The Incredible Growth of Python (stackoverflow.blog)

Rick Johnson rantingrickjohnson at gmail.com
Tue Sep 12 10:11:04 EDT 2017


Steve D'Aprano wrote:
> Chris Angelico wrote:
> 
> [...]
> > > 
> > > Yet look at your answer; "upgrade". For a person working
> > > on a server there's usually no economic choice to do. The
> > > OS python must stay in place and the newly installed
> > > upgrade must be personally maintained, updated, and
> > > tested when security patches come out. For one desktop
> > > that's not an issue. For dozens, or hundreds, or
> > > thousands, it's not likely to happen.
> > 
> > Until you get hit by a vulnerability that was patched four
> > years ago, but you didn't get the update. Now your server
> > is down - or, worse, has been compromised. What's the
> > economic cost of that?
> 
> Chris, that's what your subscription to RHEL pays for:
> backports of security fixes that the free Python 2.6
> doesn't contain.  You'll probably get them on CentOS and
> Fedora too, the community editions of RHEL. You *won't* get
> them from the Python website. That's the whole point of the
> ten year support for RHEL (longer if you pay more).
> 
> >
> > You might choose to accept that risk, but you have to at
> > least be aware that you're playing with fire. Laziness is
> > not the cheap option in the long run.
> 
> You're making unjustified assumptions about the attack
> surface here. Maybe any attacker has to break through three
> firewalls *and* get root on the server before they can
> attack the Python app -- in which case they've got bigger
> problems than the Python vulnerability.  It's one thing to
> mention in a friendly way the advantages of upgrading.
> It's another to continue to brow-beat the poster about the
> (supposed) necessity to give up their paid RHEL support and
> security patches in favour of taking their chances with the
> free, but more recent, version where they have to monitor
> the Python website or mailing lists themselves and manually
> upgrade each time there's a security patch.  Feel free to
> continue to talk in general terms about the costs and
> benefits of upgrading, but stop badgering Leam. Not
> everyone values being on the bleeding edge, and Red Hat
> customers as a rule value stability and long term support
> over the latest shiny new features.

Great reply! And nice to know that not every Pythonista here
has gone tin-foil-hat crazy over Python3. 
