On 06/21/2014 02:48 PM, Ethan Furman wrote:
> On 06/21/2014 02:37 PM, M.-A. Lemburg wrote:
>>
>> My answers to these are: 1. We should use dynamic linking
>> instead and not let OpenSSL bugs trigger Python releases; 2.
>> It's not a big problem; 3. Yes, please, since it is difficult
>> for people to develop and debug their extensions with a
>> 2008 compiler, when the rest of the world has long moved on.
>
> +1 (assuming not incredibly difficult and those that can are willing ;)

Revising this to:

+1, -0, -1

It seems to me the intention of supporting 2.7 for so long was not to give ourselves additional nightmares, but to
provide a basic level of support for those who are needing longer time before migrating. One of the reasons to migrate
is to avoid future pain (pain is an excellent motivator -- it's why we don't go to the doctor when we're healthy, right?
;) If getting new or updated modules becomes more painful then that's motivation to upgrade -- not motivation for us to
make both our lives (with the extra work) and everyone's else lives (why isn't this module working? oh, wrong compiler)
more difficult.

--
~Ethan~

On Jun 21, 2014, at 6:00 PM, Steve Dower <***@microsoft.com> wrote:

> We can always lie about the version in sys.version. Existing code is unaffected and new code will have to use version_info (Windows developers will know that Windows pulls tricks like this every other version... doesn't make it a great idea, but it works).
>
> Changing compiler without changing at least the install directory and preventing in place upgrades is a really bad idea, and with those mitigations is only pretty bad. I'm torn here, because I know the current situation hurts, but it'd probably only move to VC10 which will hurt just as much in a few years... there are better tooling solutions (yes, I'm working on some behind the scenes).
>
> A separate distro of _ssl and _hashlib wouldn't be too hard and has the same effect as a dynamically linked OpenSSL. Maybe we can make these PyPI updateable?

Stuff from PyPI installs later on in the sys.path than the stdlib. I wish it were different but it means without sys.path shenanigans you can’t replace the stdlib with something from PyPI.

>
> Top-posted from my Windows Phone
> From: M.-A. Lemburg
> Sent: ý6/ý21/ý2014 14:38
> To: Chris Angelico
> Cc: Python-Dev
> Subject: Re: [Python-Dev] Python 2.7 patch levels turning two digit
>
> On 21.06.2014 22:34, Chris Angelico wrote:
> > On Sun, Jun 22, 2014 at 2:57 AM, M.-A. Lemburg <***@egenix.com> wrote:
> >> On 21.06.2014 12:51, Nick Coghlan wrote:
> >>> Such code has an easy fix available, though, as sys.version_info has
> >>> existed since 2.0, and handles two digit micro releases just fine. The
> >>> docs for sys.version also have this explicit disclaimer: "Do not
> >>> extract version information out of it, rather, use version_info and
> >>> the functions provided by the platform module."
> >>
> >> I don't think that's a good argument. Of course, there are
> >> better ways to figure out the version number, but fact is,
> >> existing code, even in the stdlib, does use and parse
> >> the sys.version string version.
> >>
> >> During Python's lifetime, we've always avoided two digit
> >> version numbers, so people have been relying on this, even
> >> if it was never (AFAIK) documented anywhere.
> >
> > It's going to be a broken-code-breaking change that's introduced in a
> > point release, but since PEP 404 implicitly says that there won't be a
> > 2.10.0, there's no way around that. Although actually, a glance at the
> > stdlib suggests that 2.10.0 (or 3.10.0) would break a lot more than
> > 2.7.10 would break - there are places where sys.version[:3] is used
> > (or equivalents like "... %.3s ..." % sys.version), or a whole-string
> > comparison is done against a two-part version string (eg: sys.version
> >> = "2.6"), and at least one place that checks sys.version[0] for the
> > major version number, but I didn't find any that look at
> > sys.version[:5] or equivalent. Everything that cares about the
> > three-part version number seems to either look at
> > sys.version.split()[0] or sys.version_info. Do you know where this
> > problematic code is?
> >
> > I checked this in the 2.7.3 stdlib as packaged on my Debian Wheezy
> > system, for what it's worth.
>
> There are no places in the stdlib that parse sys.version in a
> way that would break wtih 2.7.10, AFAIK. I was just referring
> to the statement that Nick quoted. sys.version *is* used for
> parsing the Python version or using parts of it to build
> e.g. filenames and that's really no surprise.
>
> That said, and I also included this in my answers to the questions
> that Nick removed in his reply, I don't think that a lot of
> code would be affected by this. I do believe that we can use
> this potential breakage as a chance for improvement. See the last
> question (listed here again)...
>
> 1. Is it a good strategy to ship to Python releases for every
> single OpenSSL security release or is there a better way to
> handle these 3rd party issues ?
>
> 2. Should we try to avoid two digit patch level release numbers
> by using some other mechanism such as e.g. a release date
> after 2.7.9 ?
>
> 3. Should we make use of the potential breakage with 2.7.10
> to introduce a new Windows compiler version for Python 2.7 ?
>
> My answers to these are: 1. We should use dynamic linking
> instead and not let OpenSSL bugs trigger Python releases; 2.
> It's not a big problem; 3. Yes, please, since it is difficult
> for people to develop and debug their extensions with a
> 2008 compiler, when the rest of the world has long moved on.
>
> --
> Marc-Andre Lemburg
> eGenix.com
>
> Professional Python Services directly from the Source (#1, Jun 21 2014)
> >>> Python Projects, Consulting and Support ... http://www.egenix.com/
> >>> mxODBC.Zope/Plone.Database.Adapter ... http://zope.egenix.com/
> >>> mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/
> ________________________________________________________________________
> 2014-06-17: Released eGenix PyRun 2.0.0 ... http://egenix.com/go58
> 2014-06-09: Released eGenix pyOpenSSL 0.13.3 ... http://egenix.com/go57
> 2014-07-02: Python Meeting Duesseldorf ... 11 days to go
>
> eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48
> D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
> Registered at Amtsgericht Duesseldorf: HRB 46611
> http://www.egenix.com/company/contact/
> _______________________________________________
> Python-Dev mailing list
> Python-***@python.org
> https://mail.python.org/mailman/listinfo/python-dev
> Unsubscribe: https://mail.python.org/mailman/options/python-dev/steve.dower%40microsoft.com
> _______________________________________________
> Python-Dev mailing list
> Python-***@python.org
> https://mail.python.org/mailman/listinfo/python-dev
> Unsubscribe: https://mail.python.org/mailman/options/python-dev/donald%40stufft.io


