[Cryptography-dev] Unsupported platforms?

Paul Kehrer paul.l.kehrer at gmail.com
Sun Mar 29 18:17:00 CEST 2015


As Donald already mentioned, we're used to provide improved security for people who (for whatever reason) don't have the option to upgrade their Python version. I want barriers to utilization to be as low as possible so I'd prefer not to drop 2.6 support until such time as it becomes a noticeable burden to us (whether that means CI burden or code maintenance). 

I'd be +1 on adding language to our docs that states we strongly discourage the usage of 2.6 and while we continue to support it users should upgrade as soon as possible. However, as a compromise, we could potentially do a significantly longer deprecation timeline for this specific issue. 2.6 until end of 2015 or something of that nature?

BTW, OpenStack has removed 2.6 support from kilo so that project will not be negatively affected by this decision.

-Paul

On March 29, 2015 at 12:46:17 AM, Donald Stufft (donald at stufft.io) wrote:

RHEL5 ships with Python 2.4, however you can get Python 2.6 from EPEL.
RHEL6 ships with Python 2.6, however you can get Python 2.7 from SCL.

Dropping support for Python 2.6 will mean dropping support for RHEL5 altogether and dropping support for RHEL6 without using SCL to install Python 2.7.

I don’t feel strongly about if we should drop Python 2.6, I do want to point out one thing though. It’s true that Python 2.6 is no longer getting security updates from python-dev, it is also true however, that Python 2.6 *is* getting support from downstream redistributors. We *are* a security sensitive library so it’s not uncommon to tell people that if they are still stuck on Python 2.6 they can get access to the functionality of the new Python SSL module by installing pyOpenSSL (and by extension cryptography).

Obviously at some point we have to tell those people enough is enough and we’re dropping support and if you want support go talk to your vendor, is this that point? I don’t know. I haven’t started dropping support for Python 2.6 in my own projects because continuing to support Python 2.6 is a minimal amount of effort over Python 2.7. It might finally be time to consider it for real.

I don’t have the numbers immediately available, but I can get them. It takes me a while to load them up but it’s not too hard to do.

For what it’s worth, I do have cryptography specific numbers from September [1], however that’s a long time ago in the lifetime of cryptography so I’m not sure it’s really relevant to what things look like today.

[1] https://s3.amazonaws.com/f.cl.ly/items/0E0H2A2Y2m0y1z0b0S26/stacked-py-pct.png


On Mar 28, 2015, at 10:24 PM, Terry Chia <terrycwk1994 at gmail.com> wrote:

This essentially involves dropping support for RHEL 5, which IIRC was the primary motivation for 2.6 support in the first place? If we are ok with that this gets a +1 from me as it will make some of my current work like integrating Hypothesis[0] into our test suites easier since Hypothesis does not support 2.6. 

A full deprecation cycle will realistically take 3.5 - 4 months (I'm not as optimistic as Alex about our release timings. :P) so that should be plenty of time to cut a new pyOpenSSL release.

[0]: https://github.com/pyca/cryptography/pull/1773

On Sun, Mar 29, 2015 at 3:52 AM Alex Gaynor <alex.gaynor at gmail.com> wrote:
I think we'd want to do a full deprecation cycle on this:

0.9: PendingDeprecationWarning
1.0: DeprecationWarning
1.1: removed

So that's like, 2.5 months notice or so? (Not sure quite how quickly we've been releasing in the past).

Donald: How hard would it be to get download statistics for cryptography and pyOpenSSL from the last few months by Python version?

Alex

On Sat, Mar 28, 2015 at 3:48 PM, Jean-Paul Calderone <jean-paul at clusterhq.com> wrote:
Speaking as the pyOpenSSL maintainer, I'd like time to perform one last pyOpenSSL release along with an announcement that it will be the last pyOpenSSL release to support Python 2.6.  Strictly speaking, I could probably retain Python 2.6 support in pyOpenSSL even if the cryptography project drops it but that seems unreasonable for several reasons (pyOpenSSL shares many of cryptography's reasons for wanting to drop Python 2.6 support, requiring that pyOpenSSL continue to work with only cryptography <= 0.8.1 will be a bunch of extra work, etc).

I can't say exactly when the next pyOpenSSL release will be but if the cryptography project lays out its timeline for this then at least I'll know what bounds I have to work with (and I'm clearly long overdue so as long as you don't decide something like "tomorrow" I won't have much room to complain).

Jean-Paul


On Sat, Mar 28, 2015 at 3:29 PM, Alex Gaynor <alex.gaynor at gmail.com> wrote:
Hi folks,

I'd like to propose we deprecate, with the intention of removing, support for Python 2.6. The reason for this is that Python 2.6 is no longer receiving support from the Python core developers in any form, including security releases.

We provide a piece of security sensitive software, and I claim it would be irresponsible to say it's supported on platforms which are themselves not supported.

This would affect our current downstreams, such as pyOpenSSL, Twisted, and OpenStack, as well as things we'd like to be our downstreams, such as Paramiko/Fabric. So I'm hoping some of them will chime in.

By way of adding data around this: Django's latest release is 2.7/3.x only, however there has been some measure of requests to add additional long term support for a past release which has 2.6 support. I've seen numbers from Donald that (as of the end of last year) 2.6 is ~10-15% of PyPI downloads across the board.

Thoughts?

Alex

--
"I disapprove of what you say, but I will defend to the death your right to say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: 125F 5C67 DFE9 4084

_______________________________________________
Cryptography-dev mailing list
Cryptography-dev at python.org
https://mail.python.org/mailman/listinfo/cryptography-dev




---
Donald Stufft
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
