[Twisted-Python] [RFC] Drop support for Python 3.5 sometime after May 2021?
Erik Johnston
erik at matrix.org
Thu May 28 09:31:06 MDT 2020
On 23/05/2020 06:39, Glyph wrote:
>
>> On May 19, 2020, at 1:52 AM, Richard van der Hoff <richard at matrix.org
>> <mailto:richard at matrix.org>> wrote:
>>
>> On 16/05/2020 06:56, Glyph wrote:
>>>
>>>
>>>> On May 15, 2020, at 8:40 PM, Craig Rodrigues
>>>> <rodrigc at crodrigues.org <mailto:rodrigc at crodrigues.org>> wrote:
>>>>
>>>> Maybe it would be OK to do one more release of Twisted and announce
>>>> that as the last release supporting Python 3.5, before
>>>> dropping support?
>>>
>>> Yeah; whenever we drop a Python version we should always support at
>>> least one more release, so that people have some notice before they
>>> lose access to the next set of security updates.
>>>
>>> Any 3.5 users on this list who would want to postpone it longer than
>>> this?
>>>
>> Sadly we have an important customer whose servers run debian
>> oldstable, which means we need to stay compatible with 3.5 until we
>> can persuade them to upgrade, and it's taken a couple of years to get
>> them off python 2.7...
>>
>> I'm not sure that should necessarily affect your plans, but I doubt
>> we're alone in this situation.
>>
> I guess one thing I'm curious about is why your application would need
> to be installed along with the system Python on those OS versions? It
> seems like a packaging strategy that ignored the fossilized versions
> that Debian packages with the system and just built its own Python
> would be more reliable and allow for upgrading at least most Python
> dependencies well beyond what the system would allow by policy. Or,
> for that matter, why not just run in a Docker container?
>
> Matrix is a pretty big user, and so in some sense I care about this
> specific case, but I also find the general question interesting,
> because I have difficulty reasoning about how long to support older
> versions of things in the modern application packaging environment
> where containers, virtualenvs, and associated tooling make it possible
> to effectively ignore the base environment. When & why do you have to
> pay attention to it?
>
> -glyph
I believe in this case its a general desire to keep track of what
packages are running and where they've come from. They basically trust
that packages from official Debian repositories are probably safe from
being tampered with, whereas random tarballs of code from the web are
not safe (unless they're signed by someone they trust or whatever).
Now, I think it would be possible to get a newer version of Python on
their infrastructure if we needed, but I'm sure there would be hoops
that would need to be jumped through and justifications given, etc,
which would undoubtedly take some time. So really it just means extra
faff for them and us, especially since we're only a small part of their
overall infrastructure.
Then there is the fact that they're not unique. While oldstable is,
well, old, its still very much supported and so there's going to be a
bunch of "enterprise" (for want of a better term) customers who will
still be using it, and we'll need to go through the faff each and every
time, which is quite tedious. Come the Autumn when oldstable stops being
supported (or at least, goes into LTS mode), it might become easier to
justify that it really /is/ reasonable for us to require a newer version
of Python (and that they should really really upgrade their debian
version, and its their own fault that they haven't and have to deal with
faff that comes from that).
This would also be easier if debian had newer versions of python in
backports, or someone ran a semi-official package repository which had
them, but as far as I can tell no one does for debian.
(Of course you can argue that all the above is a bit silly from a
security perspective, especially when you start considering virtualenvs
and the like, but I have some sympathy for their outlook even if it is a
pain at times).
In terms of twisted dropping support of 3.5, I guess the question is to
what extent do you want applications to be hassle free to deploy on the
more "enterprise" style environment? Without having followed along with
the thread my bias would be to keep support until stretch support is
ended in the Autumn. Though if 3.5 support is holding things back a lot
then I can completely understand dropping it sooner.
(FWIW in Matrix/Synapse we take the view that we retain compat with
old-but-supported dependencies, such as postgres, until/unless it starts
being too costly in terms of maintenance and opportunity costs)
- Erik
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/twisted-python/attachments/20200528/7573afac/attachment.htm>
More information about the Twisted-Python
mailing list