibson: E17DF5C82B4F9D00.

From The Django weblog on Feb. 11, 2019, 10:45 a.m.

Django security releases issued: 2.1.6, 2.0.11 and 1.11.19

In accordance with our security release policy, the Django team is issuing Django 1.11.19, Django 2.1.6, and Django 2.0.11. These releases address the security issue detailed below. We encourage all users of Django to upgrade as soon as possible.

CVE-2019-6975: Memory exhaustion in django.utils.numberformat.format()

If django.utils.numberformat.format() -- used by contrib.admin as well as the floatformat, filesizeformat, and intcomma template filters -- received a Decimal with a large number of digits or a large exponent, it could lead to significant memory usage due to a call to '{:f}'.format().

To avoid this, decimals with more than 200 digits are now formatted using scientific notation.
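The check described above, sketched as an added example (this is not Django's own patch): the size of the fixed-point expansion is estimated from the Decimal's digit tuple and exponent before any formatting happens, and values over the 200-digit cutoff are rendered in scientific notation. The function names and the sample values are assumptions made for illustration.

```python
from decimal import Decimal

# Cutoff taken from the advisory text: more than 200 digits -> scientific notation.
MAX_DIGITS = 200


def expanded_length(number: Decimal) -> int:
    """Estimate how many digits '{:f}' would have to write out.

    Computed from the internal representation only, so the cost of the
    estimate does not depend on the size of the exponent.
    (Hypothetical helper, not part of Django.)
    """
    _, digits, exponent = number.as_tuple()
    return len(digits) + abs(exponent)


def format_decimal_bounded(number: Decimal, max_digits: int = MAX_DIGITS) -> str:
    """Format a Decimal without letting a large exponent drive memory use.

    (Hypothetical helper, not part of Django.)
    """
    # NaN and Infinity carry a non-numeric exponent marker in as_tuple(),
    # so they are handled before the size estimate.
    if not number.is_finite():
        return str(number)
    if expanded_length(number) > max_digits:
        # Scientific notation keeps the output proportional to the number
        # of significant digits, not to the magnitude of the exponent.
        return "{:e}".format(number)
    # Small enough: the fixed-point expansion is bounded by max_digits.
    return "{:f}".format(number)


def demo():
    """Run the formatter over constructed sample inputs."""
    samples = ["1234.5", "1e-7", "9e199", "9e200", "9e9999", "9e-999", "NaN"]
    return {s: format_decimal_bounded(Decimal(s)) for s in samples}


if __name__ == "__main__":
    for source, rendered in demo().items():
        print(f"{source:>8} -> {rendered[:40]} (len {len(rendered)})")
```

A short literal such as 9e9999 is enough to request a 10,000-character fixed-point string, which is why the check has to look at the exponent and not only at the number of digits supplied.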

Thanks Sjoerd Job Postmus for reporting this issue.

Affected supported versions

  • Django master branch
  • Django 2.2 (which will be released in a separate blog post later today)
  • Django 2.1
  • Django 2.0
  • Django 1.11

Per our supported versions policy, Django 1.10 and older are no longer supported.

Resolution

Patches to resolve the issue have been applied to Django's master branch and the 2.2, 2.1, 2.0, and 1.11 release branches. The patches may be obtained from the following changesets:

The following releases have been issued:

The PGP key ID used for these releases is Carlton Gibson: E17DF5C82B4F9D00.

General notes regarding security reporting

As always, we ask that potential security issues be reported via private email to security@djangoproject.com, and not via Django's Trac instance or the django-developers list. Please see our security policies for further information.

From The Django weblog on Jan. 29, 2019, 2:52 p.m.

The DSF Welcomes Mariusz Felisiak as its Newest Fellow

On December 21, 2018, the DSF made a call for Django Fellow applicants. On behalf of the Django Software Foundation, the DSF Fellowship Committee is pleased to announce Mariusz Felisiak as the newest Django Fellow. Mariusz is replacing Tim Graham who recently announced his retirement as a Django Fellow after four years of service.

Mariusz has been designing and implementing Python/Django applications for the past 11 years. He is an active Django Core Team Member, focusing on the ORM and Oracle back-end along with triaging tickets, reviewing pull requests and backporting changes. In addition, he has contributed to more than a dozen open-source projects and is a coach for Django Girls Heidelberg.

The DSF received 6 applicants, all of which were reviewed by the Fellowship Committee before coming to a consensus decision on Mariusz. The level of talent and professionalism in the applicant pool made the decision process challenging. We are grateful for all who applied and their desire to participate in this important initiative.

The Fellowship program has been a great success and is only possible through generous support of the Django Software Foundation. If you or your organization benefit from Django and the work of the Fellowship program, please consider a donation. Every dollar amount, large or small, makes an impact.

From The Django weblog on Jan. 17, 2019, 2:13 p.m.

Django 2.2 alpha 1 released

Django 2.2 alpha 1 is now available. It represents the first stage in the 2.2 release cycle and is an opportunity for you to try out the changes coming in Django 2.2.

Django 2.2 has a salmagundi of new features which you can read about in the in-development 2.2 release notes.

This alpha milestone marks the feature freeze. The current release schedule calls for a beta release in about a month and a release candidate about a month from then. We'll only be able to keep this schedule if we get early and often testing from the community. Updates on the release schedule are available on the django-developers mailing list.

As with all alpha and beta packages, this is not for production use. But if you'd like to take some of the new features for a spin, or to help find and fix bugs (which should be reported to the issue tracker), you can grab a copy of the alpha package from our downloads page or on PyPI.

The PGP key ID used for this release is Carlton Gibson: E17DF5C82B4F9D00.

From The Django weblog on Jan. 13, 2019, 4:39 p.m.

DjangoCon Europe in 2019 - last call for speakers

Call for Participation

We invite all Djangonauts, Pythonistas and people who could make a contribution to our community to attend and share their knowledge and insight.

Our call for proposals remains open for another week, until the 20th January.

We’re looking for speakers of all experience levels and backgrounds, on any topic that could be relevant to our attendees - this includes non-technical talks that shed light on Django and our work with it.

We support our speakers with:

  • free admission to DjangoCon Europe
  • grants to ensure that those who need additional financial support will be given the opportunity to attend (see below)
  • a mentorship programme for speakers who'd like it

Speaker diversity at DjangoCon Europe

We especially want to feature more speakers from the sections of our community that are less well-represented at our events - we know they're there, and we know they're making contributions, but they get to speak less often to our audiences.

Diversity in our community is a goal for us, and with each proposal and each speaker, we feel a real lift in our motivation, because we value the contribution it will make to our conference.

We need to present a balanced roster of speakers, that captures a wealth of experience only possible through diversity of gender, ethnicity, age and other attributes, so we ask you to help us by coming forward with your proposal.

Each year, DjangoCon Europe makes substantial efforts to put together a diverse programme, and each year succeeds in bringing some new faces to the stage. We're trying to build on that - please help us. If you could be a speaker yourself, tell us what you have to share; if you know someone else who has done something or thought something new or interesting - encourage them to put themselves forward.

Opportunity Grants

Our conference opportunity grant programme will provide financial assistance to attendees who'd otherwise find it difficult to attend. We can help with the cost of accommodation, travel and tickets. As usual, this is an important part of our event, and we have allocated substantial resources to supporting it. Please take advantage of it!

Applications must be submitted via our Grants page by 20th January.

Accessibility at DjangoCon Europe 2019

You'll be glad to know that:

  • Our venue is wheelchair-friendly.
  • Catering will provide options to suit all dietary requirements (just let us know in advance, by the 26th March).
  • We will have free child-care provision (important - we need to know your requirements by the 19th March.)
  • Our talks will be supported by a live speech-to-text reporting service.
  • There will be quiet spaces at the event where you can take a break from the conference bustle if you need one.
  • We will be glad to hear from you about anything you need in order to make the event more accessible - and we will do our best to provide it. Please don't hesitate to ask.

Social events

Social events will reflect the character of Copenhagen and our venue, and in line with our conference aims will be safe (our Code of Conduct covers all conference-related activities) and suitable for all our attendees.

Tickets

Tickets are on sale, and generously discounted early-bird tickets are available until the end of January.

As usual, tickets to the conference will sell out in advance. Don't leave it until too late!

Sponsorship

DjangoCon Europe is only possible through the contribution of commercial sponsors. We invite you to support us.

We value the generous participation that businesses using Python and Django make to our event, and it's appreciated by our attendees too - they know how vital sponsors are to the event. Sponsors receive recognition in a number of ways.

Please see our Sponsorship page for more information and the sponsorship opportunities available.

From The Django weblog on Jan. 4, 2019, 2:14 p.m.

Django security releases issued: 2.1.5, 2.0.10, and 1.11.18

In accordance with our security release policy, the Django team is issuing Django 1.11.18, Django 2.0.10, and Django 2.1.5. These releases address the security issue detailed below. We encourage all users of Django to upgrade as soon as possible.

CVE-2019-3498: Content spoofing possibility in the default 404 page

An attacker could craft a malicious URL that could make spoofed content appear on the default page generated by the django.views.defaults.page_not_found() view.

The URL path is no longer displayed in the default 404 template and the request_path context variable is now quoted to fix the issue for custom templates that use the path.

Affected supported versions

  • Django master branch
  • Django 2.1
  • Django 2.0
  • Django 1.11

Per our supported versions policy, Django 1.10 and older are no longer supported.

Resolution

Patches to resolve the issue have been applied to Django's master branch and the 2.1, 2.0, and 1.11 release branches. The patches may be obtained from the following changesets:

The following releases have been issued:

The PGP key ID used for these releases is Tim Graham: 1E8ABDC773EDE252.

General notes regarding security reporting

As always, we ask that potential security issues be reported via private email to security@djangoproject.com, and not via Django's Trac instance, Django's GitHub repositories, or the django-developers list. Please see our security policies for further information.

This issue was publicly reported through a GitHub pull request, therefore we fixed the issue as soon as possible without the usual prenotification process.

From The Django weblog on Dec. 21, 2018, 5:09 p.m.

DSF calls for applicants for a Django Fellow

After ten years of contributing to Django, four of which were paid as part of the Django Fellowship program, Tim Graham has decided to step down as a Django Fellow this spring to explore other things. Tim has made an extraordinary impact as a Django Fellow. The Django Software Foundation is grateful for his service and assistance.

The Fellowship program was started in 2014 as a way to dedicate high-quality and consistent resources to the maintenance of Django. As Django has matured, the DSF has been able to fundraise and earmark funds for this vital role. As a result, the DSF currently supports two Fellows - Tim and Carlton Gibson. With the departure of Tim, the Django Software Foundation is announcing a call for Django Fellow applications. The new Fellow will work alongside Carlton.

The position of Fellow is focused on maintenance and community support - the work that benefits most from constant, guaranteed attention rather than volunteer-only efforts. In particular, the duties include:

  • Answering contributor questions on IRC and the django-developers mailing list
  • Helping new Django contributors land patches and learn our philosophy
  • Monitoring the security@djangoproject.com email alias and ensuring security issues are acknowledged and responded to promptly
  • Fixing release blockers and helping to ensure timely releases
  • Fixing severe bugs and helping to backport fixes to these and security issues
  • Reviewing and merging pull requests
  • Triaging tickets on Trac

Being a Django contributor isn't a prerequisite for this position. We'll consider applications from anyone with a proven history of working with either the Django community or another similar open-source community. Geographical location isn't important either - we have several methods of remote communication and coordination that we can use depending on the timezone difference to the supervising members of Django.

If you're interested in applying for the position, please email us describing why you would be a good fit along with details of your relevant experience and community involvement. Also, please include the amount of time each week you'd like to dedicate to the position (a minimum of 20 hours a week), your preferred hourly rate, and when you'd like to start working. Lastly, please include at least one recommendation.

Applicants will be evaluated based on the following criteria:

  • Details of Django and/or other open-source contributions
  • Details of community support in general
  • Understanding of the position
  • Clarity, formality and precision of communications
  • Strength of recommendation(s)

Applications will be open until 1200 UTC, January 11, 2019, with the expectation that the successful candidate will be notified around January 25, 2019.

From The Django weblog on Dec. 16, 2018, 9:46 p.m.

2018 Malcolm Tredinnick Memorial Prize Nominations

It is that time of year again when we recognize someone from our community in memory of our friend Malcolm.

Malcolm was an early core contributor to Django and had both a huge influence and large impact on Django as we know it today. Besides being knowledgeable he was also especially friendly to new users and contributors. He exemplified what it means to be an amazing Open Source contributor. We still miss him.

The DSF Prize page summarizes the prize nicely:

The Malcolm Tredinnick Memorial Prize is a monetary prize, awarded annually, to the person who best exemplifies the spirit of Malcolm’s work - someone who welcomes, supports and nurtures newcomers; freely gives feedback and assistance to others, and helps to grow the community. The hope is that the recipient of the award will use the award stipend as a contribution to travel to a community event -- a DjangoCon, a PyCon, a sprint -- and continue in Malcolm’s footsteps.

We will take nominations until Sunday, December 23rd AoE and will announce the winner soon after.

Please make your nominations using this google form.

If you have any questions please reach out to the DSF Board at foundation@djangoproject.com.

From The Django weblog on Dec. 10, 2018, 2:21 p.m.

DSF 2019 Board Election Results

I'm pleased to announce the winners of our 2019 DSF Board of Directors election. In order of ranking, they are:

  • Frank Wiles
  • Katie McLaughlin
  • Anna Makarudze
  • James Bennett
  • Jessica 'Deatz' Deaton
  • Ola Tarkowska

Katie, Anna, James, and myself were re-elected for another term and we welcome our new Members, Jessica and Ola. We look forward to working with them in the new year.

I also want to take a moment to sincerely thank our retiring Board Members, Daniele Procida and Rebecca Conley, who have worked very hard over the last few years to advance the DSF. Their presence on the Board will be greatly missed.

This year we had 17 great candidates and while not everyone can get elected each year I hope they all consider running again in the 2020 election.

Another item of note with this election is that our Board is now comprised of two thirds women, which is a first for the DSF.

We will all meet together to certify the election and set officers at our next Board meeting later this month. As always if you have questions about the Django Software Foundation please direct them to foundation@djangoproject.com.

Happy Holidays!

From The Django weblog on Dec. 3, 2018, 12:50 p.m.

Django bugfix releases: 2.1.4 and 1.11.17

Today we've issued the 2.1.4 and 1.11.17 bugfix releases.

The release package and checksums are available from our downloads page, as well as from the Python Package Index. The PGP key ID used for this release is Carlton Gibson: E17DF5C82B4F9D00.

From The Django weblog on Nov. 28, 2018, 5:25 p.m.

Report from PyCon Zimbabwe 2018

The 3rd edition of PyCon Zimbabwe was held from the 19th to the 20th of October, 2018 under the theme: “For the community, by the community”. The conference was hosted at Cresta Oasis Hotel in Harare, Zimbabwe.

Attendees

PyCon Zimbabwe 2018 attracted 80 delegates from around Zimbabwe, the USA and South Africa. The delegates included university students, lecturers, professionals and hobbyists.

Talks and Workshops

The first day of the conference was dedicated to talks which covered a variety of subjects that included topics on machine learning, solving financial problems with Python and blockchain technologies among others. The talks included:

  • Python and the AI revolution – Dr Panashe of the University of Zimbabwe took delegates on the future of Machine Learning with Python
  • Bit Mari Smart Contracts with Python – Tongayi Choto shared how they are using blockchain technology with Python to help small scale farmers in Zimbabwe to access capital.
  • GraphQL and Python – Wedzerayi Muyengwa from Steward Bank took the audience through the journey of creating APIs with Flask and GraphQL.
  • Geo-spatial Data in Python and PostgreSQL - Nick Doiron of McKinsey and Company conducted a workshop on how to make interactive maps with Python and PostgreSQL database management system.
  • Components and configuration in Reahl - by Iwan Vosloo

The second day of the conference was dedicated to workshops and tutorials. Delegates were taken through practical tutorials on deep learning, data science with TensorFlow and creating interactive maps with Python and PostgreSQL.

On the final day Bit Mari, a local startup, sponsored prizes for a hackathon which was held to come up with solutions for small scale traders based in the high density areas of Harare using Python.

Sponsorship

The third edition of PyCon Zimbabwe would not have happened had it not been for the generosity of the Django Software Foundation. With the prevailing, unfavorable economic situation in Zimbabwe, we almost cancelled the conference. We were unfortunate that a financial crisis of high magnitude manifested itself towards the days of the conference and threw our initial plans into disarray as local companies were not keen to support as they wanted the situation to improve first.

Despite this however, with the support we got from the DSF we were able to convene the best conference to date since the inception of PyCon Zimbabwe in 2016. With the financial support we got from the DSF we were able to heavily subsidize the tickets whose value had been eroded overnight by the financial crisis. We also managed to secure a decent venue for the 2 day convention. We were also able to provide financial assistance to some of the delegates who included 15 women.

Takeaways

The Python Zimbabwe community is alive and growing. The 2018 conference was dominated by newcomers. More than half of the attendees were people who had never attended the first two conferences in 2016 and 2017. At the conference we discovered other interest groups such as the Harare School of AI and BitMari Inc who are doing amazing things with Python.

Present at the conference was a local fintech startup, Bitmari, who added diversity to the discussions with their activities on blockchain and bitcoin. They sponsored a hackathon with the hope of working with some of the participants. For us, the organizers, this is a success as it achieves one of our goals, which is to expose local Python developers to the world and potential recruiters. We also had professionals from a local banking institution, whom we hope to work with next year in organizing the next conference.

The conference also exposed another group of enthusiastic python developers: Geo-spatial data scientists, from the Forestry Commission and some from the University of Zimbabwe who attended Nick Doiron’s workshop.

Finally we would like to thank DSF for partnering with us as we managed to host a very successful PyCon Zimbabwe 2018.

From The Django weblog on Nov. 27, 2018, 7:38 p.m.

The DSF Board elections - what about you?

I'm standing down from my position on the Django Software Foundation Board, having served for three years as the DSF's Vice-President (it's a nice role to have - but not nearly as grand as it sounds).

Unfortunately, people do in fact often think that being on the DSF board is somehow a grand role, an exclusive kind of position for exclusive people, or even that it's only for people who somehow "deserve" to be Board members. Needless to say, that's really not true.

Each one of the six Board members is there because:

  • they put themselves forward as a Board member
  • the DSF membership voted for them

In other words, they are Board members because other people felt they were suited to the role.

We do this each year, and each year we rely on members of our community to step forward in sufficient numbers as candidates, so that six of them can be selected.

Obviously, this only works if people put themselves forward. Less obviously, it only works well if the people who put themselves forward represent all of our community, and are not just ones who are already well-known and visible members of it.

In this respect, we've been moving in the right direction. Last year's election had the biggest-ever number of candidates, and this year's Board reflects a greater diversity.

We'd like to continue in that direction, by encouraging not just more people to consider standing for election, but also to encourage people who might not otherwise have thought they were qualified.

Could you be a useful Board member?

You need:

  • to be able to commit to administrative and clerical tasks, and work through things like grant requests, proposals, email messages and so on
  • to be able to participate in online meetings, sometimes - depending on your timezone - at unattractive hours
  • to be able to follow things up, even sometimes tedious ones
  • to be able to do what you said you were going to do
  • to be able to pay attention to the needs and concerns of the Django community and its stakeholders
  • to have the time and energy to do this (for at least a whole year).

You don't need special skills, just ordinary ones, and to be able to apply them to the work that needs to be done. Nearly everyone has the skills needed.

Do you deserve the honour?

It is an honour to serve on the Board, and it's a position of responsibility that shouldn't be taken lightly. But that doesn't mean that it's given as an honour, as a position that people earn, or deserve - it's a job that they volunteer to take on, and anyone who is prepared to do what the job entails is as fit for it as anyone else.

You will find being voted in to a position helps dispel any doubts you might have about whether you "deserve" to be in. (Even the process of writing a short statement about yourself, why you're standing and what you would like to achieve if elected can make a difference to how you feel about that.)

What is it like to be on the Board?

Please see the article I wrote last year: What it's like to serve on the DSF Board (short version: it's not very mysterious).

It's your turn

I've enjoyed serving on the Board, and I'm very grateful to have had the opportunity. Three years though is enough for me, and it will give me the chance to do some more of the other Django things I've been able to do less of since then.

As well as helping keep the ship on a steady course, I've been able to use the position to make a difference. This is reflected in for example the DSF's sustained support for African Python and Django communities, and our recent call for proposals for the development of a Django Software Foundation membership management system. To be on the Board is to be in a position where you can help get things done.

I hope that there are many other people who also have ideas about things that should be done in the world of Django, and who are prepared to dedicate time and energy to them, and that they will consider putting themselves forward to serve on the Board.

Not everyone who stands will be elected - with only six places on the Board, most people won't be. That shouldn't stop you. It's not a popularity contest, or a matter of being chosen for an honour. It's being chosen to do a job, as a volunteer, and just the act of standing is already performing a service to the Django community.

From The Django weblog on Nov. 21, 2018, 9:50 p.m.

DSF Board Election for 2019

It's that time of year again where we elect the Django Software Foundation Board of Directors.

If you're interested in helping contribute back to Django and the Django Community we encourage you to stand for this year's election.

To run this year please fill out this election form by November 29th, 2018 AoE.

Not sure if you want to be a Board Member?

Being a DSF Board Member is a great way to contribute time rather than code or money. If there is something in our community you would like to change or improve being a Board Member puts you in a position to effect change.

While some of the officer positions do require more of a time commitment the average Member typically spends just a few hours a month helping to direct the DSF. We have one roughly hour-long meeting each month to conduct the main business and correspond via email/Trello/etc for smaller matters.

Typical meetings involve topics such as:

  • Approval/discussion of conferences
  • Awarding grants for events such as the many DjangoGirls events around the world
  • Policy and Process changes to membership, voting, structure, etc.
  • Fundraising
  • Awarding the Malcolm Tredinnick Memorial Prize
  • Board Member led initiatives

This year, in particular, we are in need of someone interested in taking on the role of Treasurer, one of the more time-consuming officer positions.

If you have any questions about the Board or being a Board Member please do not hesitate to reach out to me directly at frank@djangoproject.com, any of our current Board Members, or all of us at once at foundation@djangoproject.com.

From The Django weblog on Nov. 4, 2018, 5:31 p.m.

DSF Individual membership - call for implementation proposals

The DSF wishes to put in place a system for the nomination, approval and accession of Individual Members.

The DSF wants to expand its membership, not just in number, but also in diversity. The current mechanisms in place for bringing on new members are not wholly satisfactory.

The DSF seeks proposals to design and implement a system to improve the membership nomination system. A budget of USD$5,000 - USD$8,000 has been made available.

Proposals including a timeline and budget should be forwarded to the DSF Board.

Basic requirements

This process and its implementation will include:

  • a web-based system for gathering nominations
  • a mechanism allowing members to comment
  • a system to record formal votes of DSF members
  • a system by which the DSF Board can give final approval
  • a system to ease the administration burden of adding new users

Exactly how all these parts are implemented is open to proposal.

Principles of DSF individual membership

The process and its implementation must be in line with four principles:

  • Membership follows service: Individual Members are appointed by the DSF in recognition of their service to the Django community
  • Membership represents belonging: Membership should represent belonging rather than merely joining. It signifies welcoming of an individual into a group.
  • Membership should empower: Becoming a member should enable the individual to help take charge of the direction of our community, and act within it with more confidence, knowing that their thoughts and ideas will have value in the eyes of others, and that their initiatives are likely to find support. Above all, it should affirm to them their right to participate, take action and disagree.
  • Becoming a member should be meaningful: If membership represents a place in the community rather than simply an administrative or legal entitlement, then becoming a member should have some meaning attached to it.

Membership process

The process therefore needs to:

  • not just allow, but also encourage, nominations that clearly explain the service the individual has made to the community, and the value of that service.

    A mechanism needs to be created by which existing members can be alerted of nominations that are made (e.g. via the DSF email list, or to individual mailboxes, or some other way).

  • encourage and allow existing members to respond in ways that will stand as a record within the DSF (e.g. on its email list), and will in turn help show the nominee why they belong

    All responses and expressions of approval should be visible to newly-elected members, so that they can see that they are valued and welcomed by individuals who have taken the trouble to say so.

  • give new members, some of whom may be less confident of their place in the community than others, reasons to feel that they are entitled to act as members of the community

    The process should reflect the new members’ achievements and contributions back to them at the same time as sharing them with the community, to help make clear to them that they (and their opinions and activities) are positively valued.

  • give new and existing members the sense that it is a matter of significance to be elected to the DSF membership

    New members should feel proud about their nomination and accession, and understand what it means (it should not leave them feeling unsure or baffled about its significance).

Implementation

Engagement of existing members

At present, the DSF membership does not do a very consistent job of nominating new members. The system should prompt and remind members to think of potential nominees (e.g. an automated monthly message).

Self-nomination

The system should allow non-members to nominate themselves, as well as being nominated by others.

In doing so it should make it easy for those people to provide the right kind of information about what they do, so that a person reading it, who doesn’t yet know them, will be in a position to make an informed judgement (and ultimately, an enthusiastic endorsement) of them.

Successfully eliciting this information in a form that fulfills this need is not easy.

In order to avoid creating two tiers of DSF member (those who were enthusiastically nominated, seconded and welcomed by others, and those who had to nominate themselves, with little response or enthusiasm from others) the self-nomination process must make it possible for self-nominated members to enjoy the same kind of reception. Ways to achieve this could include:

  • guiding self-nominees to write strong descriptions and proposals for themselves (e.g. providing an example of a good self-nomination)
  • automatically circulating their names to the membership, so that an existing member who knows them, or may know someone who knows them, is prompted to “sponsor” the nomination
  • advising a self-nominee to contact an existing member they may know, who could sponsor them (this will be especially important for self-nominees with fewer connections)

Ultimately, a self-nominee deserves to be welcomed with the same kind of warmth that other nominees receive, and the system must find ways to overcome the natural difficulties in achieving this.

Administration

As far as possible, the system should reduce the burden of managing nominations. A single interface, as part of the Django Project website, should:

  • prompt and encourage nominations
  • accept nominations
  • allow voting and positive comments
  • share comments with the membership in a way that encourages further engagement
  • allow the DSF board to approve a nomination
  • when approved, add the nominee to the Django Project website, DSF email list or other forum, etc
  • automate some basics of induction/welcome for new members
  • automate a public announcement of their accession on Twitter

Negative flags

Only positive endorsements of a nominee should be circulated by the system amongst the DSF membership. Members however should be able to raise a flag if they have a concern about a particular nomination. This will be referred to the DSF Board, to be dealt with appropriately.

Proposals

Proposals for implementing a system should be forwarded to the DSF Board.

Please include as much detail as you feel able to in an initial proposal. Your proposal should include:

  • a timeline for implementation
  • a budget

The Board will also welcome questions and requests for clarification.

From The Django weblog on Nov. 1, 2018, 1:36 p.m.

Django bugfix release: 2.1.3

Today we've issued the 2.1.3 bugfix release.

The release package and checksums are available from our downloads page, as well as from the Python Package Index. The PGP key ID used for this release is Carlton Gibson: E17DF5C82B4F9D00.

From The Django weblog on Oct. 21, 2018, 7:15 p.m.

DjangoCon Europe 2019 Announcement & Call for volunteers

We are happy to announce that the 2019 DjangoCon Europe will be held in Copenhagen, Denmark. An early announcement has been posted on https://2019.djangocon.eu/ and more details will follow. We are a small local group who are eager to engage with more people to make this happen!

There is a lot to do, but it's very much worth it – DjangoCon Europe is an extremely friendly, open, inclusive, and informative (for beginners and advanced users alike) conference.

Here are some themes and examples of activities and responsibilities that we seek help with:

  • Communications – Press, community relations, announcements, social media, attendee tools, volunteer coordination
  • Support and hospitality – Helpdesk, attendee support contact, visa help, travel management, chat support for attendees, on-site volunteer organization, speaker support
  • Financial Aid – Setup, grant selection, aid organization
  • Sponsors – Outreach to companies, organizing their logistics at the event and other types of visibility
  • Program – Committee work, talk selection, scheduling, session chairs, sprint/open space/keynote/lightning talks session organization
  • Code of Conduct – Drafting documents, handling of requests and issues
  • Diversity advocate – Accessibility considerations, outreach on-site
  • Team – Venue contacts, child care, social events planning, on-site logistics

During a November kick-off meeting in Copenhagen (TBA), we will finalize the plan for teams and tentative time schedules for all the preparations, and not least our internal communication tools.

Join us regardless of your prior experience: this is also an opportunity to learn! In other words, you don't have to be an expert to join in. Neither are we experts in hosting such a big event... yet!

Your location prior to the event is not significant (we can do all things that need to be done in Copenhagen itself) – the only important thing is that you have the energy and free time to help organize a wonderful DjangoCon Europe. All teams will be coordinating through online channels, even though some may also meet and work in Copenhagen if possible. The official language of all these prior activities will be English, as well as the conference itself.

Drop us a line and say hello: 2019@djangocon.eu

For general updates about the conference, follow @djangoconeurope on Twitter. To keep updated with our preparations in Copenhagen, the kick-off meeting and further physical and virtual organizing meetings, follow @djangocph or reach out to us on Freenode IRC #djangocph.

Emil Kjer, Benjamin Bach, Sarah Braun, Víðir Valberg Guðmundsson, Sean Powell, Thomas Steen Rasmussen

From The Django weblog on Oct. 12, 2018, 9:26 p.m.

Support framework of a strong relationship. 30% off PyCharm and 100% to Django

In summer 2017, JetBrains PyCharm partnered with the Django Software Foundation for the second year in a row to generate a big boost to the Django fundraising campaign. The campaign was a huge success. We raised a total of $66,094 USD for the Django Software Foundation!

This year we really hope to repeat the success of the previous year. For the next three weeks, buy a new individual license for PyCharm Professional Edition at 30% OFF, and all the money raised will go to the DSF’s general fundraising and the Django Fellowship program.

Promotion details

Up until November 1, you can effectively donate to Django by purchasing a New Individual PyCharm Professional annual subscription at 30% off. It’s very simple:

  1. When buying a new annual PyCharm subscription in our e-store, on the checkout page, click “Have a discount code?”.
  2. Enter the following 30% discount promo code:
    IDONATETODJANGO

    Alternatively, just click this shortcut link to go to the e-store with the code automatically applied.
  3. Fill in the other required fields on the page and click the “Place order” button.

All of the income from this promotion code will go to the DSF fundraising campaign 2018 – not just the profits, but actually the entire sales amount including taxes, transaction fees – everything! The campaign will help the DSF to maintain the healthy state of the Django project and help them continue contributing to their different outreach and diversity programs.

Read more details on the special promotion page.

“Django has grown to be a world-class web framework, and coupled with PyCharm’s Django support, we can give tremendous developer productivity,” says Frank Wiles, DSF President. “Last year JetBrains was a great partner for us in support of raising money for the Django Software Foundation, on behalf of the community, I would like to extend our deepest thanks for their generous help. Together we hope to make this a yearly event!”

If you have any questions, get in touch with Django at fundraising@djangoproject.com or JetBrains at sales@jetbrains.com.

From The Django weblog on Oct. 1, 2018, 10:26 a.m.

Django security release issued: 2.1.2

In accordance with our security release policy, the Django team is issuing Django 2.1.2. This release addresses the security issue detailed below. We encourage all users of Django to upgrade as soon as possible.

CVE-2018-16984: Password hash disclosure to "view only" admin users

If an admin user has the change permission to the user model, only part of the password hash is displayed in the change form. Admin users with the view (but not change) permission to the user model were displayed the entire hash. While it's typically infeasible to reverse a strong password hash, if your site uses weaker password hashing algorithms such as MD5 or SHA1, it could be a problem.

Thanks Phithon Gong for reporting this issue.
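The two defensive points in this advisory, sketched as an added example (not Django's code): render only a masked summary of a stored password hash whatever the viewer's permission, and flag accounts still on the weaker algorithms the advisory names. It assumes the `<algorithm>$...$<salt>$<hash>` layout of Django's encoded password strings; the function names and sample rows are constructed for illustration.

```python
# Masked display of encoded password hashes plus a weak-hasher audit.
# Constructed example; function names and sample data are assumptions.

# Algorithm prefixes treated as weak here (fast, unstretched digests).
WEAK_ALGORITHMS = {"md5", "sha1", "unsalted_md5", "unsalted_sha1", "crypt"}


def mask(value, show=6):
    """Keep at most `show` leading characters (never more than half) and star the rest."""
    visible = min(show, len(value) // 2)
    return value[:visible] + "*" * (len(value) - visible)


def summarize(encoded):
    """Return display-safe fields for one encoded password string."""
    algorithm, sep, rest = encoded.partition("$")
    if not sep or not algorithm:
        # No algorithm prefix: reveal nothing and flag the row for review.
        return {"algorithm": "unknown", "fields": ["*" * len(encoded)], "weak": True}
    fields = rest.split("$")
    shown = []
    for index, field in enumerate(fields):
        # A leading numeric field is a work factor (e.g. an iteration count),
        # which is not secret; salt and hash are always masked.
        is_work_factor = index == 0 and len(fields) >= 3 and field.isdigit()
        shown.append(field if is_work_factor else mask(field))
    return {"algorithm": algorithm, "fields": shown,
            "weak": algorithm in WEAK_ALGORITHMS}


def display(encoded):
    """The only form any admin page should render, for view and change users alike."""
    summary = summarize(encoded)
    return "$".join([summary["algorithm"]] + summary["fields"])


def audit(rows):
    """Return usernames whose stored hash uses a weak or unrecognised algorithm."""
    return [username for username, encoded in rows if summarize(encoded)["weak"]]


# Constructed sample rows (username, encoded password); not real credentials.
SAMPLE_ROWS = [
    ("modern", "pbkdf2_sha256$120000$constructedSalt$constructedHashValue0123456789ABCDEF"),
    ("legacy", "md5$constructed$0123456789abcdef0123456789abcdef"),
]

if __name__ == "__main__":
    for name, encoded in SAMPLE_ROWS:
        print(name, display(encoded))
    print("weak hashers:", audit(SAMPLE_ROWS))
```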

Affected versions

  • Django master development branch
  • Django 2.1

Resolution

Patches to resolve the issue have been applied to Django's master branch and the 2.1 release branch. The patches may be obtained from the following changesets:

The following release has been issued:

The PGP key ID used for these releases is Carlton Gibson: E17DF5C82B4F9D00.

General notes regarding security reporting

As always, we ask that potential security issues be reported via private email to security@djangoproject.com, and not via Django's Trac instance or the django-developers list. Please see our security policies for further information.

From The Django weblog on Oct. 1, 2018, 10:26 a.m.

Django bugfix releases: 2.0.9 and 1.11.16

Today we've issued the 2.0.9 and 1.11.16 bugfix releases.

The release package and checksums are available from our downloads page, as well as from the Python Package Index. The PGP key ID used for this release is Carlton Gibson: E17DF5C82B4F9D00.

From The Django weblog on Aug. 31, 2018, 8:57 a.m.

Django bugfix release: 2.1.1

Today we've issued the 2.1.1 bugfix release.

The release package and checksums are available from our downloads page, as well as from the Python Package Index. The PGP key ID used for this release is Carlton Gibson: E17DF5C82B4F9D00.

From The Django weblog on Aug. 1, 2018, 3:46 p.m.

DjangoCon US 2018 Schedule Is Live

We are almost two months away from DjangoCon US in San Diego, CA, and we are pleased to announce that our schedule is live! We received many phenomenal proposals, and the reviewers and program team had a difficult job choosing the final talks and tutorials. We think you will love them as much as we do. Thank you to everyone who submitted a proposal or helped to review.

Tickets for the conference are still on sale. There are a small handful of early-bird tickets left, so pick one up before they sell out! Check out our website for more information on which ticket type to select. We have also announced our tutorials. They are $195 each, and may be purchased at the same place as the conference tickets.

DjangoCon US will be held October 14-19 at the lovely San Diego Marriott Mission Valley. Our hotel block rate expires September 13, but rooms are going fast, so reserve your room today!

From The Django weblog on Aug. 1, 2018, 3:44 p.m.

Django 2.1 released

The Django team is happy to announce the release of Django 2.1.

The release notes cover the smorgasbord of new features in detail; the model “view” permission is a highlight that many will appreciate.

You can get Django 2.1 from our downloads page or from the Python Package Index. The PGP key ID used for this release is Tim Graham: 1E8ABDC773EDE252.

With the release of Django 2.1, Django 2.0 has reached the end of mainstream support. The final minor bug fix release (which is also a security release), 2.0.8, was issued today. Django 2.1 will receive security and data loss fixes until April 2019. All users are encouraged to upgrade before then to continue receiving fixes for security issues.

See the downloads page for a table of supported versions and the future release schedule.

From The Django weblog on Aug. 1, 2018, 3:25 p.m.

Django security releases issued: 2.0.8 and 1.11.15

In accordance with our security release policy, the Django team is issuing Django 1.11.15 and Django 2.0.8. These releases address the security issue detailed below. We encourage all users of Django to upgrade as soon as possible.

CVE-2018-14574: Open redirect possibility in CommonMiddleware

If the django.middleware.common.CommonMiddleware and the APPEND_SLASH setting are both enabled, and if the project has a URL pattern that accepts any path ending in a slash (many content management systems have such a pattern), then a request to a maliciously crafted URL of that site could lead to a redirect to another site, enabling phishing and other attacks.

Thanks Andreas Hug for reporting this issue.

Affected supported versions

  • Django master branch
  • Django 2.1 (which will be released in a separate blog post later today)
  • Django 2.0
  • Django 1.11

Per our supported versions policy, Django 1.10 and older are no longer supported.

Resolution

Patches to resolve the issue have been applied to Django's master branch and the 2.1, 2.0, and 1.11 release branches. The patches may be obtained from the following changesets:

The following releases have been issued:

The PGP key ID used for these releases is Tim Graham: 1E8ABDC773EDE252.

General notes regarding security reporting

As always, we ask that potential security issues be reported via private email to security@djangoproject.com, and not via Django's Trac instance or the django-developers list. Please see our security policies for further information.

From The Django weblog on July 18, 2018, 4:38 p.m.

Django 2.1 release candidate 1 released

Django 2.1 release candidate 1 is the final opportunity for you to try out the smorgasbord of new features before Django 2.1 is released.

The release candidate stage marks the string freeze and the call for translators to submit translations. Provided no major bugs are discovered that can't be solved in the next two weeks, Django 2.1 will be released on or around August 1. Any delays will be communicated on the django-developers mailing list thread.

Please use this opportunity to help find and fix bugs (which should be reported to the issue tracker). You can grab a copy of the package from our downloads page or on PyPI.

The PGP key ID used for this release is Tim Graham: 1E8ABDC773EDE252.

From The Django weblog on July 15, 2018, 2:36 a.m.

DjangoCon AU 2018: Tickets on sale

DjangoCon Australia, the cute little sibling conference to DjangoCons EU and US, is on again next month in sunny Sydney.

A one-day event packed full of content, DjangoCon AU is run as a Specialist Track – a dedicated one-day, one track “mini conference” – inside PyCon AU.

Tickets for DjangoCon AU and PyCon AU are now on sale. If you can only join us for one day, you can get a ticket for just DjangoCon AU for only AU$150. But, if you’d like to make a long weekend of it, tickets for the full event – DjangoCon AU on the Friday, and PyCon AU on the Saturday and Sunday – are available starting from AUD$440. As part of our ongoing commitment to ensuring as many people can get to PyCon AU as possible, there are generous discounts for students, and Contributor ✨ Tickets that directly help fill the financial assistance pool of funds.

The talks lists for DjangoCon AU and all of PyCon AU are already live, so take a look at what we have in store.

Buy your tickets by August 7 2018 to ensure you get a coveted PyCon AU t-shirt. Shirts for DjangoCon AU will be revealed and details announced on the day.

We hope to see you in Sydney next month!

Katie McLaughlin, PyCon AU Conference Director, DSF Board

From The Django weblog on July 2, 2018, 8:14 a.m.

Django bugfix releases: 2.0.7 and 1.11.14

Today we've issued the 2.0.7 and 1.11.14 bugfix releases.

The release package and checksums are available from our downloads page, as well as from the Python Package Index. The PGP key ID used for this release is Carlton Gibson: E17DF5C82B4F9D00.

From The Django weblog on June 19, 2018, 12:58 a.m.

Django 2.1 beta 1 released

Django 2.1 beta 1 is now available. It represents the second stage in the 2.1 release cycle and is an opportunity for you to try out the changes coming in Django 2.1.

Django 2.1 has a smorgasbord of new features which you can read about in the in-development 2.1 release notes.

Only bugs in new features and regressions from earlier versions of Django will be fixed between now and 2.1 final (also, translations will be updated following the "string freeze" when the release candidate is issued). The current release schedule calls for a release candidate in a month from now with the final release to follow about two weeks after that around August 1. Early and often testing from the community will help minimize the number of bugs in the release. Updates on the release schedule are available on the django-developers mailing list.

As with all alpha and beta packages, this is not for production use. But if you'd like to take some of the new features for a spin, or to help find and fix bugs (which should be reported to the issue tracker), you can grab a copy of the beta package from our downloads page or on PyPI.

The PGP key ID used for this release is Tim Graham: 1E8ABDC773EDE252.

From The Django weblog on June 7, 2018, 6:36 p.m.

DjangoCon Europe 2018 - thank you

On behalf of everyone who benefits from the Django Project, the DSF would like to thank the organisers of DjangoCon Europe 2018 for the outstanding efforts they made to ensure that the event was a success for the whole community.

The organising team, and above all Raphael Michel and Tobias Kunze, who led the event every step of the way from the moment it was first proposed a year ago, gave us a DjangoCon that could not have been bettered.

It's important to remember that all the organisers were unpaid volunteers, who gave their time and energy freely and with generosity. During the event they were assisted by other volunteers, who performed a valuable role taking care of conference necessities such as networking and video recording.

As we have now come to expect from a DjangoCon Europe, the venue was an ideal setting (the beautiful Stadthalle on the Neckar), the catering and hospitality were of a very high standard and the conference programme met every requirement for a keystone event.

We're especially grateful for the unstinting and thoughtful care that was put into all the small details of the conference, and which helped guarantee it was going to be a DjangoCon that everyone could remember for the right reasons.

We are proud to have our community represented by events of this kind.

The next DjangoCons in Europe

The DSF Board is considering bids for DjangoCon Europe 2019-2020. If you're interested in hosting the event in one of these years, we'd like to hear from you as soon as possible.

From The Django weblog on June 1, 2018, 4:32 p.m.

Django bugfix release: 2.0.6

Today we've issued the 2.0.6 bugfix release.

The release package and checksums are available from our downloads page, as well as from the Python Package Index. The PGP key ID used for this release is Carlton Gibson: E17DF5C82B4F9D00.

From The Django weblog on May 18, 2018, 2:11 a.m.

Django 2.1 alpha 1 released

Django 2.1 alpha 1 is now available. It represents the first stage in the 2.1 release cycle and is an opportunity for you to try out the changes coming in Django 2.1.

Django 2.1 has a smorgasbord of new features which you can read about in the in-development 2.1 release notes.

This alpha milestone marks the feature freeze. The current release schedule calls for a beta release in about a month and a release candidate about a month from then. We'll only be able to keep this schedule if we get early and often testing from the community. Updates on the release schedule are available on the django-developers mailing list.

As with all alpha and beta packages, this is not for production use. But if you'd like to take some of the new features for a spin, or to help find and fix bugs (which should be reported to the issue tracker), you can grab a copy of the alpha package from our downloads page or on PyPI.

The PGP key ID used for this release is Tim Graham: 1E8ABDC773EDE252.

From The Django weblog on May 10, 2018, 3:52 p.m.

DjangoCon Europe 2019 - where will it be?

Each year, a new volunteer team in the European Django community plans, organises and hosts a DjangoCon Europe.

Hosting a DjangoCon is an ambitious undertaking. It's hard work, but each year it has been successfully run by a team of community volunteers, not all of whom have had previous experience - more important is enthusiasm, organisational skills, the ability to plan and manage budgets, time and people - and plenty of time to invest in the project.

You'll find plenty of support on offer from previous DjangoCon organisers, so you won't be on your own.

How to apply

If you're interested, we'd love to hear from you.

If you're ready to submit a proposal

If you're ready to submit a proposal, please do so. The more detailed and complete your proposal, the better. Things you should consider, and that we'd like to know about, are:

  • dates
  • numbers of attendees
  • venue(s)
  • accommodation
  • transport links
  • budgets and ticket prices
  • committee members

We'd like to see (if you have these already):

  • timelines
  • pictures
  • prices
  • draft agreements with providers
  • alternatives you have considered

They will all help show that your plans are serious and thorough, and that you have the organisational capacity to make it a success.

Find out and tell us more.

If you're thinking about it

If you're still considering the feasibility, don't hesitate to get in touch with us to discuss your ideas. We can help in numerous ways, including by putting you in touch with others who'd like to be involved.

Just drop us a line.

From The Django weblog on May 9, 2018, 3 p.m.

DjangoCon US 2018 Update: CFP Open, Financial Aid App Open, and Tickets On Sale!

In case you missed the news, DjangoCon US 2018 will take place in sunny San Diego, California, from October 14-19, 2018! We’re pleased to announce the following items.

Early Bird Tickets On Sale

Early bird tickets are on sale now! You can also pre-register for tutorials and register for (free!) sprints. If you need to buy several tickets and assign them to your employees later, check out the Corporate Concierge Service. Early bird tickets are gone when they’re gone, so don’t wait to get yours.

Call for Proposals (CFP)

Our CFP for talks and tutorials is now open! The deadline for submissions is June 3, 2018. We’re looking for speakers of all experience levels and backgrounds. Talk and tutorial presenters also receive free admission to DjangoCon US.

Financial Aid Application

Grants to assist with travel and lodging expenses are available as well. Our Financial Aid application is also now open. The deadline is June 3, 2018.

You can still sponsor!

We have some great sponsorship opportunities available and plenty of room for your organization. Take a look at our sponsorship opportunities or email us at sponsors@djangocon.us so we can craft a special package for you.

See you in San Diego!

From The Django weblog on May 2, 2018, 3:05 a.m.

Django bugfix releases: 2.0.5 and 1.11.13

Today we've issued the 2.0.5 and 1.11.13 bugfix releases.

The release package and checksums are available from our downloads page, as well as from the Python Package Index. The PGP key ID used for this release is Tim Graham: 1E8ABDC773EDE252.

From The Django weblog on April 3, 2018, 4:09 a.m.

Django bugfix releases: 2.0.4 and 1.11.12

Today we've issued the 2.0.4 and 1.11.12 bugfix releases.

The release package and checksums are available from our downloads page, as well as from the Python Package Index. The PGP key ID used for this release is Tim Graham: 1E8ABDC773EDE252.

From The Django weblog on March 6, 2018, 2:44 p.m.

Django security releases issued: 2.0.3, 1.11.11, and 1.8.19

In accordance with our security release policy, the Django team is issuing Django 1.8.19, Django 1.11.11 and Django 2.0.3. These releases address the security issues detailed below. We encourage all users of Django to upgrade as soon as possible.

CVE-2018-7536: Denial-of-service possibility in urlize and urlizetrunc template filters

The django.utils.html.urlize() function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions (one regular expression for Django 1.8). The urlize() function is used to implement the urlize and urlizetrunc template filters, which were thus vulnerable.

Thanks James Davis for reporting this issue.

CVE-2018-7537: Denial-of-service possibility in truncatechars_html and truncatewords_html template filters

If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.

Thanks James Davis for reporting this issue.

Affected supported versions

  • Django master branch
  • Django 2.0
  • Django 1.11
  • Django 1.8

Per our supported versions policy, Django 1.10, 1.9, and Django 1.7 and older are no longer supported.

Resolution

Patches to resolve the issue have been applied to Django's master branch and the 2.0, 1.11, and 1.8 release branches. The patches may be obtained from the following changesets:

On the development master branch:

On the 2.0 release branch:

On the 1.11 release branch:

On the 1.8 release branch:

The following releases have been issued:

The PGP key ID used for these releases is Tim Graham: 1E8ABDC773EDE252.

General notes regarding security reporting

As always, we ask that potential security issues be reported via private email to security@djangoproject.com, and not via Django's Trac instance or the django-developers list. Please see our security policies for further information.

From The Django weblog on Feb. 1, 2018, 3:11 p.m.

Django security releases issued: 2.0.2 and 1.11.10

In accordance with our security release policy, the Django team is issuing Django 1.11.10 and Django 2.0.2. These releases address the security issue detailed below. We encourage all users of Django to upgrade as soon as possible.

CVE-2018-6188: Information leakage in AuthenticationForm

A regression in Django 1.11.8 made django.contrib.auth.forms.AuthenticationForm run its confirm_login_allowed() method even if an incorrect password is entered. This can leak information about a user, depending on what messages confirm_login_allowed() raises. If confirm_login_allowed() isn't overridden, an attacker can enter an arbitrary username and see if that user has been set to is_active=False. If confirm_login_allowed() is overridden, more sensitive details could be leaked.

Thanks Jack Cushman for reporting this issue.
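The ordering problem described above, as an added example: a simplified, self-contained model of a login form's validation step, not Django's source. The user store and the names clean_regressed, clean_fixed, outcome and wrong_password_outcomes are assumptions made for illustration. The last function is the regression check: with a wrong password, every username must produce the same error.

```python
# Simplified model of the login-form ordering issue (constructed; not Django code).
import hashlib
import hmac
import os
from dataclasses import dataclass


class ValidationError(Exception):
    def __init__(self, code, message):
        super().__init__(message)
        self.code = code


@dataclass
class User:
    username: str
    salt: bytes
    password_hash: bytes
    is_active: bool = True


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def make_user(username, password, is_active=True):
    salt = os.urandom(16)
    return User(username, salt, hash_password(password, salt), is_active)


# Constructed accounts for the demonstration.
USERS = {u.username: u for u in (
    make_user("alice", "correct horse battery"),
    make_user("bob", "another long passphrase", is_active=False),
)}


def authenticate(username, password):
    """Return the user only when the password matches, else None."""
    user = USERS.get(username)
    if user is None:
        return None
    candidate = hash_password(password, user.salt)
    return user if hmac.compare_digest(candidate, user.password_hash) else None


def confirm_login_allowed(user):
    """Policy hook: may raise errors that describe the account's state."""
    if not user.is_active:
        raise ValidationError("inactive", "This account is inactive.")


def invalid_login():
    return ValidationError("invalid_login",
                           "Please enter a correct username and password.")


def clean_regressed(username, password):
    """Models the regression: the policy hook runs even after a failed password check."""
    user = authenticate(username, password)
    if user is None:
        known = USERS.get(username)
        if known is not None:
            confirm_login_allowed(known)  # reached without valid credentials
        raise invalid_login()
    confirm_login_allowed(user)
    return user


def clean_fixed(username, password):
    """Hardened order: account state is consulted only after the password verified."""
    user = authenticate(username, password)
    if user is None:
        raise invalid_login()
    confirm_login_allowed(user)
    return user


def outcome(clean, username, password):
    """Return 'ok' or the error code the caller would see."""
    try:
        clean(username, password)
        return "ok"
    except ValidationError as exc:
        return exc.code


def wrong_password_outcomes(clean, usernames):
    """Regression check: distinct error codes seen when the password is wrong."""
    return {outcome(clean, name, "not the password") for name in usernames}


if __name__ == "__main__":
    names = ["alice", "bob", "nobody"]
    print("regressed:", sorted(wrong_password_outcomes(clean_regressed, names)))
    print("fixed:    ", sorted(wrong_password_outcomes(clean_fixed, names)))
```

A project that overrides confirm_login_allowed() can keep a test like wrong_password_outcomes in its suite so that any message the override raises stays behind a successful password check.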

Affected supported versions

  • Django master branch
  • Django 2.0 and 2.0.1
  • Django 1.11.8 and 1.11.9

Per our supported versions policy, Django 1.10 and 1.9 are no longer supported (but aren't affected). Django 1.8 LTS (for which security support ends on April 1) is unaffected.

Resolution

Patches to resolve the issue have been applied to Django's master branch and the 2.0 and 1.11 release branches. The patches may be obtained from the following changesets:

The following releases have been issued:

The PGP key ID used for these releases is Tim Graham: 1E8ABDC773EDE252.

General notes regarding security reporting

As always, we ask that potential security issues be reported via private email to security@djangoproject.com, and not via Django's Trac instance or the django-developers list. Please see our security policies for further information.

From The Django weblog on Jan. 22, 2018, 10:53 p.m.

2017 Malcolm Tredinnick Memorial Prize awarded to Claude Paroz

The Board of the Django Software Foundation is pleased to announce that the 2017 Malcolm Tredinnick Memorial Prize has been awarded to Claude Paroz.

Claude has been a contributor to Django since 2012. He was selected for the prize by the board from amongst the nominees on the basis of his long-term, consistent contribution. Claude has given service to Django through code and also by enabling others to contribute effectively.

His work represents a less-visible but essential aspect of contribution to Django. It's not the kind of work that will be publicly applauded at a conference, or stand out as news, but it's of enormous importance to the project. Claude is owed a debt of thanks for it.

Tim Graham wrote in his nomination:

I nominate Claude Paroz for five years of tireless and unheralded contributions to Django, including shepherding the GeoDjango project and serving as the Django translations manager. He's the primary answering authority on the geodjango and django-i18n mailing lists.

While his contributing began in 2012, Claude is the most active volunteer contributor based on number of commits since 2008. He regularly offers his expertise by triaging tickets and reviewing pull requests. If I ask Claude for some advice in an area of Django in which I'm less versed, his responses are quick, respectful, and helpful.

Several other people were also nominated for this prize. The Malcolm Tredinnick prize could once again have deservedly been awarded several times over. It is an enduring pleasure to observe that there is no shortage of members of our community who, like Claude, exemplify the spirit of generosity and support that the prize celebrates.

The other nominees were:

  • Ifunanya Ikemma, for her work teaching and encouraging women into programming, through PyLadies and Django Girls in Nigeria
  • Katie McLaughlin, for her work in open source projects as a contributor and mentor
  • Melanie Crutchfield, for her work with PyLadies and Django Girls
  • Jeff Triplett, for his huge contribution to the running of DjangoCon US, and the consistently warm, supportive attitude he brings to this and to his other work in the world of Django
  • Veronica Munro, for her work organising Django Girls events in Australia
  • Lacey Williams Henschel, for her work in DEFNA, DjangoCon US, and helping to build the Django community in the US
  • Tim Graham, for being an ever-responsive and valuable point of technical contact for Django.

Many congratulations to Claude, and our sincere thanks to all the nominees for their continued work in Django. Thanks are also due to all who took the trouble to nominate someone.

From The Django weblog on Jan. 12, 2018, 5:07 p.m.

The DSF Welcomes Carlton Gibson as its Newest Fellow

On November 16, 2017, the DSF made a call for Django Fellow applicants. On behalf of the Django Software Foundation, the DSF Fellowship Committee is pleased to announce Carlton Gibson as the newest Django Fellow. Carlton is joining Tim Graham who recently announced his scale back of hours. Tim will be transitioning to part-time but remaining as a Fellow.

Carlton has been involved in the Django community since 2009. He has been a core team member of the Django REST Framework for several years. He's a major contributor to Django Filter, Django Crispy Forms and Django AppConf as well as Django Compressor and many others. He is also an instructor for Django Girls in Barcelona.

The DSF received 15 applicants, all of whom were reviewed by the Fellowship Committee before coming to a consensus decision on Carlton. The level of talent and professionalism in the applicant pool made the decision process a difficult one. We are grateful for all who applied and their desire to participate in this important initiative.

The Fellowship program has been a great success for the past three years and is only possible through generous support of the Django Software Foundation. If you or your organization benefit from Django and the work of the Fellowship program, please consider a donation. Every dollar amount, large or small, makes an impact.

From The Django weblog on Jan. 6, 2018, 9:27 a.m.

Results of the DSF Board election

The DSF membership elected a new board last month. The six elected directors of the DSF for 2018 are (in alphabetical order):

  • James Bennett
  • Daniele Procida
  • Rebecca Conley
  • Anna Makarudze
  • Katie McLaughlin
  • Frank Wiles

There were 39 candidates this year. Last year, there were just six.

We had multiple candidates from each of: North and South America, Europe, Australia, India and Africa.

This year, half of the board is from outside of the USA; previously the USA has been heavily over-represented.

53 people voted, compared with 12 last year.

Half of our board members are women, and we have our first African director of the DSF (Anna Makarudze).

Many thanks to all who participated - both those who voted, and especially those who put themselves forward to serve on the board. Thanks are also due to the outgoing Board.

From The Django weblog on Jan. 2, 2018, 1:08 a.m.

Django bugfix releases: 2.0.1 and 1.11.9

Today we've issued the 2.0.1 and 1.11.9 bugfix releases.

The release package and checksums are available from our downloads page, as well as from the Python Package Index. The PGP key ID used for this release is Tim Graham: 1E8ABDC773EDE252.

From The Django weblog on Dec. 18, 2017, 3 p.m.

DjangoCon Europe 2018 Update: Early Bird Tickets, CFP, and Opportunity grants are open!

In case you missed the news, DjangoCon Europe 2018 will take place in beautiful Heidelberg, Germany, from May 23-27, 2018! We've started selling early bird tickets, and opened the Call for Participation and Opportunity Grant applications. We are also looking for sponsors.

Early Bird Tickets

Early Bird Tickets are now available for a reduced price. Early Bird tickets are currently planned to be available until end of January, so be sure to get yours soon!

Buying an Early Bird Ticket isn’t just great for you, it also helps us estimate the number of attendees we will have, and gives us more time to handle any special requirements you may have.

You will notice that our ticket pricing allows you to input a ticket price of your choice. With the additional money, we are able to make it a more inclusive conference by investing in accessibility improvements as well as our opportunity grant program, helping people with little resources, and/or a lack of representation in our community to participate in DjangoCon Europe 2018. Please choose to give more if you can – you’ll have a very direct impact on how wonderful our conference and our community will be.

Call for Participation (CFP)

Our CFP for talks and tutorials is now open! The deadline for submissions is February 1, 2018. We’re looking for speakers of all experience levels and backgrounds, and are currently working on our (opt-in) speaker mentoring program. Talk and tutorial presenters receive free admission to DjangoCon Europe. You can edit your submission until the deadline, so there's no need to wait. If you need additional financial support, please apply to the Opportunity Grant program, where speakers are given special consideration.

Opportunity Grant Application

We are very proud of our opportunity grant program – this is what you may know from other or previous conferences as the financial aid program. If (either as an attendee or a speaker) paying for accommodations and travelling expenses would be difficult for you, especially if you belong to a marginalized or underrepresented group in tech, please check it out.

You have until February 1st to submit your request, to give us sufficient time to go through requests, which in turn gives you sufficient time to plan your journey, handle visa applications, and answer all questions you may have.

Sponsor opportunities

We are only able to run this conference with the support of sponsors that share our goal to create a wonderful, diverse and insightful event. If you are interested in sponsoring DjangoCon Europe 2018, please see our sponsorship page and brochure.

Sponsoring is a great opportunity to market developer-focused products, recruit developers, and to give back to the community if you use Django to build your products. DjangoCon Europe has a great track record in supporting diversity in tech. We are committed to continue this tradition and we need strong partners to make this possible.

Your own employees can profit a lot from attending DjangoCon Europe. Not only does the conference provide valuable education in the form of talks and workshops that improve their professional and technical skills, it is also the single best place to start building a network within a community of potential future partners. Many sponsorship packages include a number of tickets.

From The Django weblog on Dec. 12, 2017, 4:37 p.m.

DSF travel grants available for PyCon Namibia 2018

About PyCon Namibia

PyCon Namibia held its first edition in 2015.

The conference has been held annually since then, and has been at the heart of a new open-source software movement in Namibia. In particular, through PyNam, the Namibian Python Society, Python has become the focus of self-organised community volunteering activity in schools and universities.

In the last two years, assisted greatly by Helen Sherwood-Taylor, Django Girls has become an important part of the event too.

PyCons in Africa

The conference has also been the direct prompt for further new PyCons across Africa; Zimbabwe in 2016, Nigeria in 2017 and a planned PyCon Ghana next year. In each case, PyCon attendees from another country have returned home to set up their own events.

An important aspect of these events is the opportunity to establish relationships with the international community. Numerous people have travelled from other corners of the world to meet African programmers in their own countries, and many have returned multiple times.

Be a Pythonista, not a tourist

There is enormous value in this exchange, which gives Python/Django programmers from beyond Africa a unique opportunity to encounter African programmers in their own country, and to visit not as passing tourists but as Pythonistas and Djangonauts who will form long-term relationships with their African counterparts. This helps ensure that the international Python community meaningfully includes its members, wherever in the world they may be, and represents a chance like no other to understand them and what Python might mean in Africa.

There is probably no better way to understand what Python might mean in Namibia, for example, than having lunch with a group of Namibian high-school pupils and hearing about their ideas and plans for programming.

This exchange enriches not only the PyCon itself, but also the lives of the Pythonistas that it embraces, from both countries, and the communities they are a part of.

About the travel fund

In order to help maintain this valuable exchange between international Python communities, the Django Software Foundation has set aside a total of US$1500 to help enable travellers from abroad to visit Namibia for next year's PyCon, 20th-22nd February.

The DSF seeks expressions of interest from members of the international Django community who'd like to take advantage of these funds.

Please get in touch with us by email. We'd like to know:

  • who you are
  • why you'd like to participate
  • where you are travelling from and how much you estimate you will need

PyCon Namibia will benefit most from attendees who are interested in developing long-term relationships with its community and attendees.

See the conference website for information about travel and more.

From The Django weblog on Dec. 7, 2017, 2:27 p.m.

What it's like to serve on the DSF Board

I am currently the Vice-President of the Django Software Foundation, and have served as a member of the DSF Board for two years. This article is intended to help give a clearer picture of what's involved in being on the DSF Board, and might help some people decide whether they wish to stand for election.

What we do

Each month we - the six directors - have a board meeting, via Hangout. This lasts about an hour. We follow an agenda, and discuss questions that have arisen, have a report on the state of our finances, and vote on any questions that have come up.

Each month a number of the questions we vote on are about grant applications for events (conferences, Django Girls and so on) and nominations for new members.

Mostly it's fairly routine business, and doesn't require much deliberation.

Occasionally there are trickier questions, for example that might concern:

  • matters where we are not sure what the best way forward is
  • legal questions about what the DSF is and isn't allowed to do
  • disagreements or contentious questions within the DSF or Django community

On the whole we find that when it's a matter of judgement about something, we come to agreement pretty quickly.

At each meeting we'll each agree to take on certain administrative tasks that follow on from the discussion.

During the month a number of email messages come in that need to be answered - mostly enquiries about support for events, use of the Django logo, and so on, and also several for technical help with Django that we refer elsewhere.

Any one of us will answer those, if we can.

Some members of the board have special duties or interests - for example the Treasurer and Secretary have official duties, while I often take up enquiries about events.

Overall, it's a few hours' work each month.

What you need to be a board member

The board members are officially "Directors of the Django Software Foundation", which might make it sound more glamorous and/or difficult than it really is. It's neither...

If you can:

  • spare a few hours each month
  • spare some personal energy for the job
  • take part in meetings and help make decisions
  • answer email
  • read proposals, requests, applications and other documents carefully
  • help write documents (whether it's composing or proof-reading)
  • listen to people and voices in the Django community

then you probably have everything that's required to make a genuine, valuable contribution to Django by serving on the board.

Obviously, to serve as the Treasurer or Secretary requires some basic suitable skills for those roles - but you don't need to be a qualified accountant or have formal training.

In any case, no-one is born a DSF board member, and it's perfectly reasonable that in such a role you will learn to do new things if you don't know them already.

What it's like

I can only speak for myself - but I enjoy the work very much. Everyone on the board has a common aim of serving Django and its community, and the way the board works is friendly, collaborative and supportive. There's room for a variety of skills, special knowledge and experience. Different perspectives are welcomed.

There's also a very clear Django ethos and direction, that aims at inclusivity and generosity. The sustainability of the project and the well-being of people involved in it are always concerns that are visibly and explicitly on the table in board discussions.

It's a very good feeling each month to have our board meeting and be reminded how true the "boring means stable" equation is. Django is a big ship, and it sails on month after month, steadily. It requires some steering, and a shared vision of the way ahead, but progresses without big dramas. As a member of the board, this makes me feel that I am involved in something safe and sustainable.

I've been on the DSF board for nearly two years. Serving on the board does require some extra energy and time in my life, but it very rarely, if ever, feels like wasted or useless expenditure of energy. What we do makes sense, and has actual, tangible, useful results.

If you have some energy that you would like to do something useful with to help Django and all the individuals and organisations involved in it, I think that serving as DSF board member is an excellent way to use it, because the DSF is a machine that works well and your time and energy won't be wasted.

All of this discussion has been wholly from my own perspective, and even then it's quite incomplete. I'm just one board member of six, and other board members might have things they feel are important to add that I have not mentioned. Even so, I hope this account reassures anyone who had any doubts that:

  • they don't need special skills or credentials to be a board member
  • being a board member is a rewarding way to spend their time and energy
  • serving on the board makes a genuine contribution to Django

Daniele Procida

From The Django weblog on Dec. 6, 2017, 9:14 p.m.

Results of the Django/PyCharm Promotion 2017

We’re happy to report that our second iteration of the Django/PyCharm fundraising campaign - which we ran this summer - was a huge success. This year we helped raise a total of $66,094 USD for the Django Software Foundation! Last year (2016) we ran a similar campaign which resulted in a collective contribution of $50,000 USD to the cause. We’re happy we could raise even more money this year for the Django community!

If you missed the campaign here’s the essence of the past promotion: For 3 weeks this summer, Django developers could effectively donate to Django Software Foundation by purchasing a new individual PyCharm Professional annual subscription at 30% off, with all proceeds from the sales going to the Django Software Foundation. Read more details here.

All the money raised goes toward Django outreach and diversity programs: supporting DSF, the Django Fellowship program, Django Girls workshops, sponsoring official Django conferences, and other equally incredible projects.

We want to say huge thanks to the DSF for their active collaboration and making this fundraiser happen. We hope that in 2018 we’ll be able to make this yearly event even more successful!

The DSF general fundraising campaign is still on-going, and we encourage everyone to contribute to the success of Django by donating to DSF directly.

If you have any questions, get in touch with us at fundraising@djangoproject.com or JetBrains at pycharm-support@jetbrains.com.

From The Django weblog on Dec. 2, 2017, 3:32 p.m.

Django 2.0 released

The Django team is happy to announce the release of Django 2.0.

This release starts Django’s use of a loose form of semantic versioning, but there aren’t any major backwards incompatible changes (except that support for Python 2.7 is removed) that might be expected of a 2.0 release. Upgrading should be a similar amount of effort as past feature releases.

The release notes cover the assortment of new features in detail, but a few highlights are:

You can get Django 2.0 from our downloads page or from the Python Package Index. The PGP key ID used for this release is Tim Graham: 1E8ABDC773EDE252.

With the release of Django 2.0, Django 1.11 has reached the end of mainstream support. The final minor bug fix release, 1.11.8, was issued today. As a long-term support release, Django 1.11 will receive security and data loss fixes until April 2020.

Django 1.10 has reached the end of extended support. All Django 1.10 users are encouraged to upgrade to Django 1.11 or later to continue receiving fixes for security issues.

See the downloads page for a table of supported versions and the future release schedule.

From The Django weblog on Nov. 16, 2017, 2:18 p.m.

DSF calls for applicants for a Django Fellow

After three years of full-time work as the Django Fellow, I'd like to scale back my involvement to part-time. That means it's time to hire another Fellow who would like to work on Django 20-40 hours per week. The position is ongoing - the successful applicant will have the position until they choose to step down.

The position of Fellow is primarily focused on housekeeping and community support - you'll be expected to do the work that would benefit from constant, guaranteed attention rather than volunteer-only efforts. In particular, your duties will include:

  • monitoring the security@djangoproject.com email alias and ensuring security issues are acknowledged and responded to promptly
  • fixing release blockers and helping to ensure timely releases
  • fixing severe bugs and helping to backport fixes to these and security issues
  • reviewing and merging pull requests
  • triaging tickets on Trac
  • answering user questions on IRC and the django-developers mailing list
  • helping new Django contributors land patches and learn our philosophy

Being a committer isn't a prerequisite for this position; we'll consider applications from anyone with a proven history of working with either the Django community or another similar open-source community.

Your geographical location isn't important either - we have several methods of remote communication and coordination that we can use depending on the timezone difference to the supervising members of Django.

You'll be expected to post a weekly report of your work to the django-developers mailing list.

If you don't perform the duties to a satisfactory level, we may end your contract. We may also terminate the contract if we're unable to raise sufficient funds to support the Fellowship on an ongoing basis (unlikely, given the current fundraising levels).

Compensation isn't competitive with full-time salaries in big cities like San Francisco or London. The Fellow will be selected to make best use of available funds.

If you're interested in applying for the position, please email us with details of your experience with Django and open-source contribution and community support in general, the amount of time each week you'd like to dedicate to the position (a minimum of 20 hours a week), your hourly rate, and when you'd like to start working. The start date is flexible and will be on or after January 1, 2018.

Applications will be open until 1200 UTC, December 18, 2017, with the expectation that the successful candidate will be announced around December 22.

Successful applicants will not be an employee of the Django Project or the Django Software Foundation. Fellows will be contractors and expected to ensure that they meet all of their resident country's criteria for self-employment or having a shell consulting company, invoicing the DSF on a monthly basis and ensuring they pay all relevant taxes.

If you or your company is interested in helping fund this program and future DSF activities, please consider becoming a corporate member to learn about corporate membership, or you can make a donation to the Django Software Foundation.

From The Django weblog on Nov. 15, 2017, 11:54 p.m.

Django 2.0 release candidate 1 released

Django 2.0 release candidate 1 is the final opportunity for you to try out the assortment of new features before Django 2.0 is released.

The release candidate stage marks the string freeze and the call for translators to submit translations. Provided no major bugs are discovered that can't be solved in the next two weeks, Django 2.0 will be released on or around December 1. Any delays will be communicated on the django-developers mailing list thread.

Please use this opportunity to help find and fix bugs (which should be reported to the issue tracker). You can grab a copy of the package from our downloads page or on PyPI.

The PGP key ID used for this release is Tim Graham: 1E8ABDC773EDE252.

From The Django weblog on Nov. 10, 2017, 4:12 p.m.

Nominations for the Malcolm Tredinnick Memorial Prize 2017

Malcolm Tredinnick was an early member of Django's core team. He contributed a great deal of code to the Django Project, and a vast amount of his time helping and encouraging others.

Malcolm died young, in March 2013. In his memory, the Malcolm Tredinnick Memorial Prize is awarded annually. It is intended to recognise someone who participates in the Django community in the same spirit as Malcolm: welcoming, nurturing and supporting newcomers and helping other people.

You can read more about Malcolm and his contribution to Django, and about the prize.

We invite your nominations for this year's prize. Please drop us a line at foundation@djangoproject.com, telling us whom you'd like to nominate and why you think their contribution is a worthy continuation of Malcolm's work for the Django community.

Anyone is welcome to nominate a candidate.

Nominations will remain open for two weeks (until Friday 24th November 2017).

From The Django weblog on Nov. 8, 2017, 3:33 a.m.

2018 DSF Board Election Application

It is that time of year again to think about next year’s Django Software Foundation’s Board of Directors!

As you know, the Board guides the direction of the marketing, governance and outreach activities of the Django community. We provide funding, resources, and guidance to Django events on a global level. Further we provide support to the Django community with an established Code of Conduct and make decisions and enforcement recommendations for violations. We work closely with our corporate and individual members to raise funds to help support our great community.

In order for our community to continue to grow and advance the Django Web framework, we need your help. The Board of Directors consists of volunteers who are elected to one year terms. This is an excellent opportunity to help advance Django. We can’t do it without volunteers, such as yourself. For the most part, the time commitment is a few hours per month. There has been some confusion on this in the past, but anyone including current Board members, DSF Members, or the public at large can apply to the Board. It is open to all.

If you are interested in helping to support the development of Django we’d enjoy receiving your application for the Board of Directors. Please fill out the application form by 9 December 2017 to be considered. If it is still 9 December somewhere in the world, applications will remain open.

If you have any questions about applying, the work, or the process in general please don’t hesitate to reach out via email to foundation@djangoproject.com and one of us will get back with you shortly.

Thank you for your time and we look forward to working with you in 2018.

The 2017 DSF Board of Directors

From The Django weblog on Nov. 2, 2017, 1:39 a.m.

Django bugfix release: 1.11.7

Today we've issued the 1.11.7 bugfix release.

The release package and checksums are available from our downloads page, as well as from the Python Package Index. The PGP key ID used for this release is Tim Graham: 1E8ABDC773EDE252.

From The Django weblog on Oct. 17, 2017, 3:09 a.m.

Django 2.0 beta 1 released

Django 2.0 beta 1 is an opportunity for you to try out the assortment of new features in Django 2.0.

Only bugs in new features and regressions from earlier versions of Django will be fixed between now and 2.0 final (also, translations will be updated following the "string freeze" when the release candidate is issued). The current release schedule calls for a release candidate in a month from now with the final release to follow about two weeks after that around December 1. Early and often testing from the community will help minimize the number of bugs in the release. Updates on the release schedule are available on the django-developers mailing list.

As with all alpha and beta packages, this is not for production use. But if you'd like to take some of the new features for a spin, or to help find and fix bugs (which should be reported to the issue tracker), you can grab a copy of the beta package from our downloads page or on PyPI.

The PGP key ID used for this release is Tim Graham: 1E8ABDC773EDE252.

From The Django weblog on Oct. 5, 2017, 9:01 p.m.

Django bugfix release: 1.11.6

Today we've issued the 1.11.6 bugfix release.

The release package and checksums are available from our downloads page, as well as from the Python Package Index. The PGP key ID used for this release is Tim Graham: 1E8ABDC773EDE252.

From The Django weblog on Sept. 22, 2017, 7:32 p.m.

Django 2.0 alpha 1 released

Django 2.0 alpha 1 is now available. It represents the first stage in the 2.0 release cycle and is an opportunity for you to try out the changes coming in Django 2.0.

Django 2.0 has an assortment of new features which you can read about in the in-development 2.0 release notes.

This alpha milestone marks a complete feature freeze. The current release schedule calls for a beta release in about a month and a release candidate about a month from then. We'll only be able to keep this schedule if we get early and often testing from the community. Updates on the release schedule are available on the django-developers mailing list.

As with all alpha and beta packages, this is not for production use. But if you'd like to take some of the new features for a spin, or to help find and fix bugs (which should be reported to the issue tracker), you can grab a copy of the alpha package from our downloads page or on PyPI.

The PGP key ID used for this release is Tim Graham: 1E8ABDC773EDE252.

From The Django weblog on Sept. 5, 2017, 5:25 p.m.

Django security releases issued: 1.11.5 and 1.10.8

In accordance with our security release policy, the Django team is issuing Django 1.11.5 and Django 1.10.8. These releases address the security issue detailed below. We encourage all users of Django to upgrade as soon as possible.

CVE-2017-12794: Possible XSS in traceback section of technical 500 debug page

In older versions, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites since you shouldn't run with DEBUG = True (which makes this page accessible) in your production settings.

Thanks Charles Bideau for reporting this issue.

Affected supported versions

  • Django master development branch
  • Django 1.11
  • Django 1.10

Per our supported versions policy, Django 1.9 is no longer supported. Django 1.8 is unaffected.

Resolution

Patches to resolve the issues have been applied to Django's master development branch and the 1.11 and 1.10 release branches. The patches may be obtained from the following changesets:

The following releases have been issued:

The PGP key ID used for these releases is Tim Graham: 1E8ABDC773EDE252.

General notes regarding security reporting

As always, we ask that potential security issues be reported via private email to security@djangoproject.com, and not via Django's Trac instance or the django-developers list. Please see our security policies for further information.

From The Django weblog on Aug. 15, 2017, 3:38 p.m.

Support a Great Partnership: PyCharm and Django Team up Again

Last June (2016) JetBrains PyCharm partnered with the Django Software Foundation to generate a big boost to Django fundraising. The campaign was a huge success. Together we raised a total of $50,000 for the Django Software Foundation!

This year we hope to repeat that success. During the two-week campaign, buy a new PyCharm Professional Edition individual license with a 30% discount code, and all the money raised will go to the DSF’s general fundraising and the Django Fellowship program.

Promotion details

Up until Aug 28th, you can effectively donate to Django by purchasing a New Individual PyCharm Professional annual subscription at 30% off. It’s very simple:

  1. When buying a new annual PyCharm subscription in our e-store, on the checkout page, click “Have a discount code?”.
  2. Enter the following 30% discount promo code:
    IDONATETODJANGO
    Alternatively, just click this shortcut link to go to the e-store with the code automatically applied.
  3. Fill in the other required fields on the page and click the “Place order” button.

All of the income from this promotion code will go to the DSF fundraising campaign 2017 – not just the profits, but actually the entire sales amount including taxes, transaction fees – everything. The campaign will help the DSF to maintain the healthy state of the Django project and help them continue contributing to their different outreach and diversity programs.

Read more details on the special promotion page.

“Django has grown to be a world-class web framework, and coupled with PyCharm’s Django support, we can give tremendous developer productivity,” says Frank Wiles, DSF President. “Last year JetBrains was a great partner for us in support of raising money for the Django Software Foundation, on behalf of the community, I would like to extend our deepest thanks for their generous help. Together we hope to make this a yearly event!”

If you have any questions, get in touch with Django at fundraising@djangoproject.com or JetBrains at sales@jetbrains.com.

From The Django weblog on Aug. 1, 2017, 1:47 p.m.

Django bugfix release: 1.11.4

Today we've issued the 1.11.4 bugfix release.

The release package and checksums are available from our downloads page, as well as from the Python Package Index. The PGP key ID used for this release is Tim Graham: 1E8ABDC773EDE252.

From The Django weblog on July 2, 2017, 12:38 p.m.

DjangoCon Europe 2018 Call for volunteers

2018's DjangoCon Europe will be held in beautiful Heidelberg, from the 23rd to the 27th May.

There is a lot to do, but it's very much worth it – DjangoCon Europe is an extremely friendly, open, inclusive, and informative (for beginners and advanced users alike) conference.

We're looking for support in the following areas, but if you have other interests and want to help out, please contact us:

  • Sponsors – Contacts, logistics, room/booth assignment
  • Communications – Press, community relations, announcements, social media, attendee tools, volunteer coordination
  • Support – Helpdesk, attendee support contact, visa help, travel management, chat support for attendees, on-site volunteer organization, speaker support
  • Financial Aid – Setup, grant selection, aid organisation
  • Marketing/Design – Brochures, advertisements, banners, flyers, travel guide, t-shirts, lanyards, badges, panels, logo
  • Program – Talk selection, scheduling, session chairs, sprint/openspace/keynote/lightning talks/poster session organization
  • Code of Conduct – Drafting documents, handling of requests and issues
  • Diversity advocate – Accessibility considerations, outreach
  • On-site Team – Catering contacts, child care, social events planning, on-site logistics

Of course, we're happy about everyone joining us who has prior experience in one of these areas, but if you don't, that's fine as well! We'll work something out and you'll be experienced in that area afterwards.

Your location is not important, either (we can do all things that need to be done in Heidelberg itself) – the only important thing is that you have the energy and free time to help organize a wonderful DjangoCon Europe. You do not need to speak German - all team and attendee communication is in English and we have German-speaking people on board for venue contacts and the like.

Don't be shy - drop us a line at 2018@djangocon.eu, because we're looking forward to hearing from you!

Tobias Kunze and Raphael Michel

From The Django weblog on July 2, 2017, 12:42 a.m.

Django bugfix release: 1.11.3

Today we've issued the 1.11.3 bugfix release.

The release package and checksums are available from our downloads page, as well as from the Python Package Index. The PGP key ID used for this release is Tim Graham: 1E8ABDC773EDE252.

From The Django weblog on June 22, 2017, 6:46 p.m.

DjangoCon US Schedule Is Live

We are less than two months away from DjangoCon US in Spokane, WA, and we are pleased to announce that our schedule is live! We received an amazing number of excellent proposals, and the reviewers and program team had a difficult job choosing the final talks. We think you will love them. Thank you to everyone who submitted a proposal or helped to review them.

Tickets for the conference are still on sale! Check out our website for more information on which ticket type to select. We have also announced our tutorials. They are $150 each, and may be purchased at the same place as the conference tickets.

DjangoCon US will be held August 13-18 at the gorgeous Hotel RL in downtown Spokane. Our hotel block rate expires July 11, so reserve your room today!


From The Django weblog on June 1, 2017, 5:51 p.m.

Django bugfix release: 1.11.2

Today we've issued the 1.11.2 bugfix release.

The release package and checksums are available from our downloads page, as well as from the Python Package Index. The PGP key ID used for this release is Tim Graham: 1E8ABDC773EDE252.

From The Django weblog on May 6, 2017, 2:48 p.m.

Django bugfix release: 1.11.1

Today we've issued the 1.11.1 bugfix release.

The release package and checksums are available from our downloads page, as well as from the Python Package Index. The PGP key ID used for this release is Tim Graham: 1E8ABDC773EDE252.

From The Django weblog on April 25, 2017, 10:05 a.m.

DjangoCon Europe 2017 in retrospect

DjangoCon Europe 2017 upheld all the traditions established by previous editions: a volunteer-run event, speakers from all sections of the community and a commitment to stage a memorable, enjoyable conference for all attendees.

Held in a stunning Art Deco cinema in the centre of the city, this year's edition was host to over 350 Djangonauts.

The team of always-smiling and willing volunteers, led by Emanuela Dal Mas and Iacopo Spalletti under the auspices of the Fuzzy Brains association, created a stellar success on behalf of all the community.

Of note in this year's conference was an emphasis on inclusion, as expressed in the conference's manifesto. The organisers' efforts to expand the notion of inclusion were visible in the number of attendees from Africa and south Asia, nearly all of whom were also given a platform at the event. This was made possible not only by the financial assistance programme but also through the considerable logistical help the organisers were able to offer.

The conference's opening keynote talk by Anna Makarudze and Humphrey Butau on the growing Python community in Zimbabwe, and an all-woman panel discussing their journeys in technology, were just two examples of a commitment to making more space for voices and stories that are less often heard.

DjangoCon Europe continues to thrive and sparkle in the hands of the people who care about it most, and who step forward each year as volunteers who commit hundreds of hours of their time to make the best possible success of it. Once again, this care has shone through.

On behalf of the whole Django community, the Django Software Foundation would like to thank the entire organising team and all the other volunteers of this year's DjangoCon Europe, for putting on a superb and memorable production.

The next DjangoCons in Europe

The DSF Board is considering bids for DjangoCon Europe 2018-2020. If you're interested in hosting the event in one of these years, we'd like to hear from you as soon as possible.

From The Django weblog on April 4, 2017, 5:04 p.m.

Django 1.11 released

The Django team is happy to announce the release of Django 1.11.

This version has been designated as a long-term support (LTS) release, which means that security and data loss fixes will be applied for at least the next three years. It will also receive fixes for crashing bugs, major functionality bugs in newly-introduced features, and regressions from older versions of Django for the next eight months until December 2017.

As always, the release notes cover the medley of new features in detail, but a few highlights are:

You can get Django 1.11 from our downloads page or from the Python Package Index. The PGP key ID used for this release is Tim Graham: 1E8ABDC773EDE252.

With the release of Django 1.11, Django 1.10 has reached the end of mainstream support. The final minor bugfix release (1.10.7) was issued today. Django 1.10 will receive security and data loss fixes for another eight months until December 2017.

Django 1.9 has reached the end of extended support. The final security release (1.9.13) was issued today. All Django 1.9 users are encouraged to upgrade to Django 1.10 or later.

See the downloads page for a table of supported versions and the future release schedule.

From The Django weblog on April 4, 2017, 4:24 p.m.

Django security releases issued: 1.10.7, 1.9.13, and 1.8.18

In accordance with our security release policy, the Django team is issuing Django 1.10.7, Django 1.9.13 and 1.8.18. These releases address two security issues detailed below. We encourage all users of Django to upgrade as soon as possible. The Django master and stable/1.11.x branches are also updated. The Django 1.11 release is forthcoming shortly in a separate blog post.

CVE-2017-7233: Open redirect and possible XSS attack via user-supplied numeric redirect URLs

Django relies on user input in some cases (e.g. django.contrib.auth.views.login() and i18n) to redirect the user to an "on success" URL. The security check for these redirects (namely django.utils.http.is_safe_url()) considered some numeric URLs (e.g. http:999999999) "safe" when they shouldn't be.

Also, if a developer relies on is_safe_url() to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack.
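A regression check for the numeric-URL case, as an added example rather than Django's own is_safe_url(): the hypothetical is_safe_redirect() below extracts the scheme itself instead of trusting a URL parser's guess, and accepts only same-site paths or http(s) URLs whose host is on an allow-list. The host names and sample URLs are constructed.

```python
import re

# RFC 3986 scheme syntax: a letter followed by letters, digits, "+", "." or "-".
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def is_safe_redirect(url, allowed_hosts):
    """Return True only for redirect targets that stay on an allowed host.

    Hypothetical helper for illustration; `allowed_hosts` is a set of exact
    lower-case host[:port] strings chosen by the application.
    """
    if not url or not isinstance(url, str):
        return False
    url = url.strip()
    if not url:
        return False
    # Backslashes and control characters are handled leniently by browsers,
    # so a strict validator refuses them outright.
    if "\\" in url or any(ord(c) < 0x20 or ord(c) == 0x7F for c in url):
        return False

    match = _SCHEME_RE.match(url)
    if match:
        if match.group(1).lower() not in ("http", "https"):
            return False
        rest = url[match.end():]
        # A scheme must be followed by "//host". This is the branch that
        # rejects "http:999999999" and "http:///host".
        if not rest.startswith("//") or rest.startswith("///"):
            return False
        authority = re.split(r"[/?#]", rest[2:], maxsplit=1)[0]
        if "@" in authority:  # userinfo can disguise the real host
            return False
        return authority.lower() in allowed_hosts

    # No scheme: accept only an absolute path on this site, never "//host".
    return url.startswith("/") and not url.startswith("//")


ALLOWED = {"www.example.com"}  # constructed allow-list

# Constructed sample inputs mapped to the expected verdict.
SAMPLES = {
    "/accounts/profile/": True,
    "https://www.example.com/next?page=2": True,
    "http:999999999": False,          # the numeric form named in the advisory
    "//attacker.example/": False,     # scheme-relative URL
    "https://attacker.example/": False,
    "javascript:alert(1)": False,     # matters when the value is put into a link
}


def check_samples():
    """Return the inputs whose verdict differs from the expected one."""
    return [u for u, want in SAMPLES.items() if is_safe_redirect(u, ALLOWED) != want]


if __name__ == "__main__":
    print("mismatches:", check_samples())
```
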

CVE-2017-7234: Open redirect vulnerability in django.views.static.serve()

A maliciously crafted URL to a Django site using the django.views.static.serve() view could redirect to any other domain. The view no longer does any redirects as they don't provide any known, useful functionality.

Note, however, that this view has always carried a warning that it is not hardened for production use and should be used only as a development aid.

Thanks Phithon Gong for reporting this issue.

Affected supported versions

  • Django master development branch
  • Django 1.11 (at release candidate status, final release forthcoming)
  • Django 1.10
  • Django 1.9
  • Django 1.8

Per our supported versions policy, Django 1.7 and older are no longer receiving security updates. Also, Django 1.9.x has reached end-of-life -- this is the final release of that series.

Resolution

Patches to resolve the issues have been applied to Django's master development branch and the 1.11, 1.10, 1.9, and 1.8 release branches. The patches may be obtained from the following changesets:

On the development master branch:

On the 1.11 release branch:

On the 1.10 release branch:

On the 1.9 release branch:

On the 1.8 release branch:

The following releases have been issued:

The PGP key ID used for these releases is Tim Graham: 1E8ABDC773EDE252.

General notes regarding security reporting

As always, we ask that potential security issues be reported via private email to security@djangoproject.com, and not via Django's Trac instance or the django-developers list. Please see our security policies for further information.

From The Django weblog on March 30, 2017, 7:41 p.m.

DjangoCon US 2017 Update

Tickets are on sale for DjangoCon US 2017 in Spokane, WA! We’re also looking for reviewers for our talk and tutorial proposals, and our CFP and financial aid application are closing soon.

Tickets Are on Sale

Tickets are now on sale! DjangoCon US has tiered pricing, and we put together a blog post with more details. We hope to see you in Spokane August 13-18.

Call for Reviewers

We’re looking for volunteers to help review talk and tutorial proposals. This will require a few hours of time from now until April 24. Reviewing talks only takes a couple of minutes per talk. Reviewers don’t need to review all talks and tutorials and don’t need to review them all in one day. Most people find that reviewing talks for 30 minutes at a time, once or twice a week, gets them through the talks pretty quickly. If you’re interested, please email hello@djangocon.us. Thank you to all of the awesome volunteers who have already signed up!

Call for Proposals Deadline

Our Call for Proposals (CFP) deadline is quickly approaching! April 10 at midnight Anywhere on Earth is the deadline to submit a talk or tutorial proposal. We would love to see a few more tutorial proposals (tutorials are compensated!). Please get in touch with us or our wonderful speaker mentors if you need help refining or expanding on an idea.

Financial Aid Deadline

The DjangoCon US financial aid application also closes on April 10. We have more information and FAQs about financial aid on our website. The application is short and sweet, so please apply today!

From The Django weblog on March 21, 2017, 11:03 p.m.

Django 1.11 release candidate 1 released

Django 1.11 release candidate 1 is the final opportunity for you to try out the medley of new features before Django 1.11 is released.

The release candidate stage marks the string freeze and the call for translators to submit translations. Provided no major bugs are discovered that can't be solved in the next two weeks, 1.11 final will be issued on or around April 4. Any delays will be communicated on the django-developers mailing list thread.

Please use this opportunity to help find and fix bugs (which should be reported to the issue tracker). You can grab a copy of the package from our downloads page or on PyPI.

The PGP key ID used for this release is Tim Graham: 1E8ABDC773EDE252.

From The Django weblog on March 1, 2017, 1:25 p.m.

Django bugfix release: 1.10.6

Today we've issued the 1.10.6 bugfix release.

The release package and checksums are available from our downloads page, as well as from the Python Package Index. The PGP key ID used for this release is Tim Graham: 1E8ABDC773EDE252.

From The Django weblog on Feb. 20, 2017, 11:27 p.m.

Django 1.11 beta 1 released

Django 1.11 beta 1 is an opportunity for you to try out the medley of new features in Django 1.11.

Only bugs in new features and regressions from earlier versions of Django will be fixed between now and 1.11 final (also, translations will be updated following the "string freeze" when the release candidate is issued). The current release schedule calls for a release candidate about a month from now with the final release to follow about two weeks after that around April 1. We'll only be able to keep this schedule if we get early and often testing from the community. Updates on the release schedule are available on the django-developers mailing list.

As with all alpha and beta packages, this is not for production use. But if you'd like to take some of the new features for a spin, or to help find and fix bugs (which should be reported to the issue tracker), you can grab a copy of the beta package from our downloads page or on PyPI.

The PGP key ID used for this release is Tim Graham: 1E8ABDC773EDE252.

From The Django weblog on Feb. 13, 2017, 4:13 p.m.

DjangoCon US 2017 Update: Call for Proposals, Mentorship, and Financial Aid Are Open!

In case you missed the news, DjangoCon US 2017 will take place in beautiful Spokane, Washington, from August 13-18, 2017! We’ll have more information on the venue and ticket sales soon, but we’re pleased to announce the following items.

Call for Proposals (CFP)

Our CFP for talks and tutorials is now open! The deadline for submissions is April 10, 2017. We’re looking for speakers of all experience levels and backgrounds. Talk and tutorial presenters also receive free admission to DjangoCon US.

Financial Aid Application

Grants to assist with your travel and lodging expenses are available as well. Our Financial Aid application is also now open. The deadline is April 10, 2017.

Seeking Speaker Mentors

Preparing and giving a talk at a conference is no small task, and it can be even more intimidating to first-time presenters. We're looking for encouraging people with talk or tutorial experience to volunteer to be mentors for this year's DjangoCon US 2017 speakers. Mentors provide encouragement and advice to participating presenters on an informal basis.

A good mentor should:

  • have previous speaking experience
  • ...or have previous experience giving tutorials
  • be familiar with how to propose a talk or tutorial
  • be able to help construct an effective, engaging talk
  • encourage first-time speakers, non-native English speakers, or anyone needing a little boost
  • be able to provide critique, advice, or refinements on a presentation

This is a strictly volunteer position with a small time commitment. It's so rewarding to help someone else kick off their speaking career!

If you'd like to help out as a mentor, please contact us and include a quick description of yourself, your speaking experience, and why you'd like to help.

From The Django weblog on Jan. 25, 2017, 6:45 p.m.

Call for Volunteers - Code of Conduct Committee

Happy New Year to the Django Community! As we begin 2017, many of us are reflecting on how to maintain safe, inclusive spaces within our communities. One meaningful way to do that is to serve on the Django Code of Conduct committee. In 2013, with input from the community, Django Core members and the DSF board developed a code of conduct, the purpose of which was explained by Alex Gaynor and Jacob Kaplan-Moss:

“Why do we need a code of conduct? To best keep with some of our core values: documentation and 'explicit is better than implicit.' We want to maintain a vibrant, diverse, and technically excellent community, and we believe that a part of that is writing down the standards of behavior we hold ourselves to.”

As of May 2016, Committee members serve a six month fixed term. You will serve in a rotation of being “on-call” (via email) for a week at a time in order to respond to reports from the community. This is a great service to the Django community, particularly to those who are most at risk, and it is made more manageable when shared.

If you are interested in volunteering to serve a six-month term, please review the online documentation and procedures regarding the CofC Committee, then email conduct@djangoproject.com. Thank you for reading, and all the best in 2017!

From The Django weblog on Jan. 18, 2017, 1:16 a.m.

Django 1.11 alpha 1 released

Django 1.11 alpha 1 is now available. It represents the first stage in the 1.11 release cycle and is an opportunity for you to try out the changes coming in Django 1.11.

Django 1.11 has a medley of new features which you can read about in the in-development 1.11 release notes.

This alpha milestone marks a complete feature freeze. The current release schedule calls for a beta release in about a month and a release candidate about a month from then. We'll only be able to keep this schedule if we get early and often testing from the community. Updates on the release schedule are available on the django-developers mailing list.

As with all alpha and beta packages, this is not for production use. But if you'd like to take some of the new features for a spin, or to help find and fix bugs (which should be reported to the issue tracker), you can grab a copy of the alpha package from our downloads page or on PyPI.

The PGP key ID used for this release is Tim Graham: 1E8ABDC773EDE252.

From The Django weblog on Jan. 7, 2017, 6:49 p.m.

2017 DSF Board Election Results

We're happy to announce the winners of the DSF Board elections for 2017.

Frank Wiles, Daniele Procida, and James Bennett were re-elected for another term. Our new Board members are Kenneth Love, Ken W. Alger, and Rebecca Conley.

Rebecca, as you may be aware, served as Board Secretary during 2016 to fill a vacancy but will be returning again this year.

We wish to thank Christophe Pettus and Karen Tracey who did not run again this year for their service and the wisdom they brought to us.

The Board will be having our first meeting in the coming days to ratify the slate of officers at which time we'll update the website accordingly.

We look forward to another great year of helping further Django and the Django Community.

From The Django weblog on Jan. 4, 2017, 7:42 p.m.

Django bugfix release: 1.10.5

Today we've issued the 1.10.5 bugfix release. Happy New Year!

The release package and checksums are available from our downloads page, as well as from the Python Package Index. The PGP key ID used for this release is Tim Graham: 1E8ABDC773EDE252.

From The Django weblog on Dec. 28, 2016, 8:02 p.m.

Django Fellowship Program: 2016 retrospective

2016 concludes my second year working full-time to support the development of Django. Here are some highlights from my weekly summaries published on the django-developers mailing list.

On the infrastructure front, I keep Django's continuous integration servers running smoothly, including the pull request checks that help keep code quality high and allow reviewers to focus on less trivial concerns. I also upgraded the djangoproject.com website to Django 1.10 and contributed several patches to third-party dependencies. I moved two under-maintained community sites, Django People and Django Snippets, to the djangoproject GitHub organization and upgraded them to supported versions of Django.

In Django's ticket tracker, I triage around 10-15 new tickets each week. A working knowledge of the 1000+ accepted tickets allows me to quickly identify duplicate and related issues and steer contributors in the right direction.

I coordinate security releases by preparing patches and backporting them to all supported versions of Django. In 2016, seven security issues were promptly fixed over five releases.

Django 1.10 marked the third consecutive on-time major release. As the release manager, I send regular email updates on the status of release blockers to django-developers, and I fix blockers when no one else has time or interest.

The Django 1.11 alpha is scheduled for mid-January with the final release scheduled for April 1. Following the 1.11 alpha release, the master development branch will target Django 2.0 and drop support for Python 2.7. I'm excited to see the simplifications and improvements we'll be able to make as a result.

Over the Python 3.6 prerelease period, I ensured compatibility with the Django master branch, including contributing several fixes and improvements for Python.

I co-mentored a Google Summer of Code project by Akshesh Doshi to add support for class-based indexes. This work is included in Django 1.11. I also made the final push to finish the template-based widget rendering patch that Preston Timmons started several years ago, and this is also included in 1.11.

While working toward the 1.11 feature release, we've had monthly bug fix releases for the 1.10 branch that have fixed over 40 regressions or bugs in new features.

On the code review front, I review an average of fifteen non-trivial patches a week from community members. Providing timely code reviews helps prevent would-be contributors from abandoning us.

I hope that gives you a good taste of what I've been doing. As always, please encourage your employer to become a corporate member of the Django Software Foundation and consider a gift to the Django Software Foundation to allow the fellowship to continue. I'm grateful for this opportunity and for the community's support. Thank you!

From The Django weblog on Dec. 22, 2016, 4:29 p.m.

DSF announces winner of the 2016 Malcolm Tredinnick Memorial Prize

The Django Software Foundation (DSF) is proud to announce the winner of the 2016 Malcolm Tredinnick Memorial Prize: Aisha Bello!

Aisha (@AishaXBello) joined the Django community when she attended a Django Girls workshop during EuroPython in 2015. From that point on, Aisha's trajectory in the Django world was unstoppable.

She is not only a talented developer but her desire to keep learning and sharing her knowledge with others is simply inspiring.

She organized or helped organize a huge number of Django Girls workshops in her home country of Nigeria. Thanks to her, Nigeria is on its way to be the world-record holder of most Django Girls events organized.

She's coached at other Django Girls events, introducing even more people to our community.

She's spoken at several conferences (including PyCon Namibia and DjangoCon US) sharing her unique knowledge and insight with the rest of us.

You can read more about her and her history at Your Django Story: Meet Aisha Bello.

She embodies the values of the Malcolm Tredinnick prize and we can't wait to see what she will achieve in the future.

Congratulations Aisha!

From The Django weblog on Dec. 4, 2016, 10:03 p.m.

Presenting DjangoCon Europe 2017

2017’s DjangoCon Europe takes place against the gorgeous backdrop of Florence in the springtime. Once again the event will be organised by a local committee of volunteers on behalf of the global Django community.

The event will be held in the historic Odeon Cinema in the centre of the city. It’s an architectural gem, an Art Deco interior in a Renaissance palace.

Key points

Ticket sales are now open. Early-bird rates are available until the 17th January.

The call for proposals is open too, until the 31st December.

Generous financial assistance packages are offered, to help ensure that everyone who will benefit has the opportunity to attend.

The conference can even offer discounted public transport passes (see the tickets page) valid for the duration of the event, to help you get around the city.

The call for proposals

The programme of talks will represent the vibrant diversity of interests and endeavours across the Django community, including some that you had not only never heard of, but would not have imagined. The speaker roster will also feature some of the best-known names in the world of Django. There’ll be talks from those who are leading its development into the future, and about its deepest internals - discussions on the highest technical level.

The organisers invite proposals from all. Whatever your level of technical or speaking experience, you are invited to share what you know or have done with Django with your friends and colleagues in the community.

Both the speaker line-up and the selection of talks will be curated to offer a wide and representative balance, so the platform created by DjangoCon Europe 2017 will have room for everyone.

And just in case five days in Florence are not enough, PyCon Italia immediately follows DjangoCon Europe. You’re invited to submit your talk proposal to PyCon Italia too, in the same process, by ticking a single box on the form.

The ambitions of DjangoCon Europe 2017

The conference

Each successive DjangoCon Europe has advanced new ideas about how a conference should be run and has set new standards for itself. Just measuring up to past editions is challenge enough, but the organisers of 2017’s event have ambitions for it of their own, that also extend beyond this gathering of nearly 400 Djangonauts.

The Italian context

The organisers consider DjangoCon Europe 2017 an opportunity for the whole Italian Django community to use it as a launching pad for future organisation, development and activity, so that it makes a tangible and material difference to the open-source software community and industry in Italy.

The social context

The organisers want the event to harness the energy, know-how and organisation skills in the community, and put them to work in local organisations that work to advance social inclusion, in particular, amongst women from immigrant communities, who are disproportionately marginalised and excluded socially, technologically, economically and educationally.

Responsibility and sustainability

The Django community has always generally been conscious that its technology exists in a social context and not a vacuum.

The overall themes of this DjangoCon Europe are responsibility and sustainability: responsibility to others in our industry and of our industry’s responsibility to the wider world, and the sustainability - economic, personal and social - of the industry itself.

The conference invites its attendees to participate in these discussions, and to consider how our technology’s long-term viability depends on them as much as it does on the technical brilliance of its technologists.

A Django festival of ideas and collaboration

These are ambitions and aspirations. Their vehicle will be the international festival of community that each DjangoCon Europe represents, and reinvests with new energy each year. The organisers give you Florence in the springtime, a magnificent capital of history, culture, beauty and food, and the perfect foundation for building the future with Django.

Don’t miss it.

From The Django weblog on Dec. 1, 2016, 11:53 p.m.

Django bugfix release issued: 1.10.4, 1.9.12, 1.8.17

Today we've issued the 1.10.4, 1.9.12, and 1.8.17 bugfix releases.

The release package and checksums are available from our downloads page, as well as from the Python Package Index. The PGP key ID used for this release is Tim Graham: 1E8ABDC773EDE252.

From The Django weblog on Nov. 21, 2016, 7:11 p.m.

Security advisory: Vulnerability in password reset (master branch only)

Today, Florian Apolloner, a member of the Django security team, discovered and fixed a critical security issue in the new PasswordResetConfirmView that was added to the Django master branch on July 16th, 2016. The view didn't validate the password reset token on POST requests and therefore allowed anyone to reset passwords for any user.

This issue doesn't affect any released versions of Django. Per our security policy, security issues in master, but not present in any released version, are disclosed and fixed in public without pre-notification.

The issue demonstrates the complexity of class-based generic views, and the Django team advises caution when using them for security-sensitive functionality. We'll consider removing the class-based authentication views that are in the master branch, planned for Django 1.11. The discussion for this will take place publicly on the django-developers mailing list.
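The failure mode described in this advisory, as an added example that is not Django's code: a hypothetical miniature class-based view where the token check sits in get() only, beside a variant that checks in dispatch() so every HTTP method passes through it. The token scheme, class names and secret are constructed for illustration.

```python
import hashlib
import hmac

SECRET_KEY = b"constructed-demo-key"  # constructed value, not a real secret


def make_token(username):
    """Toy reset token: an HMAC over the username only (simplified on purpose)."""
    return hmac.new(SECRET_KEY, username.encode(), hashlib.sha256).hexdigest()


def token_is_valid(username, token):
    expected = make_token(username).encode()
    return hmac.compare_digest(expected, (token or "").encode())


class BaseView:
    """Hypothetical stand-in for a class-based view: dispatch() routes by method."""

    def __init__(self, passwords):
        self.passwords = passwords  # dict of username -> password, the "database"

    def dispatch(self, method, **kwargs):
        name = method.lower()
        if name not in ("get", "post"):
            return 405
        return getattr(self, name)(**kwargs)


class ResetConfirmCheckInGet(BaseView):
    """Flawed layout: the token is verified when the form is shown, not on submit."""

    def get(self, username, token):
        return 200 if token_is_valid(username, token) else 403

    def post(self, username, token, new_password):
        # No token check here, so a direct POST reaches the password change.
        self.passwords[username] = new_password
        return 302


class ResetConfirmCheckInDispatch(ResetConfirmCheckInGet):
    """Hardened layout: one check in dispatch() guards GET and POST alike."""

    def dispatch(self, method, **kwargs):
        if not token_is_valid(kwargs.get("username", ""), kwargs.get("token")):
            return 403
        return super().dispatch(method, **kwargs)


def post_with_bad_token(view_cls):
    """Submit a POST with an invalid token; return (status, stored password)."""
    store = {"alice": "old-password"}
    status = view_cls(store).dispatch(
        "POST", username="alice", token="not-a-valid-token", new_password="changed"
    )
    return status, store["alice"]


if __name__ == "__main__":
    for cls in (ResetConfirmCheckInGet, ResetConfirmCheckInDispatch):
        print(cls.__name__, post_with_bad_token(cls))
```

A test suite for any reset view should include the same case: a POST carrying an invalid or missing token must leave the stored password unchanged.
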

From The Django weblog on Nov. 1, 2016, 2:38 p.m.

Django security releases issued: 1.10.3, 1.9.11 and 1.8.16

In accordance with our security release policy, the Django team released Django 1.10.3, Django 1.9.11, and 1.8.16. These releases address two security issues detailed below. We encourage all users of Django to upgrade as soon as possible.

CVE-2016-9013: User with hardcoded password created when running tests on Oracle

When running tests with an Oracle database, Django creates a temporary database user. In older versions, if a password isn't manually specified in the database settings TEST dictionary, a hardcoded password is used. This could allow an attacker with network access to the database server to connect.

This user is usually dropped after the test suite completes, but not when using the manage.py test --keepdb option or if the user has an active session (such as an attacker's connection).

A randomly generated password is now used for each test run.

Thanks Marti Raudsepp for reporting the issue.

CVE-2016-9014: DNS rebinding vulnerability when DEBUG=True

Older versions of Django don't validate the Host header against settings.ALLOWED_HOSTS when settings.DEBUG=True. This makes them vulnerable to a DNS rebinding attack.

While Django doesn't ship a module that allows remote code execution, this is at least a cross-site scripting vector, which could be quite serious if developers load a copy of the production database in development or connect to some production services for which there's no development instance, for example. If a project uses a package like the django-debug-toolbar, then the attacker could execute arbitrary SQL, which could be especially bad if the developers connect to the database with a superuser account.

settings.ALLOWED_HOSTS is now validated regardless of DEBUG. For convenience, if ALLOWED_HOSTS is empty and DEBUG=True, the following variations of localhost are allowed ['localhost', '127.0.0.1', '::1']. If your local settings file has your production ALLOWED_HOSTS value, you must now omit it to get those fallback values.

Thanks Aymeric Augustin for reporting the issue.
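The Host header rule described for CVE-2016-9014, as an added example that models the behaviour in plain Python rather than reproducing Django's implementation. The function names and the validate_in_debug switch are hypothetical, the fallback list is the one quoted above, and the host names are constructed.

```python
DEBUG_FALLBACK_HOSTS = ["localhost", "127.0.0.1", "::1"]  # list quoted in the advisory


def split_host(header):
    """Return the lower-cased host part of a Host header value, or None if malformed."""
    value = header.strip().lower()
    if value.startswith("["):  # bracketed IPv6 literal such as [::1]:8000
        end = value.find("]")
        if end == -1:
            return None
        port = value[end + 1:]
        if port and not (port[0] == ":" and port[1:].isdigit()):
            return None
        return value[1:end] or None
    if value.count(":") > 1:  # unbracketed IPv6 is not valid in a Host header
        return None
    name, sep, port = value.partition(":")
    if sep and not port.isdigit():
        return None
    if name.endswith("."):  # tolerate a fully qualified trailing dot
        name = name[:-1]
    return name or None


def pattern_matches(host, pattern):
    """Exact match, "*" for any host, or a leading "." for a domain and its subdomains."""
    pattern = pattern.lower()
    if pattern == "*":
        return True
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def host_is_allowed(header, allowed_hosts, debug, validate_in_debug=True):
    """Model of the check. validate_in_debug=False reproduces the older behaviour,
    where DEBUG=True skipped Host validation entirely."""
    if debug and not validate_in_debug:
        return True
    host = split_host(header)
    if host is None:
        return False
    patterns = list(allowed_hosts)
    if debug and not patterns:
        # The convenience fallback applies only when ALLOWED_HOSTS is empty.
        patterns = DEBUG_FALLBACK_HOSTS
    return any(pattern_matches(host, p) for p in patterns)


if __name__ == "__main__":
    # Constructed Host header values a development server might receive.
    for header in ("localhost:8000", "[::1]:8000", "rebind.attacker.example:8000"):
        old = host_is_allowed(header, [], debug=True, validate_in_debug=False)
        new = host_is_allowed(header, [], debug=True)
        print(f"{header:32} old={old} new={new}")
    # A production ALLOWED_HOSTS value left in local settings disables the fallback.
    print(host_is_allowed("localhost:8000", ["www.example.com"], debug=True))
```
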

Security Advisory: Social media fingerprinting

Along with the above security issues, we want to inform you about a "social media fingerprinting" information leakage technique that was recently disclosed.

If you enable redirect_authenticated_user on the login views, other websites will be able to determine if their visitors are authenticated on your site by requesting redirect URLs to image files on your website. To avoid this, host all images and your favicon on a separate domain that is not part of the ALLOWED_HOSTS.

Affected supported versions

  • Django master development branch
  • Django 1.10
  • Django 1.9
  • Django 1.8

Per our supported versions policy, Django 1.7 and older are no longer receiving security updates.

Resolution

Patches to resolve the issues have been applied to Django's master development branch and the 1.10, 1.9, and 1.8 release branches. The patches may be obtained from the following commits:

The following new releases have been issued:

The PGP key ID used for these releases is Tim Graham: 1E8ABDC773EDE252.

General notes regarding security reporting

As always, we ask that potential security issues be reported via private email to security@djangoproject.com, and not via Django's Trac instance or the django-developers list. Please see our security policies for further information.

From The Django weblog on Oct. 13, 2016, 10 p.m.

Result of JetBrains/PyCharm Promotion

I'm happy to report that the JetBrains/PyCharm promotion we ran in June and July was a rousing success! The final numbers are in and this raised a total of $50,000.00 USD for the Django Software Foundation!

JetBrains has been a great partner with us on this and on behalf of the community, I would like to extend our deepest thanks for their generous help in raising this money. Together we hope to make this a yearly event!

These monies will be used in general to support the DSF, the Django Fellow, and a portion will be used to fund the support for type hints in a future release of Django. This goes a long way to helping the DSF fulfill its mission, but we have not quite reached our stretch goals for the year. Please consider helping to fund Django today.

From The Django weblog on Oct. 1, 2016, 9:06 p.m.

Django bugfix release issued: 1.10.2

Today we've issued the 1.10.2 bugfix release.

The release package and checksums are available from our downloads page, as well as from the Python Package Index. The PGP key ID used for this release is Tim Graham: 1E8ABDC773EDE252.

From The Django weblog on Sept. 26, 2016, 7:41 p.m.

Django security releases issued: 1.9.10 and 1.8.15

In accordance with our security release policy, the Django team is issuing Django 1.9.10 and 1.8.15. These releases address a security issue detailed below. We encourage all users of Django to upgrade as soon as possible.

CVE-2016-7401: CSRF protection bypass on a site with Google Analytics

An interaction between Google Analytics and Django's cookie parsing could allow an attacker to set arbitrary cookies leading to a bypass of CSRF protection.

Thanks Sergey Bobrov for reporting the issue.

Affected supported versions

  • Django 1.9
  • Django 1.8

Django 1.10 and the master development branch are not affected.

Per our supported versions policy, Django 1.7 and older are no longer receiving security updates.

Resolution

Patches to resolve the issue have been applied to Django's 1.9 and 1.8 release branches. The patches may be obtained from the following changesets:

The following new releases have been issued:

The PGP key ID used for these releases is Tim Graham: 1E8ABDC773EDE252.

General notes regarding security reporting

As always, we ask that potential security issues be reported via private email to security@djangoproject.com, and not via Django's Trac instance or the django-developers list. Please see our security policies for further information.

From The Django weblog on Sept. 9, 2016, 3:40 p.m.

Channels adopted as an official Django project

The Django team is pleased to announce that the Channels project is now officially part of the Django project, under our new Official Projects program. Channels is the effort to bring WebSockets, long-poll HTTP, and other non-request-response protocol and business logic handling to Django, as part of our ongoing effort to establish what makes a useful web framework in 2016.

Official projects, like Channels, do not merge into the core django repository but instead remain as separate repositories and packages, living under the Django organization on GitHub. They have their own release schedule and backwards compatibility policies, but fall under the main Django security policy and oversight, and are guaranteed to work with the currently supported versions of Django.

While the Channels project was initially targeted to be included in Django 1.10, it didn't make it for a variety of reasons. We decided that the best move would be to bring it under the Django umbrella, but keep it separate from the core repository, and so DEP 7 and the Official Projects track were born to enable this. DEP 7 describes what it means to maintain a Django package, so we can make sure they stay updated, have security issues patched, and work with current Django releases.

Whether Channels continues as a separate package or is merged into the core repository in the future isn't yet decided, but you can expect to see a 1.0 release very soon, and with that, a stable platform to build applications against, though we'll be keeping backwards compatibility (or, if needed, implementing clear deprecation warnings) for code written against existing Channels releases.

The five packages now under the Django project are:

  • Channels, the Django integration layer
  • Daphne, the HTTP and Websocket termination server
  • asgiref, the base ASGI library/memory backend
  • asgi_redis, the Redis channel backend
  • asgi_ipc, the POSIX IPC channel backend

There's still plenty of work to be done, both on the Channels side, to fix bugs, implement features, and improve our documentation, and on the Django side, to help weave mentions of Channels into the main documentation and make sure people are aware of their options. If you're interested in contributing at all, please read the Channels contribution documentation.

If you're interested in learning more about Channels and what it can do, take a read of the documentation, or have a look through some well-commented example projects.

From The Django weblog on Sept. 2, 2016, 12:19 a.m.

Django bugfix release issued: 1.10.1

Today we've issued the 1.10.1 bugfix release.

The release package and checksums are available from our downloads page, as well as from the Python Package Index. The PGP key ID used for this release is Tim Graham: 1E8ABDC773EDE252.

From The Django weblog on Aug. 17, 2016, 3:34 p.m.

Welcome to the new members of the Django Software Foundation

Please welcome our new members. Some were nominated in recognition of their contributions to Django's code, some for their service on Django committees and work in other community organisations, and some in recognition of their contributions to the development of the international Django community.

All were seconded by the existing members of the DSF, and their election approved by the DSF Board.

Nominated 10th June

  • Sergey Fedoseev (Russia)
  • Berker Peksag (Turkey)
  • Alasdair Nicol (UK)
  • Jon Dufresne (Canada)
  • Marten Kenbeek (Netherlands)
  • Daniel Wiesmann (Portugal)
  • Alex Hill (Australia)
  • Michal Petrucha (Slovakia)

All are active technical contributors to Django's code base, with over 300 commits between them, not to mention the help they have offered to others on our support channels.

Jon Dufresne is also the newest member of the Django core development team.

Nominated 19th July

  • Paul Hallett (UK)
  • Lucie Daeye (France)

Both have made substantial contributions to the Django community, through their work on Django Girls and by taking on roles in Django community organisation. Lucie works for the Django Girls Foundation and Paul serves on the Django Project Code of Conduct committee. Both have worked hard to make the Django community ever more inclusive and good to be part of.

Nominated 1st August

  • Helen Sherwood-Taylor (UK)
  • Aisha Bello (Nigeria)
  • Anna Makarudze (Zimbabwe)
  • Humphrey Butau (Zimbabwe)
  • Jessica Upani (Namibia)
  • Loek van Gent (Netherlands)

All have been active in the Django community around the world, and were an important part of the success of PyCon Namibia this year. They're all continuing to work on the community's development, and are involved in efforts to bring new community conferences to fruition in Africa (in Zimbabwe and Nigeria just to name two).

Expanding our membership

The new members represent a substantial increase in the membership, of about 16%.

They also represent the way the Django Software Foundation is starting to recognise a more diverse community of people who can contribute in many different ways, and a genuinely global membership, including five more African members.

Thanks to those who nominated these new Django Software Foundation members, and thanks to our new members too, for their past, present and future contributions.

From The Django weblog on Aug. 1, 2016, 7:52 p.m.

Django 1.10 released

The Django team is happy to announce the release of Django 1.10.

As always, the release notes cover the panoply of new features in detail, but a few highlights are:

You can get Django 1.10 from our downloads page or from the Python Package Index. The PGP key ID used for this release is Tim Graham: 1E8ABDC773EDE252.

Django 1.10 will receive fixes for security issues, data loss bugs, crashing bugs, major functionality bugs in newly-introduced features, and regressions from older versions of Django for eight months until April 2017. Fixes for security issues and data loss bugs will be provided for another eight months until December 2017.

With the release of Django 1.10, Django 1.9 has reached the end of mainstream support. The final minor bugfix release (1.9.9) was issued today. Django 1.9 will receive security and data loss fixes for another eight months until April 2017. See the downloads page for a table of supported versions and the future release schedule.

From The Django weblog on July 25, 2016, 3:35 p.m.

Registration for Django: Under the Hood 2016 is now open!

Django: Under the Hood is back for its third edition!

DUTH is an annual Django conference that takes place in Amsterdam, the Netherlands. On 3rd - 6th November this year, we're going to see 9 deep dive talks into topics of Django channels, testing, Open Source funding, JavaScript, Django forms validation, debugging and many more.

Django: Under the Hood also gives the opportunity to bring many Django core developers to work together and shape the future of Django with a group of 300 passionate Django developers attending the conference.

This year, the registration process for the conference became a lottery to avoid a mad rush and tickets selling out in minutes.

Registration

You can register now, and the lottery is only open until 26th of July at noon Amsterdam time.

If you want to make sure that tickets for your team are reserved and set aside, Django: Under the Hood still has a few sponsorship opportunities open. Please get in touch on hello@djangounderthehood.com.

From The Django weblog on July 19, 2016, 3 p.m.

DSF Code of Conduct committee releases transparent documentation

Almost exactly three years ago the Django community adopted a Code of Conduct; we were one of the first communities in the tech industry to do so. Since then, we have come a long way and learned about how to effectively enforce the Code of Conduct.

Today we're proud to open source the documentation that describes how the Django Code of Conduct committee enforces our Code of Conduct. This documentation covers the structure of Code of Conduct committee membership, the process of handling Code of Conduct violations, our decision making process, record keeping, and transparency.

In addition, we're also publishing summarized statistics about Code of Conduct issues handled by the committee thus far. We're hoping this is just the beginning of making our work more transparent to the wider community.

We believe this documentation will help keep ourselves accountable to the Django community, as well as offer an insight into how decisions are made and issues are dealt with. We also hope that sharing our experiences is going to help other communities to not only adopt, but also implement and enforce the Code of Conduct.

The DSF Code of Conduct committee looks forward to your feedback and contributions!