canonical / cloud-init

Official upstream for the cloud-init: cloud instance initialization
https://cloud-init.io/

Python 3.13: Concerns about passlib maintenance #4791

Open holmanb opened 7 months ago

holmanb commented 7 months ago

Python 3.13 will release in September 2024. We added a passlib dependency to Python 3.13 recently in preparation for this release, per the upstream Python recommendation:

> Deprecated since version 3.11, will be removed in version 3.13: The crypt module is deprecated (see PEP 594 for details and alternatives). The hashlib module is a potential replacement for certain use cases. The passlib package can replace all use cases of this module.

However, there is some concern about the maintenance status of passlib. Given the looming release date later in this year, and the activity in the upstream bug, we will want to keep an eye on developments in that bug.

I just left a comment on the upstream passlib bug for this issue expressing cloud-init's interest in the outcomes of the issue.

Reference: passlib commits

holmanb commented 5 months ago

Apparently Eli Collins is back and has a plan for supporting passlib - a 1.7.5 release is expected soon.

TheRealFalcon commented 5 months ago

Sweet. Think we still need this bug?

holmanb commented 5 months ago

> Sweet. Think we still need this bug?

I was thinking we can close it once the next release gets published.

zx80 commented 1 month ago

In passing about the passlib/crypt issue:

> The passlib package can replace all use cases of this module.

Hmmm… is there a chicken-and-egg issue? ISTM that passlib relies on the disappearing Python crypt for the legacy algorithms, so it should either regress or reimplement everything for history's and compatibility's sake?

holmanb commented 1 month ago

> Hmmm… is there a chicken-and-egg issue? ISTM that passlib relies on the disappearing Python crypt for the legacy algorithms, so it should either regress or reimplement everything for history's and compatibility's sake?

No, I didn't think so. What makes you think that @zx80?

zx80 commented 1 month ago

> Hmmm… is there a chicken-and-egg issue? ISTM that passlib relies on the disappearing Python crypt for the legacy algorithms, so it should either regress or reimplement everything for history's and compatibility's sake?

> No, I didn't think so. What makes you think that @zx80?

`from crypt import …` is kind of a clue. If the import fails, then `safe_crypt` is made to return `None`. The function seems to be used for legacy hashing methods. It is then used by des, md5, sha1, sha2 and bcrypt, which are the functions which are/were provided by crypt. There is some effort in the code to test and possibly use alternative implementations, so it is unclear what is broken in the end if crypt cannot be loaded, but the dependency is there.

TheRealFalcon commented 1 month ago

@zx80 , Are you essentially referring to this issue? https://foss.heptapod.net/python-libs/passlib/-/issues/148

Yes, passlib itself relies on crypt for certain operations that will be broken in 3.13. This wouldn't be an issue if there was an active maintainer. They could move the needed code from crypt into passlib, but that's part of why this issue exists.

zx80 commented 1 month ago

> @zx80 , Are you essentially referring to this issue? https://foss.heptapod.net/python-libs/passlib/-/issues/148

Indeed.

> Yes, passlib itself relies on crypt for certain operations that will be broken in 3.13. This wouldn't be an issue if there was an active maintainer. They could move the needed code from crypt into passlib, but that's part of why this issue exists.

Sure. The chicken-and-egg issue is that I'm not sure that when people justified removing crypt because passlib could do the job, they had the notion that passlib was actually using crypt under the hood and providing a consistent interface and some features over that.

I agree that the main issue is the unresponsiveness of passlib maintenance: the last commit was 3 years ago, and although there were some announcements, nothing is visible a few weeks before the 3.13 release.

I removed the mandatory passlib dependency on one of my projects by implementing modern password algorithms directly based on the raw Python packages which provide these (bcrypt, argon2, scrypt).
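As an added illustration of the approach described in the comment above (dropping passlib and hashing with the underlying algorithm directly), the following is example code that is not part of cloud-init, passlib or the commenter's project. To stay runnable offline it uses only the standard library: `hashlib.scrypt` for the hash, `secrets` for the salt and `hmac.compare_digest` for verification. The `$scrypt$ln=..,r=..,p=..$salt$hash` string layout, the `ln`/`r`/`p` parameter names and the helper names are assumptions made here, not a standard encoding. It also includes a small probe showing how to detect the absence of the legacy `crypt` module, which is the failure mode `safe_crypt` runs into on Python 3.13.

```python
"""Password hashing without passlib or the deprecated crypt module.

Added example (not cloud-init, passlib or the commenter's code). Uses only
the standard library. The "$scrypt$..." layout below is a constructed
format for this example, not an established hash-string standard.
"""
import base64
import hashlib
import hmac
import importlib.util
import secrets

SCHEME = "scrypt"
# Constructed defaults: N = 2**14, r = 8, p = 1 (16 MiB of memory per hash).
DEFAULT_LN, DEFAULT_R, DEFAULT_P = 14, 8, 1
MAX_LN = 20          # refuse stored hashes that would demand absurd memory
MAXMEM = 64 * 1024 * 1024


def crypt_module_available() -> bool:
    """True if the legacy 'crypt' module can be imported.

    It is removed in Python 3.13; passlib's safe_crypt wrapper then yields
    None, so code expecting legacy $6$-style hashes from it breaks.
    find_spec() only locates the module, so it does not trigger the
    DeprecationWarning that importing crypt raises on 3.11/3.12.
    """
    return importlib.util.find_spec("crypt") is not None


def _b64(raw: bytes) -> str:
    """Unpadded base64 so '=' never collides with the key=value params."""
    return base64.b64encode(raw).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text + "=" * (-len(text) % 4))


def hash_password(password: str, *, ln=DEFAULT_LN, r=DEFAULT_R,
                  p=DEFAULT_P, salt=None) -> str:
    """Return '$scrypt$ln=..,r=..,p=..$<salt>$<digest>' (constructed format).

    A salt may be passed only to make tests deterministic; real callers
    should leave it None so a fresh random salt is drawn per password.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=2 ** ln, r=r, p=p, dklen=32, maxmem=MAXMEM)
    return f"${SCHEME}$ln={ln},r={r},p={p}${_b64(salt)}${_b64(digest)}"


def _parse(stored: str):
    """Split a stored string into (ln, r, p, salt, digest) or None if malformed."""
    parts = stored.split("$")
    if len(parts) != 5 or parts[0] != "" or parts[1] != SCHEME:
        return None
    try:
        kv = dict(item.split("=", 1) for item in parts[2].split(","))
        ln, r, p = int(kv["ln"]), int(kv["r"]), int(kv["p"])
    except (KeyError, ValueError):
        return None
    if not (1 <= ln <= MAX_LN and r >= 1 and p >= 1):
        return None   # untrusted params must not steer resource usage
    return ln, r, p, _unb64(parts[3]), _unb64(parts[4])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters embedded in the stored string."""
    parsed = _parse(stored)
    if parsed is None:
        return False
    ln, r, p, salt, expected = parsed
    actual = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2 ** ln,
                            r=r, p=p, dklen=len(expected), maxmem=MAXMEM)
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str) -> bool:
    """True when the stored hash uses weaker-than-current parameters."""
    parsed = _parse(stored)
    if parsed is None:
        return True
    ln, r, p, _, _ = parsed
    return (ln, r, p) < (DEFAULT_LN, DEFAULT_R, DEFAULT_P)


if __name__ == "__main__":
    h = hash_password("correct horse battery staple")
    print(h, verify_password("correct horse battery staple", h),
          "crypt available:", crypt_module_available())
```

Because the cost parameters travel inside the stored string, `verify_password` can still check hashes written with older settings, and `needs_rehash` flags those for upgrade on the next successful login; the `MAX_LN` cap keeps an attacker-controlled hash string from forcing the verifier to allocate gigabytes.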

ThirVondukr commented 4 days ago

Very weird that people who managed Python 3.13 release didn't notice that passlib depends on crypt, but guess it happens 😅 I forked the library here: https://github.com/ThirVondukr/passlib and replaced crypt with legacycrypt, though crypt_r is also an option.
There's still a lot of legacy/compatibility things to clean up though.