{"id":6273,"date":"2019-08-29T08:20:49","date_gmt":"2019-08-29T08:20:49","guid":{"rendered":"https:\/\/gtechbooster.com\/?p=6273"},"modified":"2023-04-01T01:36:50","modified_gmt":"2023-04-01T01:36:50","slug":"security-threatened-by-python-2-end-of-life","status":"publish","type":"post","link":"https:\/\/gtechbooster.com\/security-threatened-by-python-2-end-of-life\/","title":{"rendered":"Security threatened by Python 2 end of life"},"content":{"rendered":"\n<p>Python 2&#8217;s end of life is fast approaching and the UK&#8217;s National Cyber  Security Centre has issued a warning to developers still clinging on to  Python 2 of risks they will face as a result of no more bug fixes or  security updates.<\/p>\n\n\n\n<p>Much to the dismay of Python 3 adherents, Python 2 was given a stay \nof execution by Guido van Rossum in 2014. While being adamant that there\n would be no Python 2.8 and that the time had come to move to Python \n3.4, he announced at PyCon that instead of facing end of support in 2015\n as originally planned, Python 2 was being granted an extra 5 years to \n2020. 
This was in order to give time for numerous libraries relied on by\n existing projects to add Python 3 support.<\/p>\n\n\n\n<p>In March 2018 it was agreed that Python 2.7, the only version still \nsupported, would be completely dead on January 1st 2020, meaning&nbsp;no \nupdates, not even&nbsp;source-only security patches, after that date. And if \nyou think 2020 is still a long way off &#8211; you are wrong:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><a href=\"https:\/\/gtechbooster.com\/media\/2019\/08\/python2eolbaner.jpg\"><img loading=\"lazy\" decoding=\"async\" width=\"400\" height=\"175\" src=\"https:\/\/gtechbooster.com\/media\/2019\/08\/python2eolbaner.jpg\" alt=\"\" class=\"wp-image-6278\" srcset=\"https:\/\/gtechbooster.com\/media\/2019\/08\/python2eolbaner.jpg 400w, https:\/\/gtechbooster.com\/media\/2019\/08\/python2eolbaner-300x131.jpg 300w\" sizes=\"auto, (max-width: 400px) 100vw, 400px\" \/><\/a><\/figure><\/div>\n\n\n\n<p>In view of this looming deadline, the National Cyber Security Centre \n(NCSC) has repeated the &#8220;time to move Python 3&#8221; message, saying:<\/p>\n\n\n\n<p><em>So, if you&#8217;re still using 2.x, it&#8217;s \ntime to port your code to Python 3. If you continue to use unsupported \nmodules, you are risking the security of your organisation and data, as \nvulnerabilities will sooner or later appear which nobody is fixing.<\/em><\/p>\n\n\n\n<p>Given that Python 3.0 was released in December 2008 and wasn&#8217;t  backward compatible with the 2.x line of releases, this advice seems  long overdue. But the Python community has been highly resistant to  change. 
It took four years, until January 2013, for the  number of monthly downloads of the latest Python 3 to exceed that of its  Python 2 counterpart.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><a href=\"https:\/\/gtechbooster.com\/media\/2019\/08\/pythondownloads.jpg\"><img loading=\"lazy\" decoding=\"async\" width=\"400\" height=\"244\" src=\"https:\/\/gtechbooster.com\/media\/2019\/08\/pythondownloads.jpg\" alt=\"\" class=\"wp-image-6275\" srcset=\"https:\/\/gtechbooster.com\/media\/2019\/08\/pythondownloads.jpg 400w, https:\/\/gtechbooster.com\/media\/2019\/08\/pythondownloads-300x183.jpg 300w\" sizes=\"auto, (max-width: 400px) 100vw, 400px\" \/><\/a><\/figure><\/div>\n\n\n\n<p>The main barrier to switching existing code from Python 2 to Python 3\n was its dependencies on third-party packages. At the time of Python \n2&#8217;s EOL extension there were still a substantial number of widely used \nlibraries that didn&#8217;t support Python 3.x. This situation was monitored \non a website initially called the Python 3 Wall of Shame, as it \ndisplayed in red the names of PyPI packages that were not compatible \nwith Python 3, using green for those that were. It was renamed the Python 3 Wall \nof Superpowers as more and more green entries replaced red ones and, \nhaving achieved over 95% compatibility, stopped the exercise in April \n2018.<\/p>\n\n\n\n<p>Even so some users still cling to Python 2.x. Figures from the 2018  Python Developers Survey conducted jointly by the Python Software  Foundation and JetBrains show that almost a fifth of Python developers  engaged in DevOps are stuck there, with almost as many web developers in  the same situation. 
