Open holmanb opened 7 months ago
Apparently Eli Collins is back and has a plan for supporting passlib - a 1.7.5 release is expected soon.
Sweet. Think we still need this bug?
Sweet. Think we still need this bug?
I was thinking we can close it once the next release gets published.
In passing about the passlib/crypt issue:
The passlib package can replace all use cases of this module.
Hmmm… is there a chicken-and-egg issue? ISTM that passlib
relies on the disappearing Python crypt
for the legacy algorithm, so it shoud either regress or reimplement everything for history and compatibility sake?
Hmmm… is there a chicken-and-egg issue? ISTM that
passlib
relies on the disappearing Pythoncrypt
for the legacy algorithm, so it shoud either regress or reimplement everything for history and compatibility sake?
No, I didn't think so. What makes you think that @zx80?
Hmmm… is there a chicken-and-egg issue? ISTM that
passlib
relies on the disappearing Pythoncrypt
for the legacy algorithm, so it shoud either regress or reimplement everything for history and compatibility sake?No, I didn't think so. What makes you think that @zx80?
from crypt import …
is kind of a clue. If the import fails, then safe_crypt
is made to return None. The functions seems to be used for legacy hashing methods. It is then used by des
, md5
, sha1
, sha2
and bcrypt
, which are the functions which are/were provided by crypt
. There is some effort in the code to test and possiby use alternative implementations so it is unclear what is broken in the end if crypt
cannot be loaded, but the dependency is there.
@zx80 , Are you essentially referring to this issue? https://foss.heptapod.net/python-libs/passlib/-/issues/148
Yes, passlib itself relies on crypt for certain operations that will be broken in 3.13. This wouldn't be an issue if there was an active maintainer. They could move the needed code from crypt into passlib, but that's part of why this issue exists.
@zx80 , Are you essentially referring to this issue? https://foss.heptapod.net/python-libs/passlib/-/issues/148
Indeed.
Yes, passlib itself relies on crypt for certain operations that will be broken in 3.13. This wouldn't be an issue if there was an active maintainer. They could move the needed code from crypt into passlib, but that's part of why this issue exists.
Sure. The chicken-and-egg issue is that I'm not sure that when people justified removing crypt
because passlib
could do the job, they had the notion that passlib
was actually using crypt
under the hood and providing a consistent interface and some features over that.
I agree that the main issue is the unresponsiveness of passlib maintenance, the last commit was 3 years ago, and although there were some announce, nothing is visible a few weeks before 3.13 release.
I removed the mandatory passlib dependency on one of my project by implementing modern password algorithm directly based on the raw python packages which provide these (bcrypt, argon2, scrypt).
Very weird that people who managed Python 3.13 release didn't notice that passlib
depends on crypt
, but guess it happens 😅
I forked the library here: https://github.com/ThirVondukr/passlib
and replaced crypt
with legacycrypt, though crypt_r is also an option.
There's still a lot of legacy/compatibility things to clean up though.
Python 3.13 will release in September 2024. We added a passlib dependency to Python 3.13 recently in preparation for this release, per the upstream Python recommendation:
However, there is some concern about the maintenance status of passlib. Given the looming release date later in this year, and the activity in the upstream bug, we will want to keep an eye developments in that bug.
I just left a comment on the upstream passlib bug for this issue expressing cloud-init's interest in the outcomes of the issue.
Reference: passlib commits