Re: [Django] #31842: django.core.signing.dumps() and loads() not backwards compatible

Wed, 08 Dec 2021 18:01:16 -0800 

#31842: django.core.signing.dumps() and loads() not backwards compatible
-------------------------------------+-------------------------------------
     Reporter:  Markus Holtermann    |                    Owner:  Mariusz
                                     |  Felisiak
         Type:  Bug                  |                   Status:  closed
    Component:  Core (Other)         |                  Version:  3.1
     Severity:  Release blocker      |               Resolution:  fixed
     Keywords:                       |             Triage Stage:  Accepted
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by Riley Chase):

 Was there a reason the `DEFAULT_HASHING_ALGORITHM` solution was used in
 preference to adding the `algorithm` parameter to the two methods?

 The project I'm working on needs to be able to select the hashing
 algorithm so we can progressively upgrade several systems that all use
 these methods. Updating them all at once is not feasible and we have a
 requirement to maintain compatibility for a short period while the upgrade
 is happening. Exposing the `algorithm` parameter would allow us to do this
 easily and provide the same functionality if the default algorithm changes
 again in the future.

 Exposing the `algorithm` parameter would also allow users to opt into more
 secure hashing algorithms ahead of Django making it the default.

 If possible, I'd like to see this reopened (or another ticket if that's
 the preference) so we can add the `algorithm` parameter to these methods.
 I'd also be willing to put a PR together, I've not contributed to Django
 before but this seems straight forward enough.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/31842#comment:14>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/065.361e662d6f32f0b9f4319f9f945ea170%40djangoproject.com.

Reply via email to