Upgrading to new software versions is work, and work that doesn’t benefit your software’s users.
Users care about features and bug fixes, not how up-to-date you are.
But there is only so much time you can delay upgrading, and for Python 3.6, the time to upgrade is right now.
Python 3.6 is reaching its end of life as of December 2021.
No more bug fixes.
No more security fixes.
As of mid-December 2021, 15% of packages downloaded from PyPI were for Python 3.6.
That’s a lot of people and a lot of organizations, all of whom should be upgrading ASAP.
Upgrading may involve some amount of other change as well, so we’ll go over some of the issues involved, in particular focusing on long-term-support Linux distributions.
I’ll be relying throughout on the very useful endoflife.date website for end-of-life dates.
What does end-of-life mean?
Python 3.6 was released in December 2016, 5 years before I wrote this article.
As you can see in PEP 494:
- Bug fix and security fix sub-releases happened every 3 months for the first two years.
- After that, releases happened as needed.
- Releases will stop 5 years after 3.6 is released.
Which is to say, Dec 2021 is the last month there will be any Python 3.6 releases.
Starting January 2022, if there is a critical security bug, it won’t get fixed by the Python development team.
“I don’t need to upgrade, I’m on long-term-support Linux!”
Some Linux distributions guarantee long-term support for a known period of time, including security bug fixes.
If you’re using one of those distributions, and it includes Python 3.6, you can rely on the distribution to provide security fixes even if the Python development team won’t.
So in theory, you don’t need to upgrade quite yet.
In practice, there are caveats.
First, older distribution releases will eventually stop getting support.
- Ubuntu 18.04 stops getting security updates in April 2023.
- RHEL 7 stops getting security updates in June 2024.
Second, while you will get security updates, you won’t necessarily get other bug fixes.
Both Ubuntu 18.04 and RHEL 7 are limited to security updates only at this point.
Third, your dependencies will stop getting updates.
Third-party Python libraries and frameworks are going to start dropping Python 3.6 support.
And that means if those libraries have a critical bug, the fix might not be available on Python 3.6, and your Linux distribution is very much not in the business of doing backports for every single Python library in existence.
This is playing out in the Java world, where upgrading to a version of log4j that fixes a critical security bug is only possible if you have a new enough version of Java.
If you haven’t upgraded, you’re in trouble:
The patched version of log4j 2.15.0 requires a minimum of Java 8. If you are on Java 7 you will need to upgrade to Java 8
When there is active exploitation and you need to patch fast it is beneficial if you have been updating your other dependencies over time.
— Chris Wysopal (@WeldPond) December 10, 2021
“But I’m on Ubuntu 20.04/RHEL 8, I’ve got plenty of time!”
It’s true that if you’re on a newer long-term stable Linux distribution, you have that many more years of both security fixes and bug fixes to Python 3.6 (this mostly applies to RHEL 8, whose default python3 is 3.6; Ubuntu 20.04’s default python3 is already 3.8).
There are still two problems:
- Reduced support: The teams at these distributions have a limited amount of time, and limited expertise compared to the Python development team. I’m sure critical fixes will get backported, but random annoyances won’t.
- Third-party dependencies will stop getting updates. See above; using a longer-supported Linux distribution won’t help here unless you’ve limited yourself to distribution-packaged dependencies.
Thing is, both Ubuntu 20.04 and RHEL 8 package Python 3.9 these days.
That means you can upgrade without changing your Linux distribution or the way you install Python.
Just switch to apt-get install python3.9 (Ubuntu 20.04) or dnf install python39 (RHEL 8).
(They also package Python 3.8, which might be useful as an intermediate step.)
Upgrading: the short-term
In the short-term, your goal is to switch to maintained versions of your dependencies as soon as possible.
In general, Python 3 releases are fairly backwards compatible.
So in theory you can just upgrade to 3.7, fix any bugs, then upgrade to 3.8, repeating until you hit Python 3.9 or, from January 2022 on, Python 3.10.
The problem you will encounter is that the libraries you depend on will stop supporting older versions of Python.
Let’s take Django as an example (using the supported version table and endoflife.date/django):
- Django 2.2 (long-term-support) has security fixes until April 2022, and supports Python 3.5-3.9.
- Django 3.2 (long-term-support) has security fixes until April 2024, and supports Python 3.6-3.10.
- Django 4.0 (the latest release) supports Python 3.8-3.10.
If you’re on Django 2.2, you’re in trouble; you have 3 months to switch to Django 3.2.
And if you’re still on Python 3.5, you’re in even more trouble, since Django 3.2 doesn’t support it.
If you’re on Django 3.x, just make sure you’re on Django 3.2 and you’re good for now.
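The two questions raised above, which dependency blocks each step of a 3.6 → 3.7 → … → 3.10 upgrade, and what the newest Python every dependency accepts is, can be answered from the Requires-Python metadata that packages publish. The following is an added example of mine, not code from the article, from Django or from pip. It evaluates the subset of PEP 440 specifiers that Requires-Python strings actually use (>=, >, <=, <, ==, !=, ~=, and the == 3.9.* wildcard form) against candidate interpreter versions. SAMPLE_DEPS is a constructed table that mirrors the article's Django support matrix; the specifier strings express the ranges in the text and are not Django's real metadata. The --installed mode reads the same field from every package in the current environment via importlib.metadata, which is standard library from Python 3.8 on (on 3.6 or 3.7 install the importlib_metadata backport and import that instead).

```python
"""Which of my dependencies block each candidate Python version?

Added example, not from the original article. Evaluates the common subset
of PEP 440 specifiers found in Requires-Python metadata.
"""
import re
import sys

try:
    from importlib import metadata  # stdlib on 3.8+; backport: importlib_metadata
except ImportError:  # pragma: no cover
    metadata = None

CANDIDATES = ("3.6", "3.7", "3.8", "3.9", "3.10")

# Constructed sample mirroring the article's table. NOT Django's real metadata.
SAMPLE_DEPS = {
    "Django==2.2": ">=3.5,<3.10",   # supports 3.5-3.9
    "Django==3.2": ">=3.6,<3.11",   # supports 3.6-3.10
    "Django==4.0": ">=3.8,<3.11",   # supports 3.8-3.10
}

_CLAUSE = re.compile(r"^(~=|==|!=|<=|>=|<|>)\s*([0-9.]+(?:\.\*)?)$")


def parse_version(text):
    """'3.10' -> ((3, 10), False); '3.9.*' -> ((3, 9), True)."""
    parts = text.split(".")
    wildcard = parts[-1] == "*"
    if wildcard:
        parts = parts[:-1]
    return tuple(int(p) for p in parts), wildcard


def _pad(a, b):
    """Zero-pad two version tuples to equal length so (3, 9) == (3, 9, 0)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def clause_holds(op, spec, version):
    """Evaluate one clause, e.g. ('>=', '3.6'), against a version tuple."""
    target, wildcard = parse_version(spec)
    if wildcard:
        if op not in ("==", "!="):
            raise ValueError(f"'*' only allowed with == or !=: {op}{spec}")
        matches = version[: len(target)] == target  # '==3.9.*' -> any 3.9.x
        return matches if op == "==" else not matches
    v, t = _pad(version, target)
    if op == "~=":
        # '~=3.6' means '>=3.6, ==3.*': at least 3.6 and still in the 3.x series
        if len(target) < 2:
            raise ValueError(f"~= needs at least two components: {spec}")
        return v >= t and v[: len(target) - 1] == target[:-1]
    return {"==": v == t, "!=": v != t, "<": v < t, "<=": v <= t,
            ">": v > t, ">=": v >= t}[op]


def supports(requires_python, version_text):
    """True if a Requires-Python string admits the given X.Y interpreter.

    An empty or missing field means the package declares nothing; that is
    treated as supported, which is exactly the case where you have to test.
    """
    if not requires_python or not requires_python.strip():
        return True
    version, _ = parse_version(version_text)
    for raw in requires_python.split(","):
        m = _CLAUSE.match(raw.strip())
        if not m:
            raise ValueError(f"unsupported specifier clause: {raw!r}")
        if not clause_holds(m.group(1), m.group(2), version):
            return False
    return True


def blockers(deps, candidates=CANDIDATES):
    """Map each candidate Python version to the deps that exclude it."""
    return {v: sorted(n for n, spec in deps.items() if not supports(spec, v))
            for v in candidates}


def newest_supported(deps, candidates=CANDIDATES):
    """Highest candidate every dependency accepts, or None if there is none."""
    ok = [v for v, bad in blockers(deps, candidates).items() if not bad]
    return max(ok, key=lambda s: parse_version(s)[0]) if ok else None


def installed_requires_python():
    """Requires-Python of every distribution visible to this interpreter."""
    if metadata is None:
        raise RuntimeError("importlib.metadata unavailable; install importlib_metadata")
    return {d.metadata.get("Name") or "<unnamed>": d.metadata.get("Requires-Python") or ""
            for d in metadata.distributions()}


if __name__ == "__main__":
    deps = installed_requires_python() if "--installed" in sys.argv else dict(SAMPLE_DEPS)
    for name in list(deps):  # drop clauses this small evaluator cannot parse
        try:
            supports(deps[name], CANDIDATES[0])
        except ValueError as exc:
            print(f"skipping {name}: {exc}")
            del deps[name]
    for version, bad in blockers(deps).items():
        print(f"Python {version}: {'ok' if not bad else 'blocked by ' + ', '.join(bad)}")
    print("newest Python supported by all dependencies:", newest_supported(deps))
```

Run it without arguments to see the article's Django table evaluated, or with --installed inside a virtualenv to see which of your actual dependencies would stop you at each step. A package with an empty Requires-Python is reported as fine, which is the weakest possible answer: it only means the maintainers did not declare a ceiling, so those are the ones to exercise in CI on the target version first.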
Upgrading: the long-term
Eventually, Python 3.9 will stop getting updates.
Eventually, Django 3.2 will stop getting updates.
Eventually, Ubuntu 20.04 and RHEL 8 will stop getting updates.
If you put off updates to the last minute, upgrading is going to be a pain, because you will have to make a large number of major changes at the same time.
And if you’re still on Python 3.6 as of December 2021, that is a symptom you are suffering from an ongoing organizational problem.
So your next step should be to set up an ongoing process to update your dependencies regularly.