Should non-security 2.7 bugs be fixed?

Terry Reedy tjreedy at
Mon Jul 20 00:54:56 CEST 2015

On 7/19/2015 1:53 AM, dieter wrote:
> Mark Lawrence <breamoreboy at> writes:
>> ...
>>> If the vast majority of Python programmers are focused on 2.7, why are
>>> volunteers to help fix 2.7 bugs so scarce?
> I have not done much work related to Python bug fixing. But, I had
> bad experience with other open source projects: many of my patches
> (and bug reports) have been ignored over decades. This caused me
> to change my attitude: I now report bugs (sometimes with patches)
> and publish a potential solution in a separate package
> (--> "dm.zopepatches.*", "dm.zodbpatches.*"). This way, affected
> people can use a solution even if the core developpers don't care.

Patches uploaded to the cpython tracker are public and can be and 
sometimes are used by other people without or before being officially 
applied.  Separate packages are fine too.

>  From my point of view: if you want help with fixing bugs,
> you must ensure that there is a high probability that those contributions
> really find their way into the main development lines.
> As I understand from other messages in this thread, this is also
> a problem with Python bug fixing.

Yes.  There are two competing proposals (PEPs) for improvement waiting 
for a decision from an appointed judge.

>>> Does they all consider it perfect (or sufficient) as is?
> I have not much blame for Python 2.7. I see a few minor points
>    *  "pdb" is quite weak - but I could fix some (but
>       by far not all) aspects in "dm.pdb".

This is not a security issue, so enhancements cannot go in 2.7.

>    *  "https" has been weakly handled in earlier versions,
>       but someone has done the Python 3 backport work in
>       an external package before the backport finally arrived in
>       Python 2.7.

This was determined to be an internet security fix.

>>> Should the core developers who do not personally use 2.7 stop
>>> backporting, because no one cares if they do?
> I am grateful that the above mentioned "https" backport
> was finally integrated into Python 2.7 -- even though
> I find it acceptable to use an external package to get it.
> Thus, there are people who care. Of course, I will not tell
> core developers that they must do backporting. If they don't
> more external packages will come into existence which contain
> (unofficial) backports.

Some core developers have backported new modules they wrote as external 
packages.  Thank you for your comments.

Terry Jan Reedy

More information about the Python-list mailing list