On Mon, Jan 4, 2010 at 12:34 PM, Simon Willison <[email protected]> wrote:

> We do however need to consider the places in Django that are already
> using hmac / md5 / sha1 (contrib.formtools and middleware.csrf for
> example). Even if we don't add the signed cookies feature to 1.2,
> fixing any problems with our existing use of crypto should not be
> affected by the feature freeze. There's not much point in implementing
> this logic in several different places, so I think we should keep
> targeting the django.utils.signed module for 1.2.
Agreed - I see no issues with targeting it for the beta (but using it for signed cookies probably has to slip to 1.3). It's certainly an improvement to have a single place where this sensitive code lives. From a worst-case-scenario standpoint, it'd make a security fix much easier to only have a single place to fix it.

Jacob
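To illustrate the "single place" argument above, here is an added example (not Django's code and not the django.utils.signed module being discussed): one small HMAC sign/unsign module that both a signed cookie and a form token go through, with per-purpose salts so the two uses cannot be swapped and a constant-time comparison on verification. The secret key and the `"cookie"`/`"form"` salt names are constructed placeholders.

```python
import base64
import hashlib
import hmac

# Assumption: a placeholder key for the example only; a real deployment
# loads its secret from configuration.
SECRET_KEY = b"constructed-example-secret-do-not-reuse"


class BadSignature(Exception):
    """Raised when a signed value fails verification."""


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(payload: str, salt: str, key: bytes = SECRET_KEY) -> str:
    # Derive a per-purpose key so a value signed for cookies is never
    # accepted as a form token (and vice versa), even with one SECRET_KEY.
    derived = hashlib.sha256(salt.encode() + key).digest()
    return _b64(hmac.new(derived, payload.encode(), hashlib.sha256).digest())


def sign(value: str, salt: str = "default") -> str:
    """Return 'payload:mac'; every caller in the app uses this one function."""
    payload = _b64(value.encode())
    return f"{payload}:{_mac(payload, salt)}"


def unsign(signed: str, salt: str = "default") -> str:
    """Verify and return the original value, or raise BadSignature."""
    payload, _, mac = signed.rpartition(":")
    # compare_digest avoids leaking how many bytes matched via timing.
    if not payload or not hmac.compare_digest(mac, _mac(payload, salt)):
        raise BadSignature("signature does not match")
    return _unb64(payload).decode()


def is_valid(signed: str, salt: str = "default") -> bool:
    """Boolean form of unsign(), convenient for checks and tests."""
    try:
        unsign(signed, salt)
        return True
    except BadSignature:
        return False
```

Because every consumer (cookie, form token, anything else) calls `sign`/`unsign`, a fix to the MAC construction or the comparison lands once, which is the point Jacob makes above.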
