Jelte Fennema-Nio <postg...@jeltef.nl> writes:
> I totally agree that "security" is not the discussion that we should
> be having here. I think the Python version decision (or really any
> minimum version decision) should be based on some analysis of costs to
> us for maintaining support vs benefits to the users.
[ shrug... ] This thread in itself has already consumed more effort
than we've spent thinking about old-Python problems for the last
several years. (Otherwise, we would probably have updated that
supported-version claim in installation.sgml some time ago.)
So I doubt that there's all that much in cost savings to us that'd
outweigh benefits to users. The fact that Jacob was able to fix
oauth_server.py without (it seemed like) very much work seems to
bear out that opinion.
This calculus might change if we start to rely more heavily on
Python for build and test infrastructure than we do today. But
I think we can have that conversation when it happens.
Worth noting also is that there are different requirements in
different places. For example,
contrib/unaccent/generate_unaccent_rules.py is probably only ever run
by developers, so I doubt anyone is going to make a fuss if it doesn't
work on hoary Pythons. Test infrastructure is more of a problem,
since we want to be able to test on any platform that we consider
supported at all.
Anyway, what I propose that we do for now is replace the
installation.sgml text
The minimum required version is Python 3.2.
with
The minimum supported version is Python 3.6.8.
where I use "supported" advisedly, as in "it might work with
something older, but we don't promise to fix it if not".
regards, tom lane
