Description of problem:
On CentOS Stream 8, I'm unable to install the latest python3-django3 RPM build (python3-django3-3.2.15-2.el8.noarch.rpm) because it requires a newer python-asgiref than is currently available in EPEL.

Steps to Reproduce:
Attempt to install python3-django3:
# yum install python3-django3

Actual results:
# yum install python3-django3
Last metadata expiration check: 0:15:22 ago on Thu 13 Oct 2022 07:12:51 AM MST.
Error:
 Problem: conflicting requests
  - nothing provides python3.6dist(asgiref) >= 3.3.2 needed by python3-django3-3.2.15-2.el8.noarch
(try to add '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages)

Expected results:
python3-django3 and required dependencies are successfully installed.

Additional info:
Version bump in python-django3 made recently (python-django3):
* Fri Oct 07 2022 Michel Alexandre Salim <salimma> 3.2.15-1
- Update to 3.2.15

It's not clear if this should be a bug against python-django3 or python-asgiref?
It looks like python-django3-3.2.15-2.el8 was published [0] without checking that it actually installs. I think there are three possible solutions.

1. Downgrade python-django3 with an epoch to a version that is compatible with python-asgiref-3.2.10-1.el8. This would probably make python-django3 vulnerable to CVE-2022-34265 again, unless a backport fix can be sorted out.

2. Validate that django 3.2.15 actually does work with asgiref 3.2.10, and patch python-django3 to allow them to be installed together. I checked the commit that sets that minimum version [1], and it doesn't mention a specific reason. The validation is key here, but if those versions work together this would probably be the least disruptive option.

3. Update python-asgiref from 3.2.10 to at least version 3.3.2 to satisfy the dependency. According to the upstream changelog [2], 3.3.0 introduces a change to the default for thread-sensitive mode [3]. I believe this change may be why they incremented to 3.3.0 instead of continuing with 3.2.11. This makes me nervous if such an update would be in line with the EPEL updates policy [4], as it may be a disruptive change for users.

Since python3-django3 is the package that doesn't install, I think this bug should be moved to that component. The python-django3 maintainer has access to python-asgiref via the python-packagers-sig if he decides that option 3 is the best course of action.

[0] https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-0793e00396
[1] https://github.com/django/django/commit/011b92ce9893f32bc06ca0857b426a2dc54edfea
[2] https://github.com/django/asgiref/blob/3.3.2/CHANGELOG.txt
[3] https://github.com/django/asgiref/commit/7becc9daca2628c46af1cb7e46b4c47c1ea27adf
[4] https://docs.fedoraproject.org/en-US/epel/epel-policy-updates/
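All three options above turn on how dnf orders package versions: a versioned Requires such as `python3.6dist(asgiref) >= 3.3.2` is met only when the EVR (epoch:version-release) of a package in the enabled repositories compares greater than or equal to it, and an epoch bump (option 1) makes an older version win that comparison outright. The following is an added example, not code from the bug report or from the python-django3 or asgiref packages: a small Python re-implementation of rpm's version ordering, with the requirement quoted in the report checked against the asgiref that EPEL 8 shipped, against a hypothetical 3.2.11 bugfix release, against 3.3.2, and against an epoch-bumped downgrade. The Requires list and the provides table are constructed from the versions quoted in this thread; the `python(abi) = 3.6` line and the `1:3.2.14` downgrade target are assumptions for illustration.

```python
# Added example (not from the bug report, python-django3 or asgiref): a
# re-implementation of rpm's version ordering, used to show which of the
# candidate asgiref builds would let python3-django3-3.2.15 install.
import re

# rpmvercmp() segments: tilde, caret, a run of digits, or a run of letters.
# Anything else (".", "-", "_" ...) is a separator and carries no weight.
_SEGMENT = re.compile(r"~|\^|[0-9]+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release strings the way rpm does (-1, 0, 1).

    Digit runs compare numerically, letter runs lexically, a digit run beats
    a letter run in the same position, more segments beats fewer, '~' sorts
    before everything (3.3.2~rc1 < 3.3.2) and '^' sorts after the bare
    version but before any other suffix (3.3.2 < 3.3.2^post1 < 3.3.2.1).
    """
    if a == b:
        return 0
    ta, tb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for i in range(max(len(ta), len(tb))):
        x = ta[i] if i < len(ta) else ""
        y = tb[i] if i < len(tb) else ""
        if "~" in (x, y):
            if x != "~":
                return 1
            if y != "~":
                return -1
            continue
        if "^" in (x, y):
            if not x:
                return -1
            if not y:
                return 1
            if x != "^":
                return 1
            if y != "^":
                return -1
            continue
        if not x:
            return -1
        if not y:
            return 1
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num != y_num:
            return 1 if x_num else -1
        if x_num:
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
    return 0


def parse_evr(evr: str):
    """Split 'epoch:version-release'; missing epoch is 0, missing release None."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    version, sep, release = evr.partition("-")
    return epoch, version, (release if sep else None)


def evrcmp(a: str, b: str) -> int:
    """Order two EVRs: epoch first, then version, then release.

    The release is consulted only when both sides carry one, which is how a
    versioned Requires (usually without a release) matches a real package.
    """
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    rc = rpmvercmp(va, vb)
    if rc or ra is None or rb is None:
        return rc
    return rpmvercmp(ra, rb)


# Name may not contain whitespace or operator characters, so "foo>=1.0"
# still splits as ("foo", ">=", "1.0").
_REQUIRE = re.compile(r"^(?P<name>[^\s<>=]+)\s*(?P<op>>=|<=|=|>|<)\s*(?P<evr>\S+)$")
_OPS = {">=": lambda rc: rc >= 0, "<=": lambda rc: rc <= 0, "=": lambda rc: rc == 0,
        ">": lambda rc: rc > 0, "<": lambda rc: rc < 0}


def satisfies(requirement: str, provides: dict) -> bool:
    """True if the (name -> EVR) table in `provides` meets `requirement`."""
    m = _REQUIRE.match(requirement.strip())
    if m is None:  # bare requirement: only the name has to exist
        return requirement.strip() in provides
    name, op, wanted = m.group("name", "op", "evr")
    if name not in provides:
        return False
    return _OPS[op](evrcmp(provides[name], wanted))


def unmet(requires: list, provides: dict) -> list:
    """Return the requirements that `provides` cannot satisfy."""
    return [r for r in requires if not satisfies(r, provides)]


# Constructed input: the asgiref line is the Requires quoted in the report;
# the python(abi) line is an assumption.  EPEL8_PROVIDES is what EPEL 8
# shipped at the time according to the thread.
DJANGO_3_2_15_REQUIRES = ["python(abi) = 3.6", "python3.6dist(asgiref) >= 3.3.2"]
EPEL8_PROVIDES = {"python(abi)": "3.6", "python3.6dist(asgiref)": "3.2.10-1.el8"}

if __name__ == "__main__":
    print("unmet with asgiref 3.2.10:", unmet(DJANGO_3_2_15_REQUIRES, EPEL8_PROVIDES))
    fixed = dict(EPEL8_PROVIDES, **{"python3.6dist(asgiref)": "3.3.2-1.el8"})
    print("unmet with asgiref 3.3.2: ", unmet(DJANGO_3_2_15_REQUIRES, fixed))
    print("1:3.2.14 beats 3.2.15?    ", evrcmp("1:3.2.14-1.el8", "3.2.15-2.el8") > 0)
```

The rpmvercmp port is what makes the thread's details concrete: a hypothetical asgiref 3.2.11 still compares below 3.3.2, a 3.3.2~rc1 pre-release also fails the `>=`, and option 1's epoch bump works only because the epoch is compared before the version, which is also why an epoch can never be removed later without re-breaking upgrades. The real pre-publication check is simpler than any of this: on a clean CentOS Stream 8 system with the candidate update enabled, `dnf --enablerepo=epel-testing --assumeno install python3-django3` resolves the transaction without applying it and fails with the same "nothing provides" error shown in the report.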
Apologies, this is indeed an oversight during testing (the package was tested in Fedora). Let me see what's the best course of action here.
FEDORA-EPEL-2022-2ffbbfa61c has been submitted as an update to Fedora EPEL 8. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-2ffbbfa61c
FEDORA-EPEL-2022-2ffbbfa61c has been pushed to the Fedora EPEL 8 testing repository. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-2ffbbfa61c See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-EPEL-2022-2ffbbfa61c has been pushed to the Fedora EPEL 8 stable repository. If problem still persists, please make note of it in this bug report.