
Re: python3.5 + oldstable dilemma



On 01.03.2021 04:15, Bailey, Josh wrote:
> I'm a maintainer for a python-based SDN network controller, FAUCET. One of the platforms we've been supporting to date is python3.5/oldstable.
>
> Of course, now, python3.5 is EOL. To some degree we can keep building our package under python3.5, but now not all of our dependencies (like pyyaml) build or are even released for 3.5 anymore. That's an issue as there are security vulnerabilities that are now difficult to address.
>
> Given that oldstable will be around until 2022, does that mean python3 as python3.5 will live on in oldstable until then? I can understand the case for not adding a newer python3 version, but also OTOH addressing security vulnerabilities over the LTS window will probably only get harder.

Probably Debian can support Python 3.5 and some Debian packages until official LTS support ends, but there is no guarantee. I expect good chances for Python, less for many python packages: support is always "best effort" and depends on the availability of people who know the old version's code. For some packages it may be too difficult to find a way to correct a bug (e.g. if upstream changed the design/architecture to solve the problem). And support quality varies: LTS may prioritize important packages/network servers (vulnerabilities) over generic packages.

Debian checks for new vulnerabilities, but vulnerabilities in old versions may not be reported anymore.

So, try to upgrade if you can (upgrading from 3.5 should not be too difficult) and/or try to implement mitigation measures (stricter firewalls, stricter database access, proxy access, running on a special-purpose virtual machine, etc.).

ciao
    cate

