[Python-modules-team] Bug#806366: Bug#806366: passlib issues

Brian May bam at debian.org
Tue Dec 22 23:51:07 UTC 2015


Neil Williams <codehelp at debian.org> writes:

> I've had a quick look at the django setup in passlib and the first
> impressions are *not* good.

Thanks for this. Thanks for the patch.

Have you considered adding any of this feedback to the upstream report?


> 0: I'm not sure why passlib wants to provide django support, django has
> password hashing functionality built in.

What does the Django support provide? Oh, looks like it monkey patches
Django internals, so we can have improved password hashing for Django
users.

IMHO, passlib should concentrate on password hashing, and nothing
else. Not Django settings, or monkey patching Django.

Security software like this needs to be kept as simple as possible so
people can understand it.


> 1: passlib tries to support too many different versions of django,
> including django1.0 which was old even in Lenny. That unnecessarily
> complicates the code. (passlib also uses its own internal handling of
> the django versions which seems unnecessary.)

Apparently Django <= 1.5 will get dropped, see
https://passlib.readthedocs.org/en/stable/lib/passlib.ext.django.html


> 2: passlib doesn't handle django as a "typical" django app with no
> centralised settings - this makes the move to 1.9 error-prone. Fixing
> passlib/tests/test_ext_django.py just reveals that
> passlib/tests/test_handlers_django.py gets confused between django
> imports for 1.4, 1.6 and gets the wrong result for >> 1.7 which now
> fails with 1.9. fuzz_verifier_django tries to import from
> django.contrib.auth.models import check_password which has moved into
> django.contrib.auth.hashers.

Agreed.


> 3: It's not clear to me why passlib couldn't be separated into a
> passlib and passlib-django upstream (dropping support for all versions
> of django prior to 1.6 or 1.7 in the process) to make the whole library
> much easier and simpler to handle.

Agreed.


> 4: passlib also has the python-support dependency which is deprecated:
> https://wiki.debian.org/Python/TransitionToDHPython2

Are we looking at the same version here?

Version 1.6.5-3 looks fine to me...
-- 
Brian May <bam at debian.org>