[python-ldap] older python versions not available anymore

Jens Vagelpohl jens at dataflake.org
Sat Jun 11 16:15:50 CEST 2011


Hi Michael,

> I can see the pros and cons but everybody should also note that all
> software is sometimes end-of-life. In the case of OpenLDAP, version 2.3 is
> not supported anymore by its developers. That's a very strong reason not
> to use it anymore since we as python-ldap developers also won't receive
> security fixes from OpenLDAP anymore.
> Also when using buildout systems which pin down module versions the
> developer is also responsible to rebuild all the stuff when a security
> update of one of the modules is needed. Upgrades of python-ldap provided
> by e.g. Linux distributions or the OS admins do not have any effect.
> Practice with such buildout systems (my customers use Maven etc.) shows
> that most developers are not aware of that fact or most systems are not
> maintained in a responsible fashion leading to insecure systems.

You are totally right on both points. However, it is *not your decision
to make* which versions are used. It's not your responsibility if people
run old and insecure systems. That decision is up to the
developer/integrator and *no one else*! As package developer your role
is advisory only - including advice for people on older versions to
upgrade and come back. Please don't try to force others into decisions,
even if everyone may agree that yours is better. If people want to shoot
themselves in the foot, just let them. Telling them their decision is
stupid is much better than denying them the decision completely.

> 3. I will rethink my PyPI release strategy for future releases.

Thanks - and I hope that means you will just leave things on PyPI....

