Bug 2134524

Summary: python3-django3 on epel8 requires newer python-asgiref
Product: [Fedora] Fedora EPEL Reporter: Greg Bailey <gbailey>
Component: python-django3Assignee: Michel Lind <michel>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: unspecified    
Version: epel8CC: carl, davide, epel-packagers-sig, michel, ngompa13, python-packagers-sig
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: python-django3-3.2.15-3.el8 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-10-20 16:12:43 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Greg Bailey 2022-10-13 14:33:10 UTC 
Description of problem:

On CentOS Stream 8, I'm unable to install the latest python3-django3 RPM build (python3-django3-3.2.15-2.el8.noarch.rpm) because it requires a newer python-asgiref than is currently available in EPEL.

Steps to Reproduce:

Attempt to install django3-python3:

# yum install python3-django3

Actual results:

# yum install python3-django3
Last metadata expiration check: 0:15:22 ago on Thu 13 Oct 2022 07:12:51 AM MST.
Error: 
 Problem: conflicting requests
  - nothing provides python3.6dist(asgiref) >= 3.3.2 needed by python3-django3-3.2.15-2.el8.noarch
(try to add '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages)

Expected results:

python3-django3 and required dependencies are successfully installed.

Additional info:

Version bump in python-django3 made recently (python-django3):
* Fri Oct 07 2022 Michel Alexandre Salim <salimma> 3.2.15-1
- Update to 3.2.15

It's not clear if this should be a bug against python-django3 or python-asgiref?
Comment 1 Carl George 🤠 2022-10-18 04:16:53 UTC 
It looks like python-django3-3.2.15-2.el8 was published [0] without checking that it actually installs.  I think there are three possible solutions.

1. Downgrade python-django3 with an epoch to a version that is compatible with python-asgiref-3.2.10-1.el8.  This would probably make python-django3 vulnerable to CVE-2022-34265 again, unless a backport fix can be sorted out.

2. Validate that django 3.2.15 actually does work with asgiref 3.2.10, and patch python-django3 to allow them to be installed together.  I checked the commit that sets that minimum version [1], and it doesn't mention a specific reason.  The validation is key here, but if those versions work together this would probably be the least disruptive option.

3. Update python-asgiref from 3.2.10 to at least version 3.3.2 to satisfy the dependency.  According to the upstream changelog [2], 3.3.0 introduces a change to the default for thread-sensitive mode [3].  I believe this change may be why they incremented to 3.3.0 instead of continuing with 3.2.11.  This makes me nervous if such an update would be in line with the EPEL updates policy [4], as it may be a disruptive change for users.

Since python3-django3 is the package that doesn't install, I think this bug should be moved to that component.  The python-djagno3 maintainer has access to python-asgiref via the python-packagers-sig if he decides that option 3 is the best course of action.


[0] https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-0793e00396
[1] https://github.com/django/django/commit/011b92ce9893f32bc06ca0857b426a2dc54edfea
[2] https://github.com/django/asgiref/blob/3.3.2/CHANGELOG.txt
[3] https://github.com/django/asgiref/commit/7becc9daca2628c46af1cb7e46b4c47c1ea27adf
[4] https://docs.fedoraproject.org/en-US/epel/epel-policy-updates/
Comment 2 Michel Lind 2022-10-19 01:12:02 UTC 
Apologies, this is indeed an oversight during testing (the package was tested in Fedora). Let me see what's the best course of action here.
Comment 3 Fedora Update System 2022-10-19 02:23:30 UTC 
FEDORA-EPEL-2022-2ffbbfa61c has been submitted as an update to Fedora EPEL 8. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-2ffbbfa61c
Comment 4 Fedora Update System 2022-10-19 09:28:02 UTC 
FEDORA-EPEL-2022-2ffbbfa61c has been pushed to the Fedora EPEL 8 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-2ffbbfa61c

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 5 Fedora Update System 2022-10-20 16:12:43 UTC 
FEDORA-EPEL-2022-2ffbbfa61c has been pushed to the Fedora EPEL 8 stable repository.
If problem still persists, please make note of it in this bug report.