Re: TechRepublicDEVELOPERCXO JPMorgan's Athena has 35 million lines of Python code, and won't be updated to Python 3 in time

2019-09-16 Thread Chris Angelico
On Mon, Sep 16, 2019 at 4:38 AM Spencer Graves wrote:
>
> Is anyone interested in contacting these companies -- or the
> companies from which they buy cybersecurity insurance -- and inviting
> them to provide paid staff to maintain 2.7 and to offer further
> consulting services to help these clients inventory what they have and
> how much it would cost to migrate?
>
> For example, how much would it cost to write and maintain an
> emulator for 2.7.16 in 3.7.4?
>
> The Python Software Foundation does not want to maintain 2.7 for
> free anymore, but if there is sufficient demand, they should be thrilled
> to make a handsome profit off of it -- while providing high quality,
> good paying jobs for smart Pythonistas.
>

That's not really the PSF's job, but if you're looking at this from a
viewpoint of "wouldn't it be nice if there were jobs available
supporting 2.7", then do the rounds of the commercial Python
distributors. Anaconda, Enthought, ActiveState, and possibly folks
like Red Hat, have an interest in making money off Python, and they're
not in any way obliged to stop working with Py2 as of 2020. Each
company is free to make its own commercial decision regarding which
versions they'll support.

ChrisA
-- 
https://mail.python.org/mailman/listinfo/python-list


Re: TechRepublicDEVELOPERCXO JPMorgan's Athena has 35 million lines of Python code, and won't be updated to Python 3 in time

2019-09-15 Thread Peter J. Holzer
On 2019-09-14 08:10:50 -0500, Spencer Graves wrote:
>   As I'm thinking about it, the companies that provide cybersecurity
> insurance could be the best points of leverage for this, because they think
> about these kinds of things all the time. Insurance companies for decades

I wouldn't set my hopes too high. Bruce Schneier recently quoted from
https://tylermoore.utulsa.edu/govins20.pdf (which I haven't read yet):

| Cyber insurance appears to be a weak form of governance at present.
| Insurers writing cyber insurance focus more on organisational
| procedures than technical controls, rarely include basic security
| procedures in contracts, and offer discounts that only offer a
| marginal incentive to invest in security.  However, the cost of
| external response services is covered, which suggests insurers believe
| ex-post responses to be more effective than ex-ante mitigation.
| (Alternatively, they can more easily translate the costs associated
| with ex-post responses into manageable claims.)

hp

-- 
   _  | Peter J. Holzer    | we build much bigger, better disasters now
|_|_) |                    | because we have much more sophisticated
| |   | h...@hjp.at        | management tools.
__/   | http://www.hjp.at/ | -- Ross Anderson




Re: TechRepublicDEVELOPERCXO JPMorgan's Athena has 35 million lines of Python code, and won't be updated to Python 3 in time

2019-09-15 Thread Spencer Graves



On 2019-09-14 07:30, Gene Heskett wrote:
> On Saturday 14 September 2019 04:37:14 Larry Martell wrote:
> > On Fri, Sep 13, 2019 at 1:37 PM Skip Montanaro wrote:
> > > https://www.techrepublic.com/google-amp/article/jpmorgans-athena-has-35-million-lines-of-python-code-and-wont-be-updated-to-python-3-in-time/
> > >
> > > I doubt this is unusual, and presume JP Morgan is big enough to
> > > handle the change of status, either by managing security releases
> > > in-house or relying on third-party releases (say, Anaconda). When I
> > > retired from Citadel recently, most Python was still 2.7 (though the
> > > group I worked in was well on the way to converting to 3.x, and no
> > > new applications were written against 2.7). Bank of America has an
> > > enterprise-wide system called Quartz. I wouldn't be surprised if it
> > > was still running Python 2.7 (though I don't know for sure).
> >
> > Yes Quartz is 2.7. As I’ve said before here, I know a lot of companies
> > running large apps in 2.7 and they have no intention of moving to 3.
>
> And I, Larry, have little doubt that the hackers have a hole into a 2.7
> install, all squirreled away, and waiting until 2.7 security support
> goes away. It's the nature of the thing.
>
> They will get hacked.  It's like asking if concrete will crack as you are
> watching it being poured, will is the wrong question, when is far more
> correct.
>
> And it will cost them trillions in the long haul. The courts,
> adjudicating damages, will not be kind to the foot draggers who think
> they are saving money.  History sure seems to be pointing in that
> direction recently.
>
> It's a puzzle to me, why so-called sane MBAs cannot understand that the
> best defense is spending money on the offense by updating their
> in-house operating code. Or the OS under it.



