Back in my day, we had to write code in the awful Python 2 language (and pay t’mill owner for permission to come to work). But obviously everyone’s migrated to Python 3 by now, right?

Oh dear. Apparently not. The National Cyber Security Centre, part of GCHQ—the UK equivalent of the NSA—has issued a dire warning of infosec Armageddon unless people get off their backsides and update their code. (Beautiful plumage.)

You see, over 10 years ago, Python 2’s end-of-life date was set at 2015. It was later extended to 1/1/2020—and that’s only four months away, procrastination fans. (Fetch the comfy chair.)

Nudge-nudge, wink-wink. In this week’s Security Blogwatch, we say no more.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: EOBIM.

Bloody Vikings

What’s the craic? Carly Page turns to NCSC warns devs to shed Python 2 over fears of WannaCry-style incident:

The UK's National Cyber Security Centre [has] sounded the alarms over the impending end of life (EOL) of Python 2 … on 1 January 2020, after which there will be no more bug fixes or security updates. … The NCSC is urging devs to port their code to Python 3.

…

It notes that many popular projects such as NumPy, Requests, and TensorFlow have pledged to drop support … and some already have. … It’s also urging devs who maintain a library that others rely on to take heed of its warning.

Python? Catalin “Monty” Cimpanu tells us why we should care—UK cybersecurity agency warns devs to drop Python 2:

The reason the NCSC is warning companies … is because of the language's success. Since its creation in the mid-90s, Python has conquered the programming world, being one of today's most in demand languages, best paid, most studied, and most talked about.

…

[It’s] widely used in production environments, in places such as Google, Facebook, and Netflix. [It’s] predicted to overtake both C and Java in the coming years.

…

The agency is urging companies and developers alike to migrate their code to the newer Python version. [It] warns that companies who don't invest in migrating their Python 2.x code might end up in the same position as Equifax or the WannaCry victims.

Who is this shadowy government organization? A suspiciously pseudonymous “Rich M.” puns it up—Don’t constrict yourself, Python 2 slithers off into the sunset:

The end of life (EOL) date … has been a long time coming, but it's finally in sight. … So, if you're still using 2.x, it's time to port your code to Python 3. If you continue to use unsupported modules, you are risking the security of your organisation and data.

…

Stats from the Python Package Index, a repository of software developed and shared by the Python community, [show popular packages are each] downloaded millions of times per month. [But] most of the package downloads are still for Python 2.x versions. … Even if only a portion of these downloads are being used in live projects, the Python 2 EOL could potentially affect the security of millions of systems.

…

Improving the performance … and enhancing security [can both] be achieved by upgrading to Python 3. … This is an opportunity to improve how you manage your software dependencies and minimise your security debt.

…

Porting Python 2.x code to Python 3 can be … a daunting process. … The longer you wait to update … the more difficult updating will become.

But it’s been on the cards for 10 years! Sam Friedman—@blindspotgame—is all, like, mind.blown:

As a relatively new Python developer it still blows my mind that an entire developer base has been procrastinating on something this major for this long.

Nevertheless, Tim Erlin practices professional stoicism:

The widespread use and adoption of Python makes a migration like this nearly impossible to get right. … Popularity comes at a price, in this case. … Despite years of transition time and dual support for both versions, the EOL date will still come with a very large base of Python 2 code being used in production.



The effort to get developers to migrate to Python 3 has been underway for years, but Python 2 is deeply entrenched. Unfortunately, it’s likely to take a significant security incident to drive the last mile of migration.

Isn’t there some way we can blame Google? I hear that’s quite popular these days. Raymond Chee—@rchomium—tweets in disbelief:

I can't believe it's $CURRENT_YEAR and Google still returns Python 2 results when I search for Python documentation.

Can we learn from others? Dropbox’s Max Bélanger and Damien DeVille clue us in, in How we rolled out one of the largest Python 3 migrations ever:

Though we’ve relied on Python 2 for many years (most recently, we used Python 2.7), we began moving to Python 3 back in 2015. … If you’re using Dropbox today, the application is powered by a Dropbox-customized variant of Python 3.5.

…

As Python 2 has aged, the … toolchains [have] largely become obsolete. [So] continued use of Python 2 [had] a growing maintenance burden [which] made deploying native code [and] using new APIs more costly.

…

Our first step was to stop using the freezer scripts. Both bbfreeze and pywin32 lacked Python 3 support at this stage, leaving us little choice.

…

Successfully making a transition … at our scale … would require a gradual process. … There would have to be a way to expose a small/growing number of users to Python 3 in order to detect and fix bugs early.

And Dmytro Vdovychynskyi … is easy for you to say:

Preply just migrated to Python 3. It would have been much easier to do so in 2014.

…

We prefer speed over perfection. That’s why we had Python 2.X up till now. [But] hiring talent became harder — people want to work with the newest technology stack, which we were lacking.

…

Average server response time has decreased from 113 ms to 90 ms. Our users and crawlers are now a little happier too.

Why is this upgrade so darn hard? Jeremy Friesner explainifies:

Quick summary is that the Python devs thought it would be better to break backwards compatibility with Python 2, so as to have a "clean" language (unencumbered by awkward/obsolete ways of doing things) going forward with Python 3.

…

The benefit of that is that everything in Python 3 is "correct" (in the sense that a number of baked-in design mistakes discovered only after Python 1's public release were finally ripped out and redone). The drawback is a partial lack of backwards compatibility, requiring every Python program in the universe to be at least partially rewritten.



They decided to incur a lot of short-term developer pain in the hope of realizing a long-term gain in language quality. Regarding whether that was the right decision or not, I won't speculate.

Meanwhile, a slightly sarcastic @guyzmo will miss Python 2’s laughable Unicode support:

What will I do if I don't have to try:

s.encode().decode().encode().decode()

except UnicodeDecodeError:

… all the strings?

The moral of the story?

Are you using any Python 2 code? Are you sure?

And finally

Ige Ais





You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest website s… so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Daniel Stroud (cc:by-sa)

Keep learning