Drop support for Python < 2.7.9 #4350
Comments
|
Your query isn't totally correct, |
|
Ah right, I blame doing this early in the morning :) |
|
Ok, updated the query and results in my first post to reflect the real numbers. Still not enough to drop support for it yet, but the numbers look a lot better this way. |
|
Does RedHat/CentOS 7 Python 2.7.5 count in those stats and also as having "bad TLS"? I'm a CentOS noob, but supposedly the RH-packaged Python has some fixes backported, i.e. are you talking about TLS 1.2? Is your plan about denying $ cat /etc/centos-release
CentOS Linux release 7.3.1611 (Core)
$ python -V
Python 2.7.5
$ python -c "import json, urllib2; print json.load(urllib2.urlopen(\
'https://www.howsmyssl.com/a/check'))['tls_version']"
TLS 1.2 |
|
@nickstenning Those statistics count whatever is returned by To be clear, this is not a short term issue. It is a place holder mostly to track how >=2.7.9 adoption is going to make a decision about when it is the right time to drop support. That is unlikely to be before it gets into single digit usage. |
|
True, I guess I'm just alluding to how RHEL versions are super-clingy (10-year support, so 7, which has 2.7.5, might be around in reasonable numbers until 2024). That might keep the "<2.7.9" number artificially high, while not truly being reflective of the users you'd disrupt. |
|
is there a reasonable/reliable way to identify the actual distribution of linux that's being used? |
|
Here are today's numbers:
|
|
Please let me know if I'm way off-base and looking at the wrong thing... To examine that <2.7.9 group a bit:
* depends on patch level Query (full results): SELECT
details.python as python_version,
details.distro.name as distro_name,
details.distro.version as distro_version,
COUNT(*) AS download_count,
FROM
TABLE_DATE_RANGE( [the-psf:pypi.downloads], DATE_ADD(CURRENT_TIMESTAMP(), -31, "day"), DATE_ADD(CURRENT_TIMESTAMP(), -1, "day") )
WHERE
details.installer.name = 'pip'
AND REGEXP_MATCH(details.python, r'2\.7\.[0-8]($|[^\d])')
GROUP BY
python_version, distro_name, distro_version
ORDER BY
download_count DESC
LIMIT
100"
From a thread on Python-Dev and it pointing to https://github.com/ouspg/trytls/tree/shootout-0.2/shootout I'm not sure if there's a problem with the functionality (insecure as it may be, but then older TLS are insecure anyways?) of TLS in older distros/Python 2.7.x's, or if it would actually break things. |
|
Oh, looks like the TLS protocol is logged to the DB:
I guess I'm now even more confused as most of the old TLS connections (in number and proportion) are made by Python ≥2.7.9. |
|
@nicktimko I think that is macOS. |
|
I was curious how this compared over time, so here are the percent of downloads using
Gotten using this query: SELECT
STRFTIME_UTC_USEC(timestamp, "%Y-%m") AS yyyymm,
ROUND(100 * SUM(CASE
WHEN REGEXP_MATCH(details.python, r"2\.7\.(9|\d\d)") THEN 0
WHEN REGEXP_MATCH(details.python, r"2\.7\.") THEN 1
ELSE 0 END) / COUNT(*), 1) AS percent_lt279,
COUNT(*) AS download_count
FROM
TABLE_DATE_RANGE(
[the-psf:pypi.downloads],
DATE_ADD(CURRENT_TIMESTAMP(), -1, "year"),
CURRENT_TIMESTAMP()
)
WHERE
details.installer.name = 'pip'
GROUP BY
yyyymm
ORDER BY
yyyymm DESC
LIMIT
100 |
|
What's the change that wants to be made that would break <2.7.9? |
|
@nicktimko Remove the need to continue to support emulation for SSLContext objects, which would also free up the ability to start trusting the platform network store on Linux machines and to allow Python to start validating the hostname instead of having to copy that functionality into requests. It also will allow us to start mandating TLSv1.2+ on the client side. |
|
I'm curious as to what dropping this support would look like: will the current warning be changed into a fatal-error message and pip aborting or it'll be allow albeit requiring jumping through hoops to make it possible for the end-user? I think it should be the former.
It looks to me like it'll be another 6 months+ till the amount of requests from Python < 2.7.9 will stay significant? |
|
@pradyunsg It's not entirely defined, but if we do it like we've done the other ones, we'll just drop support, update the We could add a install time check in |
Sounds good. |
pradyunsg
added
kind: backwards incompatible
We're now 6 months on, how are the numbers looking now? |
|
Running the query @dstufft posted above (#4350 (comment)):
It's receded slower than I'd anticipated. |
|
Thanks for running the query. Here's the same numbers with deltas, combined with the earlier numbers from #4350 (comment):
And charted:
And with a trendline:
|
|
Thanks @hugovk! ^.^ Looking at the general trend, I think we should come back to this in ~4/5 months from now. I propose 14 June 2018. :P |
I know that AppVeyor jobs for Python < 2.7.9 (also 3.4.0 but not 3.4.1+), installed using msi Windows installers, all started to fail because of the TLS issue and pip not being able to communicate with PyPI. I don't know about Linux or source compiled installations though. |
|
Today's numbers look like:
|
|
Charted:
With trendline:
|
|
That linear trendline is misleading; it will be an exponential with a tail that will never go to 0 (until it's forced to) |
|
Yeah, it does demonstrate that the decline slowing. |
|
Running this BigQuery again, for the past 6 months:
It's less than 5% now, so I'm happy to completely drop support in our next release. |
|
/cc @dstufft ^ |
|
@pradyunsg general follow up to what I was on about way earlier: is this about removing TLS 1.0 support or explicitly checking and rejecting Python <2.7.9? If the former, can you query against the TLS version used rather than the Python version reported? |
|
Charted, this time with a polynomial trendline:
|
|
@nicktimko I think the biggest thing is just simply reducing the surface area of support we have. Generally we decide this on an X.Y basis, because that draws the cleanest lines around major changes. However, due to 2.7's age, 2.7.9 is a bit of a special case in that it introduced a backported ssl module from Python 3. This work would effectively allow us to better take advantage on the capabilities of that back ported SSL module, for instance we can use the configuration settings so that pip itself will not function with older versions of TLS, we can possibly start relying on the platform trust stores in more situations, etc. But really the biggest thing is narrowing the supported configurations. To @pradyunsg I think sub 5% is a perfectly fine point to drop support for older versions of 2.7. |
|
Filed #7362, where we can discuss the how we'd do the removal. If someone wants to discuss if, when or why, please continue to do so in this issue. |
|
For some reason GitHub gives me a 500 error on #7362, so I can't see the close reason. Anyway, do you think this should be swept into the general Python 2.7.* removals after pip 20.3 is released in October 2020? If so, close this? |
lock
bot
added
the
auto-locked
Older versions of Python 2.7 (prior to 2.7.9) don't have the capability to have a good TLS configuration, and thus it would be great to drop support for them. We're not currently at the point that we can do that, but I wanted to open this issue to both track that we should do that at some point, and also take notes about the current state and how to query in the future.
Results:
The results can be queried with:
The text was updated successfully, but these errors were encountered: