[python-ldap] older python versions not available anymore
michael at stroeder.com
Fri Jun 10 21:09:33 CEST 2011
Jens Vagelpohl wrote:
> @Michael: Like everyone else on this thread I am asking you: Please do
> not remove packages from PyPI. Simply uploading later versions will put
> everyone who has not made the conscious decision to stick with a
> specific version on your latest release. Those who have made the
> conscious decision will know to either not bother you, or they simply
> cannot complain when you tell them to, well, "sod off".

I can see the pros and cons but everybody should also note that all software
is sometimes end-of-life. In case of OpenLDAP, version 2.3 is not supported
anymore by its developers. That's a very strong reason not to use it anymore
since we as python-ldap developers also won't receive security fixes from

Also when using buildout systems which pin down module versions the developer
is also responsible to rebuild all the stuff when a security update of one of
the modules is needed. Upgrades of python-ldap provided by e.g. Linux
distributions or the OS admins do not have any effect.

Practice with such buildout systems (my customers use Maven etc.) shows that
most developers are not aware of that fact or most systems are not maintained
in a responsible fashion leading to insecure systems.

This all is not new. The same problems apply to packaging policies of Linux
distros as well.

But for the peace in the Python world here's my suggestion for now:

1. Everybody who MUST support old OpenLDAP libs 2.3 MUST upgrade to 2.3.13.
But I won't apply fixes therein, won't release more 2.3.x versions and I won't
re-enable releases prior to 2.3.13.

2. Everybody else SHOULD upgrade to 2.4.0. For most applications it behaves
exactly like version 2.3.13 except in very rare cases where an application
uses more complex LDAPv3 ext. controls. In the latter case the developers will
definitely appreciate/need the improvements and upgrade anyway.

3. I will rethink my PyPI release strategy for future releases.