The outlook is much better for Data Science, where  only 10% have yet to upgrade.&nbsp;<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><a href=\"https:\/\/gtechbooster.com\/media\/2019\/08\/jbpython3devs.jpg\"><img loading=\"lazy\" decoding=\"async\" width=\"423\" height=\"251\" src=\"https:\/\/gtechbooster.com\/media\/2019\/08\/jbpython3devs.jpg\" alt=\"\" class=\"wp-image-6276\" srcset=\"https:\/\/gtechbooster.com\/media\/2019\/08\/jbpython3devs.jpg 423w, https:\/\/gtechbooster.com\/media\/2019\/08\/jbpython3devs-300x178.jpg 300w\" sizes=\"auto, (max-width: 423px) 100vw, 423px\" \/><\/a><\/figure><\/div>\n\n\n\n<p> These figures look reasonably reassuring, but a different picture is  revealed by June 2019 stats of downloads of popular packages from the  Python Package Index collated by NCSC: <\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><a href=\"https:\/\/gtechbooster.com\/media\/2019\/08\/pypidownloads.jpg\"><img loading=\"lazy\" decoding=\"async\" width=\"349\" height=\"587\" src=\"https:\/\/gtechbooster.com\/media\/2019\/08\/pypidownloads.jpg\" alt=\"\" class=\"wp-image-6277\" srcset=\"https:\/\/gtechbooster.com\/media\/2019\/08\/pypidownloads.jpg 349w, 
https:\/\/gtechbooster.com\/media\/2019\/08\/pypidownloads-178x300.jpg 178w\" sizes=\"auto, (max-width: 349px) 100vw, 349px\" \/><\/a><\/figure><\/div>\n\n\n\n<p>The four packages listed at the top of the table had more \ndownloads for Python 2 than Python 3, and even where Python 3 is more \npopular a substantial proportion of downloads are still for Python 2. To force this \nsituation to improve, many projects including NumPy, Requests, and \nTensorFlow have pledged to drop support for 2.x by 2020 and some already\n have. As NCSC points out,<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p><em>This means that if you want to use the  latest features of your favourite modules, you\u2019ll need to be using  Python 3.&nbsp;The longer you wait to update, the more the Python 3 versions  of your dependencies will have changed, and the more difficult updating  will become.<\/em><\/p><\/blockquote>\n\n\n\n<p>Another point raised by NCSC is that failure to move on is holding other developers back, stating:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p><em>If you maintain a library that other  developers depend on, you may be preventing them from updating to 3. 
By  holding other developers back, you are indirectly and likely  unintentionally increasing the security risks of others.<\/em><\/p><\/blockquote>\n\n\n\n<p>It also has some recommendations to assist in the process of porting Python 2.x code to Python 3, mentioning:&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/github.com\/brettcannon\/caniusepython3\" rel=\"noreferrer noopener\" target=\"_blank\">Can I Use Python 3<\/a>&nbsp;&#8211; a program that checks your project dependencies to see if any are preventing you from using Python 3.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/docs.python.org\/2\/library\/2to3.html\" rel=\"noreferrer noopener\" target=\"_blank\">2to3<\/a>&nbsp;&#8211;\n a Python program, usually installed with the Python interpreter as a \nscript, that attempts to convert 2.x source code into 3. Note that this \nisn\u2019t perfect, you may still have to fix some code manually.<\/p>\n\n\n\n<p>There are plenty of features in Python 3 to reward those who make the\n move and in doing so you will also have the opportunity to improve how \nyou manage your software dependencies and minimize your&nbsp;security debt.<\/p>\n\n\n\n<p>Dropbox migrated its codebase to Python 3 in 2018 and gave details of the experience in a&nbsp;<a href=\"https:\/\/blogs.dropbox.com\/tech\/2018\/09\/how-we-rolled-out-one-of-the-largest-python-3-migrations-ever\/\" rel=\"noreferrer noopener\" target=\"_blank\">blog post<\/a>.\n The move was motivated by the fact that as Python 2 aged, the set of \ntoolchains initially compatible for deploying it had largely become \nobsolete, leading to a growing maintenance burden:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>The use of older compilers\/runtimes was limiting our ability to upgrade some important dependencies.<\/li><li>For example, we use Qt on Windows and Linux: Recent versions of Qt \nrequire more modern compilers due to the inclusion of Chromium (via \nQtWebEngine).<\/li><li>As we continued to integrate deeply with the operating 
system, our \ninability to rely on more recent versions of these toolchains increased \nthe cost of adoption for newer APIs.<\/li><li>For example, Python 2 still&nbsp;technically&nbsp;requires Visual Studio 2008. This version is no longer supported by Microsoft and is not compatible with the Windows 10 SDK.<\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">More Information<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li><a rel=\"noreferrer noopener\" href=\"https:\/\/pythonclock.org\/\" target=\"_blank\">Python 2.7 will retire in &#8230;<\/a><\/li><li><a rel=\"noreferrer noopener\" href=\"https:\/\/www.ncsc.gov.uk\/blog-post\/time-to-shed-python-2\" target=\"_blank\">Time to shed Python 2<\/a><\/li><li><a href=\"https:\/\/www.python.org\/\">Python.org<\/a><\/li><\/ul>\n\n\n\n<p>Credit: <strong>iProgrammer.info<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Python 2&#8217;s end of life is fast approaching and the UK&#8217;s National Cyber Security Centre has issued a warning to developers still clinging on to Python 2 of risks they will face as a result of no more bug fixes or security updates. 
Much to the dismay of Python 3 adherents, Python 2, was given [&hellip;]<\/p>\n","protected":false},"author":7,"featured_media":6279,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1915],"tags":[1444,236,6,671],"class_list":["post-6273","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ndocs","tag-cyber-security","tag-data-security","tag-programming","tag-python"],"blocksy_meta":{"styles_descriptor":{"styles":{"desktop":"","tablet":"","mobile":""},"google_fonts":[],"version":6}},"_links":{"self":[{"href":"https:\/\/gtechbooster.com\/api-json\/wp\/v2\/posts\/6273","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/gtechbooster.com\/api-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/gtechbooster.com\/api-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/gtechbooster.com\/api-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/gtechbooster.com\/api-json\/wp\/v2\/comments?post=6273"}],"version-history":[{"count":0,"href":"https:\/\/gtechbooster.com\/api-json\/wp\/v2\/posts\/6273\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/gtechbooster.com\/api-json\/wp\/v2\/media\/6279"}],"wp:attachment":[{"href":"https:\/\/gtechbooster.com\/api-json\/wp\/v2\/media?parent=6273"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/gtechbooster.com\/api-json\/wp\/v2\/categories?post=6273"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/gtechbooster.com\/api-json\/wp\/v2\/tags?post=6273"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}