Week ending 2026-05-24 (Week 21)

This week was mostly about returning from PyCon , which was quite exhausting. I arrived back on Wednesday, fairly drained (and very hungry ), so I worked during Thu and Fri catching up on a large backlog of email notifications and syncing with the other Fellows.

Triaged

• #37105 (Admin change form actions should only allow applying to object from the change form) – Django - Admin change form actions should only allow applying to object from the change form (accepted)
• #37111 (Add a sprints quickstart guide for contributors) – Django - Add a sprints quickstart guide for contributors (accepted)

Reviewed

• Pre-edits for 6.1a1. by jacobtylerwalls · Pull Request #21336 · django/django · GitHub - Pre-edits for 6.1a1.
• [checklists] Updates after 6.1 alpha by jacobtylerwalls · Pull Request #2631 · django/djangoproject.com · GitHub - [checklists] Updates after 6.1 alpha

Authored

• #37117 (Admin: Change form actions should use ModelAdmin.get_queryset(request)) – Django - Admin: Change form actions should use ModelAdmin.get_queryset(request)
• Fixed #37117 -- Used ModelAdmin.get_queryset() for change form actions. by nessita · Pull Request #21344 · django/django · GitHub - Fixed #37117 – Used ModelAdmin.get_queryset() for change form actions.

Security

• Triaged reports,
• Reviewed 5 PRs in preparation for security prenotifications next week.

Other/Misc

• Weekly Fellows meeting.
• Engaged in Proposal: Make file upload permissions respect umask - #10 by nessita.

Week ending 2026-05-31 (Week 22)

My primary focus this week was polishing the upcoming security release . I spent time going deeper into areas I am less familiar with to ensure everything was in good shape for release. As release manager, this included reviewing and completing release notes , preparing backports for all three supported stable branches , and crafting the corresponding CVE metadata so records are ready ahead of disclosure (this is part of our CNA responsibilities).

Reviewed

• [5.2.x] Added executor_class attribute to migrate command for customization. by moaddib666 · Pull Request #21358 · django/django · GitHub - [5.2.x] Added executor_class attribute to migrate command for customization.
• Updated links to severity levels in release notes. by jacobtylerwalls · Pull Request #21371 · django/django · GitHub - Updated links to severity levels in release notes.
• Fixed #37111 -- Added sprints quickstart docs page. by tim-schilling · Pull Request #21338 · django/django · GitHub - Fixed #37111 – Added sprints quickstart docs page.

Authored

• [checklists] Fixed CVE description to include product name and render inline code in HTML. by nessita · Pull Request #2632 · django/djangoproject.com · GitHub - [checklists] Fixed CVE description to include product name and render inline code in HTML.
• Refs #35870, Refs #35514 -- Fixed a couple of issues for deprecation notices in 6.1 docs. by nessita · Pull Request #21362 · django/django · GitHub - Refs #35870, Refs #35514 – Fixed a couple of issues for deprecation notices in 6.1 docs.
• Improved release script by adding git tag commit hash and extra tests. by nessita · Pull Request #21363 · django/django · GitHub - Improved release script by adding git tag commit hash and extra tests.
• Refs #35514 -- Improved docs for MAILERS setting and mailers migration guide. by nessita · Pull Request #21373 · django/django · GitHub - Refs #35514 – Improved docs for MAILERS setting and mailers migration guide.
• [checklists] Expose "discovery" in SecurityIssue admin fields. by nessita · Pull Request #2641 · django/djangoproject.com · GitHub -[checklists] Expose “discovery” in SecurityIssue admin fields.
• [checklists] Remove severity duplication in security release checklist by nessita · Pull Request #2644 · django/djangoproject.com · GitHub - [checklists] Remove severity duplication in security release checklist

Security

• Prepared private security PRs (targeting main and the three supported stable branches) for the five security patches.
• Sent security release pre-notification announcement.

Other/Misc

• Weekly Fellows meeting.
• Attended DSF Office Hours.
• Monthly Online Communities call.

Week ending 2026-06-07 (Week 23)

This week was quite intense, with most of the focus on getting the security release out the door . Issuing the release for the 5 CVEs took a fair amount of coordination and attention to detail, and definitely consumed a good chunk of brain power .

Alongside that, there were a number of meetings throughout the week, so overall it was a mix of high-focus release work and keeping in sync with the different groups . Bonus: the final DEP 0018 for MAILERS was approved, moved to the accepted folder, and merged .

