[python-ldap] older python versions not available anymore

Michael Ströder michael at stroeder.com
Fri Jun 10 21:09:33 CEST 2011


Jens Vagelpohl wrote:
> @Michael: Like everyone else on this thread I am asking you: Please do
> not remove packages from PyPI. Simply uploading later versions will put
> everyone who has not made the conscious decision to stick with a
> specific version on your latest release. Those who have made the
> conscious decision will know to either not bother you, or they simply
> cannot complain when you tell them to, well, "sod off".

I can see the pros and cons but everybody should also note that all software 
is sometimes end-of-life. In case of OpenLDAP, version 2.3 is not supported 
anymore by its developers. That's a very strong reason not to use it anymore 
since we as python-ldap developers also won't receive security fixes from 
OpenLDAP anymore.

Also when using buildout systems which pin down module versions the developer 
is also responsible to rebuild all the stuff when a security update of one of 
the modules is needed. Upgrades of python-ldap provided by e.g. Linux 
distributions or the OS admins do not have any effect.
Practice with such buildout systems (my customers use Maven etc.) shows that 
most developers are not aware of that fact or most systems are not maintained 
in a responsible fashion leading to insecure systems.

This all is not new. The same problems apply to packaging policies of Linux 
distros as well.

But for the peace in the Python world here's my suggestion for now:

1. Everybody who MUST support old OpenLDAP libs 2.3 MUST upgrade to 2.3.13. 
But I won't apply fixes therein, won't release more 2.3.x versions and I won't 
re-enable releases prior to 2.3.13.

2. Everybody else SHOULD upgrade to 2.4.0. For most applications it behaves 
exactly like version 2.3.13 except in very rare cases where an application 
uses more complex LDAPv3 ext. controls. In the latter case the developers will 
definitely appreciate/need the improvements and upgrade anyway.

3. I will rethink my PyPI release strategy for future releases.

Ok?

Ciao, Michael.

