Python 2 fast approaching EOL, poses future security risks


UK’s cybersecurity organization NCSC issued a warning that Python 2 is fast approaching its end-of-life (EOL) on January 1, 2020. After that time, organizations will no longer be able to get bug fixes or security patches.

On Thursday, the National Cyber Security Centre (NCSC) wrote in a blog post that if you are still using Python 2.x, the time to upgrade to Python 3 is now. Beyond the security patches, moving to Python 3 lets organizations reduce the risk carried by older dependencies and take advantage of the language’s newer features.

Another alarming finding is that a large share of Python package downloads still come from Python 2 installations. For instance, Python 2 accounts for 82.07% of Colorama downloads, 72.86% of botocore, 64.14% of urllib3 and 53.37% of Requests, so Python 2 still makes up the majority of downloads for each of these packages.

See the figure below, provided by the NCSC with data as of June 2019:

“Even if only a portion of these downloads are being used in live projects, the Python 2 EOL could potentially affect the security of millions of systems,” the NCSC warned in a blog post.

In addition, the NCSC highlights multiple risks with Python 2 after the EOL date:

  • Dependencies: many popular projects (such as NumPy, Requests and TensorFlow) have either already dropped support for 2.x or will do so by 2020.
  • Holding developers back: by continuing to maintain and support older libraries, organizations hold their developers back from upgrading to Python 3.
  • Missing features: staying on 2.x means missing out on new features in Python 3 (such as ‘yield from’ expressions, Unicode strings by default, and the ‘multi-with’ statement, to name a few).

There are also multiple good resources to help developers with the migration to Python 3, such as ‘Can I Use Python 3’, ‘2to3’, ‘Supporting Python 3: An in-depth guide’ and the Python website.
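Before running tools like 2to3, teams usually need an inventory of where Python 2-only code actually lives. The following audit script is an added example, not code from the NCSC post or any of the tools named above; it parses each source file with Python 3’s own parser and flags names that still parse but no longer exist in Python 3. The sample sources are constructed inline.

```python
"""Audit Python sources for Python 2-only code ahead of the 2.x EOL.

Hypothetical helper: reports files that fail to parse under Python 3 and
names that parse cleanly but raise NameError/AttributeError at runtime.
The name checks are a heuristic (a local variable called `unicode` would be
flagged too), so treat hits as migration leads, not proof.
"""
import ast

# Builtins that were removed or renamed in Python 3.
PY2_ONLY_NAMES = {"unicode", "xrange", "raw_input", "basestring", "long",
                  "unichr", "execfile", "reduce", "cmp"}
# Dict/str methods that were removed in Python 3.
PY2_ONLY_ATTRS = {"iteritems", "itervalues", "iterkeys", "has_key"}


def audit_source(src, filename="<constructed>"):
    """Return {'parses': bool, 'error': str|None, 'issues': [(line, desc)]}."""
    try:
        tree = ast.parse(src, filename=filename)
    except SyntaxError as exc:  # e.g. a Python 2 print statement
        return {"parses": False, "error": f"line {exc.lineno}: {exc.msg}", "issues": []}
    issues = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Name) and isinstance(node.ctx, ast.Load) \
                and node.id in PY2_ONLY_NAMES:
            issues.append((node.lineno, f"Python 2-only builtin {node.id}()"))
        elif isinstance(node, ast.Attribute) and node.attr in PY2_ONLY_ATTRS:
            issues.append((node.lineno, f"Python 2-only method .{node.attr}()"))
    return {"parses": True, "error": None, "issues": sorted(issues)}


def audit_tree(sources):
    """sources: {filename: text}. Return only the files needing migration work."""
    report = {}
    for name, src in sources.items():
        result = audit_source(src, name)
        if not result["parses"] or result["issues"]:
            report[name] = result
    return report


# Constructed sample files, not real project code.
LEGACY_PRINT = "print 'hello'\n"
LEGACY_NAMES = ("def read(config):\n"
                "    for k, v in config.iteritems():\n"
                "        if isinstance(v, unicode):\n"
                "            pass\n"
                "    return xrange(10)\n")
CLEAN = "def read(path):\n    with open(path) as fh:\n        return fh.read()\n"
SAMPLE_TREE = {"legacy_print.py": LEGACY_PRINT, "legacy_names.py": LEGACY_NAMES,
               "clean.py": CLEAN}

if __name__ == "__main__":
    for name, res in audit_tree(SAMPLE_TREE).items():
        print(name, res["error"] or res["issues"])
```

Run it on a real tree by replacing SAMPLE_TREE with the files you read from disk; files that fail to parse need 2to3 first, while files with only name hits can usually be fixed by hand or with `six`.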

In short, organizations and developers should start planning for migration to Python 3 before hackers develop the next wave of malware to exploit older versions.