On 16 June 2016 at 13:09, Barry Warsaw <barry@python.org> wrote:
> On Jun 16, 2016, at 01:01 PM, David Mertz wrote:
>> It seems to me that backporting 'secrets' and putting it on Warehouse would be a lot more productive than complaining about 3.5.2 reverting to (almost) the behavior of 2.3-3.4.
>
> Very wise suggestion indeed. We have all kinds of stdlib modules backported and released as third party packages. Why not secrets too? If such were on PyPI, I'd happily package it up for the Debian ecosystem. Problem solved <wink>.

The secrets module is just a collection of one liners pulling together other stdlib components that have been around for years - the main problem it aims to address is one of discoverability (rather than one of code complexity), while also eliminating the "simulation is in the standard library, secrecy requires a third party module" discrepancy in the long term.

Once you're aware the problem exists, the easiest way to use it in a version independent manner is to just copy the relevant snippet into your own project's utility library - adding an entire new dependency to your project just for those utility functions would be overkill.

If you *do* add a dependency, you'd typically be better off with something more comprehensive and tailored to the particular problem domain you're dealing with, like passlib or cryptography or itsdangerous.

Cheers,
Nick.

P.S. Having the secrets module available on PyPI wouldn't *hurt*, I just don't think it would help much.

--
Nick Coghlan | ncoghlan@gmail.com | Brisbane, Australia
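
The copy-the-snippet approach described in the message above, as an added example that is not part of the original e-mail and is not CPython's own code: a project-local utility module that builds the secrets-style helpers from older stdlib components and defers to the real module when it is importable. The `fallback_*` and `sysrand` names are this example's own, and it assumes an interpreter where `hmac.compare_digest` exists (2.7.7+ or 3.3+).

```python
"""Local equivalents of the `secrets` helpers for interpreters that lack the module."""
import base64
import binascii
import hmac
import os
import random

DEFAULT_ENTROPY = 32  # bytes per token when no size is given

# SystemRandom reads from os.urandom; the module-level random.* functions use
# the Mersenne Twister, which is meant for simulation and is predictable.
sysrand = random.SystemRandom()
fallback_choice = sysrand.choice
fallback_compare_digest = hmac.compare_digest  # constant-time comparison


def fallback_randbelow(exclusive_upper_bound):
    """Return a random int in the range [0, exclusive_upper_bound)."""
    if exclusive_upper_bound <= 0:
        raise ValueError("Upper bound must be positive.")
    return sysrand.randrange(exclusive_upper_bound)


def fallback_token_bytes(nbytes=None):
    """Return nbytes random bytes from the OS CSPRNG."""
    return os.urandom(DEFAULT_ENTROPY if nbytes is None else nbytes)


def fallback_token_hex(nbytes=None):
    """Return a hex string encoding nbytes random bytes (two digits per byte)."""
    return binascii.hexlify(fallback_token_bytes(nbytes)).decode("ascii")


def fallback_token_urlsafe(nbytes=None):
    """Return an unpadded URL-safe base64 string encoding nbytes random bytes."""
    encoded = base64.urlsafe_b64encode(fallback_token_bytes(nbytes))
    return encoded.rstrip(b"=").decode("ascii")


try:  # Prefer the standard library wherever it ships the module.
    from secrets import (choice, compare_digest, randbelow,
                         token_bytes, token_hex, token_urlsafe)
except ImportError:
    choice, compare_digest = fallback_choice, fallback_compare_digest
    randbelow, token_bytes = fallback_randbelow, fallback_token_bytes
    token_hex, token_urlsafe = fallback_token_hex, fallback_token_urlsafe

if __name__ == "__main__":
    print(token_urlsafe(16))
```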