On Fri, Feb 2, 2018 at 12:31 PM, Antoine Pitrou <solip...@pitrou.net> wrote:
> On Fri, 2 Feb 2018 16:23:20 +0100
> Christian Heimes <christ...@python.org> wrote:
>> Hi,
>>
>> in PR 3854 [1] Serhiy added blowfish, extended DES and NT-Hash to
>> Python's crypt module. I vetoed against addition of the APIs because
>> all these hashing algorithms are not state of the art. Their quality
>> ranges from old to horribly, horribly broken beyond any repair.
>>
>> Shortly after the PR has landed, I was made aware that glibc has
>> deprecated crypt(3) API [2] in favor of an external library called
>> libxcrypt [3] from OpenWall Linux. I have patched Python 3.7 [4] to
>> support libxcrypt.
>>
>> In light of deprecation of crypt(3) glibc function and bad quality of
>> hashing algorithms, I'd like to raise the motion to revert 3854 and
>> deprecate the crypt module.
>
> Those are two separate proposals.
>
> On the topic of reverting PR #3854, I don't see the point. Is Blowfish
> more fragile than the other algorithms? If not, it sounds ok to add it.

I'm no cryptographer, but I believe Blowfish's author recommends using Twofish instead now.

> On the topic of deprecating the crypt module, that doesn't sound like a
> good idea right now. People may need to generate crypt()-compatible
> output for various reasons, such as being able to automate system
> administration tasks.

Encryption algorithms continue to be needed even after the time at which they should no longer be used in new code. But they probably should be documented as deprecated and warned about at runtime - after there are suitable alternatives.

_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev