Vulnerability roundup 84: python-2.7.18: 4 advisories #88384
Comments
Python 2.7.18 is EOL. The only solutions are to mark it as insecure or to remove it.
There are some distributions that still guarantee support of Python 2 for a few years (say, RHEL), so if someone from our community is sufficiently motivated, it shouldn't be too hard to piggyback on their fixes. In any case, we should try to migrate everything away from it, but I suspect in some cases it will still be very hard.
@vcunat Agree. But we should have a clear statement in the docs stating that Python 2.7.18 gets some maintenance until it can be dropped, but that we cannot guarantee timely fixes for security vulns and porting of patches from other distros.
Yes, I agree with marking it as insecure unless/until someone steps up and promises to do this work. EDIT: but we'll need to check how many packages get killed by that step; most may be just from "safe" build-time-only dependencies (possibly transitive ones). And the 20.03 release may be a problem.
By summoning the powers of Nix it should be possible to produce a list of packages that specifically depend on python2. Of course, 20.03 has to keep python2. But given that the EOL did not come as a surprise (but after 20.03 was released), we have to keep it in, but can give porting fixes lower priority than making it disposable before 20.09.
Too bad
(I won't even post the
That is because most Python stuff is built against all available versions. We need those packages that specifically request python2 or have something like
That is not the main reason.
Yes, but still I think/hope that most of these would not break if they had only python3 available, unless there is a huge pile of old unmaintained stuff in Nixpkgs.
That's possible. It's also possible that the majority is caused by a very small handful of packages (I don't know how to check easily).
A quick grep shows only a few hundred direct references to
What we see here is in part not a problem specific to NixOS, but one of the Python community at large. Even 10+ years after the initial release of Python 3, there is still a lot of Python 2 stuff floating around that seems not to get migrated to Python 3. This problem is too large to be solved entirely inside NixOS. What we could do is this:
A first step for 20.09 would be to change the default alias, move as many packages as possible to Python 3 and issue a warning for the remaining ones.
This has already been discussed here: https://discourse.nixos.org/t/upcoming-python-breakage/7554/3?u=wamserma
None of the mentioned CVEs have a fix for Python2 readily available (and one is Windows only). Let's close this.
Actually, we should keep this open until python2 is marked as insecure in master.
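The "mark it as insecure" step the thread keeps coming back to is a concrete nixpkgs mechanism: a derivation whose `meta.knownVulnerabilities` list is non-empty is refused at evaluation time, and every dependent fails with it, unless the user lists that exact `pname-version` in `permittedInsecurePackages`. The snippet below is an added illustration of both halves, not code from the nixpkgs tree or from any commenter. The attribute names `python2Overlay` and `userConfig`, the wording of the vulnerability entry, and the overlay form itself are assumptions; in nixpkgs proper the entry is written directly into the interpreter's own `meta`, so that `python27`, `python2Packages.python` and the other aliases all see it.

```nix
# Added example, not nixpkgs code. Shows (1) how a package is marked insecure
# and (2) what a user has to add to keep evaluating anything that depends on it.
{
  # (1) Maintainer side, written as an overlay for illustration only.
  #     Any non-empty meta.knownVulnerabilities makes the stdenv meta check
  #     refuse the derivation with a "marked as insecure" error.
  python2Overlay = self: super: {
    python2 = super.python2.overrideAttrs (old: {
      meta = (old.meta or { }) // {
        knownVulnerabilities = (old.meta.knownVulnerabilities or [ ]) ++ [
          # Entry text is an assumption; nixpkgs accepts any free-form string here.
          "Python 2.7 reached end of life on 2020-01-01 and receives no upstream security fixes"
        ];
      };
    });
  };

  # (2) User side: ~/.config/nixpkgs/config.nix, or nixpkgs.config in
  #     configuration.nix. The string must match "${pname}-${version}"
  #     exactly, so a patched 2.7.18.x bump silently re-breaks dependents
  #     until the entry is updated, which is the intended safety property.
  userConfig = {
    permittedInsecurePackages = [
      "python-2.7.18"
    ];
  };
}
```

For a one-off build the same permission can be granted with `NIXPKGS_ALLOW_INSECURE=1` in the environment of `nix-build` or `nix-env`, which is the quickest way to see which packages in a checkout stop evaluating once the entry lands: build a set of attributes with the variable set, then without it, and the difference is the list the thread is asking for.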
Scanned versions: nixos-20.03: 82b5f87; nixos-unstable: 0f5ce2f. May contain false positives.