Triaged

• #37141 (sendtestemail needs a way to specify the MAILERS configuration) – Django - sendtestemail needs a way to specify the MAILERS configuration (accepted)
• #37138 (Outdated docs CSS in local and preview builds) – Django - Outdated docs CSS in local and preview builds (accepted)
• #37137 (Replace raw SQL suggestion in TIME_ZONE docs) – Django - Replace raw SQL suggestion in TIME_ZONE docs (accepted)

Reviewed

• Made PR quality check require tickets for new contributors. by jacobtylerwalls · Pull Request #21302 · django/django · GitHub - Made PR quality check require tickets for new contributors.
• [6.1.x] Updated source translation catalogs. by jacobtylerwalls · Pull Request #21337 · django/django · GitHub - [6.1.x] Updated source translation catalogs.
• [6.0.x] Updated translations from Transifex. by jacobtylerwalls · Pull Request #21404 · django/django · GitHub - [6.0.x] Updated translations from Transifex.
• Refs CVE-2026-6873 -- Defaulted SIGNED_COOKIE_LEGACY_SALT_FALLBACK transitional setting to False. by jacobtylerwalls · Pull Request #21413 · django/django · GitHub - Refs CVE-2026-6873 – Defaulted SIGNED_COOKIE_LEGACY_SALT_FALLBACK transitional setting to False.

Security

• Polished security patches in preparation for security release.
• Issued security release for 5 CVEs
  • Django security releases issued: 6.0.6 and 5.2.15
• Prepared and published CVE metadata for publishing CVE records for daphne:
  • CVE-2026-44545: Unbounded WebSocket message and frame sizes can cause unauthenticated remote denial of service
  • CVE-2026-44546: Header injection via WebSocket upgrade parser differential allows ASGI scope header spoofing
• Prepared and published CVE metadata for publishing CVE records for Django:
  • CVE-2026-6873: Signed cookie salt namespace collision in django.http.HttpRequest.get_signed_cookie
  • CVE-2026-7666: Potential unencrypted email transmission via STARTTLS in the SMTP backend
  • CVE-2026-8404: Potential exposure of private data via case-sensitive Cache-Control directives in UpdateCacheMiddleware
  • CVE-2026-35193: Potential exposure of private data via missing Vary: Authorization in UpdateCacheMiddleware
  • CVE-2026-48587: Potential exposure of private data via whitespace padding in Vary header
• Triaged new security reports.

Other/Misc

• Monthly Steering Council meeting.
• Biweekly meeting with Fellows and Board Liaison (Jeff Triplett).
• Biweekly meeting with Fellows and Line Manager (Andrew Godwin).
• Weekly Fellows meeting.

Week ending 2026-06-14 (Week 24)

This week had a bit of a reset feel to it . After the previous stretch of PyCon US, security prep, and the security release itself , I spent time going through pending and snoozed items , trying to close loops and get things back to a more manageable state.

We also reviewed and triaged a batch of security reports that were shared by a major AI company, following conversations I had at PyCon US about the growing volume of LLM-generated security submissions and the challenges they create for OSS projects (Django in particular). The reports were generated using an advanced security-focused model against the Django codebase. We evaluated each finding, confirming and addressing valid issues where appropriate and mapping others to existing tickets and prior reports. Overall, Django is in good shape , as the results largely overlapped with known reports, validated our current triage approach, and reinforced confidence in our security stance .

Triaged

• #37150 (Version added/changed text, console tabs missing from RTD preview builds, dirhtml builds, etc.) – Django - Version added/changed text, console tabs missing from RTD preview builds, dirhtml builds, etc. (accepted)
• #37155 (Allow templatetag `querystring` to start from an empty state) – Django - Allow templatetag querystring to start from an empty state (needsnewfeatureprocess)
• #37157 (Document how sphinx-autobuild can be used for nicer, faster, and better doc writing process) – Django - Document how sphinx-autobuild can be used for nicer, faster, and better doc writing process (accepted)
• #37160 (Make admin views consistently raise PermissionDenied (403) when lacking model permissions) – Django - Make admin views consistently raise PermissionDenied (403) when lacking model permissions (accepted)
• #37159 (Implement reproducible artifact builds) – Django - Implement reproducible artifact builds (accepted)
• #37156 (Change async Redis methods implementation to use Redis async primitives) – Django - Change async Redis methods implementation to use Redis async primitives (needsnewfeatureprocess)
• #37161 (Implement a system check for no default MAILERS configuration) – Django - Implement a system check for deprecated mail settings (accepted)
• #37163 (Optimize `@user_passes_test`) – Django - Optimize @user_passes_test (accepted)

