[issue33604] HMAC default to MD5 marked as to be removed in 3.6

Gregory P. Smith report at bugs.python.org
Tue Oct 15 12:43:50 EDT 2019


Gregory P. Smith <greg at krypto.org> added the comment:

Thanks for the feedback.  Better late than never. :)

A default algorithm is a bad thing when it comes to authentication.  Explicit is better than implicit.  A default regularly becomes obsolete as math and cryptanalysis methods move forward and need to be changed every unpredictable N years.  MD5 was _already_ a bad choice of default when hmac was added in 2.2.

That said, we managed this deprecation and API evolution poorly.

As it has shipped this way in 3.8, I'm first going to fix the documentation and the exception type (both suitable for 3.8).  First PR sent.

In 3.9 we could introduce a better named keyword-only digest parameter, leaving digestmod supported as a legacy positional & alternate name for backwards incompatibility.  (minor code gymnastics required to do that, but within reason)

I wouldn't want to remove the digestmod positional/name support until after 3.8 is no longer relevant in the world.

----------

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue33604>
_______________________________________
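Added example (not from the tracker thread or CPython itself) showing the explicit-digest usage the comment argues for: the HMAC tag is computed with a named digestmod, verified in constant time, and a small probe reports whether the running interpreter still accepts the implicit (MD5) default. Inputs are the public RFC 4231 / RFC 2202 test vectors, embedded so it runs offline.

```python
import hmac

# Public test-vector inputs (RFC 4231 / RFC 2202 test case 2), embedded so the
# example runs offline. Not secrets; substitute real key material in practice.
KEY = b"Jefe"
MSG = b"what do ya want for nothing?"


def make_tag(key: bytes, msg: bytes, digestmod: str = "sha256") -> str:
    """Compute an HMAC tag with an explicitly named hash.

    digestmod is always passed, so behaviour does not depend on whatever
    default (historically MD5) a given Python release happens to ship.
    """
    return hmac.new(key, msg, digestmod=digestmod).hexdigest()


def verify_tag(key: bytes, msg: bytes, tag_hex: str, digestmod: str = "sha256") -> bool:
    """Recompute the tag and compare in constant time.

    hmac.compare_digest avoids a byte-by-byte early exit that would let a
    remote caller learn the correct tag one position at a time.
    """
    expected = make_tag(key, msg, digestmod)
    return hmac.compare_digest(expected, tag_hex)


def implicit_digest_rejected() -> bool:
    """Report whether this interpreter refuses hmac.new() without digestmod.

    3.8+ raises TypeError. Earlier releases silently fall back to MD5 (with a
    DeprecationWarning from 3.4 on), which is the default the thread objects to.
    """
    try:
        hmac.new(KEY, MSG)
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    tag = make_tag(KEY, MSG)
    print("HMAC-SHA256:", tag)
    print("verifies:", verify_tag(KEY, MSG, tag))
    print("implicit MD5 default rejected by this Python:", implicit_digest_rejected())
```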

