Closed faerics closed 3 years ago
My pypaseto project is functional and last I checked was both parsing and creating tokens that work with the PHP reference spec.
It hasn’t been updated for a while, but it was only made last year, so I’m not sure where it says 6 years.
That said, the only reason I give a warning on using it is that it hasn't been audited by a security pro. It should be functional enough to use, but I make no claims that there have been enough eyes on it to be free of potential security flaws.
@rlittlefield, glad to see you here! My bad, I was supposed to write 6 months, not years. Edited the issue accordingly.
Hi @faerics,
I started my library python-paseto because I wanted to use PASETO in production and needed a very reliable library implementation with high performance characteristics. At the time, the only other python implementation stated on the project homepage that it was not suitable for use in prod.
The current codebase has been running in prod on a number of projects since Oct 2018. At the very least I'm looking to further improve performance by better integrating with libsodium and add a PyPI package now that the library has been subjected to internal dogfooding with python <-> python and python <-> javascript token exchange.
Beyond that, it's hard to say what will happen; there are lots of ideas to improve ease of use, but also concerns around the draft RFC such as https://github.com/paragonie/paseto/issues/92.
Being interested in using PASETO as a Python developer, I googled and found this implementation in Python: https://github.com/purificant/python-paseto by @purificant
Its latest commit was a month ago, while the implementation stated on the site (https://github.com/rlittlefield/pypaseto by @rlittlefield) has been inactive for over 6 months.
I'm opening this issue to ensure the new implementation is worth adding to the site.
In addition, let me ask about the meaning of a green tick in the table of implementations. I'm completely dumb in cryptography, and for me the green tick is equal to "Ready for use". However, both of the Python implementations state that it could be risky to use them. So, does the green tick mean "The author said they support this version of PASETO", or has any checking been done?
Thanks in advance for a reply!