Reviewed

• Run tests in postgis container by smithdc1 · Pull Request #20746 · django/django · GitHub - Run tests in postgis container
• Made check-commit-suffix job check only relevant commits. by jacobtylerwalls · Pull Request #21408 · django/django · GitHub - Made check-commit-suffix job check only relevant commits.
• Fixed #37141 -- Added --using option to sendtestemail command. by NagaKartheekReddy · Pull Request #21419 · django/django · GitHub - Fixed #37141 – Added --using option to sendtestemail command.
• https://github.com/django/django/pull/21421 - Doc’d security standards in howto-release-django.txt.
• Fixed #37150 -- Made djangodocs Sphinx extension work with any html builder. by medmunds · Pull Request #21440 · django/django · GitHub - Fixed #37150 – Made djangodocs Sphinx extension work with any html builder.
• Refs #37150 -- Synced docs/make.bat with Makefile. by medmunds · Pull Request #21446 · django/django · GitHub - Refs #37150 – Synced docs/make.bat with Makefile.
• Fixed #37157 -- Documented sphinx-autobuild for documentation live-reloading by SnippyCodes · Pull Request #21456 · django/django · GitHub - Fixed #37157 – Documented sphinx-autobuild for documentation live-reloading
• Updated link to release roadmap. by jacobtylerwalls · Pull Request #2656 · django/djangoproject.com · GitHub - Updated link to release roadmap.
• [checklists] Added PyPI token revocation to checklist. by jacobtylerwalls · Pull Request #2648 · django/djangoproject.com · GitHub - [checklists] Added PyPI token revocation to checklist.

Authored

• Refs CVE-2026-48587 -- Added helper to properly split header values. by nessita · Pull Request #21438 · django/django · GitHub - Refs CVE-2026-48587 – Added helper to properly split header values.
• #37152 (EmailMessage should block `bcc` in `extra_headers` and docs should not suggest `bcc` is a header) – Django - EmailMessage should block bcc in extra_headers and docs should not suggest bcc is a header

Security

• Triaged multiple security reports, including a batch of 11 reports (shared with prior approval) by a single source. In roughly equal proportions, the outcomes were:
  • a small number of actionable security fixes (some already known and in progress),
  • duplicates of existing public tickets,
  • correctness concerns rather than security issues, and
  • new issues that did not meet the bar for a security vulnerability, for which we created public tickets.
• Work on a patch for a new confirmed vulnerability.

Other/Misc

• Weekly Fellows meeting.
• Monthly Ops Team meeting.
• Monthly Security Team meeting.
• Prepared and sent invoice for May hours.

Week ending 2026-06-21 (Week 25)

Lots of preparation for the upcoming 6.1 βeta, with the goal of stabilizing recent changes and ensuring overall readiness . I also spent time digging into Django’s async behavior, reviewing recent changes and following through on related optimizations and documentation updates . I also looked more closely at packaging and reproducibility, especially around artifact builds, to improve our consistency in the release process .

Triaged

• https://code.djangoproject.com/ticket/37170 - No-argument form of @sensitive_post_parameters() doesn’t cleanse request.POST (accepted)
• https://code.djangoproject.com/ticket/37174 - Template fragment cache key collision for vary_on values containing “:” (accepted)
• https://code.djangoproject.com/ticket/37176 - Action should be importable from django.contrib.admin. (accepted)

Reviewed

• https://github.com/django/django/pull/21456 - Fixed #37157 – Doc’d sphinx-autobuild for documentation auto-reloading.
• https://github.com/django/django/pull/21469 - Fixed typo in Configuring email docs.
• https://github.com/django/django/pull/21418 - Refs #28586 – Doc’d writing a custom fetch mode.
• https://github.com/django/django/pull/21460 - Fixed #37163 – Optimized @user_passes_test async checking.
• https://github.com/django/django/pull/21459 - Refs #36532 – Optimized CSP decorator async checking.
• https://github.com/django/django/pull/21489 - Fixed #37159 – Implemented reproducible artifact builds.
• https://github.com/django/django/pull/21448 - Fixed #37152 – Raised ValueError for Bcc in EmailMessage headers.
• https://github.com/django/django/pull/21465 - Fixed #37165 – Updated Async Support topic doc.
• https://github.com/django/djangoproject.com/pull/2665 - Handle corporate member SVG logos

Authored

• https://github.com/django/django/pull/21493 - Refs #37142 – Removed docs for django.utils.warnings.django_file_prefixes().
• https://github.com/django/django/pull/21506 - Refs #36560, CVE-2026-35193 – Recognized qualified cache-control directives.
• https://github.com/django/django/pull/21511 - Fixed #37160 – Made admin views raise PermissionDenied consistently.
• https://github.com/django/djangoproject.com/pull/2666 - Fixed #2647 – Reduced billboard banner height on small screens.

Security

• Triaged new reports.
• Polished patches after round of reviews for confirmed vulnerabilities.

Other/Misc

• Weekly Fellows meeting.
• Biweekly meeting with Fellows and Line Manager (Andrew Godwin).
• Code research and options analysis for https://code.djangoproject.com/ticket/37161 - Implement a system check for no default MAILERS configuration.
• Packaging tools research for https://code.djangoproject.com/ticket/37159 - Implement reproducible artifact builds.