[Python-Dev] Deprecate crypt module and revert PR 3854

Dan Stromberg drsalists at gmail.com
Fri Feb 2 16:25:34 EST 2018


On Fri, Feb 2, 2018 at 12:31 PM, Antoine Pitrou <solipsis at pitrou.net> wrote:
> On Fri, 2 Feb 2018 16:23:20 +0100
> Christian Heimes <christian at python.org> wrote:
>> Hi,
>>
>> in PR 3854 [1] Serhiy added blowfish, extended DES and NT-Hash to
>> Python's crypt module. I vetoed against addition of the APIs because
>> all these hashing algorithms are not state of the art. Their quality
>> ranges from old to horribly, horribly broken beyond any repair.
>>
>> Shortly after the PR has landed, I was made aware that glibc has
>> deprecated crypt(3) API [2] in favor of an external library called
>> libxcrypt [3] from OpenWall Linux. I have patched Python 3.7 [4] to
>> support libxcrypt.
>>
>> In light of deprecation of crypt(3) glibc function and bad quality of
>> hashing algorithms, I'd like to raise the motion to revert 3854 and
>> deprecate the crypt module.
>
> Those are two separate proposals.
>
> On the topic of reverting PR #3854, I don't see the point.  Is Blowfish
> more fragile than the other algorithms?  If not, it sounds ok to add it.

I'm no cryptographer, but I believe Blowfish's author recommends using
Twofish instead now.

> On the topic of deprecating the crypt module, that doesn't sound like a
> good idea right now.  People may need to generate crypt()-compatible
> output for various reasons, such as being able to automate system
> administration tasks.

Encryption algorithms continue to be needed even after the time at
which they should no longer be used in new code.  But they probably
should be documented as deprecated and warned about at runtime - after
there are suitable alternatives.

