
Re: python 2.3



On Thu, Dec 21, 2006 at 02:21:40PM -0800, Thomas Bushnell BSG wrote:
> On Wed, 2006-12-20 at 19:51 -0800, Steve Langasek wrote:
> > On Tue, Dec 19, 2006 at 11:17:03AM -0800, Thomas Bushnell BSG wrote:
> > > The python team has apparently decreed that python 2.3 will not be in
> > > etch.  This forces every package to use the new version.  Surely it is
> > > too late in the release cycle to be risking regressions in this way?

> > The python team has expressed concern about the security supportability of
> > python2.3 in etch.  Extension packages built with the current version of
> > python-all-dev and friends already have no support for python2.3; shipping
> > python2.3 in stable for the benefit of a handful of reverse dependencies is
> > a genuine concern, particularly when those reverse-deps work just fine with
> > python 2.4.

> And yet, this isn't the only case.  Users actually use the programs in
> Debian, not just other parts of Debian.  Why is python 2.3 some sort of
> security nightmare?  And what suddenly happened to make it one?

$ du -sh p/python2.3/python2.3_2.3.5.orig.tar.gz
8.2M    p/python2.3/python2.3_2.3.5.orig.tar.gz
$

That much code is always a security nightmare, it just now happens to be one
that we can feasibly get rid of. :)

> What about users who are depending on Python 2.3?  Do they just lose?

Users who depend on obsolete software always lose when the bar moves.  I
don't find that a compelling reason to keep python2.3 around for another
release cycle, when it's going to be dropped later anyway.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/


