Does Guix provide security support for Python2? For how long?

Does Guix provide security support for Python2? For how long?

[Jorge P. de Morais Neto]

Hi.  I use Guix on a foreign distro---Debian buster (current stable).  I
want to upgrade Debian to bullseye (current testing), but bullseye does
not provide security support for Python 2.  I still use Python 2 for
OfflineIMAP.  There is a Python 3 port of OfflineIMAP, but it was done
very recently and I fear it is probably be buggy.  So I would like to
install Guix Python 2 atop Debian bullseye just for OfflineIMAP.  Would
that work fine?  Does Guix, unlike Debian bullseye, still provide
security support for Python 2?  For how long?

Regards

-- 
- <https://jorgemorais.gitlab.io/justice-for-rms/>
- If an email of mine arrives at your spam box, please notify me.
- Please adopt free/libre formats like PDF, ODF, Org, LaTeX, Opus, WebM and 7z.
- Free/libre software for Replicant, LineageOS and Android: https://f-droid.org
- [[https://www.gnu.org/philosophy/free-sw.html][What is free software?]]

Re: Does Guix provide security support for Python2? For how long?

[zimoun]

Hi,

On Fri, 15 Jan 2021 at 17:02, Jorge P. de Morais Neto
<jorge+list@disroot.org> wrote:
>
> Hi.  I use Guix on a foreign distro---Debian buster (current stable).  I
> want to upgrade Debian to bullseye (current testing), but bullseye does
> not provide security support for Python 2.  I still use Python 2 for
> OfflineIMAP.  There is a Python 3 port of OfflineIMAP, but it was done
> very recently and I fear it is probably be buggy.  So I would like to
> install Guix Python 2 atop Debian bullseye just for OfflineIMAP.  Would
> that work fine?  Does Guix, unlike Debian bullseye, still provide
> security support for Python 2?  For how long?

As far as I know, Guix provides the security support that upstream releases.

Using the Guix time-machine, the code that works now should work
exactly the same in the future, even if Python 2 is removed in the
future Guix releases.  Does it make sense?


All the best,
simon

Re: Does Guix provide security support for Python2? For how long?

[Jorge P. de Morais Neto]

Hi.

Em [2021-01-15 sex 18:07:40+0100], zimoun escreveu:

> As far as I know, Guix provides the security support that upstream
> releases.

I too suppose so in general.  But I would like a more authoritative
answer for the specific case of Python2.  And, in fact, this should be
publicly documented---in the manual or in the website, as well as the
description of the python2 package and maybe also in the description of
all python2-.* packages.

> Using the Guix time-machine, the code that works now should work
> exactly the same in the future, even if Python 2 is removed in the
> future Guix releases.  Does it make sense?

The problem is that OfflineIMAP is Internet software, and therefore, I
believe, it is important to have security support for it (including its
dependencies).

Regards

-- 
- <https://jorgemorais.gitlab.io/justice-for-rms/>
- If an email of mine arrives at your spam box, please notify me.
- Please adopt free/libre formats like PDF, ODF, Org, LaTeX, Opus, WebM and 7z.
- Free/libre software for Replicant, LineageOS and Android: https://f-droid.org
- [[https://www.gnu.org/philosophy/free-sw.html][What is free software?]]

Re: Does Guix provide security support for Python2? For how long?

[dario]

[-- Attachment #1: Type: text/plain, Size: 1328 bytes --]

Hi,


I don't know the answer to your question and you are probably
aware of
that option, but I just wanted to mention that you could consider
switching to mbsync, which (I think) also has better performance
than
offlineimap. It's a bit annoying to migrate the configuration, but
it
does not require that much time (I made that switch some time
ago).


Best,

Dario


Jorge P. de Morais Neto <jorge+list@disroot.org> writes:

> Hi.
>
> Em [2021-01-15 sex 18:07:40+0100], zimoun escreveu:
>
>> As far as I know, Guix provides the security support that
>> upstream
>> releases.
>
> I too suppose so in general.  But I would like a more
> authoritative
> answer for the specific case of Python2.  And, in fact, this
> should be
> publicly documented---in the manual or in the website, as well
> as the
> description of the python2 package and maybe also in the
> description of
> all python2-.* packages.
>
>> Using the Guix time-machine, the code that works now should
>> work
>> exactly the same in the future, even if Python 2 is removed in
>> the
>> future Guix releases.  Does it make sense?
>
> The problem is that OfflineIMAP is Internet software, and
> therefore, I
> believe, it is important to have security support for it
> (including its
> dependencies).
>
> Regards

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 519 bytes --]

Re: Does Guix provide security support for Python2? For how long?

