fix(integrity check): update hash + handle collectstatic #10241
Conversation
@kiblik: I don't have enough insights into the release process, but maybe it makes sense to add automatic recalculation for the release process.
Let's assume the hash changes in both bugfix and dev branches. Then, the new release should have new hash codes automatically recalculated and committed for all branches. Is this automatically possible somehow?
Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.
Note 🟢 Risk threshold not exceeded.
Change Summary: The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective. Summary: The changes in this pull request focus on improving the security and integrity of the Django application's configuration settings. The key changes include:
Files Changed:
Powered by DryRun Security
This reverts commit 6fed567.
This should probably wait until after this PR is merged to get the |
I'm a bit confused about why we have to create an exception for collectstatic, since I can't see any reason the hash of the settings.dist.py file would differ from our expected value in that step, but in the interest of getting this fixed quickly we can leave it for now.
@cneill please see my comment on #10212 - the integrity checker wrongly stopped the build process when running ./dc-build.sh in debug mode. Thanks @kiblik for looking into this so quickly.
Approved
Right, I can see that it has been failing at that step in our unit tests runs, but taking this branch and removing the |
@cneill it's all about when developing and testing things. When preparing a fix for an issue, e.g. for dedupe, this behavior hinders contributors from correctly testing their stuff. Skipping the file is the best way to give contributors smooth access to change hash fields as well as other stuff there and test it correctly. Please see this as a hotfix, until the hash code is created during release. It is really annoying right now.
This PR fixes:
- collectstatic (during any build): identified in feat(settings): Add integrity checker #10212 (comment)
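Two mechanisms are discussed in this thread: exempting the `collectstatic` management command from the settings-file hash check (the fix in this PR), and recomputing the pinned hash automatically at release time instead of editing it by hand (the suggestion in the first comment). The following is an added Python example that shows both side by side; it is not the project's own integrity checker, and the file names, the `EXPECTED_HASH = "..."` pin format, the `should_skip` exemption list and the sample settings content are all assumptions made for the illustration.

```python
"""Settings-file integrity check with a command exemption and a rehash helper.

Added illustration, not the project's checker. Assumed: a checker module that
pins the expected digest as a line 'EXPECTED_HASH = "<sha256 hex>"', and a
settings file whose digest is compared against that pin at build time.
"""
from __future__ import annotations

import hashlib
import re
import tempfile
from pathlib import Path

# Constructed sample settings content (not the project's real file).
SETTINGS_TEXT = "DEBUG = False\nALLOWED_HOSTS = ['localhost']\n"
# Assumed pin format inside the checker module.
PIN_RE = re.compile(r'^EXPECTED_HASH = "(?P<hash>[0-9a-f]{64})"$', re.M)


def file_hash(path: Path) -> str:
    """SHA-256 hex digest of the file, streamed so large files are not read at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def should_skip(argv: list[str], exempt_commands=("collectstatic",)) -> bool:
    """The exemption from this PR: a run of an exempt management command skips the check.

    argv[0] is the script name (manage.py), so only the arguments are inspected.
    """
    return any(cmd in argv[1:] for cmd in exempt_commands)


def check_integrity(settings_path: Path, expected: str, argv: list[str]) -> str:
    """Return 'skipped', 'ok' or 'mismatch'; a build script would abort on 'mismatch'."""
    if should_skip(argv):
        return "skipped"
    return "ok" if file_hash(settings_path) == expected else "mismatch"


def update_pin(checker_path: Path, settings_path: Path) -> str:
    """Release-time helper: rewrite the pinned digest to match the current settings file."""
    new = file_hash(settings_path)
    text = checker_path.read_text()
    if not PIN_RE.search(text):
        raise ValueError("no EXPECTED_HASH pin found in checker")
    checker_path.write_text(PIN_RE.sub(f'EXPECTED_HASH = "{new}"', text))
    return new


def demo(tmp: Path | None = None) -> dict:
    """Build constructed files in a temp dir and exercise every code path."""
    if tmp is None:
        with tempfile.TemporaryDirectory() as d:
            return demo(Path(d))
    settings = tmp / "settings.dist.py"
    checker = tmp / "integrity.py"
    settings.write_text(SETTINGS_TEXT)
    good = file_hash(settings)
    checker.write_text(f'EXPECTED_HASH = "{good}"\n')

    results = {"clean": check_integrity(settings, good, ["manage.py", "check"])}
    # A contributor edits the file locally while testing a fix: the pin no longer matches.
    settings.write_text(SETTINGS_TEXT + "DEBUG = True\n")
    results["edited"] = check_integrity(settings, good, ["manage.py", "check"])
    # The same edited file passes a collectstatic run because that command is exempt.
    results["collectstatic"] = check_integrity(
        settings, good, ["manage.py", "collectstatic", "--noinput"])
    # Release step: recompute and commit the pin instead of hand-editing it.
    refreshed = update_pin(checker, settings)
    results["after_update"] = check_integrity(settings, refreshed, ["manage.py", "check"])
    results["pin_rewritten"] = PIN_RE.search(checker.read_text()).group("hash") == refreshed
    return results


if __name__ == "__main__":
    print(demo())
```

The exemption is keyed only on the management command name, so any build step that runs an exempt command is never checked; whatever goes on that list should be the minimum the build actually needs, which is the concern raised in the review comment above. Regenerating the pin with `update_pin` at release time, as suggested in the first comment, keeps the check strict on every other path while removing the manual hash edit that motivated the hotfix.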