DEV Community

Discussion on: Python Security: Top 5 Best Practices

Collapse
mburszley profile image
Maximilian Burszley • Edited on

The problem is that Python 2.7 and older versions do not have the same security updates as Python 3.

This is factually wrong. As long as they are maintained versions, they are getting security updates. Use the latest patch version (x.x.*)

I have no feedback otherwise as I haven't heard of those tools but OWASP makes good, open-source tools for web apps and Snyk is big when it comes to static analysis.

Collapse
jpeyret profile image
jpeyret • Edited on

This so wrong it's not even funny.

Python 2.7, God bless its soul, is now end-of-life-d. There are no new security patches coming out. With a little bit of luck, there will be no huge security holes in the language itself until people have migrated off from it, but it's far from certain this will be the case. However, worse than that, 3rd party libraries will most likely not put in any great amount of effort to back-patch releases that are 2.7 only. And that's going to be a much bigger issue.

Django 2.x is Python 3 only, for example. And as a webserver, a Django 1.x is going to be front and center as far as exposure goes. Plus, the attacker knows that all the other libraries on a Django 1 site are 2.7-based, even if Django itself was secure.

Python 2-to-3 migration is not that big of a deal. 40K LOC took me 3 weeks, less than a year ago, starting with a very high unittest coverage and the longtime habit of writing idiomatic 3.x code in 2.7 i.e. print(x) rather than print x. Then again, I had been thinking about it for a while, not just digging my head in the sand, pretending it wasn't a problem.

Please know what you are talking about before posting security advice, because this type of claim, if believed, would put many people at risk.

Collapse
evanepio profile image
Evan Porter

It's not factually wrong: python.org/dev/peps/pep-0373/#main...

2.7.18 is the last release of 2.x, based on the code from January 1st 2020 - no more changes/updates will be accepted and the code is frozen. They will make one more official release of 2.x based on the January 1st 2020 code (2.7.18) and that release will be more ceremony than anything else.

Collapse
mburszley profile image
Maximilian Burszley

Reading comprehension. as long as they are maintained versions

Thread Thread
evanepio profile image
Evan Porter

Sorry, I wasn't clear on what I meant. Maybe this is clearer: python.org/doc/sunset-python-2/

As of January 1st, 2020 no new bug reports, fixes, or changes will be made to Python 2, and Python 2 is no longer supported.

Thread Thread
mburszley profile image
Maximilian Burszley

Perfectly clear, I just can't tell if you're being obtuse or struggle with English in general.