Raise minimum Python version?

Manuel Jacob
Hi,

The issue came up in a reply to a patch I've sent a few days ago. I'm
sending a new mail to discuss this topic more generally.

Mercurial is not usable on Python versions prior to 2.7.4. The issue was
raised in
https://www.mercurial-scm.org/pipermail/mercurial/2020-May/051937.html.
I've sent a patch fixing it (that I didn't really propose for inclusion,
for reasons described in the patch):
https://www.mercurial-scm.org/pipermail/mercurial-devel/2020-May/141666.html.
Instead of committing the patch, I propose that the minimum Python
version should be raised to Python 2.7.4 in the stable branch.

Some security features of Python 3.x were backported to Python 2.7.9
(see PEP 466). If we require at least Python 2.7.9, we can raise
the minimum security standard of Mercurial (quote from
mercurial.sslutil: "Depending on the version of Python being used,
SSL/TLS support is either modern/secure or legacy/insecure. Many
operations in this module have separate code paths depending on support
in Python."). Therefore, I propose to raise the minimum Python version
to 2.7.9 in the default branch.

Alternatively, we could drop Python 2 support completely.

-Manuel
_______________________________________________
Mercurial-devel mailing list
[hidden email]
https://www.mercurial-scm.org/mailman/listinfo/mercurial-devel

Re: Raise minimum Python version?

Augie Fackler-2


> On May 19, 2020, at 09:20, Manuel Jacob <[hidden email]> wrote:
>
> Hi,
>
> The issue came up in a reply to a patch I've sent a few days ago. I'm sending a new mail to discuss this topic more generally.
>
> Mercurial is not usable on Python versions prior to 2.7.4. The issue was raised in https://www.mercurial-scm.org/pipermail/mercurial/2020-May/051937.html. I've sent a patch fixing it (that I didn't really propose for inclusion, for reasons described in the patch): https://www.mercurial-scm.org/pipermail/mercurial-devel/2020-May/141666.html. Instead of committing the patch, I propose that the minimum Python version should be raised to Python 2.7.4 in the stable branch.
>
> Some security features of Python 3.x were backported to Python 2.7.9 (see PEP 466). If we require at least Python 2.7.9, we can raise the minimum security standard of Mercurial (quote from mercurial.sslutil: "Depending on the version of Python being used, SSL/TLS support is either modern/secure or legacy/insecure. Many operations in this module have separate code paths depending on support in Python."). Therefore, I propose to raise the minimum Python version to 2.7.9 in the default branch.

I'm a fan of doing that.

> Alternatively, we could drop Python 2 support completely.

I suspect this is still premature, given the Windows Py3 situation is (as far as I know) a bit rough. I'd like to do so before the end of the year though.

>
> -Manuel

Re: Raise minimum Python version?

Gregory Szorc
In reply to this post by Manuel Jacob
On Tue, May 19, 2020 at 6:24 AM Manuel Jacob <[hidden email]> wrote:
> Hi,
>
> The issue came up in a reply to a patch I've sent a few days ago. I'm
> sending a new mail to discuss this topic more generally.
>
> Mercurial is not usable on Python versions prior to 2.7.4. The issue was
> raised in
> https://www.mercurial-scm.org/pipermail/mercurial/2020-May/051937.html.
> I've sent a patch fixing it (that I didn't really propose for inclusion,
> for reasons described in the patch):
> https://www.mercurial-scm.org/pipermail/mercurial-devel/2020-May/141666.html.
> Instead of committing the patch, I propose that the minimum Python
> version should be raised to Python 2.7.4 in the stable branch.

I think this is reasonable, given how old Python 2.7.3/2.7.4 are. Python 2.7 support in Mercurial is effectively end-of-life anyway.

> Some security features of Python 3.x were backported to Python 2.7.9
> (see PEP 466). If we require at least Python 2.7.9, we can raise
> the minimum security standard of Mercurial (quote from
> mercurial.sslutil: "Depending on the version of Python being used,
> SSL/TLS support is either modern/secure or legacy/insecure. Many
> operations in this module have separate code paths depending on support
> in Python."). Therefore, I propose to raise the minimum Python version
> to 2.7.9 in the default branch.

As the author of the code in mercurial.sslutil, I'm in favor of dropping support for Python versions that don't support `ssl.SSLContext`. This is because we simply don't have the control over connection security that we need to ensure security without those APIs. I worded that qualification specifically because some Linux distributions backported Python 2.7.9's modern `ssl` features to older Python versions. IIRC RHEL/CentOS 7 ship a Python 2.7.5 that has these features.

I think a reasonable course of action is to require 2.7.4+ and `ssl.SSLContext`.

> Alternatively, we could drop Python 2 support completely.

I'd love to do this too. But Python 3 on Windows is still a bit shaky and we probably need another release before we can drop Python 2 completely. I really, really, really wish this weren't the case.

I'll try to find time in the next week to work on patches to the stable branch so we can publish working Python 3 Windows installers. Hopefully if we get 5.4.1 working on Windows on Python 3 we can drop support for Python 2 after the 5.5 release (making 5.6 the first Python 3 only release).
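
The rule proposed in the message above ("2.7.4+ and `ssl.SSLContext`"), sketched as an added example that is not part of the original message and is not Mercurial's code. The helper names, the `LegacySSL` stand-in and the sample cases are constructed for illustration.

```python
import ssl
import sys

MIN_VERSION = (2, 7, 4)  # floor proposed in the thread


class LegacySSL(object):
    """Constructed stand-in for an ssl module that lacks SSLContext."""


def check_runtime(version_info=None, ssl_module=None):
    """Return (ok, reason) for the rule "2.7.4+ and ssl.SSLContext"."""
    if version_info is None:
        version_info = sys.version_info
    if ssl_module is None:
        ssl_module = ssl
    version = tuple(version_info[:3])
    if version < MIN_VERSION:
        return False, "Python %d.%d.%d is older than 2.7.4" % version
    # Feature-detect rather than compare against 2.7.9: the thread notes
    # that some distributions backported the modern ssl features.
    if not hasattr(ssl_module, "SSLContext"):
        return False, "ssl module has no SSLContext"
    return True, "ok"


def verified_client_context(version_info=None, ssl_module=None):
    """Refuse to run on a legacy runtime, else return a verifying context."""
    ok, reason = check_runtime(version_info, ssl_module)
    if not ok:
        raise RuntimeError("unsupported runtime: " + reason)
    # create_default_context() turns on certificate and hostname checks.
    return (ssl_module or ssl).create_default_context()


# Constructed cases: (version, ssl module, expected verdict).
CASES = [
    ((2, 7, 3), ssl, False),        # below the 2.7.4 floor
    ((2, 7, 5), LegacySSL, False),  # stock 2.7.5, no SSLContext
    ((2, 7, 5), ssl, True),         # 2.7.5 with backported ssl features
    ((2, 7, 9), ssl, True),         # PEP 466 release
]

if __name__ == "__main__":
    for version, module, expected in CASES:
        ok, reason = check_runtime(version, module)
        print(version, ok == expected, reason)
```

Checking for the attribute instead of the version number is what lets a distribution build such as the 2.7.5 mentioned above pass while a stock 2.7.5 fails.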


Re: Raise minimum Python version?

Pierre-Yves David-2
In reply to this post by Augie Fackler-2


On 5/19/20 8:13 PM, Augie Fackler wrote:

>
>
>> On May 19, 2020, at 09:20, Manuel Jacob <[hidden email]> wrote:
>>
>> Hi,
>>
>> The issue came up in a reply to a patch I've sent a few days ago. I'm sending a new mail to discuss this topic more generally.
>>
>> Mercurial is not usable on Python versions prior to 2.7.4. The issue was raised in https://www.mercurial-scm.org/pipermail/mercurial/2020-May/051937.html. I've sent a patch fixing it (that I didn't really propose for inclusion, for reasons described in the patch): https://www.mercurial-scm.org/pipermail/mercurial-devel/2020-May/141666.html. Instead of committing the patch, I propose that the minimum Python version should be raised to Python 2.7.4 in the stable branch.
>>
>> Some security features of Python 3.x were backported to Python 2.7.9 (see PEP 466). If we require at least Python 2.7.9, we can raise the minimum security standard of Mercurial (quote from mercurial.sslutil: "Depending on the version of Python being used, SSL/TLS support is either modern/secure or legacy/insecure. Many operations in this module have separate code paths depending on support in Python."). Therefore, I propose to raise the minimum Python version to 2.7.9 in the default branch.
>
> I'm a fan of doing that.
>
>> Alternatively, we could drop Python 2 support completely.
>
> I suspect this is still premature, given the Windows Py3 situation is (as far as I know) a bit rough. I'd like to do so before the end of the year though.

On that topic, the OpenVMS is in the process of porting their Mercurial
(yeah it is a thing, I told them to send their patch upstream) from
Python2 to Python 3 (3.5 IIRC). They hope to be done with that by the
end of the year too (they hurried up their plan after I told them about
our pending drop of python2 support).

--
Pierre-Yves David