>> Why not write a C function which can be more secure than Python code?
> For Unicode strings, it's impossible to write a time-independent
> comparison function even in C
Really? Some comments sounded different. That's too bad but also what I suspected in the first place – it seems too complex.
However, this function seems only useful to bytes anyway so why not strip it down if it _is_ possible with bytes? Am I missing something?
>> I would argue that would be a general asset for the stdlib
> I would argue that it's not. No actual use case for this function
> has been demonstrated so far.
Well, one example: https://github.com/mitsuhiko/python-pbkdf2/blob/master/pbkdf2.py and any other place that compares passwords, tokens, …
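
A sketch of the bytes-only C comparison asked about in this message, as an added example that is not part of the original message and is not taken from CPython or the linked project. The function names and the sample token are hypothetical; the early-exit variant is included only for contrast.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: returns 1 if the buffers are equal, 0 otherwise.
 * The loop always runs supplied_len times, so the running time does not
 * depend on the position of the first differing byte. The length of the
 * supplied value is still observable. */
int ct_bytes_equal(const unsigned char *expected, size_t expected_len,
                   const unsigned char *supplied, size_t supplied_len)
{
    /* volatile discourages the compiler from turning the loop into an
     * early-exit comparison. Start at 1 when the lengths differ. */
    volatile unsigned char diff = (expected_len != supplied_len);
    /* On a length mismatch, compare supplied against itself: same amount
     * of work, and no read past the end of expected. */
    const unsigned char *left =
        (expected_len == supplied_len) ? expected : supplied;
    size_t i;

    for (i = 0; i < supplied_len; i++)
        diff |= (unsigned char)(left[i] ^ supplied[i]);
    return diff == 0;
}

/* For contrast: memcmp may return at the first mismatch, so its running
 * time can reveal how long the matching prefix is. */
int leaky_bytes_equal(const unsigned char *a, size_t alen,
                      const unsigned char *b, size_t blen)
{
    return alen == blen && memcmp(a, b, alen) == 0;
}

int main(void)
{
    /* Constructed sample values, not real credentials. */
    const unsigned char token[] = "s3cr3t-token";
    const unsigned char guess[] = "s3cr3t-tokeX";

    printf("same token:  %d\n", ct_bytes_equal(token, 12, token, 12));
    printf("wrong guess: %d\n", ct_bytes_equal(token, 12, guess, 12));
    printf("short guess: %d\n", ct_bytes_equal(token, 12, guess, 6));
    return 0;
}
```

Both functions take explicit lengths, so buffers containing NUL bytes are compared in full.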