From mboxrd@z Thu Jan  1 00:00:00 1970
From: Alex Vong <alexvong1995@gmail.com>
Subject: Re: add DEPRECATION grace period: the upcoming Great Python2
	=?utf-8?Q?Purge=E2=84=A2?=
Date: Thu, 27 Dec 2018 23:52:06 +0800
Message-ID: <87wonvklw9.fsf@gmail.com>
References: <20181226093812.GR2581@macbook41> <87pnto8o76.fsf@fastmail.com>
	<20181226133355.5hqv35f3y5tm3gnk@thebird.nl>
	<20181227044713.GB2903@jasmine.lan>
Mime-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
	micalg=pgp-sha256; protocol="application/pgp-signature"
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([208.118.235.92]:40064)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <alexvong1995@gmail.com>) id 1gcXxO-0002il-PE
	for guix-devel@gnu.org; Thu, 27 Dec 2018 10:52:23 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <alexvong1995@gmail.com>) id 1gcXxL-0005zt-Js
	for guix-devel@gnu.org; Thu, 27 Dec 2018 10:52:22 -0500
Received: from mail-pl1-x633.google.com ([2607:f8b0:4864:20::633]:35314)
	by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <alexvong1995@gmail.com>)
	id 1gcXxJ-0005vq-KC
	for guix-devel@gnu.org; Thu, 27 Dec 2018 10:52:18 -0500
Received: by mail-pl1-x633.google.com with SMTP id p8so8920811plo.2
	for <guix-devel@gnu.org>; Thu, 27 Dec 2018 07:52:16 -0800 (PST)
In-Reply-To: <20181227044713.GB2903@jasmine.lan> (Leo Famulari's message of
	"Wed, 26 Dec 2018 23:47:13 -0500")
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: Leo Famulari <leo@famulari.name>
Cc: guix-devel@gnu.org

--=-=-=
Content-Type: text/plain

Hello everyone!

Leo Famulari <leo@famulari.name> writes:

> On Wed, Dec 26, 2018 at 02:33:55PM +0100, Pjotr Prins wrote:
>> A lot of software outside Guix still depends on Python2, for better or
>> worse. I don't believe EOL means they are going to drop security
>> updates. Leaf packages may well be in use today.
>
> I do think it means that the current Python team at python.org will stop
> issuing security updates for Python 2. [0]
>
> Previously, Guido van Rossum said "The way I see the situation for 2.7
> is that EOL is January 1st, 2020, and there will be no updates, not even
> source-only security patches, after that date. Support (from the core
> devs, the PSF, and python.org) stops completely on that date." [1]
>
> Well, Guido is no longer involved with Python, so maybe the situation
> has changed. In any case, I think we can expect third parties like Red
> Hat to keep maintaining Python 2 for some years, and we can use their
> work.
>
I suggest everyone to read these two LWN articles[0][1]. IMO, we should
start deprecating all python 2 packages which are already available in
python 3 and are not dependencies of python-2-only packages(*). Also, we
should not create python 2 definition for new python packages
anymore. Of course, we can make an exception if there's a demand for
it. This way, we can start warning everybody that python 2 is going EOL
and support is going to be dropped gradually. Right now,
'guix refresh -l python2' shows there're 1692 packages depending on
python 2.

For security updates, as Guido has mentioned python devs will no longer
provide security updates after 1/1/2020, which others seemed to
agree. You can read the whole thread here[2]. However, centos and debian
will still be supporting python 2 past that date. Centos will support
python 2 until 2024 and I suspect Debian will have to support it for
even longer since their next stable release (Debian 10 on 2020) will
include python 2.

Cheers,
Alex

(*): Should we make a new construct that does it? Also, I think we
should mention it in the guix blog, so others can learn about the
deprecation.

[0]: https://lwn.net/Articles/756628/
[1]: https://lwn.net/Articles/750833/
[2]: https://www.mail-archive.com/python-dev@python.org/msg100031.html

>> Is there a way we mark packages as DEPRECATED? I think we should not
>> just remove packages without a grace period. Deprecate for, say, 3
>> months or even 6 months is the way to do this. A deprecation tag
>> should include a time stamp that gives the (planned) removal time.
>
> Not exactly, although there is a 'deprecated-package' procedure that
> accepts a replacement package to supersede the deprecated package. It
> doesn't do what you suggest.
>

> [0] Already, the status of Python 2 is 'bugfix'. If it reaches "end
> of life", the bugfixing activity will presumably cease, although they do
> describe another 'security' status that seems lesser than 'bugfix':
> https://devguide.python.org/#status-of-python-branches
>
> [1]
> https://mail.python.org/pipermail/python-dev/2018-March/152348.html

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQQwb8uPLAHCXSnTBVZh71Au9gJS8gUCXCT1JgAKCRBh71Au9gJS
8tMpAQDYZypMSQxouvoJCFWwWYa8da9axRT1FyET/UvVG604VwEAt9tCt1SHi2Lw
R+GiLMaBS0hkkZWSPNYCL0WbWOl6ug0=
=iBHo
-----END PGP SIGNATURE-----
--=-=-=--