mirror of
https://github.com/django/django.git
synced 2024-12-26 02:56:25 +00:00
45c7f427ce
All adhoc MAC applications have been updated to use HMAC, using SHA1 to generate unique keys for each application based on the SECRET_KEY, which is common practice for this situation. In all cases, backwards compatibility with existing hashes has been maintained, aiming to phase this out as per the normal deprecation process. In this way, under most normal circumstances the old hashes will have expired (e.g. by session expiration etc.) before they become invalid. In the case of the messages framework and the cookie backend, which was already using HMAC, there is the possibility of a backwards incompatibility if the SECRET_KEY is shorter than the default 50 bytes, but the low likelihood and low impact meant compatibility code was not worth it. All known instances where tokens/hashes were compared using simple string equality, which could potentially open timing based attacks, have also been fixed using a constant-time comparison function. There are no known practical attacks against the existing implementations, so these security improvements will not be backported. git-svn-id: http://code.djangoproject.com/svn/django/trunk@14218 bcc190cf-cafb-0310-a4f2-bffc1f526a37
127 lines
5.9 KiB
Plaintext
127 lines
5.9 KiB
Plaintext
===========================
|
|
Django Deprecation Timeline
|
|
===========================
|
|
|
|
This document outlines when various pieces of Django will be removed, following
|
|
their deprecation, as per the :ref:`Django deprecation policy
|
|
<internal-release-deprecation-policy>`
|
|
|
|
* 1.3
|
|
* ``AdminSite.root()``. This release will remove the old method for
|
|
hooking up admin URLs. This has been deprecated since the 1.1
|
|
release.
|
|
|
|
* Authentication backends need to define the boolean attributes
|
|
``supports_object_permissions`` and ``supports_anonymous_user``.
|
|
The old backend style is deprecated since the 1.2 release.
|
|
|
|
* The :mod:`django.contrib.gis.db.backend` module, including the
|
|
``SpatialBackend`` interface, is deprecated since the 1.2 release.
|
|
|
|
* 1.4
|
|
* ``CsrfResponseMiddleware``. This has been deprecated since the 1.2
|
|
release, in favour of the template tag method for inserting the CSRF
|
|
token. ``CsrfMiddleware``, which combines ``CsrfResponseMiddleware``
|
|
and ``CsrfViewMiddleware``, is also deprecated.
|
|
|
|
* The old imports for CSRF functionality (``django.contrib.csrf.*``),
|
|
which moved to core in 1.2, will be removed.
|
|
|
|
* ``SMTPConnection``. The 1.2 release deprecated the ``SMTPConnection``
|
|
class in favor of a generic E-mail backend API.
|
|
|
|
* The many to many SQL generation functions on the database backends
|
|
will be removed.
|
|
|
|
* The ability to use the ``DATABASE_*`` family of top-level settings to
|
|
define database connections will be removed.
|
|
|
|
* The ability to use shorthand notation to specify a database backend
|
|
(i.e., ``sqlite3`` instead of ``django.db.backends.sqlite3``) will be
|
|
removed.
|
|
|
|
* The ``get_db_prep_save``, ``get_db_prep_value`` and
|
|
``get_db_prep_lookup`` methods on Field were modified in 1.2 to support
|
|
multiple databases. In 1.4, the support functions that allow methods
|
|
with the old prototype to continue working will be removed.
|
|
|
|
* The ``Message`` model (in ``django.contrib.auth``), its related
|
|
manager in the ``User`` model (``user.message_set``), and the
|
|
associated methods (``user.message_set.create()`` and
|
|
``user.get_and_delete_messages()``), which have
|
|
been deprecated since the 1.2 release, will be removed. The
|
|
:doc:`messages framework </ref/contrib/messages>` should be used
|
|
instead.
|
|
|
|
* Authentication backends need to support the ``obj`` parameter for
|
|
permission checking. The ``supports_object_permissions`` variable
|
|
is not checked any longer and can be removed.
|
|
|
|
* Authentication backends need to support the ``AnonymousUser``
|
|
being passed to all methods dealing with permissions.
|
|
The ``supports_anonymous_user`` variable is not checked any
|
|
longer and can be removed.
|
|
|
|
* The ability to specify a callable template loader rather than a
|
|
``Loader`` class will be removed, as will the ``load_template_source``
|
|
functions that are included with the built in template loaders for
|
|
backwards compatibility. These have been deprecated since the 1.2
|
|
release.
|
|
|
|
* ``django.utils.translation.get_date_formats()`` and
|
|
``django.utils.translation.get_partial_date_formats()``. These
|
|
functions are replaced by the new locale aware formatting; use
|
|
``django.utils.formats.get_format()`` to get the appropriate
|
|
formats.
|
|
|
|
* In ``django.forms.fields``: ``DEFAULT_DATE_INPUT_FORMATS``,
|
|
``DEFAULT_TIME_INPUT_FORMATS`` and
|
|
``DEFAULT_DATETIME_INPUT_FORMATS``. Use
|
|
``django.utils.formats.get_format()`` to get the appropriate
|
|
formats.
|
|
|
|
* The ability to use a function-based test runners will be removed,
|
|
along with the ``django.test.simple.run_tests()`` test runner.
|
|
|
|
* The ``views.feed()`` view and ``feeds.Feed`` class in
|
|
``django.contrib.syndication`` have been deprecated since the 1.2
|
|
release. The class-based view ``views.Feed`` should be used instead.
|
|
|
|
* ``django.core.context_processors.auth``. This release will
|
|
remove the old method in favor of the new method in
|
|
``django.contrib.auth.context_processors.auth``. This has been
|
|
deprecated since the 1.2 release.
|
|
|
|
* The ``postgresql`` database backend has been deprecated in favor of
|
|
the ``postgresql_psycopg2`` backend.
|
|
|
|
* The ``no`` language code has been deprecated in favor of the ``nb``
|
|
language code.
|
|
|
|
* 1.5
|
|
* The ``mod_python`` request handler has been deprecated since the 1.3
|
|
release. The ``mod_wsgi`` handler should be used instead.
|
|
|
|
* The ``template`` attribute on :class:`~django.test.client.Response`
|
|
objects returned by the :ref:`test client <test-client>` has been
|
|
deprecated since the 1.3 release. The
|
|
:attr:`~django.test.client.Response.templates` attribute should be
|
|
used instead.
|
|
|
|
* The features of the :class:`django.test.simple.DjangoTestRunner`
|
|
(including fail-fast and Ctrl-C test termination) can now be provided
|
|
by the unittest-native :class:`TextTestRunner`. The
|
|
:class:`~django.test.simple.DjangoTestRunner` will be removed in
|
|
favor of using the unittest-native class.
|
|
|
|
* The undocumented function
|
|
:func:`django.contrib.formtools.utils.security_hash`
|
|
is deprecated, in favour of :func:`django.contrib.formtools.utils.form_hmac`
|
|
|
|
* 2.0
|
|
* ``django.views.defaults.shortcut()``. This function has been moved
|
|
to ``django.contrib.contenttypes.views.shortcut()`` as part of the
|
|
goal of removing all ``django.contrib`` references from the core
|
|
Django codebase. The old shortcut will be removed in the 2.0
|
|
release.
|