Re: python3.5 + oldstable dilemma
On 01.03.2021 04:15, Bailey, Josh wrote:
> I'm a maintainer for a Python-based SDN network controller, FAUCET. One
> of the platforms we've been supporting to date is python3.5/oldstable.
> Of course, now, python3.5 is EOL. To some degree we can keep building
> our package under python3.5, but now not all of our dependencies (like
> pyyaml) build or are even released for 3.5 anymore. That's an issue as
> there are security vulnerabilities that are now difficult to address.
> Given that oldstable will be around until 2022, does that mean python3
> as python3.5 will live on in oldstable until then? I can understand the
> case for not adding a newer python3 version, but also OTOH addressing
> security vulnerabilities over the LTS window will probably only get harder.
Probably Debian can support Python 3.5 and some Debian packages until
official support of LTS ends, but there is no guarantee. I expect good
chances for Python, less for many Python packages: support is always
"best effort" and it depends on the availability of people who know the
old version's code. For some packages it may be too difficult to find a
way to correct a bug (e.g. if upstream changed the design/architecture to
solve the problem). And support quality changes: LTS may prioritize
important packages/network servers (vulnerabilities) instead of generic
packages.
Debian checks for new vulnerabilities, but vulnerabilities in old
versions may not be reported anymore.
So, try to upgrade if you can (upgrading from 3.5 should not be so
difficult) and/or try to implement mitigation measures (stricter
firewalls, stricter database access, proxy access, run on a special
purpose virtual machine, etc.).
ciao
cate