How to do Django security updates?

:+1: this. I must admit that I do not monitor the django releases very closely, so I was not aware that a security patch was out. In this particular case, it would require more effort on your part to notify someone from the community, wait for their PR, review and merge it, than simply do the change yourself, so we must find a way to be proactive about this. Are there any other release changes that you expect might occur and that the community could take care of?

EDIT: there are now a number of changes in the ironwood.master branch which are not included in any Ironwood tag. It is inconvenient to track a release branch, as new changes can break a build at any time. Do you think there could be an open-release/ironwood.3 tag?

We don’t watch all the required libraries for security patches, but we do watch Django for two reasons. First, they are very disciplined about announcing their fixes, so it is not hard to follow. Second, since Django’s vulnerabilities might be exploitable by the public, it’s more important to keep them patched.

As for the Ironwood tags, I’m not sure what changes are tag-worthy. Here are the changes to edx-platform since ironwood.2:

 * 9490d8e083 2019-12-19 (HEAD -> open-release/ironwood.master, origin/open-release/ironwood.master) Upgrade Django to 1.11.27 Ned Batchelder
 * 86f4902257 2019-11-14 Latest Django 1.11.x security patch: 1.11.26 Ned Batchelder
 * ba26210099 2019-11-07 Fix invocation of (edx.)HtmlUtils.ensureHtml Silvio Tomatis
 *   54a65f7744 2019-10-11 Merge pull request #21635 from edx/patch-ironwood-reverse-tabnabbing Awais Jibran
 | * 6d826fbc6c 2019-09-12 Pervent reverse tabnabbing Awais Jibran
 *   fe5c627811 2019-09-02 Merge pull request #21396 from edx/asad/prod-471 AsadAzam
 | * ce92954524 2019-08-21 social platform validation asadazam93
 * | 7731c68b91 2019-08-21 Django 1.11.23 Ned Batchelder
 * |   f14ab59d5d 2019-08-21 Merge pull request #21350 from edx/aj/sec_609_customtag_fix Awais Jibran
 |\ \
 | |/
 | * f9689aadb0 2019-08-16 Patch Ironwood: Make CustomTagModule safe (remove Mako) [SEC-609]. Awais Jibran
 * 34149c7a37 2019-07-02 Update the version of matplotlib running in sandboxes. (#20937) Feanil Patel
 * b57df7ad72 2019-06-19 rate limit password reset email requests noraiz-anwar
 *   998f2bd50b 2019-06-27 Merge pull request #20857 from edx/dsheraz/prod-403 Syed Muhammad Dawoud Sheraz Ali
 | * 25e929f169 2019-06-20 fix activation email for incorrect password DawoudSheraz
 *   0edf59df36 2019-06-26 Merge pull request #20904 from edx/azarembok/cert-xss-fix Alan Zarembok
 | * b33db2c548 2019-06-26 Fix XSS vulnerability on certificates support page. Alan Zarembok
 * 441d6384ee 2019-06-04 (tag: open-release/ironwood.2) Updated translation files Ned Batchelder

There’s no point in tagging every change I think, we’d be up to ironwood.13. Let’s talk more about the purpose of the tags.