02.02.18 18:18, Guido van Rossum writes:
I'm all for nudging people in the direction of xcrypt. I assume we can't just switch the C-level crypt with xcrypt and leave the Python API unchanged?
However, until a usable solution exists (either in the stdlib or as 3rd party) I don't think we should deprecate anything (deprecating things before the replacement is ready is stressful for everyone involved).
I'm also not sure I agree with removing support for old hashes. By all means put in the docs that they are unsafe. But if someone has a database full of old hashes it would be nice to be able to at least read/verify it, right?
Was a release already made with blowfish, extended DES and NT-Hash? (And what's so bad with blowfish? It's mentioned in the heading of the xcrypt project too.)
To clarify, extended DES and NT-Hash were not added. They were removed from my PR after Christian's request. Only the Blowfish method was added, and it is as strong as SHA-2 methods. It is the only method supported on OpenBSD. This PR is not the only enhancement made in the crypt module recently. I also extended tests and added support for configuring SHA-2 methods. There is an open PR (not merged before 3.7b1 unfortunately) for using crypt_r() instead of crypt(): https://bugs.python.org/issue28503. If we deprecate the crypt module, should modules pwd, grp and spwd be deprecated too? The crypt module is needed for checking password hashes provided by spwd.