stacker icon indicating copy to clipboard operation
stacker copied to clipboard

Published 20 hours ago verified publisher icon cloudtools

Drop support for Python 2.7-3.6 and upgrade to recent dependencies

Open theister opened this issue 3 years ago • 6 comments

Working in a team that relies on stacker for most of our IaC code, keeping our dependency set up to date has been harder and harder over the last years, due to more and more dependencies of stacker dropping python 2.7 support in major version releases, which caused them to be pinned down in stacker dependency constraints.

This gets Python 3 users stuck on more than two years old versions of multiple dependencies, some of which even have CVE vulnerabilities registered with them.

As a resolution, I'd like to propose to release a new major version 2.0.0 that drops support for python 2.7, 3.5 and 3.6, all of which are no longer officially supported as of January 2022. At the same time, I propose to update the range of tested versions to the currently supported releases 3.7-3.10. This allows for removing the upper pinning for all dependency constraints of stacker, and keeps it easily usable for people on more recent and future versions of python. Since troposphere has also dropped support for python <3.6.

As an outsider to Remind, I unfortunately can't really judge what the current development status of stacker is and if such a change is welcome, or if a relevant group of companies using stacker is still caught up in the python2 ecosystem.

I hope this PR addresses all of these things. If there are things i've missed kindly point me towards what I can do to resolve this or what additional testing you'd like to se. Also if you'd like me to split certain parts off into separate PRs/Issues.

theister avatar Feb 04 '22 00:02 theister

Hey @theister - thanks for this. Unfortunately, much of the community of maintainers of stacker have moved on for various reasons, including myself (I, unfortunately, rarely get to write code these days and that means I'm not great at being able to judge/deal with these sorts of PRs). I've reached out to a couple of the folks that I know that have been heavily engaged in the past, but they too have moved on to other things.

So at this point, I think stacker, in this repo, is effectively EOL. If someone in the community would like to take over maintenance of it, I can work with them to get that setup. Let me know if you are interested/have the time to take over the project, or know of someone who does. Thanks!

phobologic avatar Feb 13 '22 23:02 phobologic

Bad ass! Thanks @Lowercases

russellballestrini avatar Apr 01 '22 18:04 russellballestrini

Could this be merged/released?

danieljamesscott avatar May 18 '22 08:05 danieljamesscott

@russellballestrini @Lowercases

Ah, I didn't even notice there were newer answers on this PR.

What is the current status, are there still plans on merging this PR and creating the two releases? Then we wouldn't need to go ahead with our forking plans.

The suggested release path sounds good to me, although I'd rather use call the release 2.0.0rc1 instead of 1.9.9, to use proper semver, since I assume people would normally pin stacker<2.0.0 in their requirements sets. That said, we can handle either, and as long as there is some release eventually, I'd be super grateful 🙂 .

theister avatar Jul 21 '22 15:07 theister

@theister I think the 2.0.0rc1 point is a good one.

We've been testing this internally for a while (actually with some further commits from our own) and we're all for merging. So unless @phobologic (or anybody else) has strong objections I'm all for merging this to master.

Lowercases avatar Jul 21 '22 15:07 Lowercases

Hi @Lowercases & @russellballestrini !

It's been five weeks, and it seems there haven't been any objections to your suggested release (candidate) plan. I feel this should be enough to call a silent consensus.

If you find the time (and assuming you have the appropriate rights on this repo and on pypi), I'd be very grateful if one of you could take care of a release.

Please let me know if I can support in any way.

theister avatar Aug 29 '22 15:08 theister

@russellballestrini @Lowercases It's been another month, any updates on a release?

theister avatar Oct 07 '22 14:10 theister

Unfortunately I haven't got the ability to merge here.

@phobologic thoughts on doing a release? Or blessing me so I could? Thanks

Lowercases avatar Oct 07 '22 15:10 Lowercases

please release the update soon. python3.10 compatibility would be much appreciated @phobologic can you do another release or grant @Lowercases permissions to do so or something like that?

Nookyx avatar Oct 13 '22 13:10 Nookyx

@Lowercases @russellballestrini you both should have the ability to merge this, correct? As I shared before, I'm unlikely to be of much use in this project at this point - it's been well over a year since I wrote any code.

I can share access to pypi as well - I'll go dig into that now.

phobologic avatar Feb 20 '23 23:02 phobologic

@Lowercases can you share your pypi user with me and I'll add you as an admin.

phobologic avatar Feb 20 '23 23:02 phobologic

@phobologic thank you! I haven't got the ability to merge, I think I'm not part of cloudtools (or maybe just not the permissions). Regarding pypi, you can add nachexnachex. Thanks!!

Lowercases avatar Feb 21 '23 21:02 Lowercases

Ok, you were part of collaborators - I just made you part of the core collaborators. I've also sent you an invite to the pypi repo. Let me know if any of that isn't working!

phobologic avatar Feb 22 '23 01:02 phobologic

Merging, will tag this as release candidate before following the steps outlined in https://github.com/cloudtools/stacker/pull/773#pullrequestreview-929246136.

Lowercases avatar Aug 15 '23 16:08 Lowercases