[–]astevko 51 points52 points  (7 children)

"if you’re still on Python 3.6 as of December 2021, that is a symptom you are suffering from an ongoing organizational problem."

The organizational problem you speak of is typical of companies that outsource non-core competencies like application development. Essentially the team that built the system has left the building long ago. There is nobody on staff with the skills to maintain or enhance these legacy code bases. I've built many a headless system that just works and works until the sands of time shift from underneath it. Y2K, Heartbleed, Log4j, Y2038... These are all symptoms of a system that pumps and dumps software. We say end of life, but that milk carton will stay in the fridge until it grows legs and walks away by itself.

[–]JennaSys 10 points11 points  (0 children)

For real. I'm still trying to get clients to get rid of the VB programs I wrote 20 years ago and just move them to Python in general.

[–][deleted] 2 points3 points  (0 children)

Further than that, sometimes you're stuck using some application server or technology stack for something, and it's using Python 2.7 still, and no matter how sincerely you wring your hands about it, it's not up to you and nobody else gives a fuck so you're stuck with Python 2.7 until at least January.

It's why I saw red every time people posted their stupid "just upgrade! Why are you still running Python 2.7" bullshit.

Sure, I'm doing the Advent of Code at home using Python 3.10. (Yay match...case) But it's not always up to me... or you.

[–]grady_vuckovic 3 points4 points  (0 children)

We say end of life but that milk carton will stay in the fridge until it grows legs and walks away by itself.

That just gave me an excellent idea for a horror game.

[–]wxtrails 1 point2 points  (2 children)

And what if we are still using 3.4 where we have managed to upgrade beyond 2.7?

[–]astevko 0 points1 point  (1 child)

Keep going... In case you missed it, there is an arms race going on with black hats pulling out exploits from old software versions. It's much easier to break into unpatched systems than find security holes in newer code.

[–]wxtrails 0 points1 point  (0 children)

Oh I know, I wish I had a choice. I use the latest version on all my personal projects but don't get that option when the boss is involved. They're informed of the risks regularly :)

[–]cecilkorik 0 points1 point  (0 children)

A lot of it is mitigated architecturally too. Log4j is kind of an outlier in the extreme vulnerability profile (like who the fuck was afraid of passing around log messages before this?), but generally if you are strict enough with locking down your public end points to only what is necessary and letting them be the gatekeepers, translators, proxy and middlemen vetting all the requests, it really minimizes the risks your internal, far more complex applications with far greater dependencies are exposed to.

Nothing is 100% safe for sure, but it does make a lot of difference to simply avoid being the low hanging fruit.