Fix #501: add -fno-semantic-interposition and --with-lto

[blopker]

PR with the proposed changes from #501.

[itamarst]

Just wanted to ping maintainers about this. Given this is an image that is probably installed on tens of thousands, if not more, machines, this tiny change can save a lot of people a lot of money, not to mention reduce a lot of carbon emissions.

[blopker]

Obsolete with 3.10

[itamarst]

This is not obsolete. Stats from PyPI show the majority of Python users are still on 3.7 (https://mayeut.github.io/manylinux-timeline/). It will be years before 3.10 is the default. Add up all the millions of people using this image and that's a lot of money and a lot of CO2 being wasted.

[blopker]

I don't disagree, however I'm happy that the change is there going forward. That being said, I'm not even much of a Python user anymore. I'm going to bow out at this point and let someone else pick up the work here if they need it.

[emhagman]

I'd like to +1 backporting this to < 3.10. We currently use the latest security Python release at work which is 3.8 and can't get the benefits of this without switching to a different image.

[blopker]

I'm curious, what's a security release? This seems to imply that newer versions of Python are less secure than older ones.

[emhagman]

@blopker I just mean the releases of Python not still in bugfix mode, listed on their website. security meaning they only get patches merged back in for security reasons (sort of like an LTS). It doesn't mean they are less secure, but simply more "stable" from a production software standpoint. If 3.8 has bugs, they won't fix them but that is predictable in a way.

[blopker]

Fair enough. I don't know anything about the stuff you work on, but it seems to me that the security status only means it's not getting any non-security changes and not that it's more reliable. Django's LTS releases include data loss issues for instance. According to https://devguide.python.org/devcycle/ the change in maintenance status is actually kinda of arbitrary, decided by one release manager without any hard criteria other than one bugfix release.

Anyway, my point is updating to 3.10 shouldn't sacrifice stability any more than updating to another 'security' release. I get that there are other compatibility considerations when jumping 2 releases (I personally updated a million+ line codebase from 2.7 to 3.8, bleh). However, that may be worth it if the project is performance critical. Plus you get all the new goodies in 3.10, which does include even more performance enhancements than just this one.

Maybe I'm weird, but I generally like challenging company policies :)