[21:50] <diddledan__> ok, referencing bug #1372124, and merge 302107 and merge 302109, for the loco-team-portal, those two merges update individually from django 1.3 to 1.4 and 1.5 respectively. I'm now looking at moving on to 1.6 but there is a blocker in the openid dependency being incompatible because of session serialisation changing from pickle to json in 1.6
[21:53] <diddledan__> ideally we don't want to retain the pickle serialiser to continue with the openid module we're using (that is an option) because it is known to be potentially exploitable if the encryption key became known. an attacker who discovers the encryption key will automatically gain remote-code-execution if we continue with pickle serialisation