-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

On Sun, Jun 22, 2014 at 8:00 AM, Steve Dower <***@microsoft.com> wrote:
> We can always lie about the version in sys.version. Existing code is
> unaffected and new code will have to use version_info (Windows developers
> will know that Windows pulls tricks like this every other version... doesn't
> make it a great idea, but it works).

I'd prefer a change of format to an outright lie. Something like
"2.7._10" which will sort after "2.7.9". But ideally, nothing at all -
just go smoothly to "2.7.10" and let broken code be broken. It'll
think it's running on 2.7.1, and if anything needs to distinguish
between 2.7.1 and 2.7.x, hopefully it's using version_info.

ChrisA

On Jun 23, 2014, at 4:31 PM, Martin v. Löwis <***@v.loewis.de> wrote:

>>
>> Would that mitigate the pain, assuming that
>> Steve (or someone else) would be willing to build the additional
>> installers for the transition period? I've done something similar on a
>> smaller scale with the OS X 32-bit installer for 2.7.x but that impact
>> is much less as the audience for that installer is much smaller.
>
> Well, the question really is whether precompiled extension modules
> available from PyPI would work on both compilers. I understand that
> for OSX, you typically don't have precompiled binaries for the extension
> modules, so installation compiles the modules from scratch. This is
> easier, as it can use the ABI of the Python which will be installed
> to.
>
> If you go the "parallel ABIs" route, extension authors have to provide
> two parallel sets of packages as well. Given 32-bit and 64-bit packages,
> this will make actually two additional packages - just as if they had
> to support another Python version.

As far as I know, stuff on OSX is generally built for “X compiler or later”
so binary compatibility is kept as long as you’re using an “or later” but
I could be wrong about that. Using binary packages on OSX is a much
less frequent thing I think though since getting a working compiler toolchain
is easier there.

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

On Jun 23, 2014, at 4:31 PM, Barry Warsaw <***@python.org> wrote:

> On Jun 23, 2014, at 04:20 PM, Donald Stufft wrote:
>
>> At the risk of getting Guido to post his slide again, I still think the
>> solution to the old compiler is to just roll a 2.8 with minimal changes.
>
> No. It's not going to happen, for all the reasons discussed previously.
> Python 2.8 is not a solution to anything.
>
> If a new, incompatible compiler suite is required, why can't there just be
> multiple Windows downloads on https://www.python.org/download/releases/2.7.7/
> ? Well, on reason is that you'd have to convince MvL or someone else to take
> over the work that would require, but that's gotta be *much* lighter weight
> than releasing a Python 2.8.

As far as I am aware, a 2.7 with a different compiler, even if it’s just an option
is an attractive nuisance. None of the tooling right now differentiates between
binary compatibility by anything other than “CPython 2.7”.

The end result of having a 2.7 which is built with the old compiler, and a 2.7 built
with the new compiler is that you’ll end up with binary distributions which work
sometimes if you’re lucky and the creator of the binary distribution and you
happened to pick the same “variant” of 2.7. Most likely result is all the binary
distributions will *mostly* still depend on using the old compiler because of the
corpus of existing binary packages that depend on that. Which means that the
2.7 with new compiler will exist entirely to act as a footgun to anyone who picks
it and also wants to use binary packages.

