Python – How to keep a production Python environment secure

Tags: maintenance, python, Security, web-development

Most of my work is creating websites in Django (a Python web framework) and deploying them to my own or clients' servers. I work from a virtualenv to separate site from system packages and have perhaps 60-80 packages installed in there and that lot is shared between two-dozen sites.

The obvious limitation of this approach is needing to test every site if I upgrade a package it uses. I consider that a fair trade-off for not needing to keep on top of umpteen separate virtualenvs.

And that is essentially my whole problem. How on earth are you supposed to keep on top of virtualenv deployments? People just seem to treat them like a dumping ground but if the programming universe has learnt anything this past week from the Ruby on Rails explosion, using old versions of software is unacceptable.

I have a simple script that attempts to check for current package versions against the latest pip counterpart but it's quite inaccurate. It also doesn't differentiate between security upgrades and feature upgrades (which require days of testing and fixing).

I am looking for something better. I am looking for something that can let me know if Django has a new security release out, or if something is end-of-life. I want something to help me (and other Python devops) not become the next batch of people crying after a wave of kids with scanners and scripts convert our servers into a botnet.

Does such a thing exist?
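As an added example (not code from the question or the answer), the script below sketches the check the question is after: read a `pip freeze` listing, match each pin against advisory version ranges, and report the smallest "security-only" upgrade separately from whatever the latest feature release happens to be. The freeze output and the advisory list are constructed inline so it runs offline; the advisory IDs, package names and ranges are placeholders, not real vulnerabilities. In practice the advisory list would be pulled from a feed such as OSV, and only plain PEP 440 release versions with an optional pre-release suffix are handled.

```python
"""Flag pinned packages that fall inside a known-vulnerable version range.

Added example, not from the original post. The freeze output and advisories
below are constructed placeholders; the range rule (introduced <= v < fixed)
follows the shape used by OSV advisories.
"""
import re

# Constructed sample input, shaped like `pip freeze` output from a virtualenv.
PIP_FREEZE_OUTPUT = """\
Django==1.4.3
examplepkg==2.0.1
otherlib==0.9
"""

# Constructed advisories with placeholder IDs (not real CVEs or packages).
# Each entry gives the first affected version and the first fixed version.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "examplepkg",
     "introduced": "2.0.0", "fixed": "2.0.2"},
    {"id": "EXAMPLE-0002", "package": "examplepkg",
     "introduced": "1.0.0", "fixed": "1.5.0"},
    {"id": "EXAMPLE-0003", "package": "otherlib",
     "introduced": "0.0", "fixed": "1.0"},
]

# Release segment plus an optional pre-release/dev suffix (post/local versions
# are deliberately out of scope and rejected).
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:(a|b|rc|\.dev)\d*)?$")


def parse_version(text):
    """Return a comparable key (release_tuple, is_final) for a version string.

    Trailing zeros are dropped so 1.0 == 1.0.0, and a pre-release suffix
    makes the version sort before its final release (2.0.2rc1 < 2.0.2).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    release = [int(part) for part in m.group(1).split(".")]
    while len(release) > 1 and release[-1] == 0:
        release.pop()
    return tuple(release), m.group(2) is None


def normalize_name(name):
    """PEP 503 name normalization: case-insensitive, runs of -_. become '-'."""
    return re.sub(r"[-_.]+", "-", name.strip()).lower()


def parse_freeze(text):
    """Turn `pip freeze` lines into {normalized_name: version}.

    Comments, editable installs and unpinned VCS/URL lines are skipped,
    since they carry no version to compare.
    """
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "-e ")):
            continue
        name, sep, version = line.partition("==")
        if not sep:
            continue
        pins[normalize_name(name)] = version.strip()
    return pins


def is_affected(version, introduced, fixed):
    """True if introduced <= version < fixed; a missing fix means still open."""
    v = parse_version(version)
    return parse_version(introduced) <= v and (
        fixed is None or v < parse_version(fixed)
    )


def audit(freeze_text, advisories):
    """Return {package: [advisory ids]} for every pin inside an affected range."""
    pins = parse_freeze(freeze_text)
    findings = {}
    for adv in advisories:
        pkg = normalize_name(adv["package"])
        pinned = pins.get(pkg)
        if pinned is None:
            continue
        if is_affected(pinned, adv["introduced"], adv.get("fixed")):
            findings.setdefault(pkg, []).append(adv["id"])
    return findings


def security_upgrade_target(pinned, advisories_for_pkg):
    """Smallest version that clears every open advisory for this pin, or None.

    This is the security upgrade the question wants to tell apart from a
    feature upgrade to the latest release: the highest "fixed" version among
    the advisories the pin is affected by (assuming fixes are not regressed).
    """
    fixes = [a["fixed"] for a in advisories_for_pkg
             if a.get("fixed") and is_affected(pinned, a["introduced"], a["fixed"])]
    if not fixes:
        return None
    return max(fixes, key=parse_version)


if __name__ == "__main__":
    pins = parse_freeze(PIP_FREEZE_OUTPUT)
    for pkg, ids in sorted(audit(PIP_FREEZE_OUTPUT, ADVISORIES).items()):
        target = security_upgrade_target(
            pins[pkg], [a for a in ADVISORIES if normalize_name(a["package"]) == pkg])
        print(f"{pkg}=={pins[pkg]}: affected by {', '.join(ids)}; "
              f"security upgrade to {target}")
```

Run inside the virtualenv with real `pip freeze` output piped in and a real advisory feed substituted for the constructed list; the separation between `audit` (is this pin known-bad?) and `security_upgrade_target` (what is the smallest jump that closes it?) is what lets security fixes be applied on a faster track than feature upgrades that need days of regression testing.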

Best Answer

Major GNU/Linux distributions have specialized security teams responsible for keeping all packages in the distribution secure. If you cannot afford to spend enough resources to match up with these teams, then (if the highest security is the goal) the best solution is probably to rely on their work and use packages from the distributions. Distributions with staged releases (such as Debian) try to patch packages such that their dependencies do not break.

Of course, if you use the distribution's packages, you lose the flexibility of the Python virtual environment. So, this seems to be another tradeoff triangle: high security, low costs, installation flexibility. Pick two.
