Gentoo Archives: gentoo-dev

From: Lars Wendler <polynomial-c@g.o>
To: "Michał Górny" <mgorny@g.o>
Cc: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] Python 2 cleanup update
Date: Mon, 28 Sep 2020 09:13:09
Message-Id: 20200928111257.632ed46d@abudhabi.paradoxon.rec
In Reply to: [gentoo-dev] Python 2 cleanup update by "Michał Górny"
1 Hi folks,
2
3 On Sun, 27 Sep 2020 19:45:22 +0200 Michał Górny wrote:
4
5 >Hello, everyone.
6 >
7 >TL;DR: we're nearing the total annihilation of Python 2 software
8 >in Gentoo. Most users could safely disable py2 USE flags today.
9 >Python 2 vulns have been patched recently, the interpreter and a few
10 >packages using Python at build time (with no deps) will stay. Should
11 >we change PYTHON_TARGETS now, or wait some more and just annihilate
12 >the py2 flag from all packages?
13 >
14 >
15 >Long version:
16 >
17 >We're reached the point where the majority of packages relying on py2
18 >have either been ported to py3, removed or masked for removal.
19 >As a result, I've been able to eliminate python2_7 target from the vast
20 >majority of dev-python/* packages. On their next system upgrade, our
21 >users are going to notice most of Python 2.7 modules gone from their
22 >systems.
23 >
24 >However, because of their reverse dependencies a few packages can't
25 >lose their py2.7-iness, and therefore are going to block depcleaning
26 >Python 2.7 for now. These include old versions of setuptools, numpy,
27 >pillow, as well as all versions of cython, nose, pykerberos, pyyaml
28 >and their dependencies. The major blockers for them are:
29 >
30 >- dev-lang/gdl (py entirely optional but the package itself is
31 >seriously broken)
32 >
33 >- dev-db/mongodb (py3 version was just stabilized, need to decide how
34 >to clean old versions up)
35 >
36 >- games-engines/renpy (no py3 version yet)
37 >
38 >- media-tv/kodi (py3 version in alpha)
39 >
40 >We plan to have these packages fixed or removed by the deadline.
41 >
42 >
43 >However, we already know that there are some packages that use Python 2
44 >at build time and that will keep requiring it past the deadline.
45 >The initial list includes:
46 >
47 >- dev-python/pypy* (TODO: need to figure bootstrap out)
48 >
49 >- dev-lang/spidermonkey, www-client/seamonkey, www-client/firefox...
50 >(thank you, Mozilla)
51
52 I've already talked to seamonkey upstream about this and I was told
53 that they will shift to python3 with seamonkey-2.57 release (which will
54 be the followup release to the 2.53.x series) but they could not tell
55 me even an approximate release date.
56 seamonkey upstream only has loose bindings to Mozilla (they still use
57 Mozilla's bugzilla but their development repos are now on gitlab) and
58 their man-power is quite low so I do not expect 2.57 releases before
59 the year 2021. I hope we can keep dev-lang/python:2.7 for the time
60 being.
61
62 >- www-client/chromium, dev-qt/qtwebengine... (thank you, Google)
63 >
64 >Sadly, the big corps are too busy improving their spying functionality
65 >and creating NIH programming languages to take care of such minor
66 >matters as cleaning up.
67 >
68 >The general rule is that py2.7 may remain in packages that use it
69 >at build time only (i.e. don't install anything depending on Python)
70 >and have no dependencies on Python packages (i.e. don't require any
71 >other packages to install py2.7 modules). Or to put it otherwise,
72 >python-r1 and python-single-r1 will lose py2.7 support entirely, while
73 >python-any-r1 will retain minimal support without dependencies.
74 >
75 >
76 >This also implies that we're going to keep Python 2.7 itself for as
77 >long as necessary, and patch it if possible. I should take this
78 >opportunity to remind you that it's quite possible that the
79 >interpreter itself has unknown vulnerabilities. Only recently I've
80 >backported two sec fixes from Python 3 which no other distribution
81 >(including the one promising paid support for Python 2 for next years)
82 >or upstream (including all these boasting that they're going to
83 >maintain Python 2 themselves) has even noticed (to the best of my
84 >knowledge).
85 >
86 >
87 >An open question is whether we should remove python2_7 from
88 >PYTHON_TARGETS now. If we do that, it will permit the vast majority of
89 >Gentoo users to depclean Python 2.7 today, independently of how long
90 >the maintainer of renpy is going to block it, with only a few users
91 >having to enable the flag manually. However, doing this makes sense
92 >only if we're really going to delay the impeding doom long.
93 >
94 >I will probably prepare an updated news item for Python 2.7 removal,
95 >to replace the one from February with the updated plan, current
96 >information and helpful tips.
97 >
98 >
99 >Finally, I would like to thank all the helpful package maintainers,
100 >arch teams and other developers who have made this possible.
101 >
102
103
104 Cheers
105 --
106 Lars Wendler
107 Gentoo package maintainer
108 GPG: 21CC CF02 4586 0A07 ED93 9F68 498F E765 960E 9B39