The 18th Open edX community release will be named Redwood. It will be released Jun 9th, 2024. The open-release/redwood.master branches will be created two months earlier, on April 9th. Code on master/main as of April 9th will be part of Redwood. Code merged after that will need special handling to be part of Redwood.
Put stuff here that we have to remember when we start packaging up Redwood. Especially important is information that system installers or operators will need to know. Please include your name when you add an item, so that we can get back to you with questions.
The default minimum password length has been updated from 2 characters to 8 characters. (PR)
If you have an existing password, this change alone will not force you to update it. However, if you reset your password or go to change it, you'll have to conform to the new guidelines. If you would like to force people to update their password, you'll probably want to take a look at the password_policy plugin and its settings.
[@Tim McCormack] Deployers must ensure that their JWT_AUTH['JWT_PRIVATE_SIGNING_JWK'] Django setting in LMS contains the full complement of private key numbers.
Background: In LMS, we are switching from the pyjwkest library to PyJWT for signing JWTs. (pyjwkest is now unmaintained.) However, PyJWT has stricter requirements for the private key in JWT_PRIVATE_SIGNING_JWK. Before you upgrade to Redwood, you will need to update this key using a script. Otherwise, JWT signing will fail, and users will be unable to log in.
1. Locate JWT_PRIVATE_SIGNING_JWK in your deployment configuration.
2. Check if the JSON contains all of the following params: p, q, dp, dq, and qi. If it does, you don’t need to do anything further. Otherwise, continue.
3. In your edx-platform virtualenv, run python3 scripts/jwk-precompute-params.py and follow the prompts. (It will ask you to paste in the current JSON.)
4. Update your config’s JWT_AUTH['JWT_PRIVATE_SIGNING_JWK'] with the output of the script.
You may wish to compare the contents of the private key before and after running the script, and verify that the only changes it has made to the contents of the JSON are that the p, q, dp, dq, and qi params have been added. (Some or all may already have been present.)
This should be done while you are still running Quince—it is safe to do ahead of the upgrade, and should not have any visible effect at that time.
This key must be handled very carefully. Anyone in possession of the key may impersonate users.
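The parameter check and the before/after comparison described above can be scripted. The following is an added example, not part of edx-platform or of scripts/jwk-precompute-params.py; the function names and the toy key are constructed for illustration, and the consistency check assumes the standard RSA CRT relations for a two-prime key.

```python
import base64

CRT_PARAMS = ("p", "q", "dp", "dq", "qi")

def b64u_to_int(value):
    """Decode an unpadded base64url JWK number into an int."""
    padded = value + "=" * (-len(value) % 4)
    return int.from_bytes(base64.urlsafe_b64decode(padded), "big")

def int_to_b64u(number):
    """Encode an int the way JWK numbers are written (used for sample data)."""
    raw = number.to_bytes((number.bit_length() + 7) // 8 or 1, "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def missing_crt_params(jwk):
    """Names from the page's checklist that are absent from the key."""
    return [name for name in CRT_PARAMS if name not in jwk]

def crt_params_consistent(jwk):
    """True if p, q, dp, dq, qi agree with n and d (RSA CRT relations)."""
    n, d, p, q, dp, dq, qi = (
        b64u_to_int(jwk[k]) for k in ("n", "d", "p", "q", "dp", "dq", "qi"))
    return (p * q == n and dp == d % (p - 1)
            and dq == d % (q - 1) and (qi * q) % p == 1)

def only_crt_params_added(before, after):
    """True if every original field is unchanged and only CRT params are new."""
    unchanged = all(after.get(k) == v for k, v in before.items())
    return unchanged and set(after) - set(before) <= set(CRT_PARAMS)

# Constructed toy key (n = 61 * 53); far too small for real use.
BEFORE = {"kty": "RSA", "kid": "constructed-example",
          **{k: int_to_b64u(v) for k, v in
             {"n": 3233, "e": 17, "d": 2753}.items()}}
AFTER = {**BEFORE, **{k: int_to_b64u(v) for k, v in
                      {"p": 61, "q": 53, "dp": 53, "dq": 49, "qi": 38}.items()}}

if __name__ == "__main__":
    # Print only parameter names and booleans, never key material.
    print("missing before:", missing_crt_params(BEFORE))
    print("missing after:", missing_crt_params(AFTER))
    print("consistent:", crt_params_consistent(AFTER))
    print("only CRT params added:", only_crt_params_added(BEFORE, AFTER))
```

With a real key, load the before and after JSON from files readable only by the deploy user and pass the resulting dicts to these functions.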
The following requirements update in Credentials might have implications for anyone who has a massive usersocialauth table. This is because that table grows endlessly, and the migrations on the table caused by updating the social-auth-app-django package can run out of memory. If maintainers have migration failures on this upgrade, they should run the management command truncate_social_auth.
This will remove all entries from the usersocialauth table that haven't been updated in 90 days, which makes the size of the table tractable for the dependency's migration. This is harmless in the Credentials IDA.
[Feanil] The scripts related to user retirement across all services have been moved to the edx-platform repository. If you’ve been using the tubular repo to run retirement scripts, you should update your code.