Week ending 2026-05-24 (Week 21)

This week was mostly about returning from PyCon , which was quite exhausting. I arrived back on Wednesday, fairly drained (and very hungry ), so I worked during Thu and Fri catching up on a large backlog of email notifications and syncing with the other Fellows.

Triaged

• #37105 (Admin change form actions should only allow applying to object from the change form) – Django - Admin change form actions should only allow applying to object from the change form (accepted)
• #37111 (Add a sprints quickstart guide for contributors) – Django - Add a sprints quickstart guide for contributors (accepted)

Reviewed

• Pre-edits for 6.1a1. by jacobtylerwalls · Pull Request #21336 · django/django · GitHub - Pre-edits for 6.1a1.
• [checklists] Updates after 6.1 alpha by jacobtylerwalls · Pull Request #2631 · django/djangoproject.com · GitHub - [checklists] Updates after 6.1 alpha

Authored

• #37117 (Admin: Change form actions should use ModelAdmin.get_queryset(request)) – Django - Admin: Change form actions should use ModelAdmin.get_queryset(request)
• Fixed #37117 -- Used ModelAdmin.get_queryset() for change form actions. by nessita · Pull Request #21344 · django/django · GitHub - Fixed #37117 – Used ModelAdmin.get_queryset() for change form actions.

Security

• Triaged reports,
• Reviewed 5 PRs in preparation for security prenotifications next week.

Other/Misc

• Weekly Fellows meeting.
• Engaged in Proposal: Make file upload permissions respect umask - #10 by nessita.

Week ending 2026-05-31 (Week 22)

My primary focus this week was polishing the upcoming security release . I spent time going deeper into areas I am less familiar with to ensure everything was in good shape for release. As release manager, this included reviewing and completing release notes , preparing backports for all three supported stable branches , and crafting the corresponding CVE metadata so records are ready ahead of disclosure (this is part of our CNA responsibilities).

Reviewed

• [5.2.x] Added executor_class attribute to migrate command for customization. by moaddib666 · Pull Request #21358 · django/django · GitHub - [5.2.x] Added executor_class attribute to migrate command for customization.
• Updated links to severity levels in release notes. by jacobtylerwalls · Pull Request #21371 · django/django · GitHub - Updated links to severity levels in release notes.
• Fixed #37111 -- Added sprints quickstart docs page. by tim-schilling · Pull Request #21338 · django/django · GitHub - Fixed #37111 – Added sprints quickstart docs page.

Authored

• [checklists] Fixed CVE description to include product name and render inline code in HTML. by nessita · Pull Request #2632 · django/djangoproject.com · GitHub - [checklists] Fixed CVE description to include product name and render inline code in HTML.
• Refs #35870, Refs #35514 -- Fixed a couple of issues for deprecation notices in 6.1 docs. by nessita · Pull Request #21362 · django/django · GitHub - Refs #35870, Refs #35514 – Fixed a couple of issues for deprecation notices in 6.1 docs.
• Improved release script by adding git tag commit hash and extra tests. by nessita · Pull Request #21363 · django/django · GitHub - Improved release script by adding git tag commit hash and extra tests.
• Refs #35514 -- Improved docs for MAILERS setting and mailers migration guide. by nessita · Pull Request #21373 · django/django · GitHub - Refs #35514 – Improved docs for MAILERS setting and mailers migration guide.
• [checklists] Expose "discovery" in SecurityIssue admin fields. by nessita · Pull Request #2641 · django/djangoproject.com · GitHub -[checklists] Expose “discovery” in SecurityIssue admin fields.
• [checklists] Remove severity duplication in security release checklist by nessita · Pull Request #2644 · django/djangoproject.com · GitHub - [checklists] Remove severity duplication in security release checklist

Security

• Prepared private security PRs (targeting main and the three supported stable branches) for the five security patches.
• Sent security release pre-notification announcement.

Other/Misc

• Weekly Fellows meeting.
• Attended DSF Office Hours.
• Monthly Online Communities call.

Week ending 2026-06-07 (Week 23)

This week was quite intense, with most of the focus on getting the security release out the door . Issuing the release for the 5 CVEs took a fair amount of coordination and attention to detail, and definitely consumed a good chunk of brain power .

Alongside that, there were a number of meetings throughout the week, so overall it was a mix of high-focus release work and keeping in sync with the different groups . Bonus: the final DEP 0018 for MAILERS was approved, moved to the accepted folder, and merged .

Triaged

• #37141 (sendtestemail needs a way to specify the MAILERS configuration) – Django - sendtestemail needs a way to specify the MAILERS configuration (accepted)
• #37138 (Outdated docs CSS in local and preview builds) – Django - Outdated docs CSS in local and preview builds (accepted)
• #37137 (Replace raw SQL suggestion in TIME_ZONE docs) – Django - Replace raw SQL suggestion in TIME_ZONE docs (accepted)

Reviewed

• Made PR quality check require tickets for new contributors. by jacobtylerwalls · Pull Request #21302 · django/django · GitHub - Made PR quality check require tickets for new contributors.
• [6.1.x] Updated source translation catalogs. by jacobtylerwalls · Pull Request #21337 · django/django · GitHub - [6.1.x] Updated source translation catalogs.
• [6.0.x] Updated translations from Transifex. by jacobtylerwalls · Pull Request #21404 · django/django · GitHub - [6.0.x] Updated translations from Transifex.
• Refs CVE-2026-6873 -- Defaulted SIGNED_COOKIE_LEGACY_SALT_FALLBACK transitional setting to False. by jacobtylerwalls · Pull Request #21413 · django/django · GitHub - Refs CVE-2026-6873 – Defaulted SIGNED_COOKIE_LEGACY_SALT_FALLBACK transitional setting to False.

Security

• Polished security patches in preparation for security release.
• Issued security release for 5 CVEs
  • Django security releases issued: 6.0.6 and 5.2.15
• Prepared and published CVE metadata for publishing CVE records for daphne:
  • CVE-2026-44545: Unbounded WebSocket message and frame sizes can cause unauthenticated remote denial of service
  • CVE-2026-44546: Header injection via WebSocket upgrade parser differential allows ASGI scope header spoofing
• Prepared and published CVE metadata for publishing CVE records for Django:
  • CVE-2026-6873: Signed cookie salt namespace collision in django.http.HttpRequest.get_signed_cookie
  • CVE-2026-7666: Potential unencrypted email transmission via STARTTLS in the SMTP backend
  • CVE-2026-8404: Potential exposure of private data via case-sensitive Cache-Control directives in UpdateCacheMiddleware
  • CVE-2026-35193: Potential exposure of private data via missing Vary: Authorization in UpdateCacheMiddleware
  • CVE-2026-48587: Potential exposure of private data via whitespace padding in Vary header
• Triaged new security reports.

Other/Misc

• Monthly Steering Council meeting.
• Biweekly meeting with Fellows and Board Liaison (Jeff Triplett).
• Biweekly meeting with Fellows and Line Manager (Andrew Godwin).
• Weekly Fellows meeting.