[Python-Dev] PEP 466: Proposed policy change for handling network security enhancements
Benjamin Peterson
benjamin at python.org
Sun Mar 23 00:02:36 CET 2014
On Sat, Mar 22, 2014, at 15:40, Martin v. Löwis wrote:
> On 22.03.14 23:33, Nick Coghlan wrote:
> > Hard to maintain legacy software is a fact of life, and way too much
> > of it is exposed to the public internet. This PEP is about doing what
> > we can to mitigate the damage caused both by other people's mistakes,
> > and also the inherent challenges of migrating from the error-prone
> > POSIX text model to something more reasonable.
> >
> > I *don't* think it's reasonable to expect us to do this without support
> > from the corporate users that caused the problem in the first place
> > (by continuing to deploy older versions of Python without investing
> > adequately in their upkeep), so I'd encourage everyone employed by a
> > commercial user of Python to remind their management chains of the
> > risks of failing to invest development time in any upstream
> > dependencies that they expect to keep pace with the dynamic nature of
> > the internet.
>
> I hope indeed you are successful in activating resources. However,
> putting them on this backporting project seems like a waste. They
> should rather go into porting stuff to 3.x where people need it.
>
> As responsible maintainers, we should just advise our users that
> Python 2.7 is a dead horse, and that they should stop riding it.
> More professionally, we should set an official end-of-life date
> for 2.7 (alas, we should have done that two years ago).
>
> I hope that the language summit can agree to stopping bug fix
> releases for 2.7 in 2014.
As (I believe) previously discussed and documented in PEP 373, this date
currently will be May 2015.