Packaging Python 2 doesn't mean that Linux distributions support it

March 8, 2021

One of the reasons I've been optimistic about Python 2's continued afterlife for at least a few more years is that various Linux distributions with long term support have packaged it in versions with support that would last for years to come. Those distributions would provide fixes for any security issues that came up, as they do for all of their packages (more or less), and people running Python 2 elsewhere could take those updated versions of Python 2, recompile them, and use them even on platforms without that sort of support. The recent ctypes security issue was the first serious test of my optimistic belief. I'm afraid to report that it has partially failed.

As I write this, most Linux distributions that still provide Python 2 have provided an updated Python 2 package that fixes this issue; for instance, Fedora is updated. The relatively glaring exception that I know of is Ubuntu in 20.04 LTS. Although Ubuntu had an initial stumble in the updates for 16.04 LTS and 18.04 LTS, they have fixed them by now. Unfortunately there's no sign of any update for 20.04 LTS. Ubuntu knows that an update is needed (per their page for CVE-2021-3177), and they have the code update that they need (since they've fixed this in 18.04 and 16.04, including their fixed fix), but they aren't doing anything.

At one level this has surprised me. At another level, it shouldn't have. All of the Linux distributions have been clear that they want to get rid of Python 2 and are only still providing it reluctantly. In retrospect, it was optimistic to assume that despite this reluctance, all of the distributions would always still fix issues in all versions of Python 2 instead of shrugging and pointing out that in general, Python 2 had explicitly reached the end of its life. What's happened in Ubuntu 20.04 so far may be an accident, but it shouldn't surprise me if some day Linux distributions start doing this deliberately.

(Fortunately I don't think this issue is serious for us, so for now I feel that we're okay even on 20.04.)

PS: Not all Linux distributions are likely to stop updating Python 2. Red Hat Enterprise Linux especially has a serious commitment to long term bug fixes, so I do expect them to keep fixing their version of Python 2 for as long as they provide it in a supported RHEL version. Well, probably. Some things involving Red Hat Enterprise Linux have been shaken up recently.

Last modified: Mon Mar 8 01:07:01 2021