Post History

Q&A: Why/how can distro support lifetimes exceed the lifetime of their dependencies (such as Python)?

posted 8mo ago by matthewsnyder  ·  edited 8mo ago by matthewsnyder

Answer
#4: Post edited by matthewsnyder · 2024-04-01T22:23:42Z (8 months ago)
When PSF says Python 3.8 is not supported, they are simply saying they will no longer bother fixing bugs in or adding stuff to that version. It's not like Python 3.8 will start automatically exploding your computer the moment they drop support. They just don't want you to come complain to them if you do find something in it that doesn't work.

If Mint devs want to release some Mint 20.3 LTS, and they want to put Python 3.8 into that, the users cannot expect to get help from PSF on problems with that Python. PSF will just tell them to upgrade to Python 3.9. Instead, they will have to ask the Mint devs, since they are the ones who support it.

In practice, this is a question that comes down to critical security vulnerabilities that may get discovered in Python 3.8. There might be non-security things, like garden variety usability bugs, but for those your solution would be "deal with it" (or upgrade). It's only really for security issues that "deal with it" is not an option.

If it turns out that Python 3.8 has a critical security hole, I would expect the Mint devs to release an update that fixes it. They could try to write their own patch to Python itself. For example, let's say the last "official" version of 3.8 is Python 3.8.10. Mint devs could try to develop `Python 3.8.11mint` and release that in the LTS repos. More practical would be to simply bump Python to 3.9 in the repos. Minor versions of Python are intended to be backwards compatible, so nothing that worked in 3.8 should break in 3.9. But if something does break, it would be up to the Mint devs to fix that too (by bumping the version or writing a patch).

However, security is really a problem with servers on the public internet. The moment, say, a security vulnerability becomes known in Python 3.8, someone could take that vuln and immediately hack a server that is using 3.8 in an applicable way. So keep in mind, for example, if you have a server hosting your personal website using nginx and hand-written HTML, and that server happens to be running Python, that doesn't mean it's vulnerable: vulnerabilities have some specific attack vector that's required to exploit them. If your server doesn't actually have a way for outside visitors to reach Python or run Python code (including running programs that rely on Python under the hood), then it's not actually vulnerable. But in any case, if it is vulnerable, then there is a need to urgently fix the vuln with a patch, even if it's running an ancient Python, because it might take too long to upgrade Python. Say you take a day to update Python and then update everything else that depends on the old Python; meanwhile, perhaps hackers read about the vuln and used it to hack your server already.

Mint, however, is mostly a distro for use on desktops and laptops, not servers. These types of machines are not even on the internet: you cannot connect to them even if you know their IP. Routers are not normally configured to forward inbound connections to their ports, and even if they did, they're not usually running any programs that listen on those ports. So even if there was a vuln on this type of PC, it's extremely unlikely that it would be possible to exploit it. The majority of vulns basically don't apply, because by simply not accepting inbound connections from the internet, these machines are already very tightly secured. I suspect this is why Mint is being a bit vague about such things. Server distros will usually pay a bit more attention to details like this.
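Two checks for the points made in the answer above, added here as an example and not code from the answer's author. The first splits a Debian-style package version into the upstream release and the distro revision: Ubuntu-based distros such as Mint record their own patches on top of an upstream release in that revision, so a distro security fix for 3.8 does not appear as a new upstream version (assumed here: the package follows Debian's `[epoch:]upstream[-revision]` format; the string `3.8.10-0ubuntu1~20.04.9` is a constructed example). The second parses `ss -tulpn` output and reports the listening sockets owned by a Python interpreter that are bound to something other than loopback, which is the "can outside visitors reach Python" test the answer describes; it also resolves `/proc/<pid>/exe` so that a daemon started from a `#!` script (which `ss` lists under the script's name) is still recognised as Python. The process-name list, the sample `ss` lines and the `/proc` answers are constructed for the example.

```python
"""Added example: two checks for a Mint/Ubuntu host (not the answer author's code)."""
import ipaddress
import os
import re


def split_deb_version(version):
    """Split a Debian-style package version "[epoch:]upstream[-revision]".

    The upstream part is the release PSF published; everything after the last
    hyphen is the distro's own revision, which is where an Ubuntu-based distro
    records its backported patches (format assumed, e.g. "3.8.10-0ubuntu1~20.04.9").
    """
    if ":" in version:
        version = version.split(":", 1)[1]  # drop the epoch
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        return version, None  # no distro revision at all
    return upstream, revision


# Process names treated as a Python interpreter or Python app server (assumed
# list). ss reports the 15-character "comm" name, not the full executable path.
PYTHON_NAMES = re.compile(r"^(python[0-9.]*|gunicorn|uwsgi|uvicorn)$")
# One owner entry inside ss's users:(("name",pid=N,fd=M),...) column.
OWNER_RE = re.compile(r'\("([^"]+)",pid=(\d+),fd=\d+\)')


def proc_exe(pid):
    """Resolve /proc/<pid>/exe; None if the process is gone or not readable."""
    try:
        return os.readlink(f"/proc/{pid}/exe")
    except OSError:
        return None


def bind_scope(local):
    """Classify a socket's local address as loopback, any, or interface."""
    addr = local.rsplit(":", 1)[0]            # drop the port
    addr = addr.strip("[]").split("%", 1)[0]  # drop IPv6 brackets and %iface
    if addr == "*":
        return "any"
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:
        return "any"       # 0.0.0.0 or ::, reachable on every interface
    if ip.is_loopback:
        return "loopback"  # only processes on this host can connect
    return "interface"     # bound to one address, reachable on that network


def parse_listeners(ss_output, exe_of=proc_exe):
    """Parse `ss -tulpn` output into one record per listening socket.

    A Python daemon started through a #! script shows up in ss under the
    script's name, not "python3", so each owner pid is also resolved through
    exe_of (default: /proc/<pid>/exe) before deciding whether it is Python.
    """
    records = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] not in ("tcp", "udp"):
            continue  # header line or blank
        netid, state, _recvq, _sendq, local, _peer = parts[:6]
        owners = OWNER_RE.findall(" ".join(parts[6:]))
        is_python = any(
            PYTHON_NAMES.match(name)
            or PYTHON_NAMES.match(os.path.basename(exe_of(int(pid)) or ""))
            for name, pid in owners
        )
        records.append({
            "proto": netid,
            "state": state,
            "port": int(local.rsplit(":", 1)[1]),
            "scope": bind_scope(local),
            "owners": [(name, int(pid)) for name, pid in owners],
            "python": bool(is_python),
        })
    return records


def exposed_python_listeners(ss_output, exe_of=proc_exe):
    """Python-owned sockets that something other than localhost can reach."""
    return [r for r in parse_listeners(ss_output, exe_of)
            if r["python"] and r["scope"] != "loopback"]


# Constructed sample of `ss -tulpn` output (not captured from a real host).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511          0.0.0.0:80         0.0.0.0:*     users:(("nginx",pid=1043,fd=6),("nginx",pid=1042,fd=6))
tcp   LISTEN 0      128        127.0.0.1:8000       0.0.0.0:*     users:(("python3",pid=2201,fd=3))
tcp   LISTEN 0      128             [::]:5000          [::]:*     users:(("python3.8",pid=2310,fd=4))
tcp   LISTEN 0      128          0.0.0.0:8080       0.0.0.0:*     users:(("dashboard.py",pid=2400,fd=5))
udp   UNCONN 0      0      127.0.0.53%lo:53         0.0.0.0:*     users:(("systemd-resolve",pid=602,fd=13))
"""
# Constructed /proc/<pid>/exe answers for the pids in the sample above.
SAMPLE_EXE = {
    812: "/usr/sbin/sshd", 1042: "/usr/sbin/nginx", 1043: "/usr/sbin/nginx",
    2201: "/usr/bin/python3.8", 2310: "/usr/bin/python3.8",
    2400: "/usr/bin/python3.8",  # dashboard.py is a #!/usr/bin/python3 script
    602: "/lib/systemd/systemd-resolved",
}

if __name__ == "__main__":
    print(split_deb_version("3.8.10-0ubuntu1~20.04.9"))
    for r in exposed_python_listeners(SAMPLE_SS, SAMPLE_EXE.get):
        print(f"{r['proto']}/{r['port']} ({r['scope']}) owned by {r['owners']}")
```

On the sample, port 8000 is dropped because it is loopback-only, and port 8080 is reported even though `ss` names its owner `dashboard.py`, because the pid resolves to a Python binary. For a live check, pass `subprocess.check_output(["ss", "-tulpn"], text=True)` and leave `exe_of` at its default so `/proc` is consulted (run as root to see other users' pids).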
#3: Post edited by matthewsnyder · 2024-04-01T22:23:03Z (8 months ago)
When PSF says Python 3.8 is not supported, they are simply saying they will no longer bother fixing bugs in or adding stuff to that version. It's not like Python 3.8 will start automatically exploding your computer the moment they drop support. They just don't want you to come complain to them if you do find something in it that doesn't work.

If Mint devs want to release some Mint 20.3 LTS, and they want to put Python 3.8 into that, the users cannot expect to get help from PSF on problems with that Python. Instead, they will have to ask the Mint devs, since they are the ones who support it.

In practice, this is a question that comes down to critical security vulnerabilities that may get discovered in Python 3.8. There might be non-security things, like garden variety usability bugs, but for those your solution would be "deal with it" (or upgrade). It's only really for security issues that "deal with it" is not an option.

If it turns out that Python 3.8 has a critical security hole, I would expect the Mint devs to release an update that fixes it. They could try to write their own patch to Python itself. For example, let's say the last "official" version of 3.8 is Python 3.8.10. Mint devs could try to develop `Python 3.8.11mint` and release that in the LTS repos. More practical would be to simply bump Python to 3.9 in the repos. Minor versions of Python are intended to be backwards compatible, so nothing that worked in 3.8 should break in 3.9. But if something does break, it would be up to the Mint devs to fix that too (by bumping the version or writing a patch).

However, security is really a problem with servers on the public internet. The moment, say, a security vulnerability becomes known in Python 3.8, someone could take that vuln and immediately hack a server that is using 3.8 in an applicable way. So keep in mind, for example, if you have a server hosting your personal website using nginx and hand-written HTML, and that server happens to be running Python, that doesn't mean it's vulnerable: vulnerabilities have some specific attack vector that's required to exploit them. If your server doesn't actually have a way for outside visitors to reach Python or run Python code (including running programs that rely on Python under the hood), then it's not actually vulnerable. But in any case, if it is vulnerable, then there is a need to urgently fix the vuln with a patch, even if it's running an ancient Python, because it might take too long to upgrade Python. Say you take a day to update Python and then update everything else that depends on the old Python; meanwhile, perhaps hackers read about the vuln and used it to hack your server already.

Mint, however, is mostly a distro for use on desktops and laptops, not servers. These types of machines are not even on the internet: you cannot connect to them even if you know their IP. Routers are not normally configured to forward inbound connections to their ports, and even if they did, they're not usually running any programs that listen on those ports. So even if there was a vuln on this type of PC, it's extremely unlikely that it would be possible to exploit it. The majority of vulns basically don't apply, because by simply not accepting inbound connections from the internet, these machines are already very tightly secured. I suspect this is why Mint is being a bit vague about such things. Server distros will usually pay a bit more attention to details like this.
#2: Post edited by matthewsnyder · 2024-04-01T22:15:13Z (8 months ago)
When PSF says Python 3.8 is not supported, they are simply saying they will no longer bother fixing bugs in or adding stuff to that version. It's not like Python 3.8 will start automatically exploding your computer the moment they drop support. They just don't want you to come complain to them if you do find something in it that doesn't work.

If Mint devs want to release some Mint 20.3 LTS, and they want to put Python 3.8 into that, the users cannot expect to get help from PSF on problems with that Python. Instead, they will have to ask the Mint devs, since they are the ones who support it.

In practice, this is a question that comes down to critical security vulnerabilities that may get discovered in Python 3.8. There might be non-security things, like garden variety usability bugs, but for those your solution would be "deal with it" (or upgrade). It's only really for security issues that "deal with it" is not an option.

If it turns out that Python 3.8 has a critical security hole, I would expect the Mint devs to release an update that fixes it. They could try to write their own patch to Python itself. For example, let's say the last "official" version of 3.8 is Python 3.8.10. Mint devs could try to develop `Python 3.8.11mint` and release that in the LTS repos. More practical would be to simply bump Python to 3.9 in the repos. Minor versions of Python are intended to be backwards compatible, so nothing that worked in 3.8 should break in 3.9. But if something does break, it would be up to the Mint devs to fix that too (by bumping the version or writing a patch).
#1: Initial revision by matthewsnyder · 2024-04-01T22:02:51Z (8 months ago)
If the situation is:

* Python developers (PSF) say they currently do not support Python vX because it is too old
* Mint developers say they currently support Mint vY
* Mint vY ships with Python vX

I think the way to read it is:

* If you encounter a problem with Python vX on Mint vY, you shouldn't ask Python developers for help
* Instead, you can ask Mint developers for help

This is not unreasonable. Just because PSF dropped support for Python vX doesn't mean it will blow up. They are just saying they will make no effort to fix new bugs. But there's a good chance that what worked before will continue to work.

What if Python vX has some critical security vulnerability? Well, first of all that's usually relevant for servers. The security situation is much less complicated if you're just running scripts on your personal desktop computer that does not accept inbound connections from the internet to begin with. It is still possible to have vulnerabilities that affect you in that context, but much more rare. In any case, if security is your concern, you would have to ask Mint to provide a third party patch to fix the issue in Python vX. Normally PSF would fix it, but since they abandoned that version as obsolete now, Mint will have to do it as part of their support for Mint vY.

In practice, it is not that hard for Mint to simply bump the Python version in Mint vY. There's nothing saying they're not allowed to release updates for LTS versions, ever. It's just extra work to update old versions of a distro, so they'd rather not bother and only update the latest, but for security issues it's worth making an exception.

Generally speaking, the word "support" is very figurative in FOSS. Actually, there is no support whatsoever for anything. Most FOSS licenses have a clause saying no warranty whatsoever is provided for the program. You "automatically agree" to this by using the software at all. So you have already "declared" that you will expect no support at all, even with non-LTS, even with non-obsolete versions. When FOSS devs say they support a thing, they are just making an informal statement saying that they're not planning to completely ignore any bugs or issues related to the thing, just yet. When they say they're dropping support, they're saying they're gonna stop caring entirely, so don't bother asking.

If you want real support, you would get a paid plan like what Red Hat sells. The terms of that plan would probably address contradictions like the one you ask about.