>
> -Barry
> _______________________________________________
> Python-Dev mailing list
> Python-***@python.org
> https://mail.python.org/mailman/listinfo/python-dev
> Unsubscribe: https://mail.python.org/mailman/options/python-dev/donald%40stufft.io


-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

Am 23.06.14 22:31, schrieb Barry Warsaw:
> On Jun 23, 2014, at 04:20 PM, Donald Stufft wrote:
>
>> At the risk of getting Guido to post his slide again, I still think the
>> solution to the old compiler is to just roll a 2.8 with minimal changes.
>
> No. It's not going to happen, for all the reasons discussed previously.
> Python 2.8 is not a solution to anything.
>
> If a new, incompatible compiler suite is required, why can't there just be
> multiple Windows downloads on https://www.python.org/download/releases/2.7.7/
> ? Well, on reason is that you'd have to convince MvL or someone else to take
> over the work that would require, but that's gotta be *much* lighter weight
> than releasing a Python 2.8.

See my other message. It's actually heavier, since it requires changes
to distutils, PyPI, pip, buildout etc., all which know how to deal with
Python minor version numbers, but are unaware of the notion of competing
ABIs on Windows (except that they know how to deal with 32-bit vs. 64-bit).

Regards,
Martin

Am 23.06.14 22:31, schrieb Barry Warsaw:
> Well, on reason is that you'd have to convince MvL or someone else to take
> over the work that would require, but that's gotta be *much* lighter weight
> than releasing a Python 2.8.

Just to point this out in a separate message: it will have to be
somebody else. I stepped down as the Windows release maintainer for 2.7
when I learned about the extended life of 2.7, much because I feared
that exactly the thing would happen that we see happen now - and I
didn't want to be the one who would have to deal with it. It is a mess,
and it will get bigger the more time passes.

Playing-the-role-of-Cassandra-ly y'rs,
Martin

On Jun 23, 2014, at 5:07 PM, M.-A. Lemburg <***@egenix.com> wrote:

> On 23.06.2014 22:20, Donald Stufft wrote:
>>
>> On Jun 23, 2014, at 3:27 PM, M.-A. Lemburg <***@egenix.com> wrote:
>>
>>> On 23.06.2014 18:09, Donald Stufft wrote:
>>>>
>>>> On Jun 23, 2014, at 2:09 AM, Martin v. Löwis <***@v.loewis.de> wrote:
>>>>
>>>>>>
>>>>>> * Should we make use of the potential breakage with 2.7.10
>>>>>> to introduce a new Windows compiler version for Python 2.7 ?
>>>>>
>>>>> Assuming it is a good idea to continue producing Windows binaries
>>>>> for 2.7, I think it would be a bad idea to switch compilers. It will
>>>>> cause severe breakage of 2.7 installations, much more problematic
>>>>> than switching to two-digit version numbers.
>>>>
>>>> I agree with this, we’ve just finally started getting things to the point where
>>>> it makes a lot of sense for binary distributions for Windows. Breaking all
>>>> of them on 2.7 would be very bad.
>>
>> Err, sorry that “We” was with my pip hat on.
>>
>>>
>>> Not sure what you mean. We've had binary wininst distributions
>>> for Windows for more than a decade, and egg and msi distributions
>>> for 8 years :-)
>>
>> Nonetheless, changing the compiler will not only break pip, but every
>> automated installer tool (easy_install, buildout) that i’m aware of. The
>> blow back for binary installation is going to be huge I think.
>>
>>> But without access to the VS 2008 compiler that is needed to
>>> compile those extensions, it will become increasingly difficult
>>> for package authors to provide such binary packages, so we have to
>>> ask ourselves:
>>>
>>> What's worse: breaking old Windows binaries for Python 2.7
>>> or not having updated and new Windows binaries for Python 2.7
>>> at all in a few years ?
>>
>> At the risk of getting Guido to post his slide again, I still think the
>> solution to the old compiler is to just roll a 2.8 with minimal changes.
>> It could even be a good place to move to the ssl backport changes
>> too since they were the riskier set of changes in PEP466.
>>
>> But either way, if a compiler does change in a 2.7 release we’ll need
>> to update a lot of tooling to cope with that, so any plan to do that should
>> include that and a timeline for adoption of that.
>
> Sure, and we'd need to hash out possible solutions to minimize
> breakage, but first we'll have to see whether we want to consider
> this step or not.
>
>
> BTW: It's strange that I'm arguing for breaking things. I'm usually
> on the other side of such arguments :-)

Ok. I’m just making sure that any proposal to do this includes how
it plans to work around/minimize that. I agree with Martin (I think)
that trying to fix the entire ecosystem to cope with that change is
going to be far more work than folks realize and that it needs to
be an explicit part of the discussion when deciding how to solve
the problem.

