The long-term view of Python 2.7

When Python 2.7.9rc1 was released, I shared the news through the +Python Google+ account. Comments on the post ranged from "thanks for keeping Python 2.7 alive!" to "why haven't you just killed off Python 2.7?" To help frame these discussions, realize that Python 2.7.9 has two big themes:

  1. Getting HTTPS/SSL support and security more in line with Python 3
  2. Adding ensurepip so that pip will be installed alongside Python 2.7.9

If you don't know the reasoning behind these changes it might seem like we are suddenly adding features to Python 2.7 to help extend its life and keep it relevant. The truth, though, is more nuanced.

We as the Python development team have decided to support Python 2.7 until 2020 (that was announced at PyCon 2014 so hopefully this isn't news to you). As with other releases of Python, "support" means bugfixes and not new features. So why the heck have we backported the ssl module from Python 3.4 back to Python 2.7 and made these changes to the default security setup?

It boils down to security and backwards-compatibility. The security part is hopefully pretty obvious: you want HTTPS and SSL to be up-to-date and secure whenever possible. Since Python 2.7 didn't secure HTTPS by default, this was an issue. And with Python -- both overall and specifically Python 2 -- being so popular, having insecure software running a large chunk of the internet isn't good. And so the decision was made through PEPs 466 and 476 to make Python 2.7 secure by default when it comes to networking.

The backwards-compatibility part comes into play since this is a change in defaults in the name of security. Since Python 2.7 has been essentially insecure for so long we wanted to give users who want that specific setup a way to opt-out of the new defaults and get back to the way things were.

As for the addition of ensurepip, since that is a side benefit of the installer and not the language or standard library it was not viewed as backwards-incompatible. Plus we want to help move the community towards switching to pip for their project installation needs to unify the community around a single tool (it also helps move the community towards using wheels more).

In other words, these changes are in line with the Python development team's normal dedication to security and backwards-compatibility. This doesn't mean we don't want people to be switching to Python 3 actively (we do and I should have news about that before the year is out), nor does it mean we are going to let Python 2.7 be a security hazard simply because we want people to move on to Python 3. Python 2.7 is still in bugfix-only mode and support will end in 2020 as planned, we just happened to fix a long-standing security issue after we decided we were not going to drop Python 2.7 support in 2015 as originally planned.