Title: When Will Python 2 End: An Update

Author: Bob Schmidt

Date: 07 July 2020 17:10:11 +01:00 or Tue, 07 July 2020 17:10:11 +01:00

Summary: Silas S. Brown warns of some of the risks with unsupported software.

Body: 

In CVu 30.6 (January 2019) I said that, although Python 2 upstream support (i.e. security patching) was due to stop in January 2020, Ubuntu had indirectly promised to support their version until 2028.

A few things have happened since then, so my article needs an update.

Firstly, Ubuntu have clarified that their 10-year support plan for 18.04 will be only for paying customers. Support for the free version ends in 2023. It’s not yet clear how Ubuntu will implement pushing out patches to paying customers only; the Python license certainly allows for this, although as ‘security through obscurity’ has been shown to be inadvisable, they might choose a more open approach, perhaps publishing source packages for all but binary packages for paying customers only. We don’t know yet.

Unexpectedly, though, Ubuntu also included Python 2 in their April 2020 release of Ubuntu 20.04 LTS, meaning they undertook to support the free version until 2025 or paid until 2030. (Equally unexpectedly, upstream issued a ‘final’ release of Python 2.7 in April 2020 although they said they’d stop in January.)

Meanwhile, Red Hat Enterprise Linux 8 was released in May 2019 based on Fedora 28, which still had Python 2, and is expected to receive security maintenance until 2029 (which also benefits its Oracle and CentOS derivatives).

So the answer to the question ‘when will Python 2 end’ is now: 2025 on Ubuntu, 2029 on CentOS.

The Fedora distribution (which acts as Red Hat’s ‘cutting edge’ guinea pig) has already dropped Python 2, and frankly I’m not very impressed at how the transition was handled. Fedora 30 pushed all packages to use Python 3 instead of Python 2 or be deleted. (Fedora 31 followed up by making the ‘python’ command refer to Python 3 by default, and Fedora 32 dropped Python 2.) That push in Fedora 30, for packages to switch to Python 3 or be deleted, unfortunately seems to have made some package maintainers do a ‘rush job’, marking Python 2 scripts as being ‘Python 3’ when they weren’t. I know this happened in at least two (unrelated) packages, one of which involved my own script. To their credit, the maintainers were able to update the scripts when I raised bug reports, but I hope there weren’t others I missed.

It’s funny that, of all the programs I’ve carefully crafted, the one that actually ended up in every Linux distribution was the humble little script that performs a quick calculation of LaTeX paper-size settings for arbitrary zooming, and outputs the result using print. This script had been accepted by CTAN and from there it was noticed by the maintainers of TexLive, and that’s how it got into every distro’s texlive-extras package. But it wasn’t Python 3 compatible, because I hadn’t used parentheses on my Python-2 style print statement. The Fedora package maintainer must have been under a lot of pressure to label that script ‘Python 3’ when any attempt to run it under Python 3 would crash immediately with a syntax error. I didn’t receive any requests for a Python-3 compatible version (although when I realised what happened, I updated the version on my home page and sent a fix to CTAN, and asked the Fedora maintainers to update to that). The moral of this one is probably don’t use Fedora unless you like being at the ‘bleeding edge’ which sometimes hurts a bit.

It’s still possible to install Python 2 on Fedora 32 if you compile it by hand: you can get both Python 2 and Pip 2 into /usr/local by compiling with:

  ./configure \
    --with-ensurepip=install \
    --enable-optimizations
  make
  make install

but you will then be on your own as far as security maintenance is concerned (perhaps look out for advisories from Ubuntu and Red Hat until 2025 and 2029, and take appropriate precautions depending on what they found).

The Python package repository ‘Pip’ have announced they will drop support for Python 2.7 by January 2021 (Pip 21). The announcement did not say how long the older versions of Pip will continue to be supported by their package servers after that. So if you do want to continue with Python 2 into 2021, you’d better have already done any pip2 install commands you need by then.

Ideally you should try to add Python 3 compatibility to your legacy Python 2 code (I wrote about this in C Vu 32.1, March 2020) but that can be a big ‘ask’ for a large legacy codebase that gets only occasional use. I have added Python 3 compatibility to about 80% of my code, but I still have two major scripts that require Python 2, one of which is difficult to convert because it relies on specific behaviour of Python 2’s email libraries for handling mislabelled character sets, and the other hardly ever gets used anymore (and when it is, it’s given 100% trusted data that I produced myself, so security is not a concern); it doesn’t seem justified to take out a couple of working weeks to add Python 3 compatibility to these. But I wouldn’t encourage the continued use of Python 2 unless you know what you’re doing.

Silas S. Brown Silas is a partially-sighted Computer Science post-doc in Cambridge who currently works in part-time assistant tuition and part-time for Oracle. He has been an ACCU member since 1994.

Notes: 

More fields may be available via dynamicdata ..