The Incredible Growth of Python (stackoverflow.blog)

Steve D'Aprano steve+python at pearwood.info
Tue Sep 12 08:07:21 EDT 2017


On Tue, 12 Sep 2017 09:40 pm, Chris Angelico wrote:

[...]
>> Yet look at your answer; "upgrade". For a person working on a server there's
>> usually no economic choice to do. The OS python must stay in place and the
>> newly installed upgrade must be personally maintained, updated, and tested
>> when security patches come out. For one desktop that's not an issue. For
>> dozens, or hundreds, or thousands, it's not likely to happen.
> 
> Until you get hit by a vulnerability that was patched four years ago,
> but you didn't get the update. Now your server is down - or, worse,
> has been compromised. What's the economic cost of that?

Chris, that's what your subscription to RHEL pays for: backports of security
fixes that the free Python 2.6 doesn't contain.

You'll probably get them on CentOS and Fedora too, the community editions of
RHEL. You *won't* get them from the Python website. That's the whole point of
the ten year support for RHEL (longer if you pay more).


> You might choose to accept that risk, but you have to at least be
> aware that you're playing with fire. Laziness is not the cheap option
> in the long run.

You're making unjustified assumptions about the attack surface here. Maybe any
attacker has to break through three firewalls *and* get root on the server
before they can attack the Python app -- in which case they've got bigger
problems than the Python vulnerability.

It's one thing to mention in a friendly way the advantages of upgrading.

It's another to continue to brow-beat the poster about the (supposed) necessity
to give up their paid RHEL support and security patches in favour of taking
their chances with the free, but more recent, version where they have to
monitor the Python website or mailing lists themselves and manually upgrade
each time there's a security patch.

Feel free to continue to talk in general terms about the costs and benefits of
upgrading, but stop badgering Leam. Not everyone values being on the bleeding
edge, and Red Hat customers as a rule value stability and long term support
over the latest shiny new features.



-- 
Steve
“Cheer up,” they said, “things could be worse.” So I cheered up, and sure
enough, things got worse.
