[Python-Dev] Continuing 2.x

David Malcolm dmalcolm at redhat.com
Fri Oct 29 19:46:03 CEST 2010


On Fri, 2010-10-29 at 09:11 +0200, Antoine Pitrou wrote:
> On Fri, 29 Oct 2010 02:55:55 -0400
> Glyph Lefkowitz <glyph at twistedmatrix.com> wrote:
> > 
> > Let's say that 20% of the code on PyPI is just junk;
> > it's unfair to expect 100% of all code ever to get ported.  But, still:
> > with this back-of-the-envelope estimate of the rate of porting, it will
> > take over 50 years before a decisive majority of Python code is on
> > Python 3.
> 
> Well, no. A decisive majority would be much smaller than that. There
> are probably between 2% and 5% of the CheeseShop entries which are
> widely used dependencies. When these 2 to 5% all get ported, you have a
> decisive majority.
> 
> Yes, perhaps more than 50% of 2.x code will never get ported. But,
> perhaps more than 50% of 1.5.2 code never got upgraded either. That
> doesn't make it any decisive; just dead (or pining for security fixes
> in some old rusty "RedHat Enterprise Linux" server, if you prefer).

Ouch!  Having spent much of the last week double-checking fixes for CVEs
in the builds of python 2.2, 2.3 and 2.4 in the various older RHEL
releases, that cuts deep :)

Red Hat's security team monitors vulnerabilities in Python, and we do
continue to support these releases in the context of our products, even
though they're no longer supported by the wider Python development
community.  As with the security work done by python-dev on the more
up-to-date Python releases, it's tedious and painstaking work (we do
have customers paying us to do it, though).

If you have concerns about specific security flaws that may affect the
older releases of python that are no longer supported by python.org but
are within a product supported by Red Hat, please email
secalert at redhat.com

See:
https://www.redhat.com/security/team/contact/
for more information.

Hope this is helpful
Dave


