Message 392572 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	mgorny
Recipients	Joel Croteau, Julian, christian.heimes, docs@python, eric.smith, gc2, lukasz.langa, mgorny, ncoghlan, ned.deily, pmoody, serhiy.storchaka, steve.dower, vstinner
Date	2021-05-01.07:36:51
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1619854611.88.0.022955873997.issue36384@roundup.psfhosted.org>
In-reply-to

Content
> If it takes years for users to get to 3.10, we should reevaluate our > release cycle, not whether we aggressively break maintenance releases. I don't really understand how that would help. The problem is that users have major inertia for switching to newer Python versions. A part of it is that a lot of people just don't care about deprecation warnings, and don't fix stuff until it's actually broken. In the end, your projects are blocked from using new major Python version by broken dependencies with long release cycles. I can't imagine deliberately leaving 3.8 and 3.9 vulnerable when 3.10 isn't going to reach final release in the next half year. Gentoo stable is only switching to 3.9 next month. I'm pretty sure some of our (few) corporate users are still on 3.7 or earlier. Then, there are projects that literally include a vulnerable copy of Python 2.7 to get around distributions removing it. I dare say this has less breakage potential than the &/; change. It should be fixed on all affected versions. If you don't do that, distributions will have to patch it anyway, and this will only lead to incompatibility between different Python package vendors.

> If it takes years for users to get to 3.10, we should reevaluate our 
> release cycle, not whether we aggressively break maintenance releases.

I don't really understand how that would help.  The problem is that users have major inertia for switching to newer Python versions.  A part of it is that a lot of people just don't care about deprecation warnings, and don't fix stuff until it's actually broken.  In the end, your projects are blocked from using new major Python version by broken dependencies with long release cycles.

I can't imagine deliberately leaving 3.8 and 3.9 vulnerable when 3.10 isn't going to reach final release in the next half year.  Gentoo stable is only switching to 3.9 next month.  I'm pretty sure some of our (few) corporate users are still on 3.7 or earlier.  Then, there are projects that literally include a vulnerable copy of Python 2.7 to get around distributions removing it.

I dare say this has less breakage potential than the &/; change.  It should be fixed on all affected versions.  If you don't do that, distributions will have to patch it anyway, and this will only lead to incompatibility between different Python package vendors.

History
Date	User	Action	Args
2021-05-01 07:36:51	mgorny	set	recipients: + mgorny, ncoghlan, vstinner, eric.smith, christian.heimes, ned.deily, pmoody, docs@python, lukasz.langa, Julian, serhiy.storchaka, steve.dower, Joel Croteau, gc2
2021-05-01 07:36:51	mgorny	set	messageid: <1619854611.88.0.022955873997.issue36384@roundup.psfhosted.org>
2021-05-01 07:36:51	mgorny	link	issue36384 messages
2021-05-01 07:36:51	mgorny	create