People choosing Python 3
Stephan Houben <stephanh42 at gmail.com.invalid>:
> Op 2017-09-10, Marko Rauhamaa schreef <marko at pacujo.net>:
>> I've seen that done for Python and other technologies. It is an
>> expensive route to take. Also, it can be insecure. When
>> vulnerabilities are found, they are communicated to the maintainers
>> of, say, Python. When Python is fixed and released, the vulnerability
>> is revealed, but the version bundled with your product is still
>> broken. You have to be prepared to perform an emergency release of your
>> product and hope you don't mess things up.
> To each his own, but this is not different from any other third-party
> package your application depends on.
And that is an argument to minimize the number of 3rd-party dependencies
in a product. However, programming languages are particularly
problematic because they have huge attack surfaces. For example, we need
to rerelease our product four times a year because of Java. No other
3rd-party package gives us such trouble.
(BTW, a former employer of mine chose to package Python with the
application so they could ship the application in a .pyc format.)