Steve D'Aprano wrote:
> Chris Angelico wrote:
> > [...]
> >
> > > Yet look at your answer; "upgrade". For a person working
> > > on a server there's usually no economic choice to do. The
> > > OS python must stay in place and the newly installed
> > > upgrade must be personally maintained, updated, and
> > > tested when security patches come out. For one desktop
> > > that's not an issue. For dozens, or hundreds, or
> > > thousands, it's not likely to happen.
> >
> > Until you get hit by a vulnerability that was patched four
> > years ago, but you didn't get the update. Now your server
> > is down - or, worse, has been compromised. What's the
> > economic cost of that?
>
> Chris, that's what your subscription to RHEL pays for:
> backports of security fixes that the free Python 2.6
> doesn't contain. You'll probably get them on CentOS and
> Fedora too, the community editions of RHEL. You *won't* get
> them from the Python website. That's the whole point of the
> ten year support for RHEL (longer if you pay more).
>
> > You might choose to accept that risk, but you have to at
> > least be aware that you're playing with fire. Laziness is
> > not the cheap option in the long run.
>
> You're making unjustified assumptions about the attack
> surface here. Maybe any attacker has to break through three
> firewalls *and* get root on the server before they can
> attack the Python app -- in which case they've got bigger
> problems than the Python vulnerability. It's one thing to
> mention in a friendly way the advantages of upgrading.
> It's another to continue to brow-beat the poster about the
> (supposed) necessity to give up their paid RHEL support and
> security patches in favour of taking their chances with the
> free, but more recent, version where they have to monitor
> the Python website or mailing lists themselves and manually
> upgrade each time there's a security patch. Feel free to
> continue to talk in general terms about the costs and
> benefits of upgrading, but stop badgering Leam. Not
> everyone values being on the bleeding edge, and Red Hat
> customers as a rule value stability and long term support
> over the latest shiny new features.

Great reply! And nice to know that not every Pythonista here has gone tin-foil-hat crazy over Python3.

-- 
https://mail.python.org/mailman/listinfo/python-list