Home Original page

[Python-Dev] Deprecate crypt module and revert PR 3854

Serhiy Storchaka storchaka at gmail.com
Fri Feb 2 12:05:43 EST 2018 
02.02.18 18:18, Guido van Rossum пише:
> I'm all for nudging people in the direction of xcrypt. I assume we can't 
> just switch the C-level crypt with xcrypt and leave the Python API 
> unchanged?
> 
> However until a usable solution exist (either in the stdlib or as 3rd 
> party) I don't think we should deprecate anything (deprecating things 
> before the replacement is ready is stressful for everyone involved).
> 
> I'm also not sure I agree with removing support for old hashes. By all 
> means put in the docs that they are unsafe. But if someone has a 
> database full of old hashes it would be nice to be able to at least 
> read/verify it, right?
> 
> Was a release already made with blowfish, extended DES and NT-Hash? (And 
> what's so bad with blowfish? It's mentioned in the heading of the xcrypt 
> project too.)

To clarify, extended DES and NT-Hash were not added. They were removed 
from my PR after Christians request. Only the Blowfish method was added, 
and it is so strong as SHA-2 methods. It is the only method supported on 
OpenBSD.

This PR is not a single enhancement made in the crypt module recently. I 
also extended tests and added support for configuring SHA-2 methods. 
There is an open PR (not merged before 3.7b1 unfortunately) for using 
crypt_r() instead of crypt(): https://bugs.python.org/issue28503.

If deprecate the crypt module, should modules pwd, grp and spwd be 
deprecated too? The crypt module is needed for checking password hashes 
provided by spwd.
More information about the Python-Dev mailing list