
Security: create up-to-date tagged release #2828

Closed
lucasgonze opened this issue Jul 15, 2022 · 17 comments

@lucasgonze

There has not been a tagged release since Apr 28, 2021. As a result most users of this package cannot access the security fix in #2581.

There has been a lot of work and many merges since then, but that is out of scope for me personally and for this ticket.

@bt

bt commented Jul 17, 2022

@benoitc - Is this something you'd be able to comment on? Is there something that needs to happen before we can tag a new release?

@lucasgonze
Author

@benoitc Do you need assistance from contributors? Can we help lighten your load?

@naktinis

@benoitc is there something preventing a new release? If you are currently busy with other things, maybe contributors could help?

@mball-agathos

@benoitc If a full release is too burdensome, it would be highly useful to have a point release (e.g., 20.1.1) containing just a cherry-pick of #2581 (and any other high-priority fixes). I could help by creating a pull request with the cherry-pick, but we'd need you or another maintainer to generate the release from this update. Would this be easier than doing another major release? Thanks for your help in maintaining this very useful open-source package!

@riptusk331

Any traction on this??

@binaryDiv

@benoitc I really understand that maintaining an open-source project is a lot of voluntary work, and I appreciate all the work that went into this project.

However, this is a project with a lot of contributors, and it is widely used in production. It cannot take a full year (or even longer) to just make a patch release with very critical fixes (that are already done and merged, just not released).

If you don't have the time or energy (or simply don't want) to maintain this repository, this is absolutely fine and understandable. But in that case there should be at least a co-maintainer who can accept pull requests and release new versions.

From the comments above it appears like there are multiple people who would love to help with that.

@fabswt

fabswt commented Feb 9, 2023

Spent over 3 hours today in dependency hell, so here's a quick recap for anyone new to the 'party' who needs gunicorn+eventlet+dnspython:

Got things working with this:

gunicorn @ git+https://github.com/benoitc/gunicorn.git@792edf6
eventlet==0.33.3
dnspython==2.3.0

I hope this'll save someone some time.

Detailed notes here
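The workaround above relies on one package being pinned to a git commit (a PEP 508 direct reference) while the others are pinned to exact PyPI versions; anything left floating will silently resolve to whatever the index serves, which for gunicorn at the time of this thread meant the 20.1.0 release without the fix. The following is an added example, not code from this thread or from the gunicorn project: it parses a requirements file, classifies each line as a git reference, an exact pin, or an unpinned spec, and checks the result against the pins the comment lists. The sample input reuses the three lines from the comment plus a constructed unpinned `requests` line to show the floating case; the `audit` function and its expectations dictionary are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the three pins from the comment above, plus an
# unpinned "requests" line (an assumption added to show the floating case).
SAMPLE_REQUIREMENTS = """\
# pins that worked for gunicorn + eventlet + dnspython
gunicorn @ git+https://github.com/benoitc/gunicorn.git@792edf6
eventlet==0.33.3
dnspython==2.3.0
requests
"""

# PEP 508 direct reference:  name @ url
_DIRECT_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.-]+)\s*@\s*(?P<url>\S+)$")
# exact pin:  name==version
_PIN_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.-]+)\s*==\s*(?P<version>[A-Za-z0-9_.+!-]+)$")
# pip VCS url:  git+<repo>@<ref>[#egg=...]
_GIT_REF_RE = re.compile(r"^git\+(?P<repo>.+?)@(?P<ref>[^#]+)(?:#.*)?$")


@dataclass
class Requirement:
    name: str
    kind: str                      # "git", "direct", "pinned" or "unpinned"
    version: Optional[str] = None  # exact version when kind == "pinned"
    repo: Optional[str] = None     # repository URL when kind in ("git", "direct")
    ref: Optional[str] = None      # commit, tag or branch when kind == "git"


def parse_requirement(line: str) -> Optional[Requirement]:
    """Classify one requirements.txt line; returns None for blanks and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = _DIRECT_RE.match(line)
    if m:
        git = _GIT_REF_RE.match(m.group("url"))
        if git:
            return Requirement(m.group("name"), "git",
                               repo=git.group("repo"), ref=git.group("ref"))
        return Requirement(m.group("name"), "direct", repo=m.group("url"))
    m = _PIN_RE.match(line)
    if m:
        return Requirement(m.group("name"), "pinned", version=m.group("version"))
    # Anything else (bare name, >=, ~=, extras, markers) floats to whatever
    # the index resolves at install time.
    name = re.split(r"[<>=~!;\[\s]", line, maxsplit=1)[0]
    return Requirement(name, "unpinned")


def parse_requirements(text: str) -> list[Requirement]:
    return [r for r in (parse_requirement(l) for l in text.splitlines()) if r]


def audit(reqs: list[Requirement], expected: dict[str, tuple[str, str]]) -> list[str]:
    """Compare parsed requirements with expected (kind, ref-or-version) pairs.

    Returns human-readable findings; an empty list means every expectation is
    met and nothing is left floating.
    """
    by_name = {r.name.lower(): r for r in reqs}
    findings = []
    for name, (kind, value) in expected.items():
        r = by_name.get(name.lower())
        if r is None:
            findings.append(f"{name}: missing from requirements")
            continue
        actual = r.ref if r.kind == "git" else r.version
        if r.kind != kind or actual != value:
            findings.append(f"{name}: expected {kind} {value}, found {r.kind} {actual}")
    for r in reqs:
        if r.kind == "unpinned":
            findings.append(f"{r.name}: unpinned, resolves to whatever the index serves")
    return findings


# Expectations mirroring the comment's pins (this example's own table).
EXPECTED = {
    "gunicorn": ("git", "792edf6"),
    "eventlet": ("pinned", "0.33.3"),
    "dnspython": ("pinned", "2.3.0"),
}

if __name__ == "__main__":
    for finding in audit(parse_requirements(SAMPLE_REQUIREMENTS), EXPECTED):
        print(finding)
```

Run against the sample, the only finding is the floating `requests` line; run against a file that pins `gunicorn==20.1.0` instead of the git commit, it reports the mismatch, which is the exact situation later comments in this thread describe. The check is deliberately strict about `kind`: a version pin and a commit pin with the same package name are not interchangeable, because only one of them points at code that is actually on the index.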

@NeilujD

NeilujD commented Feb 15, 2023

Thanks for the hint @fabswt!
Which version of Python are you using?

@fabswt

fabswt commented Feb 15, 2023

@NeilujD I was on Python 3.9 but, with eventlet and dnspython now up-to-date, will be able to switch back to 3.10. I realize the "detailed notes" link broke after I moved the file, I just fixed it – it includes details about the Python versions.

@lars1264

Thanks @fabswt,
works for me. Installed it via
pip install -I gunicorn git+https://github.com/benoitc/gunicorn.git@792edf6

@bt

bt commented May 7, 2023

Hi @benoitc, this issue is open.

@benoitc
Owner

benoitc commented May 7, 2023

@bt If you want to help, please test master and report any issue you still have, or comment on currently open issues. This will be much appreciated.

@benoitc
Owner

benoitc commented May 7, 2023

I am closing this issue since a release is about to land. Master already includes the needed change.

Also while I understand the frustration, this is not the proper way to handle "security" issues. Please drop a mail to security@ next time. Or directly to me if you want to.

@benoitc benoitc closed this as completed May 7, 2023
@fabswt

fabswt commented May 27, 2023

I'm confused, why is this closed?

  • The README still says to install with pip install gunicorn but PyPI is still offering 20.1.0 (from Apr 28, 2021) which does not include the security fix mentioned in the OP and just won't work with recent versions of eventlet.
    - AFAIK using a hash/patch (gunicorn @ git+https://github.com/benoitc/gunicorn.git@792edf6) is still the only way to get gunicorn to run.

Closing this only adds to the confusion.

@devopstales

@benoitc Why is this issue closed? There is no new release since 20.1.0 (from Apr 28, 2021), neither on PyPI nor in the repo.

@lanmaster53

> I am closing this issue since a release is about to land.

From May 7th. Any updates @benoitc?

Repository owner deleted a comment from binaryDiv Jul 17, 2023
Repository owner locked and limited conversation to collaborators Jul 17, 2023