Is anyone interested in contacting these companies -- or the
companies from which they buy cybersecurity insurance -- and inviting
them to provide paid staff to maintain 2.7 and to offer further
consulting services to help these clients inventory what they have and
how much it would cost to migrate?

For example, how much would it cost to write and maintain an
emulator for 2.7.16 in 3.7.4?

The Python Software Foundation does not want to maintain 2.7 for
free anymore, but if there is sufficient demand, they should be thrilled
to make a handsome profit off of it -- while providing high quality,
good paying jobs for smart Pythonistas.

As I'm thinking about it, the companies that provide
cybersecurity insurance could be the best points of leverage for this,
because they think about these kinds of things all the time. Insurance
companies for decades and probably well over 100 years have required
their commercial clients to employ night watch crews, who make the
rounds of a facility collecting time stamps from different points in the
facility, which they provide to insurer(s) in exchange for reduced rates
-- or as a condition of getting insurance in the first place.  This is
conceptually and practically the same kind of thing.



  Spencer Graves


> Cheers, Gene Heskett




Re: TechRepublicDEVELOPERCXO JPMorgan's Athena has 35 million lines of Python code, and won't be updated to Python 3 in time

2019-09-14 Thread Gene Heskett
On Saturday 14 September 2019 11:46:50 Terry Reedy wrote:

> On 9/14/2019 4:37 AM, Larry Martell wrote:
> > On Fri, Sep 13, 2019 at 1:37 PM Skip Montanaro wrote:
> >> https://www.techrepublic.com/google-amp/article/jpmorgans-athena-has-35-million-lines-of-python-code-and-wont-be-updated-to-python-3-in-time/
> >>
> >> I doubt this is unusual, and presume JP Morgan is big enough to
> >> handle the change of status, either by managing security releases
> >> in-house or relying on third-party releases (say, Anaconda). When I
> >> retired from Citadel recently, most Python was still 2.7 (though
> >> the group I worked in was well on the way to converting to 3.x, and
> >> no new applications were written against 2.7). Bank of America has
> >> an enterprise-wide system called Quartz. I wouldn't be surprised if
> >> it was still running Python 2.7 (though I don't know for sure).
> >
> > Yes Quartz is 2.7. As I’ve said before here, I know a lot of
> > companies running large apps in 2.7 and they have no intention of
> > moving to 3.
>
> This is not JPMorgan.  From the article "JPMorgan's roadmap puts "most
> strategic components" compatible with Python 3 by the end of Q1
> 2020—that is, three months after the end of security patches—with "all
> legacy Python 2.7 components" planned for compatibility with Python 3
> by Q4 2020."  So they must be working on it now.
>
> The 'end of Q1 2020' is about when the final release, 2.7.18, will be
> and Q3 2020 is about when the next release, 2.7.19 would be if we did
> not stop free support.
>
> As far as core developers are concerned, risk judgements are the
> business of private businesses and some of us anticipate 2.7 being
> used for at least another decade.  We *have* nudged some library
> developers a bit, especially in the scientific stack, especially numpy
> and scipy, to release 3.x versions so that new code can be written in
> 3.x.
>
> --
> Terry Jan Reedy

I don't have an oar in this water, Terry, other than my bank no doubt has 
some python in its system, and its track record of bugs in the interface 
I'm being forced to use, which just Wednesday resulted in my calling one 
to their attention but I'd say that nudge needs to be set in a crontab, 
to repeat that nudge often enough to be effective.  I suspect what I 
experienced Wednesday was python3 growing pains, which the fact that 
they are working on it ahead of time, is encouraging.

Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
If we desire respect for the law, we must first make the law respectable.
 - Louis D. Brandeis
Genes Web page 


Re: TechRepublicDEVELOPERCXO JPMorgan's Athena has 35 million lines of Python code, and won't be updated to Python 3 in time

2019-09-14 Thread Terry Reedy

On 9/14/2019 4:37 AM, Larry Martell wrote:
> On Fri, Sep 13, 2019 at 1:37 PM Skip Montanaro wrote:
> > https://www.techrepublic.com/google-amp/article/jpmorgans-athena-has-35-million-lines-of-python-code-and-wont-be-updated-to-python-3-in-time/
> >
> > I doubt this is unusual, and presume JP Morgan is big enough to handle
> > the change of status, either by managing security releases in-house or
> > relying on third-party releases (say, Anaconda). When I retired from
> > Citadel recently, most Python was still 2.7 (though the group I worked
> > in was well on the way to converting to 3.x, and no new applications
> > were written against 2.7). Bank of America has an enterprise-wide
> > system called Quartz. I wouldn't be surprised if it was still running
> > Python 2.7 (though I don't know for sure).
>
> Yes Quartz is 2.7. As I’ve said before here, I know a lot of companies
> running large apps in 2.7 and they have no intention of moving to 3.


This is not JPMorgan.  From the article "JPMorgan's roadmap puts "most 
strategic components" compatible with Python 3 by the end of Q1 
2020—that is, three months after the end of security patches—with "all 
legacy Python 2.7 components" planned for compatibility with Python 3 by 
Q4 2020."  So they must be working on it now.


The 'end of Q1 2020' is about when the final release, 2.7.18, will be 
and Q3 2020 is about when the next release, 2.7.19 would be if we did 
not stop free support.


As far as core developers are concerned, risk judgements are the 
business of private businesses and some of us anticipate 2.7 being used 
for at least another decade.  We *have* nudged some library developers a 
bit, especially in the scientific stack, especially numpy and scipy, to
release 3.x versions so that new code can be written in 3.x.


--
Terry Jan Reedy




Re: TechRepublicDEVELOPERCXO JPMorgan's Athena has 35 million lines of Python code, and won't be updated to Python 3 in time

2019-09-14 Thread Gene Heskett
On Saturday 14 September 2019 04:37:14 Larry Martell wrote:

> On Fri, Sep 13, 2019 at 1:37 PM Skip Montanaro wrote:
> > https://www.techrepublic.com/google-amp/article/jpmorgans-athena-has-35-million-lines-of-python-code-and-wont-be-updated-to-python-3-in-time/
> >
> > I doubt this is unusual, and presume JP Morgan is big enough to
> > handle the change of status, either by managing security releases
> > in-house or relying on third-party releases (say, Anaconda). When I
> > retired from Citadel recently, most Python was still 2.7 (though the
> > group I worked in was well on the way to converting to 3.x, and no
> > new applications were written against 2.7). Bank of America has an
> > enterprise-wide system called Quartz. I wouldn't be surprised if it
> > was still running Python 2.7 (though I don't know for sure).
>
> Yes Quartz is 2.7. As I’ve said before here, I know a lot of companies
> running large apps in 2.7 and they have no intention of moving to 3.

And I, Larry, have little doubt that the hackers have a hole into a 2.7 
install, all squirreled away, and waiting until 2.7 security support 
goes away. It's the nature of the thing.

They will get hacked.  It's like asking if concrete will crack as you are
watching it being poured, will is the wrong question, when is far more
correct.

And it will cost them trillions in the long haul. The courts,
adjudicating damages, will not be kind to the foot draggers who think
they are saving money.  History sure seems to be pointing in that
direction recently.

It's a puzzle to me, why so-called sane MBAs cannot understand that the
best defense is spending money on the offense by updating their
in-house operating code. Or the OS under it.

Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
If we desire respect for the law, we must first make the law respectable.
 - Louis D. Brandeis
Genes Web page 


Re: TechRepublicDEVELOPERCXO JPMorgan's Athena has 35 million lines of Python code, and won't be updated to Python 3 in time

2019-09-14 Thread o1bigtenor
On Sat, Sep 14, 2019 at 3:39 AM Larry Martell  wrote:
>
> On Fri, Sep 13, 2019 at 1:37 PM Skip Montanaro wrote:
>
> > https://www.techrepublic.com/google-amp/article/jpmorgans-athena-has-35-million-lines-of-python-code-and-wont-be-updated-to-python-3-in-time/
> >
> > I doubt this is unusual, and presume JP Morgan is big enough to handle
> > the change of status, either by managing security releases in-house or
> > relying on third-party releases (say, Anaconda). When I retired from
> > Citadel recently, most Python was still 2.7 (though the group I worked
> > in was well on the way to converting to 3.x, and no new applications
> > were written against 2.7). Bank of America has an enterprise-wide
> > system called Quartz. I wouldn't be surprised if it was still running
> > Python 2.7 (though I don't know for sure).
>
>
>
> Yes Quartz is 2.7. As I’ve said before here, I know a lot of companies
> running large apps in 2.7 and they have no intention of moving to 3.
>
Likely quite true - - - - - until a security flaw connected to the older version
is exploited - - - - (not saying it's likely) - - - then watch for the then declared
crucial to do it right now scramble.

Regards


Re: TechRepublicDEVELOPERCXO JPMorgan's Athena has 35 million lines of Python code, and won't be updated to Python 3 in time

2019-09-14 Thread Larry Martell
On Fri, Sep 13, 2019 at 1:37 PM Skip Montanaro wrote:

> https://www.techrepublic.com/google-amp/article/jpmorgans-athena-has-35-million-lines-of-python-code-and-wont-be-updated-to-python-3-in-time/
>
> I doubt this is unusual, and presume JP Morgan is big enough to handle
> the change of status, either by managing security releases in-house or
> relying on third-party releases (say, Anaconda). When I retired from
> Citadel recently, most Python was still 2.7 (though the group I worked
> in was well on the way to converting to 3.x, and no new applications
> were written against 2.7). Bank of America has an enterprise-wide
> system called Quartz. I wouldn't be surprised if it was still running
> Python 2.7 (though I don't know for sure).



Yes Quartz is 2.7. As I’ve said before here, I know a lot of companies
running large apps in 2.7 and they have no intention of moving to 3.



Re: TechRepublicDEVELOPERCXO JPMorgan's Athena has 35 million lines of Python code, and won't be updated to Python 3 in time

2019-09-13 Thread tommy yama
 "35 million lines of python code" it is insane.

On Fri, Sep 13, 2019 at 9:39 PM Skip Montanaro wrote:

> > https://www.techrepublic.com/google-amp/article/jpmorgans-athena-has-35-million-lines-of-python-code-and-wont-be-updated-to-python-3-in-time/
>
> I doubt this is unusual, and presume JP Morgan is big enough to handle
> the change of status, either by managing security releases in-house or
> relying on third-party releases (say, Anaconda). When I retired from
> Citadel recently, most Python was still 2.7 (though the group I worked
> in was well on the way to converting to 3.x, and no new applications
> were written against 2.7). Bank of America has an enterprise-wide
> system called Quartz. I wouldn't be surprised if it was still running
> Python 2.7 (though I don't know for sure).
>
> Skip


Re: TechRepublicDEVELOPERCXO JPMorgan's Athena has 35 million lines of Python code, and won't be updated to Python 3 in time

2019-09-13 Thread Skip Montanaro
> https://www.techrepublic.com/google-amp/article/jpmorgans-athena-has-35-million-lines-of-python-code-and-wont-be-updated-to-python-3-in-time/

I doubt this is unusual, and presume JP Morgan is big enough to handle
the change of status, either by managing security releases in-house or
relying on third-party releases (say, Anaconda). When I retired from
Citadel recently, most Python was still 2.7 (though the group I worked
in was well on the way to converting to 3.x, and no new applications
were written against 2.7). Bank of America has an enterprise-wide
system called Quartz. I wouldn't be surprised if it was still running
Python 2.7 (though I don't know for sure).

Skip


TechRepublicDEVELOPERCXO JPMorgan's Athena has 35 million lines of Python code, and won't be updated to Python 3 in time

2019-09-13 Thread Larry Martell
https://www.techrepublic.com/google-amp/article/jpmorgans-athena-has-35-million-lines-of-python-code-and-wont-be-updated-to-python-3-in-time/