Date: Fri, 19 Nov 2021 22:41:10 UTC
On 2021-11-18 0:43, Eugene Grosbein wrote:
> 17.11.2021 17:16, Rene Ladan wrote:
>> On Wed, Nov 17, 2021 at 12:37:07AM -0800, Maxim Sobolev wrote:
>>> P.S. AFAIK our documented criteria for removing a port is when one of the
>>> following is true:
>>> o Port lacks maintainership;
>>> o Port has issues building on supported releases;
>>> o Port clearly has no users/use;
>>> o Port has some serious security issues.
>>>
>>> The lang/python27 did not belong to either of those bins, IMHO.
>>
>> "Unmaintained upstream" is also a criterion, and Python 2.7 fits there.
>
> This is a bad criterion for open source software and should not be considered without other reasons
> like "unfetchable" or "has known critical vulnerabilities".

It very likely has known critical vulnerabilities. For example, CVE-2021-3177 is a potential RCE bug in Python 3.x. It was officially fixed upstream, and the backported fix is found in Python 2.7 LTS contracts.