This tutorial explains the security risks of using Python 2 past End of Life (EOL) and explores ways to secure Python 2 past EOL with ActiveState.
The Python 2 programming language is no longer supported by the Python Software Foundation (PSF). As such, the majority of third-party packages and libraries are no longer supported or actively updated by the open source Python community.
However, organizations continue to have extensive Python 2 code in production even years after Python 2 EOL.
In this article, we shall look at the ramifications of the sunsetting of Python 2 in general, and what it means for organizations still running Python 2 code today, in particular.
What is Python 2 EOL
Python 2.0 was first released in 2000. Shortly thereafter (in 2006), work began on Python 3.0, which introduced breaking changes in order to address some of the fundamental shortcomings in Python 2. As a result, the PSF has been maintaining and publishing both Python 2 and Python 3 for almost 15 years, splitting its resources between both generations.
The PSF announced several dates for sunsetting Python 2 in favor of Python 3, notably in 2015 and 2020. The final date, January 1st, 2020, was kept.
In April 2020, Python 2.7.18 was released, which was the last version released by the PSF for Python 2. As of this writing, Python 2 is no longer maintained by the PSF and there will be no more releases under Python 2.
Hence, Python 2 is now End of Life (EOL).
Security Risks For Using Python 2 Past EOL
What becomes of the future of Python 2 after its EOL? What does it mean for organizations that are still running a Python 2 codebase?
- No more security patches or bug fixes will be provided by the creators (PSF) or open source community, even as new vulnerabilities emerge over time. If any security issues are reported in Python 3, they won’t be addressed in Python 2.
- Most popular third-party projects have already abandoned Python 2 support in favor of Python 3. This means that in order to use their new features and benefit from new security patches and bug fixes, you’ll need to be using Python 3.
- Platform support for Python 2 will diminish. Linux distributions, macOS, and most cloud service providers are moving toward Python 3. Though a few of them still provide support for Python 2, they do not guarantee it to last for long.
- All resources are diverted to Python 3, including new books, online tutorials, coding academies, etc. As a result, it will be difficult to find help on issues found in Python 2.
While each organization should evaluate its risk with respect to Python 2 applications, that risk can only continue to grow over time.
Ways To Manage Python 2 Past EOL
Now that Python 2 is EOL, bugs and security issues will no longer be fixed by the PSF or open source community. As a result, organizations currently running Python 2 code have four choices:
- Do nothing
- Migrate from Python 2 to 3
- Use an alternative interpreter
- Go for commercial support
Let us understand these in detail below:
#1) Do Nothing
Many companies invoke the adage, “if it ain’t broken, don’t fix it” in order to justify sticking with deprecated technologies. Others cite the cost (both in terms of dollars and opportunity costs) of migrating or rewriting the application.
As a result, Python applications that aren’t exposed to the public, but are rather used internally by the company, may still be running legacy code. In these cases, depending on your risk profile, “do nothing” might be an attractive option.
However, you will still be affected by diminished support for your packages and platforms over time, leading to increased maintenance costs. Other organizations running Python 2 in public-facing applications will certainly require a more proactive solution.
#2) Port Python 2 Code to Python 3
Migration is an option recommended by the creators of Python, who have provided a guide to help with porting code. Based on the codebase size and number of external dependencies, the cost of porting can vary.
The idea here is to check any line of code that is Python 2 dependent and convert it to Python 3. For example, in Python 2 we have a print statement while in Python 3 it was changed to a print function.
Example 1: Print in Python 2 and Python 3
```
>>> print "Hello World!"    # Python 2 - Print statement
Hello World!
>>> print("Hello World!")   # Python 3 - Print function
Hello World!
```
Sometimes, however, your codebase may depend on a library that is not currently available for Python 3. In these cases, you may be able to find alternative dependencies that will provide the same functionality. However, most popular libraries like TensorFlow, scikit-learn, etc. support Python 3 already.
To see if your application is easily portable to Python 3, the PSF recommends caniusepython3. It takes in a set of dependencies and then figures out which of them may hold you back from porting to Python 3.
(Note of caution: caniusepython3 is no longer actively developed).
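A dependency check does not show how much of your own source still relies on Python 2. The script below is an added example, not code from this article or from the PSF. Run under Python 3, it triages a file for Python 2-only syntax and for common Python 2 idioms; the idiom list, the function name `audit_source` and the sample input are assumptions chosen for illustration and are not exhaustive.

```python
import ast
import re

# Python 2 idioms that still parse under Python 3 but fail at run time.
# Illustrative list only (an assumption of this example), not a complete catalogue.
PY2_IDIOMS = {
    "raw_input": re.compile(r"\braw_input\s*\("),
    "xrange": re.compile(r"\bxrange\s*\("),
    "unicode": re.compile(r"\bunicode\s*\("),
    "dict.iter*": re.compile(r"\.iter(items|keys|values)\s*\("),
    "dict.has_key": re.compile(r"\.has_key\s*\("),
    "urllib2": re.compile(r"^\s*(import|from)\s+urllib2\b"),
}


def audit_source(source, filename="<string>"):
    """Return sorted (line_number, finding) tuples for one file's source text."""
    findings = []
    try:
        ast.parse(source, filename=filename)
    except SyntaxError as exc:
        # Python 2-only syntax such as the print statement or `except E, e`.
        # The parser stops at the first error, so at most one is reported per file.
        findings.append((exc.lineno or 0, "syntax error under Python 3: " + exc.msg))
    for lineno, line in enumerate(source.splitlines(), start=1):
        code = line.split("#", 1)[0]  # crude comment strip; ignores '#' inside strings
        for name, pattern in PY2_IDIOMS.items():
            if pattern.search(code):
                findings.append((lineno, "Python 2 idiom: " + name))
    return sorted(findings)


# Constructed sample input: a small Python 2 script.
SAMPLE = '''\
import urllib2
name = raw_input("user: ")
for i in xrange(3):
    print "Hello World!"
'''

if __name__ == "__main__":
    for lineno, finding in audit_source(SAMPLE, "sample.py"):
        print("sample.py:%d: %s" % (lineno, finding))
```

Because parsing stops at the first syntax error, fix that finding and re-run to surface the next one.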
#3) Run an Alternative Python 2 Interpreter
If transitioning to Python 3 is not an option, you may run your codebase on a third-party Python 2 runtime that offers support for Python 2 beyond EOL. Some options include Tauthon, PyPy, and IronPython.
While none of these options offer commercial support or Service-Level Agreement (SLA) terms, they may be a good enough solution depending on your risk profile.
#4) Get Extended Python 2 Support from Commercial Vendors
The Python.org site lists some vendors who provide commercial support services for Python 2, either to help with migration or to provide ongoing support for running Python 2 applications beyond EOL. Among these vendors is ActiveState.
In the next section, we shall look at ActiveState, the most prominent vendor in this space.
Secure Python 2 with ActiveState
If you are still running Python 2 and require commercial support including security updates, or you want a smooth migration plan to Python 3, then ActiveState is your best vendor choice.
As a founding member of the Python Software Foundation, and with over 20 years of providing Python 2 and 3 commercial support, ActiveState has extensive experience supporting Python across various industries.
Notably, ActiveState actively monitors and fixes known vulnerabilities that emerge over time, including those that impact Python 2 directly and those that affect Python 3 and consequently affect Python 2.
As part of their Python 2 support initiatives, ActiveState conducted a survey to understand how organizations were preparing for Python 2 EOL.
Amongst their key findings are:
- Over 50% of organizations did not have a plan for Python 2 EOL or were not sure if they did.
- Package vulnerabilities, bug fixing, and core Python 2 vulnerabilities were the most cited challenges for supporting Python 2.
- 54% said that finding replacement packages for Python 2 that haven’t been rewritten in Python 3 was the main challenge of migration.
ActiveState Extended Support for Python 2
ActiveState has been providing extended support for Python 2 for organizations that are currently unable or not ready to migrate to Python 3.
As part of their Python 2 support, ActiveState provides:
- Python 2 Security Updates: ActiveState has been continually monitoring and fixing Python 2 vulnerabilities. Patches are developed in several ways, including backporting patches from Python 3 libraries, working with community contributors, and development work from ActiveState’s own Python experts.
- Python 2 Technical Support: ActiveState’s Python experts provide SLA-backed support via phone, email, and chat for major operating systems like Windows, Linux, macOS, and other legacy operating systems.
- Updated Packages: New versions of third-party Python 2 packages and libraries may be provided as needed.
You can request a free assessment to see whether you have existing vulnerabilities and how ActiveState can secure and support your Python 2 applications.
Python 2 Migration Support
ActiveState can help you create a smooth migration plan from Python 2 to Python 3. Some of the areas in which ActiveState can provide guidance include:
- Which third-party Python 2 packages and libraries have suitable migration targets, and which are no longer supported, and/or have modified their licensing terms.
- Migration tooling advice, depending on your approach.
- Which Python 3 packages are well-maintained and suitably licensed for commercial use.
Managed Python Distributions
With over 20 years of experience supporting Fortune 500 enterprises, ActiveState can provide customized and managed Python distributions so that you can focus on creating real business value.
Frequently Asked Questions
Q #1) Is Python 2 finally dead?
Answer: Python 2 reached End Of Life on January 1st, 2020. As of this writing, Python 2 is no longer maintained by the Python Software Foundation and most popular packages have already migrated to Python 3.
Q #2) Why is Python 2.7 still used?
Answer: A survey carried out by ActiveState tells us that some enterprises still use Python 2 because:
- Some key libraries and packages have no equivalent in Python 3 or have yet to be ported.
- Large codebases require a large investment to port from v2 to v3, which some organizations can’t afford at this time.
- Some organizations are simply willing to live with the risk, even as Python 2 security threats continue to emerge.
Q #3) Is Python 2 still supported?
Answer: Official support and maintenance for Python 2 ended on January 1, 2020. The Python Software Foundation no longer offers bug fixes and security patches. However, some alternative Python 2 implementations (such as Tauthon and IronPython) continue to provide support.
Additionally, some commercial vendors continue to provide extended support for Python 2, such as ActiveState.
Q #4) Is Python 2 or 3 better?
Answer: Python 2 is outdated and no longer maintained by the Python Software Foundation. Python 3 is more powerful, reliable, and highly recommended. Unlike Python 2, Python 3 is actively maintained by the Python Software Foundation, so free bug fixes and security patches are made available.
Q #5) Should I use Python 2?
Answer: It is recommended to use Python 3 rather than Python 2, as Python 2 is outdated and no longer supported by the core creators. However, if you are still running Python 2, you can purchase Python 2 extended support from vendors like ActiveState in order to decrease the security risks associated with running a Python 2 application.
Q #6) How is ActiveState’s Python 2 extended support priced?
Answer: ActiveState provides Python 2 support with their Enterprise tier licensing. Pricing varies based on customer requirements.
Conclusion
In this article, we looked at what Python 2 End of Life is all about, and the security risks it poses for organizations still running Python 2 applications.
We also looked at ways to mitigate the risk of running an increasingly vulnerable Python 2 codebase.
Finally, we discussed how ActiveState’s extended support for Python 2 can help decrease the risk of running Python 2 in your organization with continuing support and security updates.