Python 2.7.9 brings network security fixes and 3.x backports

The latest bugfix release addresses the POODLE attack against SSL 3.0 and folds in compatibility backports from the 3.x branch

Python 2.7.9, the latest bugfix release for the 2.x branch of the language, landed earlier today. In keeping with 2.x being in maintenance mode and 3.x being the preferred branch, this version adds no new features. But it lands as the maintainers of the language are trying to get a better idea of how the push to move people from 2.x to 3.x is working out.

Python 2.7.9's fixes address the networking weaknesses exposed by the POODLE attack, which set off a general scramble within the IT world to repair infrastructure. POODLE is not a Python bug but a flaw in the SSL 3.0 protocol itself (its CBC padding is unauthenticated), so the remedy on the client side is to stop negotiating SSLv3 at all. In Python's case, the fixes amounted to backporting 3.4's "ssl" module into 2.7.9 (PEP 466), turning off SSLv3 by default in httplib and the modules built on top of it, and enabling HTTPS certificate validation, against the system's certificate store, by default (PEP 476).

Python's creators have been trying to move its base of 2.x users to the 3.x branch of the language for some time now. The 2.x branch is regarded as an LTS release of Python, and there are no plans to release a 2.8 version. (For a laugh, check out the official documentation about this decision; note the document ID number.) The push has met with limited success, since the core audience for Python 2.x remains large and vocal, and so the maintenance lifetime of Python 2.x has been extended to 2020.

Some inertia stems from many developers finding Python 2.x good enough for what they're doing, and from 3.x having introduced changes that break existing 2.x code (most visibly, "print" becoming a function rather than a statement). As a result, many 2.x bugfix releases have included features from the 3.x line. Python 2.7.9, for instance, contains the "ensurepip" module, a Python 3.4 addition. It's backported to 2.7.9 to aid future migrations from 2.x to 3.x, and other Python implementations are backporting the module to better support their own (largely legacy) user bases.

An annual survey published by Python developer Bruno Cauet that tracks Python usage between versions 2 and 3 shows why 2.x is still such a stalwart. The 2.7.9 release comes hot on the heels of the latest edition of this survey; the previous year's edition garnered 4,700 responses. According to the survey, 2.x usage remains high because of the large remaining legacy base of code dependencies. That said, a majority of respondents (77 percent) didn't feel Python 3.x was "a mistake." The results from the latest survey are scheduled to be published by the end of the year.

Copyright © 2014 IDG Communications, Inc.