[Jorge P. de Morais Neto]

Hi.

Em [2021-01-15 sex 19:17:41+0100], dario escreveu:

> I don't know the answer to your question and you are probably aware of
> that option, but I just wanted to mention that you could consider
> switching to mbsync, which (I think) also has better performance than
> offlineimap.  It's a bit annoying to migrate the configuration, but it
> does not require that much time (I made that switch some time ago).

Continuing in OfflineIMAP would have the advantage of not having to
redownload 1.6GB of email, but I thank you for the recommendation.  In
fact, a few minutes ago I have asked for mail fetcher recommendations on
the notmuch mailing list.  I want to hear many recommendations and make
a final decision.  I will take into account yours and any others I
receive in this thread.

Regards

-- 
- <https://jorgemorais.gitlab.io/justice-for-rms/>
- If an email of mine arrives at your spam box, please notify me.
- Please adopt free/libre formats like PDF, ODF, Org, LaTeX, Opus, WebM and 7z.
- Free/libre software for Replicant, LineageOS and Android: https://f-droid.org
- [[https://www.gnu.org/philosophy/free-sw.html][What is free software?]]

Re: Does Guix provide security support for Python2? For how long?

[Leo Famulari]

[-- Attachment #1: Type: text/plain, Size: 1372 bytes --]

On Fri, Jan 15, 2021 at 02:18:09PM -0300, Jorge P. de Morais Neto wrote:
> Em [2021-01-15 sex 18:07:40+0100], zimoun escreveu:
> 
> > As far as I know, Guix provides the security support that upstream
> > releases.
> 
> I too suppose so in general.  But I would like a more authoritative
> answer for the specific case of Python2.  And, in fact, this should be
> publicly documented---in the manual or in the website, as well as the
> description of the python2 package and maybe also in the description of
> all python2-.* packages.

Because Python 2 is not supported upstream — at <https://python.org> —
we do not offer any security support for it.

If some other organization began supporting it, we might consider
switching to that source. But for now, the plan is to remove Python 2
from Guix before very long.

In general, Guix provides no security support for packages besides what
upstream provides. There may be exceptions but they are exceptional. I
don't agree that we should specifically document how much we support
certain packages. For every package, the best we can offer is what the
upstream developers provide. Guix is a distributor, and therefore we do
not do software development of packages.

Regarding offlineimap, if they do not port the software to Python 3, I
recommend switching to mbsync, from the isync package.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: Does Guix provide security support for Python2? For how long?

[zimoun]

Hi,

On Fri, 15 Jan 2021 at 18:18, Jorge P. de Morais Neto
<jorge+list@disroot.org> wrote:
> Em [2021-01-15 sex 18:07:40+0100], zimoun escreveu:
>
> > As far as I know, Guix provides the security support that upstream
> > releases.
>
> I too suppose so in general.  But I would like a more authoritative
> answer for the specific case of Python2.  And, in fact, this should be
> publicly documented---in the manual or in the website, as well as the
> description of the python2 package and maybe also in the description of
> all python2-.* packages.

As far I know, Python 2 is End Of Life and not supported upstream.
Therefore, if your question is: will Guix people fix Python 2
security?  Then the answer is no.
However, please indicate if an organization is still maintaining
Python 2 and maybe Guix could package their release.


> > Using the Guix time-machine, the code that works now should work
> > exactly the same in the future, even if Python 2 is removed in the
> > future Guix releases.  Does it make sense?
>
> The problem is that OfflineIMAP is Internet software, and therefore, I
> believe, it is important to have security support for it (including its
> dependencies).

In this case, please consider to switch from OfflineIMAP to something else.
Guix is about packaging, not supporting security from deprecated upstream.

All the best,
simon