[Cryptography-dev] Unsupported platforms?

Donald Stufft donald at stufft.io
Sun Mar 29 07:46:07 CEST 2015


RHEL5 ships with Python 2.4, however you can get Python 2.6 from EPEL.
RHEL6 ships with Python 2.6, however you can get Python 2.7 from SCL.

Dropping support for Python 2.6 will mean dropping support for RHEL5 altogether and dropping support for RHEL6 without using SCL to install Python 2.7.

I don’t feel strongly about if we should drop Python 2.6, I do want to point out one thing though. It’s true that Python 2.6 is no longer getting security updates from python-dev, it is also true however, that Python 2.6 *is* getting support from downstream redistributors. We *are* a security sensitive library so it’s not uncommon to tell people that if they are still stuck on Python 2.6 they can get access to the functionality of the new Python SSL module by installing pyOpenSSL (and by extension cryptography).

Obviously at some point we have to tell those people enough is enough and we’re dropping support and if you want support go talk to your vendor, is this that point? I don’t know. I haven’t started dropping support for Python 2.6 in my own projects because continuing to support Python 2.6 is a minimal amount of effort over Python 2.7. It might finally be time to consider it for real.

I don’t have the numbers immediately available, but I can get them. It takes me a while to load them up but it’s not too hard to do.

For what it’s worth, I do have cryptography specific numbers from September [1], however that’s a long time ago in the lifetime of cryptography so I’m not sure it’s really relevant to what things look like today.

[1] https://s3.amazonaws.com/f.cl.ly/items/0E0H2A2Y2m0y1z0b0S26/stacked-py-pct.png


> On Mar 28, 2015, at 10:24 PM, Terry Chia <terrycwk1994 at gmail.com> wrote:
> 
> This essentially involves dropping support for RHEL 5, which IIRC was the primary motivation for 2.6 support in the first place? If we are ok with that this gets a +1 from me as it will make some of my current work like integrating Hypothesis[0] into our test suites easier since Hypothesis does not support 2.6.
> 
> A full deprecation cycle will realistically take 3.5 - 4 months (I'm not as optimistic as Alex about our release timings. :P) so that should be plenty of time to cut a new pyOpenSSL release.
> 
> [0]: https://github.com/pyca/cryptography/pull/1773
> 
> On Sun, Mar 29, 2015 at 3:52 AM Alex Gaynor <alex.gaynor at gmail.com> wrote:
> I think we'd want to do a full deprecation cycle on this:
> 
> 0.9: PendingDeprecationWarning
> 1.0: DeprecationWarning
> 1.1: removed
> 
> So that's like, 2.5 months notice or so? (Not sure quite how quickly we've been releasing in the past).
> 
> Donald: How hard would it be to get download statistics for cryptography and pyOpenSSL from the last few months by Python version?
> 
> Alex
> 
> On Sat, Mar 28, 2015 at 3:48 PM, Jean-Paul Calderone <jean-paul at clusterhq.com> wrote:
> Speaking as the pyOpenSSL maintainer, I'd like time to perform one last pyOpenSSL release along with an announcement that it will be the last pyOpenSSL release to support Python 2.6.  Strictly speaking, I could probably retain Python 2.6 support in pyOpenSSL even if the cryptography project drops it but that seems unreasonable for several reasons (pyOpenSSL shares many of cryptography's reasons for wanting to drop Python 2.6 support, requiring that pyOpenSSL continue to work with only cryptography <= 0.8.1 will be a bunch of extra work, etc).
> 
> I can't say exactly when the next pyOpenSSL release will be but if the cryptography project lays out its timeline for this then at least I'll know what bounds I have to work with (and I'm clearly long overdue so as long as you don't decide something like "tomorrow" I won't have much room to complain).
> 
> Jean-Paul
> 
> 
> On Sat, Mar 28, 2015 at 3:29 PM, Alex Gaynor <alex.gaynor at gmail.com> wrote:
> Hi folks,
> 
> I'd like to propose we deprecate, with the intention of removing, support for Python 2.6. The reason for this is that Python 2.6 is no longer receiving support from the Python core developers in any form, including security releases.
> 
> We provide a piece of security sensitive software, and I claim it would be irresponsible to say it's supported on platforms which are themselves not supported.
> 
> This would affect our current downstreams, such as pyOpenSSL, Twisted, and OpenStack, as well as things we'd like to be our downstreams, such as Paramiko/Fabric. So I'm hoping some of them will chime in.
> 
> By way of adding data around this: Django's latest release is 2.7/3.x only, however there has been some measure of requests to add additional long term support for a past release which has 2.6 support. I've seen numbers from Donald that (as of the end of last year) 2.6 is ~10-15% of PyPI downloads across the board.
> 
> Thoughts?
> 
> Alex
> 
> --
> "I disapprove of what you say, but I will defend to the death your right to say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
> "The people's good is the highest law." -- Cicero
> GPG Key fingerprint: 125F 5C67 DFE9 4084
> 
> _______________________________________________
> Cryptography-dev mailing list
> Cryptography-dev at python.org
> https://mail.python.org/mailman/listinfo/cryptography-dev

---
Donald Stufft
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
