DEV Community

Discussion on: Python Security: Top 5 Best Practices

jpeyret • Edited

This is so wrong it's not even funny.

Python 2.7, God bless its soul, is now end-of-lifed. There are no new security patches coming out. With a little bit of luck, there will be no huge security holes in the language itself until people have migrated off it, but it's far from certain this will be the case. However, worse than that, 3rd-party libraries will most likely not put in any great amount of effort to back-patch releases that are 2.7-only. And that's going to be a much bigger issue.

Django 2.x is Python 3 only, for example. And as a webserver, a Django 1.x is going to be front and center as far as exposure goes. Plus, the attacker knows that all the other libraries on a Django 1 site are 2.7-based, even if Django itself was secure.

Python 2-to-3 migration is not that big of a deal. 40K LOC took me 3 weeks, less than a year ago, starting with very high unittest coverage and the longtime habit of writing idiomatic 3.x code in 2.7, i.e., print(x) rather than print x. Then again, I had been thinking about it for a while, not just digging my head in the sand, pretending it wasn't a problem.

Please know what you are talking about before posting security advice, because this type of claim, if believed, would put many people at risk.
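The comment above mentions the habit of writing idiomatic 3.x code while still on 2.7 to make the eventual migration cheap. The following is an added example, not code from the commenter or from the article being discussed, of what that style looks like in practice: a small module that uses `__future__` imports so it behaves the same on Python 2.7 and 3.x, and that checks whether it is running on an end-of-life interpreter. The `MIN_SUPPORTED` threshold is an assumed policy value chosen for the example.

```python
# Added example (not from the original comment): a module written in the
# "idiomatic 3.x in 2.7" style. On Python 3 the __future__ imports are no-ops;
# on 2.7 they switch on the 3.x print function, true division, and text literals.
from __future__ import absolute_import, division, print_function, unicode_literals

import sys

# Assumed policy value for this example: anything below this is treated as unsupported.
MIN_SUPPORTED = (3, 6)


def interpreter_status(version_info=None):
    """Describe the running interpreter (or a given (major, minor) tuple).

    Returns a dict so callers can log or alert on it; Python 2.x is always
    flagged as end-of-life, since it receives no further security patches.
    """
    vi = tuple(version_info if version_info is not None else sys.version_info[:2])
    return {
        "version": "%d.%d" % vi,
        "eol_python2": vi[0] == 2,
        "supported": vi >= MIN_SUPPORTED,
    }


def ratio(numerator, denominator):
    """True division on both majors because of `from __future__ import division`.

    Without that import, 2.7 would silently floor-divide two ints.
    """
    return numerator / denominator


def to_text(value, encoding="utf-8"):
    """Normalise bytes/str to text, the ambiguity that breaks most 2-to-3 ports."""
    if isinstance(value, bytes):
        return value.decode(encoding)
    return value  # already text: unicode on 2.7, str on 3.x


def report(lines):
    """Print each line with the 3.x print function; returns the number printed."""
    count = 0
    for line in lines:
        print(to_text(line))  # print() is a function here, even on 2.7
        count += 1
    return count


if __name__ == "__main__":
    status = interpreter_status()
    report(["Python %s" % status["version"],
            "supported: %s" % status["supported"],
            b"bytes input is decoded before printing"])
    if status["eol_python2"]:
        sys.exit("running on end-of-life Python 2; no security patches available")
```

Running the module directly prints the interpreter version and exits non-zero on a Python 2 interpreter, which is a cheap guard to drop into a deployment's start-up script while the migration is still in progress.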