From humble beginnings at an MSP, I've adventured through life as a sysadmin, into an engineer, and finally landed as a developer focused on fixing problems with automation.
The problem is that Python 2.7 and older versions do not have the same security updates as Python 3.
This is factually wrong. As long as they are maintained versions, they are getting security updates. Use the latest patch version (x.x.*).
I have no feedback otherwise as I haven't heard of those tools but OWASP makes good, open-source tools for web apps and Snyk is big when it comes to static analysis.
Python 2.7, God bless its soul, is now end-of-life-d. There are no new security patches coming out. With a little bit of luck, there will be no huge security holes in the language itself until people have migrated off from it, but it's far from certain this will be the case. However, worse than that, 3rd party libraries will most likely not put in any great amount of effort to back-patch releases that are 2.7 only. And that's going to be a much bigger issue.
Django 2.x is Python 3 only, for example. And as a webserver, a Django 1.x is going to be front and center as far as exposure goes. Plus, the attacker knows that all the other libraries on a Django 1 site are 2.7-based, even if Django itself was secure.
Python 2-to-3 migration is not that big of a deal. 40K LOC took me 3 weeks, less than a year ago, starting with a very high unittest coverage and the longtime habit of writing idiomatic 3.x code in 2.7 i.e. print(x) rather than print x. Then again, I had been thinking about it for a while, not just digging my head in the sand, pretending it wasn't a problem.
Please know what you are talking about before posting security advice, because this type of claim, if believed, would put many people at risk.
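The two positions in this thread reduce to one concrete check a defender can run on a host or CI image: is the interpreter's branch still receiving security fixes, and is it on the latest patch release of that branch ("x.x.*")? The script below is an added example, not code from any commenter and not from python.org. The 2.7 end-of-life date is the one the thread states (January 1st 2020, PEP 373); the 3.x entries and the "latest patch" numbers in SUPPORT_TABLE are a constructed snapshot and are assumptions that must be refreshed from python.org before relying on them.

```python
"""Interpreter end-of-life and patch-level check (added example)."""
import sys
from datetime import date

# (major, minor) -> (end-of-life date, latest known patch release).
# The 2.7 entry is taken from the thread; the 3.x entries are assumptions
# for illustration and must be verified against python.org.
SUPPORT_TABLE = {
    (2, 7): (date(2020, 1, 1), (2, 7, 18)),
    (3, 6): (date(2021, 12, 23), (3, 6, 15)),
    (3, 7): (date(2023, 6, 27), (3, 7, 17)),
    (3, 8): (date(2024, 10, 7), (3, 8, 20)),
}


def interpreter_status(version, today, table=SUPPORT_TABLE):
    """Classify a (major, minor, micro) version as of `today`.

    Returns a dict with:
      eol          True if the branch no longer receives security fixes,
                   None if the branch is unknown to the table.
      latest_patch True if micro >= the latest known patch release,
                   None if the branch is unknown.
      action       a one-line recommendation.
    """
    version = tuple(version[:3])
    branch = version[:2]
    if branch not in table:
        return {"eol": None, "latest_patch": None,
                "action": "branch %d.%d not in table; check python.org" % branch}
    eol_date, latest = table[branch]
    eol = today >= eol_date
    latest_patch = version >= latest
    if eol:
        # No upstream fixes at all: the only remediation is migration.
        action = ("%d.%d.%d is past end-of-life (%s): no further security fixes "
                  "from python.org; migrate to a supported branch"
                  % (version + (eol_date.isoformat(),)))
    elif not latest_patch:
        # Branch is alive but this host missed patch releases.
        action = ("%d.%d.%d is behind the latest patch release %d.%d.%d: "
                  "upgrade to pick up security fixes" % (version + latest))
    else:
        action = "%d.%d.%d is supported and current" % version
    return {"eol": eol, "latest_patch": latest_patch, "action": action}


def running_interpreter_status(today=None):
    """Apply the check to the interpreter executing this script."""
    v = sys.version_info
    return interpreter_status((v.major, v.minor, v.micro), today or date.today())


if __name__ == "__main__":
    print(running_interpreter_status()["action"])
```

The date is passed in rather than read implicitly so the same function can be used in a fleet inventory report against a fixed cut-off date; the interpreter branch being unknown to the table is reported as such rather than silently treated as supported.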
This is so wrong it's not even funny.
It's not factually wrong: python.org/dev/peps/pep-0373/#main...
2.7.18 is the last release of 2.x, based on the code from January 1st 2020 - no more changes/updates will be accepted and the code is frozen. They will make one more official release of 2.x based on the January 1st 2020 code (2.7.18) and that release will be more ceremony than anything else.
Reading comprehension: "as long as they are maintained versions".
Sorry, I wasn't clear on what I meant. Maybe this is clearer: python.org/doc/sunset-python-2/
Perfectly clear, I just can't tell if you're being obtuse or struggle with English in general.