Normally when I see someone suggest that switching compilers
in 2.7.x is likely to be less work than releasing a 2.8 It normally
appears to me they haven’t looked at the impact on the packaging
tooling.

>
> --
> Marc-Andre Lemburg
> eGenix.com
>
> Professional Python Services directly from the Source
>>>> Python/Zope Consulting and Support ... http://www.egenix.com/
>>>> mxODBC.Zope.Database.Adapter ... http://zope.egenix.com/
>>>> mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/
> ________________________________________________________________________
>
> ::: Try our new mxODBC.Connect Python Database Interface for free ! ::::
>
>
> eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48
> D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
> Registered at Amtsgericht Duesseldorf: HRB 46611
> http://www.egenix.com/company/contact/


-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

Not being a Python developer, I normally just lurk on Py-Dev, but I figured
I'd throw this out there for this thread:

Recent version of Maya embed Python 2.x, and the newer version of Maya (I
believe 2012 was the first version) embeds a Python 2.7 compiled with VS
2010. From my experience, most C extensions work across compiler versions,
however when they don't, it's generally a fairly difficult to debug issue -
at least unless you know what to look for in the call stacks, and have
access to the symbol files.



Chris


On Mon, Jun 23, 2014 at 2:07 PM, M.-A. Lemburg <***@egenix.com> wrote:

> On 23.06.2014 22:20, Donald Stufft wrote:
> >
> > On Jun 23, 2014, at 3:27 PM, M.-A. Lemburg <***@egenix.com> wrote:
> >
> >> On 23.06.2014 18:09, Donald Stufft wrote:
> >>>
> >>> On Jun 23, 2014, at 2:09 AM, Martin v. Löwis <***@v.loewis.de>
> wrote:
> >>>
> >>>>>
> >>>>> * Should we make use of the potential breakage with 2.7.10
> >>>>> to introduce a new Windows compiler version for Python 2.7 ?
> >>>>
> >>>> Assuming it is a good idea to continue producing Windows binaries
> >>>> for 2.7, I think it would be a bad idea to switch compilers. It will
> >>>> cause severe breakage of 2.7 installations, much more problematic
> >>>> than switching to two-digit version numbers.
> >>>
> >>> I agree with this, we’ve just finally started getting things to the
> point where
> >>> it makes a lot of sense for binary distributions for Windows. Breaking
> all
> >>> of them on 2.7 would be very bad.
> >
> > Err, sorry that “We” was with my pip hat on.
> >
> >>
> >> Not sure what you mean. We've had binary wininst distributions
> >> for Windows for more than a decade, and egg and msi distributions
> >> for 8 years :-)
> >
> > Nonetheless, changing the compiler will not only break pip, but every
> > automated installer tool (easy_install, buildout) that i’m aware of. The
> > blow back for binary installation is going to be huge I think.
> >
> >> But without access to the VS 2008 compiler that is needed to
> >> compile those extensions, it will become increasingly difficult
> >> for package authors to provide such binary packages, so we have to
> >> ask ourselves:
> >>
> >> What's worse: breaking old Windows binaries for Python 2.7
> >> or not having updated and new Windows binaries for Python 2.7
> >> at all in a few years ?
> >
> > At the risk of getting Guido to post his slide again, I still think the
> > solution to the old compiler is to just roll a 2.8 with minimal changes.
> > It could even be a good place to move to the ssl backport changes
> > too since they were the riskier set of changes in PEP466.
> >
> > But either way, if a compiler does change in a 2.7 release we’ll need
> > to update a lot of tooling to cope with that, so any plan to do that
> should
> > include that and a timeline for adoption of that.
>
> Sure, and we'd need to hash out possible solutions to minimize
> breakage, but first we'll have to see whether we want to consider
> this step or not.
>
>
> BTW: It's strange that I'm arguing for breaking things. I'm usually
> on the other side of such arguments :-)
>
> --
> Marc-Andre Lemburg
> eGenix.com
>
> Professional Python Services directly from the Source
> >>> Python/Zope Consulting and Support ... http://www.egenix.com/
> >>> mxODBC.Zope.Database.Adapter ... http://zope.egenix.com/
> >>> mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/
> ________________________________________________________________________
>
> ::: Try our new mxODBC.Connect Python Database Interface for free ! ::::
>
>
> eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48
> D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
> Registered at Amtsgericht Duesseldorf: HRB 46611
> http://www.egenix.com/company/contact/
> _______________________________________________
> Python-Dev mailing list
> Python-***@python.org
> https://mail.python.org/mailman/listinfo/python-dev
> Unsubscribe:
> https://mail.python.org/mailman/options/python-dev/ckaynor%40zindagigames.com
>