What version of Python should I currently be using?
Uh oh. We just got hacked because we’re using an obsolete version of Python...
[rating: intermediate]
Most of the time, from a language perspective the specific Python release you are currently using doesn’t matter that much, since Python is very good at maintaining compatibility of older features.
It is, however, quite important to continually re-evaluate your Python version in the context of today's quite hostile security environment. Once a Python release has reached end-of-life status, it will no longer receive patches or any other kind of security update.
Python release status is maintained at this URL:
As you can see in my screencap below from that page, since Python 3.2 the supported lifetime of a release has been 5 years.
Python release status in August 2024
The blue vertical line represents “now” when the screencap was taken, in August 2024.
It should be apparent that Python 3.8 is just about to reach end-of-life. Python 3.12 is the current “actively maintained” release, receiving both bug fixes & security fixes.
So what does this mean?
If your product currently specifies anything earlier than Python 3.8, it should almost certainly not use it any more. There are no bug fixes for end-of-life releases, although some OS vendors such as Red Hat, Canonical & others may provide their own security fixes for an earlier release if they still ship it in their products. Note that such vendor fixes only apply to the base Python package in the OS, not to any packages downloaded from a public repository such as PyPI. That segues into the next point.
Actively maintained projects will be moving their Python release dependency forward so they can drop support for end-of-life Python releases, which relieves some of their maintenance burden. This means that over time you will find it harder to use these projects as dependencies in your own projects.
If you're starting a brand new project in August 2024, aim for a Python release newer than Python 3.8. Keep in mind that you could be using language features that are only available on newer releases, so your CI system should be testing for that, right?
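Here is one way to make a CI job enforce both points above, a project minimum version and the 5-year support window. This is an added example, not code from the post; the end-of-life dates in the table are filled in from memory of the python.org release schedule and should be verified against the page the post links, and the 180-day warning window is an arbitrary choice.

```python
from __future__ import annotations

import sys
from datetime import date

# Assumed end-of-life dates (last day of security fixes) per minor release.
# The 3.8 entry matches the post's "just about to reach end-of-life in
# August 2024"; verify all of these against python.org before relying on them.
EOL: dict[tuple[int, int], date] = {
    (3, 7): date(2023, 6, 27),
    (3, 8): date(2024, 10, 7),
    (3, 9): date(2025, 10, 5),
    (3, 10): date(2026, 10, 4),
    (3, 11): date(2027, 10, 24),
    (3, 12): date(2028, 10, 2),
}


def release_status(version: tuple[int, int], today: date, warn_days: int = 180) -> str:
    """Classify a minor release as 'unknown', 'eol', 'ending-soon' or 'supported'."""
    end = EOL.get(version)
    if end is None:
        return "unknown"          # not in the table: treat as "go and check"
    if today > end:
        return "eol"              # no more security fixes from python.org
    if (end - today).days <= warn_days:
        return "ending-soon"      # time to plan the upgrade
    return "supported"


def check_interpreter(min_version: tuple[int, int], today: date | None = None,
                      version: tuple[int, int] | None = None) -> list[str]:
    """Return CI findings for the running (or given) interpreter; empty list means OK.

    Findings starting with 'FAIL' should break the build, 'WARN' only report.
    Note that a vendor-patched OS Python may still be 'eol' here; the table only
    tracks python.org support, exactly as the post says.
    """
    version = version or tuple(sys.version_info[:2])
    today = today or date.today()
    findings: list[str] = []
    label = f"Python {version[0]}.{version[1]}"
    if version < min_version:
        findings.append(f"FAIL: {label} is below the project minimum "
                        f"{min_version[0]}.{min_version[1]}")
    status = release_status(version, today)
    if status == "eol":
        findings.append(f"FAIL: {label} reached end-of-life on {EOL[version]}")
    elif status == "ending-soon":
        findings.append(f"WARN: {label} reaches end-of-life on {EOL[version]}")
    elif status == "unknown":
        findings.append(f"WARN: {label} is not in the EOL table; check python.org")
    return findings


if __name__ == "__main__":
    results = check_interpreter((3, 9))   # project minimum: assumed value
    for line in results:
        print(line, file=sys.stderr)
    sys.exit(1 if any(r.startswith("FAIL") for r in results) else 0)
```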
My advice, overall?
Keep up with actively maintained Python releases if you can.
Find ways to research & evaluate the security & other risks your business is exposed to by not working with current Python releases. If you have an OS platform release problem, such as an older release of Linux that ships a correspondingly older release of Python, then using containers can help immensely to decouple your application's runtime context from the OS platform context.