Weblog

Latest entries

Django 1.0 released!

No, you’re not hallucinating, it’s really here.

Around three years ago, Adrian, Simon, Wilson and I released some code to the world. Our plan was to hack quietly on it for a bit, release a solid 1.0 release, and then really get the ball rolling.

Well.

What happened, of course, was that an amazing community sprung up literally overnight — our IRC channel had over a hundred people in it the day after release, and it’s never been that “empty” since.

I really can’t stress enough how amazing our community of users and developers are. About half of the code that’s gone into Django over the past three years has been contributed by someone other than a core committer. Since our last stable release, we’ve made over 4,000 code commits, fixed more than 2,000 bugs, and edited, added, or removed around 350,000 lines of code. We’ve also added 40,000 lines of new documentation, and greatly improved what was already there.

Django 1.0 represents the largest milestone in Django’s development to date: a web framework that a group of perfectionists can truly be proud of. Without this amazing community, though, it would have never happened.

You can download Django 1.0 on the Django downloads page, and read the complete release notes.

For distributors and for verification purposes, a file containing the MD5 and SHA1 checksums of the 1.0 package has been placed on the djangoproject.com server. This file is PGP-signed with the Django release manager’s public key. This key has the ID 0x8C8B2AE1 and can be obtained from, e.g., the MIT PGP keyserver.

Posted by Jacob Kaplan-Moss on September 3, 2008

Django 1.0 release candidate now available

In accordance with the (updated) Django 1.0 release roadmap, today we've released the first release candidate for Django 1.0.

To grab a copy of the release candidate, head over to the Django downloads page, and be sure to read the release notes. Please keep in mind, though, that this release is not meant for production use, and is intended primarily for developers who are interested in checking out the new features in 1.0 and helping to identify and resolve bugs prior to the final release. The 1.0 alpha and beta releases and release candidates will not receive long-term support and will not be updated with security fixes, since their main purpose is to serve as a stepping-stone on the path to the final Django 1.0, due to be released as soon as possible.

For distributors and for verification purposes, a file containing the MD5 and SHA1 checksums of the release candidate package has been placed on the djangoproject.com server. This file is PGP-signed with the Django release manager's public key. This key has the ID 0x8C8B2AE1 and can be obtained from, e.g., the MIT PGP keyserver.

Posted by James Bennett on September 2, 2008

Security fix released

In accordance with our security policy, today the Django project is issuing a set of releases to fix a security vulnerability reported to us. This message contains a description of the vulnerability, a description of the changes made to fix it, and pointers to the patches for each supported version of Django.

Description of vulnerability

The Django administration application, as a convenience for users whose sessions expire, will attempt to preserve HTTP POST data from an incoming submission while re-authenticating the user, and will -- on successful authentication -- allow the submission to continue without requiring data to be re-entered.

Django developer Simon Willison has presented the Django development team with a proof-of-concept cross-site request forgery (CSRF) which exploits this behavior to perform unrequested deletion/modification of data. This exploit has been tested and verified by the Django team, and succeeds regardless of whether Django's bundled CSRF-protection module is active.

Affected versions

  • Django development trunk
  • Django 0.96
  • Django 0.95
  • Django 0.91

Resolution

As it represents a persistent vector for CSRF attacks, this behavior is being removed from Django; henceforth, attempted posts from users whose sessions have expired will be discarded and the data will need to be re-entered.

This is, then, backwards-incompatible with existing behavior and may be considered a feature removal; however, the Django team feel that the security risks of this feature outweigh its minor utility.

The fix for this issue was applied to the Django repository in changeset 8877, which contains the relevant changes for each affected version.

Based on these changes, the Django team is issuing three new releases:

The relevant patch has been applied to Django trunk as well, and so will be included in the forthcoming Django 1.0 release candidate (to be issued later today) and the final Django 1.0 release.

All users of affected Django versions are encouraged to upgrade immediately.

A file containing the MD5 and SHA1 checksums of the new release packages has been placed on the djangoproject.com server. This file is PGP-signed with the Django release manager's public key. This key has the ID 0x8C8B2AE1 and can be obtained from, e.g., the MIT PGP keyserver.

Release manager's note

If you are currently maintaining and distributing a packaged version of Django (e.g., for a Linux or other Unix distribution), or if you are a hosting company which officially supports Django as an option for customers, and you did not receive an advance notification of this issue, please contact Django's release manager (James Bennett, james at b-list dot org) as soon as possible so that you can be added to the list of known distributors who receive such notifications.

Posted by James Bennett on September 2, 2008
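
The admin behaviour described in the "Security fix released" entry above, and the effect of removing it, as a simplified Python model. This is an added example, not Django's code and not part of the original post; `AdminModel`, `handle`, `USERS` and the sample data are hypothetical names constructed for illustration.

```python
# Simplified model of the behaviour in the advisory; NOT Django's admin code.
# All names (AdminModel, handle, USERS, ...) are hypothetical.
import hmac

USERS = {"editor": "constructed-password"}  # constructed sample account


class AdminModel:
    def __init__(self, preserve_post):
        self.preserve_post = preserve_post      # True = pre-fix behaviour
        self.objects = {1: "front page", 2: "about page"}  # constructed data
        self.logged_in = False

    def _apply(self, post):
        """Perform the state change a POST asks for."""
        if post.get("action") == "delete":
            self.objects.pop(post["id"], None)

    def _authenticate(self, user, password):
        expected = USERS.get(user)
        ok = expected is not None and hmac.compare_digest(expected, password)
        self.logged_in = ok
        return ok

    def handle(self, post, login=None, carried_post=None):
        """Process one request.

        post         -- POST data of this request (may be empty)
        login        -- (user, password) if this is a login form submission
        carried_post -- data the login form carried over from an earlier,
                        unauthenticated submission
        """
        if login is not None:
            if not self._authenticate(*login):
                return {"status": "login-failed"}
            if self.preserve_post and carried_post:
                # Pre-fix: the earlier submission continues as if the
                # user had just made it.
                self._apply(carried_post)
                return {"status": "applied-after-login"}
            return {"status": "logged-in"}
        if not self.logged_in:
            # Session expired: show the login form.
            carried = dict(post) if self.preserve_post else None
            return {"status": "login-required", "carried_post": carried}
        self._apply(post)
        return {"status": "applied"}


def replay_expired_submission(preserve_post):
    """A POST arrives with no valid session, then the user logs in."""
    admin = AdminModel(preserve_post)
    first = admin.handle({"action": "delete", "id": 1})
    second = admin.handle({}, login=("editor", "constructed-password"),
                          carried_post=first["carried_post"])
    return second["status"], sorted(admin.objects)
```

With `preserve_post=True` the state change happens as a side effect of logging in; with `preserve_post=False` the stale submission is dropped and the data must be re-entered, which is the trade-off the advisory describes.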

Django 1.0 beta 2 released!

In accordance with the (updated) Django 1.0 release roadmap, today we've released the second "beta" testing version of Django 1.0.

To grab a copy of 1.0 beta 2, head over to the Django downloads page, and be sure to read the release notes. Please keep in mind, though, that this release is not meant for production use, and is intended primarily for developers who are interested in checking out the new features in 1.0 and helping to identify and resolve bugs prior to the final release. The 1.0 alpha and beta releases will not receive long-term support and will not be updated with security fixes, since their main purpose is to serve as a stepping-stone on the path to the final Django 1.0, due to be released on September 2, 2008.

As of this release, Django is officially in a feature freeze for 1.0; from here on out, we'll only be working on bugs and stability before the final 1.0 release. If you'd like to help out, please review our documentation for contributors and feel free to join in one of the development sprints scheduled for the run up to 1.0.

Posted by James Bennett on August 27, 2008

Django 1.0 release party

Come help us celebrate the release of Django 1.0!

Next week is going to be huge. We’ll be releasing Django 1.0 early in the week, and then the first DjangoCon kicks off next Friday.

To celebrate the release of Django 1.0, we’ll be holding a dinner party at the Tied House in Mountain View on Saturday, September 6th at 7pm. The date and time are designed to tie in with DjangoCon, but anyone is invited — especially those who can’t attend DjangoCon.

We’ve reserved the whole restaurant for Django friends and fans. Dinner starts at 7pm, and the festivities should continue until about 10:30 or so. The party’s free, though the dinner and drinks aren’t. Tied House has good food and great beer; come hungry!

To make the night extra fun, we’ll be holding “lightning talks” at the party — five minute presentations on various Django-related topics. We’ll be asking speakers at the conference to present vastly trimmed-down versions of their conference talks, and we’ll be opening the floor up to anyone to present their own cool shit.

Tied House is located in downtown Mountain View (map). For DjangoCon attendees, that’s about 15 minutes away from the conference venue; we’ll caravan over (and provide transportation for folks without cars) right after the day’s talks end.

If you’ll be coming, please RSVP so that we can get an accurate headcount.

We’re also looking for sponsors for the party, so if you’re interested please contact us.

We hope to see you all there!

Posted by Robert Lofthouse & Jacob Kaplan-Moss on August 26, 2008

Django 1.0 beta 1 released!

In accordance with the Django 1.0 release roadmap, tonight we've released the first "beta" testing version of Django 1.0.

To grab a copy of 1.0 beta 1, head over to the Django downloads page, and be sure to read the release notes. Please keep in mind, though, that this release is not meant for production use, and is intended primarily for developers who are interested in checking out the new features in 1.0 and helping to identify and resolve bugs prior to the final release. The 1.0 alpha and beta releases will not receive long-term support and will not be updated with security fixes, since their main purpose is to serve as a stepping-stone on the path to the final Django 1.0 release.

The next step on that path will be the first Django 1.0 release candidate, currently scheduled for August 21. If you'd like to help out, please review our documentation for contributors and feel free to join in one of the development sprints scheduled for the run up to 1.0; the full schedule is available in the Django 1.0 release roadmap.

Posted by James Bennett on August 14, 2008

Django 1.0 alpha 2 released!

In accordance with the Django 1.0 release roadmap, tonight we've released the second "alpha" testing version of Django 1.0.

To grab a copy of 1.0 alpha 2, head over to the Django downloads page, and be sure to read the release notes. Please keep in mind, though, that this release is not meant for production use, and is intended primarily for developers who are interested in checking out the new features in 1.0 and helping to identify and resolve bugs prior to the final release. The 1.0 alpha releases will not receive long-term support and will not be updated with security fixes, since their main purpose is to serve as a stepping-stone on the path to the final Django 1.0 release.

The next step on that path will be the Django 1.0 beta release, currently scheduled for August 14. If you'd like to help out, please review our documentation for contributors and feel free to join in one of the development sprints scheduled for the run up to 1.0; the full schedule is available in the Django 1.0 release roadmap.

Posted by James Bennett on August 8, 2008

DjangoCon & Django 1.0 updates

A couple of quick updates:

DjangoCon tickets

Tickets for DjangoCon will be made available in a couple of batches of 100 tickets each. The first set of tickets will be available at 12:00pm (noon) UTC on Thursday, July 31st, and the second set will be released at 6:00pm UTC on Friday, August 1st. We’ll add a registration link to djangocon.org at those times.

Update: tickets are sold out.

We’re very sorry that we couldn’t accommodate more attendees; we’re limited by a tight schedule and a limited budget. The good news is that all the talks will be videotaped and made available online for those who can’t attend.

Django 1.0 release schedule

We’ve been plowing ahead towards Django’s 1.0 release in early September. Since last week’s 1.0 alpha release we’ve continued to make some pretty nice improvements, including more flexible syntax for admin registration, support for custom cache backends, an “else” option for the “ifchanged” tag, and — the biggie — support for intermediary models in many-to-many relations.

We plan to release Django 1.0 beta in about a week. This first beta release will mark feature-freeze for 1.0, so this weekend’s sprint will be critical in getting the final features for 1.0 wrapped up and out the door. We’d love to have your help this weekend!

Posted by Jacob Kaplan-Moss on July 29, 2008

Django 1.0 alpha released!

In accordance with the Django 1.0 release roadmap, tonight we've released the first "alpha" testing version of Django 1.0. This release includes all of the major features due for inclusion in the final Django 1.0, though some lower-priority items are still scheduled to be included before the 1.0 feature freeze, which will occur with the first beta release next month.

To grab a copy of the 1.0 alpha, head over to the Django downloads page, and be sure to read the release notes. Please keep in mind, though, that this release is not meant for production use, and is intended primarily for developers who are interested in checking out the new features in 1.0 and helping to identify and resolve bugs prior to the final release. The 1.0 alpha will not receive long-term support and will not be updated with security fixes, since its main purpose is to serve as a stepping-stone on the path to the final Django 1.0 release.

The next step on that path will be the first Django 1.0 beta release, currently scheduled for August 5. If you'd like to help out, please review our documentation for contributors and feel free to join in one of the development sprints scheduled for the run up to 1.0; the full schedule is available in the Django 1.0 release roadmap.

Posted by James Bennett on July 21, 2008

Incoming!

This is a quick PSA for Django users following Django’s development version.

At today’s sprint in Sausalito we’ll be making a series of backwards-incompatible changes with an eye towards the 1.0 alpha release next week. These changes have been planned for some time, but today we’ll be making them all at once.

So expect some big changes over the course of the day. We’ll post a summary of the results of the sprint tonight.

Of course, if you aren’t too busy today, come join the sprint!

Posted by Jacob Kaplan-Moss on July 18, 2008

Django at OSCON

Next week is OSCON in Portland, Oregon. As in past years, Django will be well represented there. If you’re attending the conference, there’s some pretty solid-looking talks in the Python and Web Applications tracks (including a couple by Yours Truly).

The real fun at OSCON begins after the microphones get turned off, though, and this year’s no exception. For anyone at OSCON, or anybody who’ll be in the Portland area next week, we’ve got some awesome Django-related meetups and events scheduled:

  • Tuesday, July 22nd, at 7pm: Django drinkup at Jax Bar. Come meet other Djangonauts at OSCON and the area on the Jax Bar rooftop patio. Getting to Jax Bar from the OSCON is easy: take any MAX train downtown and get off at Morrison/SW 3rd Avenue, then walk a tiny bit south and you’re there. Jax is on the east (river) side of the street on 2nd in between Yamhill and Taylor (Google Street View).

  • Wednesday, July 23, 6pm: FOSCON. FOSCON is a Ruby gathering, but this year they’re holding a friendly competition among Rails, Django, and CakePHP developers; one team per framework. If you’d like to participate in the competition, get in touch with Michael Richardson at richardson.michael.t -at- gmail.

  • Thursday, July 24, 8pm: Beerforge! Not a Django event per-se, but Beerforge is one of the main OSCON parties, and you can expect to see a lot of Djangonauts there.

[Thanks to Michael Richardson for writing up this event list.]

Of course, even if you can’t make these events, if you’re at OSCON please come say hi! I’ll be there all week, as will Simon; we love hanging out and talking with fellow Django users.

See you in Portland!

Posted by Jacob Kaplan-Moss on July 17, 2008

Support the Django Software Foundation

A short while ago, we announced the creation of the Django Software Foundation, a non-profit organization that exists (among other reasons) to sponsor Django coding sprints and other events for our community.

Now, we're kick-starting the foundation by holding a fundraising drive.

With Django 1.0 around the corner, our immediate goal is to raise enough money to support the upcoming pre-1.0 coding sprints, which bring developers together in the real world for highly productive design and programming sessions. After the 1.0 release, we're planning to fund regularly scheduled sprints, user meet-ups and other community events.

It sounds a bit cheesy, but: with your help, we can make these things happen.

If you enjoy using Django and believe in our mission and goals, please consider making a donation:

For more information, see our donation FAQ or our more general foundation FAQ. Please don't hesitate to contact us if you have more questions.

And, attention companies! We're also forming a corporate sponsorship program. If you represent a business that would like to join the DSF as a sponsor member, please let us know.

We now return you to your regularly scheduled program(ming). Thanks for tolerating this fundraising announcement; we'll try to keep these to a minimum.

Posted by Adrian Holovaty & Jacob Kaplan-Moss on July 14, 2008

DjangoCon 2008

For the past year or so, people have been asking for us to hold a conference all about Django. Putting together a conference is an immense amount of work, so it took us a while to get the ball rolling. However, over the past couple of months we've found a few good volunteers who've taken on the task of planning a "DjangoCon," and now the dream is a reality!

For the details, I'll turn this space over to Robert Lofthouse, the conference chair:

I am pleased to announce that DjangoCon will be held on the 6th and 7th of September, 2008 at the Google headquarters in Mountain View. This will tie in with the 1.0 release of Django, and so we'll be also having a 1.0 release party on Saturday September 6th.

All the details including a schedule of speakers will be made available when we launch the conference website on Friday. Space will be limited to about 200 attendees, so we'll be releasing tickets in batches to give everyone a chance to come to the conference. Admission will be free, but we'll be asking for an optional donation to the Django Software Foundation to help cover our costs.

Thanks to everyone who has been helping out, and also thanks to Google for working so hard to get everything done!

I look forward to seeing those that can make it! It's going to rock!

— Robert Lofthouse, Conference Chair

Posted by Jacob Kaplan-Moss on July 13, 2008

Sprinting to the finish

Django 1.0 is about two months away — time to get cracking!

Update July 15: added details about the August 1st sprint, which will be in Washington, DC.

To help get everything done by the deadline, we'll be holding a series of sprints. Over the next six weeks we'll hold sprints in Sausalito, Lawrence, Austin, Washington, DC, and Portland, and virtually all over the world.

Each sprint day we'll devote at least 24 hours of focused work. Each sprint will be on a Friday, though work will likely continue at a fair clip into the weekend.

Anybody is invited to participate and contribute. If you've never contributed to Django before, this is a perfect way to start.

If you're interested, check out our page all about Django development sprints, and check out the details of each particular sprint:

We hope you'll join us — in person, or virtually!

Posted by Jacob Kaplan-Moss on July 11, 2008

Announcing the Django Software Foundation

It seemed only fitting to give the scoop to the Lawrence Journal-World:

Django, started nearly five years ago by programmers affiliated with The World Company, now joins a lineup of pervasive computer languages and systems — including Mozilla, Apache and Linux — to be overseen by a nonprofit organization.

We're still breaking this baby in, so we're a little light on details for now. You can read a bit about our goals now, and as you can imagine we'll be talking a lot about this in the days and weeks to come.

Suffice to say that we're amazingly excited about the opportunities this next step brings. When we started thinking about releasing Django (three years ago!) we never expected this level of success.

We certainly couldn't have gotten here without the amazing support and contributions from our community of users and developers. To everyone who's used or contributed to Django: thanks!

Posted by Jacob Kaplan-Moss on June 17, 2008