Security support of Indico version 2

Dear Indico developers,

I have a question regarding the support of Indico 2.

Can you estimate how long you will support Indico 2 (latest version) in case of important security fixes? Of course we plan to migrate to Indico 3 as soon as possible after the official release. But we might want to wait for some months since we currently have a shortage of staff and also would like to wait for the stable release of Debian Bullseye, since Bullseye will include the recommended versions of Python and PostgreSQL in its official repository and we also will have longer support until we again need to migrate.

Thank you and best regards,

Michael

We currently have no plans to stop providing security fixes for version 2.3, should any significant issues show up. My guess would be that we officially declare Indico v2 “EOL” once 3.1 is out, since that’s similar to what we did with previous versions (2.2 out → 2.0 EOL) - but if a security problem is significant and we see there are still some instances out there with a good reason for not updating, we might release a fixed version nonetheless.

Regarding Indico 3 and Bullseye, please note that you can certainly wait for your distro to have Python 3.9, but one of the main reasons for going for pyenv was that we want to keep the option open to bump the Python requirement with future updates (e.g. Indico 3.1 or 3.2 going for Python 3.10) since otherwise we are stuck with 3.9 for years waiting for all the distros to update to the next version. So there’s no guarantee that you don’t need to switch to a custom Python package (or pyenv) at some point…

PS: If you plan to install Indico 3 on Bullseye, this comment may be useful to you (even though I hope it won’t be necessary once it’s fully released)