Django14 Retirement From EPEL 6
Running Pulp on EL6 depends on the Django14 package provided by the Extra Packages for Enterprise Linux (EPEL) 6. It was recently decided that this package will be retired no earlier than Jan 1, 2017 and no later than March 31, 2017.
This was decided at an EPEL steering committee meeting on Nov 9. It did not make the official minutes but it is in the full log.
Please give feedback via pulp-list in this thread.
Impact on Pulp EL6 Users
Once Django14 is removed from EPEL6, Pulp EL6 packages will no longer install without the Django14 package being manually installed first. This will mostly affect new installations since existing EL6 installations already have the Django14 package from before it was retired. Users can receive the retired Django14 bits directly from the Koji build.
At some point, upstream Pulp will stop being built for EL6. This will be discussed on pulp-list to identify a coordinated timeline with the Pulp user community. When this occurs, running Pulp on EL6 will be unsupported.
Pulp will continue to support managing packages for EL6, but the Pulp Server cannot itself be run on EL6.
Why is it being retired?
It’s being retired due to support and security concerns:
- Upstream Django is no longer maintaining Django 1.4.z. When an upstream community stops supporting an EPEL package, the responsibility falls to the EPEL maintainer to decide if they want to support it. The Django14 package maintainer recommends retiring the package due to security concerns.
- There are several CVEs against Django 1.4 that are unfixed. Additionally, since it’s no longer supported there are likely additional CVEs that are applicable but not being tracked.
Preparation
Proactively upgrading your Pulp server OS to EL7 is the recommendation.